According to Fox-IT, a security product and service company in the Netherlands, computers visiting yahoo.com on January 3 were served malware from the Yahoo ad network (ads.yahoo.com).
Fresh analysis indicates that Yahoo has a handle on the problem and that the attack traffic has decreased substantially.
[UPDATE 1/5/2014 8PM EST: Yahoo issued an updated statement:
"At Yahoo, we take the safety and privacy of our users seriously. From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines -- specifically, they spread malware. On January 3, we removed these advertisements from our European sites. Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected. Additionally, users using Macs and mobile devices were not affected.
We will continue to monitor and block any advertisements being used for this activity. We will post more information for our users shortly."]
The ads were in the form of IFRAMEs hosted on the following domains:
- blistartoncom.org (22.214.171.124), registered on 1 Jan 2014
- slaptonitkons.net (126.96.36.199), registered on 1 Jan 2014
- original-filmsonline.com (188.8.131.52)
- funnyboobsonline.org (184.108.40.206)
- yagerass.org (220.127.116.11)
The ads redirect the user to a site using the Magnitude exploit kit, all of which appears to come from a single IP address in the Netherlands. (Perhaps this relates to why Fox-IT's customers were affected so quickly.)
The exploit kit at the site exploits vulnerabilities in Java on the client to install a variety of malware:
- Advertisement clicking malware
Fox-IT's research shows that 83% of the attacks were in Romania, Great Britain, France and Pakistan, and none in the US. They speculate that the distribution reflects which Yahoo! ads were affected.
Fox-IT recommends blocking the 192.133.137/24 and 193.169.245/24 subnets until further information is available.
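As an added example (not code from Fox-IT or from the original post), the following sweeps proxy log lines for the indicators above: the five ad-hosting domains (including subdomains) and the two /24 subnets Fox-IT recommended blocking. The log format and the sample lines are constructed for the example; the only real values are the domains and subnets quoted in the post.

```python
import ipaddress
import re

# Indicators quoted in the post: ad-hosting domains and the /24s Fox-IT said to block.
MALVERTISING_DOMAINS = {
    "blistartoncom.org", "slaptonitkons.net", "original-filmsonline.com",
    "funnyboobsonline.org", "yagerass.org",
}
BLOCKED_SUBNETS = [
    ipaddress.ip_network("192.133.137.0/24"),
    ipaddress.ip_network("193.169.245.0/24"),
]

# Constructed sample log (hypothetical format: timestamp client method url dest-ip).
# Destination addresses other than the blocked ranges are documentation-range placeholders.
SAMPLE_LOG = """\
2014-01-03T10:12:01Z 10.0.0.5 GET http://www.yahoo.com/ 203.0.113.10
2014-01-03T10:12:02Z 10.0.0.5 GET http://blistartoncom.org/ad.html 192.133.137.56
2014-01-03T10:12:03Z 10.0.0.5 GET http://cdn.example.net/jquery.js 198.51.100.20
2014-01-03T10:12:04Z 10.0.0.7 GET http://sub.yagerass.org/x 193.169.245.201
2014-01-03T10:12:05Z 10.0.0.9 GET http://example.org/ 193.169.244.5
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def host_of(url):
    """Extract the host part of a URL (scheme and path stripped, lower-cased)."""
    return url.split("://", 1)[-1].split("/", 1)[0].lower()


def matches_domain(host):
    """True if host is one of the listed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in MALVERTISING_DOMAINS)


def in_blocked_subnet(ip_str):
    """True if the address falls inside one of the recommended block ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_SUBNETS)


def find_hits(log_text):
    """Return (client, host, dest_ip, reason) for each line touching an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, _method, url, dest = m.groups()
        host = host_of(url)
        reasons = [r for r, ok in (("domain", matches_domain(host)),
                                   ("subnet", in_blocked_subnet(dest))) if ok]
        if reasons:
            hits.append((client, host, dest, "+".join(reasons)))
    return hits
```

Note that 193.169.244.5 in the sample is one octet outside the recommended /24 and is correctly not flagged; CIDR membership, not a string prefix, decides.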
Hat tip to the Internet Storm Center at the SANS Institute. One commenter on that post notes that the two IP addresses appear to be in the Netherlands and California, but controlled by a Russian.
Don't confuse Fox-IT with Foxit, which makes tools for working with PDF files.