Yahoo malware attack may include users beyond Europe
Web giant admits infection started sooner, spread farther than expected
Yahoo Inc now believes that the malware attack discovered on its ads service last week may have reached further than previously reported.
Initially Yahoo said the infection, which was first reported by Netherlands-based cyber security company FoxIT, was limited to European servers and had infected an estimated 2m end-user devices.
According to tech site CNET, Yahoo has now admitted that its users outside Europe may have been infected and that the attack started four days earlier than it initially thought.
At first, 3 January had been named as the day of the attack. This information was later updated when Yahoo said the attack occurred between 31 December and 3 January. In a blog post on Friday, the company said the malware was active between 27 December and 3 January.
Cyber specialist FoxIT was the first to report the Yahoo attack. It reported on its company blog that a number of its clients had encountered infections on or before 3 January after they visited yahoo.com. The blog listed a number of domains to which the ads redirected users and also said the domains were served by a single IP address that "appears to be hosted in the Netherlands".
FoxIT said the redirect led to the download of an exploit kit called Magnitude, which installed malware using exploits tailored to vulnerabilities in the Java runtime library. The malware downloaded included the infamous banking Trojan ZeuS, as well as Andromeda, which has a variety of uses including joining a machine to a botnet. On Wednesday, the BBC reported that security firm Light Cyber claimed the malware was intended to create a huge network of Bitcoin-mining machines, called a "bitnet".
"The malware writers put a lot of effort into making it as efficient as possible to utilise the computing power in the best way," the BBC quoted Light Cyber's founder Giora Engel as saying.
Yahoo advised its users to ensure they had the latest Windows, Java and Adobe patches installed and to make sure their anti-virus software was up to date.