Faked Flash-based ads on HuffPo, other sites downloaded extortionware

Discussion in 'malware problems & news' started by ronjor, Apr 17, 2015.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    http://arstechnica.com/security/201...-huffpo-other-sites-downloaded-extortionware/
     
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,954
    Location:
    DC Metro Area
    Do you have to actually click-on the ads or can you be infected just by visiting the page the ads are on?

    Dumb question for many here, but I have never been clear about this.
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi hawki,

    Both actions are used by the malvertising authors.

    The link Ron posted shows how the exploit works once you have been redirected. Here is some more detail as to how it is triggered on the page serving up the advertisement:

    http://www.tomsguide.com/us/malvertising-what-it-is,news-19877.html
    ----
    rich
     
  5. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    It's not a dumb question. I once got a trojan from accidentally clicking on a flash ad. I was ignorant about buffer overflow attacks then though and I still blame my inability to use a laptop trackpad properly. ;)

    Drive-bys scare the living [expletive deleted] out of me! :eek:
     
  6. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    854
    It's a fair question, and I think it's critical to understand the mechanisms for infection. Malvertising can involve both the scenarios you mention:
    1. Social engineering - get the user to click on the ad and choose to install software. Usually the fake infection warnings, drivers or codecs out of date, etc;
    2. Web exploit: Redirect to an exploit kit via a hidden iframe, and silently install malware.
    Essentially web exploits ("drive by downloads") attempt to exploit vulnerabilities in software in order to install malware without any user intervention. This means that a user just needs to visit a compromised site in order to get infected, assuming there are no protections or mitigations in place.

    Exploit kits are collections of these exploits put together. They target vulnerabilities in common browsers and operating systems, as well as browser plugins such as Java, Adobe PDF, Adobe Flash, and Microsoft Silverlight. Generally hidden iframes are the usual way that people encounter an exploit kit, either from when a trusted website is compromised to include them - or in the case of malvertising, when the ad network is compromised. The advertisement is normal (e.g. gif or png) but includes a hidden iframe which redirects the browser to a third party site where the exploit kit is located.

    In the two cases mentioned in article ronjor posted, the advertisements themselves were malicious with a Flash .SWF file that contained an exploit. So yes, just visiting the site and having the ad load in the background was enough for some people to get infected.

    Knowing the mechanisms then gives clues on how to prevent infection from malvertising, e.g:
    • Up-to-date software (most exploits target patched vulnerabilities, although each year we see more unpatched vulnerabilities used in high-profile, zero-day attacks);
    • Limited attack surface ("Ask to activate" plugins, uninstall unnecessary plugins, etc);
    • Adblocking;
    • Control which third party scripts you run e.g. NoScript, or IE security hardening;
    • Anti-exploits: EMET, Malwarebytes Anti-Exploit, and HitManPro Alert which can stop the exploits themselves;
    • Containment (Sandboxing, software policies, applocker, anti-executables, run browser with limited privileges, or as a limited user, etc).

    Hope this helps. It's by no means an exhaustive list.
     
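    As an added example (not code from any post in this thread), here is a static scan for the hidden-iframe pattern RJK3 describes: an otherwise normal ad or page that carries an iframe sized to be invisible, hidden by inline style, pushed off-screen, or pointing at an origin other than the page's own. The sample HTML, the hostnames news.example.com and ad-redirect.example.net, and the flagging heuristics are my own construction for illustration; a real scan would run this over fetched ad creatives or a proxy log rather than an inline string.

```javascript
// Added example: flag iframes that look like exploit-kit redirectors.
// Heuristics (all assumptions for this example): tiny or zero size,
// display:none / visibility:hidden, negative offset, or a third-party src.

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute text of one tag into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// Hostname of a src value; relative URLs resolve against the page host.
function hostOf(src, pageHost) {
  try {
    return new URL(src, `https://${pageHost}/`).hostname.toLowerCase();
  } catch (e) {
    return null; // unparsable src: treat as unknown rather than guessing
  }
}

// Returns one finding per iframe that trips at least one heuristic.
function findSuspiciousIframes(html, pageHost) {
  const findings = [];
  let tag;
  IFRAME_RE.lastIndex = 0;
  while ((tag = IFRAME_RE.exec(html)) !== null) {
    const a = parseAttrs(tag[1]);
    const reasons = [];
    const w = parseInt(a.width, 10);
    const h = parseInt(a.height, 10);
    if ((!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1)) {
      reasons.push('tiny size');
    }
    // Normalise inline style so "left: -9999px" and "left:-9999px" match alike.
    const style = (a.style || '').toLowerCase().replace(/\s+/g, '');
    if (/display:none|visibility:hidden/.test(style)) reasons.push('hidden by style');
    if (/(left|top):-\d/.test(style)) reasons.push('positioned off-screen');
    if (/width:0|height:0/.test(style)) reasons.push('zero size by style');
    const host = hostOf(a.src || '', pageHost);
    if (host && host !== pageHost && !host.endsWith('.' + pageHost)) {
      reasons.push(`third-party src ${host}`);
    }
    if (reasons.length) findings.push({ src: a.src || '', reasons });
  }
  return findings;
}

// Constructed sample page: a legitimate same-origin embed next to a
// 1x1, off-screen iframe that redirects to a third-party host.
const SAMPLE_HTML = `
<html><body>
<img src="/ads/banner.png" width="300" height="250">
<iframe src="/player/embed?id=42" width="640" height="360"></iframe>
<iframe src="http://ad-redirect.example.net/gate.php" width="1" height="1"
        style="position:absolute; left:-9999px;"></iframe>
</body></html>`;

function demo() {
  return findSuspiciousIframes(SAMPLE_HTML, 'news.example.com');
}

console.log(JSON.stringify(demo(), null, 2));
```

    The same-origin player iframe produces no finding; the 1x1 off-screen iframe is reported with all three reasons. Treat this as a triage filter, not a verdict: legitimate analytics and consent frames are often tiny and third-party too, so findings still need a look at where the src actually leads.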
  7. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    854
    With a decent security setup, then it's actually very difficult in practice to get infected from drive-by downloads :) I always have to disable a lot of layers before I can even get an exploit kit to drop files, and even then they can't run.

    The thing that bothers me is the theoretical risk of a zero-day Flash exploit on a whitelisted site, (i.e. the Flash content is hosted on a site I've explicitly allowed to activate the Flash plugin) in combination with a fileless or memory-only payload.
     
  8. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    Well, hopefully I've learned a bit since I contracted that trojan. I now know about browser hardening amongst other things, back then I didn't even use an adblocker. Plus, I'm in Linux as much as Windows these days, which is a tad safer I believe.
     
  9. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Per element click-to-play might reduce potential exposures.

    One thing I've seen (Firefox setups) is the SWF being downloaded even before that. Which makes me wonder if there is *any* potentially exploitable parsing/processing going on before the click-to-play happens.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I agree here.

    I didn't use to worry about this too much, but malvertising trickery has become very sophisticated, to wit:

    Flash EK Strikes Again via Google's DoubleClick
    https://blog.malwarebytes.org/malvertising-2/2015/04/flash-ek-strikes-again-via-googles-doubleclick/
    (we might argue that checks shouldn't be skipped, but that is another topic)

    Thus, now I manually turn on plugins when needed.

    Adobe has a test site for Shockwave, Flash, etc, and I just checked mine:

    https://www.adobe.com/shockwave/welcome/

    plugin-test_shockwave.jpg


    plugin-test_flash.jpg

    I used a PDF test file with iframe code to attempt to auto-load a PDF file:

    Code:
        // name is navigator.plugins[i].name, checked while looping over navigator.plugins
        if ((name.indexOf("Adobe Acrobat") != -1) || (name.indexOf("Adobe PDF") != -1))
        {
            // a PDF plugin is present, so inject a frame that loads the test file
            document.write('<iframe src="test.pdf"></iframe>');
        }
    
    plugin-test_pdf.jpg



    ----
    rich
     
  11. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,954
    Location:
    DC Metro Area
    WOW! Thanks guys for providing more than enough info to scare the &^*% out of me!

    I don't remember what the program was or even what type of program it was (was from yesteryear) but gave an option having to do with scanning, blocking, or not allowing iframes.
     
  12. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    854
    I had a look at Click to Play per-element, but it's no longer supported in Pale Moon. Thanks for the thought. I think though for me it would be too inconvenient for general use, without a corresponding increase in security.

    Perhaps I'll just use a locked down sandbox with read access restrictions and a separate browser without any juicy information, purely for dealing with sites that are more likely to host malicious Flash content. Otherwise even a compromised browser process running in low or medium integrity can do a lot of damage, even if just to my information security.

    As long as exploit kits keep being hosted on third party websites, it makes it easy for us to simply block the scripts. Similarly, while most of them continue to use droppers for a persistent infection, then it's not hard in practice to block their write or run access.
     