"The poison ad infiltration method is growing in popularity because it does not require users to click on anything," Jiri Sejtko, a senior virus analyst at Avast, stated, explaining: "Users can get infected just by reading their favorite newspaper or by doing a search on popular topics; the infection begins just after the infected ad is loaded by the browser."
The new strain of malware is the latest in an ongoing progression of malware distributed through online advertising sources, a practice that has been dubbed "malvertising." In recent months, the perpetrators of such attacks have grown more brazen and ingenious in their efforts to use advertising, advertisers and even agencies as a new vector for distributing their malicious code. That code often launches a variety of attacks, some of which can infect personal computer operating systems to steal personal identities or for other nefarious purposes.
The ALWIL team said it has found that the infected ads are placing malware and viruses on the computers of people visiting leading Web sites such as Google and Yahoo, and that some of the biggest and most popular ad delivery platforms have been the "most compromised," including Yahoo's Yieldmanager.com and Fox Audience Network's Fimserve.com.
"The list of poisoned ad services is extensive and includes advertangel, bannering, jambovideonework, myspace, vestraff and zedo," they said. "DoubleClick, an advertising server affiliated with Google, is ranked fifth in the Avast Virus Lab list of infected servers by rate of infection."
The ALWIL researchers described the JS:Prontexi code as a new kind of "vector," which acts as a channel for malware attacks on vulnerable software such as Adobe's and "a range of zero-day exploits." "JS:Prontexi highlights the lack of care shown by advertising service providers to actively screen the content they are distributing," Sejtko asserted. "Serving up infected content like this is a double hazard for advertising companies. In addition to reducing consumer trust in their services, they run the risk of being flagged or even blocked by antivirus programs as a source of malware."
ALWIL said a surge of JS:Prontexi attacks began in February, but said its Avast program has updated its virus databases to fully protect against the new vector. Details of the ALWIL research, including various trace files, can be found on the Avast blog.