updated 11:45 pm EDT, Wed August 27, 2014
Security firms says malvertising hit sites such as Java, DeviantArt and Photobucket
A "malvertising" campaign made the rounds last week hitting at least eight high-profile websites according to security firm Fox-IT. The firma noticed that the sites were redirecting their visits to other places, allowing it to discover that sites were using vulnerabilities in software like Java and Flash to inject malicious programs. The purpose of the "malvertising" was to infect machines with botnet malware involved in boosting advertisement clicks.
Between August 19 and 22 at least eight websites were identified by the security firm as redirecting their visitors to install the exploit kit. Java, DeviantArt, Ebay.ie, IBTimes, TMZ, Photobucket, Kapaza.be and TVgids.nl were all identified and being involved in the malware injections. While none of the sites were compromised themselves, their advertising bidding system allowed the redirects to occur.
In this case, ads served from AppNexus were the source of the "malvertising" the sites were running, which were mostly likely unknown to them at the time. Fox-IT states that it let AppNexus know about the affected ads to quickly put an end to the infections. Because of the nature of bidding for advertising slots, it's hard to know the good from the bad ads, leaving some to be left up for long periods of time.
Another problem for the ad system is how they work through what is referred to as retargeting. The practice of retargeting involves tracking data stored in cookies or other types of files. Nefarious parties can use this system to their advantage, causing users to eventually end up on an ad that leads to malware. Data within these files allows advertisers to serve up different ads to visitors than what was seen on a previous visit. Often the sites involved don't know that they are running retargeting advertising because of the bidding system utilized for revenue.
"The way it works is that a user with an interesting set of tracking cookies and other metadata for a certain ad provider is retargeted from the original advertisement content on the website to the modified or personalized data," said Fox-IT. "We have seen examples where the website that helped with the ad redirect to infect a user had no idea it was helping the delivery of certain content for a certain ad provider."
Through Fox-IT's research into the malware ads, it was found that they were using the Angler exploit kit. When a user would land on the kit, it would run a check to see if there were vulnerable versions of Flash, Java or Silverlight. If so, it would drop in an exploit that would begin a malicious download. In this specific case, it was initially found to be Asprox, but was later updated to be a similar malware called Rerdom.
The Rerdom malware is a click fraud binary which is used to exploit advertising for financial gain. Like some other malware, it preserves itself in several ways to keep it from being flushed out with a system reboot. The StopMalvertising website notes that it installs itself as a service with a "quasi-random name," but it also modifies start-up registry entries. For Windows XP users, it also schedules itself as a task to run every hour. The site offers a comprehensive guide in how the Asprox/Rerdom system works.
As with many infections, there are no guaranteed ways to stop them. Outside of keeping up-to-date with versions of plug-ins like Java and Flash, it's also recommended to activate click-to-play for browsers. Firefox and Chrome both have the feature built-in, whiles others like Safari need to install plug-ins like ClickToFlash. Ad blockers can help, but they aren't a catch all solution since ads can be served in other programs as well.