“Bad”-a Bing: Search Site Ads are Serving Up Malware

Sirefef is a ZeroAccess variant

It’s not a new vector: Sirefef, which is a ZeroAccess variant, was also used in malicious Bing ads back in March 2013, the firm said. It turns machines into bots for Bitcoin mining and adware scams.

“We’re seeing our old friend ‘rogue ads in Bing’ doing the rounds,” Chris Boyd, a senior researcher at ThreatTrack Security, said in a blog. “Should you go searching for ‘YouTube’ and click on the rogue ad (in this case, the one in the bottom right hand corner under ‘Ads related to YouTube’), you’ll be taken to a site which redirects to an exploit.”

Boyd found dozens of redirectors tied to a basic YouTube search alone, and he noted that the scammers behind the gambit could well be targeting other keywords too. When searching for YouTube, he turned up a host of infected sites, including MyVideosSite, correctweathersite, enterfreegames and myyoutubechannel, among others.

“It seems likely that at least some of the [re-directors] were compromised sites, and some of them appear to be back to normal and/or offline at time of writing,” he said. “End-users would be redirected from the [site] to a dynamic DNS service Hopto.org subdomain, with the exploit domain resting on the IP 109.236.81.176.”
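The chain Boyd describes (search ad click, compromised redirector, dynamic-DNS subdomain, exploit host) is the kind of sequence a web-proxy log can surface. The following is an added example, not code from the article or from ThreatTrack: it parses a handful of constructed proxy log lines and flags both plain indicator matches and multi-hop chains that start from a search-engine referer. The only values taken from the article are the Hopto.org dynamic-DNS suffix and the IP 109.236.81.176; the log format, client addresses, the `redirector.example` hostname and the `abc123` subdomain label are all assumptions made up for the example.

```python
"""Flag search-ad redirect chains ending on a dynamic-DNS host or known exploit IP.

Added example (not the article's or ThreatTrack's code). The log format, client
IPs and hostnames below are constructed; only hopto.org and 109.236.81.176 come
from the article.
"""
import re
from datetime import datetime
from urllib.parse import urlsplit

# Indicators named in the article.
DYNDNS_SUFFIXES = ("hopto.org",)
EXPLOIT_IPS = {"109.236.81.176"}
# Search engine whose ads were abused; a click shows up as a referer from here.
SEARCH_HOSTS = ("bing.com",)

# Constructed proxy log line: "<iso-ts> <client> <dst_host> <dst_ip> <status> referer=<url|->"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<ip>\S+) "
    r"(?P<status>\d{3}) referer=(?P<ref>\S+)$"
)

# Constructed sample: client 10.0.0.5 follows the full chain, 10.0.0.7 clicks a
# legitimate result, 10.0.0.9 hits the exploit host with no search referer.
SAMPLE_LOG = """\
2013-11-05T10:00:01 10.0.0.5 www.bing.com 203.0.113.1 200 referer=-
2013-11-05T10:00:02 10.0.0.5 redirector.example 198.51.100.10 302 referer=http://www.bing.com/search?q=youtube
2013-11-05T10:00:03 10.0.0.5 abc123.hopto.org 109.236.81.176 200 referer=http://redirector.example/
2013-11-05T10:00:04 10.0.0.7 www.bing.com 203.0.113.1 200 referer=-
2013-11-05T10:00:05 10.0.0.7 www.youtube.com 203.0.113.2 200 referer=http://www.bing.com/search?q=youtube
2013-11-05T10:00:06 10.0.0.9 abc123.hopto.org 109.236.81.176 200 referer=-
"""


def parse_log(text):
    """Turn log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["ref_host"] = urlsplit(ev["ref"]).hostname if ev["ref"] != "-" else None
        events.append(ev)
    return events


def host_matches(host, suffixes):
    """True if host equals a suffix or is a subdomain of it (no substring matches)."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def is_suspicious(ev):
    """Return a reason string if the destination matches an indicator, else None."""
    if ev["ip"] in EXPLOIT_IPS:
        return "known exploit IP"
    if host_matches(ev["host"], DYNDNS_SUFFIXES):
        return "dynamic-DNS host"
    return None


def ioc_hits(events):
    """Single-event matches: any request to an indicator host or IP."""
    hits = []
    for ev in events:
        reason = is_suspicious(ev)
        if reason:
            hits.append((ev["client"], ev["host"], ev["ip"], reason))
    return hits


def ad_redirect_chains(events, window_seconds=10):
    """Chains: search-referred request, then a request referred by that host
    landing on an indicator, same client, within a short time window."""
    by_client = {}
    for ev in events:
        by_client.setdefault(ev["client"], []).append(ev)
    findings = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            if not (first["ref_host"] and host_matches(first["ref_host"], SEARCH_HOSTS)):
                continue  # not a click out of search results
            for nxt in evs[i + 1:]:
                if (nxt["ts"] - first["ts"]).total_seconds() > window_seconds:
                    break  # redirect hops happen within seconds
                reason = is_suspicious(nxt)
                if reason and nxt["ref_host"] == first["host"]:
                    findings.append({
                        "client": client,
                        "search_referer": first["ref_host"],
                        "redirector": first["host"],
                        "landing": nxt["host"],
                        "landing_ip": nxt["ip"],
                        "reason": reason,
                    })
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in ioc_hits(evs):
        print("IOC hit:", hit)
    for chain in ad_redirect_chains(evs):
        print("Ad redirect chain:", chain)
```

The chain detector deliberately requires the landing request's referer to be the redirector host that was itself reached from the search engine, so a user who merely has a dynamic-DNS host bookmarked does not produce a chain finding (it still shows up as a plain indicator hit, which is the right place to triage it). Suffix matching is exact-label based, so a host like `nothopto.org` would not match.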

A portion of the ZeroAccess botnet was recently taken down by Symantec, but it is estimated to be present on 1.9 to 2.2 million computers on any given day, making it the most pervasive botnet to date. At the end of last year, an estimated one in every 125 US home networks was infected, and the bot continues to evolve to better evade detection and resist removal. It is notable particularly for its use of a peer-to-peer (P2P) command-and-control (C&C) architecture, which gives the botnet an especially high degree of availability and redundancy because there is no central server to take down.
