Ad-borne Cryptowall ransomware is set to claim FRESH VICTIMS Security watchers are warning of a surge in CryptoWall ransomware victims this month that will coincide with a campaign to spread a new variant of the malware though advertising networks. More than 830,000 victims worldwide have been infected with the malware, a 25 per cent increase in infections since late August when there …
"...the advertising networks upon which they relied for dynamic content were inadvertently serving malware – which in turn, was not due to an explicit compromise of the networks; rather, it was due to the networks accepting ads from a malicious source without screening detection"
name the ad-slinger agencies. Then "customers" (if they don't already) can block them, people that pay for legit services can drop them and content filters (browser or software) can block them.
If say Amazon had hijacked pages that installed crap on a machine, we would soon know, so why are the ad-slingers getting away with it.
but whats "screening detection" ? if its new malware not detected by AVG or whatever the ad companies have installed on the machines that takes submissions , then they'd have a job as hard as the AV companies to detect anything. If they are detected by standard AV then who cares your machine should defend itself
just how wrong can one post be?
"Screening Detection" is trivially simple - even an advertising "executive" would be able to work out that a banner Ad is too big - that it's got something extra. They charge by the size of the data transmitted, and everyone (except malware providers) do all they can to minimise the size of their submitted code.
Any credible online advertising ageny won't be using anything like "AVG" - they'll actually have people who can examine the file in detail and will find the embedded code. The miscreants in this instance have identified and used Agencies with the technical know-how of "mark 63"
"just how wrong can one post be?"
I can't comment on super large ad agencies, but I can comment on smaller ad-fuelled businesses. Having actually worked for them in software development.
In a sufficiently large ad agency the person accepting flash files and media will simply use a back end CMS and may have the problem solving technical prowess to fix a paper jam in a printer.
The conversation between the developers and the business management when implementing that CMS would probably have gone along these lines:
Boss Guy: "We need to support flash advertising in the CMS"
*Developer shows uncomfortable face*
Boss Guy: "There a problem there?"
*Developer considers suggesting that flash might very, very, very occasionally carry malicious code, but doesn't want to present such an esoteric risk to the boss and come off sounding like someone who doesn't want to get the work done with a go get'em attitude when everyone else also uses flash.*
Developer: "Well, it wont play nice with apple iThings."
Boss Guy: "Well, I guess we'll just have to encourage people to move to HTML5 ads in the long term."
Ultimately, it's stories of people getting burnt by flash that will change conversations like the one above. Until then, it's very easy to be the person with 20:20 vision in hindsight and more importantly, you have to make a business case for spending time on things and it's very difficult to justify hundreds of man hours of reverse engineering code 'just in case'.
I have no doubt that this sort of malware will indeed change attitudes in time, but for now I think if you did a little work for ad agencies you'd understand why this sort of thing happens.
I would say that 'easily finding' malicious flash code when you don't know what you're looking for would be a bit like 'easily finding' OpenSSL and bash vulnerabilities in 2012. There's a reason why anti virus companies employ very skilled people who had to climb a steep learning curve.
The downvotes don't make mark 63 wrong, also thanks to g00se for pointing out the underlying mechanism. How would you detect malware in a flash file a customer submitted to you? Would you attempt a security analysis before sending it on beyond a check with an anti virus? Flash isn't *supposed* to be able to be compromised like that.
Arguably the bad decision was made when flash was used for advertising, but can you imagine arguing with your boss about letting through a flash advert if you're an advertising company technical advisor? The notion of decompiling and reverse engineering every flash file to check it for safety is unworkable.
I dare say this sort of exploitation was inevitable as flash for advertising became the complacently accepted norm. I started using flashblock myself after one too many websites started playing movies and sound automatically (rude bastards).
It's easy to be reactionary and blame ad agencies, but the problem really lies with..... well.... using software. Proprietary or open source, there isn't a type of software that's immune from vulnerabilities.
The 'them' we need to name is actually Adobe (and often Java)
It's not 'ads' but their buggy bloatware that's to blame. Perhaps they should be footing the ransom bills as the price for maintaining a de facto monopoly on browser-based video?
http://www.proofpoint.com/threatinsight/posts/malware-in-ad-networks-infects-visitors-and-jeopardizes-brands.php
Using Adobe Flash, the malvertisements silently “pull in” malicious exploits from the FlashPack Exploit Kit. The exploits attack a vulnerability in the end-users’ browser and install CryptoWall 2.0 on end-users’ computer
Most of these activities are skirted by companies already. This just brings it to light.
When was the first time Adobe or similar started bundling in software with downloads? I've stopped using legitimate sites because of the oh so close to tipping into malware software they push on you if your not careful. That's before going over companies like "Youtube" or "Google's" own "legitimate" adds.
Father/Grandfather backups give more protection against this malware than any virus checker can hope. And is pretty useful when baby pours milk all over your motherboard and bounces the drive on the err driveway - probably a more likely demise for your truly beloved data.
At the cost of a few downvotes - I dare to say that so many Windows users think safety is and only is paying out to Norton & co. Few have any backup strategy that will survive this type of attack. Yet it isn't difficult.
