Ad vendor serving exploits thru Facebook
Last night I was reading a friend's blog on Facebook, and IE popped up a message saying that the webpage was trying to start RDS (Remote Data Services) and asking whether I would allow it. I clicked "No", and then thought "Hang on... it shouldn't have been starting RDS!" (it was late and I was a bit slow), so I opened up a goat machine, retraced my steps, and about a minute later... blam... programs dropped and executed on my machine.
No rootkit, and no detection from any AV I had access to, but after a reboot I found that when I started IE and went to my home page, extra copies of the browser started up and ads were being served.
The traffic is hard to sort out, but here’s the critical sequence of connections (Referer and Host headers, URLs snipped) …
Facebook calls to bannerconnect
208_67_70_3 Referer: http://ads.ak.facebook.com/ads [snip] ,Host: ad.bannerconnect.net
bannerconnect calls to yieldmanager
208_67_70_3 Referer: http://ad.bannerconnect.net/st?ad_t [snip] ,Host: ad.yieldmanager.com
208_67_70_3 Referer: http://ad.bannerconnect.net/st?ad_t [snip] ,Host: ad.yieldmanager.com
yieldmanager calls to valuead
69_63_219_104 Referer: http://ad.yieldmanager.com/iframe3? [snip] ,Host: reduxads.valuead.com
69_63_219_104 Referer: http://ad.yieldmanager.com/iframe3? [snip] ,Host: reduxads.valuead.com
valuead calls to megapromition, which throws an exploit (MS06-014, the MDAC/RDS vulnerability that explains the RDS prompt), which in turn runs an adware installer
85_17_161_17 Referer: http://reduxads.valuead.com/test?pi [snip] ,Host: www.megapromition.net
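To reconstruct a chain like this from proxy logs, here is an added example (not code from the original post) that parses lines in the same Referer/Host shape and walks the Referer -> Host edges from the first-party host. The log format and the sample lines are constructed to mirror the excerpts above; duplicate requests collapse into one hop.

```python
# Added example, not from the original post: rebuild the ad-network redirect
# chain from proxy log lines that record Referer and Host headers.
# The log format is assumed; sample lines are constructed from the post's hosts.
import re
from urllib.parse import urlsplit

# Constructed sample log, modelled on the entries quoted in the post.
SAMPLE_LOG = """\
208_67_70_3 Referer: http://ads.ak.facebook.com/ads ,Host: ad.bannerconnect.net
208_67_70_3 Referer: http://ad.bannerconnect.net/st?ad_t ,Host: ad.yieldmanager.com
208_67_70_3 Referer: http://ad.bannerconnect.net/st?ad_t ,Host: ad.yieldmanager.com
69_63_219_104 Referer: http://ad.yieldmanager.com/iframe3? ,Host: reduxads.valuead.com
85_17_161_17 Referer: http://reduxads.valuead.com/test?pi ,Host: www.megapromition.net
"""

LINE_RE = re.compile(r"^(?P<addr>[\d_]+) Referer: (?P<ref>\S+) ,Host: (?P<host>\S+)$")


def parse_log(text):
    """Return (referer_host, host, addr) per log line; lines lacking either header are skipped."""
    hops = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hops.append((urlsplit(m["ref"]).hostname, m["host"], m["addr"]))
    return hops


def referer_paths(hops, start_host):
    """All simple Referer -> Host paths from start_host to hosts that made no further request."""
    succ = {}
    for ref_host, host, _ in hops:
        succ.setdefault(ref_host, [])
        if host not in succ[ref_host]:      # collapse repeated requests
            succ[ref_host].append(host)
    paths = []

    def walk(path):
        extended = False
        for nxt in succ.get(path[-1], []):
            if nxt not in path:             # loop guard: never revisit a host
                extended = True
                walk(path + [nxt])
        if not extended:                    # dead end: record the full path
            paths.append(path)

    walk([start_host])
    return paths


if __name__ == "__main__":
    for path in referer_paths(parse_log(SAMPLE_LOG), "ads.ak.facebook.com"):
        print(" -> ".join(path))
```

The final host of each path is where the walk ends; in the post's capture that is the host that served the exploit, so it is the first thing to pull from the proxy cache for analysis.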
After the reboot, an Internet Explorer launch that should just show Google looked like this …
It might well be an old exploit, but adware vendors shouldn't be doing it.