As we all know, compromised sites play an important role in web distributed malware, acting as the conduit, guiding user traffic to further malicious content. Sometimes, the attackers get lucky, and succeed in compromising a high profile, popular site. Another way to increase the number of users exposed to the attack is to compromise advertising content, thereby exposing all users of any 3rd party sites that happen to load the ads.
Late yesterday evening, we started to see evidence of such an attack - Sophos products were blocking certain ad content as Mal/Iframe-U.
Knowing that detection and what it looked for, I was pretty sure that the ad server of Campus Party was compromised.
Not the first time I have seen an OpenX ad-server getting compromised, and I suspect it won't be the last.
This initiates the attack, triggering a chain of events summarised below:
- ad content (pro-actively blocked as Mal/Iframe-U) silently loads content from the attack site.
- user's browser and browser plug-ins are inspected to determine most appropriate exploit content to load. For this a legitimate library is used.
- exploit content (e.g. Mal/HcpExpl-A, Troj/Lifsect-A, Mal/ExpJS-M) is loaded in order to infect the user with malware. At the time of writing, the exploit site is currently serving up a rootkit which Sophos products detect as Mal/TDSSPack-AX.
As is typically the case for today's web attacks, all of the script components used are heavily obfuscated in an attempt to thwart detection efforts and hinder analysis.
We have already informed those at Campus Party about this issue in order that they can get the malvertising attack cleaned up as soon as possible. In fact as I type, I can see that the ad server is already offline, presumably whilst they resolve the issue. Kudos to them for actioning this quickly!
As to the root cause of the compromise, I do not know exactly how the server was compromised. However, given history, my money would be on an out of date or unpatched version of OpenX.