Malvertising attack techniques dissected
At Virus Bulletin 2014, Bromium presented a research report that highlights the severe risk of malicious ad networks infecting end users. This research provides a real-world study of malvertising captured on YouTube, Yahoo and several top Alexa sites to demonstrate how obfuscated JavaScript delivers malicious code through Flash ads.
“Bypassing ad network defences provides the perfect opportunity for attackers to target millions of users, so it is no coincidence that there has been an uptick in the number of malvertisments,” said Rahul Kashyap, chief security architect, Bromium. “The scale of this problem is as large as the Internet itself.”
In this research report, Bromium explains how a malicious ad network on YouTube would deliver obfuscated JavaScript code through Flash movies. The code added an iframe to redirect users to a malicious URL serving the Styx exploit kit, a well-known banking Trojan.
In the past six months, the percentage of malicious pages detected on YouTube has decreased overall, even as more Trojans have been created, which suggests attacks have improved in obfuscating malicious content.
Bromium notes a key feature of ad networks is the ability to target certain audiences, such as users of a specific browser or operating system. A similar functionality is usually implemented in exploit kits, which provide cyber criminals with automation to test and selectively deploy malware on vulnerable machines. Malvertising is not targeting ads, it is targeting victims.
The research concludes that the scale of Web advertising is too great to realistically review all rich media for malware, and detection-based solutions can be easily circumvented or result in unacceptable rates of false alarms. However, isolating the content with micro-virtualization or blocking it may greatly mitigate the threat.