
Malvertising Could Replace Exploit Kits: Researchers

In a paper presented on Thursday at the Virus Bulletin conference in Seattle, Bromium researchers analyzed malvertising attacks and the reasons for which they’ve become a preferred method of malware distribution for many cybercriminal groups.

Over the past months, there have been numerous reports from security companies on successful malvertising campaigns. Through malicious advertisements distributed via popular ad networks, cybercriminals reached the visitors of several high-profile websites such as Amazon, YouTube, Yahoo, Java.com, DeviantArt and many others.

“Drive-by download” is one of the most efficient malware distribution methods. In these operations, the attacker uses spam or compromised sites to redirect victims to a page hosting an exploit kit. The exploit kit then leverages vulnerabilities in the software running on the victim’s machine to serve malware.

However, Bromium researchers Rahul Kashyap and Vadim Kotov have pointed out in their paper that using ad networks to redirect potential victims to the exploit kit is much more efficient because the attackers can reach millions of people with a minimum of effort.

In fact, the experts believe advertising networks could become the next primary attack vector as they might turn out to be even more efficient than exploit kits.

One important advantage of using ad networks for distributing malware is that the attacker can specify the targeted audience. For example, Google subsidiary DoubleClick, which was recently involved in a major malvertising operation, allows advertisers to select the users they are targeting based on parameters such as language, country, operating system, browser, device and search topics.

“Similar functionality is usually implemented in exploit kits, but in this case it is completely handled by the advertising network. Setting operating system to Windows XP and browser to Internet Explorer allows an attacker to use old exploits that are publicly available and proven effective. With this configuration they don’t need to worry about such defenses as ASLR, EMET etc,” Kashyap and Kotov explained in their paper. “Language and country parameters allow an attacker to focus on a specific geographical location. This is handy if an attacker has a working scheme of monetizing stolen bank cards or victim personal data in a particular country.”

Malvertising usually goes hand in hand with exploit kits. However, because of the opportunities offered by Flash, cybercriminals could soon start launching attacks from the banner itself. The experts believe Flash banners are the most dangerous type of ads from a security standpoint: they are highly prevalent, they are not malicious as a class (so a malicious one is harder to detect and block), and ActionScript, the scripting language for Flash, is powerful enough to carry an attack, the researchers said.

Malvertising attacks that leverage Flash banners are not uncommon. Bromium analyzed one such attack in February, and Malwarebytes observed a campaign back in June. The Flash banners either redirect users to a malicious page after they’re clicked, or they add a stealthy redirect to the page in the form of an iframe. However, experts believe the banners themselves could soon incorporate exploit kits.
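The "stealthy redirect in the form of an iframe" mentioned above has a recognisable shape from the publisher's side: a frame pointing at a third-party origin that is also hidden (1x1, display:none, or positioned far off-screen). The following check is an added example, not code from the Bromium paper or from SecurityWeek; the thresholds, the record shape and the sample frames are constructed for illustration. It separates the plain check (which runs anywhere) from the browser glue that builds records from live elements.

```javascript
// Added example (not from the Bromium paper): flag iframes that match the
// hidden + cross-origin "stealthy redirect" pattern. Thresholds are assumptions.
const TINY_PX = 2;          // assumption: 0x0 or 1x1 frames are a common hiding trick
const OFFSCREEN_PX = -1000; // assumption: positioned far outside the viewport

// `rec` is a plain record describing one iframe:
// { src, width, height, display, visibility, left, top }
function classifyIframe(rec, pageOrigin) {
  const reasons = [];
  let frameOrigin = null;
  try {
    frameOrigin = new URL(rec.src, pageOrigin).origin; // resolves relative src; javascript: gives "null"
  } catch (e) {
    reasons.push('unparseable src');
  }
  if (frameOrigin !== null && frameOrigin !== pageOrigin) reasons.push('cross-origin src');
  if (rec.width <= TINY_PX || rec.height <= TINY_PX) reasons.push('tiny dimensions');
  if (rec.display === 'none') reasons.push('display:none');
  if (rec.visibility === 'hidden') reasons.push('visibility:hidden');
  if (rec.left <= OFFSCREEN_PX || rec.top <= OFFSCREEN_PX) reasons.push('positioned off-screen');

  // A visible cross-origin frame is just an ad slot; a hidden same-origin frame is
  // often a legitimate widget. Only the combination is reported as suspicious.
  const hidden = reasons.some(r => r !== 'cross-origin src' && r !== 'unparseable src');
  const foreign = reasons.includes('cross-origin src') || reasons.includes('unparseable src');
  return { suspicious: hidden && foreign, reasons };
}

// Browser glue: build a record from a live <iframe> element.
function iframeToRecord(el, win) {
  const cs = win.getComputedStyle(el);
  const box = el.getBoundingClientRect();
  return {
    src: el.getAttribute('src') || '',
    width: box.width, height: box.height,
    display: cs.display, visibility: cs.visibility,
    left: box.left, top: box.top,
  };
}

// Browser glue: scan the whole document and return only suspicious frames.
function scanDocument(doc, win) {
  const origin = win.location.origin;
  return Array.from(doc.querySelectorAll('iframe'))
    .map(el => ({ el, ...classifyIframe(iframeToRecord(el, win), origin) }))
    .filter(r => r.suspicious);
}

// Constructed sample: a page at news.example with four frames.
const PAGE_ORIGIN = 'https://news.example';
const SAMPLE_FRAMES = [
  { src: 'https://ads.example/slot?id=7', width: 300, height: 250, display: 'block', visibility: 'visible', left: 20, top: 40 },     // normal ad slot
  { src: 'https://redir.example/go', width: 1, height: 1, display: 'block', visibility: 'visible', left: 0, top: 0 },               // 1x1 redirect frame
  { src: '/widgets/comments', width: 0, height: 0, display: 'none', visibility: 'visible', left: 0, top: 0 },                        // same-origin, hidden on purpose
  { src: 'https://redir.example/go', width: 300, height: 250, display: 'block', visibility: 'visible', left: -5000, top: 0 },       // parked off-screen
];

function runSample() {
  return SAMPLE_FRAMES.map(f => classifyIframe(f, PAGE_ORIGIN));
}

if (typeof document !== 'undefined') {
  console.log(scanDocument(document, window));
} else {
  console.log(runSample());
}
```

In a browser the `scanDocument` call can be run from a content script or a publisher's own monitoring snippet; `getBoundingClientRect` is viewport-relative, so the off-screen test is approximate and a frame that is later moved or resized needs a repeat scan (a `MutationObserver` on the document is the usual trigger).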

“The problem with attacking from the Flash banner directly is there are size constraints defined by the ad network and it is usually up to 200K. The banner must look normal and should not contain any suspicious elements such as a huge chunk of high entropy data. This constraint could be overcome though by deploying steganography and hiding malicious code in the image,” the researchers said.
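The researchers' remark that a banner "should not contain any suspicious elements such as a huge chunk of high entropy data" points at a check a creative-scanning pipeline can run before an ad is accepted. The following sliding-window Shannon entropy scan is an added example, not code from the Bromium paper; the window size, stride, threshold and the constructed sample creative are assumptions.

```javascript
// Added example (not from the Bromium paper): locate the longest run of
// high-entropy windows in a creative's bytes. Parameters are assumptions.
const WINDOW = 1024;        // assumption: bytes per window (large enough that random data scores near 8)
const STEP = 512;           // assumption: window stride
const HIGH_ENTROPY = 7.5;   // assumption: bits/byte; encrypted or random data sits around 7.8-8.0
const MIN_PAYLOAD = 1024;   // assumption: smallest run worth reporting

// Shannon entropy in bits per byte over a Uint8Array.
function shannonEntropy(bytes) {
  if (bytes.length === 0) return 0;
  const counts = new Array(256).fill(0);
  for (const b of bytes) counts[b]++;
  let h = 0;
  for (const c of counts) {
    if (c === 0) continue;
    const p = c / bytes.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Longest contiguous run of windows at or above the threshold, as {offset, length} in bytes.
function findHighEntropyRegion(bytes) {
  let best = { offset: -1, length: 0 };
  let runStart = -1;
  for (let off = 0; off + WINDOW <= bytes.length; off += STEP) {
    const h = shannonEntropy(bytes.subarray(off, off + WINDOW));
    if (h >= HIGH_ENTROPY) {
      if (runStart < 0) runStart = off;
      const len = off + WINDOW - runStart;
      if (len > best.length) best = { offset: runStart, length: len };
    } else {
      runStart = -1;
    }
  }
  return best;
}

function scanCreative(bytes) {
  const region = findHighEntropyRegion(bytes);
  return { region, flagged: region.length >= MIN_PAYLOAD };
}

// Constructed filler: deterministic xorshift32 stream standing in for an embedded random blob.
function xorshift32Bytes(n, seed) {
  const out = new Uint8Array(n);
  let x = seed >>> 0;
  for (let i = 0; i < n; i++) {
    x ^= x << 13; x >>>= 0;
    x ^= x >>> 17;
    x ^= x << 5;  x >>>= 0;
    out[i] = x & 0xff;
  }
  return out;
}

// Constructed sample creative: 4 KiB of low-entropy data (values 0..31, ~5 bits/byte),
// then a 2 KiB high-entropy blob at offset 4096, then 4 KiB of low-entropy data again.
function buildSampleCreative() {
  const lowEntropy = new Uint8Array(4096).map((_, i) => i % 32);
  const payload = xorshift32Bytes(2048, 0x9e3779b9);
  const buf = new Uint8Array(lowEntropy.length * 2 + payload.length);
  buf.set(lowEntropy, 0);
  buf.set(payload, lowEntropy.length);
  buf.set(lowEntropy, lowEntropy.length + payload.length);
  return buf;
}

console.log(scanCreative(buildSampleCreative()));
```

The check is one signal, not a verdict: compressed image data and the zlib-compressed body of a Flash file are legitimately high-entropy, so in practice it is run over decompressed content, with per-format expectations for how large a dense region is normal, and combined with other checks (declared size, outbound URLs, script content).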

While they haven’t seen any malicious banners that incorporate a fully functional exploit kit, Kashyap and Kotov believe it could be done.

“From our investigation we conclude that ad networks could be leveraged to aid or even substitute for current exploit kits. Loose security policies, high prevalence and powerful scripting capabilities make it a viable tool for malware distribution,” the researchers concluded.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
