Upload File

malvertising

15

Upload: nick-bilogorskiy

Post on 02-Aug-2015

69 views

Category:

Technology


0 download

Report

Tags:

TRANSCRIPT

Page 1: Malvertising
Page 2: Malvertising

Malvertising

Nick Bilogorskiy@belogorDirector of Security Research

Page 3: Malvertising

Malvertising is the use of online advertising to spread malware.

Malvertising involves injecting malicious ads into legitimate online advertising networks and web pages.

Anti-Malvertising.com

What is Malvertising

Page 4: Malvertising

How Malvertising works

df

UserVisits a popular

website, gets infected via exploit kit

WebsiteServes a banner ad,

sometimes malicious

AttackerCreates and injects malware ads into advertising network

Advertising NetworkSelects an ad based on auction, sends to the website

Page 5: Malvertising

Malvertising history timeline

Speedtest.net ad network OpenX serves malware ad

New York Times “Vonage” banner hijacked, installed FakeAV

2007 2008 2009 2010 2011 2012 2013 2014

Malvertising technique was first identified in Flash files

Malvertising uses dynamic domain names

HuffPo, LA Weekly malvertising ads reach 1.5 Billion users

Page 6: Malvertising

Rise of MalvertisingOTA stats

• Malvertising increased 200%+ in 2013 to over 209,000 incidents, generating 12.4B+ malicious ad impressions.

Google stats

• Google filtered 524 million 'bad' ads in 2014, and disabled 214,000 malware websites.

Cyphort stats

• Cyphort own data shows a 300% malvertising growth in 2014

Jun-14 Jul-14 Aug-14 Sep-14 Oct-14 Nov-14 Dec-14 Jan-15 Feb-15

Page 7: Malvertising

Techniques to avoid detection

o Enable malicious payload after a delay

o Only serve exploits to every 10th user

o Verifying user agents and IP addresses

o HTTPS redirectors

Page 8: Malvertising

o Exploit Kits infect you without a “click”o Examples: Angler, Sweet Orange, Nuclear, RIG

Fox-it.com

Page 9: Malvertising

© Copyright 2014 Cyphort, Inc. All rights reserved. Proprietary & Confidential

Clean.navy malvertising

CLEAN.NAVYFeb 25, 2015

Clean.navy subdomain is loading Angler Exploit Kit with the exploit for CVE-2014-6332 Windows OLE Automation Array Remote Code Execution Vulnerability.

www.cyphort.com/dod-contractors-website-clean-navy-serving-drive-exploits/

1 start www.***zone.info

2 redirect ads.adgoto.com

3 redirect shop.traditionalarrows.com

4 malware payload bolivi**e.clean.navy/lists/9***

Page 10: Malvertising

© Copyright 2014 Cyphort, Inc. All rights reserved. Proprietary & Confidential

AFFITURE malvertising

AFFITUREJan 22, 2015

20+ websites were delivering malvertising via affiliate.affyield.com using Angler exploit kit and zero-day Flash CVE-2015-0311 exploit.

www.cyphort.com/affyield-com-serving-zero-day-flash/

1 <infectedsite.biz> <infectedsite.biz>

2 redirect www.affyieldmb.com

3 redirect murzilka.eu

4 malware payload xxxxazot54moosa.in/xxx

Page 11: Malvertising

GOPEGO malvertising

GOPEGOFeb 4, 2015

gopego.com malvertising downloads CryptoWall ransomware. The attack serves an exploit package embedded in a flash file, including exploits which target four vulnerabilities. Among them the notorious CVE-2015-0311 .

www.cyphort.com/gopego-malvertising-cryptowall/CryptoWall

Page 12: Malvertising

© Copyright 2014 Cyphort, Inc. All rights reserved. Proprietary & Confidential

Huffington Post / AOL malvertising

HUFFINGTONPOSTJan 5, 2015

HuffPo, LA Weekly, WeatherBug and other sites reaching 1.5 Billion users, were serving malvertising via advertising.com and installing Kovter malware.

www.cyphort.com/huffingtonpost-serving-malware/

1 <infectedsite.biz> www.huffingtonpost.com

2 redirect advertising.com

3 redirect foxbusiness.com

4 malware payload Kuppicu.opoczno.pl:8080/books

Page 13: Malvertising

HuffingtonPost malware – Kovter analysis

o Kovter is an ad-fraud Trojan (MD5 sum: A2A6A36C94D4FF5B42C346F3A3A49E7)

o Communication to C&C is RC4 encrypted and BASE64 encoded

o If it detects any indication of analysis tools, virtualization and debugging tools,o it will POST the following data to a16-kite.pw then and exit

o Else, o it will post data to a16-car.biz and then it will wait for commands.

o The C&C server can issue the following commands:o RUN – execute a fileo UPDATE – update itselfo RESTARTo FEED – Ad Fraudo SLEEP

Page 14: Malvertising

Conclusionso Advertising networks get millions of

submissions, and it is difficult to filter out every single malicious one.

o Attackers will use a variety of techniques to hide from detection by analysts and scanners

o Advertising networks should use continuous monitoring – automated systems for repeated checking for malware ads, need to scan early and scan often, picking up changes in the advertising chains.