Terry 6: Agree, but then I also wonder who clicks on these adverts. I may be wrong but I am guessing they're not ads for the more mainstream types of product.
clicking is not required in many cases... they're known as drivebys and they bounce you along the distribution chain while supposedly gathering the mess to be displayed in the ad... just visiting a site with malicious ads and getting hit by one of those ads can land you in a world of hurt...
the icon is not aimed at you personally...
@Terry 6:
As someone else said while I was writing this: That's the problem. You don't have to click on anything. You browse to a page that has a dodgy ad and, voila, the ad exploits a vulnerability in Flash to drive-by download the virus exe to your system.
The advert itself might look like it's a blank white screen or an ad for the latest Norton or whatever.
I think the only way to stop this is for everyone to stop clicking on adverts. No exceptions. Then online advertising becomes unviable for whoever is paying the ad companies. So they stop paying.
Eventually, the ad men go out of business and the Internet is a better place without them.
I already turned off JavaScript in my primary browser because ads kept redirecting me to 'shag a neighbour' type websites without me doing anything but load a page on, say, a news or comedy website.
And as for backups, my best idea so far is a Linux server (raspberry pi with a USB hard disk or two) that drags files across from shared folders on my computer to a read-only network share that it holds, keeping old versions of files as long as the available disk space allows. That way all your files are backed up and you can go back to how any file was before it got encrypted.
That requires you to over provision your backup hard disk, of course, and you still need to nuke Windows if you get infected.
Sorry. That turned into more of a rant than I expected.
you do not need to click on Just been on the Page is enough to screw you and they can be Prime website that have mass of traffic
the ads are loaded with scripts that are setup to cycle until they hit the one that makes the browser run an exploit in the browser and run the code that runs cryptolocker or alike (lucky all the ones i removed was the scareware versions that all they did was set all the files to system+hidden, cryptolocker actually encrypts the files so pay or lose your files if you never backed up and most do not)
Which is a reason I don't use cloud backups or if I did it would only be one of my backups.
Instead I have backup software (storagecraft shadow protect desktop edition - ditched acronis it was awful as was the support) running which does full/incremental backups of my pc which has raid disks to a 4TB external drive. I then have a small linux server which drags the lastest full/incremental backup from my pc to itself via a secure connection as it does for all my other backups and puts them on its own external drive.
I off site a copy regularly by burning to DVD.
So I should be able to restore to a point in time which is ok and if I have too then I can try and recover other unencrypted files as I need.
Sadly, Windows (l)users still believe that they're invulnerable if they have tha latest MS updates, and they have a "firewall", "anti-virus", "anti-trojan", "anti-malware", "anti-hijack" and all the rest of the completely bogus "security" software slowing their already Windoze-crippled machines to a crawl.
None of them believe it can ever happen to them, and when it does, they fork out their hard-earned because they never backed up anything. Stupidity can be VERY expensive!
Only if the ad is not of a domain that's required for the site to run. If the ad's domain happens to coincide with a part of the site that's required for operation (not unheard of), then you're caught between Scylla and Charybdis. The only way to get proper site operation is to open yourself up to that drive-by.
NoScript is very effective in blocking this sort of thing, but it does break a lot of things in the process. And as Charles 9 says, AdBlock and similar tools are only effective against known ad networks, although often those are the networks being abused.
Ultimately the problem is that ads are what makes the web go round. If everybody blocked ads then a lot of sites would become uneconomical to run (there are of course other ways of displaying ads other than using an ad network).
Careful with the VM. Some malware's smart enough to detect this and use an exploit to redpill its way out to the metal. As for known, trusted sites, the problem is that the malware targets ad networks USED by known, trusted sites. That's the key to a drive-by attack; they target sideloads used by otherwise-popular sites. Ideally, they want to use an ad system that's part and parcel with some key part of the site, making it practically unavoidable.
Easiest solution I could think of would be to have a VM to use for web browsing.
The choice of OS in the VM won't matter too much doing things this way - even if there is a disk space cost. But the disk space cost I think is minimal, as it doesn't really need backed up. If the VM gets malware'd to oblivion, you can simply nuke it and start fresh.
Better yet, have it snapshotted then revert to the snapshot when you're done. Snapshots could also be done following updates, patches, etc.
A small, ready-to-roll distibution like Damn Small Linux would be ideal for this kind of thing - less patching to worry about and fresh versions of the OS are a ~50MB download for the entire thing. Also snapshots would not really be needed - just boot from the ISO in the VM.
"Redpill" comes from the Matrix universe. In the Matrix, most humans are lulled into believing the world they're in is real, but it's not. People who were scouted and took a "red pill" eventually were disconnected from the Matrix and exposed to the real world. Someone a few years ago proposed a malware which would transparently wrap the existing OS into a virtual machine which was then controlled by a hypervisor in the malware. Thus the reverse was also conceived: a malware that could detect the presence of a VM and, knowing this, found a way to break out into the hypervisor. Such a malware that could do that can be termed a "redpill," similar to the Matrix scenario.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
