
YouTube Ads Lead To Exploit Kits, Hit US Victims

RainfallWithin

Article from blog.trendmicro.com and written by Joseph C Chen: http://blog.trendmicro.com/trendlabs-security-intelligence/youtube-ads-lead-to-exploit-kits-hit-us-victims/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Anti-MalwareBlog+%28Trendlabs+Security+Intelligence+Blog%29

 

Malicious ads are a common method of sending users to sites that contain malicious code. Recently, however, these ads have showed up on a new attack platform: YouTube.

 
Over the past few months, we have been monitoring a malicious campaign that used malicious ads to direct users to various malicious sites. Users in the United States have been affected almost exclusively, with more than 113,000 victims in the United States alone over a 30-day period.
 
Figure 1. Countries affected by this malicious ad campaign
 
Recently, we saw that this campaign was showing up in ads via YouTube as well. This was a worrying development: not only were malicious ads showing up on YouTube, they were on videos with more than 11 million views – in particular, a music video uploaded by a high-profile record label.
 
The ads we’ve observed do not directly lead to malicious sites from YouTube. Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers.
 
In order to make their activity look legitimate, the attackers used the modified DNS information of a Polish government site. The attackers did not compromise the actual site; instead they were able to change the DNS information by adding subdomains that lead to their own servers. (How they were able to do this is unclear.)
 
The traffic passes through two redirection servers (located in the Netherlands) before ending up at the malicious server, located in the United States.
 
The exploit kit used in this attack was the Sweet Orange exploit kit. Sweet Orange is known for using four vulnerabilities, namely:
 
CVE-2013-2460 – Java
CVE-2013-2551 – Internet Explorer
CVE-2014-0515 – Flash
CVE-2014-0322 – Internet Explorer
 
Based on our analyses of the campaign, we were able to identify that this version of Sweet Orange uses vulnerabilities in Internet Explorer. The URL of the actual payload constantly changes, but they all use subdomains on the same Polish site mentioned earlier. However, the behavior of these payloads is identical.
 
The final payloads of this attack are variants of the KOVTER malware family, which are detected as TROJ_KOVTER.SM. This particular family is known for its use in various ransomware attacks, although they lack the encryption of more sophisticated attacks like Cryptolocker. The websites that TROJ_KOVTER.SM accesses in order to display the fake warning messages are no longer accessible.
 
Users who keep their systems up to date will not be affected by this attack, as Microsoft released a patch for this particular vulnerability in May 2013. We recommend that users read and apply the software security advisories by vendors like Microsoft, Java, and Adobe, as old vulnerabilities are still being exploited by attackers. Applying the necessary patches is an essential part of keeping systems secure. Backing up files is also a good security practice to prevent data loss in the event of an attack like this.
 
With additional insight from Rhena Inocencio
 
The following hashes are detected as part of this attack:
 
 
We have already notified Google about this incident.

 

Personal Thoughts

I believe that Google will purposefully take as long as it can to solve this situation, as a result of them making money from the whole process.

 

This topic was explained by Linus on 17th October 2014 WAN Show: http://youtu.be/77ovvCwN-sA?t=1h10m40s
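The redirect chain the article describes (ad click, two ad networks, two redirect servers, then an unexpected subdomain of an otherwise legitimate domain) is something a defender can look for in proxy logs. The following is an added example, not code from the Trend Micro post or from anyone in this thread; the log records, hostnames and the subdomain allowlist are constructed placeholders, and the hop threshold is an assumed tuning value.

```python
from collections import defaultdict
from urllib.parse import urlparse
# Constructed proxy records (client, requested URL, Referer); no real indicators.
LOG = [
    ("10.0.0.5", "https://www.youtube.com/watch?v=abc", ""),
    ("10.0.0.5", "https://ads1.example-adnet.net/click?id=1", "https://www.youtube.com/watch?v=abc"),
    ("10.0.0.5", "https://ads2.example-adnet.org/go", "https://ads1.example-adnet.net/click?id=1"),
    ("10.0.0.5", "http://r1.example-redirect.nl/x", "https://ads2.example-adnet.org/go"),
    ("10.0.0.5", "http://r2.example-redirect.nl/y", "http://r1.example-redirect.nl/x"),
    ("10.0.0.5", "http://zx9q.gov-site.example/landing", "http://r2.example-redirect.nl/y"),
    ("10.0.0.5", "http://zx9q.gov-site.example/payload.exe", "http://zx9q.gov-site.example/landing"),
    ("10.0.0.7", "https://www.gov-site.example/news", ""),
]
# Placeholder allowlist: the subdomains a trusted apex domain is expected to have.
TRUSTED_SUBDOMAINS = {"gov-site.example": {"www", "mail"}}
AD_HOST_SUFFIXES = ("example-adnet.net", "example-adnet.org")  # known ad networks

def unexpected_subdomain(h):
    # True when h hangs off a trusted apex but is not one of its known subdomains.
    a = ".".join(h.split(".")[-2:])  # naive apex; real code uses the public suffix list
    if a not in TRUSTED_SUBDOMAINS or h == a:
        return False
    return h[: -len(a) - 1] not in TRUSTED_SUBDOMAINS[a]

def build_chains(log):
    # Follow Referer links per client; each leaf URL (never a Referer) yields one chain.
    refs = defaultdict(dict)
    for client, url, ref in log:
        refs[client][url] = ref
    chains = []
    for client, r in refs.items():
        for url in set(r) - set(r.values()):
            chain, cur = [], url
            while cur and cur not in chain:
                chain.append(cur)
                cur = r.get(cur, "")
            chains.append((client, chain[::-1]))  # oldest request first
    return chains

def suspicious_chains(log, max_benign_hops=2):
    # Flag: entered via an ad network, unusually many hops, and an unknown subdomain of a trusted domain.
    hits = []
    for client, chain in build_chains(log):
        hosts = list(dict.fromkeys(urlparse(u).hostname or "" for u in chain))
        bad = [h for h in hosts if unexpected_subdomain(h)]
        via_ad = any(h.endswith(AD_HOST_SUFFIXES) for h in hosts)
        if bad and via_ad and len(hosts) - 1 > max_benign_hops:
            hits.append({"client": client, "hops": len(hosts) - 1, "unexpected": bad, "final": chain[-1]})
    return hits
```

The allowlist check is what catches the "added subdomains on a legitimate site" trick; without it a chain through genuine ad networks looks like any other ad click.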


Yet another reason to use an adblocker.

Or don't use an adblocker and be careful not to click on ads or links when you don't know where they will take you.


Or use adblock. 

...and contribute to one of the reasons why these ads exist -_-

My PC:


4670k      GTX 760 ACX      CoolerMaster Hyper 412s      Fractal Design Node 804      G1 Sniper M5      Corsair RM 650      WD Red 1TB     Samsung 840 Evo 120GB


Or don't use an adblocker and be careful not to click on ads or links when you don't know where they will take you.

Invisible ads

 

 

They're a thing... you can accidentally click on them.

 

Plus, I just don't want to see them at all. I watch perfectly LEGAL TV sites and they have pop-up ads that annoy the crap out of me; I just don't want them at all.

 

 

BTW, I have adblock disabled on LTT.

My Car: http://linustechtips.com/main/topic/274320-the-long-awaited-car-thread/?p=4442206


CPU: i5 4590 |Motherboard: ASRock H97M PRO4|Memory: Corsair Vengance 8gbs|Storage: WD Caviar Blue 1TB|GPU: ZOTAC GTX 760 2gb|PSU: Thermaltech TR2 500W|Monitors: LG24M35 24" & Dual 19"|Mouse:Razer DeathAdder 2013 with SteelSeries Qck mini|Keyboard: Ducky DK2087 Zero MX Red|Headset: HyperX Cloud|Cooling: Corsair 120mm blue LED, Lepa vortex 120mm, stock 120mm|Case:Enermax Ostrog Blue Windowed


 


...and contribute to one of the reasons why these ads exist -_-

But with adblock, I won't see them. So they can exist; it doesn't hurt me. And if I were to stop using adblock, I could use Ghostery, which does the exact same, somewhat.

 

 


But with adblock, I won't see them. So they can exist; it doesn't hurt me. And if I were to stop using adblock, I could use Ghostery, which does the exact same, somewhat.

 

 

sure, if you want to be a dick to the people who work hard to make the content that entertains you.

 

Boom



BTW, I have adblock disabled on LTT.

 

I'll do the same as soon as they get rid of all the analytics and tracking junk. Don't want none of that and I'm more than happy to pay a fee to make up for blocking the ads.

 



Until the advertising networks get this under some control, I will have full adblock active; no whitelist, no exception!

Read the community standards; it's like a guide on how to not be a moron.

 

Gerdauf's Law: Each and every human being, without exception, is the direct carbon copy of the types of people that he/she bitterly opposes.

Remember, calling facts opinions does not ever make the facts opinions, no matter what nonsense you pull.


sure, if you want to be a dick to the people who work hard to make the content that entertains you.

I am only entertained by potatoes. So yeah.

 

 


I am only entertained by potatoes. So yeah.

If you are entertained by potatoes, I have to ask: how did you get adblock on an Xbox or PlayStation? :P


Personal Thoughts

I believe that Google will purposefully take as long as it can to solve this situation, as a result of them making money from the whole process.

I don't think so. I had seen the same ads for ages before I used adblock, and Google has done nothing about them.


If you are entertained by potatoes, I have to ask: how did you get adblock on an Xbox or PlayStation? :P

My PS3 runs Linux, so that should help.

 

 


Or don't use an adblocker and be careful not to click on ads or links when you don't know where they will take you.

Or use adblock and stop companies trying to sell you shit, or now seeing fucking Justin Bieber when watching music...


Who in the hell clicks on ads anyway? If you're interested in it, google it.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


Don't click on ads on YouTube, full stop. Watch them, give people money, don't give the advertisers the money.

Beneath this mask there is more than flesh. Beneath this mask there is an idea, Mr. Creedy, and ideas are bulletproof.

As I get older I get angrier more cynical, meaner. I feel some warning posts coming. I feel a ban coming. I was warned.

CPU-i5 2400 GPU-Sapphire Radeon HD 7970 OC Mobo-H67MA-D2H-B3 Ram-G.Skill Ripjaws 8gb 1333mhz Case-Fractal Define R4 PSU-Corsair CX750 Storage-Samsung EVO 250gb, 1tb WD Black,Hitachi 1tb Other stuff-Corsair K90, M90 Cooling-3x 140mm Fractal fans Sound-Sennheiser HD438 headphones

I'll do the same as soon as they get rid of all the analytics and tracking junk. Don't want none of that and I'm more than happy to pay a fee to make up for blocking the ads.

 

The NewRelic and Google Analytics are simply used to track site usage statistics and monitor the site's usage and performance.

The Google adsense cookie gives personalised ads to you; you can opt out of it at http://www.google.com/ads/preferences

The Facebook and G+ cookies are to allow the "Like" and "+1" buttons at the bottom of the site to function, although I'm not aware of anyone who uses them.

 

As for the story, this is very worrying. I had thought that Google reviews all sites that publish Google ads (and reviews the ads themselves) to make sure that they are free of malware and are safe to be directed to. The fact that this has got past their system, however they managed it, is not a good sign, and potentially indicates that there may be more similar malware out there on even the biggest legitimate sites that is yet to be discovered.

HTTP/2 203


 

Personal Thoughts

I believe that Google will purposefully take as long as it can to solve this situation, as a result of them making money from the whole process.

 

I think that is counterproductive for them; they don't want to get a reputation for having malware in their ads, because if it becomes a bigger issue websites will switch to other advertisers, and then the ad space they sell will be worth less. They stand to lose much more money if this is not resolved quickly.

System CPU : Ryzen 9 5950 doing whatever PBO lets it. Motherboard : Asus B550 Wifi II RAM 80GB 3600 CL 18 2x 32GB 2x 8GB GPUs Vega 56 & Tesla M40 Corsair 4000D Storage: many and varied small (512GB-1TB) SSD + 5TB WD Green PSU 1000W EVGA GOLD

 

You can trust me, I'm from the Internet.

 


...and contribute to one of the reasons why these ads exist -_-

Ads existed before adblock, not vice versa, lol. Explain how use of adblock makes people create malicious ads, please; I'm all ears.

Connection200mbps / 12mbps 5Ghz wifi

My baby: CPU - i7-4790, MB - Z97-A, RAM - Corsair Veng. LP 16gb, GPU - MSI GTX 1060, PSU - CXM 600, Storage - Evo 840 120gb, MX100 256gb, WD Blue 1TB, Cooler - Hyper Evo 212, Case - Corsair Carbide 200R, Monitor - Benq  XL2430T 144Hz, Mouse - FinalMouse, Keyboard -K70 RGB, OS - Win 10, Audio - DT990 Pro, Phone - iPhone SE


sure, if you want to be a dick to the people who work hard to make the content that entertains you.

What about all the ads that are dicks? Like the HELLO ad...

My profile pic is the game i'm currently playing. I hope i remember to change it..

