Your speakers today
Nick Bilogorskiy (@belogor), Director of Security Research
Anthony James, VP of Marketing and Products
Agenda
o Malvertising explained
o Exploit Kits
o Case Studies
o Stats and Trends
o Wrap-up and Q&A
Cyphort Labs T-shirt
Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their Forensics and Incident Response
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd Party threat data
What is Malvertising
Malvertising is the use of online advertising to spread malware.
Malvertising involves injecting malicious ads into legitimate online advertising networks and web pages.
(Anti-Malvertising.com)
How Malvertising works
Attacker: creates and injects malware ads into the advertising network
Advertising Network: selects an ad based on auction, sends it to the website
Website: serves a banner ad, sometimes malicious
User: visits a popular website, gets infected via exploit kit
Malvertising history timeline (2007 to 2014)
o Speedtest.net ad network OpenX serves malware ad
o New York Times "Vonage" banner hijacked, installed FakeAV
o Malvertising technique was first identified in Flash files
o Malvertising uses dynamic domain names
o HuffPo, LA Weekly malvertising ads reach 1.5 Billion users
Poll Question #1
o How many ad impressions were driven by malvertising in 2013?
o Over 10 million
o Over 1 Billion
o Over 10 Billion
Rise of Malvertising
OTA stats
• Malvertising increased 200%+ in 2013 to over 209,000 incidents, generating 12.4B+ malicious ad impressions.
Google stats
• Google filtered 524 million 'bad' ads in 2014, and disabled 214,000 malware websites.
Cyphort stats
• Cyphort's own data shows a 300% malvertising growth in 2014
(Chart: monthly malvertising detections, Jun-14 through Feb-15)
Online Advertising Complexity
o 5.3 Trillion online ads served, $100+ Billion dollars spent
Online Advertising Complexity
(Diagram of the online advertising technology landscape, after Karina Sanz. Between Advertisers and Audience sit: Agencies, Media Buying Platforms / DSPs, Creative Optimization, Data Optimization, Ad Ops, Ad Servers, Ad Exchanges / SSPs, Ad Networks, Sharing Data / Social Tools, Data Suppliers, DMPs and Data Aggregators, Verification / Attribution / Analytics, Yield Optimization, Publisher Tools, Publishers.)
The combination of technology and services that connect Advertisers with Publishers can be a complex process with many parties involved.
Online Advertising Complexity
(Same advertising landscape diagram.)
Almost every one of them is vulnerable to malware injection.
Online Advertising Complexity
o TDBank has 11 calls to third-party servers
o ESPN has 83 calls to third-party servers
o TMZ.com has 352 calls …
Techniques to avoid detection
o Enable malicious payload after a delay
o Only serve exploits to every 10th user
o Verifying user agents and IP addresses
o HTTPS redirectors
What is an Exploit Kit
o An exploit kit is a delivery mechanism for a variety of different types of malware
o The first exploit kit was WebAttacker, developed in 2006 and sold for $20
(secpod.org)
o Exploit Kits infect you without a "click"
o Examples: Angler, Sweet Orange, Nuclear, RIG
(Fox-it.com)
© Copyright 2014 Cyphort, Inc. All rights reserved. Proprietary & Confidential
Clean.navy malvertising
CLEAN.NAVY, Feb 25, 2015
Clean.navy subdomain is loading Angler Exploit Kit with the exploit for CVE-2014-6332 Windows OLE Automation Array Remote Code Execution Vulnerability.
www.cyphort.com/dod-contractors-website-clean-navy-serving-drive-exploits/
1 start: www.***zone.info
2 redirect: ads.adgoto.com
3 redirect: shop.traditionalarrows.com
4 malware payload: bolivi**e.clean.navy/lists/9***
AFFITURE malvertising
AFFITURE, Jan 22, 2015
20+ websites were delivering malvertising via affiliate.affyield.com using Angler exploit kit and zero-day Flash CVE-2015-0311 exploit.
www.cyphort.com/affyield-com-serving-zero-day-flash/
1 start: <infectedsite.biz>
2 redirect: www.affyieldmb.com
3 redirect: murzilka.eu
4 malware payload: xxxxazot54moosa.in/xxx
GOPEGO malvertising
GOPEGO, Feb 4, 2015
gopego.com malvertising downloads CryptoWall ransomware. The attack serves an exploit package embedded in a Flash file, including exploits which target four vulnerabilities, among them the notorious CVE-2015-0311.
www.cyphort.com/gopego-malvertising-cryptowall/
Payload: CryptoWall
Huffington Post / AOL malvertising
HUFFINGTONPOST, Jan 5, 2015
HuffPo, LA Weekly, WeatherBug and other sites reaching 1.5 Billion users, were serving malvertising via advertising.com and installing Kovter malware.
www.cyphort.com/huffingtonpost-serving-malware/
1 start: www.huffingtonpost.com
2 redirect: advertising.com
3 redirect: foxbusiness.com
4 malware payload: Kuppicu.opoczno.pl:8080/books
HuffingtonPost malware – Kovter analysis
o Kovter is an ad-fraud Trojan (MD5 sum: A2A6A36C94D4FF5B42C346F3A3A49E7)
o Communication to C&C is RC4 encrypted and BASE64 encoded
o If it detects any indication of analysis tools, virtualization or debugging tools, it will POST the following data to a16-kite.pw and then exit
o Else, it will post data to a16-car.biz and then wait for commands.
o The C&C server can issue the following commands:
  o RUN – execute a file
  o UPDATE – update itself
  o RESTART
  o FEED – Ad Fraud
  o SLEEP
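The deck says only that Kovter wraps its C&C traffic in RC4 and then Base64. The block below is an added example for analysts decoding captured beacons; it is not Cyphort's or the malware's code. The RC4 key, the beacon field names and the sample beacon are constructed assumptions (in a real case the key is recovered from the sample), and the key-probing helper simply tries candidate strings until the decrypted body reads as text.

```python
"""Decode a Kovter-style C&C beacon: Base64 wrapping an RC4-encrypted body.

Added example, not Cyphort's or the malware's code. The key, field names
and sample beacon below are constructed for illustration only.
"""
import base64
import string
from typing import Iterable, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4. It is symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA): permute S under the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): XOR keystream into data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_beacon(key: bytes, plaintext: bytes) -> str:
    """Wrap a beacon the way the deck describes: RC4 first, then Base64."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_beacon(key: bytes, blob: str) -> bytes:
    """Reverse the wrapping: Base64-decode, then RC4 with the same key."""
    return rc4(key, base64.b64decode(blob))


def looks_like_text(data: bytes) -> bool:
    """Heuristic for a successful decrypt: non-empty, all printable ASCII."""
    printable = set(string.printable.encode("ascii"))
    return len(data) > 0 and all(b in printable for b in data)


def recover_key(blob: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Try candidate keys (e.g. strings pulled from the sample) until the
    decrypted beacon reads as plain text. Returns the key or None."""
    raw = base64.b64decode(blob)
    for key in candidates:
        if looks_like_text(rc4(key, raw)):
            return key
    return None


# Constructed sample: hypothetical key and beacon body (field names invented)
SAMPLE_KEY = b"example-key-not-real"
SAMPLE_BEACON = encode_beacon(SAMPLE_KEY, b"id=1234&ver=2&cmd=FEED")

if __name__ == "__main__":
    print("wire form :", SAMPLE_BEACON)
    print("decoded   :", decode_beacon(SAMPLE_KEY, SAMPLE_BEACON))
    print("key found :", recover_key(SAMPLE_BEACON, [b"wrong-key", SAMPLE_KEY]))
```

Once the key is known, the same decode step can be applied to proxy logs to confirm which of the two C&C hosts named above a sample talked to and which command it received.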
Crawler Trends and Stats
o 35% of the domains we found were infected more than once (repeated infections)
o AskMen.com - Jun 2014
o Indowebster - Sep 2014
o ThePirateBay.se - Oct 2014
o HuffingtonPost.com, LAWeekly, WeatherBug.com - Jan 2015
Poll Question #2
o On which day of the week is malvertising most active?
o Monday
o Wednesday
o Sunday
o All days equally
(Chart: number of malvertising attacks by day of the week, Monday through Sunday, on a 0-600 scale)
Most attacks on Weekends
Malvertising chain length
o Varies from 1 to 15 redirectors, 3.8 on average.
(Chart: number of chains by redirection chain length, 1 through 15, on a 0-350 scale)
Longest malvertising chain example: ArticleField.com
1. www.articlefield.com
2. w1ns.com
3. thfire.com
4. www.thfire.com
5. adsppperv.com
6. www.blog-hits.com
7. tracking1112.com
8. townsearchguides.com
9. tracki112.com
10. c.feed-xml.com
11. 109.206.188.72
12. 216.172.54.28
13. scriptforclick.com
14. dealsadvlist.com
15. spreadsheets.wiaawy.eu
Infected domains
Infected TLDs (chart, 0-2000 scale): com, net, org, ru, ir, info, it, tv, de, fr
Infected Hosting Country Origin
US 59%
Germany 8%
France 6%
UK 4%
Netherlands 4%
EU 3%
Spain 3%
China 2%
Canada 2%
Italy 2%
Hong Kong 2%
Korea 2%
Ukraine 1%
Thailand 1%
Austria 1%
Russia 1%
Payload domains
Payload TLDs (chart, 0-1200 scale): com, net, pl, org, biz, ua, us, in, vu, eu
Payload Hosting Country Origin
US 72%
Turkey 11%
EU 5%
UK 3%
Russia 2%
Korea 2%
Germany 2%
France 1%
Canada 1%
Switzerland 1%
Conclusions
o Advertising networks get millions of submissions, and it is difficult to filter out every single malicious one.
o Attackers will use a variety of techniques to hide from detection by analysts and scanners.
o Advertising networks should use continuous monitoring – automated systems for repeated checking for malware ads; they need to scan early and scan often, picking up changes in the advertising chains.
o Ad networks should have the latest security intelligence to power these monitoring systems.
o The risk increases on weekends and holidays.
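The crawler statistics presented earlier (chain length, infected and payload TLDs, repeated infections, day-of-week activity) and the conclusion's call to scan often and pick up changes in the advertising chains all come from the same kind of record: a dated redirect chain from publisher to payload host, as listed in the case-study slides. The block below is an added example, not Cyphort's crawler code. Its host names, dates and chain-length definition (every host in the chain counts, matching the 15-host ArticleField.com listing) are constructed assumptions.

```python
"""Compute malvertising crawler statistics from redirect-chain observations.

Added example, not Cyphort's crawler. Every observation below is constructed;
a chain runs from the infected publisher (index 0) to the payload host (index -1).
"""
from collections import Counter, defaultdict
from datetime import date
import ipaddress
from typing import Dict, List, Sequence, Set, Tuple

Observation = Tuple[date, List[str]]

# Constructed sample crawl: (observation date, chain of hosts)
OBSERVATIONS: List[Observation] = [
    (date(2015, 1, 4),  ["publisher-a.com", "ads.network-one.net", "tracker.example.org", "payload-host.pl"]),
    (date(2015, 1, 10), ["publisher-a.com", "ads.network-one.net", "cdn.rotator.info", "payload-host.pl"]),
    (date(2015, 1, 13), ["publisher-b.de", "exchange.network-two.com", "10.0.0.7"]),
    (date(2015, 1, 18), ["publisher-c.ru", "payload-host.biz"]),
    (date(2015, 1, 25), ["publisher-b.de", "exchange.network-two.com", "10.0.0.7"]),
]


def tld(host: str) -> str:
    """Last DNS label of a host, ignoring any port or path; bare IP payload
    hosts (as seen in the ArticleField chain) are grouped under 'ip'."""
    host = host.split("/")[0].split(":")[0]
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return host.rsplit(".", 1)[-1].lower()


def chain_length_stats(obs: Sequence[Observation]) -> Tuple[int, int, float]:
    """(shortest, longest, average) chain length over all observations."""
    lengths = [len(chain) for _, chain in obs]
    return min(lengths), max(lengths), sum(lengths) / len(lengths)


def tld_counts(obs: Sequence[Observation], position: int) -> Dict[str, int]:
    """TLD histogram for one chain position: 0 = infected site, -1 = payload."""
    return dict(Counter(tld(chain[position]) for _, chain in obs))


def repeat_infection_rate(obs: Sequence[Observation]) -> float:
    """Share of infected publishers seen in more than one observation."""
    seen = Counter(chain[0] for _, chain in obs)
    return sum(1 for n in seen.values() if n > 1) / len(seen)


def weekend_share(obs: Sequence[Observation]) -> float:
    """Share of observations that fell on a Saturday or Sunday."""
    return sum(1 for d, _ in obs if d.weekday() >= 5) / len(obs)


def chain_changes(obs: Sequence[Observation]) -> Dict[str, List[Tuple[date, Set[str], Set[str]]]]:
    """Compare successive crawls of the same publisher and report, per change,
    the date plus the hops that appeared and the hops that disappeared.
    This is the 'scan often, pick up changes in the chain' check."""
    by_site: Dict[str, List[Observation]] = defaultdict(list)
    for d, chain in sorted(obs, key=lambda o: o[0]):
        by_site[chain[0]].append((d, chain))
    changes: Dict[str, List[Tuple[date, Set[str], Set[str]]]] = {}
    for site, runs in by_site.items():
        for (_, prev), (d, cur) in zip(runs, runs[1:]):
            added, removed = set(cur) - set(prev), set(prev) - set(cur)
            if added or removed:
                changes.setdefault(site, []).append((d, added, removed))
    return changes


if __name__ == "__main__":
    print("chain length (min, max, avg):", chain_length_stats(OBSERVATIONS))
    print("infected TLDs:", tld_counts(OBSERVATIONS, 0))
    print("payload TLDs:", tld_counts(OBSERVATIONS, -1))
    print("repeat infection rate:", repeat_infection_rate(OBSERVATIONS))
    print("weekend share:", weekend_share(OBSERVATIONS))
    for site, events in chain_changes(OBSERVATIONS).items():
        for d, added, removed in events:
            print(f"{site} changed on {d}: +{sorted(added)} -{sorted(removed)}")
```

The change report is the part a monitoring team acts on: a publisher whose chain still looks clean today can pick up a new hop tomorrow, so alerting on newly appearing hops rather than on a one-off verdict is what makes repeated scanning pay off.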
References:
https://otalliance.org/system/files/files/resource/documents/report_-_online_advertising_hidden_hazards_to_consumer_security_date_privacy_may_15_20141.pdf
https://blog.opendns.com/2014/06/12/ads-security-dont-mix
http://www.cyphort.com/huffingtonpost-infected-again/
http://adwords.blogspot.com/2015/02/fighting-bad-advertising-practices-on.html
http://in.reuters.com/article/2014/10/16/cybersecurity-military-idINKCN0I52D820141016
http://www.slideshare.net/ksanz15/understanding-the-online-advertising-technology-landscape
http://blog.fox-it.com/2014/08/27/malvertising-not-all-java-from-java-com-is-legitimate/
http://www.slideshare.net/mhmoo/us-digitalfutureinfocus2013-27520934
http://www.insideprivacy.com/files/2014/05/PSI-Report.pdf
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-evolution-of-exploit-kits.pdf
http://secpod.org/blog/?p=1207