According to tech news site The Register, one of the sites on
which the ads were displayed, "Early on Saturday morning some
banner advertising served for The Register by third party ad
serving company Falk AG became infected with the Bofra/IFrame
exploit."
The exploit, which first came to light in early November, takes
advantage of a weakness in Microsoft Internet Explorer 6.0
browsers. On this occasion hackers used it to implant a Trojan –
code that can carry out malicious acts or give another user remote
control of the target computer – into banner ads. The Trojan then
directed the unfortunate visitor to a further site, from which
another malicious virus was then downloaded into the machine.
"If you may have visited The Register between 6am and 12.30pm
GMT on Saturday, Nov 20 using any Windows platform bar XP SP2 we
strongly advise you to check your machine with up to date
anti-virus software, to install SP2 if you are running Windows XP,
and to strongly consider running an alternative browser, at least
until Microsoft deals with the issue," warned The Register in a
statement.
Ilse.nl, a Dutch internet firm, Nu.nl, a popular Dutch news
site, and other sites in the Netherlands and Sweden were also
targeted by the rogue banner ads, which have now been removed.
All the compromised sites were clients of German firm Falk
Solutions AG, which explained that on Saturday an "unauthorised
individual" had exploited a weakness in a load balancer on one of
the firm's networks in order to distribute the malware. That load
balancer has now been permanently removed and all others checked
and found to be secure. No more infected ads are being
distributed.
"Falk AG is treating this event as a criminal offence and has
notified the appropriate local authorities," said the firm.
It also advises computer users to consider using a browser other
than Internet Explorer, or to upgrade their Windows operating
system to the XP Service Pack 2, in order to avoid the as yet
unpatched Internet Explorer exploit.
