malvertising
TRANSCRIPT
Malvertising is the use of online advertising to spread malware.
Malvertising involves injecting malicious ads into legitimate online advertising networks and web pages.
Anti-Malvertising.com
What is Malvertising
How Malvertising works
• User: visits a popular website, gets infected via exploit kit
• Website: serves a banner ad, sometimes malicious
• Attacker: creates and injects malware ads into the advertising network
• Advertising Network: selects an ad based on an auction, sends it to the website
Malvertising history timeline (axis: 2007 through 2014)
• Malvertising technique was first identified in Flash files
• Speedtest.net ad network OpenX serves malware ad
• New York Times “Vonage” banner hijacked, installed FakeAV
• Malvertising uses dynamic domain names
• HuffPo, LA Weekly malvertising ads reach 1.5 Billion users
Rise of Malvertising
OTA stats
• Malvertising increased 200%+ in 2013 to over 209,000 incidents, generating 12.4B+ malicious ad impressions.
Google stats
• Google filtered 524 million 'bad' ads in 2014, and disabled 214,000 malware websites.
Cyphort stats
• Cyphort's own data shows a 300% malvertising growth in 2014
(chart x-axis: Jun-14 through Feb-15)
Techniques to avoid detection
o Enable the malicious payload only after a delay
o Only serve exploits to every 10th user
o Verify user agents and IP addresses before serving
o HTTPS redirectors
o Exploit kits infect you without a “click”
o Examples: Angler, Sweet Orange, Nuclear, RIG
Fox-it.com
© Copyright 2014 Cyphort, Inc. All rights reserved. Proprietary & Confidential
Clean.navy malvertising
CLEAN.NAVY, Feb 25, 2015
A clean.navy subdomain is loading the Angler Exploit Kit with an exploit for CVE-2014-6332 (Windows OLE Automation Array Remote Code Execution Vulnerability).
www.cyphort.com/dod-contractors-website-clean-navy-serving-drive-exploits/
1 start www.***zone.info
2 redirect ads.adgoto.com
3 redirect shop.traditionalarrows.com
4 malware payload bolivi**e.clean.navy/lists/9***
AFFITURE malvertising
AFFITURE, Jan 22, 2015
20+ websites were delivering malvertising via affiliate.affyield.com using the Angler exploit kit and a zero-day Flash exploit (CVE-2015-0311).
www.cyphort.com/affyield-com-serving-zero-day-flash/
1 <infectedsite.biz> <infectedsite.biz>
2 redirect www.affyieldmb.com
3 redirect murzilka.eu
4 malware payload xxxxazot54moosa.in/xxx
GOPEGO malvertising
GOPEGO, Feb 4, 2015
gopego.com malvertising downloads CryptoWall ransomware. The attack serves an exploit package embedded in a Flash file, including exploits that target four vulnerabilities, among them the notorious CVE-2015-0311.
www.cyphort.com/gopego-malvertising-cryptowall/
CryptoWall
Huffington Post / AOL malvertising
HUFFINGTONPOST, Jan 5, 2015
HuffPo, LA Weekly, WeatherBug and other sites reaching 1.5 Billion users were serving malvertising via advertising.com and installing Kovter malware.
www.cyphort.com/huffingtonpost-serving-malware/
1 <infectedsite.biz> www.huffingtonpost.com
2 redirect advertising.com
3 redirect foxbusiness.com
4 malware payload Kuppicu.opoczno.pl:8080/books
HuffingtonPost malware – Kovter analysis
o Kovter is an ad-fraud Trojan (MD5 sum: A2A6A36C94D4FF5B42C346F3A3A49E7)
o Communication to C&C is RC4 encrypted and BASE64 encoded
o If it detects any indication of analysis tools, virtualization or debugging tools:
  o it will POST the following data to a16-kite.pw and then exit
o Else:
  o it will POST data to a16-car.biz and then wait for commands
o The C&C server can issue the following commands:
  o RUN – execute a file
  o UPDATE – update itself
  o RESTART
  o FEED – ad fraud
  o SLEEP
Conclusions
o Advertising networks get millions of submissions, and it is difficult to filter out every single malicious one.
o Attackers will use a variety of techniques to hide from detection by analysts and scanners
o Advertising networks should use continuous monitoring: automated systems that repeatedly check for malware ads. Scan early and scan often, picking up changes in the advertising chains.
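One shape the "scan early and scan often" recommendation can take, as an added example that is not part of the original presentation: repeated automated visits through the same ad slot, with the hosts seen in the first few scans treated as the known chain, so that a new redirect hop is flagged even before an exploit fires, and a payload that is served only to every 10th visitor still shows up in the aggregate. The scan records and hostnames below are constructed for this example.

```python
# Continuous-monitoring check for an ad redirect chain (constructed sample data).
# Each record is one automated visit through the ad slot: the redirect hops the
# crawler followed and whether the sandbox observed an exploit kit landing.
# All hostnames are hypothetical.
BASELINE_SCANS = 3  # hops from the first N scans define the "known" chain

BASE = ["www.example-zone.test", "ads.example-adnet.test", "shop.example-store.test"]
SCANS = [
    {"scan": 1, "chain": BASE, "exploit": False},
    {"scan": 2, "chain": BASE, "exploit": False},
    {"scan": 3, "chain": BASE, "exploit": False},
    {"scan": 4, "chain": BASE, "exploit": False},
    {"scan": 5, "chain": BASE, "exploit": False},
    {"scan": 6, "chain": BASE, "exploit": False},
    # scan 7: a rotator host appears in the chain, but no exploit is served yet
    {"scan": 7, "chain": BASE + ["cdn.example-rotator.test"], "exploit": False},
    {"scan": 8, "chain": BASE, "exploit": False},
    {"scan": 9, "chain": BASE, "exploit": False},
    # scan 10: the 1-in-10 visitor is redirected to the exploit kit landing page
    {"scan": 10, "chain": BASE + ["payload.example-landing.test"], "exploit": True},
]


def baseline_hosts(scans, n=BASELINE_SCANS):
    """Hosts seen in the first n scans; treated as the known chain for this slot."""
    return {h for s in scans if s["scan"] <= n for h in s["chain"]}


def chain_changes(scans):
    """Map scan number -> hops that were not part of the baseline chain."""
    known = baseline_hosts(scans)
    return {s["scan"]: [h for h in s["chain"] if h not in known]
            for s in scans if any(h not in known for h in s["chain"])}


def exploit_ratio(scans):
    """Fraction of visits that actually reached an exploit. At 0.1 a single
    scan would have missed this campaign nine times out of ten."""
    return sum(1 for s in scans if s["exploit"]) / len(scans)


def first_alert(scans):
    """Earliest scan whose chain drifted from the baseline. Here that is
    scan 7, three visits before any exploit was served: chain drift is the
    cheaper early signal, the sandbox verdict confirms it later."""
    changes = chain_changes(scans)
    return min(changes) if changes else None


if __name__ == "__main__":
    print("chain changes:", chain_changes(SCANS))
    print("exploit ratio:", exploit_ratio(SCANS), "first alert at scan", first_alert(SCANS))
```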