Difference between revisions of "DBSA:2014-0001"

From Digibase Knowledge Base
(Created page with "{{DBSAHEAD | TITLE=Yahoo! Advertisement Network Compromise | KEYWORDS=Yahoo, compromise, Yahoo!, malware }} '''DBSA ID:''' {{PAGENAME}} '''Regarding:''' Yahoo! Advertisement...")
 
Line 1: Line 1:
 
{{DBSAHEAD
 
{{DBSAHEAD
 
| TITLE=Yahoo! Advertisement Network Compromise
 
| TITLE=Yahoo! Advertisement Network Compromise
| KEYWORDS=Yahoo, compromise, Yahoo!, malware
+
| KEYWORDS=Yahoo, compromise, Yahoo!, malware, Magnitude Exploit, Java
 
}}
 
}}
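Review bot: the KEYWORDS line now adds "Magnitude Exploit" and "Java", but neither term appears anywhere in the advisory body; the Description only says that ads from ads.yahoo.com iframed the five listed domains. Add a sentence to the Description stating what those iframed domains delivered (the exploit kit and the software it targets) so that the new keywords, and the Java-plugin advice in Mitigation, are grounded in the text rather than only in the header.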
  
Line 42: Line 42:
  
 
==Mitigation/Solution==
 
==Mitigation/Solution==
Users are advised to utilize care and caution while accessing web resources, this includes having up-to-date anti-malware and anti-virus solutions along with being careful when a site provides a download without provokation or asks to install software to view content.
+
Users are strongly advised to remove Java plugins from their browsers and scan their systems ensuring no out-of-place software has been installed and monitor their systems for unauthorised activity. Due to Java's track record users should not utilize it as a browser plugin, Java can operate without being installed as a plug-in for locally installed games and tools. Note that Java is different from Javascript.
  
It may be prudent to insert the listed domains names into ad blocking blacklists or web filtering solutions to prevent loading of any content from said domains.
+
Users are also advised to utilize care and caution while accessing web resources, this includes having up-to-date anti-malware and anti-virus solutions along with being careful when a site provides a download without provokation or asks to install software to view content.
  
Users are advised to scan their systems and ensure no out-of-place software has been installed and monitor their systems for unauthorised activity.
+
It may be prudent to insert the listed domains names into ad blocking blacklists or web filtering solutions to prevent loading of any content from said domains (possibly including ads.yahoo.com to prevent future incidents).
  
 
==References==
 
==References==
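Review bot: the new first paragraph tells users to remove the Java browser plugin "due to Java's track record" but never ties that to this incident; nothing in the hunk or the Description says the iframed domains delivered a Java exploit, so state that link here or in the Description, otherwise the reader cannot tell why Java specifically. Two smaller points in the same hunk: "Javascript" should be "JavaScript", and the appended "(possibly including ads.yahoo.com to prevent future incidents)" should say that blocking ads.yahoo.com blocks all Yahoo-served advertising, not only the malicious creatives, since that is a far broader measure than blocking the five attacker domains.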

Revision as of 06:05, 6 January 2014

Disclaimer: as technology changes, advisories may become out of date or no longer relevant. Refer to the "Date" field of the header to be sure the advisory is still current as it pertains to your situation.

Digibase Security Advisory - Yahoo! Advertisement Network Compromise

Keywords: Yahoo, compromise, Yahoo!, malware, Magnitude Exploit, Java

DBSA ID: 2014-0001

Regarding: Yahoo! Advertisement Network Compromise

Writeup: Kradorex Xeron (talk) 05:58, 6 January 2014 (EST)

Date: 2014 01 06

Last Modified: 20140106060539 by Kradorex Xeron

Who should take note: All Users

Classification

Priority: HIGH

Rationale: Users must take action to ensure their computers have not been compromised.

Severity: MODERATE

Rationale: Systems with adequate security solutions should filter out most of this attack; however, there is still a risk that new malware is being delivered through the same channel.

Spread of Issue: MULTI-PLATFORM HIGH

Rationale: All users who access Yahoo! associated sites or sites that utilize Yahoo Advertisements are potentially affected.

Description

Yahoo! (herein written "Yahoo") operates an advertisement platform that it uses to generate revenue for its own sites and for third-party sites that carry its advertisements. Recently this platform was compromised and served malicious advertisements carrying code that led to malware, in a mass-infection attempt against the thousands of systems that might load the bad advertisements.

The malicious advertisements were served from "ads.yahoo.com"; they contained iframes that loaded the malicious code and malware from the following resources:

  • blistartoncom.org (192.133.137.59), registered on 1 Jan 2014
  • slaptonitkons.net (192.133.137.100), registered on 1 Jan 2014
  • original-filmsonline.com (192.133.137.63)
  • funnyboobsonline.org (192.133.137.247)
  • yagerass.org (192.133.137.56)

Credit for this list: Fox-IT

Mitigation/Solution

Users are strongly advised to remove Java plugins from their browsers, scan their systems to ensure no out-of-place software has been installed, and monitor their systems for unauthorised activity. Given Java's track record as a browser plugin, users should not run it as one; locally installed Java games and tools do not need the browser plugin and continue to work without it. Note that Java is distinct from JavaScript.

Users are also advised to exercise care and caution when accessing web resources: keep anti-malware and anti-virus solutions up to date, and be wary when a site offers a download without provocation or asks to install software in order to view content.

It may be prudent to add the listed domain names to ad-blocking blacklists or web-filtering solutions so that no content is loaded from those domains (possibly including ads.yahoo.com to prevent future incidents; note that this blocks all Yahoo-served advertising, not only the malicious creatives).
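The following script is an added example and is not part of the Digibase advisory or of any Yahoo or Fox-IT tooling. It turns the indicator list from the Description into something a practitioner can act on: it checks captured ad markup for iframes pointing at the listed domains (the delivery mechanism described above), scans proxy log lines for requests to the listed domains or IPs, and renders the domains as entries for a hosts file, Adblock Plus/uBlock filter list, or Squid dstdomain ACL as suggested in this section. The indicator values are copied from the advisory; the ad HTML snippet and the log lines are constructed for illustration, and the log format is an assumption.

```python
"""Added example (not from the advisory): match web content and proxy logs
against the DBSA:2014-0001 indicators and emit blocklist entries for them."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators as listed in the advisory (credit: Fox-IT).
IOC_DOMAINS = {
    "blistartoncom.org": "192.133.137.59",
    "slaptonitkons.net": "192.133.137.100",
    "original-filmsonline.com": "192.133.137.63",
    "funnyboobsonline.org": "192.133.137.247",
    "yagerass.org": "192.133.137.56",
}
IOC_IPS = set(IOC_DOMAINS.values())


def is_ioc_host(host):
    """True if host is a listed domain, a subdomain of one, or a listed IP."""
    host = host.lower().rstrip(".")
    if host in IOC_IPS:
        return True
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


class _IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe>/<frame> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def _host_of(url):
    # Scheme-relative URLs (//host/path) need a scheme before urlsplit sees a host.
    if url.startswith("//"):
        url = "http:" + url
    return urlsplit(url).hostname or ""


def malicious_iframes(html):
    """Return iframe src URLs in html whose host matches an indicator."""
    parser = _IframeCollector()
    parser.feed(html)
    return [src for src in parser.srcs if is_ioc_host(_host_of(src))]


def scan_proxy_log(lines):
    """Return (line_no, client, host) for lines that requested an indicator.
    Assumed log format (constructed): 'timestamp client method url status'."""
    hits = []
    for number, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash
        host = _host_of(parts[3])
        if is_ioc_host(host):
            hits.append((number, parts[1], host))
    return hits


def blocklist_entries(fmt):
    """Render the indicator domains for a blocking tool.
    fmt: 'hosts' (hosts file), 'adblock' (Adblock Plus/uBlock filter syntax,
    '||domain^' also matches subdomains) or 'squid' (dstdomain ACL file, a
    leading dot matches subdomains)."""
    domains = sorted(IOC_DOMAINS)
    if fmt == "hosts":
        return ["0.0.0.0 " + d for d in domains]
    if fmt == "adblock":
        return ["||" + d + "^" for d in domains]
    if fmt == "squid":
        return ["." + d for d in domains]
    raise ValueError("unknown format: " + fmt)


# Constructed ad markup: a banner from ads.yahoo.com with injected iframes.
SAMPLE_AD_HTML = """
<div class="ad"><img src="http://ads.yahoo.com/img/banner.gif"></div>
<iframe src="http://blistartoncom.org/" width="1" height="1"></iframe>
<iframe src="//cdn.slaptonitkons.net/load.php"></iframe>
"""

# Constructed proxy log lines; not real traffic.
SAMPLE_LOG = [
    "2014-01-03T10:01:02Z 10.0.0.5 GET http://ads.yahoo.com/st?ad=1 200",
    "2014-01-03T10:01:03Z 10.0.0.5 GET http://blistartoncom.org/ 200",
    "2014-01-03T10:01:04Z 10.0.0.7 GET http://192.133.137.100/ 200",
    "2014-01-03T10:02:00Z 10.0.0.9 GET http://example.org/ 200",
]

if __name__ == "__main__":
    print(malicious_iframes(SAMPLE_AD_HTML))
    print(scan_proxy_log(SAMPLE_LOG))
    print("\n".join(blocklist_entries("adblock")))
```

Note that ads.yahoo.com is deliberately not in the indicator set: a hit on it only says the client loaded a Yahoo ad, whereas a hit on one of the five domains or IPs says the injected iframe was actually fetched, which is the event worth following up on that host. Matching subdomains covers the scheme-relative form an injected iframe often uses, and the IP match catches requests made directly by address.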

References