IE Exploit Targets Banner Ad Servers

Hackers take advantage of an Internet Explorer flaw to successfully load exploit code on banner advertising served to hundreds of Web sites.

The ubiquitous banner ad has become the latest delivery mechanism for exploit code targeting a known flaw in Microsoft Corp.s Internet Explorer browser.

During a 12-hour window over the weekend, hackers broke into a load balancing server that handles ad deliveries for Germanys Falk eSolutions and successfully loaded exploit code on banner advertising served on hundreds of Web sites.

"Users visiting Web sites that carry banner advertising delivered by our system were periodically delivered a file from the compromised site. This file tries to execute the IE-Exploit function on the users computer," Falk eSolutions confirmed Monday.

The exploit (Bofra/IFrame) takes advantage of an IE vulnerability discovered and reported to Microsoft earlier this month. It is a variant of the MyDoom virus that launched zero-day attacks on vulnerable IE users two weeks ago.

/zimages/4/28571.gifRead more here about the zero-day attacks.

The flaw, which does not affect IE users running Windows XP Service Pack 2 (SP2), has not yet been patched.

Falk eSolutions said the affected AdSolution ad serving software is used by more than 150 Web publishers, agencies and marketers worldwide, but it did not say how many of those customers were affected.

Falk AdSolution clients include AtomShockwave, IDG, A&E Television Networks, MediaCom and Universal McCann.

European tech publisher The Register was the first to notice that banner ads served by Falk were launching exploit code to non-SP2 IE users.

"If you may have visited The Register between 6am and 12.30pm GMT on Saturday, Nov 20 using any Windows platform bar XP SP2 we strongly advise you to check your machine with up to date anti-virus software, to install SP2 if you are running Windows XP, and to strongly consider running an alternative browser, at least until Microsoft deals with the issue," The Register said in a statement.

The site said it suspended ad serving by Falk eSolutions as soon as it discovered the problem. At midday EST on Monday, The Register was still not serving banner ads.

/zimages/4/28571.gifIE rival Mozilla Firefox 1.0 impresses eWEEK Labs. Read the review here.

In a brief note posted Monday, Falk said a virus found on its European network was "inadvertently redistributed" to a small number of users (calculated under 2 percent).

"As of 11:30 a.m. GMT, the virus was removed from all Falk European and U.S. networks, and normal ad delivery was restored," the company said.

Additional details on the network breach were provided to The Register, which posted a second notice outlining the problems with one of the ad servers load balancers.

"This attack made use of a weak point on this specific type of load balancer. The function of a load balancer is to evenly distribute requests to the multiple servers behind it. The system concerned was only used to handle a specific request type to our ad server and has now been investigated," the note read.

"The use of a weak point in one of our load balancers led to user requests not being passed to the ad servers. Instead the user requests were answered with a 302 redirect to a compromised website. This happened with approximately every 30th request," the company added.

Next Page: Extent of the compromise?