Details of hijacked 24/7 ad server emerge

The attack should be a warning to the Web, said Andrew Storms, director of security operations at nCircle Network Security.

Hackers have hijacked a server operated by Internet advertising company 24/7 Real Media and are using it to seed legitimate Web sites with ads carrying attack code, Symantec said Friday.

Windows users who visited sites with the attacking ads were infected if they browsed with Microsoft's Internet Explorer and had RealNetworks' popular RealPlayer media player program installed on their PCs, Symantec said in an analysis written by three company researchers. This is the first time that malware has piggybacked on Internet ads served from a major advertising firm.

The attack should be a warning to the Web, said Andrew Storms, director of security operations at nCircle Network Security. "So much of the content we consume today comes from many syndication services," Storms said in an e-mail interview. "We trust that the content provided to us by Internet 'blue chips' is safe from malware.

"This should be a wakeup call for sites which offer syndicated content," Storms said. "They need to take a more active role in ensuring the security of [that] content."

Working off reports last week that RealPlayer and Internet Explorer could be exploited to infect Windows computers, Symantec researchers Aaron Adams, Raymond Ball and Anthony Roe used a compromised company honeypot to trace an attack back to 24/7 Real Media's server. Although Symantec didn't speculate on how the server was compromised, it did lay out the attack's progression.

How the hack worked

After they'd gotten access to the server, the attackers added code that embedded an IFrame in every advertisement. The invisible IFrame contained instructions to redirect any browser that rendered the ad to another, unauthorized IP address. In other words, users who surfed to a theoretically trustworthy site that contained ads inserted by New York-based 24/7 were, in fact, secretly shunted to the second, malicious site.

Script hosted on that second site sniffed users' machines to determine if they were vulnerable to the unpatched RealPlayer vulnerability before actually launching an attack, according to Symantec. "The script first tests the user-agent supplied by the browser ensuring that it is Internet 6 or 7 and the system is identified as NT 5.1 [Windows XP] or NT 5.0 [Windows 2000]," Adams, Ball and Roe said in a report. Other sniff tests included one to identify the version of RealPlayer on the vulnerable PC.

If the computer met the attack criteria, a second exploit script was executed, which in turn downloaded and installed a Trojan horse to the PC. The Trojan horse was a variation of "Zonebac," malware first detected last year that disables a slew of security software and lowers Internet Explorer's security settings, said the analysts. On Friday, Symantec called the original Zonebac "fairly unsophisticated" but added that the variant in the RealPlayer attack "retrieves information from numerous Web sites."

Symantec was not available over the weekend to answer questions about the nature of that information or to provide any other details of the attack.

"What's most interesting about the exploit is where it is hosted," the three researchers said. "The compromise of an ad server can greatly increase the effectiveness of the attack. It is so effective because it allows an attacker to target victims that are browsing trusted or well-known Web sites."

In the specific attack that Symantec monitored, the advertisement -- which was for job-hunting site -- had been placed on a site hosted by, a Web hosting service owned by Lycos that offers both free and for-a-fee plans. "The Web site that triggered the breach on the DeepSight honeypot was ',' containing [an] embedded script ... which loaded the compromised advertisement and then in turn loaded the exploit," said the Adams, Ball and Roe report. "To emphasize the severity of this attack, [the ad script] is embedded and called in every user Web page (URLs formatted like '') at least," they added.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Victorinox Werks Professional Executive 17 Laptop Case

Learn more >

Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?