Category Archives: malvertising

FBI announces international cyberbusts: scareware peddlers and malvertisers taken out

Twenty years ago, people used to ask, “Why do virus writers do it?”

That was a tricky question to answer, since there was often little motivation beyond notoriety – being recognised in the counterculture as a virus writer.

These days, you can explain virus writing Jeopardy-style instead. (Jeopardy is a back-to-front US game show in which the quizmaster gives an answer, and the contestants win by giving a question which produces it.) Like this: “To make lots of money online from victims all over the world with very little effort.”

Now, the question people usually ask is, “It seems so easy to be a cybercrook – why don’t the police do something about it?” One answer is that evidence can be tricky to acquire, and jurisidiction tricky to establish, when doing something about cybercrime. A crook in Belgium can defraud someone in Australia via a malicious advert served from China which tricks them into a credit card transaction in Canada processed by a server in Finland.

Despite the technical and legal hassles, the cops sometimes do get their man – or men. The US federal police force, the FBI, just announced some important international success against two cybergangs.

The operation, codenamed Trident Tribunal, lead both to arrests and to the significant disruption of their criminal operations.

The first cybergang was allegedly responsible for selling scareware, better known as fake anti-virus software. I’m sure you’re familiar with it: a popup advises you you’re at risk; then a ‘free scan’ finds a raft of ‘threats’; and a cleanup button offers to fix your woes. But the cleanup isn’t free. So you pay up, and the ‘threats’ are ‘removed’. For now, anyway.

The FBI estimates that this group tricked nearly a million people into buying its fraudulent software. With a price point from $50 to $130 (depending on how many ‘extras’ the victim gets talked into), this netted them over $72,000,000.

The second cybergang provided malvertising services. This is a technique which lets you sneak adverts for fraudulent services – notably, for scareware – onto respectable websites. The group allegedly created a fake advertising agency, and gave themselves a fake commission from a hotel chain to buy online ads in a Minneapolis newspaper. The ads were approved by the newspaper, but the fake agency ran malverts instead.

According to the FBI, it looks as though just two guys were able to make more than $2,000,000 in that scam.

Given the global scale of cybercrime, this may seem like a small victory for law enforcement. But it is a victory nevertheless.

The really good news here is that the anti-cybercrime operations above saw the successful co-operation of law enforcement teams in twelve countries: USA, Ukraine, Latvia, Germany, Netherlands, Cyprus, France, Sweden, Lithuania, Romania, Canada, and the UK.

Now we know the answers.

“Why do virus writers do it?” Sadly, because they can hope for revenues of about $75 per ‘sale’ by peddling an online sack of lies to one million ‘customers’.

“Why don’t the police do something about it?” Happily, they do.



Share/Save

Compromised ads leading to TDSS rootkit infections

As we all know, compromised sites play an important role in web distributed malware, acting as the conduit, guiding user traffic to further malicious content. Sometimes, the attackers get lucky, and succeed in compromising a high profile, popular site. Another way to increase the number of users exposed to the attack is to compromise advertising content, thereby exposing all users of any 3rd party sites that happen to load the ads.

Late yesterday evening, we started to see evidence of such an attack – Sophos products were blocking certain ad content as Mal/Iframe-U.

Knowing that detection and what it looked for, I was pretty sure that the ad server of Campus Party was compromised.

Sure enough, I could see that in addition to the desired ads (for the July Campus Party event in Valencia), the content also contained malicious JavaScript (highlighted in yellow):

Not the first time I have seen an OpenX ad-server getting compromised, and I suspect it won’t be the last.

Deobfuscating the JavaScript reveals the payload. As our Mal/Iframe-U detection name suggests, it is an iframe to load further malicious content from a remote server.

This initiates the attack, triggering a chain of events summarised below:

  • ad content (pro-actively blocked as Mal/Iframe-U) silently loads content from the attack site.
  • user’s browser and browser plug-ins are inspected to determine most appropriate exploit content to load. For this a legitimate library is used.
  • exploit content (e.g. Mal/HcpExpl-A, Troj/Lifsect-A, Mal/ExpJS-M) is loaded in order to infect the user with malware. At the time of writing, the exploit site is currently serving up a rootkit which Sophos products detect as Mal/TDSSPack-AX.

As is typically the case for today’s web attacks, all of the script components used are heavily obfuscated in an attempt to thwart detection efforts and hinder analysis.

We have already informed those at Campus Party about this issue in order that they can get the malvertising attack cleaned up as soon as possible. In fact as I type, I can see that the ad server is already offline, presumably whilst they resolve the issue. Kudos to them for actioning this quickly!

As to the root cause of the compromise, I do not know exactly how the server was compromised. However, given history, my money would be on an out of date or unpatched version of OpenX.

Copyright © 2014. Powered by WordPress & Romangie Theme.