Warwagon (MVC) Posted May 2, 2015

Researchers at Malwarebytes tracked a stealthy attack campaign that infected some major websites with malicious ads harboring ransomware.

RSA CONFERENCE -- San Francisco -- Cybercriminals deployed an Adobe Flash Player zero-day exploit embedded in online ads for close to two months in an attack that targeted US users with a ransomware payload, researchers said here today. The use-after-free vulnerability, CVE-2015-0313, was patched by Adobe on Feb. 2, and the day after, the attack campaign came to a screeching halt, according to researchers at Malwarebytes, which traced the zero-day's lifecycle after their systems detected the attacks in December of last year. The attackers injected the malware-ridden ads on the websites of Dailymotion, Huffington Post, answers.com, New York Daily News, HowToGeek.com, tagged.com, as well as a handful of other sites. "A zero-day was under everybody's nose for two months on top websites," says Pedro Bustamante, director of special projects for Malwarebytes. Bustamante says the researchers had never before seen a malvertising campaign like this one. The attackers used a popular advertising network, which Malwarebytes did not name but said is ranked as the number one such network by Comscore. Malwarebytes doesn't have a head count of victims hit with the ransomware, but traffic to the infected sites reached over 1 billion in February of this year. Not all of those victims obviously were infected; although they would not have to click on the infected ad to get infected, they had to meet the demographics the attackers were looking for, which were US consumers behind residential IP addresses. Each of the affected websites ran the malicious ads for an average of two days, and Malwarebytes in its research traced back its first detection and blocking of the zero-day exploit on Dec. 10, 2014.

http://www.darkreading.com/attacks-breaches/zero-day-malvertising-attack-went-undetected-for-two-months/d/d-id/1320092

This just goes to show that getting infected is not a matter of going to an "unsafe website", as some people here always say. To think people say I'm paranoid to sandbox all of my web browsing. This particular malvertising gave everybody CryptoWall.
spaceelf Posted May 2, 2015

> Each of the affected websites ran the malicious ads for an average of two days, and Malwarebytes in its research traced back its first detection and blocking of the zero-day exploit on Dec. 10, 2014.

Which says nothing of when the other antiviruses also blocked it.
Max Norris Posted May 2, 2015

> To think people say I'm paranoid to sandbox all of my web browsing

Newp, not paranoid at all. Every browser I run is sandboxed, never mind a complete set of blockers etc. on every OS in the house. It's not a convenience/annoyance thing anymore but security, never mind Flash isn't permitted either; just one big gaping security hole after another, pass.
Torolol Posted May 3, 2015

If a user can simply be infected from what was shown in an iframe, that is a browser fault/vulnerability.
techbeck Posted May 4, 2015

Would explain what happened to a user's Windows 7 system at work last week. His desktop contents and 6 flash drives all got infected by ransomware. Data lost. Yeah, could possibly pay to get it unlocked, but probably a waste of money considering that a lot of the time the thieves take your money and run. I did stress to the user, again, that this is why things are kept on the network and not local on your system, because if they were, we would have backups of everything.
Guest Posted May 4, 2015

> To think people say I'm paranoid to sandbox all of my web browsing

Who let you out of yer cave, ye paranoid wagon of war?
HawkMan Posted May 4, 2015

And exactly what did this super dangerous malware do when it "infected" you...
Warwagon (MVC, Author) Posted May 4, 2015

> And exactly what did this super dangerous malware do when it "infected" you...

Encrypts your hard drive, any other hard drives / backup drives in or connected to your computer, USB keys connected to the computer, or network drives mapped to the computer with write access.
techbeck Posted May 4, 2015

> And exactly what did this super dangerous malware do when it "infected" you...

Never heard of ransomware before? Encrypts every saved file (PDF, DOC, XLS, images) and they are unreadable unless you pay some unknown entity to send you info on how to decrypt the data. And paying does not guarantee they will tell you. So basically you are screwed. I have seen ransomware on every version of Windows back to XP so far, and it is IMO the biggest pain in the ass of all the malware.
spaceelf Posted May 4, 2015

Just as an FYI, there's a new ransomware decrypting tool that may/may not work the next time any of you run into this. https://noransom.kaspersky.com/
techbeck Posted May 4, 2015

> Just as an FYI, there's a new ransomware decrypting tool that may/may not work the next time any of you run into this. https://noransom.kaspersky.com/

Only if the malware that encrypts the files is still present on the PC. A lot of times, AV removes the malware program and leaves the files encrypted.
Warwagon (MVC, Author) Posted May 4, 2015

> Only if the malware that encrypts the files is still present on the PC. A lot of times, AV removes the malware program and leaves the files encrypted.

Plus it doesn't magically decrypt files. They just shut down some of the servers and have obtained a large lot of decryption keys.
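The situation the last two posts describe, where AV has removed the malware but a share full of encrypted files is left behind, usually starts with a triage question: which files are actually ciphertext and need restoring from backup, and which are untouched? The script below is an added example, not code from this thread, from Malwarebytes or from the Kaspersky tool linked above. It assumes that ransomware output is close to uniformly random (Shannon entropy near 8 bits/byte) and that a file whose extension promises a known magic number but whose header no longer matches has had its original bytes replaced. Both signals together are a strong indicator; either one alone is only "suspicious", because a genuine .docx is itself a zip archive with high entropy, and a renamed file has a "wrong" header without being encrypted. The file names and contents in SAMPLES are constructed test data.

```python
# Added example (not code from the thread, Malwarebytes or Kaspersky):
# entropy plus magic-number triage of files left behind after an infection.
# Assumption: ransomware ciphertext is near-uniform random bytes, so its
# byte-level Shannon entropy approaches 8 bits/byte, while ordinary user
# documents score lower or at least keep the header their extension promises.
# This is a heuristic for deciding what to restore, not proof of encryption.
import math
import os
import random
from collections import Counter
from typing import Dict, Optional

# Magic numbers for the formats mentioned in the thread. A mismatch between
# extension and header is a classic sign the original bytes were overwritten.
MAGIC = {
    ".pdf": b"%PDF",
    ".doc": b"\xd0\xcf\x11\xe0",
    ".xls": b"\xd0\xcf\x11\xe0",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
}

# bits/byte: English text sits around 4-5, compressed or encrypted data around 7.9+
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_matches(name: str, data: bytes) -> Optional[bool]:
    """True/False when the extension has a known magic number, None when it does not."""
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    if magic is None:
        return None
    return data.startswith(magic)


def classify(name: str, data: bytes) -> str:
    """'likely_encrypted' (bad header AND random body), 'suspicious' (one signal), or 'plaintext'."""
    entropy = shannon_entropy(data[:65536])  # the first 64 KiB is enough for triage
    header_ok = header_matches(name, data)
    high_entropy = entropy >= ENTROPY_THRESHOLD
    if header_ok is False and high_entropy:
        return "likely_encrypted"
    if header_ok is False or high_entropy:
        # One signal is ambiguous: a real .docx is a zip (high entropy), and a
        # renamed file has a "wrong" header without having been encrypted.
        return "suspicious"
    return "plaintext"


def triage(files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every entry of a {name: contents} mapping, e.g. files read off a mapped share."""
    return {name: classify(name, data) for name, data in files.items()}


def _random_bytes(n: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed sample data, not real ransomware output)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample "share" contents for the demonstration.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n" + b"Quarterly figures, nothing unusual here. " * 200,
    "notes.txt": b"Backups run nightly; offsite copy rotated monthly.\n" * 50,
    "budget.xlsx": _random_bytes(8192, seed=1),                # header gone, body random
    "photo.jpg": _random_bytes(8192, seed=2),                  # header gone, body random
    "memo.docx": b"PK\x03\x04" + _random_bytes(8192, seed=3),  # valid zip header, high entropy
    "todo.txt": _random_bytes(4096, seed=4),                   # no magic to check, high entropy
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{verdict:17} {name}")
```

Run it as-is to see the verdict per sample; to use it on a real share, build the mapping with `open(path, "rb").read(65536)` for each file and then restore the "likely_encrypted" set from the last clean backup, reviewing the "suspicious" set by hand.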
fusi0n Posted May 4, 2015

> Encrypts your hard drive, any other hard drives / backup drives in or connected to your computer, USB keys connected to the computer, or network drives mapped to the computer with write access.

This ###### is scary. Have any businesses been hit with any cryptoware? Thinking about that keeps me up at night.. lol
Warwagon (MVC, Author) Posted May 4, 2015

> This ###### is scary. Have any businesses been hit with any cryptoware? Thinking about that keeps me up at night.. lol

Which is why a nightly backup connected to your computer is nice, but so is one that is not connected to the computer and is taken off site and updated monthly. At least then you'd only be a month back.
link6155 Posted May 5, 2015

This is why adblockers and sandboxes are relevant: they stop malware before it can get into your system.
Warwagon (MVC, Author) Posted May 5, 2015

> This is why adblockers and sandboxes are relevant: they stop malware before it can get into your system.

Exactly. Myself and my parents at their house: all their systems are running Sandboxie.
halomaster Posted May 5, 2015

> Exactly. Myself and my parents at their house: all their systems are running Sandboxie.

I use Malwarebytes' Anti-Exploit and Anti-Malware, along with Panda Cloud Antivirus. I use Chrome, which has its own built-in sandbox. In my case, is it a good idea to run Sandboxie with Chrome (browser inside a sandbox, inside another sandbox)? I read that this interferes with Anti-Exploit protection for Chrome, so that's why I haven't done this yet.
Warwagon (MVC, Author) Posted May 5, 2015

> I use Malwarebytes' Anti-Exploit and Anti-Malware, along with Panda Cloud Antivirus. I use Chrome, which has its own built-in sandbox. In my case, is it a good idea to run Sandboxie with Chrome (browser inside a sandbox, inside another sandbox)? I read that this interferes with Anti-Exploit protection for Chrome, so that's why I haven't done this yet.

I would trust Sandboxie before I would trust Chrome's sandbox.