Internet advertisement networks provide attackers with an effective venue for targeting numerous computers through malicious banner ads.
Such malvertisements may take the form of Flash programs that look like regular ads, but contain code that attacks the visitor's system directly or redirects the browser to a malicious website.
Malicious ads can also be implemented without Flash by simply redirecting the destination of the ad after the launch of the campaign.
How are such campaigns conducted? What, if anything, can we do about them? We can begin making sense of malicious ad practices by examining some examples of high-profile malvertising incidents.
High-Profile Malvertising Incidents
Rik Ferguson from Trend Micro described an incident when the New York Times was hosting a banner ad that attempted to social-engineer people into installing a rogue antivirus tool.
According to Rik, "the problem may have been ongoing for upwards of 24 hours" before the New York Times noticed the malicious nature of the ad and disabled it.
In another example, the London Stock Exchange website was also observed inadvertently serving malicious ads to its users, as described by Paul Mutton. This incident was traced to a possible breach at Unanimis--the company serving the ads the London Stock Exchange and many other companies.
Elad Sharf from Websense analyzed the Unanimis malvertising incident that affected a number of high profile web properties. He noted that such malvertising campaigns are attractive to attackers because they "can be easily spread across a large number of legitimate Websites without directly compromising those Websites."
Mary Landesman from ScanSafe/Cisco pointed out that the list of popular websites serving malicious ads in the recent years included Hoovers.com, USNews.com, Tucows.com, TheOnion.com, SpeedTest.net and many others.
She also explained that malvertisements aren't limited to a particular ad network; they've been "delivered via DoubleClick (Google), YieldManager (Yahoo!), and rad.msn.com (Microsoft)," and also through webmail services, such as Windows Live (Hotmail) and Yahoo! Mail.
Jiri Sejtko from Avast! also reported that large scale ad-networks are often responsible for delivering malvertisements. For one malvertising campaign tracked by Avast!, the most compromised services were YieldManager.com (Yahoo!) and Fimserve.com (FOX Audience Network), which delivered more than half of the malicious ads in that incident.
While most of the malvertising campaigns have affected users of web browsers, an incident involving Spotify showed that applications can be used as a similar attack vector. Patrik Runald at Websense described how Spotify, a music streaming service, was displaying a malicious ad to the users of its media-playing application.
The app rendered the ad and its malicious code as if it were a browser without requiring user interaction. "If you had Spotify open but running in the background, listening to your favorite tunes, you could still get infected."
The wide reach that attackers can have by delivering client-side attacks through advertisement networks--and the difficulty with which we've hard curtailing malvertising practices--suggests that this attack vector isn't likely to disappear soon. We need to find a better way of dealing with it.
The Mechanics of Malicious Ads
One approach to conducting a malvertising campaign involves an image ad that people click on to visit the advertised website. In this context, the advertised website turns out to be malicious in itself or redirects to a malicious site.
For example, Kimberly from StopMalvertising described one malvertisement that took the person clicking on the ad to popadscdn.net, which redirected to pop.biyoetanol.net, which redirected to ad.amiadrugaddict.info, which eventually redirected to the Blackhole Exploit Kit hosted at 0d1.cz.cc.
If redirected to a site hosting an exploit kit, the victim's system is subjected to one or more attacks on the browser or the software that the browser can invoke, such as Acrobat Reader or Java Runtime.
The exploit kit's code probes the victim's browser environment to determine which vulnerability to attempt exploiting. Some of the malicious sites implement another approach, relying on social engineering to trick the visitor into installing malicious software.
Malicious ads might also take the form of Flash programs. Flash provides the attacker with the ability to use ActionScript to embed "business logic" directly into the ad. As the result, the malicious code can execute as soon as the person's browser displays the advertisement, without having to wait for the user to click on the ad.
Furthermore, the Flash-based ad can incorporate logic that decides when to attack the user and whom to attack. The ad might trigger a malicious action on a particular date; this is typically done to delay the attack until after the advertising network examined and approved the ad. For instance, the ad can begin redirecting victims to a malicious site only during a weekend, and may decide to only go after people in a particular location.
The Flash advertisement's logic may also evade detection by only attacking the user once--such ads typically use a cookie-like Local Shared Object (LSO) to avoid attacking the user if he has already been targeted.
These and other techniques are described in the paper Analyzing and Detecting Malicious Flash Advertisements by Ford, Cova, Kruegel and Vigna.
How Malicious Ads Are Deployed
Sometimes, attackers compromise the ad network's IT infrastructure to distribute malvertisements. This allows the attacker to directly control what banner ads are displayed, offering the ability of serving malvertisements or modifying legitimate ads to include malicious code or destinations.
This seems to have been the case in the Unanimis incident that affected websites such as the London Stock Exchange. According to SC Magazine, Unanimis confirmed that the malvertisements were the result of unauthorized access to their systems.
Another, perhaps more common approach to injecting malvertisements into the web ecosystem involves impersonating agencies that supposedly represent legitimate clients wishing to advertise. This approach involves attackers spending money to pay for the malicious ad campaign. (But it takes money to make money, right? In any case, they are probably paying with stolen funds.)
