08-11-2014 05:28 AM
By John Leyden, 11 Aug 2014
Crooks are using Yahoo!'s advertising network to infect PCs with the CryptoWall ransomware, it's claimed.
Windows software nasty CryptoWall encrypts a victim's files using an OpenSSL-generated key pair before demanding a ransom to decrypt the data. It communicates with its masters using RC4-encrypted messages to command servers hidden in the Tor network, we're told.
It was initially spread by spamming email inboxes with "incoming fax" scans or links to files held in cloud storage that were booby-trapped with malicious code.
The malware then evolved to use poisoned web advertisements – or malvertising – to spread across the internet.
Typically, when someone clicks on an ad, the site displaying the advert, and the advertising network serving it, take a small fee for referring the visitor to the advertiser's website. It appears CryptoWall victims are lured into clicking on adverts, which refer the browser along a chain of websites until it reaches a server that exploits a vulnerability to infect the computer.