Hackers Use Popular Web Sites, Ads to Infect PCs

Hackers co-opted several popular Web sites including comedycentral.com over the weekend, using them to infect thousands of computers with a virus that can be used to steal passwords, bank accounts and other personal information.

Displaying an increasingly sophisticated approach to online theft, the hackers gained control of a German online advertising services firm and served up thousands of Internet ads designed to send visitors to one of several Web sites where the hackers had installed the virus.

Hackers also can use the virus to plant programs on victims' computers that send out spam, flood monitors with pop-up advertising or attack other Web sites, said security researchers who analyzed the code.

The virus started spreading late Friday when people using some versions of Microsoft's Internet Explorer Web browser visited sites containing the ads, computer security experts said. The ads directed computers to download the virus from several Web sites, including comedycentral.com.

It does not affect computers that contain the Service Pack 2 software upgrade that Microsoft released in August for Windows XP customers. So far, the upgrade has been downloaded approximately 130 million times, according to Microsoft. There are an estimated 200 million XP users worldwide.

Customers using older Windows versions should update their anti-virus software, stay away from unfamiliar Web sites and set their browser security level to "high," said Stephen Toulouse, security program manager at Microsoft.

Sites that ran the poisoned ads included TheRegister.co.uk, a technology news publication, and Ilse.nl, one of the largest Internet companies in the Netherlands.

The ads were managed by Falk Solutions AG, a German company that handles online advertising for Web sites such as Sony Pictures Digital, NBC Universal Television Networks and A&E Television Networks.

Slightly more than 2 percent of the ads served during a six-hour period on Saturday contained the malicious computer code, according to a statement released by Falk. The company said the attackers reconfigured Falk's ad servers so that one in every 30 banner ads that ran on its clients' sites would redirect visitors to the Web sites hosting the virus.

None of the media companies that Falk serves responded to requests for comment.

Tony Fox, a spokesman for comedycentral.com, confirmed that the site hosted the virus until technicians discovered and removed the file on Saturday afternoon. Fox said the company is still trying to determine when and how the virus was placed on the server.

Joe Stewart, a researcher at Chicago-based Internet security firm Lurhq, said when the attacks first began Friday evening he spotted some ads linking to the same virus planted on the Web site of Lion's Gate Films. A spokeswoman declined to comment.

Santa Clara, Calif.-based anti-virus company McAfee Inc., detected more than 30,000 infection attempts since the attack started early Saturday morning, said Vincent Gullotto, senior director for the company's anti-virus emergency response team.

The virus tried to attack about 20,000 computers in the United States that use McAfee's anti-virus software for home users, Gullotto said. Another 9,000 attacks targeted European home users.

Toronto-based company Rydium, which places banner ads on Web sites using Falk's advertising technology, received a flood of calls Monday from customers who had gotten complaints that their Web sites were infecting visitors' computers, said spokeswoman Julie Ford.

The attack was similar to one last June that prompted warnings from U.S. government cyber-security officials. That virus infected the Web sites of the Kelley Blue Book automobile pricing guide and MinervaHealth Inc., a Jackson, Wyo., company that provides online financial services for hospitals and health care businesses.

The attack shows that the mere act of browsing the Internet has become a risky activity for many Internet users, said Marcus Sachs, a former White House cyber-security adviser and director of the SANS Internet Storm Center.

"It used to be that if you were a stupid or careless Web surfer, the worst that might happen is you get pop-ups and spyware installed on your PC," Sachs said. "But those rules have changed over the last year so that just by visiting a site -- even one you trust -- can bring not just a nuisance but serious damage."