Java.com, TMZ Serving Malvertising Redirects to Angler Exploit Kit

Discussion in 'malware problems & news' started by ronjor, Aug 27, 2014.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,752
    Location:
    Texas
  2. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,092
    Location:
    Hollow Earth - Telos
    The advertisement in this case included the Angler exploit kit. Upon landing on this exploit kit a few checks were done to confirm whether the user is running a vulnerable version of either Java, Flash or Silverlight. If the user was deemed vulnerable the exploit kit would embed an exploit initiating a download of a malicious payload, in this campaign it was the Asprox malware. This whole process of malvertising towards an exploit kit is also visualized in the image at the top of this post.
    Please note, a visitor does not need to click on the malicious advertisements in order to get infected. This all happens silently in the background as the ad is loaded by the user’s browser... http://blog.fox-it.com/2014/08/27/malvertising-not-all-java-from-java-com-is-legitimate/
     
  3. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,092
    Location:
    Hollow Earth - Telos
    In their paper, Vadim and Rahul look at a case study of malicious ads served by YouTube (demonstrating that even top brands are battling against this threat), and also study the more general case of malicious Flash banners and how they are obfuscated from researchers, while still delivering malware. We learned last month that this is a serious problem - when researchers found that cybercriminals had purchased advertising space on Yahoo in order to serve the 'Cryptowall' ransomware... https://www.virusbtn.com/blog/2014/08_15.xml
     
  4. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,066
    Does it use DLL injection or any other method? If DLL injection is used, would SRP with DLL monitoring turned on prevent it or not?
     
    Last edited: Sep 1, 2014
  6. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    It seems the exploit uses port 37702, so if I block this port in a firewall I will still be infected but no further malware will be downloaded?
     
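The chain Dragon1952 quotes from Fox-IT (ad network redirect, landing page fingerprinting Java/Flash/Silverlight, then a payload download) and the port-37702 observation in trott3r's post both translate into something a defender can look for in logs. The script below is an added example written for this thread; it is not code from Fox-IT, the Virus Bulletin paper, or the forum. It assumes a simple constructed proxy-log format (timestamp, client, method, URL, referer, content-type) and a constructed connection-log format; the hostnames (all under .test), the IP addresses and the log lines are made up, and the only value taken from the thread is the port number 37702. The first rule flags a host that serves a browser-plugin object and, within a short window, an executable-looking download to the same client, after that client arrived at the host from a different domain; the second rule flags outbound connections on the watched port.

```python
"""Detection rules for the malvertising-to-exploit-kit pattern discussed in the thread.

Added example with constructed sample data; log formats, hostnames and addresses
are assumptions, not captured traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: time client method url referer content-type
SAMPLE_PROXY_LOG = """\
2014-08-27T10:00:01 10.0.0.5 GET http://www.java.com/ - text/html
2014-08-27T10:00:02 10.0.0.5 GET http://ads.example-adnetwork.test/serve?id=42 http://www.java.com/ text/html
2014-08-27T10:00:03 10.0.0.5 GET http://rotator.example-landing.test/x.php?q=1 http://ads.example-adnetwork.test/serve?id=42 text/html
2014-08-27T10:00:04 10.0.0.5 GET http://rotator.example-landing.test/play.swf http://rotator.example-landing.test/x.php?q=1 application/x-shockwave-flash
2014-08-27T10:00:06 10.0.0.5 GET http://rotator.example-landing.test/dl.php?a=1 http://rotator.example-landing.test/x.php?q=1 application/octet-stream
2014-08-27T10:05:00 10.0.0.9 GET http://www.example-news.test/ - text/html
2014-08-27T10:05:01 10.0.0.9 GET http://cdn.example-news.test/video.swf http://www.example-news.test/ application/x-shockwave-flash
"""

# Constructed connection log: time src -> dst:port proto
SAMPLE_CONN_LOG = """\
2014-09-01T12:00:00 10.0.0.5 -> 203.0.113.7:37702 tcp
2014-09-01T12:00:01 10.0.0.5 -> 203.0.113.7:443 tcp
2014-09-01T12:00:02 10.0.0.9 -> 198.51.100.4:80 tcp
"""

# Content types the kit's plugin checks would produce (Flash, Silverlight, Java)
PLUGIN_TYPES = {
    "application/x-shockwave-flash",
    "application/x-silverlight-app",
    "application/java-archive",
    "application/x-java-jnlp-file",
}
# Content types typical of a dropped executable payload
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}
WINDOW = timedelta(seconds=60)      # plugin object -> payload must happen within this window
WATCH_PORTS = {37702}               # port reported in the thread; the only value taken from it

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")
CONN_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")


def parse_proxy_log(text):
    """Parse the constructed proxy format into dicts with hostnames already extracted."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                # skip lines that do not match the assumed format
        ts, client, _method, url, referer, ctype = m.groups()
        rows.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "host": urlparse(url).hostname,
            "referer_host": urlparse(referer).hostname if referer != "-" else None,
            "ctype": ctype,
        })
    return rows


def find_exploit_kit_chains(rows):
    """Return (client, host) pairs matching: cross-domain hop to host, plugin object
    from host, then an executable-looking payload from the same host within WINDOW."""
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)
    alerts = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, plug in enumerate(reqs):
            if plug["ctype"] not in PLUGIN_TYPES:
                continue
            host = plug["host"]
            # The redirect hop: the client reached this host with a referer on another domain.
            # On its own this is noisy (CDNs look the same); only the full chain alerts.
            hopped_in = any(r["host"] == host and r["referer_host"] and r["referer_host"] != host
                            for r in reqs[:i + 1])
            if not hopped_in:
                continue
            for later in reqs[i + 1:]:
                if later["ts"] - plug["ts"] > WINDOW:
                    break
                if later["host"] == host and later["ctype"] in PAYLOAD_TYPES:
                    alerts.append((client, host))
                    break
    return alerts


def find_watched_port_connections(text):
    """Return (src, dst, port) for connections to a watched port (trott3r's port 37702)."""
    hits = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        _ts, src, dst, port, _proto = m.groups()
        if int(port) in WATCH_PORTS:
            hits.append((src, dst, int(port)))
    return hits


if __name__ == "__main__":
    for client, host in find_exploit_kit_chains(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"possible exploit-kit chain: client {client} via {host}")
    for src, dst, port in find_watched_port_connections(SAMPLE_CONN_LOG):
        print(f"connection to watched port: {src} -> {dst}:{port}")
```

On the sample data only client 10.0.0.5 trips the chain rule (the news site's CDN serves Flash but never a payload, so it stays quiet), and only the first connection-log line trips the port rule. The port rule is deliberately the weaker of the two: a port number is trivially changed by whoever runs the kit, whereas the plugin-then-payload sequence is the behaviour the infection chain cannot avoid.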
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The Angler Exploit Kit was the most popular threat found in the paper in this test.
     