Page 15: Malvertising

Thank youTwitter: @belogor

Slides on:Cyphort.com/labs/malwares-wanted/


Pandalabs Report 2016 Q2 - Panda Securityresources.pandasecurity.com/.../Pandalabs-2016-Q2-en.pdfTargeted attacks use vulnerabilities in the system. Website hacks and malvertising

The Hidden Enemy: Malvertising and Ransomware from 3rd... · Our team was fully exposed and this was a very scary time to say the least! ... (e.g. change from .XLS to something else)

Understanding Malvertising Through Ad-Injecting Browser ...expector.pdf · Understanding Malvertising Through Ad-Injecting Browser ... space on their web pages where online ads

Cybersecurity Awareness Training · malicious websites and drive-by downloads, P2P file sharing. malvertising, man-in-the-middle attacks, exploit kits. Social Engineering - Social

Web Security Research at Indiana University · Malvertising is a big issue 1% top publishers are infected Study on infrastructures can lead to a promising new direction 15x more coverage,

The Hidden Enemy: Malvertising and Ransomware€¦ · Ransomware. Overview This session will provide a better understanding of the impact of malvertising and ransomware. ... Malwarebytes

CSOHIMSS Lunch & Learn Webinar The Hidden Enemy ...csohio.himsschapter.org/.../CSOHIMSS_LunchLearn... · CSOHIMSS Lunch & Learn Webinar The Hidden Enemy: Malvertising and Ransomware

Measuring and Analyzing Search Engine Poisoning of ... · *.0catch.com 732 109 malvertising *.atspace.name 63 17 malvertising hdvidzpro.me 58 58 malvertising wanna .com 49 48 malvertising

ISSN 1361-3723 April 2011 …enbody/CFS_2011-04_Apr.pdf · Malvertising – exploiting web ... REGULARS Editorial 2 News in brief 4 Calendar 20 Contents computer FRAUD & ... pdf>

Revisiting Mobile Advertising Threats with MAdLifewei/papers/ · click fraud and malvertising. We discover that users of click fraud apps are much more likely to experience malvertising

UNCOVERING THE SECRETS OF MALVERTISING · AD TECH 101 In order to grasp why malvertising is such a profi table and ... better monetization downstream, which ironically is also true

Group Session: Malvertising : How To Detect and Deal With Malicious Ads

What is Malvertising? · 2014-11-18 · Infosecurity Magazine August 2014 “Malvertising Campaign may have exposed three million users per day” “Without having to click on anything,

Knowing Your Enemy: Understanding and Detecting ......frauds, etc. To understand the gravity of these malicious adver-tising activities, which we call malvertising, we perform a large-scale

Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against US Defense Industrial Base

Malware's Most Wanted: Malvertising Attacks on Huffingtonpost, Yahoo, AOL

THIS WEEK Opps, did I do that! - Long Branch Public Schools · Malvertising is on the rise, with almost one in three ad net-works serving this repackaged e-threat, according to Bitde-fender

Cyberoam Security Predictions 2015€¦ · Malvertising (placing malware laden advertisements on reputed/popular webpages) is likely to become more of a nuisance in 2015. Ad networks

Knowing Your Enemy: Understanding and Detecting Malicious ......• Malvertising is a significant threat to the internet revenue model • much of the internet funded by advertising

NOTES ON CLICK FRAUD: AMERICAN STORY · 2014-09-23 · of 2013. An infection chain runs through a malvertising campaign with Java exploitation and ends up dropping a payload with

PAD: Programming Third-Party Web Advertisement Censorship · Malvertising campaigns are becoming a prominent threat. According to Cyphort Labs, “by 2013 malvertising increased to

Heat Software Cloudsec 2016 - Trend Micro Internet Security Pule… · Heat Software Cloudsec 2016 ... safe browsing practices, and malvertising. Security Reporting System Leverage

Malvertising: The Hidden Threat

Understanding Malvertising Through Ad-Injecting Browser ...wenke.gtisc.gatech.edu/papers/ · In addition to Hulk, other tools have been recently developed to assist users in identifying

A Bright New Dawn of Security - HITCONhitcon.org/2016/pacific/0composition/pdf/1201/1201 R0 0925 a brigh… · •Malvertising •World Wide Impact •Talos Threat Intelligence.

Web Privacy Beyond Extensions: New Browsers Are Pursuing … · 2020. 7. 7. · Chrome Edge / IE Firefox Safari Extensions ... edly abused by hackers to serve malware (so-called malvertising)

MalwareBytes - Malvertising and Ransomware

Endpoint Detection and Response Workshop · Some Good News –Use of Exploit Kits has fallen sharply 23 Fileless Attack Criminal uses o Infect victim via Malvertising o Deliver Ransomware,

Security Connections Newsletter September 2016 · September 2016 Featured News Talos Thwarts Global Malvertising Campaigns With the help of GoDaddy, Cisco’s Talos group prevented

Understanding Malvertising Through Ad-Injecting Browser ... · al.found thousands of suspicious extensions including those with ad-injecting practice. Despite effectiveness on identifying

The Malware Menace - Cisco · The Malware Menace: From 30,000 Feet to the Microscope Session ID ... Cisco Public Agenda Targeted Threats Spear Phishing Malvertising Exploit Kits Ransomware

Complaint of Disconnect, Inc. - Amazon S3 · Google Play mobile application store. Recently, Google removed Disconnects ^malvertising _ mobile application from the Play Store, leading

Understanding Malvertising Through Ad-Injecting Browser ...cybersecurity.uga.edu/publications/6_frp0779-xingA.pdftheir monetization strategy often facilitate the deployment of malver-tising

I have attached a photo of the 1962 Victorian Interservice … · 2020-03-08 · Malvertising using popular downloads. Habitually, threat actors find out which search terms are gaining

Panel 4 -- How to Avoid Malvertising Leading to Phishing ... 4... · 2007 – first recorded sighting of malvertising - based on a vulnerability in Adobe Flash (a product that continues