DoubleClick Malware Exposes Millions to Ad-based Infection

On Friday night, researchers on the Malwarebytes team noticed a peculiar set of instructions coming from ads hosted on websites such as Last.fm and The Jerusalem Post.

The first website would suggest that the targets were chosen at random, though the second, and several others like it, might point to the true source of the malware and its perpetrators.

As tensions between Israel and Gaza continue to flare, cyber activists have begun using the conflict as a jumping-off point to further their own agendas. Websites on both sides of the battlefront serve as cover, letting them operate in the gray area between political agenda and profitable action.

It’s important to note that the websites themselves were not involved in the attack; rather, they were exploited by the hackers through a workaround in the DoubleClick code.

“Earlier today, we warned people that both The Times of Israel and The Jerusalem Post were affected by a malvertising attack. It appears that this is a much larger and ongoing campaign that is affecting a number of other popular websites.

The reason this is really big is because it involves doubleclick.net (a subsidiary of Google for online ads) and Zedo (a popular advertising agency).”

The ads were primarily delivering the Zemot malware, which is mainly used for mass distribution of infected code that can later be called upon to install and maintain a robust botnet.

Hackers like to use programs of this type to build DDoS systems that disable high-security destinations: the flood creates havoc on the local servers, and the attackers exploit the moment when those networks need to reset to install nodes that give them control over the servers and their connected clients.

[Image: double click. Photo: Microsoft TechNet]

Google has since shut down all the affected servers that were redirecting malicious code, and has disabled the ads that delivered malware to users’ computers since the report was first published.

The company has yet to elaborate on the exact methods the hackers used to infiltrate the DoubleClick servers. It is believed they were able to trick part of the advertising network into treating their code as one of the legitimate distribution cookies that many companies use to keep tabs on their users and target them with banners that more closely match their interests.

The attack was first detected around the end of last month, but it was reported to the press only after the Malwarebytes team had had enough time to coordinate with Google on implementing and distributing a fix that would keep the problem from spreading beyond the borders it had already crossed.

“Looking at our logs we first detected this new attack pattern on August 30th, at 2 AM. These are the URLs we caught (posted on PasteBin). What is important to remember is that legitimate websites entangled in this malvertising chain are not infected. The problem comes from the ad network agency itself.

We rarely see attacks on a large scale like this, so we highly recommend that people keep their systems up to date, with current antivirus and anti-malware protection.”