Yahoo advertisement - Quality Plus Consulting

Yahoo Removes Malicious Ads Redirecting to Magnitude Exploit Kit
by Michael Mimoso January 6, 2014 , 11:58 am
The race to replace the Blackhole Exploit Kit as the web exploit pack of choice for cybercriminals
seems to have an early leader in Magnitude.
Researchers at Dutch security firm Fox-IT reported over the weekend that European visitors to
Yahoo were falling victim to malicious ads hosted on the site. The ads injected iframes into the
page, redirecting the visitor's browser to sites hosting Magnitude.
This is the first known major incursion redirecting to Magnitude since the takedown of Blackhole and
the arrest of its alleged creator Paunch in October.
The Magnitude exploit kit targets Java vulnerabilities and installs a range of dangerous Trojans,
including Zeus, Dorkbot, Necurs and several click-fraud families. Fox-IT's investigation
concluded the infections started Dec. 30, possibly earlier.
Most of the victims are in Romania, Great Britain and France. Fox-IT said it observed an
average of 300,000 visits per hour to Yahoo and, based on an estimated infection rate of 9 percent,
estimated that about 27,000 infections were happening per hour.
“At this time, it’s unclear why those countries are most affected,” the company wrote on its blog. “It
is likely due to the configuration of the malicious advertisements on Yahoo.”
The Washington Post reported, meanwhile, that Yahoo has removed the advertisements in question.
“Users in North America, Asia Pacific and Latin America were not served these advertisements and
were not affected,” a Yahoo representative told the Post. “Additionally, users using Macs and mobile
devices were not affected.”
The malicious ads were served by Yahoo from a number of domains, including two registered on Jan.
1: blistartoncom[.]org and slaptonitkons[.]net. Fox-IT advises that concerned organizations
block the 192.133.137.x and 193.169.245.x ranges (the two /24 subnets). Those domains then redirect to a number of
domains hosting Magnitude, including boxdiscussing[.]net, crisisreverse[.]net, and
limitingbeyond[.]net. All of the domains, Fox-IT said, resolved to a single Dutch IP address,
193[.]169[.]245[.]78.
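The indicators above are the kind a defender would immediately want to sweep proxy or DNS logs for. The following script is an added example, not Fox-IT's or Yahoo's code: it refangs the published domains and IP, treats the two three-octet "subnets" as /24 ranges, and matches each entry of a constructed, minimal web-proxy log (timestamp, client, destination host, destination IP) against them. The log lines, the client addresses and the non-indicator IPs in them are invented for illustration.

```python
"""Sweep proxy log lines for the Fox-IT indicators quoted in the article.

Added example, not code from Fox-IT or Yahoo. Indicator domains/IP come from
the article (defanged with [.]); the sample log below is constructed.
"""
import ipaddress
import re

# Indicators as published, defanged. Refanged before matching.
DEFANGED_DOMAINS = [
    "blistartoncom[.]org", "slaptonitkons[.]net",   # ad-serving domains
    "boxdiscussing[.]net", "crisisreverse[.]net",   # Magnitude landing domains
    "limitingbeyond[.]net",
]
DEFANGED_IPS = ["193[.]169[.]245[.]78"]
# "block the 192.133.137 and 193.169.245 subnets": assumed to mean /24s.
BLOCKED_NETS = [ipaddress.ip_network("192.133.137.0/24"),
                ipaddress.ip_network("193.169.245.0/24")]


def refang(indicator: str) -> str:
    """Turn 'example[.]net' / 'hxxp://' back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}

# Minimal log format assumed here: "<timestamp> <client-ip> <dst-host> <dst-ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<dst>\S+)$")


def classify(line):
    """Return (reason, indicator) if the line hits an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host = m.group("host").lower().rstrip(".")
    # Match the base domain or any hostname under it (ad tags often use subdomains).
    for d in DOMAINS:
        if host == d or host.endswith("." + d):
            return ("domain", d)
    try:
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:
        return None
    if dst in IPS:
        return ("ip", str(dst))
    for net in BLOCKED_NETS:
        if dst in net:
            return ("subnet", str(net))
    return None


def scan(lines):
    """Return a list of (line_number, reason, indicator) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify(line)
        if result:
            hits.append((n, *result))
    return hits


# Constructed sample log: client IPs and non-indicator destinations are invented.
SAMPLE_LOG = """\
2014-01-03T10:00:01Z 10.0.0.12 www.yahoo.com 98.139.183.24
2014-01-03T10:00:02Z 10.0.0.12 ads.blistartoncom.org 192.133.137.59
2014-01-03T10:00:03Z 10.0.0.12 boxdiscussing.net 193.169.245.78
2014-01-03T10:00:04Z 10.0.0.31 cdn.example.org 193.169.245.200
2014-01-03T10:00:05Z 10.0.0.31 example.com 93.184.216.34
"""

if __name__ == "__main__":
    for line_no, reason, indicator in scan(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {reason} match on {indicator}")
```

The domain check is applied before the IP check so that a hit on an ad-tag subdomain is reported by name even when the destination resolves elsewhere; the subnet match catches the case on line 4, where a hostname not on the list still lands in a blocked /24. Line 1 does not hit: the Yahoo front page itself was never an indicator, only the ad domains were.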
“It is unclear which specific group is behind this attack, but the attackers are clearly financially
motivated and seem to offer services to other actors,” Fox-IT said, adding that Magnitude is similar
to an exploit kit used in an October compromise of php.net.
Since the takedown of the Blackhole Exploit Kit shortly following the arrest of its alleged creator
Paunch in Russia, cybercriminals have yet to settle on an adequate successor. The hodgepodge of
exploit kits in circulation, including Magnitude, Cool, Angler, Neutrino and others, doesn't have the
same muscle as Blackhole. Blackhole not only was a complete catalog of webinjects and banking
malware, but it was updated almost daily, and was relatively affordable with an annual license selling
for around $1,500. Since Paunch’s arrest, activity from Blackhole and its cousin Cool has dwindled
to almost zero, and attackers are scrambling not only for a successor, but also to recover lost revenue.
Recently, researchers at Websense reported that the keepers of the Cutwail botnet had resorted to
phishing and spam email campaigns carrying malicious attachments or links to malware
downloads because Blackhole was no longer available. Previously, Cutwail spam relied heavily on Blackhole
to automatically compromise computers and install banking Trojans or other financial malware, and only to a
lesser extent on direct attachments. That ratio has flipped, Websense said.
“What we’ve seen post Blackhole is this immediate cutoff where the URL based attacks inside these
emails declined because of the Blackhole infrastructure going down,” said Alex Watson, Websense
director of security research.
As for Magnitude, Websense reported a blip where criminals were experimenting with the new
exploit kit for a period of time, but then moved away. Magnitude and Neutrino, a number of
researchers report, support many of the most recent exploits, but they seem to be a work in progress
in terms of how they deliver redirects or exploits.
“It has to be a worthwhile business arrangement as well. When they adopt exploit kits, it’s both a
mixture of the frequency of adoption to avoid security solutions and another element how quickly it
is to incorporate the latest exploits,” Watson said. “The third is the cost of the business arrangement
for the exploit kit and if it can be competitive with what Blackhole was before.”
Yahoo malware turned European computers into bitcoin slaves
Search firm remains silent on how its ad servers infected Windows PCs of visitors to homepage

Alex Hern
theguardian.com, Wednesday 8 January 2014 06.52 EST
As many as two million European users of Yahoo may have received PC malware from virus-laden
ads served by its homepage over a four-day period last week.
Some of the malware turned PCs into bitcoin miners, a huge drain on their computing resources, without the
users' knowledge. Yahoo has been criticized for not saying how many people could be
affected or doing anything to help those with the malware, which exploited flaws in the Java software installed on
victims' systems.
In a statement, Yahoo said: "From December 31 to January 3 on our European sites, we served some
advertisements that did not meet our editorial guidelines – specifically, they spread malware." Users
in North America, Asia Pacific and Latin America weren't affected, Yahoo said. Nor were users of
Apple Macs or mobile devices.
"We will continue to monitor and block any advertisements being used for this activity," the
company added. "We will post more information for our users shortly."
According to Light Cyber, a security research firm which warned Yahoo of the attacks in late
December, one of the malware programs delivered in the attack turned the victim's computer into a
bitcoin miner. The computer is set to work performing the calculations required to make the bitcoin
network run, but the rewards for doing so accrue to the malware writer.
Yahoo has been criticized for not doing more to aid users infected by the faulty adverts. Dan Farber
of technology site CNET says that: "At this point, Yahoo hasn't addressed any of the details, such as
how the malware exploit got into its Web pages, how many users are impacted, and what victims of
the attack should do. The company may still be gathering data."
Fox-IT, the Dutch cybersecurity firm which first disclosed the campaign to the public, estimated
that there were around 27,000 infections every hour the malware was live on the site. If the malware
was served consistently for three days (72 hours), that rate works out to roughly 1.9 million machines, so
almost 2 million computers may have been infected.
Java target
"The attack focused on outdated software," says Steve Regan of security site CSO. "The only way for
the exploits to work is to have outdated versions of Java on your system. If Java is up to date, then the
odds are, you're safe. However, I don't trust Java, so unless you absolutely need it, my advice is to
uninstall it from your system. It seems like I see more zero-day attacks aimed at Java than anything
else, the risk isn't worth it for me." Zero-day attacks exploit previously unreported flaws in software
to install malware or take over a computer. The Yahoo campaign, by contrast, worked against known flaws in
outdated Java installations, which is why a patched Java, or none at all, was enough to stop it.
As well as the bitcoin mining malware, other software installed includes ZeuS, which attempts to
steal banking information; Andromeda, which turns the computer into part of a "botnet" for use by
third parties, and "adjacking" malware which hijacks the user's browser to click on adverts, thus
channeling income to corrupt site owners.
Bitcoin is fast becoming a tool of choice for malware developers. As well as directly using
compromised computers to mine for new coins, software such as ZeuS lets criminals install
Cryptolocker, a dangerous new type of malware, which first encrypts the user's files and then
demands a ransom, payable in bitcoin, to decrypt them. In most versions of Cryptolocker, the ransom
is set at two bitcoins, currently worth around $2,000.
Bitcoin is so valuable to botnet owners, criminals who control large numbers of compromised
computers, that one academic paper argues that the security of the network is permanently at risk.
Philipp Güring and Ian Grigg argue that the currency violates Gresham's Law, an economic
theorem that states that bad money drives out good. Since bitcoin mining is far more profitable if
done on stolen computers with stolen energy, they argue, it will soon be uneconomical to do it any
other way.