Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Advertising Security Java Privacy Software The Internet Technology

New Stegano Exploit Kit Hides Malvertising Code In Banner Pixels (bleepingcomputer.com) 207

An anonymous reader quotes a report from BleepingComputer: For the past two months, a new exploit kit has been serving malicious code hidden in the pixels of banner ads via a malvertising campaign that has been active on several high profile websites. Discovered by security researchers from ESET, this new exploit kit is named Stegano, from the word steganography, which is a technique of hiding content inside other files. In this particular scenario, malvertising campaign operators hid malicious code inside PNG images used for banner ads. The crooks took a PNG image and altered the transparency value of several pixels. They then packed the modified image as an ad, for which they bought ad displays on several high-profile websites. Since a large number of advertising networks allow advertisers to deliver JavaScript code with their ads, the crooks also included JS code that would parse the image, extract the pixel transparency values, and using a mathematical formula, convert those values into a character. Since images have millions of pixels, crooks had all the space they needed to pack malicious code inside a PNG photo. When extracted, this malicious code would redirect the user to an intermediary ULR, called gate, where the host server would filter users. This server would only accept connections from Internet Explorer users. The reason is that the gate would exploit the CVE-2016-0162 vulnerability that allowed the crooks to determine if the connection came from a real user or a reverse analysis system employed by security researchers. Additionally, this IE exploit also allowed the gate server to detect the presence of antivirus software. In this case, the server would drop the connection just to avoid exposing its infrastructure and trigger a warning that would alert both the user and the security firm. If the gate server deemed the target valuable, then it would redirect the user to the final stage, which was the exploit kit itself, hosted on another URL. The Stegano exploit kit would use three Adobe Flash vulnerabilities (CVE-2015-8651, CVE-2016-1019 or CVE-2016-4117) to attack the user's PC, and forcibly download and launch into execution various strains of malware.
This discussion has been archived. No new comments can be posted.

New Stegano Exploit Kit Hides Malvertising Code In Banner Pixels

Comments Filter:
  • by rmdingler ( 1955220 ) on Tuesday December 06, 2016 @08:34PM (#53437233) Journal
    Would you kindly disable Adblocker while visiting our site?

    Not no, hell no.

    • by wbr1 ( 2538558 )
      That is an interesting way to say fuck you. Wish I had good options for ad blockers on Android. (Shut up APK)
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        That is an interesting way to say fuck you. Wish I had good options for ad blockers on Android. (Shut up APK)

        Firefox mobile for Android allows the ublock origin or adblocker plus extensions! It's the only way to surf. (no root needed)

        • by johanw ( 1001493 )

          Yes but there is more than ads in the browser. If you root your android you can install something like disable service and disable the ad and analytic services in Google Play Services, which will also get rid of most ads in apps.

      • If your device is rooted, just install AdAway + something like NoRoot Firewall. Block ads, decide which apps can connect to either the data or wifi (with bonus pre and post filtering options you can apply that are based on IP as well).

        • How is the performance on NoRoot Firewall? I used to use DroidWall, which is a frontend for iptables, but it hasn't been updated in years and I'm not sure it works properly on newer versions of Android.

    • This. When I find a site that asks to unblock advertisement and scripts, I simply go to another site.
  • Yeah but... (Score:5, Funny)

    by fustakrakich ( 1673220 ) on Tuesday December 06, 2016 @08:34PM (#53437237) Journal

    If you block the ad, you're a thief.

    • Re: Yeah but... (Score:3, Insightful)

      by Anonymous Coward

      I assume it's sarcasm... but that line does piss me off. Fucking short sighted ignorant pricks telling me to be subservient and just take this shit.

      People with DVRs aren't thiefs some how. Or people who mute their tv while ads are playing?

      • If I had mod, I'd +1, Insightful.

      • Re: (Score:3, Informative)

        How I choose to display the data on my screen is my business.

        • Re: (Score:3, Interesting)

          by geekmux ( 1040042 )

          How I choose to display the data on my screen is my business.

