Slashdot Mirror


New Stegano Exploit Kit Hides Malvertising Code In Banner Pixels (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: For the past two months, a new exploit kit has been serving malicious code hidden in the pixels of banner ads via a malvertising campaign that has been active on several high profile websites. Discovered by security researchers from ESET, this new exploit kit is named Stegano, from the word steganography, which is a technique of hiding content inside other files. In this particular scenario, malvertising campaign operators hid malicious code inside PNG images used for banner ads. The crooks took a PNG image and altered the transparency value of several pixels. They then packed the modified image as an ad, for which they bought ad displays on several high-profile websites. Since a large number of advertising networks allow advertisers to deliver JavaScript code with their ads, the crooks also included JS code that would parse the image, extract the pixel transparency values, and using a mathematical formula, convert those values into a character. Since images have millions of pixels, crooks had all the space they needed to pack malicious code inside a PNG photo. When extracted, this malicious code would redirect the user to an intermediary URL, called gate, where the host server would filter users. This server would only accept connections from Internet Explorer users. The reason is that the gate would exploit the CVE-2016-0162 vulnerability that allowed the crooks to determine if the connection came from a real user or a reverse analysis system employed by security researchers. Additionally, this IE exploit also allowed the gate server to detect the presence of antivirus software. In this case, the server would drop the connection just to avoid exposing its infrastructure and trigger a warning that would alert both the user and the security firm. If the gate server deemed the target valuable, then it would redirect the user to the final stage, which was the exploit kit itself, hosted on another URL.
The Stegano exploit kit would use three Adobe Flash vulnerabilities (CVE-2015-8651, CVE-2016-1019 or CVE-2016-4117) to attack the user's PC, and forcibly download and launch into execution various strains of malware.
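As an added, defender-side example (not code from the BleepingComputer or ESET write-ups): a heuristic that inspects the alpha channel of an RGBA PNG ad creative for the kind of tampering the summary describes, namely many pixels whose transparency is neither fully opaque nor fully transparent. The minimal PNG writer/reader and the two sample images are constructed for the demo, and the 1% threshold is an assumption to tune against real creatives.

```python
import struct
import zlib
def _chunk(tag: bytes, body: bytes) -> bytes:
    # One PNG chunk: length, tag, body, CRC32 over tag+body
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF)

def make_rgba_png(width: int, height: int, pixels: list) -> bytes:
    """Minimal 8-bit RGBA PNG writer (filter type 0 on every scanline); pixels = flat (r,g,b,a) list."""
    raw = b"".join(b"\x00" + bytes(v for px in pixels[y * width:(y + 1) * width] for v in px)
                   for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # depth 8, colour type 6 = RGBA
    return b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")

def png_alpha_values(data: bytes) -> list:
    """Alpha byte of every pixel in an 8-bit RGBA PNG with unfiltered scanlines; anything else is rejected."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 6):
                raise ValueError("only 8-bit RGBA is handled here")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length  # 4 length + 4 tag + body + 4 CRC
    raw, stride, alphas = zlib.decompress(idat), 1 + 4 * width, []
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        if line[0] != 0:
            raise ValueError("filtered scanline; use a full PNG decoder")
        alphas.extend(line[4::4])  # byte 0 is the filter type, then R,G,B,A per pixel
    return alphas

def alpha_anomaly_report(data: bytes, max_odd_fraction: float = 0.01) -> dict:
    """Heuristic check: banner art is normally fully opaque (255) or fully transparent (0).
    Many pixels with in-between alpha, and many distinct such values, suggest the channel
    may carry data and the creative deserves manual review before it is served."""
    alphas = png_alpha_values(data)
    odd = [a for a in alphas if a not in (0, 255)]
    fraction = len(odd) / len(alphas) if alphas else 0.0
    return {"pixels": len(alphas), "odd_alpha": len(odd), "distinct_odd": len(set(odd)),
            "fraction": fraction, "suspicious": fraction > max_odd_fraction}

# Constructed samples (not real ad creatives): a clean 8x4 opaque banner, and a copy where one
# row has alpha nudged just below 255, invisible to the eye but visible to the check.
CLEAN = make_rgba_png(8, 4, [(200, 30, 30, 255)] * 32)
TAMPERED = make_rgba_png(8, 4, [(200, 30, 30, 250 + i % 5) for i in range(8)] + [(200, 30, 30, 255)] * 24)
```

Run `alpha_anomaly_report(CLEAN)` and `alpha_anomaly_report(TAMPERED)` to compare the two reports; the check is only a triage signal, since legitimate anti-aliased edges also produce some intermediate alpha values.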

17 of 207 comments

  1. If if they say "Please!" by rmdingler · · Score: 5, Insightful
    Would you kindly disable Adblocker while visiting our site?

    Not no, hell no.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:If if they say "Please!" by Anonymous Coward · · Score: 2, Insightful

      That is an interesting way to say fuck you. Wish I had good options for ad blockers on Android. (Shut up APK)

      Firefox mobile for Android allows the ublock origin or adblocker plus extensions! It's the only way to surf. (no root needed)

    2. Re:If if they say "Please!" by johanw · · Score: 2

      Yes but there is more than ads in the browser. If you root your android you can install something like disable service and disable the ad and analytic services in Google Play Services, which will also get rid of most ads in apps.

  2. Yeah but... by fustakrakich · · Score: 5, Funny

    If you block the ad, you're a thief.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re: Yeah but... by Anonymous Coward · · Score: 3, Insightful

      I assume it's sarcasm... but that line does piss me off. Fucking short sighted ignorant pricks telling me to be subservient and just take this shit.

      People with DVRs aren't thieves somehow. Or people who mute their TV while ads are playing?

    2. Re: Yeah but... by ArchieBunker · · Score: 2, Informative

      How I choose to display the data on my screen is my business.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    3. Re:Yeah but... by UnknownSoldier · · Score: 4, Insightful

      Actually the ad is stealing MY bandwidth.

      So kindly fuck off with your trojan pixels.

    4. Re: Yeah but... by geekmux · · Score: 2, Interesting

      How I choose to display the data on my screen is my business.

      And how they deliver data to your screen for free is their business.

    5. Re:Yeah but... by hairyfeet · · Score: 4, Interesting

      I have the perfect comeback to those ignorant fucks..."Are YOU gonna accept responsibility and pay for any and all damages if your site serves malware? No? Then you are knowingly aiding and abetting malware vendors, kindly fuck off".

      If they want to be treated like legitimate businesses? Then they have to accept the responsibility legitimate businesses have. If a business doesn't secure their premises and cause harm to their patrons? They are responsible for the clean up, look at the mounds of money TJ Maxx and Target had to pay for their lack of security, but these websites want us to treat them as legitimate businesses show the same lack of responsibility as some fly by night topsite? Sorry can't have your cake and eat it too, either you have the same responsibilities as a real business or you don't deserve any more consideration than a cracksite or any other dodgy place on the wild web.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    6. Re:Yeah but... by fustakrakich · · Score: 3, Insightful

      Nothing we say is going to change a thing. It's best to just block them and move on. Let it be their problem.

      --
      “He’s not deformed, he’s just drunk!”
  3. Is malware like this proof of economic stagnation? by swb · · Score: 5, Insightful

    First of all, Jesus H. Christ, I'm continually amazed at the lengths people will go and the sheer brainpower employed in malware and hacking generally. I've gotten to the point where I go to hang a towel over the mirror in the bathroom because I'm worried someone has hacked the mirror and then figure, fuck it, they probably also hacked the towel.

    Secondly, is this level of malware sophistication evidence that there's economic stagnation?

    I'm assuming this is software designed to create botnets or measly bank account info or whatnot and the author(s) make some money but not griping about the lack of space for their megayacht next season at Monaco kinds of money.

    Is the fact that people do this kind of really clever shit for more or less ordinary income proof that the economy is in some way broken? I would think that people this smart, in a functional economy, would be in real demand to do productive economy kinds of things.

  4. Stegano Exploit Kit on Ads by b783719 · · Score: 2

    The summary was missing details, but this link explains a bit more.

    http://www.welivesecurity.com/...

    At least you'll know how it works. Also, go down to the list and see if you have at least one of those security products and it'll skip the payload. :)

  5. Re:Is this art now gone? by Khyber · · Score: 2

    Just use Chrome, which has its own Flash baked-in.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  6. Specific malicious domains from ESET by Anonymous Coward · · Score: 2, Informative

    See subject: A list of specific hosts from ESET's research to enter into your custom hosts file to protect vs. Stegano:


    FROM http://www.welivesecurity.com/...

    APK

    P.S.=> All I can say to ESET is "Good job guys, & Thank you - keep up the good work!"... apk

  7. technique presented some time ago as stegosploit by Gunstick · · Score: 2

    And that technique can go way further.
    https://www.youtube.com/watch?...

    --
    Atari rules... ermm... ruled.
  8. Miranda by MrMonty · · Score: 2

    Miranda

  9. Re:Is malware like this proof of economic stagnati by swb · · Score: 2

    I get that we'd always have people at the margin who have above average intelligence but otherwise fail to fit into a worker mold and wind up as criminals of varying levels of success. Usually, though, they seem to suffer from various other pathologies -- substance abuse, psychological defects, the kind of panoply of sociological misintegration that limits not only their legitimate success but their ability to make even life below the line very successful.

    Maybe there's just a correlation between high levels of computer skills and these same sociological maladjustments, and the medium provides an outlet previously unavailable which offers reduced risk and greater rates of success.