Upload File

malvertising

15

Upload: nick-bilogorskiy

Post on 02-Aug-2015

69 views

Category:

Technology


0 download

Report

Tags:

TRANSCRIPT

Page 1: Malvertising
Page 2: Malvertising

Malvertising

Nick Bilogorskiy@belogorDirector of Security Research

Page 3: Malvertising

Malvertising is the use of online advertising to spread malware.

Malvertising involves injecting malicious ads into legitimate online advertising networks and web pages.

Anti-Malvertising.com

What is Malvertising

Page 4: Malvertising

How Malvertising works

df

UserVisits a popular

website, gets infected via exploit kit

WebsiteServes a banner ad,

sometimes malicious

AttackerCreates and injects malware ads into advertising network

Advertising NetworkSelects an ad based on auction, sends to the website

Page 5: Malvertising

Malvertising history timeline

Speedtest.net ad network OpenX serves malware ad

New York Times “Vonage” banner hijacked, installed FakeAV

2007 2008 2009 2010 2011 2012 2013 2014

Malvertising technique was first identified in Flash files

Malvertising uses dynamic domain names

HuffPo, LA Weekly malvertising ads reach 1.5 Billion users

Page 6: Malvertising

Rise of MalvertisingOTA stats

• Malvertising increased 200%+ in 2013 to over 209,000 incidents, generating 12.4B+ malicious ad impressions.

Google stats

• Google filtered 524 million 'bad' ads in 2014, and disabled 214,000 malware websites.

Cyphort stats

• Cyphort own data shows a 300% malvertising growth in 2014

Jun-14 Jul-14 Aug-14 Sep-14 Oct-14 Nov-14 Dec-14 Jan-15 Feb-15

Page 7: Malvertising

Techniques to avoid detection

o Enable malicious payload after a delay

o Only serve exploits to every 10th user

o Verifying user agents and IP addresses

o HTTPS redirectors

Page 8: Malvertising

o Exploit Kits infect you without a “click”o Examples: Angler, Sweet Orange, Nuclear, RIG

Fox-it.com

Page 9: Malvertising

© Copyright 2014 Cyphort, Inc. All rights reserved. Proprietary & Confidential

Clean.navy malvertising

CLEAN.NAVYFeb 25, 2015

Clean.navy subdomain is loading Angler Exploit Kit with the exploit for CVE-2014-6332 Windows OLE Automation Array Remote Code Execution Vulnerability.

www.cyphort.com/dod-contractors-website-clean-navy-serving-drive-exploits/

1 start www.***zone.info

2 redirect ads.adgoto.com

3 redirect shop.traditionalarrows.com

4 malware payload bolivi**e.clean.navy/lists/9***

Page 10: Malvertising

© Copyright 2014 Cyphort, Inc. All rights reserved. Proprietary & Confidential

AFFITURE malvertising

AFFITUREJan 22, 2015

20+ websites were delivering malvertising via affiliate.affyield.com using Angler exploit kit and zero-day Flash CVE-2015-0311 exploit.

www.cyphort.com/affyield-com-serving-zero-day-flash/

1 <infectedsite.biz> <infectedsite.biz>

2 redirect www.affyieldmb.com

3 redirect murzilka.eu

4 malware payload xxxxazot54moosa.in/xxx

Page 11: Malvertising

GOPEGO malvertising

GOPEGOFeb 4, 2015

gopego.com malvertising downloads CryptoWall ransomware. The attack serves an exploit package embedded in a flash file, including exploits which target four vulnerabilities. Among them the notorious CVE-2015-0311 .

www.cyphort.com/gopego-malvertising-cryptowall/CryptoWall

Page 12: Malvertising

© Copyright 2014 Cyphort, Inc. All rights reserved. Proprietary & Confidential

Huffington Post / AOL malvertising

HUFFINGTONPOSTJan 5, 2015

HuffPo, LA Weekly, WeatherBug and other sites reaching 1.5 Billion users, were serving malvertising via advertising.com and installing Kovter malware.

www.cyphort.com/huffingtonpost-serving-malware/

1 <infectedsite.biz> www.huffingtonpost.com

2 redirect advertising.com

3 redirect foxbusiness.com

4 malware payload Kuppicu.opoczno.pl:8080/books

Page 13: Malvertising

HuffingtonPost malware – Kovter analysis

o Kovter is an ad-fraud Trojan (MD5 sum: A2A6A36C94D4FF5B42C346F3A3A49E7)

o Communication to C&C is RC4 encrypted and BASE64 encoded

o If it detects any indication of analysis tools, virtualization and debugging tools,o it will POST the following data to a16-kite.pw then and exit

o Else, o it will post data to a16-car.biz and then it will wait for commands.

o The C&C server can issue the following commands:o RUN – execute a fileo UPDATE – update itselfo RESTARTo FEED – Ad Fraudo SLEEP

Page 14: Malvertising

Conclusionso Advertising networks get millions of

submissions, and it is difficult to filter out every single malicious one.

o Attackers will use a variety of techniques to hide from detection by analysts and scanners

o Advertising networks should use continuous monitoring – automated systems for repeated checking for malware ads, need to scan early and scan often, picking up changes in the advertising chains.

