Web Users Must Stay Extra Wary to Fend Off Stealthy 'Malvertising'

NEWS ANALYSIS: Computer users have to be more wary than ever to avoid malware infection via "malvertising" downloads, but there are ways to protect yourself.

Stealthy Malvertising 2

I was visiting a Website belonging to a well-known Macintosh publication reading details about the iPhone SE when a window appeared in the lower right corner of my screen.

It was an alert saying that the Malwarebytes security software I use had detected an intrusion attempt, and that the malware was being quarantined. A few minutes later, it happened again.

At that point, I recalled Robert Lemos' article on infected ad networks along with a newsletter I'd received the day before from Malwarebytes describing new levels of threats from malware appearing to be legitimate advertising. The malvertising now seems to be showing up on major Websites using well-known ad networks such as Google's DoubleClick.

The problem, it seems, is worse than most people suspect. The reason that malvertising is being distributed by the top ad networks is because the malware writers are actually buying ads and then feeding the ad servers content that is infected with malware, but the latest tactics are even more sinister. Now the malware can simply infect your computer without any action on your part. No longer do you have to click on an infected link.

In fact, according to Jerome Segura, senior security researcher at Malwarebytes, the newest types of malvertising will run on your computer, deliver their payload of malware and you'll never realize they were there at all until the payload executes or your security software catches it.

Unfortunately, it's not certain that your security software will catch anything because the malware creators will scan their products before sending them out to make sure that they aren't readily picked up by antivirus software.

"It's interesting to see the steps the rogue advertisers take to defraud the ad network," Segura said. "They use existing domains and create a subdomain." Segura said the malvertisements will then begin by impersonating a legitimate Website and serve material that's not infected for long enough to be accepted by most security white lists, and only then will they start serving malware. "Some wait for as long as six months," he said.

To make it harder to catch the rogue advertisers, the path taken by the malware has also become more sophisticated. Where once an infected banner ad would simply take you to the download site and start transferring malware, that's changed.

"Now it's doing fingerprinting to see if it's a real user," Segura said. Then the rogue site will take additional steps to make sure they have a real user rather than a honey pot, which is a site that's designed to catch malware servers, or security researchers scanning for malware.

Segura said that the fingerprinting process will check to see if the computer is using a residential IP address, whether it’s running a real copy of Windows on a real machine or whether it's actually running in a virtual environment.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...