Reports indicate that Yahoo’s ad system (ads.yahoo.com) was recently compromised, leading it to serve malware to European web visitors. It is not clear whether the servers and systems themselves were directly breached, or whether ads were created to bypass Yahoo’s filtering systems and feed out the malware.

The attack uses Java exploits against Windows users’ systems and is distributed via iframes on the pages. The iframes direct visitors to several domains, which in turn redirect to domains mapping to a single IP address in the Netherlands.

The exploit kit takes advantage of several vulnerabilities in Java and installs various forms of malware, including:

  • ZeuS
  • Andromeda
  • Dorkbot/Ngrbot
  • Advertisement clicking malware
  • Tinba/Zusy
  • Necurs

Fox IT, who discovered the compromise, recommends blocking the subnets where the malicious code is being deployed: 192.133.137/24 and 193.169.245/24. They also believe that the compromised servers were infecting systems at a rate of 27,000 per hour.
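Besides blocking the two subnets, it is worth checking whether any internal client already connected to them. The following is an added example, not code from Fox IT or from this post: it expands the abbreviated subnets as written above and searches proxy log lines for matching destinations. The log format, the sample lines and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Subnets exactly as written in the post (abbreviated CIDR, last octet omitted).
REPORTED_SUBNETS = ["192.133.137/24", "193.169.245/24"]

def expand_cidr(text):
    """Turn abbreviated CIDR such as '192.133.137/24' into an IPv4Network."""
    addr, _, prefix = text.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not prefix:
        raise ValueError(f"not a CIDR block: {text!r}")
    octets += ["0"] * (4 - len(octets))  # pad the omitted octets with zeros
    # strict=True rejects blocks that have host bits set, e.g. 10.1.2.3/24
    return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=True)

BLOCKED = [expand_cidr(s) for s in REPORTED_SUBNETS]

def find_hits(log_lines, networks=BLOCKED):
    """Map each client IP to the (timestamp, dest_ip) pairs that fall in networks.

    Assumed (constructed) log format: '<timestamp> <client-ip> <dest-ip> <url>'
    """
    hits = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # not a log record
        ts, client, dest = parts[:3]
        try:
            dest_ip = ipaddress.ip_address(dest)
        except ValueError:
            continue  # destination is not an IP literal
        if any(dest_ip in net for net in networks):
            hits[client].append((ts, dest))
    return dict(hits)

# Constructed sample proxy log; hosts and addresses are illustrative only.
SAMPLE_LOG = [
    "2014-01-04T10:15:02Z 10.0.0.21 192.133.137.10 http://redirect.example.test/a",
    "2014-01-04T10:15:09Z 10.0.0.21 193.169.245.77 http://landing.example.test/b",
    "2014-01-04T10:16:40Z 10.0.0.35 192.133.138.10 http://news.example.test/",
    "2014-01-04T10:17:11Z 10.0.0.48 193.169.245.200 http://landing.example.test/c",
    "garbled line",
]

if __name__ == "__main__":
    for client, events in sorted(find_hits(SAMPLE_LOG).items()):
        print(client, "contacted a reported subnet:", events)
```

Clients that appear in the result should be treated as potentially infected and examined, since the listed malware families install after a successful Java exploit.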


Ken Westin
