Details of hijacked 24/7 ad server emerge

Symantec was not available over the weekend to answer questions about the nature of that information or to provide any other details of the attack.

"What's most interesting about the exploit is where it is hosted," the three researchers said. "The compromise of an ad server can greatly increase the effectiveness of the attack. It is so effective because it allows an attacker to target victims that are browsing trusted or well-known Web sites."

In the specific attack that Symantec monitored, the advertisement -- which was for job-hunting site Monster.com -- had been placed on a site hosted by Tripod.com, a Web hosting service owned by Lycos Inc. that offers both free and for-a-fee plans. "The Tripod.com Web site that triggered the breach on the DeepSight honeypot was 'xxxxxxxxx.tripod.com,' containing [an] embedded script ... which loaded the compromised advertisement and then in turn loaded the exploit," said the Adams, Ball and Roe report. "To emphasize the severity of this attack, [the ad script] is embedded and called in every Tripod.com user Web page (URLs formatted like 'name.tripod.com') at least," they added.

Ground control to major mess

Tripod places ads on sites hosted under its free plan; customers who pay hosting fees, however, do not have ads stuck on their sites' pages.

It's not known if the only sites served with ads containing the IFrame were Tripod's. There were hints, however, that Tripod might not be the only tainted domain. Last Wednesday, for example, NASA issued a warning to workers of a surge in attacks on Windows PCs running Internet Explorer and RealPlayer. According to the space agency's bulletin, the attacks had come from "well-known news sites which may be hosting advertisements from ad servers that redirect the users to malware hosting sites." Friday, NASA spokesman Mike Mewhinney declined to name the news sites the agency suspected of displaying rogue ads.

Because 24/7 Real Media's ad research is significant, the IFrame-infected ads may have been placed on a large number of Web sites. According to the most recent data from Internet audience measurement firm comScore Inc., 24/7's ads reached 50% of all Americans online last month. The company's reach placed it at No. 15 on comScore's September Top 50.

24/7 Real Media did not respond to e-mails sent Friday and Sunday.

Symantec couldn't pin down the start date of the attack, but it did note that the malicious site had hosted exploit code since at least Oct. 8. "There is a possibility that this IP [has been] controlled by the same attackers for quite some time and that they are using it to launch numerous low-key attacks," said Adams, Ball and Roe.

Late Friday, RealNetworks issued a patch for RealPlayer 10.5 and the RealPlayer 11 beta. It also urged users of earlier versions to first upgrade to 10.5 or 11, then apply the patch. Only Windows versions of RealPlayer are vulnerable, RealNetworks said in its advisory; Mac and Linux versions are not at risk.

Read more about security in Computerworld's Security Knowledge Center.