Malvertising Attacks on Huffingtonpost, Yahoo, AOL Cyphort Labs has reported an uptick in drive-by-infection through malvertising in 2014 and sounded alarms for the web property owners regarding this emerging trend. We believe that this trend presents a significant cybersecurity challenge in 2015. In this session, we will discuss this increasing trend of drive-by attacks by dissecting examples of recent web infections, as well as share observed, sophisticated behavior of modern exploit pack and the challenges for research and discovery. As we present exploit kit information, trends and statistics from research derived from our Cyphort Crawler, you will gain an awareness and an understanding of these malvertising threats to better protect your site visitors from malware infection.

2. Malvertising
@belogor

3. Your speakers today
Nick Bilogorskiy
@belogor
Director of Security Research
Anthony James
VP of Marketing and Products

4. Agenda
o Malvertising explained
o Exploit Kits
o Case Studies
o Stats and Trends
o Wrap-up and Q&A
CyphortLabsT-shirt

5. Threat Monitoring &
Research team
________
24X7 monitoring for
malware events
________
Assist customers with
their Forensics and
Incident Response
We enhance malware
detection accuracy
________
False positives/negatives
________
Deep-dive research
We work with the
security ecosystem
________
Contribute to and learn
from malware KB
________
Best of 3rd Party threat
data

6. Malvertising is the use of online advertising to spread
malware.
Malvertising involves injecting malicious ads into
legitimate online advertising networks and web pages.
Anti-Malvertising.com
What is Malvertising

7. How Malvertising works
df
User
Visits a popular
website, gets infected
via exploit kit
Website
Serves a banner ad,
sometimes malicious
Attacker
Creates and injects malware
ads into advertising network
Advertising Network
Selects an ad based on
auction, sends to the website

8. Malvertising in the News

9. Malvertising history timeline
Speedtest.net ad
network OpenX
serves malware
ad
New York Times
“Vonage” banner
hijacked, installed
FakeAV
2007 2008 2009 2010 2011 2012 2013 2014
Malvertising
technique was
first identified
in Flash files
Malvertising uses
dynamic domain
names
HuffPo, LA
Weekly
malvertising
ads reach 1.5
Billion users

10. Poll Question #1
o How many ad impressions were driven by malvertising
in 2013?
o Over 10 million
o Over 1 Billion
o Over 10 Billion

11. Rise of Malvertising
OTA stats
• Malvertising increased 200%+ in
2013 to over 209,000 incidents,
generating 12.4B+ malicious ad
impressions.
Google stats
• Google filtered 524 million 'bad' ads
in 2014, and disabled 214,000
malware websites.
Cyphort stats
• Cyphort own data shows a 300%
malvertising growth in 2014

12. A
u
d
i
e
n
c
e
Online Advertising Complexity
o 5.3 Trillion online ads served, $100+ Billion dollars spent
A
d
v
e
r
t
i
s
e
r
s

13. Online Advertising Complexity
Karina Sanz
P
u
b
l
i
s
h
e
r
s
Agencies
Media Buying
Platforms
DSPs
Creative
Optimization
Data
Optimization
Ad OpsAd Servers
Ad Servers
Ad Exchanges
SSPs
Ad Networks
Sharing Data/
Social Tools
Data Suppliers
DMP’s and Data
Aggregators
Verification
Attribution
Analytics
Yield Optimization
Publisher Tools
A
u
d
i
e
n
c
e
A
d
v
e
r
t
i
s
e
r
s
The combination of technology and services that connect Advertisers with Publishers can be a complex process with
many parties involved.

14. Online Advertising Complexity
Karina Sanz
P
u
b
l
i
s
h
e
r
s
Agencies
Media Buying
Platforms
DSPs
Creative
Optimization
Data
Optimization
Ad OpsAd Servers
Ad Servers
Ad Exchanges
SSPs
Ad Networks
Sharing Data/
Social Tools
Data Suppliers
DMP’s and Data
Aggregators
Verification
Attribution
Analytics
Yield Optimization
Publisher Tools
A
u
d
i
e
n
c
e
A
d
v
e
r
t
i
s
e
r
s
Almost everyone of them vulnerable to malware injection

15. Online Advertising Complexity
TDBank has 11 calls to third-party servers
ESPN has 83 calls to third-party servers
TMZ.com has 352 calls …

16. Online Advertising Complexity: RTB

17. Techniques to avoid detection
o Enable malicious
payload after a delay
o Only serve exploits to
every 10th user
o Verifying user agents
and IP addresses
o HTTPS redirectors

18. What is an Exploit Kit
o Exploit kit is a delivery mechanism
for a variety of different types of
malware
o First exploit kit was WebAttacker
developed in 2006 and sold for
$20 dollars
secpod.org

19. o Exploit Kits infect you without a “click”
o Examples: Angler, Sweet Orange, Nuclear, RIG
Fox-it.com

20. Exploit Kits popularity
TrendMicro 2014 stats

21. Malvertising Case Studies

22. Clean.navy malvertising
© Copyright 2014 Cyphort, Inc. All rights reserved. Proprietary & Confidential
CLEAN.NAVY
Feb 25, 2015
Clean.navy subdomain is loading Angler
Exploit Kit with the exploit for CVE-2014-
6332 Windows OLE Automation Array
Remote Code Execution Vulnerability.
www.cyphort.com/dod-contractors-website-
clean-navy-serving-drive-exploits/
1 start www.***zone.info
2 redirect ads.adgoto.com
3 redirect shop.traditionalarrows.com
4 malware payload bolivi**e.clean.navy/lists/9***