          And how they deliver data to your screen for free is their business.

          • Not my fault their business model is not profitable.

            • by Jeremi ( 14640 )

              Not my fault their business model is not profitable.

              Not their fault your web browser is insecure?

          • by Win0ver ( 613215 )

            And how they deliver data to your screen for free is their business.

            Should they then be liable when their ads serve malware/viruses?

      • by tlhIngan ( 30335 )

        People with DVRs aren't thiefs some how. Or people who mute their tv while ads are playing?

        They aren't. People who skip ads simply are marked as not watching the ad. Not watching the ad reduces a programs "C" rating, which means the program's ad rates go down (less eyeballs == less money). Programming budget is a fraction of the ad money it makes so it has to adapt.

        Ratings you see and hear on the news about a program are one of three - SD (same day), SD+3 (Same Day + 3 days later) or SD+7. These are basical

        • At least normal TV advertising has no way to run suspicious codes and install malware on your TV setup. The problem is not exactly the advertising itself, the problem is the shit they insert into the advertisement and that makes mandatory for you to block it.
          • in theory you could send a malformed signal to the TV. A while back there was a PNG exploit that caused an overflow of the displaying program to run code.

            Since most TV streams are compressed though I'm not sure if this would be viable in the real world.

        • That's why DVR users aren't thieves - in the end, the programming they like gets cancelled, so in the end they just hurt themselves in the long run.

          That assumes they would have watched the same shows with ads. I can honestly say that I wouldn't, because in 2001 I canceled my cable completely because I found US TV unwatchable because of the ads. It wasn't until four or five years later that I "came back", and that was a combination of my soon-to-be wife wanting TV, and me requiring we have a DVR as part of

      • they tested making that compulsory. but the buggers just stopped turning the tv on in the first place. which would cause problems for government sponsored brainwashing programs.

    • Re:Yeah but... (Score:5, Insightful)

      by UnknownSoldier ( 67820 ) on Tuesday December 06, 2016 @09:10PM (#53437355)

      Actually the ad is stealing MY bandwidth.

      So kindly fuck off your with your trojan pixels.

      • Advertisements in magazines and newspapers take up pages, which make them heavier. It takes extra energy to carry the extra weight, and making the extra energy requires extra food. Advertisements steal the food from my mouth!
        Get real.
    • Re:Yeah but... (Score:5, Interesting)

      by hairyfeet ( 841228 ) <bassbeast1968&gmail,com> on Wednesday December 07, 2016 @12:04AM (#53437997) Journal

      I have the perfect comeback to those ignorant fucks..."Are YOU gonna accept responsibility and pay for any and all damages if your site serves malware? No? Then you are knowingly aiding and abetting malware vendors, kindly fuck off".

      If they want to be treated like legitimate businesses? Then they have to accept the responsibility legitimate businesses have. If a business doesn't secure their premises and cause harm to their patrons? They are responsible for the clean up, look at the mounds of money TJ Maxx and Target had to pay for their lack of security, but these websites want us to treat them as legitimate businesses show the same lack of responsibility as some fly by night topsite? Sorry can't have your cake and eat it too, either you have the same responsibilities as a real business or you don't deserve any more consideration than a cracksite or any other dodgy place on the wild web.

      • Re: (Score:3, Insightful)

        Nothing we say is going to change a thing. It's best to just block them and move on. Let it be their problem.

        • Nothing we say is going to change a thing. It's best to just block them and move on. Let it be their problem.

          Actually, what would be best would be to make websites criminally liable if they deliver a malicious ad to your PC. That'll get people working on securing their networks, and make most ad networks dry up in a hurry after serving as a source of revenue.

          • Actually, what would be best would be to make websites criminally liable if they deliver a malicious ad to your PC.

            Yeah, we could do that, but personally, I hold the operating system responsible. I don't care how malicious the code is, the OS should run in protected ROM. So if we're going to start suing people, let's start with Microsoft and Apple, unless of course they decide to open up the source code... Going after the websites is a slippery slope, subject to political opinions as to what is "malicious".

