As you read these words, malicious ads on legitimate websites are targeting visitors with malware. But that malware doesn't infect their computers, researchers said. Instead, it causes unsecured routers to connect to fraudulent domains.
Using a technique known as steganography, the ads hide malicious code in image data. The hidden code then redirects targets to webpages hosting DNSChanger, an exploit kit that infects routers running unpatched firmware or are secured with weak administrative passwords. Once a router is compromised, DNSChanger configures it to use an attacker-controlled domain name system server. This causes most computers on the network to visit fraudulent servers, rather than the servers corresponding to their official domain.
Patrick Wheeler, director of threat intelligence for security firm Proofpoint, told Ars:
Millions of people visiting mainstream websites over the past two months have been exposed to a novel form of malicious ads that embed attack code in individual pixels of the banners.
Researchers from antivirus provider Eset said "Stegano," as they've dubbed the campaign, dates back to 2014. Beginning in early October, its unusually stealthy operators scored a major coup by getting the ads displayed on a variety of unnamed reputable news sites, each with millions of daily visitors. Borrowing from the word steganography—the practice of concealing secret messages inside a larger document that dates back to at least 440 BC—Stegano hides parts of its malicious code in parameters controlling the transparency of pixels used to display banner ads. While the attack code alters the tone or color of the images, the changes are almost invisible to the untrained eye.
The malicious script is concealed in the alpha channel that defines the transparency of pixels, making it extremely difficult for even sharp-eyed ad networks to detect. After verifying that the targeted browser isn't running in a virtual machine or connected to other types of security software often used to detect attacks, the script redirects the browser to a site that hosts three exploits for now-patched Adobe Flash vulnerabilities.