IE Exploit Targets Banner Ad Servers

The ubiquitous banner ad has become the latest delivery mechanism for exploit code targeting a known flaw in Microsoft Corp.’s Internet Explorer browser.

During a 12-hour window over the weekend, hackers broke into a load balancing server that handles ad deliveries for Germany’s Falk eSolutions and successfully loaded exploit code on banner advertising served on hundreds of Web sites.

“Users visiting Web sites that carry banner advertising delivered by our system were periodically delivered a file from the compromised site. This file tries to execute the IE-Exploit function on the users’ computer,” Falk eSolutions confirmed Monday.

The exploit (Bofra/IFrame) takes advantage of an IE vulnerability discovered and reported to Microsoft earlier this month. It is a variant of the MyDoom virus that launched zero-day attacks on vulnerable IE users two weeks ago.

Read more here about the zero-day attacks.

The flaw, which does not affect IE users running Windows XP Service Pack 2 (SP2), has not yet been patched.

Falk eSolutions said the affected AdSolution ad serving software is used by more than 150 Web publishers, agencies and marketers worldwide, but it did not say how many of those customers were affected.

Falk AdSolution clients include AtomShockwave, IDG, A&E Television Networks, MediaCom and Universal McCann.

European tech publisher The Register was the first to notice that banner ads served by Falk were launching exploit code to non-SP2 IE users.

“If you may have visited The Register between 6am and 12.30pm GMT on Saturday, Nov 20 using any Windows platform bar XP SP2 we strongly advise you to check your machine with up to date anti-virus software, to install SP2 if you are running Windows XP, and to strongly consider running an alternative browser, at least until Microsoft deals with the issue,” The Register said in a statement.

The site said it suspended ad serving by Falk eSolutions as soon as it discovered the problem. At midday EST on Monday, The Register was still not serving banner ads.

IE rival Mozilla Firefox 1.0 impresses eWEEK Labs. Read the review here.

In a brief note posted Monday, Falk said a virus found on its European network was “inadvertently redistributed” to a small number of users (calculated under 2 percent).

“As of 11:30 a.m. GMT, the virus was removed from all Falk European and U.S. networks, and normal ad delivery was restored,” the company said.

Additional details on the network breach were provided to The Register, which posted a second notice outlining the problems with one of the ad server’s load balancers.

“This attack made use of a weak point on this specific type of load balancer. The function of a load balancer is to evenly distribute requests to the multiple servers behind it. The system concerned was only used to handle a specific request type to our ad server and has now been investigated,” the note read.

“The use of a weak point in one of our load balancers led to user requests not being passed to the ad servers. Instead the user requests were answered with a 302 redirect to a compromised website. This happened with approximately every 30th request,” the company added.

Next Page: Extent of the compromise?

The SANS Internet Storm Center (ISC), which tracks malicious Internet activity, said it was in the process of contacting other Falk customers in Sweden and the Netherlands that may have also been compromised.

SANS ISC Director Marcus Sachs told eWEEK.com the fact that the ad servers were used to distribute the exploit suggests that hundreds of sites, and possibly millions of users, were affected.

Sachs said the Center is highly recommending that users ditch the affected IE browser until Microsoft issues a fix.

“This is a strong candidate for an out-of-cycle Microsoft patch. There are real exploits circulating with real security risks,” Sachs said, noting that the next scheduled patch from Microsoft won’t be available until Dec. 14.

“The fact that this has already been fixed in SP2 suggests that Microsoft has been aware of it for a very long time,” Sachs said, noting it was also very possible that the vulnerability was fixed during the SP2 code rewrite.

The ISC is urging Web site operators that serve banner ads to verify the banners do not contain the IFrame exploit code. “Or you might want to consider disabling banner ads for a little while to minimize the risk of accidentally infecting your users and propagating,” the Center said.

Because the vulnerability is easy to exploit, Sachs said it is very likely that malware for this issue will emerge in many flavors and colors. In addition to the possibility of becoming infected while surfing a Web site, there are e-mail propagation vectors, he added.

Check out eWEEK.com’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.