Is This Malware 'South Park'-Inspired?

Malicious advertising, or malvertising, continues to pose a profound hazard, making visits to some of the Internet’s most popular websites a dicey proposition.

Cisco researchers have identified a criminal ring, christened the “Kyle and Stan” Malvertising Network (a likely reference to two of the main characters on “South Park”), that distributes sophisticated, mutating malware to Windows and even Mac computers.

Malicious ads that come and go are systematically appearing on amazon.com, ads.yahoo.com, www.winrar.com, youtube.com and 74 other domains, many of them high-traffic ones, listed here.

Since about 2007, cybergangs have been spreading infections designed to implant a back door giving them full control of your computing device. This happens imperceptibly when you click to an infected Web page. Lately, they’ve been embedding such infections in online ads, and paying for these malvertisements to appear in a sporadic pattern that’s difficult to defend.

This technique poses an insidious risk. The malicious code stealthily redirects victims to a website controlled by the attacker that’s poised to download malware onto the computing device.

“The attackers are purely relying on social engineering techniques, in order to get the user to install the software package,” reports Cisco researcher Armin Pelkmann. “The impressive thing is that we are seeing this technique not only work for Windows, but for Mac operating systems alike.”

Amazon Source

Amazon continues to be be a major source of malicious ads. This is not a surprise for IT security professionals. The U.S. was a top destination of malware in the world in the fourth quarter of 2013, according to a Washington Post news story.

The Post found that Amazon Web Services hosted four of the biggest malware-hosting sites, which represented 6% of all malware in the fourth quarter of 2013. Of the global hosting providers, Amazon had the biggest concentration of malware.

Although Amazon has tried to stop malware from being distributed through its hosting network, cybercriminals are still using Amazon’s cloud service not only to host malware but also to crack passwords.

The top search engines — Google and Microsoft Bing — haven’t been standing pat. Their Web crawlers, which continually index billions of Web pages, are tuned to blacklist any Web page carrying malicious content. This has substantially reduced the number of tainted pages that turn up in the answers to search queries.

What’s more, all the major antivirus vendors, from Symantec and McAfee on down, maintain Web crawlers specifically seeking out infected pages and adding them to blacklists fed into their virus-scanning services.

Playing Possum

Of course, the bad guys have swiftly jumped ahead. The latest Web infections are designed to play possum when a search engine or antivirus Web crawler comes calling. Bad guys do this by employing a blacklist of their own, one that contains the known IP addresses of the good-guy crawlers.

They also continue to look for smaller websites where it’s still possible for them to easily seed an infection directly onto a poorly defended Web page.

Borrowing targeting technology from the advertising industry, the bad guys are also customizing when — and to whom — they deliver malicious ads.

“Protecting ad network infrastructure is a hard problem to solve,” says Matt Huang vice president of product management at messaging security vendor Proofpoint. “The ad ecosystem is so big with such sophistication that it’s hard to pin point which party in the ad serving chain is ultimately responsible for the malicious ad.”

It’s often the case that the website that displays the ad and the end user who sees the ad have “no control over what ads will be displayed.” Huang says. “This becomes a perfect playground for attackers. The technology is readily available, the cost is cheap, and the impact is not only great, but can be precisely targeted.”

No doubt the gang behind the “Kyle and Stan” malvertising network agree.

What can you, as an individual do? Keep your antivirus software updated, and for that matter, keep all updates related to your browser, operating systems and key applications current. Updating your software is necessary because the bad guys are continually ferreting out security holes, which the good guys then patch. This cycle shows no signs of ending any time soon.

Also, use the scanning system that comes with your antivirus suite. It will stop the lion’s share of the known websites being used to send malware to victims’ computing devices.