The security firm said that the campaign is still active and pivots on a Java exploit. It also uses Dynamic Domain Name System (DDNS) to prevent itself from being tracked. Symantec has observed the use of over 50 different dynamic domains hosted on multiple servers in the last five months to serve "silent infections" of malware, unbeknownst to users.
According to researcher John Harrison, the campaign spread rapidly and compromised popular domains and adult websites. High-profile domains with an Alexa ranking of 5,000 or under have also been compromised. And even after being alerted to the issue, many of the domains remain dangerous, he warned.
“The interesting thing about infections delivered through malvertising is that it does not require any user action (like clicking) to compromise the system and it does not exploit any vulnerabilities on the website or the server it is hosted from,” Harrison explained. “Infections delivered through malvertising silently travel through Web page advertisements.”
Malvertisement is a growing issue, increasing 20 times over from 2010 to 2012. More than 50% of publishers have experienced a malvertising incident at least once, Harrison said. That rate dovetails with findings in Cisco’s 2013 Annual Security Report, which found that malvertising increased in 2012, with about 83% of malware on the web coming from malicious iframes and scripts last year.
Users with the latest Java update (Java 7 update 13) are no longer at risk through silent exploitation. To avoid being exploited, it is recommended that users continuously apply the latest updates to their operating systems, software, and anti-virus and IPS definitions.
In addition, Harrison recommended the anti-malvertisement guidelines from the Online Trust Alliance (OTA) as a starting point for website owners.