            • Sigh....how to write a Linux virus in 5 easy steps using the same tricks malware uses [geekzone.co.nz], BTW wanna guess what kernel hosts the OS that has surpassed Windows in infections [nasdaq.com] and has for over 5 years? That's right sparky LINUX.

              So your vaunted "source" means absolutely nothing, its classic security by obscurity. wanna guess how much of your average Linux distro is actually vetted, as reported a couple years back by a scan of github access by a security firm? Less than 2%, that is all, the other 98% hadn't been tou

              • Yeah but... That' not really what I'm talking about. It's that nobody will sue you if you distribute a fix for a Linux flaw, not even Linus, as far as I can tell. Since we don't have that luxury with MS or Apple, we should be able to hold them responsible for their screw ups. The point is that they should either fix it, or let somebody else do it. There should be consequences for locking us out.

                Regardless, the OS, no matter whose, should be protected inside of ROM.

          • Let me expand on that a bit. If there were to be a law that makes blocking illegal, then yes we should be able to sue those who host malware. But since we can easily block it, then I don't see the need for that. The weak point is in the OS. That's their attack vector, it should be ours too

    • Darn, you made me feel so guilty! ;)

      But I don't block ads, I just run NoScript. If they can't make ads that work without javascript, that's their problem. And any ad network that lets advertisers bundle javascript is incompetent or evil or both. It's called a "malware distribution network", not an ad network.

  • I'm going to much more efficient. "Avoid the middleman! Download this malware, straight from me to you!"
  • by swb ( 14022 ) on Tuesday December 06, 2016 @09:02PM (#53437333)

    First of all, Jesus H. Chist, I'm continually amazed at the lengths people will go and the sheer brainpower employed in malware and hacking generally. I've gotten to the point where I go to hang a towel over the mirror in the bathroom because I'm worried someone has hacked the mirror and then figure, fuck it, they probably also hacked the towel.

    Secondly, is this level of malware sophistication evidence that there's economic stagnation?

    I'm assuming this is software designed to create botnets or measly bank account info or whatnot and the author(s) make some money but not griping about the lack of space for their megayacht next season at Monaco kinds of money.

    Is the fact that people do this kind of really clever shit for more or less ordinary income, is it proof that the economy is in some way broken? I would think that people this smart, in a functional economy, would be in real demand to do productive economy kinds of things.

    • A question to the readers: I've been trying to view this online comic [platinumgrit.com] for awhile now.

      The problem is, the comic itself is written in Flash, and I can't think of any way to enable flash without downloading all the Adobe crap, or installing a browser extension that's horribly unsafe to use. My best guess is to do all this in a separate VM specifically tuned to do this one task, and then delete it when done.

      Make an entire system specific to reading one website? That seems like a lot of work.

      Is there some sort o

    • First of all, Jesus H. Chist, I'm continually amazed at the lengths people will go and the sheer brainpower employed in malware and hacking generally. I've gotten to the point where I go to hang a towel over the mirror in the bathroom because I'm worried someone has hacked the mirror and then figure, fuck it, they probably also hacked the towel.

      Thanks for that laugh. The analogy was rather hilarious. Now I think I'll have a good cry over the reality of it.

      Secondly, is this level of malware sophistication evidence that there's economic stagnation?...Is the fact that people do this kind of really clever shit for more or less ordinary income, is it proof that the economy is in some way broken?

      Yes, perhaps it is. Another example would be the evolution of ransomware. Started out as a rather brilliant idea from a hacking standpoint to extort humans for more or less ordinary income.

      I would think that people this smart, in a functional economy, would be in real demand to do productive economy kinds of things.

      Across history, countless times we've caught ourselves laughing at how much more con artists could earn by walking the legal line instead of the life of crime. That said, this economy rewards the world's g

    • by Anonymous Coward

      Secondly, is this level of malware sophistication evidence that there's economic stagnation?

