Malvertising is a troubling trend
It started three weeks ago when my application firewall sent out an alert about active malware known as the Angler exploit kit on one of my company’s computers. This came as a surprise, because my top-tier desktop antivirus software did not detect the malware, nor did my well-known, network-based malware detection product.
After some investigation, I found out why my desktop and network antivirus products were essentially blind to this version of Angler. The Angler exploit kit has been around for a couple of years in various forms, and until now it didn’t stand out as a particularly unusual threat. But it turns out that the newest version has some new and improved techniques to avoid detection, such as encryption and the exploitation of zero-day vulnerabilities that haven’t yet been incorporated into the mainstream antivirus products. It also runs only in the memory of the infected computer, instead of installing itself on the hard drive, which is where desktop antivirus products tend to focus their attention. This is the startling part — that the bad guys have found a way to effectively stay invisible.
The way that the Angler malware was delivered was also something different. It did not come through the usual channels of email phishing and shady websites. I discovered that the source of the infection was a malicious advertisement, one that was running on a mainstream news service! The news website sells ad space served up by an advertising company, which in turn sells that ad space to anybody willing to pay for it. In this case, the bad guys were paying for it. They signed up for ad space just like any other customer, but the advertisement they created — known as “malvertising” — exploited a zero-day (unpatched) vulnerability in Adobe Flash to run commands through the browser to the victim computers’ operating systems, without any knowledge or intervention by the end users. This is how they were able to install the Angler exploit kit on the employee’s work computer without anybody knowing. With no end-user intervention required, all of my employee training on how to avoid Web-based threats is useless. And with no bad website to block, because the malware was served up by official, reputable sources, my Web filtering can’t help. This is the troubling part.
I tried to contact the webmaster of the site that was compromised, which in this case was not the mainstream news agency but the third-party advertising agency the news site had sold space to. Nobody from the ad agency returned my calls. I would not be surprised if they found out what happened and decided to cover it up. I can’t imagine this situation is good for their business.
It’s a good thing I have a next-generation firewall. This product is capable of looking deep into the network traffic going to and from the Internet, to identify the source applications. In this case, the Angler exploit kit happened to be one of the applications the firewall was able to identify. The malicious traffic itself was encrypted, and to any other technology it looked just like SSL Web browsing. I set up a rule to block the Angler traffic, so future infections will not be able to phone home even if they successfully install on my company’s computers. And that’s already been put to the test, because I’ve experienced two more Angler infections since then. So even though my desktop and network antivirus technologies can’t seem to block Angler from infecting my work computers, at least I can silence it while I send someone out to eradicate the malicious software.
If this is the future of malware tactics, our job just got a lot harder.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at jf.rice@engineer.com.
Click here for more security articles.