Page 15: Malvertising

Thank youTwitter: @belogor

Slides on:Cyphort.com/labs/malwares-wanted/


Group Session: Malvertising : How To Detect and Deal With Malicious Ads

NOTES ON CLICK FRAUD: AMERICAN STORY · 2014-09-23 · of 2013. An infection chain runs through a malvertising campaign with Java exploitation and ends up dropping a payload with

Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against US Defense Industrial Base

MQ Automation-Config Management using Amazon S3 · 2017. 9. 29. · Blogging on general IT, security, malvertising. How to hire me: MQ web site and blog: (Slides are uploaded here)

Hot Topics in Cybersecurity & Employee Privacy · 2017-11-13 · ‣Keylogger - logs sequential strokes to figure out login credentials ‣Malvertising - malicious online advertising

Measuring and Analyzing Search Engine Poisoning of ... · *.0catch.com 732 109 malvertising *.atspace.name 63 17 malvertising hdvidzpro.me 58 58 malvertising wanna .com 49 48 malvertising

What is Malvertising? · 2014-11-18 · Infosecurity Magazine August 2014 “Malvertising Campaign may have exposed three million users per day” “Without having to click on anything,

The Hidden Enemy: Malvertising and Ransomware from 3rd... · Our team was fully exposed and this was a very scary time to say the least! ... (e.g. change from .XLS to something else)

Understanding Malvertising Through Ad-Injecting Browser ...cybersecurity.uga.edu/publications/6_frp0779-xingA.pdftheir monetization strategy often facilitate the deployment of malver-tising

Understanding Malvertising Through Ad-Injecting Browser ...wenke.gtisc.gatech.edu/papers/ · In addition to Hulk, other tools have been recently developed to assist users in identifying

Ransomware is Big Business - Tech Community · 2016-09-23 · Infection Vector User clicks malicious link to a compromised site or malvertising OR user clicks links in phishing emails

User Experience - AdMonsters · Malvertising—malware delivered via digital advertising— ... threat. Since we can now better trace outbreak sources, exchanges and other ad tech

Web Security Research at Indiana University · Malvertising is a big issue 1% top publishers are infected Study on infrastructures can lead to a promising new direction 15x more coverage,

Advertsing Integrity: Malvertising, etc

Web Privacy Beyond Extensions: New Browsers Are Pursuing … · 2020. 7. 7. · Chrome Edge / IE Firefox Safari Extensions ... edly abused by hackers to serve malware (so-called malvertising)

Complaint of Disconnect, Inc. - Amazon S3 · Google Play mobile application store. Recently, Google removed Disconnects ^malvertising _ mobile application from the Play Store, leading

Uncovering The Secrets of Malvertising · Uncovering The Secrets of Malvertising Jérôme Segura, @jeromesegura, Lead Malware Intelligence Analyst Chris Boyd, @paperghost, Lead Malware

THIS WEEK Opps, did I do that! - Long Branch Public Schools · Malvertising is on the rise, with almost one in three ad net-works serving this repackaged e-threat, according to Bitde-fender

Malvertising: The Hidden Threat

Heat Software Cloudsec 2016 - Trend Micro Internet Security Pule… · Heat Software Cloudsec 2016 ... safe browsing practices, and malvertising. Security Reporting System Leverage

Understanding Malvertising Through Ad-Injecting Browser ... · to potential customers. To monetize their online services and appli-cations, most modern websites act as ad publishers

PAD: Programming Third-Party Web Advertisement Censorship · Malvertising campaigns are becoming a prominent threat. According to Cyphort Labs, “by 2013 malvertising increased to

Understanding Malvertising Through Ad-Injecting Browser ... · al.found thousands of suspicious extensions including those with ad-injecting practice. Despite effectiveness on identifying

Advertsing Integrity: Malvertising, etc.espcoalition.org/sites/default/files/news-items/Malvertising for...Cyphort: +325% during 2014; ... As much as half of non-mobile display now

Endpoint Detection and Response Workshop · Some Good News –Use of Exploit Kits has fallen sharply 23 Fileless Attack Criminal uses o Infect victim via Malvertising o Deliver Ransomware,

A Bright New Dawn of Security - HITCONhitcon.org/2016/pacific/0composition/pdf/1201/1201 R0 0925 a brigh… · •Malvertising •World Wide Impact •Talos Threat Intelligence.

Revisiting Mobile Advertising Threats with MAdLifewei/papers/ · click fraud and malvertising. We discover that users of click fraud apps are much more likely to experience malvertising

Cybersecurity Awareness Training · malicious websites and drive-by downloads, P2P file sharing. malvertising, man-in-the-middle attacks, exploit kits. Social Engineering - Social

Understanding Malvertising Through Ad-Injecting Browser ...expector.pdf · Understanding Malvertising Through Ad-Injecting Browser ... space on their web pages where online ads

Panel 4 -- How to Avoid Malvertising Leading to Phishing ... 4... · 2007 – first recorded sighting of malvertising - based on a vulnerability in Adobe Flash (a product that continues

Agenda - Data Connectors · Some Good News –Use of Exploit Kits has fallen sharply 19 Fileless Attack Criminal uses o Infect victim via Malvertising o Deliver Ransomware, CryptoJackers,

FakeAV: Journey From Trojan to a Persistent Threat · Malvertising DeepSec 2011 Serving FakeAV through Advertising networks. Malvertising JavaScript used in New York Times newspaper

UNCOVERING THE SECRETS OF MALVERTISING · AD TECH 101 In order to grasp why malvertising is such a profi table and ... better monetization downstream, which ironically is also true

I have attached a photo of the 1962 Victorian Interservice … · 2020-03-08 · Malvertising using popular downloads. Habitually, threat actors find out which search terms are gaining

Integrity of the Ad Supply Chain Anti-Malvertising Best ...•Malvertising: can generally refer to “malicious” advertising of various sorts; connotation today is malware drive-by