Feeds

Real Media attacks real people via RealPlayer

Hackers twist ad network into Trojan network

Choosing a cloud hosting partner with confidence

Hackers have rooted into a server owned by internet advertising network 24/7 Real Media and used it to serve malware-laced banner ads that tried to circumvent security mechanisms on end users' machines, Symantec researchers said. The malware exploited a previously unknown vulnerability in Real Player that was patched on Friday.

While Real Media no longer appears to be serving the tainted ads, it's possible competing ad networks are launching the same attack, said Alfred Huger, vice president of software engineering at Symantec Security Response.

"There is a very real chance this is not the only server serving up this bad content," he told The Register.

People who use RealPlayer should download a patch, available here as soon as possible, he said. Symantec Antivirus was updated on Thursday to detect the attack. By now, competing antivirus programs are likely to have followed suit.

Real Media has become the latest ad network to be outed as an unwitting ally to cyber crooks. In September, it was disclosed that Yahoo!-owned Right Media served about 12 million ads over three weeks, which silently installed a Trojan back door on unpatched Windows machines. The ads were served on MySpace, PhotoBucket and other popular web destinations.

The complex web of networks provide an ideal vehicle for spreading malware because they attack users who are visiting sites deemed trustworthy. Ads also make it easy to disguise malicious payloads by allowing cyber crooks to infect end users only during certain hours located only in certain geographic parts of the world: in Europe between 12 and 6 a.m., for instance. That makes it harder for researchers to detect and repel the attacks.

Windows users who used Internet Explorer to visit certain sites hosted by Tripod.com and Lycos.com were silently infected if they also had RealPlayer installed, according to a report issued on Symantec's DeepSight Threat Management System. It was possible other trusted web sites that served ads distributed by Real Media also infected users, Huger said. Symantec discovered the tainted ads on October 8. It remains unclear how many ads Real Media served or when the problem was corrected.

An IFrame contained in the tainted ads pointed to malicious code hosted on a server located in the Netherlands that has a history of attacking honeypot machines maintained by Symantec. Vulnerable machines were force-fed code dubbed Trojan.Zonebac, which attempts to disable anti-virus and other third-party security programs, lowers IE security settings and modifies the registry so the program runs each time the computer starts.

It remains unclear how miscreants breached Real Media's server or what steps, if any, the company has taken to prevent a similar incident from happening again. Representatives of New York-based Real Media didn't immediately return calls, which we made outside of business hours on Monday. Real Media is not affiliated with RealNetworks, maker of the RealPlayer program. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.