Yahoo serves malicious ads

Summary: [UPDATED with Yahoo! statement] IFRAMEs injected into Yahoo! ads which served Java-exploiting malware. Yahoo! appears to have put an end to the attacks, at least for now.

TOPICS: Security

According to Fox-IT, a security product and service company in the Netherlands, computers visiting on January 3 were served malware from the Yahoo ad network (

Fresh analysis indicates that Yahoo has a handle on the problem and that the attack traffic has decreased substantially.

[UPDATE 1/5/2014 8PM EST: Yahoo issued an updated statement:

"At Yahoo, we take the safety and privacy of our users seriously.  From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines -- specifically, they spread malware. On January 3, we removed these advertisements from our European sites. Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected.  Additionally, users using Macs and mobile devices were not affected.

We will continue to monitor and block any advertisements being used for this activity.  We will post more information for our users shortly."]

The ads were in the form of IFRAMEs hosted on the following domains:

  • (, registered on 1 Jan 2014
  • (, registered on 1 Jan 2014
  • (
  • (
  • (

The ads redirect the user to a site hosting the Magnitude exploit kit; all of that traffic appears to come from a single IP address in the Netherlands. (Perhaps this relates to why Fox-IT's customers were affected so quickly.)

The exploit kit at the site exploits vulnerabilities in Java on the client to install a variety of malware:

  • ZeuS
  • Andromeda
  • Dorkbot/Ngrbot
  • Advertisement clicking malware
  • Tinba/Zusy
  • Necurs

Fox-IT's research shows that 83% of the attacks were in Romania, Great Britain, France and Pakistan, with none in the US. They speculate that the distribution is a function of which Yahoo! ads were affected.

Fox-IT recommends blocking the 192.133.137.0/24 and 193.169.245.0/24 subnets until further information is available.
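As an added example (not code from the article or from Fox-IT), the following script turns the two indicators above into a log sweep: it flags proxy log lines whose destination address falls inside either recommended /24, and lines whose requested host was registered only days before the request, as the ad IFRAME domains were. The log line format, the hostnames and the registration-date table are constructed for the example; only the two subnets come from the article.

```python
"""
Added example: flag web-proxy log lines that match the indicators in the
article. Two checks are applied:

  1. destination address inside one of the two /24 ranges Fox-IT suggested
     blocking (192.133.137.0/24 and 193.169.245.0/24), and
  2. a requested host whose registration date is within a few days of the
     request, mirroring the ad IFRAME domains registered on 1 Jan 2014.

The log format, hostnames and WHOIS table are constructed for the example.
"""
import ipaddress
import re
from datetime import datetime, date

# Subnets recommended for blocking (from the article).
BLOCKED_NETS = [
    ipaddress.ip_network("192.133.137.0/24"),
    ipaddress.ip_network("193.169.245.0/24"),
]

# Constructed "WHOIS" lookup: domain -> registration date. In practice this
# would come from a WHOIS/RDAP query or a domain-age threat feed.
REGISTRATION_DATES = {
    "ad-cdn.example": date(2014, 1, 1),   # hypothetical, freshly registered
    "news.example": date(2005, 6, 14),    # hypothetical, long established
}

# A domain registered within this many days of the request counts as "new".
MAX_DOMAIN_AGE_DAYS = 7

# Constructed log line format: <timestamp> <client_ip> <method> <url> <dest_ip>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<dest>\S+)$"
)


def dest_in_blocked_net(dest_ip: str) -> bool:
    """True if dest_ip falls inside one of the blocked /24 ranges."""
    try:
        addr = ipaddress.ip_address(dest_ip)
    except ValueError:
        return False  # not an IP literal at all; nothing to match
    return any(addr in net for net in BLOCKED_NETS)


def host_of(url: str) -> str:
    """Extract the lower-cased host part of an http(s) URL."""
    m = re.match(r"^https?://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def newly_registered(host: str, seen: date) -> bool:
    """True if the host was registered within MAX_DOMAIN_AGE_DAYS before 'seen'."""
    reg = REGISTRATION_DATES.get(host)
    if reg is None:
        return False  # unknown domain: no registration data, no verdict
    return 0 <= (seen - reg).days <= MAX_DOMAIN_AGE_DAYS


def flag_requests(lines):
    """Return (timestamp, client, url, reasons) for every suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        seen = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").date()
        reasons = []
        if dest_in_blocked_net(m["dest"]):
            reasons.append("dest in blocked subnet")
        if newly_registered(host_of(m["url"]), seen):
            reasons.append("newly registered domain")
        if reasons:
            hits.append((m["ts"], m["client"], m["url"], reasons))
    return hits


# Constructed sample log lines; the two addresses inside the /24s are chosen
# to exercise the subnet check, the rest use documentation ranges.
SAMPLE_LOG = [
    "2014-01-03T10:15:02 10.0.0.12 GET http://news.example/index.html 203.0.113.5",
    "2014-01-03T10:15:03 10.0.0.12 GET http://ad-cdn.example/ad.html 203.0.113.9",
    "2014-01-03T10:15:04 10.0.0.12 GET http://ad-cdn.example/r.php 192.133.137.56",
    "2014-01-03T10:15:05 10.0.0.12 GET http://news.example/a.js 193.169.245.78",
    "garbage line that should not match",
]

if __name__ == "__main__":
    for ts, client, url, reasons in flag_requests(SAMPLE_LOG):
        print(f"{ts} {client} {url}: {', '.join(reasons)}")
```

Run against the constructed sample, three of the five lines are flagged: the ad IFRAME fetch (new domain), the redirect into the blocked range (both reasons), and a fetch from the second blocked range. The domain-age check is the more durable of the two, since exploit-kit landing IPs rotate faster than freshly registered throwaway domains age out.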

Hat tip to the Internet Storm Center at the SANS Institute. One commenter on that post notes that the two IP addresses appear to be in the Netherlands and California, but controlled by a Russian.

Don't confuse Fox-IT with Foxit, which makes tools for working with PDF files.

  • Would disabling Java in the browser prevent this malware ...

    Would disabling Java in the browser prevent this malware from infecting a machine?
    • Yup.

      "The exploit kit at the site exploits vulnerabilities in Java on the client . . ."


      My advice: If you don't use Java apps, uninstall. If you do use Java apps, disable the browser plugins.
      • Once again they "forget" to mention the operating system of those machines

        But I will tell you: Microsoft Windows. W-I-N-D-O-W-S.
        • They didn't forget to mention anything

          it's irrelevant to the story. Been down that road before.

          Nice try at the misdirection, though. Now you can go wet your pants.
      • Or you can keep Java current and run AV

        Presumably known malware programs like this list are blocked by any decent antimalware program. I know I see at least one every year get blocked by my favorite solution and have always assumed they were triggered by ads.
    • And so the Redmond propaganda machines started to work...

      ... hide the real reason. The real reason is of course that pathetic Windows system.
      Napoleon XIV
  • Don't install Java.

    Friends don't let friends install Java.
    The one and only, Cylon Centurion
    • Let's say it together

      • LOL! You're actually scared of Microsoft.

        That's really funny, and sad at the same time.

        Now, what sites are always hacked to deliver these exploits? Let's say this together - Linux. L-I-N-U-X.

        that was too easy.
      • Dear Sir

        Is it time to start acting like an adult?
  • Firefox and Noscript

    How many times do people have to be told ?
    Alan Smithie
    • How many times do people have to be told ?

      Too many times. Many of them never learn the lesson: Don't ever use Windows. It's malware, spyware and crapware.
      Napoleon XIV
      • How many times do you people have to be told, Napoleon XIV

        Shills and trolls like you are not welcome. I'd ask you to control your fear, but that would be asking too much.

        Now go back to your cartoons.

  • -

    Yahoo! - enough said.
    • Agreed

      How many times has Yahoo been exploited? Personally I have done over 10 myself: adding a redirect URL to the end of a genuine Yahoo URL (&sk=&redirect=http:// Your attack URL) and adding that in between the Yahoo fields through the YMSG protocol would send your Y & T cookies used for authentication straight to any server of your choice. Yep, it was that easy. How long did it take them to fix it? Over 3 weeks.
      I rest my case.
  • un-authorized os update

    any O/S that allows itself to be infected by an app program is unacceptable.

    beyond that we need the ability to regulate what various app programs are allowed to access. check into AppArmor.
  • The Bigger Issue

    The problem is when a site owner allows third-party ads. I see the same problem on other sites, especially fan sites that are not keeping tabs on the ads running on their sites, for example and a fandom site that ran "update for your browser" malware ads. The solution is not to allow any ads (like on my blogs), or at the least only static graphic ads, not interactive Java, VB, pop-up, or JavaScript ads.
  • Yahoo

    Yahoo is sooooo 20th century....enough said!