Ad-based Trojan hits MySpace, Bebo and others

Users of high profile sites including MySpace, The Sun, Bebo and PhotoBucket have been exposed to a Trojan hidden within adverts.

The sites all ran advertising in recent weeks from the Right Media online ad exchange which were unknowingly infected with the Downloader.VBS.Agent.n Trojan.

"This is another example of how legitimate 'trusted' websites can unknowingly host malware," said Dan Nadir, vice president of product strategy at ScanSafe.

"Online ads have become a primary target for malware authors because they offer a stealthy way to distribute malware to a wide audience."

Nadir explained that the malware was particularly dangerous because it required no user interaction for infection to take place.

ScanSafe estimates that up to 12 million ads may have been delivered, exposing a large number of users to the Trojan.

The security vendor saw a surge in blocks of the Trojan beginning on 8 August and continuing until early September.

Nadir added that it will be very difficult to track down the source of the malware because the hacker used the distributed nature of online advertising to spread the code to hundreds of sites.

One of the infected adverts used a Flash file to generate an invisible iFrame. This was linked to an IP address containing obfuscated visual basic script that used the well-known MDAC exploit to download a Trojan executable.

ScanSafe believes that the malicious script inside the Flash ad avoided detection by Right Media because of the clever use of a referrer check. This meant that the advert only became active when delivered by a particular ad server.

The Downloader.VBS.Agent.n malware downloads other programs which are launched on the victim's machine without knowledge or consent.

ScanSafe said that several well known sites, including TomsHardware, have unwittingly hosted malware that was inserted via infected online ads.