Romanian anti-malware firm BitDefender has reported that it found malware on Opera’s portal page, and has urged any user who hasn’t changed the browser’s default home page – or who has recently visited that page – to scan their system for malware.
BitDefender’s report suggests that “the script has been loaded through third-party advertisement, a practice commonly known as malvertising.” Malvertising is a popular and successful method for compromising commercial sites that accept advertising. It relies on a benign-looking but malicious advert that is placed on the website. Criminals have been known to develop such advertisements, pay to place them with ad networks, and leave them dormant for several months while they gain trust, reputation and distribution. At a pre-configured point the malware component bursts into life, either for a short period or until it is discovered.
BitDefender detected this one, and reported the issue to Opera. Opera immediately disabled the ads, and tweeted, “We're investigating this, and while we're working with this, we've disabled the ads temporarily on portal.opera.com.”
The sample found by BitDefender inserts an iframe that loads malicious content from an external source. “If the Opera user hasn’t changed the default homepage, active malicious content is loaded from a third-party website (g[removed]750.com/in.cgi) whenever they open their browser,” reports the firm. “This malicious page harbors the BlackHole exploit kit (we got served with the sample via a PDF file rigged with the CVE-2010-0188 exploit) that will infect the unlucky user with a freshly-compiled variant of ZBot, detected by Bitdefender as Trojan.Zbot.HXT,” it continued.
Since Opera is the world’s fifth most popular browser, and it is likely that a large number of users have retained the browser’s default home page portal, the portal is an attractive target for cyber criminals. It is not known whether any users were infected in this way, or whether the speed of BitDefender’s discovery and Opera’s reaction prevented infections. Nevertheless, any user who has visited the browser’s portal page within the last week should take the precaution of scanning their system for malware.