ID: IRCNE2014012060
Date: 2013-01-06
According to "zdnet", according to Fox-IT, a security product and service company in the Netherlands, computers visiting yahoo.com on January 3 were served malware from the Yahoo ad network (ads.yahoo.com).
Fresh analysis indicates that Yahoo has a handle on the problem and that the attack traffic has decreased substantially.
The ads were in the form of IFRAMEs hosted on the following domains:
- blistartoncom.org (192.133.137.59), registered on 1 Jan 2014
- slaptonitkons.net (192.133.137.100), registered on 1 Jan 2014
- original-filmsonline.com (192.133.137.63)
- funnyboobsonline.org (192.133.137.247)
- yagerass.org (192.133.137.56)
The ads redirect the user to a site using the Magnitude exploit kit, all of which appears to come from a single IP address in the Netherlands. (Perhaps this relates to why Fox-IT's customers were affected so quickly.)
The exploit kit at the site exploits vulnerabilities in Java on the client to install a variety of malware:
- ZeuS
- Andromeda
- Dorkbot/Ngrbot
- Advertisement clicking malware
- Tinba/Zusy
- Necurs
Fox-IT's research shows the 83% of the attacks in Romania, Great Britain, France and Pakistan;
Fox-IT recommends blocking the 192.133.137/24 and 193.169.245/24 subnets until further information is available.
- 4