For example, a scammer contacted Gawker Media pretending to be a popular ad agency:
"I work with Automotive and Entertainment clients in Spark. First and foremost, we want to run a performance campaign for Suzuki across your network. Our budget to start is $25k+."
In their phone and email interactions the scammer sounded professional and knowledgeable and was able to fool Gawker's ad sales representatives into placing the accepting and displaying the ads that turned out to be malicious.
Sometimes attackers pretend to be associated with legitimate and well-known ad agencies. In other cases, attackers represent fake ad agencies pretending to represent legitimate clients who wish to launch an advertising campaign.
They might even present the ad network with a falsified Letter of Mandate, claiming that the company being advertised authorized the ad agency to act on its behalf. For instance, SkyAuction.com reported the following incident according to the Spyware Sucks blog:
"We were contacted by another company today that were duped into hosting one of the fraudulent ads for a couple of days (which have since been taken down). It seems that the source of the ads is a company called NetMediaGroup (http://www.netmediagroup.net). They are claiming to represent us and even provided a fake letter of mandate."
Attackers can deploy malicious advertisements by compromising the ad networks systems or by purchasing campaigns that distribute the malicious ads. These tactics allow attackers to run malicious code in browsers and applications of numerous users across the web, providing an effective initial attack vector.
Malvertising: How Malicious Ad Campaigns Are Protected
The script executes in the victim's browser, recreating the original script on the file and executing it to implement the client-side attack.
ActionScript included in malicious Flash ads can be obfuscated as well using a variety of techniques. One of these methods is implemented using a commercial (and non-malicious in itself) tool SWF Encrypt, rendering the code within a Flash program virtually unreadable.
Another approach to protecting a malvertising campaign is to time it to take place over the weekend. The ad is often scheduled to begin displaying on Friday evening, but the malicious logic isn't activated until early Saturday morning. This timing is designed to make it less likely that the advertisement network's employees will be able to detect and quickly react to the malicious nature of the ad, since the staff probably isn't at work during the weekend.
Unfortunately, it often takes a long time for the malicious ad to be disabled. Dasient's Q4 2010 Malware Update reported the average lifetime of a malvertising campaign being about 10 days. Interestingly, according to Dasient's data, Thursday appears to be the least popular day for malicious ads.
Attackers protect malvertising campaigns by carefully timing when the advertisements begin exhibiting malicious characteristics and also by obfuscating the code that implements the ad's logic. These actions make it difficult for ad networks and end-users' tools to distinguish between legitimate and malicious advertisements.
Dealing With Malicious Ads - Who and How?
Recommendations for ad networks for spotting potential malvertising campaigns include:
- Validate the integrity and authenticity of the entity wishing to place the ad by reviewing their credentials and documentation and by conducting a background search with financial review companies. Unfortunately, the documents are easily faked and review companies provide very limited coverage.
- Research advertisers with domain registry lookup tools looking for red flags, such as concealed contact details, recently-created or modified records or the use of webmail email addresses for domain contacts. This seems quite practical to me.
- Examine Flash ads with analysis tools, such as automated analyzers or web proxies. Unfortunately, the authors of malicious Flash ads are very good at concealing malicious logic, making it very hard to examine these programs to identify malware characteristics. (Perhaps ad networks could refuse accepting Flash ads with scripts that seem obscure or obfuscated.)
- Watch out for social engineering tricks, such as willingness to pay for the full campaign in cash, placing orders at the last moment or maintaining contact at odd hours. This is hard to do, considering how persuasive social engineers can be. Moreover, ad networks' sales people might prefer to get paid and deal with the potential malvertisement later, rather than saying "no" to a new customer.
These practices are either not being followed or are ineffective, given the apparent popularity and effectiveness of malicious ads.
In an article that explored who should kill off malvertisements, Trend Micro's Rik Ferguson pointed out that "website owners and ad networks alike suffer embarrassing brand damage when their customers are infected." However, I am not sure brand tarnishing provides sufficient incentives to motivate companies to address the problem:
- A website might suffer embarrassment when displaying a malicious advertisement;
- The site apologizes and points a finger at the ad network that served the ad;
- The network apologizes and disables the offending advertisement;
- The world moves on and forgets about the incident after a few days.
Moreover, ad networks probably keep the money they were paid for the campaign that turned out to be malicious. This creates an incentive to look the other way even when the ad network's sales staff notices red flags when processing the campaign.
When describing his experience supporting LAN operations for about 4 years, Michael Robinson observed that the majority of malware infections in that environment occurred through malvertisements. In response, the company's firewall engineers:
"Created rules to block traffic from 20 specific advertisers. By blocking only these sites, the number of malware infections on the LAN dropped by over 80%."
If blocking ads is as effective as what Michael experienced, then by adopting this practice on a larger scale--at the level network level as well as on individual workstations--organizations might create powerful incentives for ad networks to work more rigorously as investigating, identifying and responding to malvertising campaigns.
For now, individuals and organizations can minimize their exposure to malvertisements by minimizing their exposure to banner ads. Also, the standard practices for combating social engineering scams, client-side exploits and malware apply when dealing with the threat of malicious ads.
This article was originally published on Lenny Zeltser's information security blog. If this topic is interesting to you, take a look at the reverse-engineering malware and combating malware in the enterprise courses that Lenny teaches at SANS Institute.