The London Stock Exchange website exposed some visitors to drive-by malware attacks today. Merely viewing the homepage at www.londonstockexchange.com (without clicking on anything) caused my Windows computer to be compromised by malware. This malware was apparently delivered through third-party advertisements which appeared on the site.
The malware was a classic spoof antivirus program which used a software vulnerability to download and install native executable code. The spoof program appeared in the system tray and prevented other processes such as Task Manager being run, falsely claiming that they were infected with a virus. The malware then tried to extort payment to fix the artificial problem it had created. It also replaced the wallpaper image with the following message:
Google's Safe Browsing diagnostic page for www.londonstockexchange.com also confirmed the presence of suspicious content on the LSE website today:
Of the 281 pages we tested on the site over the past 90 days, 65 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-02-27, and the last time suspicious content was found on this site was on 2011-02-27.
Malicious software includes 2 scripting exploit(s), 2 trojan(s), 1 exploit(s). Successful infection resulted in an average of 5 new process(es) on the target machine.
Accordingly, the site ended up being blocked by the Chrome and Firefox web browsers, which both make use of Google's malware blocklist.
LSE have now stopped the affected adverts from appearing on their site, thus preventing the malware from reaching their visitors. For clarity, the LSE website itself was not compromised. Because the malware was distributed via an advertising network, many other sites may also have been affected.
Unanimis, which hosted adverts used on the LSE website, subsequently issued the following statement:
Malware was detected on the Unanimis network which affected some advertisements on our network. Other than the banner advertisements in question, the malware does not impact or affect any other parts of a website. The affected advertisements have been removed and all sites continue to operate normally. For clarity the LSE website was not impacted by this Malware, nor did it propagate malware.