Stories
Slash Boxes
Comments

SoylentNews is people

Submission Preview

Link to Story

Millions exposed to malvertising that hid attack code in banner pixels

Accepted submission by Fnord666 at 2016-12-08 12:43:01
Security

Fnord666 [soylentnews.org] writes:

Author Dan Goodin at Ars Technica has an interesting article about a malvertising campaign [arstechnica.com] that set new levels for sneakiness.

Millions of people visiting mainstream websites over the past two months have been exposed to a novel form of malicious ads that embed attack code in individual pixels of the banners.

Researchers from antivirus provider Eset said "Stegano," as they've dubbed the campaign, dates back to 2014. Beginning in early October, its unusually stealthy operators scored a major coup by getting the ads displayed on a variety of unnamed reputable news sites, each with millions of daily visitors. Borrowing from the word steganography—the practice of concealing secret messages inside a larger document that dates back to at least 440 BC—Stegano hides parts of its malicious code in parameters controlling the transparency of pixels used to display banner ads. While the attack code alters the tone or color of the images, the changes are almost invisible to the untrained eye.

The malicious script is concealed in the alpha channel that defines the transparency of pixels, making it extremely difficult for even sharp-eyed ad networks to detect. After verifying that the targeted browser isn't running in a virtual machine or connected to other types of security software often used to detect attacks, the script redirects the browser to a site that hosts three exploits for now-patched Adobe Flash vulnerabilities.

"We can say that even some of the other major exploit kits, like Angler and Neutrino, are outclassed by the Stegano kit in terms of referrals—the websites onto which they managed to get the malicious banners installed," Eset researchers wrote in a report published Tuesday. "We have observed major domains, including news websites visited by millions of people every day, acting as 'referrers' hosting these advertisements. Upon hitting the advertising slot, the browser will display an ordinary-looking banner to the observer. There is, however, a lot more to it than advertising."

Eset has an article [welivesecurity.com]that digs into the technical details of the exploit and the mechanisms it uses to perform its attack.

Finally, Eset competitor Malwarebytes also has a take on this malware [malwarebytes.com] that ties it back to a group known as AdGholas.

Original Submission