Malvertising

By: Dilan Samarasinghe, SOC Analyst

The MS-ISAC has recently observed an increase in malware that is most often disseminated through malvertising. Malvertising, or malicious advertising, is the use of online, malicious advertisements to spread malware and compromise systems. Generally this occurs through the injection of unwanted or malicious code into ads. Malicious actors then pay legitimate online advertising networks to display the infected ads on various websites, exposing every user visiting these sites to the potential risk of infection. Generally, the legitimate advertising networks and websites are not aware they are serving malicious content.

Why does malvertising work?

Each day, a large number of ads are submitted to the various advertising networks throughout the world, making it very difficult for the advertising networks to perform a thorough analysis of each ad. Often advertisers work on a complaint based system, wherein if a complaint is lodged against an ad or ads from a specific group/company a deep analysis is then performed at that time. Many websites, especially large ones with several hundred thousand users per day, rely on third party vendors and software in order to display its ads, which in turn reduces the direct oversight and the amount of vetting that takes place. This automation makes online ads vulnerable to malvertising.

In addition, it is very difficult for cybersecurity experts to identify exactly which ad is malicious because the ads on a webpage constantly change. This means that one visitor may be infected, but the next ten, who visit the exact same webpage, won’t be infected.

How does malvertising work?

Malicious actors hide a small piece of code deep within a legitimate looking advertisement, which will direct the user’s machine to a malicious or compromised server. When the user’s machine successfully makes a connection to the server, an exploit kit hosted on that server executes. An exploit kit is a type of malware that evaluates a system, determines what vulnerabilities exist on the system, and exploits a vulnerability. From there, the malicious actor is able to install malware by utilizing the security bypass created by the exploit kit. The additional software could allow the attacker to perform a number of actions including, allowing full access to the computer, exfiltrating financial or sensitive information, locking the system and holding it ransom via ransomware, or adding the system to a botnet so it can be used to perform additional attacks. This entire process occurs behind the scenes, out of sight of the user and without any interaction from the user.

The Most Popular Exploit Kit

One of the most popular exploit kits currently in use is the Angler Exploit Kit. Angler employs a number of evasion techniques in order to avoid being detected. For example, the URL of the landing page the user’s computer connects to, where the exploit kit is hosted, is often generated dynamically. This makes it difficult to detect because the URL is constantly changing. Angler also has the functionality to determine if it is being run inside of a virtual machine, thus making it difficult for cybersecurity analysts to perform analysis on it. Finally, multiple layers of obfuscation exist in Angler, built on top of each other with various encoding schemes (base64, RC4, etc.) to hide the code that executes when the vulnerable user visits the server.

Angler uses a variety of vulnerabilities in Adobe Flash, Microsoft Silverlight, and Oracle Java. These are all extremely common extensions running on many popular web browsers. When the user’s computer visits the server hosting the exploit kit, the system is scanned to determine which versions of the above software are running on the user’s browser. From there, Angler picks the best vulnerability for exploiting the victim.

A Very Real Threat

There are numerous examples of popular websites inadvertently hosting malicious advertisements. According to the news media, popular sites belonging to the New York Times, BBC, AOL and the NFL were the target of malvertising campaigns as recently as March 2016. In this instance, the malicious code was delivered through a compromised ad network. After the exploit kit ran, the malware that was downloaded onto vulnerable systems was a variant of Trojan Bedep. This malware typically provides the malicious actor a backdoor through which they can access the infected system and download additional files on to it. Some reports also indicated the attacker then infected the machine with a ransomware known as Teslacrypt. Ransomware is a type of malware that encrypts files on a user’s machine, and then demands payment in order to decrypt them.

The news media reported another example of a large-scale malvertising campaign in September 2015. In this case, the attacker utilized a number of large ad networks, as well as a number of smaller ones and the campaign went undiscovered for almost three weeks. Many large sites with millions of visitors per month were affected, including eBay UK, answers.com, and drudgereport.com. The attackers also took great care in hiding their activities, creating legitimate appearing companies to place the ads.

How To Combat It

Unfortunately, due to the way this attack vector works, it is quite difficult for users to protect themselves against it. The best course of action is to ensure that all utilized software and extensions (particularly the web browser, as well as Flash and Java) are kept up-to-date. Where possible, if your browser allows for it disable the use of Flash or set it to require user interaction in order to run. When browsing the Internet, make sure to close browser windows when not in use, since this will minimize the number of ads displayed and minimize the likelihood of a malicious ad appearing. Consider the use of an add-on ad blocker in order to block automated scripts from running on visited websites.

Sources: