May 26, 2017

HDD Plus Malware Spread by DoubleClick and MSN

The first two weeks of December have seen the HDD Plus malware spread across the Internet through the world's largest ad serving platforms, namely DoubleClick and MSN, using drive-by download malvertising.

HDD Plus is ransomware in that, once installed on a victim's computer, it holds the computer hostage by displaying threatening messages claiming that the system is failing and asking the victim to purchase a license to fix the problems.

DoubleClick and MSN are implicated because when users visit websites that use their banner ads, a malicious JavaScript is served from (that's with three f's), which in turn starts a drive-by download process. If HDD Plus installs successfully, the victim's computer has been infected without the victim doing anything or clicking on anything.

The attack uses a modified version of the Eleonore exploit pack and targets vulnerabilities in Microsoft Internet Explorer 6 and 7, the Java Runtime Environment (before update 19; the current version is update 23) and several weaknesses in Adobe Acrobat (including Acrobat Reader). Because it exploits Java and Acrobat, PCs using alternative browsers like Firefox or Chrome are also vulnerable.

This latest attack underlines again the need to keep your computer up to date (including not only the browser but also other applications like Java and Acrobat Reader).
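One practical way to act on this advice is to check the installed Java Runtime Environment against the update level the post names. The following is an added example, not code from the original post: it parses the version line printed by `java -version` (assumed here to be in the `java version "1.6.0_19"` form used by Java 6-era JREs) and flags any JRE below update 19 of Java 6, treating unparseable output as outdated so that an unknown installation is reviewed rather than silently passed. The sample outputs are constructed for the example.

```python
import re

# Lowest JRE level the post describes as patched: Java 6 update 19.
# Represented as (major, minor, patch, update) so whole-version comparison works.
MIN_JAVA_VERSION = (1, 6, 0, 19)

# Version line as printed by `java -version` (to stderr) on Java 6-era JREs,
# e.g. java version "1.6.0_19". This format is an assumption of the example.
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(output):
    """Return (major, minor, patch, update) parsed from `java -version` output,
    or None when no recognisable version line is present."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def java_is_outdated(output, min_version=MIN_JAVA_VERSION):
    """True when the reported JRE is older than min_version.
    Output that cannot be parsed is treated as outdated (fail closed),
    so an unknown or missing JRE is flagged for manual review."""
    version = parse_java_version(output)
    if version is None:
        return True
    return version < min_version


# Constructed sample outputs (not taken from the post).
SAMPLES = {
    "patched": 'java version "1.6.0_23"\nJava(TM) SE Runtime Environment (build 1.6.0_23-b05)',
    "vulnerable": 'java version "1.6.0_17"\nJava(TM) SE Runtime Environment (build 1.6.0_17-b04)',
    "newer_major": 'java version "1.7.0_01"\nJava(TM) SE Runtime Environment (build 1.7.0_01-b08)',
    "unknown": "java: command not found",
}


def audit(samples=SAMPLES):
    """Map each sample name to whether its JRE should be flagged as outdated."""
    return {name: java_is_outdated(out) for name, out in samples.items()}


if __name__ == "__main__":
    for name, flagged in audit().items():
        print(f"{name}: {'OUTDATED' if flagged else 'ok'}")
```

On a real machine the output to feed in would be captured from `java -version` (which writes to stderr). Comparing the whole version tuple rather than only the update number avoids mis-flagging a newer major release that happens to carry a low update number.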

A detailed technical report of how HDD Plus is spreading through these ad networks can be found here while information on removing HDD Plus can be found here and here.