The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Pegel now in banners

Eugene Aseev
Kaspersky Lab Expert
Posted September 17, 15:11  GMT

We're still monitoring Pegel, and we've come across something which piqued our interest: redirects to malicious websites hosting exploits weren't only coming from infected legitimate sites, but also from flash ads on legitimate sites. Not really standard, so we decided to take a closer look.

The browser displays flash ads which are used in this way just like a normal banner, and if you click, you do end up on an advertising site.

But when we analyzed the ActionScript code of the ad, we found the following script which runs when the ad is loaded:

So when the banner's displayed, a script on the cybercriminals' server is run, and it's this script that redirects the user to a web page hosting exploits. It looks as though the static banners had been replaced with a very specific type of flash ad. Only one question remained: how was this done?

As it turned out, all the websites which got infected in this way have OpenX, a banner platform, installed. A new OpenX module was released in December last year: Open Flash Chart 2. This module contains a vulnerability (which was identified in the beta version) that makes it possible for cybercriminals to upload executable code to a server.

It seems that the developers of OpenX didn't know about the vulnerability. Consequently, a vulnerable version of the module was made available for download, and a lot of resources (such as thepiratebay.org, esarcasm.com and tutu.ru) which use OpenX and the vulnerable module ended up infected.

The cybercriminals have tried to ensure that OpenX users can't update to the most recent version of the product (which has fixed the vulnerability) and they've DDoSed openx.org. At the time of writing, the website was still down; however, the link to the new distributive is working, so you can download the new package from here.

If you've got OpenX installed, then either update to the new version, or temporarily delete the file admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php from the directory where OpenX is installed.


Oldest first
Threaded view

Erik Geurts

2010 Sep 20, 16:15

Corrections for multiple errors in this report

I'm afraid there are multiple errors in this report.

OpenX is open source ad server software, available for download at http://www.openx.org/ad-server/download. OpenX offers a plugin framework, enabling the OpenX developers and third party developers to add functionality, in much the same way as this is done in products like WordPress and Magento.

The OpenX developers have created the OpenX Video Ads plugin, and we at AdserverPlugins.com have developed the Statistics as Graphs plugin. Both of these plugins use an third party component named Open Flash Charts 2 (OFC) for the display of graphs about the performance of the advertisments. OFC is also open source software.

Recently a vulnerability was discovered in OFC, which allowed hackers to abuse OFC and thus attack the OpenX software. As soon as this was discovered, fixes have been released for both the OpenX software (which includes the Video Ads plugin), and the Statistics as Graphs plugin.

The latest version of OpenX can always be downloaded from:

The new version of the Statistics as Graphs plugin can be downloaded from our site www.adserverplugins.com


Eugene Aseev

2010 Sep 20, 17:48

Re: Corrections for multiple errors in this report

Sorry for not fully clarifying the module structure.

But the vulnerability in OFC was discovered in December 2009 (sorry, recently?), and up to the attack both OpenX plugins contained vulnerable version of OFC?


Erik Geurts

2010 Sep 21, 19:14

Re: Corrections for multiple errors in this report

Hi Eugene,

The author of the OFC2 software has last update his software on July 28, 2009. There is no clue whatsoever on that site about any recent discoveries.

I think you're right that the vulnerability may have been known for a while, but we only found out about it when the vulnerability was starting to be exploited this month. When we found out, we immediately published an updated version of our plugin, and OpenX.org did the same with their Video Ads plugin. The author of OFC2 made no effort to respond to this issue.

If you would like to comment on this article you must first

Bookmark and Share