Rixstep
 About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack

Yahoo Ad Servers Under Attack

But Apple users aren't affected. Why?



NOT-SO-SUNNYVALE (Rixstep) — Yahoo ad servers are under attack, according to CNN.

Tens of thousands of visitors to Yahoo sites are being hit each day. Apple users are not affected.

It's nice to get this information, but once again one must wonder why the information is so sparse.

What We Know

Dutch-based Fox IT (no relation) reported that the server ADS.YAHOO.COM was serving the malware. This means anyone visiting the main server YAHOO.COM will be attacked. The attack involves IFRAMEs that load content from one of the following external sites.

  • BLISTARTONCOM.ORG
  • SLAPTONITKONS.NET
  • ORIGINAL-FILMSONLINE.COM
  • FUNNYBOOBSONLINE.ORG
  • YAGERASS.ORG

Those sites in turn get more malware from, inter alia, one of the following sites.

  • BOXSDISCUSSING.NET
  • CRISISREVERSE.NET
  • LIMITINGBEYOND.NET

The IP serving those domains is 78-245-169-193.deltahost.com.ua, and that address seems to be hosted by Serverius Holding BV of the Netherlands.
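The chain above starts with an IFRAME injected into ad content that points away from the site the visitor actually requested. As an added example (not code from Fox IT, CNN or Rixstep), here is a small auditor that parses a page and reports every IFRAME whose source host is outside an allowlist of expected first-party and ad hosts, flagging frames that are sized to zero or styled invisible, the usual shape of an injected frame. The allowlist and the sample HTML are constructed for the example; the two injected hosts are taken from the list above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this page is expected to frame.
EXPECTED_FRAME_HOSTS = {"yahoo.com", "ads.yahoo.com"}

# Constructed sample page: one legitimate ad frame, two injected ones.
SAMPLE_HTML = """
<html><body>
<iframe src="//ads.yahoo.com/ad?slot=top" width="728" height="90"></iframe>
<div>page content</div>
<iframe src="http://blistartoncom.org/index.php" width="0" height="0"></iframe>
<iframe src="http://slaptonitkons.net/x.php" style="display: none"></iframe>
</body></html>
"""


def _is_hidden(attrs):
    """True when the frame is zero-sized or styled invisible."""
    width = attrs.get("width", "").strip()
    height = attrs.get("height", "").strip()
    style = attrs.get("style", "").replace(" ", "").lower()
    return (width in ("0", "0px") or height in ("0", "0px")
            or "display:none" in style or "visibility:hidden" in style)


class IframeAuditor(HTMLParser):
    """Collects IFRAMEs whose host is not covered by the allowlist."""

    def __init__(self, expected_hosts):
        super().__init__()
        self.expected_hosts = {h.lower() for h in expected_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if not host:
            return  # relative or empty src: same-origin, not an external frame
        # Exact match or a subdomain of an allowed host; suffix match only,
        # so "yahoo.com.example.org" does not pass.
        if any(host == h or host.endswith("." + h) for h in self.expected_hosts):
            return
        self.findings.append({"host": host, "src": src, "hidden": _is_hidden(attrs)})


def audit_iframes(html_text, expected_hosts=EXPECTED_FRAME_HOSTS):
    """Return a list of findings for IFRAMEs pointing outside the allowlist."""
    parser = IframeAuditor(expected_hosts)
    parser.feed(html_text)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in audit_iframes(SAMPLE_HTML):
        print(f"unexpected frame host {f['host']} (hidden={f['hidden']}): {f['src']}")
```

Running this on the sample reports the two injected frames and passes the ad frame. The same check, run against the rendered ad markup before it is served, is one place a publisher can catch a tampered creative before it reaches visitors.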

How It Works (Yawn)

If you were on Windows, you'd love to read about this. Mostly because you have no time for anything else. For those who've gone over to Cupertino, this is mostly a bore, as who really wants to know how an exploit works? But whatever.

√ The exploit uses Java. Big shocker. Java is the new black of Windows.

√ The exploit is a veritable Father Xmas with a sack absolutely bursting with goodies.

  • ZeuS
  • Andromeda
  • Dorkbot/Ngrbot
  • Advertisement clicking malware
  • Tinba/Zusy
  • Necurs

Those who are interested (!) can hunt down descriptions of all those crafty things, and they'll find what platforms are affected. Those who can't be bothered have already arrived at the same conclusion.

Fox IT provided a schematic of how all this works, and it might provide light entertainment for Windows users munching on their Doritos, but it's unnecessary as you already know the sequence of events.

Fox IT also go into what countries are affected - they're so helpful - but again: that's of no interest whatsoever. What you really need to know is conspicuously not mentioned anywhere.

What We Don't Know (But Will Soon Find Out)

Let's take a look at the payloads listed above. Let's start with ZeuS. What does it say at Wikipedia?

Zeus, ZeuS, or Zbot is Trojan horse computer malware that runs on computers running under versions of the Microsoft Windows operating system.

Trend Micro have a bit on Andromeda. And Andromeda turns out to be a really nasty bastard just like 'ZeuS', infecting your system (of as yet indeterminate origin) with keyloggers, rootkits - in short: all the good stuff that makes life exciting. The Trend screenshot gives a hint of something no one wants to say.

Gee what a grotty interface! But it does look vaguely familiar, doesn't it?

Even the Trend article won't say it outright. You have to be something of a system techie to read between the lines.

It also uses the following native APIs to inject to the normal processes, a technique also seen in DUQU and KULUOZ.

And those 'native APIs'?

  • ZwCreateSection
  • ZwMapViewOfSection
  • ZwResumeThread
  • ZwUnmapViewOfSection

And those four, or all of the APIs beginning with 'Zw', are part of Dave Cutler's NT kernel.
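The four calls above are the section-mapping way of putting code into another process: create a section, map a view of it into the target, optionally unmap what the target had there, then resume a thread in the target. A sandbox or endpoint trace that records those calls with their target process can pick the sequence out, while ignoring the same calls used for an ordinary file mapping inside a single process. The following is an added example (not Trend Micro's, Fox IT's or Rixstep's code); the trace format, the `target_pid` field and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed API trace, one call per line, in a hypothetical sandbox format.
# pid 1200 maps a section into itself (benign); pid 3100 maps into pid 3320.
SAMPLE_TRACE = """\
pid=1200 api=ZwCreateSection handle=0x44 size=0x1000
pid=1200 api=ZwMapViewOfSection section=0x44 target_pid=1200
pid=3100 api=ZwCreateSection handle=0x7c size=0x12000
pid=3100 api=ZwUnmapViewOfSection target_pid=3320
pid=3100 api=ZwMapViewOfSection section=0x7c target_pid=3320
pid=3100 api=ZwResumeThread target_pid=3320
"""

LINE_RE = re.compile(r"pid=(\d+)\s+api=(\w+)(.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_trace(text):
    """Turn trace lines into dicts: {'pid': int, 'api': str, 'args': {k: v}}."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not API records
        pid, api, rest = m.groups()
        calls.append({"pid": int(pid), "api": api, "args": dict(KV_RE.findall(rest))})
    return calls


def find_remote_section_injection(calls):
    """Flag a process that creates a section, maps it into *another* process
    and then resumes a thread in that process. Mapping into one's own process
    (a normal file mapping) never triggers."""
    sections = set()                  # (pid, section handle) created by pid
    stage = defaultdict(set)          # (source pid, target pid) -> stages seen
    findings = []
    for c in calls:
        pid, api, a = c["pid"], c["api"], c["args"]
        tgt = int(a.get("target_pid", pid))
        if api == "ZwCreateSection":
            sections.add((pid, a.get("handle")))
        elif api == "ZwMapViewOfSection":
            if tgt != pid and (pid, a.get("section")) in sections:
                stage[(pid, tgt)].add("mapped")
        elif api == "ZwUnmapViewOfSection":
            if tgt != pid:
                stage[(pid, tgt)].add("unmapped")
        elif api == "ZwResumeThread":
            key = (pid, tgt)
            if tgt != pid and "mapped" in stage[key]:
                findings.append({
                    "source_pid": pid,
                    "target_pid": tgt,
                    # unmapping the target's view first is the stronger signal
                    "unmapped_target_view": "unmapped" in stage[key],
                })
                stage.pop(key, None)
    return findings


if __name__ == "__main__":
    for f in find_remote_section_injection(parse_trace(SAMPLE_TRACE)):
        print(f"pid {f['source_pid']} mapped a section into pid {f['target_pid']} "
              f"and resumed it (target view unmapped first: {f['unmapped_target_view']})")
```

The detector keys on the cross-process relationship rather than on the call names alone, which is what separates the injection pattern from the same four calls used legitimately by a loader or a file-mapping routine.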

The words 'Microsoft' and 'Windows' are not mentioned a single time in either the CNN or Trend articles.

Theoretically this could be because everyone on that side of the fence assumes everyone on the planet is running Microsoft Windows! Theoretically. But look back at what happened when the first big malware epidemic hit the planet in May 2000.

  • The BBC were roundly castigated for not releasing details of the ILOVEYOU worm for over 48 hours. People wanted to know if they were in danger. This was a legitimate concern. The BBC had the details and still refused to release them.

  • The same thing happened in Sweden where Fred Björck hunted the worm back to its origins (and people at a familiar site analysed the code). There was a 48-hour delay before Swedish state media would reveal which platform was affected.

Things like that don't happen by accident. The way the BBC and Swedish state media (and who knows but countless others) embargoed the news was no coincidence.

You can like your Apple device for its cute 'lickable' icons. You can like it because things seem to 'just work'. You can like it because the overall feel is of greater efficiency, greater simplicity.

You can like it because you're a developer and you think Objective-C is the shizzle, or the Apple code classes are the shizzle. You can like it because you're an admin and Unix is always a lot more fun to work with.

But choosing Apple over Microsoft isn't merely a matter of taste. And what we need more than anything, to get our world more secure, is to get the media, wobbly in the knees from the implicit threats emanating from Redmond, Washington, to stop serving the monster and start serving the people.

Copyright © Rixstep. All rights reserved.