Jiri Sejtko

18 February 2010

Ads poisoning – JS:Prontexi

This malware usually spreads through web infections planted on innocent, poorly secured websites. Ad infiltration as a distribution method is growing in popularity alongside website infections. Now we are facing probably the biggest ad poisoning ever made: all the important ad services are affected. It means that users might get infected just by reading their favorite newspaper online or by running a search on a well-known search engine. No user interaction is needed in this attack, and it involves no social engineering: the infection begins as soon as the poisoned ad is loaded by the browser. We named the source of this attack JS:Prontexi, a JavaScript code which initiates the infection on the victim's computer using various vulnerabilities, including the latest PDF exploits.

All avast! users with current virus databases are fully protected against this attack. We are blocking the bad guys from accessing your computer, and this allows us to count hits made on machines participating in “avast! community IQ”. The following graph shows the number of incidents we have counted in the last 6 days in 4-hour windows (the number of hits assigned to each service covers avast! users only; the absolute number of hits on a global scale would be much greater).

JS:Prontexi distribution chart

Only the 8 most infiltrated ad services/websites are shown with their own line. The most compromised services are yieldmanager.com (Yahoo) and fimserve.com (FOX Audience Network), which together cover more than 50% of the hits. The list of poisoned ad services is not limited to the “TOP 8” shown in the graph above. The following domains are compromised too (each followed by its hit count):

  • unanimis.co.uk 4593
  • xtendmedia.com 4389
  • doubleclick.net 4076
  • vuze.com 3599
  • openx.net 2978
  • globaltakeoff.net 1915
  • specificclick.net 1726
  • bidsystem.com 1581

Almost all of the services above are focused on advertising, so at least one of the websites you read uses one of these services. The actual files of JS:Prontexi are not hosted on a single domain; the attack uses randomly generated domains. In some cases it even tries to hide the domain by prefixing it with the commonly known name “google.analytics.com”, so the malicious host looks like a Google subdomain at first glance. The following list contains the JS:Prontexi domains we found in the last 6 days (we decided to remove 3 characters to make them inaccessible):

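As an added example (not from the original post and not avast! code), the following Python script shows how a defender could flag the prefix trick described above in web-proxy logs: it reduces each requested hostname to its registrable domain and checks whether the leading labels spell out a well-known name that the registrable domain does not actually belong to. The log format, the suffix table and the list of imitated names are assumptions constructed for this example.

```python
import re

# Well-known names this campaign imitates by using them as a leading prefix
# (constructed list for this example; extend it with names relevant to you).
IMITATED_NAMES = {"google.analytics.com", "google-analytics.com", "doubleclick.net"}

# Minimal public-suffix handling; a real deployment should use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.ua"}

def registrable_domain(host):
    """Return the registrable domain (eTLD+1) of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def prefix_spoof(host):
    """Return the well-known name that `host` imitates via a leading prefix,
    or None when the hostname genuinely belongs to one of those names."""
    host = host.lower().rstrip(".")
    if any(host == n or host.endswith("." + n) for n in IMITATED_NAMES):
        return None
    reg = registrable_domain(host)
    for name in IMITATED_NAMES:
        # Leading labels spell a known name, but the owning eTLD+1 differs.
        if host.startswith(name + ".") and registrable_domain(name) != reg:
            return name
    return None

# Hypothetical proxy log format: "<timestamp> <client-ip> <method> <url>".
LOG_LINE = re.compile(r"^\S+ \S+ (?:GET|POST) https?://([^/\s:]+)")

def scan_proxy_log(lines):
    """Return (hostname, imitated name) pairs for suspicious log lines."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        spoofed = prefix_spoof(m.group(1)) if m else None
        if spoofed:
            hits.append((m.group(1), spoofed))
    return hits

# Constructed sample log lines (not real traffic; the domains are made up).
SAMPLE_LOG = [
    "2010-02-18T10:01:02 10.0.0.5 GET http://www.google-analytics.com/ga.js",
    "2010-02-18T10:01:03 10.0.0.5 GET http://google.analytics.com.example-random.info/in.cgi",
    "2010-02-18T10:01:04 10.0.0.7 GET http://ad.doubleclick.net/adj/site",
    "2010-02-18T10:01:05 10.0.0.7 POST http://doubleclick.net.example-random.com/x",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` returns the two spoofed hosts and leaves the genuine Google Analytics and DoubleClick requests alone.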

The JavaScript code hosted on these servers uses strong encryption and obfuscation, which leave the scripts and exploit code mostly undetected by other AV vendors. The following links show the detection results for the malicious script and for the PDF exploit used to infect the victim's computer.

JS:Prontexi JavaScript detection

http://www.virustotal.com/analisis/4ee895ed5a88de46f2725dbb907d0c41457e010d68e24504f0db43ec4c5166d6-1266404229

JS:Prontexi PDF exploit detection

http://www.virustotal.com/analisis/ff391d3c81d25dff32f3bb14cf7d86b230b7f7237e68ee9a63841c97382b7d30-1266404239

JS:Prontexi comes to life and brings a BIG WARNING, and not only to AV vendors. Advertising services/providers should be more careful about the content they are distributing. Many people already dislike any type of advertising; what happens if ads become the source of infection of their machines?
