Researchers at Malwarebytes have identified malicious code being served through advertisements from Google's DoubleClick ad servers and the Zedo advertising platform. The Times of Israel and The Jerusalem Post were among the sites serving advertisements infected with the Zemot malware, along with the music site Last.fm.
Advertisements on these sites set off anti-virus warnings, raising flags in Malwarebytes' virus detection systems. The ads lead users to sites containing an exploit kit that tries to identify a vulnerable version of Adobe Flash or an unpatched version of Microsoft Internet Explorer.
It's important to remember legitimate Web sites "entangled in this malvertising chain are not infected," Jerome Segura, a senior security researcher with Malwarebytes, wrote in a blog post. "The problem comes from the ad network agency itself."
Microsoft identified the Zemot malware earlier this month. The malware affects machines that are running some versions of Windows.
Zedo has spent years trying to identify and stop this type of malware in advertisements, establishing processes and procedures. "Zedo is a leader in the anti-malvertising world, and always has been," says a spokesperson for the company. "We immediately traced the problem and resolved it. Everything's clear now. These incidents are not what we'd like to happen, and we address them as soon as they come to our attention, including pulling people out of bed and away from travel."
Malwarebytes researchers last detected the malicious redirection during the weekend. DoubleClick officials could not be reached for comment.
Earlier this month, Cisco Systems also identified malware being served through ads. The malware hit Amazon, YouTube, and Yahoo, per Cisco. The advertisements redirected the user to a different Web site, triggering a malware download on a computer running Windows or Apple's OS X. Some 74 domains were affected.
The malvertising nickname "Kyle and Stan" comes from the naming scheme that attackers use for the domains that distribute the major part of their malware. In this case, all the domains directly associated with the attackers are hosted by Amazon and use a privacy protection service to keep their identity protected. The goal is to infect Windows and Mac users with spyware, adware and browser hijackers.
"The large number of domains allows the attackers to use a certain domain just for a very short time, burn it and move on to use another one for future attacks," wrote Armin Pelkmann, researcher at Talos Security Intelligence and Research Group. "This helps avoiding reputation and blacklist based security solutions. We are facing a very robust and well-engineered malware delivery network that won't be taken down until the minds behind this are identified."
UPDATE: A Google spokesperson responded to a request for comment. "Our team took steps to shut this down immediately after it was discovered," she said.