      I'm assuming this is software designed to create botnets or measly bank account info or whatnot and the author(s) make some money but not griping about the lack of space for their megayacht next season at Monaco kinds of money.

      Is the fact that people do this kind of really clever shit for more or less ordinary income, is it proof that the economy is in some way broken? I would think that people this smart, in a functional economy, would be in real demand to do productive economy kinds of things.

      A problem solved by software can often be copied for essentially zero. The initial cost may be relatively high, but let's say ordinary salary numbers, particularly in foreign countries, so what in the $30k range... If they can infect say 30k computers say 4 times a year. The computers could easily be different... That yields needing to make roughly, on average, $0.25 a computer. There is a lot of hand waving there, but I assume most of it is purely the economies of scale. Also, once a vulnerability is

    • Interesting point of view. It might also be proof that software quality has improved a lot, and there aren't so many 'normal' holes to drive through anymore...

    • Malware nowadays is not written by some script kiddie in his parent's basement. Malware creation is funded by crime rings in third-world countries who employ developers to analyze known exploits and code-hiding techniques, and hence the malware attacks are very sophisticated. This is what I say to various relatives who come and say their computer "is so slow it must have a virus". Modern malware tries to be as stealthy as possible, so slowing down your PC is the last thing they want to do. But that Avast ho
      • PS: Does Google ads filter the malicious JS code?

        Doubtful. the code was only the key and transform function, the payload was the transparency data of the image its self.
        I'm sure they're going to start blocking it now, but there is no way they would have caught this in a normal screening.

    • by gtall ( 79522 )

      I don't think the economy is broken, well, it might be but even if it were 100% healthy, we'd still have these people. Mostly, they are people who do not fit into companies working for someone else. They are freelancers. They do not have what it takes to start their own legitimate company. In the past, we'd call them pickpockets or snake oil salesmen or in some cases, politicians. The intertubes are just vehicles for them. If they weren't doing it there, they'd find some other form of criminal vice. Their l

      • by swb ( 14022 )

        I get that we'd always have people at the margin who have above average intelligence but otherwise to fit into a worker mold and wind up as criminals of varying levels of success. Usually, though, they seem to suffer from various other pathologies -- substance abuse, psychological defects, the kind of panoply of sociological misintegration that limits not only their legitimate success but their ability to make even life below the line very successful.

        Maybe there's just a correlation between high levels of

    • by Jeremi ( 14640 )

      Is the fact that people do this kind of really clever shit for more or less ordinary income, is it proof that the economy is in some way broken?

      The economy undoubtedly is broken in many ways, but I think exploits like this are less about the economy and more about programmers getting bored and wanting to show off how clever they are; and if they can also make some money doing it, so much the better.

    • My guess is that most of these scams bring in revenue in the 1000's or tens of 1000's so certainly well below the "griping about the lack of space for their megayacht next season at Monaco". But remember that in some parts of the world, coding is cheap and what we might think of as a low income wage goes a long way.
  • Banner ads are still a thing? I haven't seen one in years. Guess those ad blockers are paying off.
  • Not really an issue for me as this one of the reasons I use an ad blocker. The part I found mind boggling is "a large number of advertising networks allow advertisers to deliver JavaScript code with their ads". That is just plain wrong. How can any website sell advertising with a clear conscious if they are going to allow effectively unknown people to run code on their visitor's PCs?
    • The major issue is that HTML5 could have been replaced FLASH if they would have come up with some decent features. But that committee decided to focus on all kinds of side-issues that no one was interested in. So in order to do something FLASH like, Javascript is needed.
      • Yeah, but the whole point is to PREVENT anyone from doing something "Flash like". We don't want programmable ads -- that's untrusted code. If you can't communicate your ad with a static image, a video, and a "click for more info" link, you need a better ad dept... if your product is so bad that the only way you can get people to buy it is with invasive advertising, maybe the world is better off without your doohickey.
        • If you can't communicate your ad with a static image, a video

          A scripted vector animation has a smaller file size (and thus costs you less to view in overage fees payable to your ISP) than the equivalent H.264 or VP8 video. But I don't see how a scripted vector animation of considerable complexity can be done with CSS transitions alone. It's usually script writing to a canvas or script manipulating CSS element styles or SVG paths.

