On January 3rd, the independent cyber security company Fox-IT released a report revealing that someone had infected Yahoo's advertising server with malware. The attacker, yet to be identified, loaded the server, which distributes advertisements to hundreds of thousands of Yahoo users worldwide, with a slew of "malvertisements" designed to infect computers after a single click.
What is a Malvertisement?
Normally, when a company submits an advertisement to Yahoo's server, that advertisement has to meet a set of standards meant to prevent the distribution of malware, spyware, adware, or other potentially unwanted programs (PUPs). Once the ad's code passes those checks, it is distributed via ads.yahoo.com. A malvertisement is a malicious "ad" that somehow slips past those checks onto the server and then infects users as it is distributed alongside legitimate ads.
Unlike Trojans or rogues, a malvertisement does not need you to download or run anything yourself: clicking on it is enough, because the ad simply redirects your browser to a page that attacks it.
Am I Infected?
Reports indicate that Yahoo's advertisement server was serving the malicious ads from December 30th, 2013 until as late as January 3rd, 2014. During that week alone, the malvertisements were being delivered to a peak of around 300,000 users per hour, with an estimated 27,000 infections per hour. That is roughly 9% of exposures ending in infection, so if you clicked on a Yahoo advertisement last week and were not running some sort of anti-malware, there is a real chance you were infected.
Infection would have occurred after clicking on a malicious ad and being redirected to a malicious website, which silently downloaded and installed a variety of common malware families, such as ZeuS, Andromeda, Dorkbot/Nrgbot, and others. The website was able to do this because it exploited known vulnerabilities in Java, a browser plugin and runtime that is installed on most web users' computers without them even knowing it is there. If you do not use Java in your browser, disabling or uninstalling the browser plugin removes the attack surface this kind of exploit kit relies on; if you do need it, keep it fully updated.
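The redirect chain just described (ad server to a third-party redirector to an exploit kit landing page to a Java archive) leaves a recognizable trail in web proxy logs. The script below is an added example, not code from the article, Fox-IT, or Emsisoft: it flags clients that left ads.yahoo.com for another host and then fetched a Java archive within a short window. The log format (pipe-delimited fields), the hostnames, client addresses and every log line are constructed for illustration; only ads.yahoo.com comes from the article.

```python
"""Flag proxy-log clients that followed an ad redirect into a Java exploit kit.

Added example. The log format, hosts, client IPs and log lines are constructed;
only the ad server name (ads.yahoo.com) is taken from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log, one request per line:
# timestamp | client_ip | url | referer | response content-type
SAMPLE_LOG = """\
2014-01-03T10:00:01Z|10.0.0.5|http://ads.yahoo.com/serve?id=1234|http://www.yahoo.com/|text/html
2014-01-03T10:00:02Z|10.0.0.5|http://ad-relay.example.net/r?c=77|http://ads.yahoo.com/serve?id=1234|text/html
2014-01-03T10:00:04Z|10.0.0.5|http://ek-landing.example.org/index.php?k=abc|http://ad-relay.example.net/r?c=77|text/html
2014-01-03T10:00:05Z|10.0.0.5|http://ek-landing.example.org/payload.jar|http://ek-landing.example.org/index.php?k=abc|application/java-archive
2014-01-03T10:01:00Z|10.0.0.9|http://ads.yahoo.com/serve?id=5678|http://www.yahoo.com/|text/html
2014-01-03T10:01:01Z|10.0.0.9|http://shop.example.com/deal|http://ads.yahoo.com/serve?id=5678|text/html
2014-01-03T10:05:00Z|10.0.0.12|http://intranet.example.com/app.jar||application/java-archive
"""

AD_SERVER = "ads.yahoo.com"
JAVA_TYPES = {"application/java-archive", "application/x-java-archive"}
WINDOW = timedelta(seconds=30)  # assumed: how long after the redirect a .jar still counts


def parse_line(line):
    """Split one constructed log line into the fields the detector needs."""
    ts, client, url, referer, ctype = line.split("|")
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "url": url,
        "host": urlparse(url).hostname or "",
        "referer_host": urlparse(referer).hostname or "",
        "ctype": ctype.strip().lower(),
    }


def is_java_archive(req):
    """A Java archive by declared content-type or by .jar path."""
    return req["ctype"] in JAVA_TYPES or urlparse(req["url"]).path.lower().endswith(".jar")


def find_exploit_chains(log_text, ad_server=AD_SERVER, window=WINDOW):
    """Return (client, redirect_host, jar_url) for every client whose browser
    left the ad server for a third-party host and then received a Java archive
    within `window`. A .jar on its own, or a redirect on its own, is not flagged."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            req = parse_line(line)
            by_client[req["client"]].append(req)

    hits = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["time"])
        for i, hop in enumerate(reqs):
            # Step 1: the request was referred by the ad server but goes elsewhere.
            if hop["referer_host"] != ad_server or hop["host"] == ad_server:
                continue
            # Step 2: a Java archive from outside the ad server follows shortly after.
            for later in reqs[i + 1:]:
                if later["time"] - hop["time"] > window:
                    break
                if is_java_archive(later) and later["host"] != ad_server:
                    hits.append((client, hop["host"], later["url"]))
                    break
    return hits


if __name__ == "__main__":
    for client, via, jar in find_exploit_chains(SAMPLE_LOG):
        print(f"{client}: left {AD_SERVER} via {via}, then fetched {jar}")
```

Only 10.0.0.5 is flagged: 10.0.0.9 left the ad server for an ordinary landing page and fetched no archive, and 10.0.0.12 fetched an internal .jar without any ad redirect, which is why the detector requires both steps. On real proxy logs you would also allowlist the ad network's own CDN hosts (which legitimately receive ads.yahoo.com referers) and normalize the Referer header before comparing.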
Countries with the highest infection rates include Romania, the U.K., and France.
How Can I Fix This?
Earlier today, Yahoo announced that they have removed the malvertisements from their server and that they are launching further investigations to identify the malware’s source.
Anyone running Emsisoft Anti-Malware 8 last week would have been automatically protected from this threat. Anyone else who thinks they might have been infected can view detailed prevention/removal instructions from Fox-IT here or can download Emsisoft’s Emergency Scanner for free.
Along with the recent breach of Blizzard Entertainment's World of Warcraft user accounts, this week's malvertising campaign demonstrates yet again that even the largest and most seemingly secure computing corporations are not immune to attack. In fact, because they are so large and hold so much sensitive financial information, they are often the first to be targeted... no pun intended.
This means that wherever you find yourself on the Internet, you should always be careful where you click, especially if you come across an advertising offer that seems just a little too good to be true.