Yahoo ads corrupted, colossal exploit download detected
Dutch cybersec firm estimates 27,000 infections per hour through Java vulnerabilities
Yahoo's ad network may have exposed the Web giant's public users to malware on a massive scale over the past few days, at a rate estimated as high as 27,000 infections every hour, according to a Netherlands-based cyber-security company.
The Dutch firm, Fox-IT, said some of the ads redirected visitors to malicious sites. Those sites then exploited vulnerabilities in the Java runtime to install a range of malware.
Fox-IT reported on its blog that a number of its clients had encountered infections on or before 3 January after visiting yahoo.com. The post listed a number of domains to which the ads redirected users and noted that all of them were served from a single IP address that "appears to be hosted in the Netherlands". The redirect delivered the visitor to the Magnitude exploit kit, which exploited the Java vulnerabilities to install malware such as the infamous banking Trojan ZeuS and Andromeda, a bot with a variety of uses, including enrolling the infected machine in a botnet.
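The chain described above (ad server, redirect to one of several fresh domains, exploit kit, Java exploit, payload) leaves a recognisable shape in web-proxy logs. The script below is an added example, not code from Fox-IT, Yahoo or the article, of how a defender would hunt for it: take every request whose referrer is the ad network but whose host is not, group the landing hosts by the address they resolve to, flag any address fronting two or more such hosts, and then look for clients whose Java plug-in itself fetched something from a flagged host. The log format, host names, addresses, resolver answers and the ad-network host are all constructed for the example (the real domains from the Fox-IT post are not reproduced), and the check for "Java/" in the User-Agent assumes, as the Java plug-in of that era did, that the plug-in's own HTTP requests identify themselves that way while the browser's page requests do not.

```python
"""Hunt for a malvertising redirect chain in web-proxy logs.

Added example, not code from Fox-IT, Yahoo or the article. The log format,
host names, addresses and resolver answers are constructed for the example.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log. Fields: timestamp | client | status | URL | referrer | user-agent
SAMPLE_LOG = """\
2014-01-03T10:00:01Z|10.1.1.5|200|http://www.yahoo.com/|-|Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
2014-01-03T10:00:02Z|10.1.1.5|302|http://ads.example-adnet.test/serve?id=77|http://www.yahoo.com/|Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
2014-01-03T10:00:02Z|10.1.1.5|200|http://landing-one.test/cgi/index.php?x=1|http://ads.example-adnet.test/serve?id=77|Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
2014-01-03T10:00:03Z|10.1.1.5|200|http://landing-one.test/cgi/payload.jar|-|Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_25
2014-01-03T10:05:10Z|10.1.1.9|302|http://ads.example-adnet.test/serve?id=78|http://www.yahoo.com/|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
2014-01-03T10:05:10Z|10.1.1.9|200|http://landing-two.test/cgi/index.php?x=2|http://ads.example-adnet.test/serve?id=78|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
2014-01-03T10:07:00Z|10.1.1.12|200|http://cdn.legit-site.test/lib.js|http://www.yahoo.com/|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9)
"""

# Constructed resolver answers: the two landing hosts share one address,
# the pattern Fox-IT reported for the redirect domains.
DNS = {
    "landing-one.test": "198.51.100.7",
    "landing-two.test": "198.51.100.7",
    "cdn.legit-site.test": "203.0.113.40",
    "ads.example-adnet.test": "203.0.113.9",
}

# Hypothetical ad-network host standing in for the real ad server.
AD_NETWORK_HOSTS = {"ads.example-adnet.test"}


def parse_log(text):
    """Split the pipe-delimited sample into dicts; adapt this to the real proxy format."""
    fields = ("ts", "client", "status", "url", "referrer", "ua")
    entries = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(fields):
            continue  # skip blank or malformed lines rather than abort the hunt
        entries.append(dict(zip(fields, parts)))
    return entries


def host_of(url):
    """Lower-cased host part of a URL; '-' (no referrer) yields an empty string."""
    if url == "-":
        return ""
    return (urlparse(url).hostname or "").lower()


def ad_landing_hits(entries, ad_hosts=AD_NETWORK_HOSTS):
    """Requests referred by the ad network to some other host: the hop from the ad
    to whatever the ad sent the browser to."""
    return [e for e in entries
            if host_of(e["referrer"]) in ad_hosts and host_of(e["url"]) not in ad_hosts]


def pivot_on_hosting_ip(hits, dns=DNS):
    """Group landing hosts by resolved address, remembering which clients reached each."""
    clusters = defaultdict(lambda: {"domains": set(), "clients": set()})
    for e in hits:
        host = host_of(e["url"])
        ip = dns.get(host)
        if ip is None:
            continue  # unresolved: leave for a second pass, do not guess
        clusters[ip]["domains"].add(host)
        clusters[ip]["clients"].add(e["client"])
    return dict(clusters)


def suspicious_clusters(clusters, min_domains=2):
    """Addresses fronting several distinct landing hosts that are only ever reached via ads."""
    return {ip: c for ip, c in clusters.items() if len(c["domains"]) >= min_domains}


def java_fetches(entries, clusters):
    """Clients whose Java plug-in itself fetched from a flagged host, i.e. where the
    kit got as far as handing the JVM an archive. Assumption: the plug-in's own
    requests carry 'Java/<version>' in the User-Agent; browser page loads do not."""
    flagged_hosts = {d for c in clusters.values() for d in c["domains"]}
    return {e["client"] for e in entries
            if host_of(e["url"]) in flagged_hosts and "Java/" in e["ua"]}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    clusters = suspicious_clusters(pivot_on_hosting_ip(ad_landing_hits(entries)))
    for ip, c in clusters.items():
        print(f"{ip}: domains={sorted(c['domains'])} clients={sorted(c['clients'])}")
    print("clients whose Java plug-in fetched from a flagged host:",
          sorted(java_fetches(entries, clusters)))
```

The shared-address pivot is what turns a list of throwaway domains into a single blockable indicator, and the Java User-Agent check separates clients who merely saw the redirect from those where the exploit kit actually delivered an archive to the JVM, which is the subset worth pulling for forensic triage first. On a real proxy the referrer field is often stripped, so the same pivot can be run on the sequence of requests per client within a short window instead.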
"Based on a sample of traffic we estimate the number of visits to the malicious site to be around 300,000 per hour," Fox-IT said on its blog.
"Given a typical infection rate of 9% this would result in around 27,000 infections every hour. Based on the same sample, the countries most affected by the exploit kit are Romania, Great Britain and France."
"We recently identified an ad designed to spread malware to some of our users," CNET quoted Yahoo as saying. "We immediately removed it and will continue to monitor and block any ads being used for this activity."
Fox-IT said a drop in traffic to the Magnitude exploit kit's servers suggested that Yahoo was starting to address the issue.