According to tech news site The Register, one of the sites on which the ads were displayed, "Early on Saturday morning some banner advertising served for The Register by third party ad serving company Falk AG became infected with the Bofra/IFrame exploit."
The exploit, which first came to light in early November, takes advantage of a weakness in Microsoft Internet Explorer 6.0 browsers. On this occasion hackers used it to implant a Trojan – code that can carry out malicious acts or give another user remote control of the target computer – into banner ads. The Trojan then directed the unfortunate visitor to a further site, from which another malicious virus was then downloaded into the machine.
"If you may have visited The Register between 6am and 12.30pm GMT on Saturday, Nov 20 using any Windows platform bar XP SP2 we strongly advise you to check your machine with up to date anti-virus software, to install SP2 if you are running Windows XP, and to strongly consider running an alternative browser, at least until Microsoft deals with the issue," warned The Register in a statement.
Ilse.nl, a Dutch internet firm, Nu.nl, a popular Dutch news site, and other sites in the Netherlands and Sweden were also targeted by the rogue banner ads, which have now been removed.
All the compromised sites were clients of German firm Falk Solutions AG, which explained that on Saturday an "unauthorised individual" had exploited a weakness in a load balancer on one of the firm's networks in order to distribute the malware. That load balancer has now been permanently removed and all others checked and found to be secure. No more infected ads are being distributed.
"Falk AG is treating this event as a criminal offence and has notified the appropriate local authorities," said the firm.
It also advises computer users to consider using a browser other than Internet Explorer, or to upgrade their Windows operating system to the XP Service Pack 2, in order to avoid the as yet unpatched Internet Explorer exploit.