New Stegano Exploit Kit Hides Malvertising Code In Banner Pixels (bleepingcomputer.com)
An anonymous reader quotes a report from BleepingComputer: For the past two months, a new exploit kit has been serving malicious code hidden in the pixels of banner ads via a malvertising campaign that has been active on several high-profile websites. Discovered by security researchers from ESET, this new exploit kit is named Stegano, from the word steganography, which is a technique of hiding content inside other files. In this particular scenario, malvertising campaign operators hid malicious code inside PNG images used for banner ads. The crooks took a PNG image and altered the transparency value of several pixels. They then packed the modified image as an ad, for which they bought ad displays on several high-profile websites. Since a large number of advertising networks allow advertisers to deliver JavaScript code with their ads, the crooks also included JS code that would parse the image, extract the pixel transparency values, and using a mathematical formula, convert those values into a character. Since images have millions of pixels, crooks had all the space they needed to pack malicious code inside a PNG photo. When extracted, this malicious code would redirect the user to an intermediary URL, called gate, where the host server would filter users. This server would only accept connections from Internet Explorer users. The reason is that the gate would exploit the CVE-2016-0162 vulnerability that allowed the crooks to determine if the connection came from a real user or a reverse analysis system employed by security researchers. Additionally, this IE exploit also allowed the gate server to detect the presence of antivirus software. In this case, the server would drop the connection just to avoid exposing its infrastructure and trigger a warning that would alert both the user and the security firm. If the gate server deemed the target valuable, then it would redirect the user to the final stage, which was the exploit kit itself, hosted on another URL.
The Stegano exploit kit would use three Adobe Flash vulnerabilities (CVE-2015-8651, CVE-2016-1019 or CVE-2016-4117) to attack the user's PC, and forcibly download and launch into execution various strains of malware.
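The summary says the loader script read pixel transparency values and turned them into characters. From the defender's side, the same property is what gives such a creative away: banner art almost never uses more than a handful of alpha values, while an alpha channel used as a carrier holds many distinct intermediate values that happen to decode to text. The following is an added example, not code from ESET, BleepingComputer or the campaign; the alpha-to-byte mapping (255 - alpha), the thresholds and the sample banners are constructed assumptions, since the report only mentions "a mathematical formula".

```python
import math
import string
from collections import Counter

PRINTABLE = set(string.printable)

def alpha_values(pixels):
    """Alpha component of each (r, g, b, a) pixel, in scan order."""
    return [a for (_r, _g, _b, a) in pixels]

def alpha_stats(alphas):
    """Describe how an image uses its alpha channel: ordinary banner art is
    almost all fully opaque (255) or fully transparent (0), while a carrier
    holds many distinct intermediate values with near-random distribution."""
    partial = [a for a in alphas if 0 < a < 255]
    counts = Counter(partial)
    m = len(partial)
    entropy = -sum((c / m) * math.log2(c / m) for c in counts.values()) if m else 0.0
    return {"partial_fraction": m / len(alphas),
            "distinct_partial": len(counts),
            "entropy_bits": entropy}

def decode_alpha(alphas, mapping=lambda a: 255 - a):
    """Recover the byte each intermediate alpha value would carry under a
    constructed stand-in mapping (255 - alpha; the real formula is not on
    the page). Returns (decoded_text, printable_fraction)."""
    text = "".join(chr(mapping(a)) for a in alphas if 0 < a < 255)
    printable = sum(1 for ch in text if ch in PRINTABLE)
    return text, (printable / len(text) if text else 0.0)

def assess_image(pixels):
    """Flag an image whose alpha channel looks like a carrier: a noticeable
    share of partially transparent pixels, many distinct values, high entropy,
    and a decode that is almost entirely printable text. The thresholds are
    assumed starting points for a creative-screening pipeline, not ESET's."""
    alphas = alpha_values(pixels)
    stats = alpha_stats(alphas)
    _text, printable = decode_alpha(alphas)
    suspicious = (stats["partial_fraction"] > 0.01
                  and stats["distinct_partial"] >= 16
                  and stats["entropy_bits"] > 3.0
                  and printable > 0.9)
    return suspicious, stats, printable

def make_banner(width, height, payload=b""):
    """Construct a test banner: opaque fill with a 1-pixel transparent border.
    When payload is given, the alpha of successive interior pixels is replaced
    by 255 - byte, mirroring the constructed carrier scheme assumed above."""
    pixels = []
    for y in range(height):
        for x in range(width):
            border = x in (0, width - 1) or y in (0, height - 1)
            pixels.append((30, 144, 255, 0 if border else 255))
    interior = [i for i, p in enumerate(pixels) if p[3] == 255]
    for i, byte in zip(interior, payload):
        r, g, b, _a = pixels[i]
        pixels[i] = (r, g, b, 255 - byte)
    return pixels

# Constructed samples: a clean 300x50 banner and one carrying script-like text
# (the URL is a placeholder, not an indicator from the report).
CLEAN = make_banner(300, 50)
STEGO = make_banner(300, 50, b"var u='http://example.invalid/gate';" * 20)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("stego", STEGO)):
        flagged, stats, printable = assess_image(img)
        print(name, "suspicious" if flagged else "ok", stats, round(printable, 2))
```

The stego sample alters under five percent of pixels and stays visually near-opaque (alpha 129 to 223), which is why a visual review of the creative would not catch it but a histogram of the alpha channel does.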
Re: (Score:1)
All the more reason to use an ad blocker extension. Let the e-beggar sites that pester you about having an ad blocker know why you do. Maybe they'll finally get a clue and shut down or find a legitimate way to make money.
Re: For the best custom hostsfile creator (Score:1)
Does it work on Linux or Android?
Does it protect Lynx?
If not, then not interested.
Re: Hosts work on Linux & Android (Score:1)
So that's a no then....
OK, I'll stick with mvps.org then.
Re: My program imports MVPS data (& more) (Score:1)
You obviously know nothing about Android. You can only change the hosts file on a rooted Android phone, which is basically a compromised phone before you even start.
Re: You're obviously illiterate (I said that) (Score:1)
A rooted phone is guaranteed to send all your private data to a malicious IP address; it won't even use a DNS lookup. What's the point in changing the hosts file on a device already hard-coded to send everything on the device to the bad guys? Why are you recommending Android users compromise their device?
Re: Hosts work on Linux & Android (Score:1)
This isn't true any more. I had several malvertisers try and push an install of an unknown RPM through Chrome before I added the WinHelp MVPS hosts file to the system. If I'd been using something like Ubuntu instead of an otherwise hardened system they would quite possibly have been successful.
Re: (Score:2)
Re: (Score:1)
Not AFAIK.
sudo still installs stuff as root; installing a malicious RPM will give that RPM, even by sudo, access to the entire system.
Re: (Score:1)
You really can't "harden" any of the old versions of Windows though (thousands of zero days knocking around for what are now unsupported systems), and stuff written from earlier than 2007 doesn't really apply to any of the new versions of Windows.
While a solid hosts file is essential (and as you say, there are lots of free ones around now), it won't protect you from material served from hijacked DNS, which is fairly common practice now.
Re: (Score:1)
So when your DNS gets hijacked, every single person using your program gets hijacked too?
Wow. That's inviting a very big lawsuit.
Or you just cache the users' responses? In which case, hijacked once, hijacked forever?
Re: (Score:1)
You think I'd be willing to share my zero days?
heh, interesting.....
Re: (Score:1)
How much are you paying?
Zero days are valuable, you know...
Or is your "fair challenge" not really that fair?
'Cos I'll take cash over ego or your appreciation any day of the week.
Re: Thanks for proving my point (Score:1)
I'll put up if you put up.
Zero days typically fetch at least $10,000.
Why should I waste that on you?
I'd never get my ppl that way, it seems.
Re: (Score:2)
What a terrible argument. If your code is so good, just open-source it and stop using the "everybody uses it so it's good" fallacy. Everybody uses windows.
Well, I guess you only need to fool the dumbest people ...
Re: (Score:1)
If they say "Please!" (Score:5, Insightful)
Not no, hell no.
Re: (Score:2)
Re: (Score:2, Insightful)
That is an interesting way to say fuck you. Wish I had good options for ad blockers on Android. (Shut up APK)
Firefox mobile for Android allows the uBlock Origin or Adblock Plus extensions! It's the only way to surf. (no root needed)
Re: (Score:3)
Yes but there is more than ads in the browser. If you root your android you can install something like disable service and disable the ad and analytic services in Google Play Services, which will also get rid of most ads in apps.
Re: (Score:1)
If your device is rooted, just install AdAway + something like NoRoot Firewall. Block ads, decide which apps can connect to either the data or wifi (with bonus pre and post filtering options you can apply that are based on IP as well).
Re: (Score:2)
How is the performance on NoRoot Firewall? I used to use DroidWall, which is a frontend for iptables, but it hasn't been updated in years and I'm not sure it works properly on newer versions of Android.
Re: (Score:2)
Re: (Score:2)
Tried it in Firefox with uBlock installed. Complains, says it might not run. Doesn't do anything upon clicking 'start test'.
Then I try it on a browser with no ad blocker. The one I have handy is Edge (because I never use it). I see ads. The test still doesn't do anything.
I've seen better speed testers to be honest.
Yeah but... (Score:5, Funny)
If you block the ad, you're a thief.
Re: Yeah but... (Score:3, Insightful)
I assume it's sarcasm... but that line does piss me off. Fucking short sighted ignorant pricks telling me to be subservient and just take this shit.
People with DVRs aren't thieves somehow. Or people who mute their TV while ads are playing?
Re: (Score:2)
If I had mod, I'd +1, Insightful.
Re: (Score:3, Informative)
How I choose to display the data on my screen is my business.
Re: (Score:3, Interesting)
How I choose to display the data on my screen is my business.
And how they deliver data to your screen for free is their business.
Re: (Score:2)
Not my fault their business model is not profitable.
Re: (Score:2)
Not my fault their business model is not profitable.
Not their fault your web browser is insecure?
Re: (Score:2)
And how they deliver data to your screen for free is their business.
Should they then be liable when their ads serve malware/viruses?
Re: (Score:2)
It's not for free. I pay for my ISP and so do they. Websites are supposed to cost money. If they want to require a paid account then that is up to them and very doable. But if they want to attract people then they can pay for their site. There is no reason other than a money grab to see any ad on any website.
You do realize all those kids who grew up paying nothing for YouTube/Facebook/Webmail/Social Media Entertainment are starting to run small companies, right?
In other words, that whole theory of yours that all this shit is supposed to cost money is falling on deaf ears. To them, even an ISP charging for internet access is a crime against humanity.
Re: (Score:2)
Re: (Score:2)
They aren't. People who skip ads simply are marked as not watching the ad. Not watching the ad reduces a program's "C" rating, which means the program's ad rates go down (less eyeballs == less money). Programming budget is a fraction of the ad money it makes so it has to adapt.
Ratings you see and hear on the news about a program are one of three - SD (same day), SD+3 (Same Day + 3 days later) or SD+7. These are basical
Re: (Score:2)
Re: (Score:2)
In theory you could send a malformed signal to the TV. A while back there was a PNG exploit that caused an overflow of the displaying program to run code.
Since most TV streams are compressed though I'm not sure if this would be viable in the real world.
Re: (Score:2)
Re: Yeah but... (Score:1)
They tested making that compulsory, but the buggers just stopped turning the TV on in the first place, which would cause problems for government-sponsored brainwashing programs.
Re:Yeah but... (Score:5, Insightful)
Actually the ad is stealing MY bandwidth.
So kindly fuck off with your trojan pixels.
Re: (Score:2)
Get real.
Comment removed (Score:5, Interesting)
Re: (Score:3, Insightful)
Nothing we say is going to change a thing. It's best to just block them and move on. Let it be their problem.
Re: (Score:2)
Nothing we say is going to change a thing. It's best to just block them and move on. Let it be their problem.
Actually, what would be best would be to make websites criminally liable if they deliver a malicious ad to your PC. That'll get people working on securing their networks, and make most ad networks dry up in a hurry after serving as a source of revenue.
Re: (Score:1)
Actually, what would be best would be to make websites criminally liable if they deliver a malicious ad to your PC.
Yeah, we could do that, but personally, I hold the operating system responsible. I don't care how malicious the code is, the OS should run in protected ROM. So if we're going to start suing people, let's start with Microsoft and Apple, unless of course they decide to open up the source code... Going after the websites is a slippery slope, subject to political opinions as to what is "malicious".
Re: (Score:2)
Re: (Score:1)
Yeah but... That's not really what I'm talking about. It's that nobody will sue you if you distribute a fix for a Linux flaw, not even Linus, as far as I can tell. Since we don't have that luxury with MS or Apple, we should be able to hold them responsible for their screw-ups. The point is that they should either fix it, or let somebody else do it. There should be consequences for locking us out.
Regardless, the OS, no matter whose, should be protected inside of ROM.
Re: (Score:1)
Let me expand on that a bit. If there were to be a law that makes blocking illegal, then yes, we should be able to sue those who host malware. But since we can easily block it, I don't see the need for that. The weak point is in the OS. That's their attack vector; it should be ours too.
Re: (Score:2)
Darn, you made me feel so guilty! ;)
But I don't block ads, I just run NoScript. If they can't make ads that work without javascript, that's their problem. And any ad network that lets advertisers bundle javascript is incompetent or evil or both. It's called a "malware distribution network", not an ad network.
Re: (Score:1)
I bet there are some well-educated nutjobs with MBAs and JDs who actually think that as well...
When I build my next site (Score:1)
Is malware like this proof of economic stagnation? (Score:5, Insightful)
First of all, Jesus H. Christ, I'm continually amazed at the lengths people will go and the sheer brainpower employed in malware and hacking generally. I've gotten to the point where I go to hang a towel over the mirror in the bathroom because I'm worried someone has hacked the mirror and then figure, fuck it, they probably also hacked the towel.
Secondly, is this level of malware sophistication evidence that there's economic stagnation?
I'm assuming this is software designed to create botnets or measly bank account info or whatnot and the author(s) make some money but not griping about the lack of space for their megayacht next season at Monaco kinds of money.
Is the fact that people do this kind of really clever shit for more or less ordinary income, is it proof that the economy is in some way broken? I would think that people this smart, in a functional economy, would be in real demand to do productive economy kinds of things.
Is this art now gone? (Score:2)
A question to the readers: I've been trying to view this online comic [platinumgrit.com] for a while now.
The problem is, the comic itself is written in Flash, and I can't think of any way to enable flash without downloading all the Adobe crap, or installing a browser extension that's horribly unsafe to use. My best guess is to do all this in a separate VM specifically tuned to do this one task, and then delete it when done.
Make an entire system specific to reading one website? That seems like a lot of work.
Is there some sort o
Re: (Score:2)
Re: (Score:3)
Just use Chrome, which has its own Flash baked-in.
Re: (Score:2)
First of all, Jesus H. Christ, I'm continually amazed at the lengths people will go and the sheer brainpower employed in malware and hacking generally. I've gotten to the point where I go to hang a towel over the mirror in the bathroom because I'm worried someone has hacked the mirror and then figure, fuck it, they probably also hacked the towel.
Thanks for that laugh. The analogy was rather hilarious. Now I think I'll have a good cry over the reality of it.
Secondly, is this level of malware sophistication evidence that there's economic stagnation?...Is the fact that people do this kind of really clever shit for more or less ordinary income, is it proof that the economy is in some way broken?
Yes, perhaps it is. Another example would be the evolution of ransomware. Started out as a rather brilliant idea from a hacking standpoint to extort humans for more or less ordinary income.
I would think that people this smart, in a functional economy, would be in real demand to do productive economy kinds of things.
Across history, countless times we've caught ourselves laughing at how much more con artists could earn by walking the legal line instead of the life of crime. That said, this economy rewards the world's g
Re: (Score:1)
Secondly, is this level of malware sophistication evidence that there's economic stagnation?
I'm assuming this is software designed to create botnets or measly bank account info or whatnot and the author(s) make some money but not griping about the lack of space for their megayacht next season at Monaco kinds of money.
Is the fact that people do this kind of really clever shit for more or less ordinary income, is it proof that the economy is in some way broken? I would think that people this smart, in a functional economy, would be in real demand to do productive economy kinds of things.
A problem solved by software can often be copied for essentially zero. The initial cost may be relatively high, but let's say ordinary salary numbers, particularly in foreign countries, so what in the $30k range... If they can infect say 30k computers say 4 times a year. The computers could easily be different... That yields needing to make roughly, on average, $0.25 a computer. There is a lot of hand waving there, but I assume most of it is purely the economies of scale. Also, once a vulnerability is
Re: (Score:2)
Interesting point of view. It might also be proof that software quality has improved a lot, and there aren't so many 'normal' holes to drive through anymore...
Re: (Score:2)
Re: (Score:2)
PS: Does Google ads filter the malicious JS code?
Doubtful. The code was only the key and transform function; the payload was the transparency data of the image itself.
I'm sure they're going to start blocking it now, but there is no way they would have caught this in a normal screening.
Re: (Score:2)
I don't think the economy is broken, well, it might be but even if it were 100% healthy, we'd still have these people. Mostly, they are people who do not fit into companies working for someone else. They are freelancers. They do not have what it takes to start their own legitimate company. In the past, we'd call them pickpockets or snake oil salesmen or in some cases, politicians. The intertubes are just vehicles for them. If they weren't doing it there, they'd find some other form of criminal vice. Their l
Re: (Score:3)
I get that we'd always have people at the margin who have above average intelligence but otherwise to fit into a worker mold and wind up as criminals of varying levels of success. Usually, though, they seem to suffer from various other pathologies -- substance abuse, psychological defects, the kind of panoply of sociological misintegration that limits not only their legitimate success but their ability to make even life below the line very successful.
Maybe there's just a correlation between high levels of
Re: (Score:2)
Is the fact that people do this kind of really clever shit for more or less ordinary income, is it proof that the economy is in some way broken?
The economy undoubtedly is broken in many ways, but I think exploits like this are less about the economy and more about programmers getting bored and wanting to show off how clever they are; and if they can also make some money doing it, so much the better.
Re: (Score:1)
Banner Ads? (Score:1)
Am I the only one that sees the root cause? (Score:2)
Re: (Score:1)
Re: (Score:2)
Vector animation is smaller than video (Score:2)
If you can't communicate your ad with a static image, a video
A scripted vector animation has a smaller file size (and thus costs you less to view in overage fees payable to your ISP) than the equivalent H.264 or VP8 video. But I don't see how a scripted vector animation of considerable complexity can be done with CSS transitions alone. It's usually script writing to a canvas or script manipulating CSS element styles or SVG paths.
Re: (Score:2)
Re: (Score:2)
Scripted vector animations [mozilla.org] can fuck right off, too.
Re: (Score:2)
I don't want to see animated ads. When I do, I tend to go post something nasty about the company using it on G+. But thanks to AdBlock and NoScript, I usually don't actually see such travesties.
People who make singing, dancing ads should be slapped across the face with my cock.
Re: (Score:2)
People who make singing, dancing ads should be slapped across the face with my cock.
I'm thinking my 8lb splitting maul would be better.
Re: (Score:2)
Time to break out the tweezers and magnifying glass.
So you can find all the pieces of your face?
Re: (Score:2)
maybe the world is better off without your doohickey
That's kind of the point. If the world actually needed a zebra scented butt razor, they wouldn't have to resort to shitty ads in the first place, and when you've got no real selling features your best option is to just shove your shit in everyone's face. They all want to make a buck, whether they deserve to or not.
And they should be free to try to make a buck. But we should also be free to tell them to piss off. Unfortunately the world these days seems to value corporate freedom far more than individual
Cruising the information superhighway through a VM (Score:2)
For all reasons mentioned and past exploits I can see cruising the internet through a VM becoming very popular. Especially since some new NAS are coming with the ability to run a VM.
Re: (Score:2)
Not likely:
a) At best, you've just moved the problem to securing the host system. Which, if you're running a bare-metal VM like ESXi or Hyper-V, is certainly easier than securing an entire OS that needs to explicitly allow userland programs to do arbitrary things. But it's not a null issue.
b) VMs would need to become far, far less annoying to use. Basically until such time that OS's do something like load every single app into its own sandbox, invisible to the user, this won't happen on any sort of large sc
Re: (Score:2)
Microsoft's Virtual PC gave us "B" before they abandoned the whole idea in favor of Hyper-V. As for "C", people already intentionally lose data through things like FF's "incognito" mode. The stuff they want to keep usually ends up in the cloud anyway, where stronger security measures can be applied.
Re: (Score:2)
Virtual PC gave us "B"
I don't recall that being significantly easier to set up than, say, VMware Player. Perhaps a bit better, but you still had to do things like install your guest OS, configure hardware devices and so on. Definitely not simple enough to be considered invisible to the user.
XP Mode was getting closer from that aspect.. if running Word or IE just magically loaded into a sandbox then we'd be getting closer to what I'm referring to, though that's got all of its own challenges as noted.
people already intentionally lose data through things like FF's "incognito" mode
Some people do. For some speci
Legal? (Score:2)
Question (Score:2)
Is BleepingComputer the latest Medium.com? Because it seems like every time I come to Slashdot there's yet another story from that site...
Stegano Exploit Kit on Ads (Score:2)
The summary was missing details, but this link explains a bit more.
http://www.welivesecurity.com/... [welivesecurity.com]
At least you'll know how it works. Also, go down to the list and see if you have at least one of those security products and it'll skip the payload. :)
Stopped... (Score:1)
...reading at, "This server would only accept connections from Internet Explorer users." Now feeling smug.
Re: (Score:1)
Don't be. The reason the "Nigerian princes" all speak in terrible English isn't because they can't type, or can't hire someone who can. Getting their advert in front of your eyes is the easy part. They want to ring all the alarms that smart people have, so that they don't waste their time trying to scam smart people. This is much the same. Focus on the small part of the internet that makes for good food, and filter out the rest.
The real problem (Score:2)
a large number of advertising networks allow advertisers to deliver JavaScript code with their ads
Third-party code. 'Nuff said.
Re: (Score:2)
Don't forget -
b) Internet Explorer
c) Flash
Re: (Score:2)
Not just IE and Flash. Unpatched IE and Flash, running no ad blockers. That's pretty much asking to be electronically mugged these days.
Fines. I demand them. (Score:1)
Fine the ad creator. Can't find him? Fine the ad provider. Can't find him? Fine the owner of the site itself.
I want fines and I want jail time for malvertising. Heads must roll. This has gone on long enough.
The reason the gate targets Internet Explorer? (Score:2)
The reason it only targets Internet Explorer is that the exploit only works on Microsoft Windows.
Technique presented some time ago as Stegosploit (Score:3)
And that technique can go way further.
https://www.youtube.com/watch?... [youtube.com]
Miranda (Score:2)
Miranda
Specific malicious domains from ESET (Score:2, Informative)
See subject: A list of specific hosts from ESET's research to enter into your custom hosts file to protect vs. Stegano:
FROM http://www.welivesecurity.com/... [welivesecurity.com]
APK
P.S.=> All I can say to ESET i
Re: (Score:1)