Kaspersky Lab Expert Comments on Yahoo Advertisement Malware

It was recently reported that some advertisements on Yahoo Inc’s European website contained malware, potentially infecting thousands of users. Affected users were redirected to an exploit kit, which exploits vulnerabilities in Java software and installs a variety of malware onto the user’s computer. Yahoo Inc. has since removed the malicious ads, and is continuously monitoring and blocking any ads used for this purpose. Researchers say that this malware potentially infected approximately 27,000 users every hour; however, Yahoo Inc. has yet to confirm the number of impacted users.

Kaspersky Lab expert Dmitry Bestuzhev provides insight on the malware, explaining its origins and where the victims are mainly located. The original exploit used in the attack was submitted to VirusTotal on January 3, 2014, and was detected by only 2 of 48 AV vendors, one of which was Kaspersky Lab. Kaspersky Lab blocked the exploit heuristically as HEUR:Exploit.Java.Generic.

According to Dmitry, once the exploit compromised the user’s system, it dropped a malicious binary, which was also submitted to VirusTotal on the same day, January 3, 2014, and was detected by 8 of 48 AV vendors, again including Kaspersky Lab. Kaspersky detected the malware as Backdoor.Win32.PcClient.fouk.

As a result, Kaspersky Lab products detected and blocked the attack the same day it occurred.

Kaspersky Lab statistics based on Kaspersky Security Network technology show that the original exploit affected users mainly in France, but also in the USA, Germany and Spain. The dropped binary affected users in France, the USA, Germany and Peru.