
Unexpected Reality In Search of American Idol

Created: 02 Feb 2009 21:52:21 GMT • Updated: 23 Jan 2014 18:37:44 GMT
Eric Chien

If you were searching the Internet for videos of the American Idol TV show, you might have received a bigger dose of reality than you were expecting. Unfortunately, one of the more popular video link aggregators was hosting infected advertisements on its site.

Advertising networks are a popular platform for malicious code authors trying to gain widespread distribution of their malware. The authors provide an advertising network with a URL that is supposed to point to their advertisement, but instead of only displaying an ad, the URL redirects users to a rogue website. In this case, the advertisement was redirecting Web browsers to a PDF file that was using the Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability to install a malicious executable on the browser’s host system. (Please note that this vulnerability is resolved in Adobe Reader 8.1.3 and Adobe Reader 9.)

In addition to ensuring that a computer is fully patched against this vulnerability, more advanced users may also want to modify their Adobe Reader preferences to disable JavaScript under the Edit | Preferences | JavaScript menu. With that setting, any time you open a PDF with potentially malicious JavaScript, you will be prompted first instead of the file opening immediately. Selecting “No” can prevent the JavaScript from executing. The prompt also lets you recognize when your browser has been surreptitiously redirected to a PDF with JavaScript, as shown in the above screenshot.

Symantec security products would also have detected and blocked this particular attack as Bloodhound.Exploit.213. Fortunately, our visits show that the ad network cleaned up this particular rogue advertisement a while ago, but it nevertheless serves as a reminder: Symantec recommends that users avoid such sites and directly visit the website of the official owner of the content.
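
As a complement to the Reader preference described above, a downloaded PDF can be checked for script-bearing keys before it is opened. The following is an added example, not code from the original post or from Symantec; the function names and sample documents are constructed for illustration, and the check only sees keys outside compressed streams.

```python
import re

# Name keys the PDF format uses for scripts and for actions that run on open.
SCRIPT_KEYS = ("JS", "JavaScript", "OpenAction", "AA")
# A PDF name is "/" plus regular characters; "#xx" inside it is a hex-escaped byte.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed samples (not real documents); the script body is a placeholder.
SAMPLE_WITH_JS = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n"
    b"%%EOF\n"
)
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript compares equal to /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def script_indicators(pdf_bytes: bytes) -> dict:
    """Count script-related name keys found in the raw bytes of a PDF."""
    # Heuristic: keys inside compressed object streams are not visible here,
    # and slash-prefixed text inside strings can produce false positives.
    counts = {key: 0 for key in SCRIPT_KEYS}
    for match in NAME_RE.finditer(pdf_bytes):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def has_script(pdf_bytes: bytes) -> bool:
    """True when the file declares a JavaScript action or script body."""
    c = script_indicators(pdf_bytes)
    return c["JS"] > 0 or c["JavaScript"] > 0


if __name__ == "__main__":
    print(script_indicators(SAMPLE_WITH_JS))
    print(has_script(SAMPLE_PLAIN))
```

A zero count does not prove a file is clean, so patching and the Reader prompt remain the primary controls.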