
July 3rd, 2009

EyeWonder malware incident affects popular web sites

Posted by Dancho Danchev @ 5:09 pm

Categories: Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Exploit code, Hackers, Malware, Passwords, Pen testing

Tags: Web, EyeWonder, Malware, Web Site, Spyware, Adware & Malware, Cyberthreats, Viruses And Worms, Security, Dancho Danchev

Within the last couple of hours, visitors to popular, high-traffic web sites such as CNN, BBC, the Washington Post, Gamespot, WorldOfWarcraft, Mashable, Chow.com, ITpro.co.uk, AndroidCommunity, Engadget and Chip.de started reporting that parts of those sites were unreachable because of browser malware warnings triggered by content served through EyeWonder, an interactive digital advertising provider.

Let's assess the butterfly effect of a single malware incident affecting an ad network whose ads are syndicated across the entire Web.

What started as "we have been mistakenly flagged as malware" briefly turned into an "appears the EW.com domain was potentially maliciously 'hacked' causing these errant and erroneous alerts to appear" malware incident.

Is the EyeWonder attack a typical malvertising campaign, where malicious content is pushed onto legitimate sites through the ad network, or was EyeWonder's own web site compromised as part of the ongoing ColdFusion web site compromise campaign?

Sadly, it could be an indication of both. I managed to reproduce the actual exploit-serving attack on the Washington Post site, using the exact link an affected reader posted in the comments of the article. However, what appears to have triggered the badware alert in the first place is a compromise of the EyeWonder site itself.

According to Google's Safe Browsing advisory for EyeWonder, the exploits were hosted on domains that are currently active in, and participating in, the ColdFusion injection attacks, namely elfah .net, 2ici .cn and javazhu.3322 .org; the same domains were also behind the compromise of the web site of Pakistan's Telecommunication Authority.

Using a RealPlayer Import stack overflow exploit and a second exploit attempting a QVOD Player URL overflow, the cybercriminals then attempt to push eight different malware samples onto the visitor's machine. Detection rates for the droppers are improving.

Interestingly, one of the malware samples attempts to download an updated list of malware binaries by connecting to betheboss.it, a compromised Italian site that is itself part of the ColdFusion injection attacks; the site appears to have been exploited precisely so that it could serve this role.

This malware incident demonstrates how a single exploitation of a trusted third-party content or ad-serving vendor can undermine not only the vendor's credibility but potentially that of every site using the network. And since the ads on the affected sites are dynamically served through different networks, it remains an open question whether it was in fact EyeWonder that served the malicious content, or a compromised partner of the network.

Case in point: the partnership between Facilitate Digital and EyeWonder is implemented in a very insecure fashion, with EyeWonder's own front page carrying a permanent iframe tag that loads adsfac.us, a domain belonging to Facilitate Digital. Whatever that partner domain serves is loaded for every visitor to EyeWonder's front page, so a compromise of adsfac.us would surface on eyewonder.com just as readily as a compromise of EyeWonder itself.
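The trust relationship such a tag creates can be made visible by inventorying every origin a page hands rendering or execution to. The following is an added example (Python; not code from the post, from EyeWonder or from Facilitate Digital). The sample page, its URL and the tag paths are constructed for the demonstration; only the fact that the front page iframes adsfac.us is taken from the text, and the registrable-domain logic is a deliberate simplification.

```python
"""Inventory the third-party origins a page delegates content or code to.

Every iframe, script, embed or object loaded from another site is an origin
whose compromise becomes the page's compromise, which is the trust problem
the EyeWonder incident illustrates.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src/data attribute pulls remote content into the page.
_LOADING_ATTRS = {
    "iframe": "src",
    "script": "src",
    "embed": "src",
    "object": "data",
    "img": "src",
}

# Tags that can run script in, or frame arbitrary content into, the page.
_EXECUTING_TAGS = {"iframe", "script", "embed", "object"}


class _SrcCollector(HTMLParser):
    """Collect (tag, url) pairs for every loading tag in the document."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = _LOADING_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.refs.append((tag, value))


def registrable_host(host):
    """Crude eTLD+1 (last two labels). A real tool would consult the
    Public Suffix List; this is enough for the constructed sample."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def third_party_origins(html, page_url):
    """Return {origin: [tags]} for every origin outside the page's own site."""
    collector = _SrcCollector()
    collector.feed(html)
    own = registrable_host(urlsplit(page_url).hostname or "")
    found = {}
    for tag, ref in collector.refs:
        parts = urlsplit(urljoin(page_url, ref))
        # about:blank, javascript: and data: URLs name no remote origin.
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        if registrable_host(parts.hostname) == own:
            continue
        origin = f"{parts.scheme}://{parts.hostname}"
        found.setdefault(origin, []).append(tag)
    return found


def executing_origins(found):
    """Origins that can execute or frame content, i.e. the ones whose
    compromise would be served to every visitor of the page."""
    return sorted(o for o, tags in found.items() if set(tags) & _EXECUTING_TAGS)


# Constructed sample standing in for a front page that embeds a partner's
# ad iframe; hostnames and paths are hypothetical except adsfac.us.
SAMPLE_PAGE_URL = "http://www.eyewonder.com/"
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="//metrics.vendor.test/tag.js"></script>
</head><body>
<img src="http://static.eyewonder.com/logo.png">
<iframe src="http://adsfac.us/ag.asp?cc=DEMO" width="728" height="90"></iframe>
<iframe src="about:blank"></iframe>
<img src="http://cdn.partner-stats.test/pixel.gif">
</body></html>
"""


if __name__ == "__main__":
    found = third_party_origins(SAMPLE_HTML, SAMPLE_PAGE_URL)
    for origin, tags in sorted(found.items()):
        print(f"{origin:40} via {', '.join(tags)}")
    print("origins that can execute or frame content:")
    for origin in executing_origins(found):
        print("  " + origin)
```

Run against the constructed page, the report separates the two origins that can execute or frame content (adsfac.us through the iframe, the metrics vendor through a script tag) from a tracking pixel that can only render an image; the same-site static host is not reported at all. The first group is the list of parties whose incident response a site operator is implicitly depending on.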

For the time being, EyeWonder.com remains down for maintenance.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.

