Zero-Day Malvertising Attack Went Undetected For Two Months



 

Researchers at Malwarebytes tracked a stealthy attack campaign that infected some major websites with malicious ads harboring ransomware.

 

RSA CONFERENCE -- San Francisco -- Cybercriminals deployed an Adobe Flash Player zero-day exploit embedded in online ads for close to two months in an attack that targeted US users with a ransomware payload, researchers said here today.

 

The use-after-free vulnerability, CVE-2015-0313, was patched by Adobe on Feb. 2, and the day after, the attack campaign came to a screeching halt, according to researchers at Malwarebytes, which traced the zero-day's lifecycle after their systems detected the attacks in December of last year. The attackers injected the malware-ridden ads on the websites of Dailymotion, Huffington Post, answers.com, New York Daily News, HowToGeek.com, tagged.com, as well as a handful of other sites.

 

"A zero-day was under everybody's nose for two months on top websites," says Pedro Bustamante, director of special projects for Malwarebytes.

 

Bustamante says the researchers had never before seen a malvertising campaign like this one. The attackers used a popular advertising network, which Malwarebytes did not name but said is ranked as the number one such network by Comscore.

 

Malwarebytes doesn't have a head count of victims hit with the ransomware, but traffic to the infected sites reached over 1 billion in February of this year. Not all of those victims obviously were infected--although they would not have to click on the infected ad to get infected, they had to meet the demographics the attackers were looking for, which were US consumers behind residential IP addresses.

 

Each of the affected websites ran the malicious ads for an average of two days, and Malwarebytes in its research traced back its first detection and blocking of the zero-day exploit on Dec. 10, 2014.

 

http://www.darkreading.com/attacks-breaches/zero-day-malvertising-attack-went-undetected-for-two-months/d/d-id/1320092

 

This just goes to show getting infected is not a matter of going to an "unsafe website" as some people here always say.

 

To think people say I'm paranoid to sandbox all of my web browsing :D

 

This particular malvertising gave everybody Cryptowall.


Each of the affected websites ran the malicious ads for an average of two days, and Malwarebytes in its research traced back its first detection and blocking of the zero-day exploit on Dec. 10, 2014.

 

Which says nothing of when the other antiviruses also blocked it.


To think people say I'm paranoid to sandbox all of my web browsing :D

Newp, not paranoid at all, every browser I run is sandboxed, never mind a complete set of blockers/etc on every OS in the house.. it's not a convenience/annoyance thing anymore but security, never mind Flash isn't permitted either, just one big gaping security hole after another, pass.

Would explain what happened to a user's Windows 7 system at work last week.  His desktop contents and 6 flash drives all got infected by ransomware.  Data lost.  Yea, could possibly pay to get it unlocked but probably a waste of money considering that a lot of the time, the thieves take your money and run.  I did stress to the user, again, that this is why things are kept on the network and not local on your system because if they were, we would have backups of everything.


To think people say I'm paranoid to sandbox all of my web browsing :D

 

Who let you out of yer cave, ye paranoid wagon of war? :p


and exactly what did this super dangerous malware do when it "infected" you...

 

Encrypts your hard drive, any other hard drives / backup drives in or connected to your computer, USB keys connected to the computer, or network drives mapped to the computer with write access.


and exactly what did this super dangerous malware do when it "infected" you...

 

Never heard of ransomware before?  Encrypts every saved file....PDF....DOC...XLS...images...and they are unreadable unless you pay some unknown entity to send you info on how to decrypt the data.  And paying does not guarantee they will tell you.  So basically you are screwed.  I have seen ransomware on every version of Windows back to XP so far and it is IMO the most pain in the ass of all the malware.

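The two posts above describe the behaviour that makes this class of malware detectable: one process rewriting large numbers of documents, spreadsheets and images across the local disk, attached USB sticks and mapped network shares within a short time. The toy detector below is an added example written for this thread, not code from Malwarebytes or any product named here; it runs over a constructed list of file-write events (timestamp, process name, path) standing in for what Sysmon, auditd or an EDR agent would actually report, and the process and path names are made up.

```python
from collections import defaultdict

# Added example: file extensions the thread names as typical ransomware targets
TARGET_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}

def volume_of(path):
    """Return the volume a Windows path lives on: drive letter or UNC share."""
    if path.startswith("\\\\"):
        parts = path.split("\\")
        return "\\\\" + "\\".join(parts[2:4])  # \\server\share
    return path[:2].upper()                    # e.g. "C:"

def suspicious_processes(events, window=60, min_files=20, min_volumes=2):
    """Flag processes that rewrite many target files on several volumes
    inside one sliding time window. Returns {process: (files, volumes)}."""
    by_proc = defaultdict(list)
    for ts, proc, path in events:
        if any(path.lower().endswith(ext) for ext in TARGET_EXTS):
            by_proc[proc].append((ts, path))
    flagged = {}
    for proc, writes in by_proc.items():
        writes.sort()
        start = 0
        for end in range(len(writes)):
            # advance the window start so writes[start:end+1] spans <= window seconds
            while writes[end][0] - writes[start][0] > window:
                start += 1
            files = {p for _, p in writes[start:end + 1]}
            vols = {volume_of(p) for p in files}
            # keep the largest qualifying window seen for this process
            if (len(files) >= min_files and len(vols) >= min_volumes
                    and len(files) > flagged.get(proc, (0, 0))[0]):
                flagged[proc] = (len(files), len(vols))
    return flagged

# Constructed sample: an editor touching two files, and an unknown process
# sweeping C:, a USB stick (E:) and a mapped share inside thirty seconds.
SAMPLE_EVENTS = [(0, "winword.exe", r"C:\Users\a\Docs\report.docx"),
                 (5, "winword.exe", r"C:\Users\a\Docs\notes.docx")]
for i in range(12):
    SAMPLE_EVENTS.append((i, "unknown.exe", rf"C:\Users\a\Docs\file{i}.pdf"))
for i in range(6):
    SAMPLE_EVENTS.append((15 + i, "unknown.exe", rf"E:\photos\img{i}.jpg"))
for i in range(6):
    SAMPLE_EVENTS.append((25 + i, "unknown.exe", rf"\\fileserver\shared\q{i}.xls"))

if __name__ == "__main__":
    print(suspicious_processes(SAMPLE_EVENTS))  # {'unknown.exe': (24, 3)}
```

Thresholds like twenty files on two volumes in a minute are a starting point to tune against the normal write rate of backup jobs and sync clients, which is where false positives will come from.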

Just as a FYI, there's a new ransomware decrypting tool that may/may not work the next time any of you run into this.

https://noransom.kaspersky.com/

 

Only if the malware that encrypts the files is still present on the PC.  A lot of times, AV removes the malware program and leaves the files encrypted. 


Only if the malware that encrypts the files is still present on the PC.  A lot of times, AV removes the malware program and leaves the files encrypted. 

 

Plus it doesn't Magically decrypt files. They just shut down some of the servers and have obtained a large lot of decryption keys.


Encrypts your hard drive, any other hard drives / backup drives in or connected to your computer, USB keys connected to the computer, or network drives mapped to the computer with write access.

This ###### is scary..  Any businesses been hit with any cryptoware? Thinking about that keeps me up at night..lol


This ###### is scary..  Any businesses been hit with any cryptoware? Thinking about that keeps me up at night..lol

 

Which is why a nightly backup connected to your computer is nice, but so is one that is not connected to the computer and is taken off site and updated monthly. At least then you'd only be a month back.


This is why adblockers and sandboxes are relevant, they stop malware before they can get into your system.


This is why adblockers and sandboxes are relevant, they stop malware before they can get into your system.

 

Exactly. Myself and my parents at their house, all their systems are running Sandboxie.


Exactly. Myself and my parents at their house, all their systems are running Sandboxie.

 

I use Malwarebytes' Anti-Exploit and Anti-Malware, along with Panda Cloud Antivirus.  I use Chrome, which has its own built-in sandbox.

 

In my case, is it a good idea to run Sandboxie with Chrome (browser inside a sandbox, inside another sandbox)?  I read that this interferes with Anti-Exploit protection for Chrome, so that's why I haven't done this yet.


I use Malwarebytes' Anti-Exploit and Anti-Malware, along with Panda Cloud Antivirus.  I use Chrome, which has its own built-in sandbox.

 

In my case, is it a good idea to run Sandboxie with Chrome (browser inside a sandbox, inside another sandbox)?  I read that this interferes with Anti-Exploit protection for Chrome, so that's why I haven't done this yet.

 

I would trust Sandboxie before I would trust Chrome's sandbox.

