EyeWonder malware incident affects popular web sites

In the last couple of hours, visitors to popular, high-traffic web sites such as CNN, BBC, Washington Post, Gamespot, WorldOfWarcraft, Mashable, Chow.com, ITpro.co.uk, AndroidCommunity, Engadget and Chip.de have started reporting that parts of those sites are unreachable because of malware warnings triggered by content from the EyeWonder interactive digital advertising provider.

Let's assess the butterfly effect of a single malware incident affecting an ad network whose ads get syndicated across the entire Web.

What started as "we have been mistakenly flagged as malware" briefly turned into an acknowledged malware incident: "appears the EW.com domain was potentially maliciously "hacked" causing these errant and erroneous alerts to appear".

Is the EyeWonder attack a typical malvertising campaign, where malicious content is pushed onto legitimate sites through the ad network, or did the company's own web site get compromised in the ongoing ColdFusion web site compromise attack?

Sadly, it could be an indication of both. I managed to reproduce the actual exploit-serving attack at the Washington Post using the exact link given by an affected reader in the comments on the article. However, what appears to have triggered the badware alert is a compromise of the EyeWonder site itself.

According to Google's SafeBrowsing advisory for EyeWonder, the exploits were hosted on domains that are currently active and participating in the ColdFusion injection attack, namely elfah .net, 2ici .cn and javazhu.3322 .org; the same domains were also used to compromise Pakistan's Telecommunication Authority.

Using a RealPlayer Import stack overflow exploit and a second exploit attempting a QVOD Player URL overflow, the cybercriminals then attempt to push eight different malware samples. Detection rates for the droppers are improving.

Interestingly, one of the malware samples attempts to download an updated list of malware binaries by connecting to a compromised Italian site (betheboss.it) that is itself part of the ColdFusion injection attacks, since it appears to have been exploited in the same way.

This malware incident demonstrates how a single exploitation of a trusted third-party content or ad-serving vendor can undermine not only the vendor's own credibility but potentially that of every site using the network. And since the ads on the affected sites are dynamically served through different networks, it remains questionable whether it was in fact EyeWonder that served the malicious content, or a compromised partner of the network itself.

Case in point: the partnership between Facilitate Digital and EyeWonder is implemented in a very insecure fashion, with EyeWonder's front page carrying a permanent iFrame tag that loads a domain (adsfac.us) belonging to Facilitate Digital. Whatever that domain serves, including content from a compromised partner, renders as part of EyeWonder's own page.
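To make that third-party exposure concrete, here is an added example (mine, not code from the article or from EyeWonder) that walks a page's HTML, lists every host it pulls iFrames, scripts and images from, marks which of those are third-party relative to the page, and matches them against a blocklist under two scoping rules: exact host, or the whole registrable domain. The sample page, the blocklist and the injected elfah .net iFrame are constructed for the demo; only the adsfac.us iFrame on EyeWonder's front page, the cdn1.eyewonder.com host a commenter names, and the three exploit domains come from this post and its comments. The domain-wide rule reproduces the effect readers complain about in the comments: listing www.eyewonder.com also catches cdn1.eyewonder.com.

```python
"""Audit the third-party includes on a web page and check them against a
blocklist with two scoping rules (exact host vs. whole registrable domain).
Added example for this article; the sample page below is constructed, not a
capture of eyewonder.com."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class IncludeCollector(HTMLParser):
    """Collect the src/data URLs of tags that pull remote content into a page."""

    TAGS = {"iframe": "src", "script": "src", "embed": "src",
            "object": "data", "img": "src"}

    def __init__(self):
        super().__init__()
        self.includes = []          # list of (tag, url) in document order

    def handle_starttag(self, tag, attrs):
        wanted = self.TAGS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.includes.append((tag, value))


def registrable(host):
    """Approximate eTLD+1 by keeping the last two labels. Good enough here,
    but note the caveat: for javazhu.3322.org this yields 3322.org, a dynamic
    DNS provider, so real tooling should consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def same_site(host, other):
    return registrable(host) == registrable(other)


def host_blocked(host, blocklist, scope):
    """scope='host'   -> flag only the exact host named in the list
       scope='domain' -> flag every host sharing the registrable domain
                         (listing www.eyewonder.com then also catches
                         cdn1.eyewonder.com, which lives on other servers)"""
    host = host.lower()
    for entry in blocklist:
        if scope == "host" and host == entry.lower():
            return True
        if scope == "domain" and same_site(host, entry):
            return True
    return False


def audit(html, page_url, blocklist, scope="domain"):
    """Return one finding per include: which host it loads from, whether that
    host is third-party relative to the page, and whether it is blocked."""
    page_host = urlsplit(page_url).hostname.lower()
    collector = IncludeCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.includes:
        parts = urlsplit(url)
        if parts.scheme in ("javascript", "data"):
            continue                                    # inline, not a remote fetch
        host = (parts.hostname or page_host).lower()    # relative URL -> same host
        findings.append({
            "tag": tag,
            "host": host,
            "third_party": not same_site(host, page_host),
            "blocked": host_blocked(host, blocklist, scope),
        })
    return findings


# Constructed sample: a front page on www.eyewonder.com with the adsfac.us
# iFrame the article mentions, a script from the cdn1 host a commenter names,
# and an ASSUMED injected iFrame pointing at one of the exploit domains from
# Google's advisory. The markup itself is invented for the demo.
PAGE_URL = "http://www.eyewonder.com/"
SAMPLE_HTML = """<html><head>
<script src="http://cdn1.eyewonder.com/ads/ew.js"></script>
</head><body>
<iframe src="http://adsfac.us/ag.aspx?x=1" width="1" height="1"></iframe>
<iframe src="http://elfah.net/in.php" width="0" height="0"></iframe>
<img src="/images/logo.png">
</body></html>"""

# The host the comments say was actually compromised, plus the exploit
# domains named in the article.
BLOCKLIST = ["www.eyewonder.com", "elfah.net", "2ici.cn", "javazhu.3322.org"]


if __name__ == "__main__":
    for scope in ("host", "domain"):
        print(f"--- scope={scope}")
        for f in audit(SAMPLE_HTML, PAGE_URL, BLOCKLIST, scope):
            party = "3rd-party" if f["third_party"] else "same-site"
            flag = "BLOCKED" if f["blocked"] else "ok"
            print(f"{f['tag']:7} {f['host']:22} {party:10} {flag}")
```

Under the host rule only www.eyewonder.com and elfah.net are flagged; under the domain rule cdn1.eyewonder.com is flagged too, even though the page itself treats it as same-site. The registrable() shortcut is the weak spot: for hosts under a dynamic DNS provider like 3322.org it would lump unrelated customers together, which is why production code uses the Public Suffix List.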

For the time being, EyeWonder.com remains down for maintenance.

Topics: Browser, Malware, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

18 comments
  • Ads were not affected. It was Eyewonder.com's CMS that was affected

    I have been told that it was actually the www.eyewonder.com only that was hacked, which is a different subdomain than what the ads run on and there is no way that it could have affected any ads since they are on different servers than their marketing site, etc (run a traceroute on cdn1.eyewonder.com to see it's different than www.eyewonder.com). Unfortunately, Google was overzealous and blocked ALL eyewonder.com subdomains, causing the error to get thrown up in other places on certain versions of Firefox and Chrome. Google should have been more careful to limit their flag to only the subdomain that was affected, and this is an obvious bug in Google's functionality. Please get in touch with Google to make their malicious software warnings only for the domain that was affected to prevent the mess that Google caused from happening again.
    oneuptwodown
    • More Info On EyeWonder CMS

      Do you have any more info on how the EyeWonder CMS system was the launchpad of the attack payloads?
      Compromised account or CMS system insecurity?
      CMS systems are theoretically great targets because they can automatically distribute the payload (like here), but I have not heard of any successful attacks in the wild, so any extra info appreciated.
      McRiskman
  • RE: EyeWonder malware incident affects popular web sites

    oneuptwodown wrote: "Please get in touch with Google to
    make their malicious software warnings only for the domain
    that was affected to prevent the mess that Google caused
    from happening again."

    Why don't you "get in touch with Google"?
    I see, you're too busy writing anti-Google propaganda for
    Microsoft.
    zato_3
    • try to

      Well, I hate to gloat being a "Microsoft fan" and all, though Internet Explorer wasn't affected because it wasn't using Google's database.

      Contact Google? Go to their malware section (through the Firefox bar) and try to find a way to contact them. The only place you can reach out is on the forum and the response probably won't come over the 4th of July weekend.

      Now, I am not saying I don't appreciate the service Google is doing, though I think they could have thought twice before making it so their automated solution blanket flags all domains in a network when only one is affected. I figure most of the time it's some obscure site out in Russia or China or something and not a huge publisher or network so Google probably hasn't identified this issue with their solution before.
      oneuptwodown
    • get in touch with Google.

      the last time i tried to get in touch with Google they answered 3 months later!. and not even giving a real solution.

      magallanes
  • RE: EyeWonder malware incident affects popular web sites

    From what I know, it affected some versions of Chrome and Firefox, so if using other browsers on Mac or Linux (such as Safari), or Firefox 3.5 which would silently block the Javascript, then it won't be affected.
    oneuptwodown
  • RE: EyeWonder malware incident affects popular web sites

    Hmmm... Go to eyewonder.com and it's unblocked, so apparently making their home page "down for maintenance" must have done it which supports Dancho's theory that their website got compromised by a Coldfusion security hole and it wasn't a malvertising attack.

    I bet everyone out there is thinking, "I'm glad this didn't happen to me" -- I know I am. Just one application on one subdomain of many for a larger publisher, ad network, or 3rd party content provider can cause all subdomains to be blocked, even when all other subdomains probably are on different servers and not affected. This underscores how scary it is -- it could have happened to anyone. For instance, Coldfusion is a very popular CMS and I wonder how many sites out there are at risk due to these Coldfusion vulnerabilities. Consider some video and file hosting services that differentiate accounts based on subdomain.

    I think it makes more sense just to block the offending subdomain and not every subdomain.
    oneuptwodown
  • RE: EyeWonder malware incident affects popular web sites

    The EyeWonder.com domain was mislabeled. The issue has been resolved. Our ad delivery system and website are fully operational.
    EyeWonder
    • Another mis-spelling hack?

      I remember that crackers are registering domains of mis-spelled domains to take advantage of people's mis-spelling.
      However, we in the server community need to make sure that we spell everything correctly to prevent this from happening and embarrassing ourselves.
      phatkat
  • RE: EyeWonder malware incident affects popular web sites

    Well, all must be well. I just got an EyeWonder-served ad for Trend Micro while reading this string on ZDNet.
    OLAG
  • Thanks for the article

    as it caused me to add *eyewonder.com* to my AdBlock Plus filter list.
    Problem solved.
    davebarnes
  • Proof Reading

    Good information.
    Could you proof read your articles?
    mstry9comcast
    • Ummm...

      I believe that the question should be [u]would[/u] you proof read your articles?

      Although "could" is also probably correct as well. (Ooo...snarky!)

      OldTechie
  • RE: EyeWonder malware incident affects popular web sites

    Nice information that very good
    emmaelle