        • by Altrag ( 195300 )

          maybe the world is better off without your doohickey

          That's kind of the point. If the world actually needed a zebra scented butt razor, they wouldn't have to resort to shitty ads in the first place, and when you've got no real selling features your best option is to just shove your shit in everyone's face. They all want to make a buck, whether they deserve to or not.

          And they should be free to try to make a buck. But we should also be free to tell them to piss off. Unfortunately the world these days seems to value corporate freedom far more than individual

  • For all reasons mentioned and past exploits I can see cruising the internet through a VM becoming very popular. Especially since some new NAS are coming with the ability to run a VM.

    • by Altrag ( 195300 )

      Not likely:
      a) At best, you've just moved the problem to securing the host system. Which if you're running a bare metal VM like ESXi or Hyper-V is certainly easier than securing an entire OS that needs to explicitly allow userland programs to do arbitrary things. But its not a null issue.

      b) VMs would need to become far, far less annoying to use. Basically until such time that OS's do something like load every single app into its own sandbox, invisible to the user, this won't happen on any sort of large sc

      • Microsoft's Virtual PC gave us "B" before they abandoned the whole idea in favor of Hyper-V. As for "C" people already intentionally lose date through things like FF's "incognito" mode. The stuff they want to keep usually ends up in the cloud anyway where stronger security measures can be applied.

        • by Altrag ( 195300 )

          Virtual PC gave us "B"

          I don't recall that being significantly easier to setup than say VMWare Player. Perhaps a bit better but you still had to do things like install your guest OS, configure hardware devices and so on. Definitely not simple enough to be considered invisible to the user.

          XP Mode was getting closer from that aspect.. if running Word or IE just magically loaded into a sandbox then we'd be getting closer to what I'm referring to, though that's got all of its own challenges as noted.

          people already intentionally lose date through things like FF's "incognito" mode

          Some people do. For some speci

  • And this isn't illegal?
  • Is BleepingComputer the latest Medium.com? Because it seems like every time I come to Slashdot there's yet another story from that site...

  • The summary was missing details, but this link explains a bit more.

    http://www.welivesecurity.com/... [welivesecurity.com]

    At least you'll know how it works. Also, go down to the list and see if you have at least one of those security products and it'll skip the payload. :)

  • by Anonymous Coward

    ...reading at, "This server would only accept connections from Internet Explorer users." Now feeling smug.

    • by Anonymous Coward

      Don't be. The reason the "Nigerian princes" all speak in terrible English isn't because they can't type, or can't hire someone who can. Getting their advert in front of your eyes is the easy part. They want to ring all the alarms that smart people have, so that they don't waste their time trying to scam smart people. This is much the same. Focus on the small part of the internet that makes for good food, and filter out the rest.

  • a large number of advertising networks allow advertisers to deliver JavaScript code with their ads

    Third-party code. 'Nuff said.

  • by Anonymous Coward

    Fine the ad creator. Can't find him? Fine the ad provider. Can't find him? Fine the owner of the site itself.

    I want fines and I want jail time for malvertising. Heads must roll. This has gone on long enough.

  • "This server would only accept connections from Internet Explorer users. The reason is that the gate would exploit the CVE-2016-0162 vulnerability that allowed the crooks to determine if the connection came from a real user or a reverse analysis system employed by security researchers."

    The reason it only targets Internet Explorer is that the exploit only works on Microsoft windows.
  • by Gunstick ( 312804 ) on Wednesday December 07, 2016 @07:42AM (#53439087) Homepage

    And that technique can go way further.
    https://www.youtube.com/watch?... [youtube.com]

  • Miranda

The game of life is a game of boomerangs. Our thoughts, deeds and words return to us sooner or later with astounding accuracy.

Working...