23. AFFITURE malvertising
© Copyright 2014 Cyphort, Inc. All rights reserved. Proprietary & Confidential
AFFITURE
Jan 22, 2015
20+ websites were delivering malvertising via
affiliate.affyield.com using Angler exploit kit
and zero-day Flash CVE-2015-0311 exploit.
www.cyphort.com/affyield-com-serving-zero-
day-flash/
1 <infectedsite.biz> <infectedsite.biz>
2 redirect www.affyieldmb.com
3 redirect murzilka.eu
4 malware payload xxxxazot54moosa.in/xxx

24. GOPEGO malvertising
GOPEGO
Feb 4, 2015
gopego.com malvertising downloads
CryptoWall ransomware.
The attack serves an exploit package
embedded in a flash file, including exploits
which target four vulnerabilities. Among
them the notorious CVE-2015-0311 .
www.cyphort.com/gopego-malvertising-
cryptowall/

25. Huffington Post / AOL malvertising
© Copyright 2014 Cyphort, Inc. All rights reserved. Proprietary & Confidential
HUFFINGTONPOST
Jan 5, 2015
HuffPo, LA Weekly, WeatherBug and other
sites reaching 1.5 Billion users, were serving
malvertising via advertising.com and installing
Kovter malware.
www.cyphort.com/huffingtonpost-serving-
malware/
1 <infectedsite.biz> www.huffingtonpost.com
2 redirect advertising.com
3 redirect foxbusiness.com
4 malware payload Kuppicu.opoczno.pl:8080/books

26. HuffingtonPost malware – Kovter analysis
o Kovter is an ad-fraud Trojan (MD5 sum: A2A6A36C94D4FF5B42C346F3A3A49E7)
o Communication to C&C is RC4 encrypted and BASE64
encoded
o If it detects any indication of analysis tools, virtualization
and debugging tools,
o it will POST the following data to a16-kite.pw then and exit
o Else,
o it will post data to a16-car.biz and then it will wait for commands.
o The C&C server can issue the following commands:
o RUN – execute a file
o UPDATE – update itself
o RESTART
o FEED – Ad Fraud
o SLEEP

27. Crawler Trends and Stats
o 35% of the domains we found were infected
more than once (repeated infections)
o AskMen.com - Jun 2014
o Indowebster - Sep 2014
o ThePirateBay.se - Oct 2014
o HuffingtonPost.com, LAWeekly,
WeatherBug.com - Jan 2015

28. Poll Question #2
o On which day of the week is malvertising most active?
o Monday
o Wednesday
o Sunday
o All days equally

29. 0 100 200 300 400 500 600
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
Sunday
Day of the Week
Most attacks on Weekends

30. Malvertising chain length
o Varies from 1 to 15 redirectors, 3.8 on average.
0
50
100
150
200
250
300
350
1 2 3 4 5 6 7 8 9 10 12 13 15
Redirection chain length
Redirection chain length

31. Longest malvertising chain example: ArticleField.com
1. www.articlefield.com
2. w1ns.com
3. thfire.com
5. adsppperv.com
6. www.blog-hits.com
7. tracking1112.com
8. townsearchguides.com
9. tracki112.com
10. c.feed-xml.com
11. 109.206.188.72
12. 216.172.54.28
13. scriptforclick.com
15. spreadsheets.wiaawy.eu
14. dealsadvlist.com
4. www.thfire.com

32. Infected domains
0 200 400 600 800 1000 1200 1400 1600 1800 2000
fr
de
tv
it
info
ir
ru
org
net
com
Infected TLDs
Russia
1%
Austria
1%
Thailand
1% Ukraine
1%
Korea
2%
Hong
Kong
2%
Italy
2%
Canada
2%
China
2%
Spain
3%
EU
3%
Netherlands
4%UK
4%
France
6%
Germany
8%
US
59%
Infected Hosting
Country Origin

33. Payload domains
0 200 400 600 800 1000 1200
eu
vu
in
us
ua
biz
org
pl
net
com
Payload TLDs
Switzerland
1%
Canada
1% France
1%
Germany
2%
Korea
2% Russia
2%
UK
3% EU
5%
Turkey
11%
US
72%
Payload Hosting
Country Origin

34. Conclusions
o Advertising networks get millions of submissions, and it is
difficult to filter out every single malicious one.
o Attackers will use a variety of techniques to hide from
detection by analysts and scanners
o Advertising networks should use continuous monitoring –
automated systems for repeated checking for malware ads,
need to scan early and scan often, picking up changes in the
advertising chains.
o Ad networks should have the latest security intelligence to
power these monitoring systems.
o The risk increases on weekends and holidays.

35. Thank You!
Twitter: @belogor
Previous MMW slides on
http://cyphort.com/labs/
malwares-wanted/

36. References:
https://otalliance.org/system/files/files/resource/documents/report_-
_online_advertising_hidden_hazards_to_consumer_security_date_privacy_may_15_20141.pdf
https://blog.opendns.com/2014/06/12/ads-security-dont-mix
http://www.cyphort.com/huffingtonpost-infected-again/
http://adwords.blogspot.com/2015/02/fighting-bad-advertising-practices-on.html
http://in.reuters.com/article/2014/10/16/cybersecurity-military-idINKCN0I52D820141016
http://www.slideshare.net/ksanz15/understanding-the-online-advertising-technology-landscape
http://blog.fox-it.com/2014/08/27/malvertising-not-all-java-from-java-com-is-legitimate/
http://www.slideshare.net/mhmoo/us-digitalfutureinfocus2013-27520934
http://www.insideprivacy.com/files/2014/05/PSI-Report.pdf
http://blog.fox-it.com/2014/08/27/malvertising-not-all-java-from-java-com-is-legitimate/
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-evolution-of-
exploit-kits.pdf
http://secpod.org/blog/?p=1207