Ads poisoning – JS:Prontexi

From the avast! blog.

Article

 

Re: Ads poisoning – JSrontexi

Thanks for the article.

These types of exploits seem to come and go in waves! I have in my notes an earlier one from 2004:

IFRAME Exploit Spreading Through Banner Ads
http://news.netcraft.com/archives/2004/11/21/iframe_exploit_spreading_through_banner_ads.html

It's a huge problem today, where many sites depend on an outside advertising service to supply ads, and hackers inject code into the ads before they are displayed on the site. The site depends on the outside service to monitor the ads, and here is where something breaks down.

For individual users: while this statement from the article seems ominous,

"might" goes a long way, because the exploits are the usual stuff,

I've asked if this particular exploit is a redirection one. If so, then configuring Javascript per site nullifies it at the gate. This means that if you have Javascript enabled for your newspaper site, being redirected to a malware server will put you on a page where scripting is not enabled, and the Javascript code will not run.

The second line of defense would be protection against the normal types of payloads delivered by PDF exploits and the like: trojan executables.

----
rich

 

I just joined after Googling it; I can't access the folder to where it may be contained, but it's Prontexi-P.

My name's Kegan, and I first noted the virus through MegaUpload where I was downloading an audio file through IE; for some reason, out of the blue, I am also unable to use MU via Firefox like I used to.

I've never cared for IE, but when this popped up through Avast! I nearly spilled my coffee. Is there any method of removal?

Thanks - Kegan

 

Re: Ads poisoning – JSrontexi

Rmus, would you say that this payload is delivered through Adobe-centric exploits? I.E. does an unpatched version of Reader need to be present for the PDF exploit to be leveraged, a la 'Aurora'? Or is delivery and installation of malware likely even in the absence of vulnerable PDF readers?

In other words, what's the component of this attack that does the installing? The javascript, or the PDF exploit?

Trying to keep myself safest! Javascript on a per-site whitelist seems best for now.

 

1.What folder are you trying to access?
2.What message does Firefox provide?
3.If Avast! detected it soon after visiting the website, you're probably not infected. The javascript file is probably just something that starts the infection - download the trojan and execute it - not the infection itself. If Avast detected the js upon viewing the website, it probably just blocked/deleted the js.
I say probably, not definitely. Try asking at the Avast! forums.

 

Re: Ads poisoning – JSrontexi

I don't know, because not enough details have been provided. All we know is from the first line of the Avast blog, quoted by tgell in the first post.

I posted a comment to the analyst Jiri Sejtko's blog asking for more details, but he has not responded.

Vendors use their own names for malware, so until other vendors pick up this exploit which Avast calls JS: Prontexi, we are stuck with Avast's information.

It's strange that no one else has picked up on this, because Avast asserts in the blog,

Yet I've not seen any other mention of an increase in ad poisoning. Search for "ad poisoning" and all that comes up is the Avast blog.

So, we'll have to just wait for more information.

Meanwhile,

That would seem to be a good practice!

----
rich

 

It's music from a blog site, but as I said, for some reason FF will no longer download from MegaUpload properly - I get the 'unexpected end of archive' for RAR files, so I turned to IE which worked.

Now every time I access IE, I get the Avast warning, and it simply puts it in the chest - I have one virus locked, and I was able to move the other to my desktop, but not to the Avast folder.

I'm going to let my IT guy look at it, but he's on hiatus due to a death in the family, so it'll be awhile. As the trojan only pops up in IE, I'm not too worried, but I would love to know why MegaUpload no longer downloads via Firefox.

I suppose I could reinstall Chrome and try that, but for now, I'll just keep pushing it aside, and warn bloggers on Blogger about it.

Always something new...sigh. IE is also crashing itself, with some generic error message...you know 00000X something or other.

Just be careful, guys.

 

Update

I received a response from the Avast analyst, Jiri Sejtko:

http://blog.avast.com/2010/02/18/ads-poisoning-–-jsprontexi/#comment-3379

So, it's a simple redirection exploit. There are at least two possibilities for PDF exploit code:

1) Javascript/Plugin.

Typical code would be:



The user would be protected by

• by having javascript configured "per site" in the browser
  
• or, having the PDF plugin disabled in the browser.

2) I-frame. The Reader would start to open:



and then the PDF file would appear in the inline frame, and any malicious code would run automatically:



The analyst did not respond to my question as to whether i-frame is used in the exploit code.

Note that he also refers to:

With no specifics about the other vulnerabilities, a good guess would be IE exploits, or other media file exploits -- both of which are in the "toolkits" used by cybercriminals.

----
rich