In a paper presented on Thursday at the Virus Bulletin conference in Seattle, Bromium researchers analyzed malvertising attacks and the reasons for which they’ve become a preferred method of malware distribution for many cybercriminal groups.
Over the past few months, there have been numerous reports from security companies on successful malvertising campaigns. Through malicious advertisements distributed via popular ad networks, cybercriminals reached the visitors of several high-profile websites such as Amazon, YouTube, Yahoo, Java.com, DeviantArt and many others.
“Drive-by download” is one of the most efficient malware distribution methods. In these operations, the attacker uses spam or compromised sites to redirect victims to a page hosting an exploit kit. The exploit kit then leverages vulnerabilities in the software running on the victim’s machine to serve malware.
However, Bromium researchers Rahul Kashyap and Vadim Kotov have pointed out in their paper that using ad networks to redirect potential victims to the exploit kit is much more efficient because the attackers can reach millions of people with a minimum of effort.
In fact, the experts believe advertising networks could become the next primary attack vector as they might turn out to be even more efficient than exploit kits.
One important advantage of using ad networks for distributing malware is that the attacker can specify the targeted audience. For example, Google subsidiary DoubleClick, which was recently involved in a major malvertising operation, allows advertisers to select the users they are targeting based on parameters such as language, country, operating system, browser, device and search topics.
“Similar functionality is usually implemented in exploit kits, but in this case it is completely handled by the advertising network. Setting operating system to Windows XP and browser to Internet Explorer allows an attacker to use old exploits that are publicly available and proven effective. With this configuration they don’t need to worry about such defenses as ASLR, EMET etc.,” Kashyap and Kotov explained in their paper. “Language and country parameters allow an attacker to focus on a specific geographical location. This is handy if an attacker has a working scheme of monetizing stolen bank cards or victim personal data in a particular country.”
Malvertising usually goes hand in hand with exploit kits. However, because of the capabilities Flash offers, cybercriminals could soon start launching attacks from the banner itself. The experts consider Flash banners the most dangerous type of ad from a security standpoint: they are highly prevalent, the banner file itself carries no exploit (it only redirects), which makes it harder to detect and block, and ActionScript, Flash's scripting language, is powerful enough to do the attacker's work, the researchers said.
Malvertising attacks that leverage Flash banners are not uncommon. Bromium analyzed one such attack in February, and Malwarebytes observed a campaign back in June. The Flash banners either redirect users to a malicious page after they’re clicked, or they add a stealthy redirect to the page in the form of an iframe. However, experts believe the banners themselves could soon incorporate exploit kits.
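The stealthy iframe redirect described above leaves a footprint in the served page that can be checked statically. The following is an added example written for this article, not code from Bromium or from the campaigns it mentions: it parses a page, collects every iframe, and reports those that are both hidden from the user (1x1 size, display:none, visibility:hidden, or pushed off-screen) and sourced from a host other than the page's own. The hostnames under .example and the sample HTML are constructed for the demonstration, and the hiding heuristics are this example's own choices, not a list from the paper.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _parse_style(style: str) -> dict:
    """Turn 'prop: value; prop2: value2' into a lowercase dict."""
    rules = {}
    for decl in style.split(";"):
        if ":" in decl:
            prop, value = decl.split(":", 1)
            rules[prop.strip().lower()] = value.strip().lower()
    return rules


def _tiny(value) -> bool:
    """True for a width/height of 0 or 1 (unitless or px), e.g. '1', '0px'."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value)
    return bool(m) and int(m.group(1)) <= 1


def hiding_reasons(attrs: dict) -> list:
    """List the ways this iframe would be invisible to the user (empty if visible)."""
    reasons = []
    style = _parse_style(attrs.get("style", ""))
    if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
        reasons.append("attribute size <= 1px")
    if _tiny(style.get("width")) or _tiny(style.get("height")):
        reasons.append("css size <= 1px")
    if style.get("display") == "none":
        reasons.append("display:none")
    if style.get("visibility") == "hidden":
        reasons.append("visibility:hidden")
    if any(style.get(p, "").startswith("-") for p in ("left", "top")):
        reasons.append("positioned off-screen")
    if "hidden" in attrs:
        reasons.append("hidden attribute")
    return reasons


def suspicious_iframes(html: str, page_host: str) -> list:
    """Hidden iframes whose src points at a host other than the page itself."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host   # relative src stays on-page
        reasons = hiding_reasons(attrs)
        if host != page_host and reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample page (not captured traffic): one ordinary visible embed,
# one normal-looking ad creative, and a 1x1 off-screen frame of the kind an
# injected banner would use to pull in a third-party landing page.
SAMPLE_HTML = """
<html><body>
<iframe src="https://video.news-site.example/player?id=42" width="640" height="360"></iframe>
<div id="ad-slot">
  <iframe src="https://cdn.ad-network.example/creative.html" width="300" height="250"></iframe>
  <iframe src="http://landing.redirector.example/go.php" width="1" height="1"
          style="position:absolute; left:-9999px; border:0"></iframe>
</div>
</body></html>
"""

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML, "www.news-site.example"):
        print(finding)
```

Two caveats for anyone running this against real pages: a banner that injects its iframe from script after load will not show up in the served HTML, so the same checks need to run in the live DOM (over the iframe elements and their rendered bounding boxes) or from a MutationObserver; and legitimate ad creatives routinely use 1x1 frames and pixels for view tracking, so hits are triage input, not an automatic block list.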
“The problem with attacking from the Flash banner directly is there are size constraints defined by the ad network and it is usually up to 200K. The banner must look normal and should not contain any suspicious elements such as a huge chunk of high entropy data. This constraint could be overcome though by deploying steganography and hiding malicious code in the image,” the researchers said.
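The two constraints in that quote, a size budget and the absence of "a huge chunk of high entropy data", are exactly what a per-window entropy scan on a creative is meant to enforce, and the steganography remark is why such a scan is not enough on its own. The following is an added example, written for this article and not taken from the Bromium paper or any ad network's tooling: it scans a byte buffer in 1 KiB windows for high-entropy regions, then shows the same packed payload first appended to a banner (flagged) and then spread across the least significant bits of the banner's pixel bytes (not flagged, yet fully recoverable). The smooth gradient standing in for decoded pixels, the SHA-256-derived bytes standing in for a packed payload, and the 7.0 bits/byte threshold are all assumptions of this example.

```python
import hashlib
import math
from collections import Counter

WINDOW = 1024      # bytes per scanning window
THRESHOLD = 7.0    # bits per byte; packed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(blob: bytes, window: int = WINDOW, threshold: float = THRESHOLD):
    """Return (offset, entropy) for every window at or above the threshold."""
    hits = []
    for off in range(0, len(blob), window):
        h = shannon_entropy(blob[off:off + window])
        if h >= threshold:
            hits.append((off, round(h, 2)))
    return hits


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bit of successive cover bytes.
    Layout: 32-bit big-endian length, then the payload, one bit per cover byte."""
    message = len(payload).to_bytes(4, "big") + payload
    if len(message) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(message)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Inverse of embed_lsb: read the length header, then that many bytes."""
    def read(nbytes: int, start_bit: int) -> bytes:
        value = 0
        for i in range(start_bit, start_bit + nbytes * 8):
            value = (value << 1) | (stego[i] & 1)
        return value.to_bytes(nbytes, "big")
    length = int.from_bytes(read(4, 0), "big")
    return read(length, 32)


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-payload") -> bytes:
    """Deterministic stand-in for a packed exploit blob (constructed, not a real sample)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed cover: a smooth 64 KiB gradient standing in for decoded banner
# pixels (real pixel data is likewise low-entropy). 4 KiB of pseudo-random
# bytes stand in for the packed code an attacker would need to smuggle in.
COVER = bytes((i // 64) % 256 for i in range(65536))
PAYLOAD = pseudo_random_bytes(4096)

NAIVE_BANNER = COVER + PAYLOAD              # payload simply appended to the creative
STEGO_BANNER = embed_lsb(COVER, PAYLOAD)    # payload spread across pixel LSBs


def scan_report() -> dict:
    """Run the entropy scan over both banners and confirm the hidden payload survives."""
    return {
        "naive": high_entropy_windows(NAIVE_BANNER),
        "stego": high_entropy_windows(STEGO_BANNER),
        "recovered_ok": extract_lsb(STEGO_BANNER) == PAYLOAD,
    }


if __name__ == "__main__":
    for name, result in scan_report().items():
        print(name, result)
```

The appended payload lights up four consecutive windows at the tail of the file, while the LSB version never rises above the gradient's own entropy even though extract_lsb recovers every byte of it. Two practical notes: compressed Flash files (CWS) and PNG image data are DEFLATE streams and read as high-entropy throughout, so the scan has to run on the decompressed SWF body or the decoded pixels rather than the file as served; and catching LSB embedding needs statistical steganalysis of the pixel data rather than an entropy threshold, which only ever catches the naive case.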
While they haven’t seen any malicious banners that incorporate a fully functional exploit kit, Kashyap and Kotov believe it could be done.
“From our investigation we conclude that ad networks could be leveraged to aid or even substitute for current exploit kits. Loose security policies, high prevalence and powerful scripting capabilities make it a viable tool for malware distribution,” the researchers concluded.