Grumpy Security Guy

I’ve suffered the tortures of the damned


Hackers Buy Ads to Install Malware

November 16th, 2007

I have been waiting for this to happen for a while now. Jeremiah and I discussed this about a year ago while thinking about the fastest way to deploy malware across the web. Our idea was slightly different but the same principles apply: buy your way onto the big sites with ads, or convince a site to install a widget/JS snippet.

In this attack the malware distributors purchased ad space on the DoubleClick network and uploaded encrypted Flash ads that then did drive-by malware installs. Here is a video that shows what happens when one of these banners is displayed and attempts to install malware.

This is a very interesting attack, but here is what a lot of people fail to realize. Ads, widgets, Flash, etc. are all programs that execute in your browser. Once I source code from another source (like the YouTube movie above) I have given up control of my webpage to a third party. YouTube could change that code to do something completely different tomorrow, and the only recourse I have is to notice it and remove the code from my site. While removing the code that calls the YouTube video will remove the attack vector from my site, I (really my users) were exposed for the time it was available.

The malware people are already thinking about this as well. As demonstrated in the video above, they are not attempting to infect everyone all the time but do it to some people some of the time. Pretty tricky, eh?

I fear this is only going to get worse. Hold on to your seats, it is going to get bumpy.
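The "notice it" step can be partly automated. The sketch below is an added example, not code from the original post: it lists every off-site URL that loads active content into a page and flags any whose body no longer matches the digest recorded when it was reviewed. The hostnames, the first-party host `blog.example.com`, and the resource bodies are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags (and the attribute) that pull code or active content into the page.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

class ThirdPartyInventory(HTMLParser):
    """Collect every off-site URL that loads executable content."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.found = []  # (tag, url, host)

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(ACTIVE.get(tag, ""))
        host = (urlparse(url or "").hostname or "").lower()
        # Relative URLs have no host and are served by the site itself.
        if host and host != self.first_party \
                and not host.endswith("." + self.first_party):
            self.found.append((tag, url, host))

def inventory(html, first_party_host):
    parser = ThirdPartyInventory(first_party_host)
    parser.feed(html)
    return parser.found

def fingerprint(body):
    """SRI-style digest of a fetched resource body (bytes)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def drifted(pinned, fetched):
    """URLs whose current body no longer matches the digest that was reviewed."""
    return sorted(u for u, b in fetched.items() if pinned.get(u) != fingerprint(b))

# Constructed sample page and bodies; all hosts are placeholders.
PAGE = """<html><body>
<script src="/js/site.js"></script>
<script src="https://ads.example.net/banner.js"></script>
<embed src="//video.example.org/player.swf">
<img src="https://img.example.net/logo.png">
</body></html>"""
REVIEWED = {"https://ads.example.net/banner.js": b"showBanner();",
            "//video.example.org/player.swf": b"FWS-constructed-bytes"}
TODAY = {**REVIEWED, "https://ads.example.net/banner.js": b"showBanner();extra();"}

if __name__ == "__main__":
    pinned = {u: fingerprint(b) for u, b in REVIEWED.items()}
    print(inventory(PAGE, "blog.example.com"))
    print(drifted(pinned, TODAY))
```

Because the ads described above were served to only some visitors some of the time, a matching digest on one fetch does not show that every visitor received the reviewed content; the inventory of who can run code on the page is the more durable output.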


Tags: Security