Hacker Lexicon: Malvertising, the Hack That Infects Computers Without a Click

Discussion in 'malware problems & news' started by ronjor, Dec 9, 2015.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,726
    Location:
    Texas
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Great example of how just accessing a compromised web page can infect you.

    A couple of notable quotes:

    a spate of recent attacks have utilized zero day exploits, which means that even fully up-to-date software could be compromised—but attacks using those are relatively rare at this point.

    More recently, hackers have been taking advantage of HTTPS, making it more difficult to track them down.
     
  3. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    A script blocker that disables third-party iframes will prevent this at the browser level. An adblocker more than likely will too. uMatrix + uBlock would be very effective. Using a LUA with a few ACL, SRP or AppLocker tweaks will prevent the exploit from doing anything at the OS level in Windows. I don't think Linux users will have anything to worry about.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Very informative article, Ron! Including links for more information.

    The article explains that these attacks use redirection techniques:
    This is an important point, for I've encountered some who mistakenly think the news site (in this case) is infected with malware, when, rather, it has been compromised with a booby-trapped advertisement that takes the user away from the news site.

    The use of SSL redirectors was mentioned. A nice summary here:
    Report: Malvertisers now using SSL redirects
    http://www.csoonline.com/article/29...ort-malvertisers-now-using-ssl-redirects.html
    And a diagram:

    http://www.cyphort.com/100m-huffington/
    The article and some of the linked articles refer to the use of zero-day exploits. They seem to be targeting a plug-in:

    https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/
    While all of this seems rather ominous, I noted this observation and similar in some of the articles:
    Or the user may not have plug-ins enabled globally, meaning that upon being redirected to the attacker's (not trusted) site, the exploit would fail to start.

    ----
    rich
     
  5. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Such attacks sound ominous, but they are in most cases easily foiled. I just listed a few easy and free ways but didn't even think of plugins, which I mostly disable and, in the case of Flash, set to click-to-play. Then there is EMET and other anti-exploit software that can be installed. The impression I get from this article is that the ad-served exploits are looking for low-hanging fruit and succeeding by the amount of exposure the ads get. If they are loaded on thousands of systems, they are bound to find some weak and vulnerable setups. I appreciate reading about them, in any case, because the best way to know if a security setup is going to be effective is to study the way malware works and infects computers.
     
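The three posts above describe the same defensive logic from different angles: block third-party iframes and scripts at the browser level (post 3), recognise that the booby-trapped ad redirects the visitor away from the news site through an SSL redirector to an exploit landing page (post 4), and keep plugins such as Flash on click-to-play so a drive-by cannot start on its own (post 5). The following is an added example written for this thread; it is not code from uMatrix, uBlock or any of the linked articles. It models a per-type, per-origin policy of the kind those blockers apply and walks it over a constructed redirect chain. Every hostname and URL is made up, the public-suffix list is a four-entry stand-in for the real one, and the policy table is a simplification of the blocker defaults, not their exact rule set.

```javascript
// Added example, not code from the thread or from uMatrix/uBlock: a minimal
// model of a per-type, per-origin blocking policy (third-party frames and
// scripts blocked, third-party plugins click-to-play, first-party loads
// allowed) applied to a malvertising redirect chain. All hostnames and URLs
// below are constructed; the public-suffix list is a toy stand-in.

const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Registrable domain (eTLD+1): the unit blockers use to decide whether a load
// is "third party". Walks the labels from the left until the remainder is a
// known public suffix, then keeps one label in front of it.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return labels.join("."); // no known suffix: treat the whole name as the domain
}

function isThirdParty(pageUrl, resourceUrl) {
  return registrableDomain(new URL(pageUrl).hostname) !==
         registrableDomain(new URL(resourceUrl).hostname);
}

// Rule applied to third-party loads of each type. "click-to-play" defers the
// load until the user explicitly activates it, which is enough to stop a
// drive-by Flash exploit from starting by itself.
const DEFAULT_POLICY = {
  image: "allow",
  css: "allow",
  script: "block",
  frame: "block",
  plugin: "click-to-play",
};

// Evaluate one resource load. `redirects` lists the Location: hops the browser
// would follow after the initial URL. Every hop is checked, so an ad slot that
// starts on a first-party URL and 302s through an HTTPS redirector into an
// exploit-kit landing page is still caught at the first third-party hop.
function evaluateLoad(pageUrl, load, policy = DEFAULT_POLICY) {
  const hops = [load.url, ...(load.redirects || [])];
  const finalDestination = hops[hops.length - 1];
  for (const hop of hops) {
    if (!isThirdParty(pageUrl, hop)) continue;
    const rule = policy[load.type] || "block"; // unknown types fail closed
    if (rule === "allow") continue;
    return { action: rule, stoppedAt: hop, finalDestination, reason: `third-party ${load.type}` };
  }
  return { action: "allow", stoppedAt: null, finalDestination, reason: "first-party or allowed type" };
}

// Run the policy over every load a page would trigger and return the report.
function auditPage(pageUrl, loads, policy = DEFAULT_POLICY) {
  return loads.map((load) => ({ type: load.type, url: load.url, ...evaluateLoad(pageUrl, load, policy) }));
}

// Constructed scenario: a news site whose ad slot is served from a first-party
// path, redirects to an ad network, then through an "SSL redirector", then to
// an exploit-kit landing page that tries to load a Flash object. Nothing on the
// news site itself is infected; the visitor is simply taken elsewhere.
const PAGE = "https://news.example.com/story/12345";
const LOADS = [
  { type: "image",  url: "https://static.example.com/img/logo.png" },
  { type: "script", url: "https://news.example.com/js/app.js" },
  { type: "frame",  url: "https://news.example.com/ads/slot?pos=top",
    redirects: ["https://ads.adnetwork-example.net/serve?slot=top",
                "https://secure.redirector-example.com/r?id=abc",
                "https://landing.exploitkit-example.org/index.php"] },
  { type: "plugin", url: "https://landing.exploitkit-example.org/payload.swf" },
];

for (const r of auditPage(PAGE, LOADS)) {
  console.log(`${r.action.padEnd(13)} ${r.type.padEnd(6)} ${r.url} (${r.reason})`);
}
```

Run with `node`. The frame is stopped at the ad-network hop, before the redirector or the landing page is ever requested, and the Flash object is held at click-to-play, so the exploit never gets to run; the first-party image and script are unaffected, which is the practical difference between "the site is infected" and "the site is carrying a malicious ad".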
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054