Ten-fold rise in malicious ads bedevils publishers, consumers

Discussion in 'malware problems & news' started by ronjor, Nov 3, 2011.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    http://lastwatchdog.com/ten-fold-rise-malicious-ads-bedevils-publishers-consumers
     
  2. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    .....that raises the question.....could RSS Feeds be an possible breach in security?

    As RSS Feeds communication with the Browser are next to impossible to disable completely.


    HKEY1952
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This should make it perfectly clear that the "common sense" approach, eg "don't visiting questionable sites" is no longer sufficient.
     
  4. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i think the common sense approach these days should be to have your browser sandboxed and not install the malware yourself. ;)
    an AV, either real-time or on-demand is a must.

    of course, the Joe and Jane Average of this world will have to be babysitted to be secure.
     
    Last edited: Nov 3, 2011
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Malvertisements haven't been seen too much in the news for a while, and it seems they have really proliferated!

    For those who don't know how malvertisements specifically work, the article mentions two things worth looking at further.

    1) Blackhole Exploit Kit

    REFERENCES

    malvertisement (malicious advertisement or malvertising)
    http://searchsecurity.techtarget.co...ement-malicious-advertisement-or-malvertising
    Malvertising: The Use of Malicious Ads to Install Malware
    https://www.infosecisland.com/blogv...-Use-of-Malicious-Ads-to-Install-Malware.html
    ___________________________________________________________________________________________​


    2) Security Sphere 2012 [fake security program]

    Again, from the article:
    REFERENCES

    Malvertising lifecycle case study 1--OpenX compromise on speedtest.net, spreading Security Sphere 2012 fake antivirus
    http://blog.armorize.com/2011/10/malvertising-lifecycle-case-study-openx.html
    speedtest.net spreading Security Sphere 2012
    https://www.wilderssecurity.com/showthread.php?t=309608
    Security Sphere 2012 Attack on Popular Torrent Site
    http://news.yahoo.com/security-sphere-2012-attack-popular-torrent-160500397.html
    Scareware Spread From Popular Torrent Site via 'Malvertizing'
    http://www.pcworld.com/article/2420...om_popular_torrent_site_via_malvertizing.html
    Malvertisements also use social engineering tricks.

    REFERENCE

    What is Security Sphere 2012?
    http://www.2-viruses.com/remove-security-sphere-2012
    Finally, preventative measures advice:

    REFERENCES

    Security Sphere 2012 - Sneaky Malware That Rips Users Off
    http://www.212articles.com/security-sphere-2012-sneaky-malware-that-rips-users-off/
    malvertisement (malicious advertisement or malvertising)
    http://searchsecurity.techtarget.co...ement-malicious-advertisement-or-malvertising
    ----
    rich
     
    Last edited: Nov 4, 2011
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That is becoming a royal pain in itself, especially when they're Facebook addicts. I've got a PC sitting here that I've cleaned before that I'm not looking forward to, black screened.

    Which most users will find completely unacceptable.
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    White-listing applications isn't that big of a deal, if you can find something that can do it without a lot of convoluted setup. If you're like me, you don't have all the security policy stuff that higher versions of Windows gives you. Therefore, you have to rely on 3rd party methods...which includes HIPS...that is far too difficult to deal with for most people, things like Anti-Executable...which is 50 freaking bucks, and so on.

    Being able to say that only the installed programs you have right now on your disk can run, is a great boon to security...if you follow it through. The problem is, most programs also want you to white list the services and half a billion Windows files as well, which kills any average users' interest right on the spot.

    Of course, you also still have to deal with those approved apps getting owned..Java and Flash, anyone? I'm not sure such a policy would prevent such things. The closest thing I have seen to such a policy, while maintaining a simple setup/use, is Returnil with its "trust only what is on disk" option.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Anti-executable, which you mention, does something similar.

    Anti-Executable doesn't care what approved applications do, as long as any executable file they attempt to launch is whitelisted (already on disk).

    Thus, for Java.exe which is whitelisted, it can execute its normal functions, but in this exploit triggered from a Blackhole web site, Java.exe is blocked from attempting to launch a non-whitelisted (not already on disk) java archive executable file, jar_cache####.tmp

    [​IMG]

    From what you describe, Returnil's "trust only what is on disk" option would seem to do the same thing.


    ----
    rich
     
  9. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Thanks, Rmus :thumb: So it would prevent malicious takeovers after all. Yes, from what I have read of the newer Returnil versions, that trust option does exactly that. Seeing as that is the case, I'd actually be tempted to recommend Returnil over Sandboxie to some people. I completely believe in and trust Sandboxie, but, with the anti-executable being a mere check-mark away, instead of lots of "Start/Run/Internet" configuring, and the fact that needed files are just as easily saved via the "virtual disk" provided, Returnil seems to be a simpler solution. You also have the benefit of the entire system sandboxed, rather than on an application basis.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Is it really sandboxed?

