Posted by Mobo, 11-23-2004, 12:01 AM

By Gregg Keizer, TechWeb News

A hacked server in Germany fed malicious code to unsuspecting Internet Explorer users at an unknown number of Web sites for several hours over the weekend, a banner ad-serving company acknowledged Monday.

The affected Web sites included trusted sites in the U.K., the Netherlands, and Sweden, according to the Internet Storm Center of the SANS Institute. Users who visited one of the impacted sites stood a 1-in-30 chance of being infected with a worm that exploits the still-unpatched IFRAME vulnerability in Microsoft's Internet Explorer 6.0.

Recent versions of the MyDoom worm have exploited the IFRAME vulnerability, as has the Bofra worm, which is what security firms that believe the exploit is dissimilar to MyDoom have dubbed the threat. Whatever the name, the IFRAME exploit can let hackers grab control of infected PCs.

The sequence of events went like this. Early Saturday morning in Germany, a load balancing server run by Falk eSolutions AG was hacked. Load balancing servers sit in front of the actual delivery servers, and parse out ad requests made by Web sites to equalize workloads.

For over six hours, from 5:10 to 11:30 a.m., GMT (12:10 to 6:30 a.m., EST), a virus was "inadvertently redistributed to a small number of users," Falk said in a statement. The hack resulted in user requests for banner ads -- such requests are invisibly sent by browsers whenever they hit a site with ads -- being redirected from the ad servers to a compromised site. That site, in turn, delivered a Bofra worm to the target computer.

On Sunday, the U.K.-based technology news Web site The Register said that it was one of the affected sites. Although the site suspended ad serving operations from Falk, it warned users that they may have been infected. Unless users were running Windows XP Service Pack 2 (SP2), which is immune to the IFRAME vulnerability, The Register recommended that its readers scan for viruses and install SP2 if possible.

"Consider running an alternative browser," The Register said in a statement, "at least until Microsoft deals with the issue."

According to SANS Institute's Internet Storm Center, sites in the Netherlands and Sweden were also compromised by the Falk hack. "This may indicate a more wide-spread attack across Europe," wrote Marcus Sachs, the center's director, in an alert posted on its Web site.

DoubleClick, the largest ad-serving firm in the U.S., declined to comment on Falk's predicament Monday, but said it was preparing a statement to its customers about what precautions it's taken. "We can't really discuss them because of security concerns," a DoubleClick spokesperson said.

Security analysts, though not alarmed, sounded concerned at the news of the infection.

"Frankly, I'm surprised we haven't seen more of this kind of thing," said Vincent Gullotto, the vice president of McAfee's AVERT virus research group. "One thing it certainly points out is that anything today can be a target [of hackers]."

While Gullotto wasn't willing to call this outbreak a turning point in hacking -- for one thing, this isn't the first time that surfing to a trusted site infected IE users -- he did note that the longer the IFRAME vulnerability remains unpatched, the more likely other attackers will join the fray.

"It doesn't take much for them to notice what's effective and then replicate it," he said.

"We're at the point now where things are almost like a blur," said Gullotto. "It's just not going to be clear cut going forward as to what kind of threats we face. This may be one of the first to exploit a vulnerability and use adware to deliver the tool, but there are bots downloading exploits, mass-mailers to contend with, and worms creating bot networks.

"We face a barrage of threats because hackers are always looking for new and interesting ways to get people infected."