Malvertising and You

To protect yourself from malvertising, you should follow the advice you’ve heard over and over again with respect to browser configurations and system protections. Read on to learn more.

By Christopher Lamb · Jan. 22, 16 · Analysis

So, in a couple of my previous articles I described how web advertising works, why it works the way it does, and why it’s not going away any time soon. The great thing about web advertising is that it gets so much visibility (though not as much of that visibility converts directly into revenue as advertisers would like). That visibility implies wide penetration. And that penetration can be (and is!) taken advantage of by the bad guys.

The usual approach is to establish groups of shell companies that begin to buy advertising, either by pretending to be a real organization or by impersonating one. Malvertisers have, at times, compromised the ad network systems themselves, but this is rarer: socially engineering the ads into an existing network is usually easier. These initial purchases can be legitimate, and they may help establish a positive reputation for those companies as they expand their presence. Because malicious advertising is detected relatively quickly, these groups are disbanded immediately after submitting a malicious campaign.

Favorite Malvertising Tricks

Submitting the malicious campaign isn’t hard. The campaign itself will compromise users via drive-by downloads, browser exploitation, or typical link exploitation.

Drive-by downloads do things like drop malicious DLLs (see my previous articles on DLL Hijacking) onto hosts and hijack usually benign calls into those libraries. If possible, this approach is a favorite, as the user doesn’t need to be involved: the code contained in the advertisement itself is sufficient to compromise the visiting user’s system. Browser exploitation is a great way to compromise a user’s system too, if possible. Both of these attack vectors depend on the state of the browser, though, and require either an older, unpatched browser or a new, unpatched browser bug. Older browsers are becoming more and more rare today, and 0-day bugs are getting harder to find and more expensive to exploit, so these kinds of approaches are hard to pull off. That being said, ironically, many companies and organizations today are actually running older, outmoded browsers. These are the kinds of targets criminal organizations prefer, and because of slower technology refresh policies, they’re more vulnerable than ever.

The final, and most common, approach today is link exploitation. This essentially treats malvertising content as another vector into an organization, like a phishing email. Once the user clicks on the ad, the user’s browser is redirected via some kind of fast-flux DNS scheme to a server hosting an exploit kit. This exploit kit will then subject the browser to a wide range of attacks, very likely finding some exploit the browser is susceptible to, and then compromising the browser and the host system. These kinds of approaches can potentially use Flash or Java as a payload platform as well.
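The fast-flux redirect described above leaves a recognizable trace in DNS resolver logs: the landing domain answers with many different addresses, across several networks, all with short TTLs, within a few minutes. The following detector is an added example (not code from the article or from any product it mentions); the log format and every domain and address in it are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed resolver log (not real data). Fields: timestamp client qname answer ttl
# cdn.example-ads.test is a normal ad CDN; landing.flux-example.test churns addresses.
SAMPLE_LOG = """\
2016-01-22T10:00:01 10.0.0.5 cdn.example-ads.test 203.0.113.10 3600
2016-01-22T10:01:12 10.0.0.7 cdn.example-ads.test 203.0.113.11 3600
2016-01-22T10:02:30 10.0.0.5 landing.flux-example.test 198.51.100.4 60
2016-01-22T10:03:15 10.0.0.9 landing.flux-example.test 192.0.2.77 60
2016-01-22T10:04:02 10.0.0.5 landing.flux-example.test 198.51.100.200 60
2016-01-22T10:05:48 10.0.0.7 landing.flux-example.test 203.0.113.250 60
2016-01-22T10:06:10 10.0.0.9 landing.flux-example.test 192.0.2.8 60
2016-01-22T10:07:55 10.0.0.5 landing.flux-example.test 198.51.100.99 60
2016-01-22T10:08:40 10.0.0.7 cdn.example-ads.test 203.0.113.10 3600
"""


def parse_log(text):
    """Yield (timestamp, qname, answer_ip, ttl) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _client, qname, ip, ttl = line.split()
        yield datetime.fromisoformat(ts), qname, ip, int(ttl)


def fast_flux_candidates(records, window_s=600, min_ips=5, min_nets=3, max_ttl=300):
    """Return {qname: sorted distinct answers} for names that, inside any
    window_s-second sliding window, answered with at least min_ips distinct
    addresses spread over at least min_nets /24 networks, all with TTL <= max_ttl.
    Thresholds are illustrative; tune them against your own resolver baseline."""
    by_name = defaultdict(list)
    for ts, qname, ip, ttl in records:
        by_name[qname].append((ts, ip, ttl))
    hits = {}
    for qname, entries in by_name.items():
        entries.sort()
        for i, (start, _, _) in enumerate(entries):
            win = [e for e in entries[i:] if (e[0] - start).total_seconds() <= window_s]
            ips = {ip for _, ip, _ in win}
            nets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
            short_ttl = max(ttl for _, _, ttl in win) <= max_ttl
            if len(ips) >= min_ips and len(nets) >= min_nets and short_ttl:
                hits[qname] = sorted(ips)
                break
    return hits
```

A hit is only a lead: large CDNs also rotate addresses, so correlate the flagged name with the proxy log to confirm it was reached by a redirect from an ad click before treating it as an exploit-kit landing page.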

Millions of Web ads are delivered every day into companies and government organizations worldwide. It was only a matter of time until that vector was exploited and used to attack these organizations.

Protecting Yourself

To protect yourself from malvertising, you should follow the advice you’ve heard over and over again with respect to browser configurations and system protections. Most of these attacks can be thwarted with good systems hygiene. Don’t run old browsers, and don’t automatically play Flash animations. Disable Java in the browser. Run a tier-one malware defense product (intrinsic solutions aren’t usually updated with new signatures quickly enough). Don’t browse the web from privileged accounts. Don’t click on ads—if you’re interested in a product, navigate to it via some other channel. And finally, you can install an ad blocker—after all, if the ads can’t be delivered, they can’t infect you.
