Thursday, March 31, 2011

Malvertising

Malvertising is where third-party ad servers serve up "poisoned" ads: usually fake anti-virus scams that combine a bit of social engineering with an exploit kit, so the attack becomes a drive-by download if the social engineering fails. The attraction for cyber criminals is that they can get onto mainstream websites by hacking third-party ad servers, or the ad feeds into those servers; they attack the weakest link and see their malware on the most trusted websites.

I've noticed a few stories about malvertising today, and a few different points leap out of the stories.

The BBC has a story here about malware on a government-backed website. Not that that surprises me; I've been saying for a long time that the idea that malware won't be a problem if you're careful where you surf is deluded. What I noticed was this statement:
The exploit only affected users of Internet Explorer, including the most recent versions. Other browsers, including Firefox, were not affected.
Really? This is an exploit to which even the most recent versions of IE are vulnerable? Well, I've also been saying for a long time that Firefox is a safer browser for Windows, and I recently posted about IE getting pwned, but is IE really wide open to an exploit? (Since switching to Linux, I've followed the browser wars with less interest.)

The BBC has another story about malware on the London Stock Exchange site. The following grabbed my attention:
Security expert Paul Mutton fell victim when he viewed the site on 27 February.

He visited the LSE homepage to find out why some people reported that they could not access it.

The site was blocked by Firefox, he said, but accessible via Google's Chrome browser.

"It seemed to work with Chrome but then a few seconds later, without having to click on anything, pop-ups started to appear," he said.

The malicious code closed down several of the programs Mr Mutton was using and stopped new ones being started.

"I visited the site and it compromised my machine," said Mr Mutton.

Now if I were a security expert and had to visit a suspect site, I'd do it in Linux, to be honest. I assume Paul Mutton is a real security expert (this is the BBC) and had his system up-to-date (no vulnerable versions of Adobe PDF or Sun Java or Macromedia Flash installed), so where was the zero-day vulnerability? In Chrome, for all its claims of sandboxing? Or in the OS? Or in some other web-facing application?

My final BBC story reports on malware in Spotify. This story actually allows me to identify the vulnerability exploited: unsurprisingly, it's a fairly old vulnerability in Adobe PDF software, affecting version 8.1.2, when Adobe is now shipping 9.4.2. These sorts of exploits (affecting software other than the browser and OS, such as PDF readers) are actually as much of a risk as zero-day browser or OS vulnerabilities (meaning Microsoft, if you use IE on Windows), which is why I found the previous two stories so surprising, as they suggest zero-day exploits in browsers or Windows.
"Users with anti-virus software will have been protected," Spotify said in a statement.
Well, if you check the VirusTotal report available by following the links, you'll find this is horseshit: vulnerabilities may be years old, but if you still have the vulnerable software installed years later, you'll still be vulnerable to the latest malware, and the chance of your anti-virus program detecting that malware is slim.
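The practical lesson of the Spotify story is an inventory check rather than an anti-virus update: compare what is installed against what the vendor currently ships. The following is an added example, not code from the post; the Adobe Reader versions (8.1.2 installed, 9.4.2 current) are the ones quoted above, and the other two products in the inventory are hypothetical.

```python
"""Flag installed software whose version is behind the vendor's current release.

Added example. The point is the comparison itself: version strings must be
compared component by component as integers, or "9.10.0" sorts below "9.4.2"
and an out-of-date Reader passes the check.
"""
from itertools import zip_longest


def parse_version(version: str) -> tuple:
    """Turn "9.4.2" into (9, 4, 2) so the comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.strip().split("."))


def is_outdated(installed: str, current: str) -> bool:
    """True when the installed version is strictly below the current one.

    Missing trailing components count as zero, so "9.4" equals "9.4.0".
    """
    pairs = zip_longest(parse_version(installed), parse_version(current), fillvalue=0)
    for have, want in pairs:
        if have != want:
            return have < want
    return False


# Constructed inventory: (product, installed version, vendor-current version).
INVENTORY = [
    ("Adobe Reader", "8.1.2", "9.4.2"),        # versions quoted in the post
    ("Example Player", "10.2.0", "10.2.0"),    # hypothetical, up to date
    ("Example Runtime", "6.0.24", "6.0.26"),   # hypothetical, two releases behind
]


def outdated_products(inventory=INVENTORY) -> list:
    """Names of every product in the inventory that needs updating."""
    return [name for name, have, want in inventory if is_outdated(have, want)]


if __name__ == "__main__":
    for name in outdated_products():
        print(f"UPDATE NEEDED: {name}")
```

Feed the "current" column from the vendors' release pages and the "installed" column from whatever inventory you already have; the script then produces the list of machines that an old PDF exploit still works against, whatever the anti-virus engine says.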
