Skip to content

OPLIN 4cast #520: More than meets the eye

Posted in 4cast

Last week, Eset Research posted a report about malware they had discovered which gathered information about infected computers and reported it back to the attack server. That, unfortunately, is not unusual. What is unusual about this exploit is the way it is delivered to the victim computer — the attack code is hidden inside an image that looks like an ad. It is interesting to see the clever way this was done, and also the development of the exploit over time. It is also important to note that the protection against this attack (as with so many other attacks) is simply keeping your software patched and up to date.

  • For two years, criminals stole sensitive information using malware hidden in individual pixels of ad banners (Boing Boing | Cory Doctorow)  “The criminals were able to send banner ads and javascript to their targets’ computers by pushing both into ad networks. These networks aggressively scan advertisers’ javascript for suspicious code, so the criminals needed to sneak their bad code past these checks. To do this, they made tiny alterations to the transparency values of the individual pixels of the accompanying banner ads, which were in the PNG format, which allows for pixel-level gradations in transparency. The javascript sent by the attackers would run through the pixels in the banners, looking for ones with the telltale alterations, then it would turn that tweaked transparency value into a character. By stringing all these characters together, the javascript would assemble a new program, which it would then execute on the target’s computer.”
  • Millions exposed to malvertising that hid attack code in banner pixels (Ars Technica | Dan Goodin)  “The ads promote applications calling themselves ‘Browser Defence’ and ‘Broxu’ and targeted people who visited the news sites using Internet Explorer browsers. The script concealed in the pixels exploited a now-patched IE vulnerability indexed as CVE-2016-0162 to obtain details about the visitors’ computers. Among other things, the script checked for the presence of packet capture, sandboxing, and virtualization software and a variety of security products. Machines that didn’t exhibit signs of the software and contained a vulnerable version of Flash were then redirected to the exploit site, which would serve one of two families of malware.”
  • Malicious online ads expose millions to possible hack (IT World | Michael Kan)  “Hackers have used similar so-called malvertising tactics to secretly serve malicious coding over legitimate online advertising networks. It’s an attack method that has proven to be successful at quickly spreading malware to potentially millions.”
  • Readers of popular websites targeted by stealthy stegano exploit kit hiding in pixels of malicious ads (Security Newspaper)  “An earlier variant of this stealthy exploit pack has been hiding in plain sight since at least late 2014, when we spotted it targeting Dutch customers. In spring 2015 the attackers focused on the Czech Republic and now they have shifted their focus onto Canada, Britain, Australia, Spain and Italy. In the earlier campaigns, in an effort to masquerade as an advertisement, the exploit kit was using domain names starting with ‘ads*.’ and URI names containing watch.flv, media.flv, delivery.flv, player.flv, or mediaplayer.flv. In the current campaign, they have improved their tactics significantly. It appears that the exploit pack’s targeting of specific countries is a result of the advertising networks the attackers were able to abuse.”

Articles from Ohio Web Library: