Malvertising on the Rise

Discussion in 'Anti-Virus' started by David Kaye, Oct 2, 2010.

  1. David Kaye

    David Kaye Guest

    Malvertising is on the rise. A lot of this results in DNS redirects in your
    registry. I caught 3 of them in the last few days, 2 customers and one on one
    of my test computers. I went to Google and Yahoo searches for my customer's
    website and pulled them onto my own computer.

    Malvertising involves either the hijacking of websites or malware companies
    specifically buying ads on search engines.

    The DNS entries so far tend to resolve to Odessa (Ukraine) and the Cocos
    (Keeling) Islands.
     
    David Kaye, Oct 2, 2010
    #1

  2. From: "David Kaye" <>

    < snip >

    | Malvertising involves either the hijacking of websites or malware companies
    | specifically buying ads on search engines.

    < snip >

    Try again...
     
    David H. Lipman, Oct 2, 2010
    #2

  3. David Kaye

    David Kaye Guest

    And what exactly do you mean by the snide comment?
     
    David Kaye, Oct 2, 2010
    #3
  4. David Kaye

    David Kaye Guest

    Rather than just give a comment that serves nobody, why don't you tell us
    everything you know about malvertising attacks. I'm sure lots of people
    (including me) would benefit from your wisdom.
     
    David Kaye, Oct 2, 2010
    #4
  5. David Kaye

    VanguardLH Guest

    Please PROVE that any registry entries result in DNS redirects. Perhaps
    what you meant to say was the 'hosts' file or a TCP stack interceptor.
    If there are registry entries that can effect the same DNS redirects as
    does using a 'hosts' file then I'd like to know how it's done.
     
    VanguardLH, Oct 2, 2010
    #5
  6. From: "David Kaye" <>



    | Rather than just give a comment that serves nobody, why don't you tell us
    | everything you know about malvertising attacks. I'm sure lots of people
    | (including me) would benefit from your wisdom.

    Actually, the SMEs in this subject matter are Sandi and Kimberly who track, blog, and get
    action taken.

    http://msmvps.com/blogs/spywaresucks/Default.aspx

    http://www.bluetack.co.uk

    You will find it is often the case of embedded URLs taking you to malicious sites from
    within Flash file advertisements. Thus malvertisements.

    Either the Flash files are direct exploits or just well crafted.

    Legitimate web sites host advertisements for revenue and they work with various
    advertising organizations. How the agreements are performed and how the malvertisements
    work their way into the stream is where I draw the blank. However, the Flash Files are
    introduced into the advertising stream. They are rotated in and out so you won't always
    see them. They often use GEO IP location so some locales may be targeted and other
    locales may never see the malvertisement. Investigators often have to use proxies just to
    see them if they are in a non-targeted location.

    The following SWF example is a malvertisement that will change its behavior depending on
    the timezone:
    http://wepawet.cs.ucsb.edu/view.php?hash=848aa101875896b14c486a3c3d7524d2&type=swf

    Ebay example:
    http://msmvps.com/blogs/spywaresucks/archive/2009/04/27/1691362.aspx

    http://www.bluetack.co.uk/forums/index.php?s=f0e730c04af50dbd0281c2f24aa513a2&showtopic=18064&st=240&p=91752&#entry91752
     
    David H. Lipman, Oct 2, 2010
    #6
  7. A lot of malware, no matter the source, uses the DNS changing or "hosts"
    file modification to send the victim to evil servers.
    Did you notice that sometimes, when revisited, the site *doesn't* offer
    malware (kind of a hit-or-miss proposition)?
    Hmmm, it has more to do with advertising services whose servers may have
    been compromised or whose content may have been poisoned.
    What malware is being served up?
     
    FromTheRafters, Oct 2, 2010
    #7
  8. I was going to ask this, but I just figured he simply meant that the
    primary and secondary DNS settings had been altered.

    If you haven't noticed, he doesn't know much about the subject.
     
    FromTheRafters, Oct 3, 2010
    #8
  9. From: "FromTheRafters" <>


    | I was going to ask this, but I just figured he simply meant that the
    | primary and secondary DNS settings had been altered.

    | If you haven't noticed, he doesn't know much about the subject.

    Yes, when dealing with DNS alterations we are dealing with a whole different class of
    malware, DNSChangers.

    They are malware that either alter the DNS server entries of the TCP/IP stack of an
    infected host or modify the DNS entries of a SOHO Router.

    When we are dealing with DNS table alterations within a host, we do have a change in
    Registry entries. But that is only because it is the Registry which holds the node information
    of the TCP/IP stack.
     
    David H. Lipman, Oct 3, 2010
    #9
  10. David Kaye

    David Kaye Guest

    Huh? A simple look at 017 in the HJT log shows it quite clearly. HJT then
    allows you to delete the entries or you can manually go into the registry keys
    and delete them.
     
    David Kaye, Oct 3, 2010
    #10
  11. David Kaye

    David Kaye Guest

    One customer gets redirects at every attempt, the other and my own get only
    occasional redirects. However, the DNS entry changes were present on all
    computers. I'm assuming that the difference is that some DNS servers only
    occasionally redirect and otherwise pass through in order to cover their
    tracks.

    Now, this is an area in which I have no expertise: Can someone tell me a way I
    can set permissions on the DNS entries in the registry to prohibit changes?
    Perhaps in .reg script form? I'd be most appreciative.

    Well, they could be compromised or they could actually be serving up
    paid-for banner ads that are themselves malware. I mean, heck, what's to
    prevent this? Are Google and Yahoo going to test each and every dot quad
    address appearing in every ad to see if it links to malware? And if those
    links look benign 1 out of 4 times or whatever, there's not much chance
    Google and Yahoo would even catch them.
    For the most part they're all ads, not malware. Malware (MBAM, SpySweeper,
    Trend) and rootkit scans (Trend, ComboFix, etc) on all 3 computers show
    nothing. The only thing visible so far is DNS server redirects, which are
    visible in HJT line 017.

    In the case of the personal chef I deal with, her ads have been for websites
    about cooking schools, cookbooks, and travel. In the case of the real estate
    broker I'm dealing with, his ads have been for real estate companies such as
    Century 21 real estate. All ads so far look to be from legitimate companies,
    except for a couple which are malware "scare scans" ("Your computer is
    infected").

    These came to light because the personal chef does daily Google and Yahoo
    searches on keywords to see if her resultset position moves from day to day.
    (She's a bit anal that way, but she also depends 100% on her Google placements
    for new customers.) Sometimes a click will land the browser (any browser) on
    her page, sometimes on travel, cookbooks, etc. Other times her page will come
    up as well as pop-unders (pop-up blockers aren't blocking).
     
    David Kaye, Oct 3, 2010
    #11
  12. David Kaye

    David Kaye Guest

    Something interesting here is that the UID
    ({4AADF3A1-9F99-4D7A-BC53-CD95F6B4F3D9) shown below appears to be bogus. It
    refers back to a NirSoft tool (SmartSniff) on my computer, but otherwise has
    no connection to it. It could likely be a coincidence that the UID for the
    registry entry was chosen by happenstance. Since I removed SmartSniff some
    time ago, there are no registry entries relating to it. at least none that I
    can find.

    Here is a clip from the HJT log:

    O17 -
    HKLM\System\CCS\Services\Tcpip\..\{4AADF3A1-9F99-4D7A-BC53-CD95F6B4F3D9}:
    NameServer = 93.188.163.74,93.188.166.109
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer =
    93.188.163.74,93.188.166.109
    O17 -
    HKLM\System\CS2\Services\Tcpip\..\{4AADF3A1-9F99-4D7A-BC53-CD95F6B4F3D9}:
    NameServer = 93.188.163.74,93.188.166.109
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer =
    93.188.163.74,93.188.166.109
    O17 -
    HKLM\System\CS3\Services\Tcpip\..\{4AADF3A1-9F99-4D7A-BC53-CD95F6B4F3D9}:
    NameServer = 93.188.163.74,93.188.166.109
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =
    93.188.163.74,93.188.166.109
     
    David Kaye, Oct 3, 2010
    #12
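    Added example, not code from the thread or from HijackThis: a small Python parser for O17 lines like the ones quoted above. It splits each entry into control set, scope (the global Parameters key versus a per-adapter GUID) and resolver list, then flags every resolver outside an allow-list. The first three sample lines are the post's own entries rejoined onto single lines; the fourth sample line (a LAN router as resolver) and the allow-list are constructed for the example, and treating only CCS (CurrentControlSet) as the live control set is an assumption.

```python
"""Parse HijackThis O17 NameServer lines and flag resolvers not on an allow-list.
Added example; not part of the thread or of HijackThis itself."""
import re
from ipaddress import ip_address

# HJT abbreviates HKLM\SYSTEM\CurrentControlSet as "CCS" and ControlSet00N as "CSN".
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:(?P<scope>Parameters)|\.\.\\\{(?P<guid>[0-9A-Fa-f-]+)\})"
    r"\s*:\s*NameServer\s*=\s*(?P<servers>.+?)\s*$"
)

# Sample log: the three entries from the post above (rejoined onto one line each)
# plus one constructed benign per-adapter entry pointing at a LAN router.
SAMPLE_HJT_O17 = (
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{4AADF3A1-9F99-4D7A-BC53-CD95F6B4F3D9}: "
    "NameServer = 93.188.163.74,93.188.166.109\n"
    "O17 - HKLM\\System\\CS2\\Services\\Tcpip\\Parameters: NameServer = 93.188.163.74,93.188.166.109\n"
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 93.188.163.74,93.188.166.109\n"
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{0A0A0A0A-0000-0000-0000-000000000001}: "
    "NameServer = 192.168.1.1\n"  # constructed
)


def parse_o17(log_text):
    """Return one dict per O17 NameServer line: control set, scope and resolver list."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # not an O17 NameServer line (HJT wraps long lines; join them first)
        scope = "global" if m.group("scope") else "adapter:" + m.group("guid").upper()
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        entries.append({"control_set": m.group("cs"), "scope": scope, "servers": servers})
    return entries


def audit_resolvers(entries, allowed):
    """Flag every resolver not in `allowed`. Assumption: CCS is the control set in
    use; CS2/CS3 copies only take effect if that control set is booted."""
    allowed = {str(ip_address(a)) for a in allowed}
    findings = []
    for e in entries:
        for srv in e["servers"]:
            try:
                ip = ip_address(srv)
            except ValueError:
                findings.append((e["control_set"], e["scope"], srv, "unparseable"))
                continue
            if str(ip) in allowed:
                continue
            kind = "private" if ip.is_private else "public"
            state = "live" if e["control_set"] == "CCS" else "inactive control set"
            findings.append((e["control_set"], e["scope"], str(ip), f"{kind}, {state}"))
    return findings
```

Running `audit_resolvers(parse_o17(SAMPLE_HJT_O17), ["192.168.1.1"])` reports the two public resolvers under both the global key and the adapter key, and marks the CS2 copy as belonging to an inactive control set.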
  13. David Kaye

    VanguardLH Guest

    Unless you are going to boot using the menu to select "Last known good
    configuration", why are you worrying about entries under CS2 & CS3?

    As David noted earlier, the DNS servers are recorded in the registry and
    this is where the malware could specify different servers to which you
    connect. I forgot about the TCP properties that are stored in the
    registry. This is indeed a place where redirection would be possible
    but not in the normal sense of "redirection". When you said "redirect"
    then I thought of something else. Pointing you at a different DNS
    server than you thought you were using really isn't what I think of when
    someone mentions redirection.

    This seems something that could be addressed at the router and in its
    firewall. While it's possible, I have not yet experienced nor heard of
    malware that reprograms the router, especially if non-blank login
    credentials are required for access. If the router refused to pass on
    any port 53 connect requests other than those directed to itself then
    these DNS changer pests would be rendered impotent. The router would
    reject passing on the off-network port 53 requests and instead send back
    an IP address pointing to its own web page to tell the user that they
    MUST use the router's DNS redirector. The router doesn't run a true DNS
    server but simply fails the DNS lookup and passes it on to wherever it
    has been configured to connect for a DNS server. So the user has to go
    through the router's DNS server to get to the DNS server that the admin
    for that network has determined will get used. Alas, this doesn't seem
    something available in the typical consumer-grade routers so it seems a
    feature that should be added to the local security software
    installed on a host to monitor for changes to the TCP properties
    recorded in the registry.

    If we go back to the age-old recommendation of having users login under
    a limited user account then isn't the possibility removed for malware
    running under that LUA token of changing the TCP properties to specify a
    different DNS server?
     
    VanguardLH, Oct 3, 2010
    #13
  14. David Kaye

    VanguardLH Guest

    Some security products include both DNS and 'hosts' file checkers. For
    example, in TallEmu's Online Armor, they will check for and alert on
    changes made to the 'hosts' file. In Online Armor, they also have a DNS
    Checker which is described by "stops programs from manipulating your
    Windows settings to misdirect you to fake sites." I'm guessing this is
    monitoring for changes to the TCP properties in the registry. Alas,
    their DNS Checker and Hosts Checker are available only in their payware
    version of OnlineArmor. WinPatrol, even in its free version, includes
    an option to monitor for changes to the 'hosts' file; however, it
    doesn't monitor for changes to the TCP settings in the registry.
     
    VanguardLH, Oct 3, 2010
    #14
  15. David Kaye

    David Kaye Guest

    I simply pasted the entries from the HJT log to show that indeed registry
    entries have been changed to point to a rogue DNS. I believe these are
    located in Ukraine.
     
    David Kaye, Oct 3, 2010
    #15
  16. Yes, even when a victim uses the "bad" DNS service, that service can
    sometimes provide good lookups.
    As far as I know, there are no preventative measures, but you could
    surely replace "good" information upon reboot with a script.
    This kind of adware is considered malware - because of the surreptitious
    way it gets installed.
    Malicious adware still tries to be efficient adware - the customized
    adware indicates to me that there is spyware involved as well.
    Even legitimate advertising annoys me, so this stuff really sucks. :eek:)
     
    FromTheRafters, Oct 3, 2010
    #16
  17. David Kaye

    David Kaye Guest

    I know there are ways to lock certain registry entries because I've seen
    malware do it, but I have absolutely no knowledge of how this works, nor do
    any of my MSDN references say anything about this.

    I suppose I'll write a registry reset script to replace the DNS entries at
    every boot-up.

    Earlier this evening (last evening, it's 6:00am now!) I did some research on
    an infection/redirect I got Friday night on my honeypot machine. Turns out
    there was an executable that was installed at 12:39am in the user temp
    directory that the thorough scan of MBAM found.

    At the same minute other things such as a Javascript engine update, Real
    Player update, etc. were also installed. At that moment I had been
    visiting the WSM Radio website looking to play some excerpts from the Grand
    Ole Opry broadcasts. Since I went directly to grandoleopry.com (which
    redirected to opry.com) and did not use a search engine this trip, I must
    assume that the opry website is infected.

    Also, about half an hour ago I did some Googling on "malvertising" and about
    10 or 12 entries down in the resultset I clicked on something that loaded a
    scareware webpage portending to "scan" my computer and show lots of red
    warnings. This is exactly the same page that appeared on my customer's (the
    chef) computer.

    I could NOT navigate away from the page, even by clicking the go-away button
    (the X) on any open window in IE 8.0. I went to the Task Manager and shut
    down IE from there.

    I immediately did 3 root scans and found nothing. I also did not find any DNS
    entries with HJT, nor any malware with a thorough MBAM scan.

    This leads me to believe that Google's search engine itself is infected.
     
    David Kaye, Oct 3, 2010
    #17
  18. From: "David Kaye" <>


    | I know there are ways to lock certain registry entries because I've seen
    | malware do it, but I have absolutely no knowledge of how this works, nor do
    | any of my MSDN references say anything about this.

    | I suppose I'll write a registry reset script to replace the DNS entries at
    | every boot-up.

    | Earlier this evening (last evening, it's 6:00am now!) I did some research on
    | an infection/redirect I got Friday night on my honeypot machine. Turns out
    | there was an executable that was installed at 12:39am in the user temp
    | directory that the thorough scan of MBAM found.

    | At the same minute other things such as a Javascript engine update, Real
    | Player update, etc. were also installed. At that moment I had been
    | visiting the WSM Radio website looking to play some excerpts from the Grand
    | Ole Opry broadcasts. Since I went directly to grandoleopry.com (which
    | redirected to opry.com) and did not use a search engine this trip, I must
    | assume that the opry website is infected.

    | Also, about half an hour ago I did some Googling on "malvertising" and about
    | 10 or 12 entries down in the resultset I clicked on something that loaded a
    | scareware webpage portending to "scan" my computer and show lots of red
    | warnings. This is exactly the same page that appeared on my customer's (the
    | chef) computer.

    | I could NOT navigate away from the page, even by clicking the go-away button
    | (the X) on any open window in IE 8.0. I went to the Task Manager and shut
    | down IE from there.

    | I immediately did 3 root scans and found nothing. I also did not find any DNS
    | entries with HJT, nor any malware with a thorough MBAM scan.

    | This leads me to believe that Google's search engine itself is infected.


    Google's search engine is NOT infected and it is premature to deduce the Grand Ole Opry is
    infected.

    Google:
    Please research SEO Poisoning

    Grand Ole Opry:
    As I noted about malvertisements and Flash file redirects. If it is a case of
    malvertisement the web site does NOT get infected. The user browses the web site and gets
    advertisements. Some may be malvertisements and will redirect the viewer to a malicious
    web site. This redirection is NOT caused by the site you are viewing rather the site you
    are viewing pulls advertisements from 3rd party web sites and embedded in the Flash files
    are codes for redirection.
     
    David H. Lipman, Oct 3, 2010
    #18
  19. This is just the social engineering website that convinces one to
    install the malware (sometimes also an exploit server), since you didn't
    install (click your approval, or there were no successful exploits) the
    rogue, there is nothing to detect.
    That's a wrong conclusion IMO. Google's results may have been
    manipulated, but that is not an infection.
     
    FromTheRafters, Oct 3, 2010
    #19
  20. David Kaye

    ASCII Guest

    Maybe something like this would zap that hung browser
    http://ddhomepage.tripod.com/appswat.html
    ....or you could use the "Terminate All Programs" feature of Sandboxie.
    You do run any online applications sandboxed, don't you?
     
    ASCII, Oct 3, 2010
    #20
