posted by cmn32480 on Wednesday December 09 2015, @02:13PM
from the hook-line-and-sinker dept.

The popular video streaming site DailyMotion has been hit by a malvertising attack. Malwarebytes explains:

We have been tracking an attack via .eu sites for several days but were missing the final payload. However, this changed when we managed to reproduce a live infection via an ad call coming from popular video streaming site DailyMotion, ranked among Alexa's top 100 sites.

This malvertising incident happened via real-time bidding (RTB) within the WWWPromoter marketplace. A decoy ad (pictured below) from a rogue advertiser initiates a series of redirections to .eu sites and ultimately loads the Angler exploit kit.

The bogus advertiser is using a combination of SSL encryption, IP blacklisting and JavaScript obfuscation and only displays the malicious payload once per (genuine) victim. In addition, Angler EK also fingerprints potential victims before launching its exploits to ensure the user is not a security researcher, honeypot or web crawler.

[...] The incident was resolved very rapidly once the proper contacts were made and the problem isolated. For this, we would like to them[sic] all parties involved in taking such prompt action, therefore limiting the potential damage to innocent users.

This particular malvertising attack is one of a few campaigns we have been tracking which is much more sophisticated than the average incidents we encounter daily. We can say that lately threat actors have really stepped up their game in terms of being very stealthy and making a particular ad call look benign when reproduced in a lab environment. Indeed, the problem comes when we suspect foul play but can't prove it with a live infection. It is difficult to convince ad networks to take action, when on the surface there's nothing wrong with a particular advertiser.

Here's some more information about the Angler exploit kit.
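The detection idea a defender can take from the chain described above, as an added example in Python (not code from Malwarebytes or the story): reconstruct the Referer chain behind each ad call from proxy logs and flag chains that pass through several hops and land on a .eu host. The log lines, every hostname and the assumed RTB marketplace host are constructed placeholders.

```python
"""Flag ad-driven redirect chains in proxy logs (added example, not
Malwarebytes' or SoylentNews' code). Reconstructs the Referer chain behind
each ad call and flags the shape in the write-up: RTB ad call -> hops -> .eu."""
from urllib.parse import urlsplit

# Constructed proxy log: client_ip, requested URL, Referer ("-" if none). Placeholder hosts.
CONSTRUCTED_LOG = """\
10.0.0.5 https://www.dailymotion.com/video/abc -
10.0.0.5 https://ads.example-marketplace.test/rtb?bid=42 https://www.dailymotion.com/video/abc
10.0.0.5 https://cdn.hop-one.test/r.php https://ads.example-marketplace.test/rtb?bid=42
10.0.0.5 https://static.hop-two.eu/k.js https://cdn.hop-one.test/r.php
10.0.0.5 https://landing.example-payload.eu/index.php https://static.hop-two.eu/k.js
10.0.0.7 https://www.dailymotion.com/video/xyz -
10.0.0.7 https://ads.example-marketplace.test/rtb?bid=43 https://www.dailymotion.com/video/xyz
10.0.0.7 https://img.legit-creative.test/banner.png https://ads.example-marketplace.test/rtb?bid=43
"""

AD_HOSTS = {"ads.example-marketplace.test"}  # assumed RTB marketplace host(s)

def host(url):
    return urlsplit(url).hostname or ""

def reconstruct_chains(log_text, ad_hosts=AD_HOSTS):
    """Per client, link each request to its Referer and return every hostname
    chain that starts at an ad host. Referers stripped by the browser or the
    redirector break a chain; that is a known gap of this approach."""
    parent, cited = {}, set()
    for line in log_text.splitlines():
        client, url, ref = line.split()
        parent[(client, url)] = None if ref == "-" else ref
        if ref != "-":
            cited.add((client, ref))
    chains = []
    for (client, url) in parent:
        if (client, url) in cited:
            continue  # not a leaf request
        chain, cur = [], url
        while cur is not None:  # walk back to the root or an unlogged referer
            chain.append(host(cur))
            cur = parent.get((client, cur))
        chain.reverse()
        for i, h in enumerate(chain):
            if h in ad_hosts:
                chains.append(chain[i:])
                break
    return chains

def flag_suspicious(chains, min_hops=3, tld=".eu"):
    """Chains with at least min_hops redirections ending on the campaign's TLD."""
    return [c for c in chains if len(c) - 1 >= min_hops and c[-1].endswith(tld)]
```

A chain such as the marketplace host redirecting through two intermediaries to a .eu landing page is flagged, while an ad call that resolves directly to a creative is not.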


  • (Score: 3, Interesting) by Anonymous Coward on Wednesday December 09 2015, @02:29PM

    by Anonymous Coward on Wednesday December 09 2015, @02:29PM (#273939)

    It's about time that advertising networks are held responsible for the malware they distribute. Retroactive action is not sufficient; they should be required to proactively filter anything malicious out. Failure to do so should be considered criminal negligence.

    • (Score: 3, Insightful) by Whoever on Wednesday December 09 2015, @05:08PM

      by Whoever (4524) on Wednesday December 09 2015, @05:08PM (#274007) Journal

      > It's about time that advertising networks are held responsible for the malware they distribute

      Responsible? Hah! These are the same people who get annoyed at the use of ad blockers. The web sites and the ad networks still got paid for distributing the malware. A little thing like exploits against their target users should not get in the way of their revenue.

      Remember: you are the product, not the customer!

      • (Score: 2) by maxwell demon on Wednesday December 09 2015, @07:00PM

        by maxwell demon (1608) on Wednesday December 09 2015, @07:00PM (#274063) Journal

        I don't think a court would care much about what those people get annoyed at.

        --
        The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 2, Interesting) by Anonymous Coward on Wednesday December 09 2015, @02:39PM

    by Anonymous Coward on Wednesday December 09 2015, @02:39PM (#273943)

    Would it have affected those using adblockers?

  • (Score: 0) by Anonymous Coward on Wednesday December 09 2015, @02:41PM

    by Anonymous Coward on Wednesday December 09 2015, @02:41PM (#273946)

    If I own a home and regularly allow criminals to sleep in the next room while you visit, it is my fault, at least in some way, when they cut your throat.

    • (Score: 1, Touché) by Anonymous Coward on Wednesday December 09 2015, @05:19PM

      by Anonymous Coward on Wednesday December 09 2015, @05:19PM (#274014)

      And what if you didn't know the guy in the next room was liable/likely to do that? There's a difference, and it applies in this case.

  • (Score: 5, Informative) by FatPhil on Wednesday December 09 2015, @02:47PM

    by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday December 09 2015, @02:47PM (#273949) Homepage
    This is the exploit: Flash CVE-2015-7645. Remember, kids, if you run arbitrary code from untrusted sources, you're as good as pwned.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 5, Funny) by E_NOENT on Wednesday December 09 2015, @02:59PM

    by E_NOENT (630) on Wednesday December 09 2015, @02:59PM (#273953) Journal

    I use adblock. uBlock. Privacy Badger. CatBlock. Ghostery. Tor. NoScript. And a bunch of other privacy guard plugins you probably never heard of.

    I browse the web using a chrooted jail (inside a one-time use, stripped-down, throwaway OpenBSD VM) with an automated, scripted combination of WWW::Mechanize, curl, netcat, wget, 'strings,' and eLinks. I use a variety of increasingly specific HTML parsers to guarantee valid HTML, strip all tags, remove javascript, hyperlinks to one-pixel GIF trackers, inlined ad content, and references to Donald Trump.

    I use /etc/hosts extensively to avoid bad sites:

    bash-4.2$ grep 127.0.0.1 /etc/hosts| wc -l
    743982

    (I use several custom, transient, cloud-based, anonymized web crawlers to help me continually add to this file.)

    All downloaded files are piped successively through an ASCII character filter (only ASCII codes 65-127 accepted), an antivirus mechanism, a spellchecker, a grammar checker, and a pretty printer. The output is then securely copied to another throwaway VM on another machine where the page is automatically opened in read-only mode in TECO. After reading a single page, all VMs are destroyed, and a low-level format is executed on the partition holding them. My main machines are all powered down for one full minute (to avoid any cold boot attacks) and restarted.

    What am I missing?

    --
    I'm not in the business... I *am* the business.
    • (Score: 2, Funny) by Anonymous Coward on Wednesday December 09 2015, @03:04PM

      by Anonymous Coward on Wednesday December 09 2015, @03:04PM (#273956)

      You ask "What am I missing?". I'm inclined to say "a tinfoil cap".

      • (Score: 2, Funny) by Anonymous Coward on Wednesday December 09 2015, @04:00PM

        by Anonymous Coward on Wednesday December 09 2015, @04:00PM (#273970)

        Don't accept a tinfoil cap. Demand unlimited tinfoil.

    • (Score: 1, Touché) by Anonymous Coward on Wednesday December 09 2015, @03:20PM

      by Anonymous Coward on Wednesday December 09 2015, @03:20PM (#273958)

      Life, since you seem to have excess free time.

    • (Score: 2, Informative) by Anonymous Coward on Wednesday December 09 2015, @03:39PM

      by Anonymous Coward on Wednesday December 09 2015, @03:39PM (#273963)

      What am I missing?

      Well, if you're only using ASCII codes 65-127 I'd say you're missing numbers, lots of punctuation, and the very important '<' & '>' that identify html tags.

      • (Score: 0) by Anonymous Coward on Thursday December 10 2015, @03:59AM

        by Anonymous Coward on Thursday December 10 2015, @03:59AM (#274258)
        The space character too.
    • (Score: 5, Funny) by GreatAuntAnesthesia on Wednesday December 09 2015, @03:40PM

      by GreatAuntAnesthesia (3275) on Wednesday December 09 2015, @03:40PM (#273964) Journal

      > What am I missing?

      I implanted a miniature webcam in your dog.

    • (Score: 0) by Anonymous Coward on Wednesday December 09 2015, @03:41PM

      by Anonymous Coward on Wednesday December 09 2015, @03:41PM (#273965)

      Ctrl+F; Faraday
      0 matches

      I hope you enjoy getting infected across that air-gap!

    • (Score: 1) by jimtheowl on Wednesday December 09 2015, @04:04PM

      by jimtheowl (5929) on Wednesday December 09 2015, @04:04PM (#273972)

      "What am I missing?"

      You're using bash.

      ;)

    • (Score: 4, Funny) by FatPhil on Wednesday December 09 2015, @04:17PM

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday December 09 2015, @04:17PM (#273977) Homepage
      > What am I missing?

      Comedic subtlety
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 2) by Gravis on Wednesday December 09 2015, @04:20PM

      by Gravis (4596) on Wednesday December 09 2015, @04:20PM (#273979)

      > I use adblock. uBlock. Privacy Badger. CatBlock. Ghostery. Tor. NoScript. And a bunch of other privacy guard plugins you probably never heard of.

      > I browse the web using a chrooted jail (inside a one-time use, stripped-down, throwaway OpenBSD VM) with an automated, scripted combination of WWW::Mechanize, curl, netcat, wget, 'strings,' and eLinks. I use a variety of increasingly specific HTML parsers to guarantee valid HTML, strip all tags, remove javascript, hyperlinks to one-pixel GIF trackers, inlined ad content, and references to Donald Trump.
      > ...
      > What am I missing?

      probably, your medication because that is overkill. disabling flash and installing uBlock and Privacy Badger is enough to get the job done.

      • (Score: 2) by LoRdTAW on Wednesday December 09 2015, @10:06PM

        by LoRdTAW (3755) on Wednesday December 09 2015, @10:06PM (#274138) Journal

        Humor eludes you.

        • (Score: 2) by HiThere on Wednesday December 09 2015, @11:52PM

          by HiThere (866) on Wednesday December 09 2015, @11:52PM (#274167) Journal

          To be fair, there wasn't that much humor there to be found.

          --
          Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 2) by xav on Thursday December 10 2015, @12:31AM

      by xav (5579) on Thursday December 10 2015, @12:31AM (#274176)

      At last! We have finally found the last user of the Mosaic web browser.

  • (Score: 0) by Anonymous Coward on Wednesday December 09 2015, @04:38PM

    by Anonymous Coward on Wednesday December 09 2015, @04:38PM (#273992)

    This would not be a thing if ad networks prohibited Flash and JS.

    I guess redirects can hide nasty stuff, so the browser has to feel confident in blocking that stuff. (Implying the website should degrade gracefully in that case as well.)

    • (Score: 2) by takyon on Wednesday December 09 2015, @06:20PM

      by takyon (881) <{takyon} {at} {soylentnews.org}> on Wednesday December 09 2015, @06:20PM (#274043) Journal

      Get enough people to run adblockers/noscript/umatrix and you can be sure they will start serving up static ads through the web servers. I'm surprised we don't see more of it.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 0) by Anonymous Coward on Wednesday December 09 2015, @07:05PM

        by Anonymous Coward on Wednesday December 09 2015, @07:05PM (#274067)

        You can't really do real-time bidding if you serve from the same web-server.

        I think it should be possible to do real-time bidding without JS, but I may be mistaken.

        I have noticed that Privacy Badger seems to disable ads: implying that real-time bidding does not work without tracking.

        • (Score: 2) by takyon on Wednesday December 09 2015, @08:01PM

          by takyon (881) <{takyon} {at} {soylentnews.org}> on Wednesday December 09 2015, @08:01PM (#274093) Journal

          I bet some sites are capable of doing it. Like the bigger ones, or ones with more reliable hosting (Amazon?)

          And if it's JS you want, you can run it on the server now [wikipedia.org]!

          More to the point, static ought to be an obvious fallback. Even if it's not in real-time and has less tracking potential, it's better than nothing.

          --
          [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
        • (Score: 2) by sjames on Wednesday December 09 2015, @08:56PM

          by sjames (2882) on Wednesday December 09 2015, @08:56PM (#274112) Journal

          So? It hasn't killed advertising in newspapers, magazines, on TV, billboards, public buses, tee shirts, cars, toilets, walls everywhere, on soundly sleeping dogs, people's faces, etc.

          If they can't do it safely and responsibly, then they can't do it.

  • (Score: 0) by Anonymous Coward on Wednesday December 09 2015, @09:55PM

    by Anonymous Coward on Wednesday December 09 2015, @09:55PM (#274132)

    As they said, adblockers killing teh internets! Don't use adblockers! You are perfectly safe without adblockers, as paid professionals review each ad!

  • (Score: 0) by Anonymous Coward on Wednesday December 09 2015, @10:08PM

    by Anonymous Coward on Wednesday December 09 2015, @10:08PM (#274139)

    A while back, I read about malware trying to detect if it was running in a VM and if so, it assumed it was in a researcher's sandbox and would not detonate its payload. My thought was "This is awesome, they have outsmarted themselves...we just need to make our machines appear to be sandboxes and they will be invulnerable."

    • (Score: 3, Interesting) by acharax on Thursday December 10 2015, @02:00AM

      by acharax (4264) on Thursday December 10 2015, @02:00AM (#274201)

      This actually works against some crypto malware that checks for Sandboxie and VirtualBox services/executables and refuses to run if they are present. It can however backfire because there's also boobytrapped malware that will launch a destructive payload specifically when it is run in such a context so as to thwart analysis.

      Some older bots (2008-2009) used to check for certain files in the drive root to determine whether a system was already infected.

  • (Score: 0) by Anonymous Coward on Thursday December 10 2015, @06:47PM

    by Anonymous Coward on Thursday December 10 2015, @06:47PM (#274576)

    When malware meant that you'd have an ambulance driving around your screen?

    • (Score: 0) by Anonymous Coward on Thursday December 10 2015, @08:17PM

      by Anonymous Coward on Thursday December 10 2015, @08:17PM (#274610)

      No, I remember the days when malware would corrupt your file system.