New Malware Spreads Through Web Advertising Channels

NEWS ANALYSIS: Security researchers find new malware that exploits legitimate advertising channels to attack and compromise computers.

Malvertizing 2

Adobe Flash has long been used as a path for attacking computers through their browsers because it's capable of executing code on remote Websites without users realizing it.

For this reason, Adobe has been in a constant war to find exploits and block them by providing updates to Flash as quickly as possible.

But it's also been possible to keep malware at bay simply by not clicking on a Flash-enabled icon or video. If you didn't click, nothing happened. Now that's changed.

Recently, readers of The Huffington Post were greeted with a Hugo Boss ad that simply installed malware, in this case a version of Cryptowall ransomware, when it appeared in the browser. It's worth noting that neither The Huffington Post nor Hugo Boss was involved in spreading the malware. Both were innocent parties.

What happened was a malware producer presented a falsified ad through a legitimate ad network, bid for placement and then sent the ad through. To make sure that the advertisement was accepted, the initial content for the ad was free of any malware.

Then, when it was time for the ad to be distributed, it was replaced with a "minor update" in the ad network, which then sent the advertisement through to end users just as it would a legitimate ad.

Involved were at least two major ad delivery networks, including Google's DoubleClick and Merchenta, which in turn apparently received the ad placements through Bidable, a self-service real-time bidding platform. "Bidable had a rogue customer," said Jerome Segura, senior security researcher at Malwarebytes, the security software company.

Segura said that the choice of the ad to infect was random and that the rogue customer was apparently acting as if it was handling advertising as a legitimate partner.

The problem came about because the manner in which online ads are handled is automated, and because of the volume, checking individual ads for malware is very difficult, and perhaps impossible. Worse, advertising agencies that submit the ads aren't really screening the ads effectively, Segura said.

While malware advertising, or "malvertising," isn't new, the manner in which cyber-criminals carry out this is. This is the first time that the malware infection has taken place entirely on its own because of a Flash vulnerability. With this new type of infection, all a user has to do is go to a site where the infected ad shows up; there is no necessity to open the ad, execute anything or be redirected to another site. In this new attack, the ad is the malware.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...