Google, Microsoft distribute malware after domain name trickery
Ads served by DoubleClick (Google) and MSN (Microsoft) were distributing drive-by malware last week after attackers were able to trick the networks using a ploy from the phishers' playbook: they masqueraded as a legitimate advertising provider by using a domain name that looked the same as the provider's.
AdShuffle.com is a legitimate company selling ads to various ad networks, including DoubleClick and MSN. AdShufffle.com—three fs—is not, but it looks close enough to AdShuffle.com that the networks were tricked. These banner ads attempted to use a range of exploits (two Internet Explorer, one Java, and four Adobe Reader flaws—all of which are currently patched) to install the HDD Plus malware. HDD Plus is bogus disk diagnostic software; it warns of impending failures and says that to avoid trouble you should buy the full version.
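The trick here is a vendor domain that differs from a trusted partner's by one repeated letter. An onboarding check that flags such lookalikes is shown below as an added example; it is not code from the ad networks or from AdShuffle, and the partner allowlist, the naive suffix stripping (drop the last label) and the distance threshold are assumptions for illustration.

```python
import re

# Constructed allowlist of trusted ad partners. "adshuffle.com" is the real
# provider named in the article; the others are hypothetical entries.
KNOWN_PARTNERS = {"adshuffle.com", "doubleclick.net", "example-ads.com"}


def registrable_name(domain: str) -> str:
    """Lowercase and drop the last label ('adshuffle.com' -> 'adshuffle').
    Naive on purpose: a real check would use the public suffix list."""
    labels = domain.strip().lower().rstrip(".").split(".")
    return ".".join(labels[:-1]) if len(labels) > 1 else labels[0]


def collapse_repeats(s: str) -> str:
    """'adshufffle' -> 'adshufle'; a doubled or tripled letter is the
    easiest difference for a human reviewer to miss."""
    return re.sub(r"(.)\1+", r"\1", s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_vendor_domain(domain: str, partners=KNOWN_PARTNERS, max_distance: int = 2) -> str:
    """Return 'known', 'lookalike:<partner>' or 'unknown' for a vendor domain.
    A lookalike is a name that collapses to the same letters as a partner
    (repeated-letter trick), a different suffix on the same name, or a name
    within max_distance edits of a partner's."""
    domain = domain.strip().lower().rstrip(".")
    if domain in partners:
        return "known"
    name = registrable_name(domain)
    for partner in sorted(partners):  # sorted for deterministic results
        pname = registrable_name(partner)
        if collapse_repeats(name) == collapse_repeats(pname) or levenshtein(name, pname) <= max_distance:
            return f"lookalike:{partner}"
    return "unknown"
```

A "lookalike" result should block automatic onboarding and route the domain to a human, who compares it against the partner's contractually registered domain rather than against what the e-mail signature says.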
Analysis of the attacks suggests that various obfuscation techniques were used to disguise the exploitation, and that as a result antivirus software was having a hard time detecting and blocking the attacks. The offending ads have been pulled by the networks in question, but the people behind the attack have registered more domains, and similar attempts are likely to occur in the future.