The Register Among Sites Serving Banner Malware

Technology news site The Register today identified its ad serving provider, Falk AG, as the source of banner ads which spread an IFRAME exploit via its web site for more than six hours Saturday. The Register apologized to its readers and recommended that they check their machines for infections.

Reports Saturday noted that the exploit appeared on numerous European sites, but it appears U.S sites may have been affected as well. An analysis of the exploit by LURHQ noted that "one of the hacked sites included a well-known Hollywood film studio's website." Falk AG's client list includes numerous entertainment properties, including NBC/Universal, The Golf Channel, The A&E Network and Sony Pictures Digital. The Dutch news site Nu.nl has also acknowledged hosting the banner exploits.

The Register said it is pursuing details of the event from Falk, which is expected to have public comment about the incident Monday. The LURHQ analysis said some versions of the complex exploit installed adware onto users' computers, while other versions downloaded remote-access trojan.

Windows XP users who have installed Service Pack 2 were not affected by the IFRAME exploit due to buffer-overflow protection incorporated in SP2. But LURHQ said that may not last. "A new, unrelated exploit has just been released that allows remote code installs on SP2, and it is expected that adware vendors/trojan authors will begin to use it in the near future," the security service noted.

Other reports surfacing this weekend suggested that spyware and malware authors are making widespread use of Internet Explorer security holes to install software. Spyware researcher Ben Edelman encountered a URL that auto-installed 16 different spyware or adware programs. "I was not shown licenses or other installation prompts for any of these programs, and I certainly didn't consent to their installation on my PC," writes Edelman.

The latest incidents are prompting a fresh round of recommendations that Web users abandon Internet Explorer in favor of alternate browsers, at least until the IFRAME hole is addressed. The Internet Storm Center gave that advice in its initial reports Saturday, and The Register today urged readers to "strongly consider running an alternative browser (to Internet Explorer), at least until Microsoft deals with the issue."