RSA 2016: Fingerprinting the latest twist used for malvertising attacks
Malwarebytes released a new study at RSA 2016 this week that looks into the updated techniques and technologies being used in malvertising campaigns that are proving particularly hard for security analysts and advertisers to spot.
The new technique used is fingerprinting, Malwarebytes senior security researcher Jerome Segura told SCMagazineUK.com at RSA. Fingerprinting uses a vulnerability in Internet Explorer's XMLDOM ActiveX control (CVE-2013-7331) that allows the code to search the computer to see whether it is a viable target.
This bit of code, in this case embedded in a GIF file included in an ad banner, checks the site out prior to launching an attack to see if it is protected by security software from one of the major security providers or if it is a honeypot. If the computer is not a potential target, the malware simply remains benign by not showing the malicious banner, Segura said. Bypassing these protected computers also helps the malware remain hidden from the security providers, allowing the malvertising campaigns to run undetected for extended periods of time.
In addition to spot-checking for security, this attack only works against genuine residential IP addresses. This helps ensure that it does not have to tangle with any enterprise-level defences.
Segura pointed out that the malvertising attacks are pervasive and can be found in dozens of ad networks, including some of the most popular, such as DoubleClick.
The United States and Canada have had the majority of infections so far, 41.7 percent and 13.7 percent respectively, and in most cases the end result is a ransomware attack that is downloaded via the Angler Exploit Kit, Segura said.