August 27th, 2008
MSN Norway serving Flash exploits through malvertising
Morten Krakvik from the Norwegian Honeynet Project is reporting that MSN Norway is among the latest victims of
malvertising, a practice where a bogus advertising provider tricks leading portals into accepting advertisements from its network, which often end up redirecting to live exploit URLs. The recent wave of malvertising that also targeted Digg, MSNBC and Newsweek, is very similar to the malvertising campaigns that took place in February which were targeting popular sites as Expedia, Excite, Rhapsody and MySpace. The only thing the malvertisers keep changing are the fake security software domains that they push through their campaigns.
Flash player versions susceptible to exploitation are :
Adobe Flash 9.0.16
Adobe Flash 9.0.28
Adobe Flash 9.0.45
Adobe Flash 9.0.47
Adobe Flash 9.0.115
According to Krakvik’s analysis, the malicious ad came from bannersrotator DOT com which is still active, and serving
the malicious ad (tunnel28.swf) currently detected by 9 out of 36 antivirus scanners as SWF:CVE-2007-0071, or SWF.Exploit.
Who’s to blame anyway? The end users for not bothering to patch their browsers and third-party applications at the first place, the portals for doing business with such obviously rogue advertising providers like bannersrotator DOT com, or the advertising networks sacrificing security for efficiency and not screening the ads and newly joining advertisers like bannersrotator DOT com?
It’s the lack of decent situational awareness demonstrated by all parties. For instance, the end user thinking that patching their browser is where it all ends, the portals for not taking advantage of publicly obtainable tools aimed at analyzing malicious flash files, and the advertising networks themselves, for choosing efficiency next to security and helping rogue security software providers have their ads syndicated across legitimate sites.
