Detection of the infection
Fox-IT operates the shared Security Operations Center service ProtACT. This service monitors the networks of our clients for malicious activity. On January 3 we detected and investigated the infection of clients after they visited yahoo.com.
Clients visiting yahoo.com received advertisements served by ads.yahoo.com. Some of the advertisements are malicious. Those malicious advertisements are iframes hosted on the following domains:
- blistartoncom.org (188.8.131.52), registered on 1 Jan 2014
- slaptonitkons.net (184.108.40.206), registered on 1 Jan 2014
- original-filmsonline.com (220.127.116.11)
- funnyboobsonline.org (18.104.22.168)
- yagerass.org (22.214.171.124)
Upon visiting the malicious advertisements users get redirected to a “Magnitude” exploit kit via an HTTP redirect to seemingly random subdomains of:
- and others
All those domains are served from a single IP address: 126.96.36.199. This IP-address appears to be hosted in the Netherlands.
This exploit kit exploits vulnerabilities in Java and installs a host of different malware including:
- Advertisement clicking malware
The investigation showed that the earliest signs of infection were on December 30, 2013. Other reports suggest it might have started even earlier.
Schematically the exploit looks like this:
Based on a sample of traffic we estimate the number of visits to the malicious site to be around 300k/hr. Given a typical infection rate of 9% this would result in around 27.000 infections every hour. Based on the same sample, the countries most affected by the exploit kit are Romania, Great Britain and France. At this time it’s unclear why those countries are most affected; it is likely due to the configuration of the malicious advertisements on Yahoo.
It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated and seem to offer services to other actors. The exploit kit bears similarities to the one used in the brief infection of php.net in October 2013.
Block access to the following IP-addresses of the malicious advertisement and the exploit kit:
- Block the 192.133.137/24 subnet
- Block the 193.169.245/24 subnet
Also closely inspect network traffic for signs of successful exploits for any of the dropped malware.
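To find clients that already reached the infrastructure named above, existing proxy or DNS logs can be checked against the two subnets and the advertisement domains. The sketch below is an added example, not Fox-IT's own tooling; the log line format, the sample addresses and host names, and the function names are assumptions made for illustration.

```python
import ipaddress

# Subnets (three-octet shorthand) and ad iframe domains as written in the advisory.
BLOCKED_SUBNETS = ["192.133.137/24", "193.169.245/24"]
AD_DOMAINS = ["blistartoncom.org", "slaptonitkons.net", "original-filmsonline.com",
              "funnyboobsonline.org", "yagerass.org"]

def expand_cidr(short):
    """Pad shorthand like '192.133.137/24' to a full IPv4 network."""
    addr, _, prefix = short.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=True)

NETWORKS = [expand_cidr(s) for s in BLOCKED_SUBNETS]

def classify(host, dest_ip):
    """Return the reasons a destination matches the advisory (empty list if none)."""
    reasons = []
    try:
        ip = ipaddress.ip_address(dest_ip)
        reasons += [f"ip in {n}" for n in NETWORKS if ip in n]
    except ValueError:
        pass  # unresolved or malformed destination: judge by host name only
    host = host.lower().rstrip(".")
    reasons += [f"host under {d}" for d in AD_DOMAINS if host == d or host.endswith("." + d)]
    return reasons

def scan(lines):
    """Return (client_ip, host, reasons) for each log line that matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4:
            reasons = classify(fields[2], fields[3])
            if reasons:
                hits.append((fields[1], fields[2], reasons))
    return hits

# Constructed sample lines in an assumed "<time> <client> <host> <dest_ip>" format.
SAMPLE_LOG = [
    "2014-01-03T10:01:03 10.0.0.5 blistartoncom.org 192.133.137.40",
    "2014-01-03T10:01:04 10.0.0.5 a1b2c3.kit.example 193.169.245.7",
    "2014-01-03T10:02:00 10.0.0.9 notyagerass.org 198.51.100.3",
    "2014-01-03T10:02:05 10.0.0.9 x.yagerass.org -",
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Matching on the destination address as well as the host name matters here because the exploit kit is reached through seemingly random subdomains, which a domain list alone would miss.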
Yahoo is aware of the issue and looking into it.
Please watch this page for updates.
Update January 3, 1815 (GMT+1): It appears the traffic to the exploit kit has significantly decreased. It looks like Yahoo is taking steps to fix the problem.