
Malvertising campaign strikes top websites worldwide



OK, the article has the complete skinny, but the short version is that there are lots of websites that got malware loads in their ads, and you can get infected by some just from going to the page. Folks, if you read these and just ignore the parts you may feel are too techy, you will at least learn how to spot attacks coming. This one spreads bot data-theft malware, but also ransomware, which is a locked-up computer that you have to ransom to get unscrambled by paying a $100-$1000.00 ransom for the key to unlock it. Note that some are not vulnerable. Read the red highlights I added. If your system is patched with all Windows updates to date, it can't infect your system. Remember that 60% of the world's users don't do their Windows updates that come out the second Tuesday of each month at 12 PM local time.


I had been to all the infected websites over the weekend and wondered how I was lucky enough to avoid it, as another member here got it. Then I read the parts I highlighted in red in the excerpt below.


The lesson here is to keep your systems up to date! Anti-malware programs on an unpatched system are not protection. Updates are the first line of defense, after user habits and knowledge online, meaning users knowing what to look for.




"Web domains including The New York Times, BBC, AOL and MSN became victims of the campaign, designed to spread the Angler exploit kit.


Trend Micro reports that the campaign may have affected tens of thousands of users within only 24 hours of being live.


Malvertising is the use of malicious adverts to spread malware. Many Internet domains rely on adverts supplied by third-party ad networks in order to generate enough revenue to stay afloat, and unfortunately, sometimes fraudulent and fake adverts slip through the net.

It is important to note that legitimate websites which serve malicious ads are often as much of a victim as their users since they do not have control over these external ad networks.


Either way, though, once a malicious ad is successfully hosted on a legitimate website, it can link to domains controlled by cyberattackers and files such as the Angler exploit kit.


In some cases, simply loading the page is enough for the malicious ad to check for browser vulnerabilities and potentially infect a visitor's system.


The fraudulent advert used in the campaign contained a heavily-obfuscated JavaScript file with more than 12,000 lines of code -- almost 11,000 more than usual -- which included protections to avoid detection for as long as possible.


The malicious ad attempted to filter out both security researchers and website visitors with antivirus products and patched systems, which would ensure the exploit would not be successful.


However, if a visitor was using an unpatched system and had no anti-malware scans running, the victim would be sent to the Angler kit, which contained both the Bedep Trojan and TeslaCrypt ransomware. This exploit kit is the only one currently known to include an exploit for Microsoft's Silverlight vulnerability, which was patched in January this year."


For the full article, with links to the sources and more info, go here: http://www.zdnet.com/article/malvertising-campaign-strikes-top-websites-worldwide/?tag=nl.e566&s_cid=e566&ttag=e566&ftag=TRE49e8aa0


I don't keep track of the ad blockers very closely, but any of them that allow "acceptable ads" are certainly vulnerable. "Acceptable ads" really means the ad company kicked back some cash to the ad blocker's authors and meets whatever standards they have set. So if BrentsMedia.com had kicked back and gotten listed, the bad ads would fly right through the "acceptable ad" blocker.


Using an ad blocker that rejected everything and only allowed what you had given permission to load might be better, but far from perfect. Adding a JavaScript blocker set to deny all scripts unless individually allowed, and disabling Java, would add more protection. Still, both are going to leave you vulnerable if anywhere you have allowed gets compromised, and the amount of effort and frustration involved in deciding what to allow is not trivial. Without a lot of effort you'd be left with the worst of both situations: a lot of web pages wouldn't work because you hadn't given them the permissions they desire, and you'd have allowed something you thought was safe that got tricked by the bad folks running this type of scam.



Please read the excerpt and the full article's ads in the links provided.


Y'all are going around the block when the prevention is simple. I highlighted it in red above. It is easy peasy to block this attack. It is using old, already patched Windows vulnerabilities to get in, one of them patched more than a year ago. If you want to mitigate this attack, just do all your Windows updates to date, and have at least Defender or MSE running, or any real-time scanning anti-virus program.


Read this part again:


"The malicious ad attempted to filter out both security researchers and website visitors with antivirus products and patched systems, which would ensure the exploit would not be successful.


However, if a visitor was using an unpatched system and had no anti-malware scans running, the victim would be sent to the Angler kit, which contained both the Bedep Trojan and TeslaCrypt ransomware. This exploit kit is the only one currently known to include an exploit for Microsoft's Silverlight vulnerability, which was patched in January this year."


The first sentence reads that the malicious ad checked to see if the viewer had a patched system and/or an anti-virus running; it filtered these out because those would ensure the attack would be unsuccessful.


If your system is up to date on both Windows updates and antivirus, it will not work, because the vulnerabilities are (1.) patched already and not vulnerable to attack that way any more, and/or (2.) since one attack vulnerability is a year old since it was found and patched, it would also be picked up by up-to-date anti-virus signature files as an old vulnerability and stopped.


If you don't want to do your Windows patches and/or run an up-to-date A/V program, paid or free, this attack is the least of your worries.


You guys are hyping this above what it is. I posted so folks who do not realize that attacks are targeting patched vulnerabilities know that they need to get patched fast.


Along the same lines, I patch my systems just after they are released at noon local time, every second Tuesday of the month. If there are any out-of-cycle patches, I usually read about them and pass them along here too.


Security of the systems is easy, as it is generally just once a month and takes just a few minutes with a fast connection. If I had a slow or limited connection on the road, I would be sitting in a Starbucks or other free WiFi location and do them ASAP there, rather than have them come up unexpectedly and take all day on a slow one. Two reasons for that. One is that, with the bad guys reverse engineering the patches, they are sometimes attacking the just-patched vulnerabilities, trying to catch the folks who don't allow automatic updates or do them ASAP manually like I do, before they do the updates.


This is no big deal unless you don't do Windows updates. Or OSX or Linux updates and patches, for that matter, which both also do automatic updates. I have read about some Linux folks that don't do updates for their systems because of setting changes or other reasons. Torvalds just released the new kernel 4.5 update, BTW, for the noobs to Linux.


But gone are the days of running scans daily and running all kinds of bloatware to keep malware from getting in. The main OSes are so secure today that the usual methods of attack are social engineering, getting you to click on something that seems too good to be true, or getting through the ubiquitous third-party apps like Flash and Java.


I don't have any Java on my systems. If I need it for a specific task, I load the current version for it, then uninstall it as soon as I am done. Flash is automagically updated with Windows, or within a day or three of the Windows updates, like this past Tuesday the 8th of March patches. Flash was not updated until a few days later, on Thursday I think it was.


I am still reading about folks who spend hours a month running all kinds of unnecessary scanners and utilities etc. I do nothing at all but have Defender running in the background, with Malwarebytes Premium running real-time scanning in tandem with it. * Both set to auto update.


If I think something may have gotten in (nothing has on any alert, they got them all), I don't run hours-long scans or tedious tweakers. I run a fast Norton Power Eraser scan ( https://security.symantec.com/nbrt/npe.aspx ), which starts on a restart to check for rootkits, which are all but non-existent on newer computers with both the safe boot hardware as well as the Windows safe boot software.**


If you are spending even an hour a week running scans and other utility programs, it is simply not necessary. Automatic scans are second to keeping the Windows updates done, either automagically or, like I do, manually when they are made available, the second Tuesday of the month at noon local time, to be sure they are done before any reverse engineering can be done.


* (Warning: only Malwarebytes real-time can be run with any other active scanning AV program. Never run two real-time scanners unless one of the two is Malwarebytes, as that WILL do all kinds of unwanted things to your computer's boot and running activities.)


** (If you upgraded from Windows 7, your computer will have the software but not the hardware/firmware safe boot.)
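A quick check of the posture the post above relies on, as an added example that is not part of this thread or the ZDNet article: it reports the newest installed Windows update, whether Defender's real-time protection is on and how old its signatures are, and whether the Silverlight or Java plug-ins are installed at all. It assumes Windows 8.1 or 10 with Windows Defender (the Defender cmdlets are not on Windows 7 with MSE) and the products' default registry locations.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell window.

# 1. Newest installed update. Some Get-HotFix entries have no InstalledOn
#    date, so filter those out before sorting.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($latest) {
    $ageDays = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    "Last update: $($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString()) ($ageDays days ago)"
    # More than ~5 weeks means at least one Patch Tuesday was skipped.
    if ($ageDays -gt 35) { Write-Warning "A monthly update cycle has been missed." }
} else {
    Write-Warning "No installed updates found."
}

# 2. Real-time protection and signature age from the Defender cmdlets.
$mp = Get-MpComputerStatus
"Real-time protection enabled: $($mp.RealTimeProtectionEnabled)"
"Signatures last updated:      $($mp.AntivirusSignatureLastUpdated)"
if (-not $mp.RealTimeProtectionEnabled) {
    Write-Warning "No real-time scanner is active."
}

# 3. Plug-ins the excerpt names. These are the products' usual install keys
#    (assumption: default installs on 64-bit Windows).
$plugins = @{
    'Silverlight'   = 'HKLM:\SOFTWARE\Microsoft\Silverlight'
    'Java (64-bit)' = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
    'Java (32-bit)' = 'HKLM:\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment'
}
foreach ($name in $plugins.Keys) {
    $present = Test-Path $plugins[$name]
    "$name installed: $present"
    if ($present) { Write-Warning "$name is present; uninstall it if you do not need it." }
}
```

Any warning printed is one of the conditions the excerpt says the malicious ad looked for before serving the exploit kit.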


My interest was not in protecting my own systems or ones I support, Derek; I know they're OK. I was thinking more of the unaware, who might at least get some protection from the common ad-blocking browser tools that many folks install. Of course there are better defenses...


No problem, Dutch. For the ones you support, make sure they keep their Windows updates up to date if they are out of your direct control. That mitigates these attacks completely, and most of the other script kiddie attacks. Keeping folks from overriding their training to click on something that overrides protections, or accept a download that a website says they need, is, well, untrainable.


I am wondering what I will get for my Windows phones. Today they aren't under any attacks I am aware of. We are in the security-by-obscurity phase, but that can change any time. Some big changes with the Windows 10 Mobile upgrade, I understand. Oh well, doing yet another beta should end up with an improved device and ease of use/security.
