Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 17 submissions in the queue.

DailyMotion Hit by Malvertising Attack Using the Angler Exploit Kit

posted by cmn32480 on Wednesday December 09 2015, @02:13PM   Printer-friendly
from the hook-line-and-sinker dept.

takyon writes:

The popular video streaming site DailyMotion has been hit by a malvertising attack. Malwarebytes explains:

We have been tracking an attack via .eu sites for several days but were missing the final payload. However, this changed when we managed to reproduce a live infection via an ad call coming from popular video streaming site DailyMotion, ranked among Alexa's top 100 sites.

This malversiting incident happened via real-time bidding (RTB) within the WWWPromoter marketplace. A decoy ad (pictured below) from a rogue advertiser initiates a series of redirections to .eu sites and ultimately loads the Angler exploit kit.

The bogus advertiser is using a combination of SSL encryption, IP blacklisting and JavaScript obfuscation and only displays the malicious payload once per (genuine) victim. In addition, Angler EK also fingerprints potential victims before launching its exploits to ensure the user is not a security researcher, honeypot or web crawler.

[...] The incident was resolved very rapidly once the proper contacts were made and the problem isolated. For this, we would like to them[sic] all parties involved in taking such prompt action, therefore limiting the potential damage to innocent users.

This particular malvertising attack is one of a few campaigns we have been tracking which is much more sophisticated than the average incidents we encounter daily. We can say that lately threat actors have really stepped up their game in terms of being very stealthy and making a particular ad call look benign when reproduced in a lab environment. Indeed, the problem comes when we suspect foul play but can't prove it with a live infection. It is difficult to convince ad networks to take action, when on the surface there's nothing wrong with a particular advertiser.

Here's some more information about the Angler exploit kit.

Original Submission

 
This discussion has been archived. No new comments can be posted.
DailyMotion Hit by Malvertising Attack Using the Angler Exploit Kit | Log In/Create an Account | Top | 31 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Wednesday December 09 2015, @10:08PM

    by Anonymous Coward on Wednesday December 09 2015, @10:08PM (#274139)

    A while back, I read about malware trying to detect if it was running in a VM and if so, it assumed it was in a researcher's sandbox and would not detonate its payload. My thought was "This is awesome, they have outsmarted themselves...we just need to make our machines appear to be sandboxes and they will be invulnerable."

  • (Score: 3, Interesting) by acharax on Thursday December 10 2015, @02:00AM

    by acharax (4264) on Thursday December 10 2015, @02:00AM (#274201)

    This actually works against some crypto malware that checks for Sandboxie and VirtualBox services/executeables and refuses to run if they are present. It can however backfire because there's also boobytrapped malware that will launch a destructive payload specifically when it is ran in such a context as to twart analysis.

    Some older bots (2008-2009) used to check for certain files in the drive root to determine whenever a system was already infected.