17 Apr Boston Aftermath Michael
10 Jan Java 0day Mass Exploit Distribution Kurt Baumgartner
07 Feb Malicious ads on security websites Dmitry Bestuzhev
15 Jul The most innocent as vectors to increase the Pay-per-Click business Jorge Mieres
04 May Malvertising on ImageShack David Jacoby
26 Mar Malvertizing Continued - Spotify's Ad Networks Outed Kurt Baumgartner
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
While many are still in shock after the Boston Marathon bombings on 16 April, it didn't take long for cyber criminals to abuse that tragic incident for their dirty deeds.
Today we already started receiving emails containing links to malicious locations with names like "news.html". These pages contain URLs of non-malicious youtube clips covering the recent event. After a delay of 60 seconds, another link leading to an executable file is activated.
The malware, once running on an infected machine, tries to connect to several IP addresses in Ukraine, Argentina and Taiwan.
Kaspersky Lab detects this threat as "Trojan-PSW.Win32.Tepfer.*".
MD5sums of some of the collected samples:
Our thoughts and prayers are with our colleagues in Massachusetts and others affected by the tragic events in Boston.
Just a quick note, it's only the second week of January, but early 2013 brings with it the first Java 0day mass exploit distribution of the year.
There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem. We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites. A few obfuscated files are being delivered to victim systems with names like Stretch.jar, Edit.jar, UTTER-OFFEND.JAR, and more. The first appearance of the exploit's prevention in our KSN community seemed to be January 6th. But as we dig back further, we find related samples from mid-December. So, we have been preventing this 0day in particular for quite some time. At this point, it seems that the first instance of the particular 0day jar file contents ITW is 7550ce423b2981ad5d3aaa5691832aa6. Filenames for the class files remain the same until recently. It would be interesting to see an earlier instance.
Update (2012.01.10 3:30 p.m. MT) - Metasploit developers have added an exploit module targeting this vulnerability CVE-2013-0422.
It is clear that cybercriminals do not have any code of ethics. Consequently, even the most innocent are not exempt from a malicious attacker’s perspective, and are often used as a means to allow them to generate higher economic returns, in this case, through the abuse of clicks.
The following image provides clear evidence of this. Designed with an interface that’s "user friendly" for kids, this website invites you to download a threat detected by Kaspersky Lab as not-a-virus: AdWare.Win32.BHO.tbz.
Today while conducting research on the alleged Latvian power hack, I came across some interesting malvertising on imageshack, where pictures of the purported hack have been hosted.
Advertising on the page loads a exploitable Java vulnerability that Kaspersky recognizes as Exploit.HTML.CVE.2010-4452.m, which then tries to download Trojan.win32.TDSS.cgir. TDSS as some of you may recognize is a rootkit that can access Windows at its lowest levels and can prove extremely difficult to remove.
Upon opening the page, the advertisement loads, and a connection to http://--removed--ediagroup.com/enc/jv.html is made. This launches the actual exploit. A second page http://--removed--ediagroup.com/load.php?2 is loaded which drops the Trojan containing the TDSS malware.
Kaspersky already detects both the exploit, as well as the Trojan payload. This serves as a reminder of the importance of keeping your Anti-virus up to date.
We will update with further details as they become available.
Spotify's advertising network was most recently outed (note that it is the third party banner ads rotating through the client's ad frames). Most of the redirections we have been been monitoring have sent users to a variety of servers in the .cc TLD. We have been working with providers to ensure the ads aren't on their networks, but the groups have been active in rotating malvertizing banners through multiple networks.