Malvertising: A New Form of Exploit Where No Website Is Safe

When browsing the Internet, one might not consider that threats may be present on the more commonly visited websites, cleverly hidden by their creators. However, the recent actions of a particular exploit kit prove that threats have the potential to hide just about anywhere.

The exploit kit in question, Stegano, was found to be hiding its payload in the banner ads of high profile news websites.

Stegano operates by hiding in plain sight, so to speak, concealing its malicious code inside a PNG image’s Alpha Channel. This image was then spread as an advertisement banner through many advertising mediums, promoting applications called “Broxu” and, somewhat ironically, “Browser Defense.” What’s even worse, Stegano only requires the user to visit a page that is displaying the malicious advertisement to infect them, some of them being trusted news sites.

Once the site is accessed, Stegano automatically collects information about the visitor’s computer and sends it back to the attacker. If the visitor is running Microsoft’s Internet Explorer, a vulnerability in the browser will silently redirect it to another website. This second website utilizes Flash Player exploits to collect information regarding the target’s security measures, checks that it’s not being monitored, then downloads its payload as a gif image. Once downloaded, the payload is decrypted and launched, typically delivering multiple trojans, backdoor exploits, spyware, and the means to access and steal files from the host system.

This entire process is handled within 2-3 seconds, making it nearly impossible for a user to notice and react preventively. So, how does one protect themselves against a threat that actively camouflages itself on trustworthy sites? Simply by making sure one’s software is fully up-to-date. Windows 10 utilizes Windows Update to automatically push security updates, and a user has the ability to double-check that all updates have been downloaded on the Windows Update settings screen. Once they’ve navigated to the Windows Update settings, they will be able to confirm that their system is up-to-date, or identify which updates are available to them.

Third-party apps might be a little trickier to keep track of, as there is no standard method of announcing that an update is available. However, some will automatically update themselves whenever possible, and there are a variety of tools available to help you keep track of those that don’t.

Since these attacks were discovered, Adobe has released patches to disable those Flash Player exploits that allowed Stegano to operate. Beyond installing these patches, there’s relatively little else that a user can do to stop Stegano, which means that diligence in your monitoring and maintenance practices is a necessity. By keeping your apps updated, and keeping an eye out for any new updates as they are released, you help to ensure that your business remains safe from any new vulnerabilities that have reared up.

If you’re currently a client of Directives, you have little to worry about. We ensure our clients have the latest stable updates and security patches.