    That word is used rather loosely these days.

    My understanding of a sandbox is that it contains stuff that has been executed, and can later be disposed of by emptying the sandbox.

    Doesn't Returnil's Anti-execution protection prevent the execution of anything not whitelisted?

    Correct me if I'm in error. It might be wise to clarify the terminology so that people coming here for information have a clear understanding of how the various products work.


    ----
    rich
     
  11. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    You're right, actually. I tend to find myself using the terms virtual system and sandbox interchangeably, and they're completely different. I should have stated that Returnil makes a virtual copy of your entire system, where Sandboxie does it on an application. Both default installs of Sandboxie and Returnil allow everything to execute, however, and both can "dump" it all. Of course the method of dumping is different.

    In my opinion, Returnil, when used properly and with some thought, has the upper hand both in safety and useability. The reason being that the protection is more thorough and there is really no configuring to be done, outside of setting up the virtual disk. Reboot software is, admittedly, an issue, but both are outstanding tools, and should be used by anyone wishing to "K.I.S.S" security and not be terribly inconvenienced.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    All sandboxing means is that there are restrictions applied. Virtualization isn't necessary.
     
  13. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    It's the configuring and setting up that makes a world of difference to most users, though. I don't wish to knock Sandboxie, as I myself use it. But, if handed a really new user who knew nothing of security, let alone tools used, I'd pick Returnil over it. Simply because of ease of use and setup.
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    If I could configure Sandboxie myself for the user I'd prefer it.
     
  15. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    In computing, a "sandbox" is simply an environment where something can run isolated from the real system. The difference is in where that takes place and how large the fantasy world created needs to be...

    With something like SBIE, there are a number of complexities that require it to simulate real responses from the OS to create the environment that allows the program to run in a small, isolated portion of the OS. In the case of RVS/RSS, the "sandbox" is actually the disk where Windows itself is the child in the sandbox rather than the toy in the sandbox and anything it does is pure fantasy until it is released from said sandbox.

    Where some confusion comes in, is in the fact that many different technologies can be considered a sandbox which makes it a general term rather than something specific like say describing birds generally and Crows specifically.

    Yes, but it depends on the settings level. In the moderate configuration (known services), executables CAN run even if they are not specifically white listed. It is in the most restrictive setting that the executables themselves are blocked from running if unknown.

    Please let me know if this makes it clearer...

    Mike
     
  16. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Either way, if we could manage to convince most people to run either one, it would be of great benefit to all.

    @Coldmoon: I neglected to mention there were different anti-executable settings (and forgot myself), thank you :) I too feel that Sandboxie is more complex to get "perfected", shall we say. For me, it wouldn't make much difference, as I'm used to tinkering with settings. But, for people like my family (who are very much your "average user", Sandboxie and any other security that requires attention, would just end up getting ignored or tossed.
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, thanks!

    Back to the topic of malvertising, it seems there are a number of solutions that would prevent a user from being infected by the remote code execution components of a malvertising attack.

    My favorite quote from one of the articles:

    ----
    rich
     
  18. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Between blocking ads and having anti-execution in place (along with updated software), I don't see these malicious ads as a threat. Heck, an ad-blocker alone goes a long way towards it. Just another threat easily avoided with some proper care and attending to.
     
  19. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    Spread the news to those that don't know. ;)
     
  20. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Sadly some still wouldn't get it if all the world leaders got in a room together (that would be fun to watch) and beamed the news via satellite, mandating that every newsroom in the world had to broadcast it. I know that sounds a little out there that it's that bad now, but it sure seems to be. Interrupt Facebook, web games/streams and all the other toys that are so hot now, and people have epileptic seizures.

    They want vendors to protect them, which is the first problem, and they want that protection whilst staying out of their way, which is the other problem. The only software I know of that does that is a simple, no frills AV..and we all know how those are working out these days.
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That's where it becomes unacceptable. The average user wants to install games, toys, screen savers, or gets coerced by some offer, voiding the base policy of only installed apps can run. Users who will accept a policy of "only installed apps are allowed" would be happy with Live CDs.
    A default-deny policy that includes tight control over parent-child dependencies can prevent the compromised app from installing or launching a malicious executable. As with many things, the amount of integration for convenience of use will determine how effective the attack would be. If all of these are allowed in the browser, and the browser is IE6, it's probably "game over". If the content can be saved and run in its own free standing application, its access to the rest of the system and the internet can be severely restricted, leaving it little chance of properly, if it can run at all. Each user has to decide on the right security/convenience balance for themselves. Definitely not something I can imagine the average user doing or even thinking about.
     
  22. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Seamless integration and the "user experience" are being touted as virtues but can end up being portals to all sorts of things.
     
Loading...
Thread Status:
Not open for further replies.