Ad-borne Cryptowall ransomware is set to claim FRESH VICTIMS

Security watchers are warning of a surge in CryptoWall ransomware victims this month that will coincide with a campaign to spread a new variant of the malware though advertising networks. More than 830,000 victims worldwide have been infected with the malware, a 25 per cent increase in infections since late August when there …

  1. Anonymous Coward
    Mushroom

    Well, let's name them....

    "...the advertising networks upon which they relied for dynamic content were inadvertently serving malware – which in turn, was not due to an explicit compromise of the networks; rather, it was due to the networks accepting ads from a malicious source without screening detection"

    name the ad-slinger agencies. Then "customers" (if they don't already) can block them, people that pay for legit services can drop them and content filters (browser or software) can block them.

    If say Amazon had hijacked pages that installed crap on a machine, we would soon know, so why are the ad-slingers getting away with it.

    1. mark 63 Silver badge

      Re: Well, let's name them....

      But what's "screening detection"? If it's new malware not detected by AVG or whatever the ad companies have installed on the machines that take submissions, then they'd have a job as hard as the AV companies' to detect anything. If they are detected by standard AV, then who cares; your machine should defend itself.

      1. AlbertH

        Re: Well, let's name them....

        Just how wrong can one post be?

        "Screening Detection" is trivially simple - even an advertising "executive" would be able to work out that a banner Ad is too big - that it's got something extra. They charge by the size of the data transmitted, and everyone (except malware providers) does all they can to minimise the size of their submitted code.

        Any credible online advertising agency won't be using anything like "AVG" - they'll actually have people who can examine the file in detail and will find the embedded code. The miscreants in this instance have identified and used Agencies with the technical know-how of "mark 63".

        1. HMB

          Re: Well, let's name them....

          "Just how wrong can one post be?"

          I can't comment on super large ad agencies, but I can comment on smaller ad-fuelled businesses. Having actually worked for them in software development.

          In a sufficiently large ad agency the person accepting flash files and media will simply use a back end CMS and may have the problem solving technical prowess to fix a paper jam in a printer.

          The conversation between the developers and the business management when implementing that CMS would probably have gone along these lines:

          Boss Guy: "We need to support flash advertising in the CMS"

          *Developer shows uncomfortable face*

          Boss Guy: "There a problem there?"

          *Developer considers suggesting that flash might very, very, very occasionally carry malicious code, but doesn't want to present such an esoteric risk to the boss and come off sounding like someone who doesn't want to get the work done with a go get'em attitude when everyone else also uses flash.*

          Developer: "Well, it won't play nice with apple iThings."

          Boss Guy: "Well, I guess we'll just have to encourage people to move to HTML5 ads in the long term."

          Ultimately, it's stories of people getting burnt by flash that will change conversations like the one above. Until then, it's very easy to be the person with 20:20 vision in hindsight and more importantly, you have to make a business case for spending time on things and it's very difficult to justify hundreds of man hours of reverse engineering code 'just in case'.

          I have no doubt that this sort of malware will indeed change attitudes in time, but for now I think if you did a little work for ad agencies you'd understand why this sort of thing happens.

          I would say that 'easily finding' malicious flash code when you don't know what you're looking for would be a bit like 'easily finding' OpenSSL and bash vulnerabilities in 2012. There's a reason why anti virus companies employ very skilled people who had to climb a steep learning curve.

      2. HMB

        Re: Well, let's name them....

        The downvotes don't make mark 63 wrong; also thanks to g00se for pointing out the underlying mechanism. How would you detect malware in a flash file a customer submitted to you? Would you attempt a security analysis before sending it on, beyond a check with an antivirus? Flash isn't *supposed* to be able to be compromised like that.

        Arguably the bad decision was made when flash was used for advertising, but can you imagine arguing with your boss about letting through a flash advert if you're an advertising company technical advisor? The notion of decompiling and reverse engineering every flash file to check it for safety is unworkable.

        I dare say this sort of exploitation was inevitable as flash for advertising became the complacently accepted norm. I started using flashblock myself after one too many websites started playing movies and sound automatically (rude bastards).

        It's easy to be reactionary and blame ad agencies, but the problem really lies with..... well.... using software. Proprietary or open source, there isn't a type of software that's immune from vulnerabilities.

    2. g00se
      FAIL

      Re: Well, let's name them....

      The 'them' we need to name is actually Adobe (and often Java)

      It's not 'ads' but their buggy bloatware that's to blame. Perhaps they should be footing the ransom bills as the price for maintaining a de facto monopoly on browser-based video?

      http://www.proofpoint.com/threatinsight/posts/malware-in-ad-networks-infects-visitors-and-jeopardizes-brands.php

      Using Adobe Flash, the malvertisements silently “pull in” malicious exploits from the FlashPack Exploit Kit. The exploits attack a vulnerability in the end-users’ browser and install CryptoWall 2.0 on end-users’ computer.

    3. TheVogon

      Re: Well, let's name them....

      Just make sure 'System Protection' is turned on, and then you can restore previous versions of files....

  2. mark 63 Silver badge

    So thanks to bitcoin this kind of activity can "get paid" with zero chance of tracing the recipients? They don't even have to set up dodgy accounts that they fill up, transfer and dump?

    1. Anonymous Coward
      Anonymous Coward

      Most of these activities are skirted by companies already. This just brings it to light.

      When was the first time Adobe or similar started bundling in software with downloads? I've stopped using legitimate sites because of the oh-so-close-to-tipping-into-malware software they push on you if you're not careful. That's before going over companies like "Youtube" or "Google's" own "legitimate" ads.

    2. TheVogon

      "So thanks to bitcoin this kind of activity can "get paid" with zero chance of tracing the recipients? They don't even have to set up dodgy accounts that they fill up, transfer and dump?"

      So just like cash and Western Union money transfer then.

  3. Stuart 22

    Complacency

    Father/Grandfather backups give more protection against this malware than any virus checker can hope. And is pretty useful when baby pours milk all over your motherboard and bounces the drive on the err driveway - probably a more likely demise for your truly beloved data.

    At the cost of a few downvotes - I dare to say that so many Windows users think safety is and only is paying out to Norton & co. Few have any backup strategy that will survive this type of attack. Yet it isn't difficult.

    1. Terry 6 Silver badge

      Re: Complacency

      Agree, but then I also wonder who clicks on these adverts. I may be wrong but I am guessing they're not ads for the more mainstream types of product.

      1. waldo kitty
        Facepalm

        Re: Complacency

        Terry 6: Agree, but then I also wonder who clicks on these adverts. I may be wrong but I am guessing they're not ads for the more mainstream types of product.

        clicking is not required in many cases... they're known as drivebys and they bounce you along the distribution chain while supposedly gathering the mess to be displayed in the ad... just visiting a site with malicious ads and getting hit by one of those ads can land you in a world of hurt...

        the icon is not aimed at you personally...

        1. Terry 6 Silver badge

          Re: Complacency

          No, fair enough. I should have realised that. Wasn't thinking I guess.

        2. Justin Goldberg

          Re: Complacency

          For the record, I have never been hit with malware in Google Chrome. I've intentionally downloaded malware and spyware to test various scanners in a malware environment, though, but that was intentional.

      2. Andrew 59
        Stop

        Re: Complacency

        @Terry 6:

        As someone else said while I was writing this: That's the problem. You don't have to click on anything. You browse to a page that has a dodgy ad and, voila, the ad exploits a vulnerability in Flash to drive-by download the virus exe to your system.

        The advert itself might look like it's a blank white screen or an ad for the latest Norton or whatever.

        I think the only way to stop this is for everyone to stop clicking on adverts. No exceptions. Then online advertising becomes unviable for whoever is paying the ad companies. So they stop paying.

        Eventually, the ad men go out of business and the Internet is a better place without them.

        I already turned off JavaScript in my primary browser because ads kept redirecting me to 'shag a neighbour' type websites without me doing anything but load a page on, say, a news or comedy website.

        And as for backups, my best idea so far is a Linux server (raspberry pi with a USB hard disk or two) that drags files across from shared folders on my computer to a read-only network share that it holds, keeping old versions of files as long as the available disk space allows. That way all your files are backed up and you can go back to how any file was before it got encrypted.

        That requires you to over provision your backup hard disk, of course, and you still need to nuke Windows if you get infected.

        Sorry. That turned into more of a rant than I expected.

      3. leexgx

        Re: Complacency

        You do not need to click on it; just being on the page is enough to screw you, and they can be prime websites that have masses of traffic.

        The ads are loaded with scripts that are set up to cycle until they hit the one that makes the browser run an exploit in the browser and run the code that runs CryptoLocker or alike (luckily all the ones I removed were the scareware versions, where all they did was set all the files to system+hidden; CryptoLocker actually encrypts the files, so pay or lose your files if you never backed up, and most do not).

    2. Anonymous Coward
      Anonymous Coward

      Re: Complacency

      I think it's been noted that the ransomware doesn't make demands right away. Instead, it starts silently encrypting stuff bit by bit, probably trying to slip itself INTO your backups.

      1. Anonymous Coward
        Anonymous Coward

        Re: Complacency

        And once a file has been encrypted, any automated cloud backup solution you may have will then immediately back up that encrypted version for you.

        1. Anonymous Coward
          Anonymous Coward

          Re: Complacency

          Which is a reason I don't use cloud backups or if I did it would only be one of my backups.

          Instead I have backup software (storagecraft shadow protect desktop edition - ditched acronis, it was awful, as was the support) running which does full/incremental backups of my pc, which has raid disks, to a 4TB external drive. I then have a small linux server which drags the latest full/incremental backup from my pc to itself via a secure connection, as it does for all my other backups, and puts them on its own external drive.

          I off site a copy regularly by burning to DVD.

          So I should be able to restore to a point in time, which is ok, and if I have to then I can try and recover other unencrypted files as I need.
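As an added example that is not from the article or any commenter, here is a pull-style versioned backup in Python along the lines Andrew 59 describes above (the server pulls from the client's share, keeps old versions and stores them read-only), with a check for the concern raised in this sub-thread that a silent encryption run simply gets backed up too: a run that rewrites most files raises an alarm and skips pruning, so the earlier, unencrypted snapshots survive. The directory layout, the 50% threshold and the constructed sample files are my own assumptions.

```python
# Added example (not from the article or any commenter): pull-style versioned backup with a mass-change alarm.
import filecmp
import os
import shutil
import tempfile
from pathlib import Path

def take_snapshot(source: Path, repo: Path, label: str,
                  keep: int = 7, change_alarm: float = 0.5) -> dict:
    """Pull `source` into repo/<label> as a complete tree; files identical to the previous
    snapshot are hard-linked, not copied. Labels must sort chronologically (e.g. timestamps)."""
    snaps = sorted(p for p in repo.iterdir() if p.is_dir()) if repo.exists() else []
    previous = snaps[-1] if snaps else None
    target = repo / label
    target.mkdir(parents=True)
    total = changed = 0
    for path in (p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source)
        dest = target / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        total += 1
        old = previous / rel if previous else None
        if old is not None and old.is_file() and filecmp.cmp(path, old, shallow=False):
            os.link(old, dest)        # unchanged: share the bytes with the last snapshot
        else:
            shutil.copy2(path, dest)  # new or modified: copy the current bytes
            changed += 1
        dest.chmod(0o444)             # snapshot copies are read-only on the server side
    ratio = changed / total if total else 0.0
    # A normal run changes a few files; ransomware rewrites nearly all of them.
    # On an alarm we keep every old snapshot so good history is not pruned away.
    alarm = previous is not None and ratio >= change_alarm
    pruned = []
    if not alarm:
        for stale in snaps[:max(0, len(snaps) + 1 - keep)]:
            shutil.rmtree(stale)
            pruned.append(stale.name)
    return {"snapshot": label, "path": str(target), "files": total,
            "changed": changed, "alarm": alarm, "pruned": pruned}

def demo() -> list:
    """Constructed walk-through: an ordinary edit, then a ransomware-style mass rewrite."""
    base = Path(tempfile.mkdtemp())
    share, repo = base / "share", base / "backups"
    share.mkdir()
    for name in "abcd":
        (share / f"{name}.txt").write_text(f"document {name}\n")
    runs = [take_snapshot(share, repo, "s1", keep=2)]
    (share / "a.txt").write_text("document a, edited\n")
    runs.append(take_snapshot(share, repo, "s2", keep=2))
    for f in share.glob("*.txt"):  # simulate every file being encrypted in place
        f.write_bytes(b"\x00ENCRYPTED\x00" + f.read_bytes())
    runs.append(take_snapshot(share, repo, "s3", keep=2))
    return runs

if __name__ == "__main__":
    for run in demo():
        print(run)
```

In the third run every file differs from the previous snapshot, so the summary carries `alarm: True` and nothing is pruned; an operator can then restore from s1 or s2 rather than from a snapshot of encrypted files.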

          1. AlbertH

            Re: Complacency

            AC - There are several immediately obvious (and some more subtle) flaws in your overly extensive back-up strategy, and you'll be just as likely to be a victim of this ransomware scam if you're still using Windows to face the internet.

    3. AlbertH
      Linux

      Re: Complacency

      Sadly, Windows (l)users still believe that they're invulnerable if they have the latest MS updates, and they have a "firewall", "anti-virus", "anti-trojan", "anti-malware", "anti-hijack" and all the rest of the completely bogus "security" software slowing their already Windoze-crippled machines to a crawl.

      None of them believe it can ever happen to them, and when it does, they fork out their hard-earned because they never backed up anything. Stupidity can be VERY expensive!

  4. Scott Broukell

    AdBlocker / NoScript

    Question - Would either of the above addons, individually or in tandem, effectively prevent such driveby infection?

    1. Charles 9

      Re: AdBlocker / NoScript

      Only if the ad is not of a domain that's required for the site to run. If the ad's domain happens to coincide with a part of the site that's required for operation (not unheard of), then you're caught between Scylla and Charybdis. The only way to get proper site operation is to open yourself up to that drive-by.

      1. Conrad Longmore

        Re: AdBlocker / NoScript

        NoScript is very effective in blocking this sort of thing, but it does break a lot of things in the process. And as Charles 9 says, AdBlock and similar tools are only effective against known ad networks, although often those are the networks being abused.

        Ultimately the problem is that ads are what makes the web go round. If everybody blocked ads then a lot of sites would become uneconomical to run (there are of course other ways of displaying ads other than using an ad network).

        1. Mark 85

          Re: AdBlocker / NoScript

          So basically, if I understand you and Charles 9 right, one just shouldn't surf except to known, trusted sites? Or run a locked down VM that gets deleted after every session on the OS of choice?

          1. Charles 9

            Re: AdBlocker / NoScript

            Careful with the VM. Some malware's smart enough to detect this and use an exploit to redpill its way out to the metal. As for known, trusted sites, the problem is that the malware targets ad networks USED by known, trusted sites. That's the key to a drive-by attack; they target sideloads used by otherwise-popular sites. Ideally, they want to use an ad system that's part and parcel with some key part of the site, making it practically unavoidable.

    2. AlbertH

      Re: AdBlocker / NoScript

      AdBlocker / NoScript

      Question - Would either of the above addons, individually or in tandem, effectively prevent such driveby infection?

      Nope. It's trivially easy to bypass these. Some legitimate adverts already do!

  5. Anonymous Coward
    Anonymous Coward

    I've installed Cryptoprevent

    plus use Adblock on almost all websites. Should reduce the risk.

    1. AlbertH
      Devil

      Re: I've installed Cryptoprevent

      Bwah ha hahahahaha!!!!!!!!

      See "complacency" above.......

  6. Justin Goldberg

    The servers are using ONIONHOST.torpayusd.com (which seems really a web redirect to the tor2web service). Mistoprav LTD is the company behind it.

    They have also registered tor4pay.com and tor2pay.com

  7. enerider
    Windows

    VM for fun and profit?

    Easiest solution I could think of would be to have a VM to use for web browsing.

    The choice of OS in the VM won't matter too much doing things this way - even if there is a disk space cost. But the disk space cost I think is minimal, as it doesn't really need backed up. If the VM gets malware'd to oblivion, you can simply nuke it and start fresh.

    Better yet, have it snapshotted then revert to the snapshot when you're done. Snapshots could also be done following updates, patches, etc.

    A small, ready-to-roll distribution like Damn Small Linux would be ideal for this kind of thing - less patching to worry about, and fresh versions of the OS are a ~50MB download for the entire thing. Also snapshots would not really be needed - just boot from the ISO in the VM.

    1. Charles 9

      Re: VM for fun and profit?

      Until the malware starts packing a redpill exploit...

      1. Anonymous Coward
        Anonymous Coward

        Re: VM for fun and profit?

        Can someone who knows explain this?

        1. Pookietoo

          Re: Can someone who knows explain this?

          Explain what - running an expendable virtual machine, or breaking out of a virtual machine to attack the host?

        2. Charles 9

          Re: VM for fun and profit?

          "Redpill" comes from the Matrix universe. In the Matrix, most humans are lulled into believing the world they're in is real, but it's not. People who were scouted and took a "red pill" eventually were disconnected from the Matrix and exposed to the real world. Someone a few years ago proposed a malware which would transparently wrap the existing OS into a virtual machine which was then controlled by a hypervisor in the malware. Thus the reverse was also conceived: a malware that could detect the presence of a VM and, knowing this, found a way to break out into the hypervisor. Such a malware that could do that can be termed a "redpill," similar to the Matrix scenario.

          1. Anonymous Coward
            Anonymous Coward

            Re: VM for fun and profit?

            Upvote for the idea that a Malware could run the OS as a VM inside the malware... wow, that's both scary, and wonderfully awesome.

      2. enerider

        Re: VM for fun and profit?

        Fair point - hypervisor exploits are a definite attack vector.

        So do you rotate hypervisors as well?

        Or do you BSD and simply jail a few things? :-)

        It's always a race of attackers and defenders, and that part isn't likely to change any time soon.

  8. mr. deadlift
    Pint

    wrong job path.

    So these blokes/ladies criminals pull millions in a matter of months and here I am, grinding away cleaning up after them for a pittance. The irony, she burns. Shouldn't complain I guess. I have a job.

    Beer for Friday down here in Oz, see you all Monday, sans crypto'd I hope.
