3. What is Malvertising
Malvertising is the use of online advertising to spread malware.
Malvertising involves injecting malicious ads into legitimate online advertising networks and web pages.
Source: Anti-Malvertising.com
4. How Malvertising works
Attacker: creates and injects malware ads into an advertising network.
Advertising Network: selects an ad based on auction, sends it to the website.
Website: serves a banner ad, sometimes malicious.
User: visits a popular website, gets infected via exploit kit.
5. Malvertising history timeline (2007–2014)
2007: Malvertising technique was first identified in Flash files
2009: New York Times “Vonage” banner hijacked, installed FakeAV
2011: Speedtest.net ad network OpenX serves malware ad
2013: Malvertising uses dynamic domain names
2014: HuffPo, LA Weekly malvertising ads reach 1.5 Billion users
6. Rise of Malvertising
OTA stats
• Malvertising increased 200%+ in 2013 to over 209,000 incidents, generating 12.4B+ malicious ad impressions.
Google stats
• Google filtered 524 million 'bad' ads in 2014, and disabled 214,000 malware websites.
Cyphort stats
• Cyphort's own data shows 300% malvertising growth in 2014.
7. Techniques to avoid detection
o Enable malicious payload after a delay
o Only serve exploits to every 10th user
o Verifying user agents and IP addresses
o HTTPS redirectors
8. o Exploit Kits infect you without a “click”
o Examples: Angler, Sweet Orange, Nuclear, RIG
Fox-it.com
11. GOPEGO malvertising
GOPEGO, Feb 4, 2015: gopego.com malvertising downloads CryptoWall ransomware.
The attack serves an exploit package embedded in a Flash file, including exploits which target four vulnerabilities. Among them the notorious CVE-2015-0311.
www.cyphort.com/gopego-malvertising-cryptowall/
13. HuffingtonPost malware – Kovter analysis
o Kovter is an ad-fraud Trojan (MD5 sum: A2A6A36C94D4FF5B42C346F3A3A49E7)
o Communication to C&C is RC4 encrypted and BASE64 encoded
o If it detects any indication of analysis tools, virtualization or debugging tools, it will POST the following data to a16-kite.pw and then exit
o Else, it will POST data to a16-car.biz and then wait for commands
o The C&C server can issue the following commands:
o RUN – execute a file
o UPDATE – update itself
o RESTART
o FEED – Ad Fraud
o SLEEP
14. Conclusions
o Advertising networks get millions of submissions, and it is difficult to filter out every single malicious one.
o Attackers will use a variety of techniques to hide from detection by analysts and scanners.
o Advertising networks should use continuous monitoring – automated systems for repeated checking for malware ads; they need to scan early and scan often, picking up changes in the advertising chains.
Malvertising is the practice of injecting malicious advertisements into legitimate online advertising networks. It is served with the goal of compromising users and their devices. It can occur through deceptive advertisers or agencies running ads, or through compromises of the ad supply chain, including ad networks, ad exchanges and ad servers.
Malvertising is not new malware, just a different delivery vehicle. Malvertising is popular because compromising websites that have high traffic is very effective for malware distribution, and because attacking these sites' ad networks is easier and requires less effort than finding a vulnerability in the site software.
Websites or web publishers unknowingly incorporate a corrupted or malicious advertisement into their page. Once the advertisement is in place, and visitors begin clicking on it, their computer can become infected. Malvertising often involves the exploitation of trustworthy companies. Those attempting to spread malware place "clean" advertisements on trustworthy sites first in order to gain a good reputation, then they later "insert a virus or spyware in the code behind the ad, and after a mass virus infection is produced, they remove the virus", thus infecting all visitors of the site during that time period. The identities of those responsible are often hard to trace because the "ad network infrastructure is very complex with many linked connections between ads and click-through destinations." [8]
Malvertising was first identified by security experts in 2007, but the growing breadth of online advertising has made it more attractive to criminals as a way to reach millions of web users quickly and easily.
2007 – Malvertising technique was first identified in Flash files
2009 – New York Times “Vonage” banner hijacked, installed FakeAV
2011 – Speedtest.net ad network OpenX serves malware ad
2013 – The campaign is still active and uses Dynamic Domain Name System (DDNS) to prevent itself from being tracked
2014 – HuffPo, LA Weekly malvertising ads reach 1.5 Billion users
In 2009, the banner feed of The New York Times was hacked for the weekend of September 11 to 14, causing some readers to see advertisements telling them their systems were infected and trying to trick them into installing infected software on their computers. According to spokeswoman Diane McNulty, "the culprit approached the newspaper as a national advertiser and had provided apparently legitimate ads for a week", and the ads were switched to the virus alert malvertisement afterwards. The New York Times suspended third-party advertisements to address the problem, and even posted advice for readers regarding this issue on its technology blog.
Here are some numbers related to the rise of the malvertising threat. According to Online Trust Alliance research, malvertising increased by over 200% in 2013 to over 209,000 incidents, generating over 12.4 billion malicious ad impressions. The majority of malicious ads infect users’ computers via “drive-by downloads,” which occur when a user innocently visits a web site, with no interaction or clicking required. Furthermore, Cisco’s Annual Security Report found that online ads were the second most common source of Web malware encounters: 16% of all encounters Cisco observed, and 182 times more likely than viewing adult content. From the data we collected with the Cyphort crawler, we can see a 300% increase in malvertising.
Google published its "Fighting Bad Advertising Practices on the Web — 2014 Year in Review" report, in which it mentioned that it filtered half a billion bad ads in 2014 and disabled 214,000 malware websites.
But let's take a step back and talk a little bit about how online advertising works in general, to understand the context of this problem.
It’s common practice to outsource the advertising on websites to third-party specialists. These companies re-sell this space, and provide software which allows people to upload their own adverts, bidding a certain amount of money to ‘win’ the right for more people to see them. This often provides a weak point, and cyber criminals have numerous clever ways of inserting their own malicious adverts into this self-service platform. Once loaded, all they have to do is set a price per advert, to compete with legitimate advertisers, and push it live.
The ad networks get millions of ads submitted to them and any one of those could be malvertising. They try to detect and filter malicious ads from their systems, but it is challenging. The potential damage is high, as ad networks have a very deep reach and can infect many people quickly. The attackers are accustomed to tricking the networks by making "armored" malverts, where they use various techniques to appear legitimate to the analysts, but infect the users nonetheless. For instance, they will enable the malicious payload only after a delay of several days after the ad is approved. Another way is to only serve the exploits to every 10th user, or every 20th user, who views the ad. Verifying user agents and IP addresses is also a common strategy to hide from analysts and automated malware detection. The attackers can implement various targeting strategies for malware infection, which appear normal in the context of advertisement, but in effect evade certain security detection. The use of redirection via HTTPS (Hypertext Transfer Protocol Secure, a communications protocol for secure encrypted communication) is unique. It makes it harder to analyse the origin of the attack because even if a security company has the recorded network traffic, it is impossible to decrypt and reconstruct the origin of the malware redirect.
A common misconception is that you must click on ads to get infected, which is sometimes true, but often not. Online ads appear to be an image hosted on the website, but they’re neither hosted on that website nor just an image. Ad networks, which are not under the control of the host website, decide which ad to send you, but often don’t actually deliver the ads. Instead, the ad networks instruct your browser to call a server designated by the advertiser. Also, ads often deliver files and entire programs to your browser. To infect you, HTML-based JavaScript or Flash-based ActionScript covertly routes your browser to a different server that hosts an exploit kit. Flash is scary because it embeds sophisticated logic into the ad, which manipulates your browser as the ad is displayed. Ads can be instructed to only attack you and others at particular times and geographies. Some examples are delaying the attack until after the ad network examines and approves the ad; or until holidays, when it’s peak time for people to surf and off time for advertisers’ personnel to promptly remove offending ads.
http://blog.fox-it.com/2014/08/27/malvertising-not-all-java-from-java-com-is-legitimate/
In our most recent malvertising discovery, in February, we found that a Clean.navy subdomain was loading the Angler Exploit Kit with an exploit for CVE-2014-6332, the Windows OLE Automation Array Remote Code Execution Vulnerability.
The website belongs to a US Department of Defense contractor, Werth Sanitary Supply Co., Inc., of 916 Fesler Street, El Cajon, California.
Werth Sanitary is a woman owned small business specializing in Bio-Based & U.S. Navy Shipboard Approved Cleaners on GSA and DOD EMALL Contract.
We have reached out to Werth and notified them about this issue. This is very serious, because compromising contractors’ assets is a common way into secure networks; for instance, hackers used access credentials stolen from refrigeration and HVAC system contractor Fazio Mechanical Services to gain access to Target in 2013. Before that, in 2013, 50 successful intrusions were made into US government contractors’ systems, and of those, 20 were attributed to an advanced persistent threat, likely China, according to the Inquiry into Cyber Intrusions Affecting U.S. Transportation Command Contractors.
In late January we discovered another malvertising campaign, with more than 20 websites used. Here is a list of the domains that were infected:
All of these sites were redirecting the users to an ad from an affiliate ad-network, affiliate.affyield.com, which claims to be a part of Affiture, subsidiary of CPXI, a privately held digital advertising company based in New York on Times Square. It has 170 employees, a revenue of 116 Million dollars and was listed on Forbes list of America’s Most Promising Companies.
In a unique twist, an exploit for a zero-day Flash vulnerability was used. This vulnerability was not publicly disclosed at the time we first detected the attack, on Jan 21. The exploit kit is Angler and the malware payload appears to be Bedep. We recommended that users disable Flash in their browser if they have to go to the sites above, and use a JavaScript/Flash blocker such as the NoScript Firefox plugin or the ScriptSafe Chrome plugin.
On February 4, 2015, Cyphort Labs detected another malvertising campaign originating from gopego.com. The site displays a malicious advertisement that redirects to other malicious links and eventually downloads CryptoWall ransomware. The attack serves an exploit package embedded in a Flash file, including exploits which target four vulnerabilities. Among them the notorious CVE-2015-0311, which hit affyield.com a few days back.
The final payload is a variant of Cryptowall version 3.0 (also known as Crowti). Similar to its predecessor, it uses RSA-2048 algorithm to encrypt files on the hard disk. It also drops the following already well known files in each of the affected directories. These files contain instructions on how to pay the ransom.
Once it has finished encrypting files, the malware visits the URL http://paytoc4gtpn5czl2.torpaysolutions.com/hkmxYL and demands that victims pay US$500 using Bitcoin in order to receive the decryption key that allows them to recover their files. It also displays a countdown of 168 hours (7 days) to pay the ransom. If the victim does not comply, the price increases to US$1,000 after the countdown.
The ransomware program provides users with links to several Tor gateways leading to CryptoWall decryption services hosted on the Tor network. There have also been reports that this new version of CryptoWall uses the I2P (Invisible Internet Project) anonymity network to carry out communication between victims and controllers, to hide from researchers and law enforcement officials.
In our most famous discovery, around New Year’s, we found the advertising.com ad network compromise that led to major websites displaying malvertising. These attacks are the work of the Kovter gang, which has been busy hitting other major players (i.e. YouTube) during the past year. We have observed several high-level domains being victims of malvertising, with a combined monthly traffic of 1.5 billion visitors.
According to Cyphort Labs the malvertising was served from advertising.com. Over the past several days, Cyphort Labs has seen other sites that contained ads from advertising.com redirecting visitors to malware.
These include FHM, RTV6, GameZone, LA Weekly, soapcentral.com and WeatherBug.
The attackers used a mix of HTTP and HTTPS redirects to hide the servers involved in this attack. Cyphort Labs explains that the HTTPS redirector is hosted on a Google App Engine page, which makes analysis based on traffic PCAPs more difficult, because HTTPS traffic is encrypted.
Explaining the threat, Bilogorskiy wrote that navigating to The Huffington Post website – or another website hosting an advertisement from the AOL ad network, adtech[dot]de – ultimately resulted in the user being redirected to a landing page serving what appeared to be the Sweet Orange Exploit Kit.
Researchers observed two bugs being exploited: CVE-2013-2551, a use-after-free vulnerability in Microsoft Internet Explorer, and CVE-2014-6332, a Windows OLE Automation Array vulnerability in Microsoft Internet Explorer, Bilogorskiy said.
In the end, the exploit kit downloaded a Kovter trojan used for advertising click fraud, Bilogorskiy said. In early January, he explained that the attack requires no user interaction, and that users are infected if they simply navigate to the affected site and their browsers or plugins are vulnerable.
Bilogorskiy said that Kovter – an advanced malware that detects analysis, virtualization and debugging tools – has ad fraud and ransomware variants, and that Cyphort Labs believed it was ransomware that was being delivered when the attack was first observed in early January. Cyphort Labs analyzed that variant of Kovter in an in-depth follow-up post published in the middle of January.
“It is [for] automatically clicking online advertisements, thus generating revenue for the ad-hosting website,” Bilogorskiy said. “The variant used here is very similar [to the one used in early January], but connects to a different command-and-control backend. It also uses a different key for the communication to the command-and-control server.”
Cyphort Labs notified AOL of the issue and researchers have not observed any adtech[dot]de infections since Monday, Bilogorskiy wrote. However, he added that two other advertising networks involved in the campaign were still serving malicious advertisements as of Tuesday: adxpansion[dot]com and ad[dot]directrev[dot]com.
Advertising networks get millions of submissions, and it is difficult to filter out every single malicious advertisement, Bilogorskiy said, explaining attackers will use a variety of techniques to hide from analysts and automated malware detection.
“Advertising networks should use continuous monitoring – automated systems for repeated checking for malware ads,” Bilogorskiy said. “They need to scan early and scan often, picking up changes in the advertising chains. Ad networks should have the latest security intelligence to power these monitoring systems.”
http://www.zdnet.com/article/malvertising-campaign-strikes-news-outlets-through-aol/
Kovter is an ad-fraud Trojan. It simulates a user visiting pages with ads.
By automatically ‘clicking’ online advertisements, it generates revenue for the ad-hosting website. All these requests are made in the background and game the system while the victim is none the wiser.
As outlined by a study conducted by the Association of National Advertisers, ad fraud will cost global advertisers around $6.3 billion in 2015.
All network communication from Kovter to its C&C is RC4 encrypted and BASE64 encoded.
If it detects any indication of analysis tools, virtualization or debugging tools, it will POST the following data to a16-kite.pw and then exit.
Else, it will POST data to a16-car.biz and then wait for commands.
The C&C server can issue the following commands:
RUN – execute a file
UPDATE – update itself
RESTART
FEED – Ad Fraud
SLEEP
By defrauding advertisers, Kovter adds insult to injury: the malware is not only distributed through advertisers, it also hits them with its payload.
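An added example (not Cyphort's code) of an analyst's decoder for the RC4-plus-Base64 layering described above: the key, the `name:argument` message format and the sample reply are constructed assumptions for illustration; the command names and C&C hosts are the ones listed in the analysis.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Command names come from the analysis above; the "name:argument" line format
# and the key below are assumptions for this illustration, not Kovter's wire format.
KNOWN_COMMANDS = {"RUN", "UPDATE", "RESTART", "FEED", "SLEEP"}


def decode_c2_message(b64_body: str, key: bytes) -> str:
    """Reverse the encoding layers seen on the wire: Base64 -> RC4 -> plaintext."""
    return rc4(key, base64.b64decode(b64_body)).decode("utf-8", errors="replace")


def parse_command(plaintext: str) -> tuple:
    """Split a decoded C&C reply into (command, argument); unknown names are flagged."""
    name, _, arg = plaintext.strip().partition(":")
    name = name.upper()
    return (name if name in KNOWN_COMMANDS else "UNKNOWN", arg)


def classify_beacon(host: str) -> str:
    """Map the destination of a captured POST to the branch of bot logic it reveals."""
    return {
        "a16-kite.pw": "analysis environment detected, bot exits",
        "a16-car.biz": "live host, bot awaits commands",
    }.get(host, "not a known Kovter C&C host")


# Constructed sample reply, produced here with the assumed key so the block runs offline.
SAMPLE_KEY = b"constructed-key"
SAMPLE_REPLY = base64.b64encode(rc4(SAMPLE_KEY, b"FEED:https://ads.example/click?id=42")).decode()

if __name__ == "__main__":
    text = decode_c2_message(SAMPLE_REPLY, SAMPLE_KEY)
    print(parse_command(text), "|", classify_beacon("a16-car.biz"))
```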
Advertising networks get millions of submissions, and it is difficult to filter out every single malicious advertisement.
Attackers will use a variety of techniques to hide from analysts and automated malware detection.
Some of these techniques are:
a) Enable the malicious payload after a delay of several days after the ad is approved.
b) Only serve the exploits to every 10th user, or every 20th user, who views the ad.
c) Verifying user agents and IP addresses is also a common strategy to hide from analysts and automated malware detection.
d) The use of redirection via HTTPS (Hypertext Transfer Protocol Secure, a communications protocol for secure encrypted communication) is unique.
In terms of the mechanics of how it happened exactly in this case: when a user opens the HuffingtonPost web site, several scripts are executed from the advertising network to show ads. One of these scripts loads an external function through HTTPS from Google AppSpot, and this function loads another redirect through HTTPS. Only then does the user receive the redirect to the malware payload. This makes it harder to analyse the origin of the attack, because even if a security company has the recorded network traffic, it is impossible to decrypt and reconstruct the origin of the malware redirect.
Advertising networks should use continuous monitoring – automated systems for repeated checking for malware ads, need to scan early and scan often, picking up changes in the advertising chains.
Ad networks should have the latest security intelligence to power these monitoring systems.
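The evasion techniques listed above (delayed activation, every-Nth-user serving, user-agent checks) and the continuous-monitoring recommendation, as an added Python simulation that is not part of the original deck: the ArmoredAd model, its hostnames and the rotated user agents are constructed for illustration; the scanner re-fetches the ad chain daily with browser-like user agents and alerts on any host that was not in the approval-time baseline.

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse


# Constructed model of an "armored" malvert (illustration only, not a real ad
# server): the redirect chain stays clean for a few days after approval, then
# the exploit-kit hop is served to every 10th viewer that presents a browser UA.
@dataclass
class ArmoredAd:
    approved_day: int
    activation_delay_days: int = 3
    serve_every_n: int = 10
    views: int = 0

    def chain(self, day: int, user_agent: str) -> list:
        """Return the URL chain this ad produces for one impression."""
        self.views += 1
        clean = ["https://adnetwork.example/ad/123", "https://cdn.example/creative.swf"]
        armed = day >= self.approved_day + self.activation_delay_days
        scanner_like = any(s in user_agent.lower() for s in ("bot", "python", "curl"))
        if armed and not scanner_like and self.views % self.serve_every_n == 0:
            return clean + ["https://redirector.example/r", "https://ek.example/landing"]
        return clean


BROWSER_UAS = [  # rotated so the creative cannot single out the scanner by UA
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.3 Safari/600.3",
]


def fingerprint(chain: list) -> str:
    return hashlib.sha256("\n".join(chain).encode()).hexdigest()[:16]


def scan(ad: ArmoredAd, day: int, user_agents: list, samples: int) -> dict:
    """Fetch the chain `samples` times with rotated UAs; return distinct chains by fingerprint."""
    seen = {}
    for i in range(samples):
        c = ad.chain(day, user_agents[i % len(user_agents)])
        seen.setdefault(fingerprint(c), c)
    return seen


def monitor(ad: ArmoredAd, days: range, samples_per_day: int = 20) -> list:
    """Re-scan every day; alert with the hosts that were absent from the first-day baseline."""
    baseline = None
    alerts = []
    for day in days:
        chains = scan(ad, day, BROWSER_UAS, samples_per_day).values()
        hosts = {urlparse(u).hostname for c in chains for u in c}
        if baseline is None:
            baseline = hosts
        elif hosts - baseline:
            alerts.append((day, sorted(hosts - baseline)))
    return alerts


if __name__ == "__main__":
    one_shot = scan(ArmoredAd(approved_day=0), 5, ["python-requests/2.5"], 30)
    print("single approval-style scan saw", len(one_shot), "distinct chain(s)")
    for day, new_hosts in monitor(ArmoredAd(approved_day=0), range(0, 7)):
        print(f"day {day}: new hosts in ad chain -> {new_hosts}")
```

A single scan with a tool-like user agent never sees the exploit hop, while daily re-scans with rotated browser agents flag the new redirector and exploit-kit hosts on the day the ad arms.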