Malvertising

Upload: nick-bilogorskiy

Post on 02-Aug-2015

Category: Technology

TRANSCRIPT

Malvertising

Nick Bilogorskiy (@belogor), Director of Security Research

What is Malvertising

Malvertising is the use of online advertising to spread malware.

Malvertising involves injecting malicious ads into legitimate online advertising networks and web pages.

Source: Anti-Malvertising.com

How Malvertising works

1 Attacker: creates malware ads and injects them into an advertising network

2 Advertising Network: selects an ad based on the auction and sends it to the website

3 Website: serves the banner ad, which is sometimes malicious

4 User: visits a popular website and gets infected via an exploit kit

Malvertising history timeline (2007 to 2014)

• Malvertising technique was first identified in Flash files

• New York Times "Vonage" banner hijacked, installed FakeAV

• Speedtest.net ad network OpenX serves malware ad

• Malvertising uses dynamic domain names

• HuffPo, LA Weekly malvertising ads reach 1.5 Billion users

Rise of Malvertising

OTA stats

• Malvertising increased 200%+ in 2013 to over 209,000 incidents, generating 12.4B+ malicious ad impressions.

Google stats

• Google filtered 524 million 'bad' ads in 2014, and disabled 214,000 malware websites.

Cyphort stats

• Cyphort's own data shows 300% malvertising growth in 2014

(chart: monthly malvertising incidents, Jun-14 to Feb-15)

Techniques to avoid detection

o Enable the malicious payload only after a delay

o Serve exploits only to every 10th user

o Verify user agents and IP addresses before serving the exploit

o HTTPS redirectors

o Exploit kits infect you without a "click"

o Examples: Angler, Sweet Orange, Nuclear, RIG

Source: Fox-it.com

© Copyright 2014 Cyphort, Inc. All rights reserved. Proprietary & Confidential

Clean.navy malvertising

CLEAN.NAVY, Feb 25, 2015

A clean.navy subdomain was loading the Angler Exploit Kit with an exploit for CVE-2014-6332 (Windows OLE Automation Array Remote Code Execution Vulnerability).

www.cyphort.com/dod-contractors-website-clean-navy-serving-drive-exploits/

Redirect chain:

1 start www.***zone.info

2 redirect ads.adgoto.com

3 redirect shop.traditionalarrows.com

4 malware payload bolivi**e.clean.navy/lists/9***


AFFITURE malvertising

AFFITURE, Jan 22, 2015

20+ websites were delivering malvertising via affiliate.affyield.com using the Angler exploit kit and the zero-day Flash exploit for CVE-2015-0311.

www.cyphort.com/affyield-com-serving-zero-day-flash/

Redirect chain:

1 start <infectedsite.biz>

2 redirect www.affyieldmb.com

3 redirect murzilka.eu

4 malware payload xxxxazot54moosa.in/xxx

GOPEGO malvertising

GOPEGO, Feb 4, 2015

gopego.com malvertising downloads CryptoWall ransomware. The attack serves an exploit package embedded in a Flash file, including exploits that target four vulnerabilities, among them the notorious CVE-2015-0311.

www.cyphort.com/gopego-malvertising-cryptowall/

Payload: CryptoWall

Huffington Post / AOL malvertising

HUFFINGTONPOST, Jan 5, 2015

HuffPo, LA Weekly, WeatherBug and other sites, reaching 1.5 Billion users, were serving malvertising via advertising.com and installing Kovter malware.

www.cyphort.com/huffingtonpost-serving-malware/

Redirect chain:

1 start www.huffingtonpost.com

2 redirect advertising.com

3 redirect foxbusiness.com

4 malware payload Kuppicu.opoczno.pl:8080/books

HuffingtonPost malware – Kovter analysis

o Kovter is an ad-fraud Trojan (MD5 sum: A2A6A36C94D4FF5B42C346F3A3A49E7)

o Communication to C&C is RC4 encrypted and BASE64 encoded

o If it detects any indication of analysis tools, virtualization or debugging tools, it POSTs data to a16-kite.pw and then exits

o Otherwise, it POSTs data to a16-car.biz and then waits for commands

o The C&C server can issue the following commands:

  o RUN – execute a file

  o UPDATE – update itself

  o RESTART

  o FEED – ad fraud

  o SLEEP
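The slide states that Kovter's C&C traffic is RC4-encrypted and then Base64-encoded. The following is an added example, not Cyphort's code and not code recovered from the sample: it implements that two-layer encoding so an analyst can decode a captured POST body once the RC4 key has been pulled from the binary. The key, the JSON field layout and the sample message are constructed assumptions; the page does not describe Kovter's real key or message format. The RC4 core is checked against the standard "Key"/"Plaintext" test vector so the decoder itself can be trusted before it is pointed at real traffic.

```python
import base64
import json
from typing import Any, Dict


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_beacon(key: bytes, fields: Dict[str, Any]) -> str:
    """Build a beacon body the way the slide describes: RC4 first, then Base64.
    The JSON layout is an assumption for this example, not Kovter's real format."""
    plain = json.dumps(fields, sort_keys=True).encode("utf-8")
    return base64.b64encode(rc4(key, plain)).decode("ascii")


def decode_beacon(key: bytes, body: str) -> Dict[str, Any]:
    """Reverse encode_beacon: Base64-decode, RC4-decrypt, parse JSON.
    A wrong key surfaces as a JSON/Unicode error rather than silently wrong data."""
    raw = base64.b64decode(body, validate=True)
    return json.loads(rc4(key, raw).decode("utf-8"))


# Hypothetical key and constructed beacon; neither comes from the real sample.
EXAMPLE_KEY = b"example-rc4-key"
EXAMPLE_FIELDS = {"id": "bot-0001", "cmd": "FEED", "os": "Windows 7"}


if __name__ == "__main__":
    body = encode_beacon(EXAMPLE_KEY, EXAMPLE_FIELDS)
    print("wire body :", body)
    print("decoded   :", decode_beacon(EXAMPLE_KEY, body))
    print("RC4 vector:", rc4(b"Key", b"Plaintext").hex())
```

The same `rc4` function is what you would call on the captured request body after stripping Base64; because RC4 has no integrity protection, a decode that yields garbage is the only signal that the key is wrong.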

Conclusions

o Advertising networks get millions of submissions, and it is difficult to filter out every single malicious one.

o Attackers will use a variety of techniques to hide from detection by analysts and scanners.

o Advertising networks should use continuous monitoring: automated systems that repeatedly check for malware ads. Scan early and scan often, picking up changes in the advertising chains.
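The evasion techniques listed earlier (serve the exploit only to every 10th visitor, gate on the user agent) are the reason a one-shot scan of an ad tag finds nothing, and the reason the conclusion asks for repeated, automated checks of the chain. The added example below is not Cyphort's code; it simulates both sides in one process so it runs offline: a hypothetical ad endpoint on `*.test` hosts that applies those two tricks, and a monitor that probes it repeatedly with several user agents, follows each redirect chain, and flags any chain that reaches a host outside a known baseline. All hostnames, the 1-in-10 ratio and the user-agent strings are constructed for the example.

```python
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# (url, user_agent) -> URL of the next hop, or None when the chain ends.
Fetch = Callable[[str, str], Optional[str]]


class EvasiveAdServer:
    """Constructed stand-in for an ad-network endpoint (hypothetical *.test hosts).
    It only sends browser-looking user agents down the malicious chain, and
    only on every 10th request, mirroring the evasion tricks on the slides."""

    AD_TAG = "http://ads.example-network.test/tag"

    def __init__(self) -> None:
        self.requests = 0

    def fetch(self, url: str, user_agent: str) -> Optional[str]:
        host = urlsplit(url).hostname
        if host == "ads.example-network.test":
            self.requests += 1
            looks_like_browser = user_agent.startswith("Mozilla/")
            if looks_like_browser and self.requests % 10 == 0:
                return "http://redirector.example.test/go?id=1"
            return "http://cdn.example-network.test/banner.jpg"
        if host == "redirector.example.test":
            return "http://landing.example.test/ek/index.php"
        return None  # static banner or landing page: end of chain


def follow_chain(fetch: Fetch, start_url: str, user_agent: str,
                 max_hops: int = 10) -> List[str]:
    """Follow redirects from an ad tag and return the hostnames visited, in order."""
    hosts = [urlsplit(start_url).hostname]
    url = start_url
    for _ in range(max_hops):
        nxt = fetch(url, user_agent)
        if nxt is None:
            break
        hosts.append(urlsplit(nxt).hostname)
        url = nxt
    return hosts


def scan(fetch: Fetch, start_url: str, user_agents: List[str],
         probes_per_ua: int, known_hosts: Set[str]) -> Dict[Tuple[str, ...], int]:
    """Probe the tag repeatedly with each user agent. Return every chain that
    touches a host outside the baseline, keyed by the chain, with a hit count."""
    suspicious: Dict[Tuple[str, ...], int] = {}
    for ua in user_agents:
        for _ in range(probes_per_ua):
            chain = tuple(follow_chain(fetch, start_url, ua))
            if any(h not in known_hosts for h in chain):
                suspicious[chain] = suspicious.get(chain, 0) + 1
    return suspicious


KNOWN_HOSTS = {"ads.example-network.test", "cdn.example-network.test"}
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"
SCANNER_UA = "curl/7.40.0"

if __name__ == "__main__":
    tag = EvasiveAdServer.AD_TAG
    print("1 probe, scanner UA :", scan(EvasiveAdServer().fetch, tag, [SCANNER_UA], 1, KNOWN_HOSTS))
    print("50 probes, scanner UA:", scan(EvasiveAdServer().fetch, tag, [SCANNER_UA], 50, KNOWN_HOSTS))
    print("30 probes, browser UA:", scan(EvasiveAdServer().fetch, tag, [BROWSER_UA], 30, KNOWN_HOSTS))
```

Two things the run makes visible: a scanner that identifies itself as a tool never sees the malicious chain no matter how often it asks, and even a realistic browser identity needs enough repeated probes to cross the 1-in-10 gate. A real monitor would replace `EvasiveAdServer.fetch` with an HTTP client that returns the `Location` header, rotate source IPs as well as user agents, and diff each run's chains against the previous baseline.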

Thank you

Twitter: @belogor

Slides on: Cyphort.com/labs/malwares-wanted/