
Antivirus and malware researchers say they have discovered a "widespread campaign" that is infecting the display ads served by leading online publishers and advertising services, including Google, Yahoo and Fox. The researchers at ALWIL Software, the Prague-based developers of the Avast antivirus software, have identified the new strain of malware as "JS:Prontexi," and said it is JavaScript code that enables malware attacks to spread via advertising distributed by mainstream publishers and ad-serving systems.
"The poison ad infiltration method is growing in popularity because it does not require users to click on anything," Jiri Sejtko, a senior virus analyst at Avast, stated, explaining: "Users can get infected just by reading their favorite newspaper or by doing a search on popular topics; the infection begins just after the infected ad is loaded by the browser."
The new strain of malware represents the latest in an ongoing progression of malware being distributed by online advertising sources, a practice that has been dubbed "malvertising." In recent months, the perpetrators of such attacks have grown more brazen and ingenious in their efforts to use advertising, advertisers and even agencies as a new vector for distributing their malicious code, which often launches a variety of attacks, some of which can infect personal computer operating systems to steal personal identities or for other nefarious purposes.
The ALWIL team said it has found that the infected ads are placing malware and viruses on the computers of people visiting leading Web sites such as Google and Yahoo, and that some of the biggest and most popular ad delivery platforms have been the "most compromised," including Yahoo's Yieldmanager.com and Fox Audience Network's Firmerve.com.
"The list of poisoned ad services is extensive and includes advertangel, bannering, jambovideonework, myspace, vestraff and zedo," they said. "DoubleClick, an advertising server affiliated with Google, is ranked fifth in the Avast Virus Lab list of infected servers by rate of infection."
The ALWIL researchers described the JS:Prontexi code as a new kind of "vector," which acts as a channel for malware attacks on vulnerable software such as Adobe and "a range of zero-day exploits." "JS:Prontexi highlights the lack of care shown by advertising service providers to actively screen the content they are distributing," Sejtko asserted. "Serving up infected content like this is a double hazard for advertising companies. In addition to reducing consumer trust in their services, they run the risk of being flagged or even blocked by antivirus programs as a source of malware."
ALWIL said a surge of JS:Prontexi attacks began in February, but said its Avast program has updated its virus databases to fully protect against the new vector. Details of the ALWIL research, including various trace files, can be found on the Avast blog.