I was visiting a Website belonging to a well-known Macintosh publication reading details about the iPhone SE when a window appeared in the lower right corner of my screen.
It was an alert saying that the Malwarebytes security software I use had detected an intrusion attempt, and that the malware was being quarantined. A few minutes later, it happened again.
At that point, I recalled Robert Lemos’ article on infected ad networks along with a newsletter I’d received the day before from Malwarebytes describing new levels of threats from malware appearing to be legitimate advertising. The malvertising now seems to be showing up on major Websites using well-known ad networks such as Google’s DoubleClick.
The problem, it seems, is worse than most people suspect. The reason that malvertising is being distributed by the top ad networks is because the malware writers are actually buying ads and then feeding the ad servers content that is infected with malware, but the latest tactics are even more sinister. Now the malware can simply infect your computer without any action on your part. No longer do you have to click on an infected link.
In fact, according to Jerome Segura, senior security researcher at Malwarebytes, the newest types of malvertising will run on your computer, deliver their payload of malware and you’ll never realize they were there at all until the payload executes or your security software catches it.
Unfortunately, it’s not certain that your security software will catch anything because the malware creators will scan their products before sending them out to make sure that they aren’t readily picked up by antivirus software.
“It’s interesting to see the steps the rogue advertisers take to defraud the ad network,” Segura said. “They use existing domains and create a subdomain.” Segura said the malvertisements will then begin by impersonating a legitimate Website and serve material that’s not infected for long enough to be accepted by most security white lists, and only then will they start serving malware. “Some wait for as long as six months,” he said.
To make it harder to catch the rogue advertisers, the path taken by the malware has also become more sophisticated. Where once an infected banner ad would simply take you to the download site and start transferring malware, that’s changed.
“Now it’s doing fingerprinting to see if it’s a real user,” Segura said. Then the rogue site will take additional steps to make sure they have a real user rather than a honey pot, which is a site that’s designed to catch malware servers, or security researchers scanning for malware.
Segura said that the fingerprinting process will check to see if the computer is using a residential IP address, whether it’s running a real copy of Windows on a real machine or whether it’s actually running in a virtual environment.
Web Users Must Stay Extra Wary to Fend Off Stealthy ‘Malvertising’
The fingerprinting will reveal what security products are being used and whether the potential target meets other criteria, and which point it launches the exploit kit.
In addition, the fingerprinting process will then catalog the IP address and won’t serve more malware. This makes it harder to track down, and it ensures that they’re not trying to infect the same computer more than once. I found this out when I went back to the same Macintosh publication and tried to get the malware blocked again. It didn’t reappear.
Fortunately, there are solutions. The most important is to keep your computers rigorously up to date. Being even a few days late in fixing a zero-day vulnerability can open your computer to infection. This also means making sure you have the most current version of the operating system on your computers, so if you’re using Windows, it should be Windows 10.
Next, you need to make sure you have the right anti-malware protection on your computer and on your network. This includes having current, up to date, security software on each machine. A good antivirus package is essential, but you also need a behavior-based security package to pick up malware that doesn’t match the signatures in your other products.
Your network should have a strong, configurable, hardware firewall of some type. Preferably this should be a next-generation security device that can identify malware through machine learning, but also prevents certain types of traffic from entering or leaving the network.
The best known of these devices come from Barracuda and Palo Alto Networks, but it’s important to know that such devices do require administration by someone with a clue, because they’re not really plug and play devices.
Finally, there are ad blockers. Segura said that because they prevent ads from being served to your computer, they will also block malicious ads. However, he said that this isn’t a sure-fire way to prevent malware delivery and it limits many other things you can do on the internet. Segura said that if ad blockers are broadly used, it will also begin to impact material that’s currently available for free on the Internet.
Unfortunately, the obvious step of requiring the ad networks to police what they are distributing on the Web is very hard to do. The writers of malvertising go to great lengths to avoid detection by the ad networks, including by serving legitimate ads for however long it takes before no one notices that the content has changed to malware.
In the meantime, it’s up to you and your organization. If you follow the best practices, keep current backups and train your staff, the chances of a successful infection are minimized. Today I was able to catch a malvertising attack. You should be able to do the same.