Google’s popular DoubleClick ad network has been hijacked by malvertisers looking to infect vulnerable machines with trojan malware, according to researchers at Malwarebytes.
The firm first discovered something was wrong late last week when its honeypots picked up malicious activity coming from the Times of Israel website.
Malicious ads on the site were redirecting users to sites hosting the Nuclear exploit kit, which would then check a victim’s machine to see if it was running out-of-date versions of Flash, IE or Adobe software.
If the PC was indeed running old or unpatched software, the kit would download the Zemot trojan, detected as Trojan.Agent.BPEN, which is designed to drop additional malware onto a user's machine.
Zemot was added to the Malicious Software Removal Tool by Microsoft earlier this month. Since November 2013, the Zemot infected machine count gradually increased to a peak of 45,000 in June this year, before declining to around 27,000 last month, Redmond said.
However, soon after posting a first blog alerting users to the infected ads, Malwarebytes senior security researcher Jérôme Segura warned that additional sites, the Jerusalem Post and Last.fm, had been caught up in the campaign.
“The reason this is really big is because it involves doubleclick.net (a subsidiary of Google for online ads) and Zedo (a popular advertising agency),” he wrote.
“What is important to remember is that legitimate websites entangled in this malvertising chain are not infected. The problem comes from the ad network agency itself. We rarely see attacks on a large scale like this, so we highly recommend that people keep their systems up-to-date, with current antivirus and anti-malware protection.”
In an update, Segura claimed that the malicious redirection had stopped for the time being, although users are still advised to act with caution and keep their systems up to date.
Back in March, Blue Coat Systems claimed that malvertising had overtaken pornography as the number one threat vector for mobile devices.
Then earlier this month Cisco warned of a new network of malicious ads dubbed “Kyle and Stan” which had already affected over 700 domains.