14 Jan, 2019

Malvertising Hides Behind Legitimate Applications

Malvertising often rides on a legitimate application, allowing it to take actions that the user hasn't authorized - or worse.

"Malvertising" — the injection of malicious code into sites by placing ads — is a sneaky threat. It subverts sites which users think are trustworthy. Often just viewing the ad, without clicking on anything, is enough for it to have a nasty effect. Website protection methods need to guard against hostile code in third-party ads.

In one of our customer cleanups, we discovered a case where malvertising rides on a legitimate application. This one looks relatively harmless, but it takes actions that the user hasn't authorized, and the technique could easily do much worse things. It looks like a test of the scheme's effectiveness.
When 'No' Means 'Yes'
This isn't quite the usual form of malvertising. When a user tries to visit the affected site, a notification comes up instead. The user is asked to install a new version of Flash Player, with the usual encouragements Adobe would offer ("Super fast and user-friendly interface," etc.). The dialog presents two buttons, LATER and UPDATE. Both buttons do the same thing. They download the update from the Adobe Creative Cloud server. It's the real update. Some people may have reasons not to want to update Flash on their machines, but normally it's a good thing to do, or at least harmless.

What happens next is more troubling, though still not disastrous. The browser sends a GET request to a site which is a known distributor of malware. It gets back a count of infected machines. The malware site now has the IP address of the machine and knows the trick worked. The visitor never gets to view the website.

Advertisers could use a variant of this technique to inflate their click-through counts. If they collect advertising fees from a company whose products they're offering (e.g., Adobe), they get to count every "no" as a "yes" and collect payment for every visit to the site. We at Quttera flag that type of activity as a scam.

Just to be clear, Adobe was not involved in this deception, and the problem has nothing to do with the many bugs that have turned up in Flash over the years. The download could have been anything. It seems that the malware downloaded the file just to get a census of machines where the scheme succeeded.
Subverting jQuery
Before any of these events happened, the perpetrator had replaced jquery.js on the website with an altered version. Huge numbers of websites use jQuery, to the point that developers treat it almost as part of JavaScript's core functionality. Many of them share the same copy from a trusted server, such as jquery.com or googleapis.com. Others, such as this site, host their own copy.

When people are looking for malware, they often don't think of questioning jQuery. Just for that reason, it's been a popular target for years. If their anti-malware software says something is wrong in jQuery, users and even administrators might dismiss it as a false positive.

Defeating website security to infiltrate jQuery can happen in several ways. Malware may get a foothold on the site and alter jquery.js. It may then delete itself to avoid detection. Website software packages, such as plugins, may come with a version of jQuery which is already compromised. A download site may offer a malicious version, which site owners will install on their sites.

The deadliest are supply-chain attacks, where a bad version of a file gets onto a widely used distribution site for software. Even if it's caught quickly, this kind of attack can deliver malware to many sites that are eager to get the "new version." In one of the worst cases, the official site for a popular file cleaning tool held an infected version of the software, which many users downloaded. Ironically, it's often users' zeal to stay safe with the latest updates that puts them in danger.
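Whether the copy of jquery.js comes from a shared CDN, from a plugin bundle or from your own server, the browser-side way to make a tampered file fail closed is Subresource Integrity (SRI): the page records the expected digest of the script in its tag, and the browser refuses to execute a file whose digest differs. The Python below is an added example, not code from this post or from Quttera; it generates the integrity token, builds the pinned tag, and re-checks served bytes the way the browser does. The file contents, the path /js/jquery.js and the name PINNED_TOKEN are constructed stand-ins.

```python
"""Pin and re-check a hosted jquery.js with a Subresource Integrity (SRI) digest.

Added example; not code from the Quttera post. It assumes you keep the
pristine release file, and uses constructed stand-ins for its contents.
"""
import base64
import hashlib
import hmac

# The only digest algorithms the SRI specification allows in an integrity attribute.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_token(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity token, e.g. 'sha384-<base64 digest>', for the given bytes."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build the <script> tag that pins the file. A browser that fetches a file
    whose digest differs from the token refuses to execute it."""
    return (f'<script src="{src}" integrity="{sri_token(content)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(content: bytes, token: str) -> bool:
    """Re-check served bytes against a recorded token (the comparison the browser makes).
    An unknown or malformed token returns False rather than raising, so it can never 'pass'."""
    algo, sep, _ = token.partition("-")
    if not sep or algo not in SRI_ALGORITHMS:
        return False
    return hmac.compare_digest(sri_token(content, algo), token)


# Constructed stand-in for the pristine release file (not real jQuery source).
PRISTINE = b"/*! jQuery v3.3.1 (constructed stand-in) */\n!function(w){w.jQuery=function(){}}(window);\n"
# Constructed stand-in for the same file after someone appended code to it.
TAMPERED = PRISTINE + b"(function(){/* constructed stand-in for appended code */})();\n"

# Token recorded at deploy time, from the pristine file (name is a stand-in).
PINNED_TOKEN = sri_token(PRISTINE)

if __name__ == "__main__":
    print(script_tag("/js/jquery.js", PRISTINE))
    print("pristine passes:", verify_sri(PRISTINE, PINNED_TOKEN))
    print("tampered passes:", verify_sri(TAMPERED, PINNED_TOKEN))
```

The token has to be regenerated every time you legitimately upgrade jQuery, which is a feature: a file that changes without a matching change to the tag is exactly what you want to stop. The crossorigin attribute is required when the script is fetched from another origin such as a CDN; for a same-origin copy it is harmless.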
Service - With Something Extra
Legitimate downloads of Flash combined with not-so-legitimate actions are a popular malware trick. Some malware installs Flash but also installs cryptocurrency mining software. Users see that Flash has really been updated and passes all malware checks, and they relax. (See our posts on cryptojacking malware for more information.)

Flash's reputation as buggy, vulnerable software actually helps the fake installers. People know how important it is to install fixes to it, so they're eager to accept any update they see. Adobe plans to retire Flash completely in 2020. It has an antiquated code base which is difficult to maintain. There are better ways in HTML5 to perform the functions which Flash used to do. Users need to be wary of any popup dialog that offers to update Flash. The safe way to update it is through the browser's standard procedures.

When a dialog downloads Flash regardless of which button the user chose, there is little the user can do about it. Even disabling Flash won't help. The dialog is there only to make users think they must have clicked the wrong button, so that they're less suspicious.
Website Protection
Website security isn't easy to achieve and maintain. Owners need to make their sites as bulletproof as possible, but they can't assume they've succeeded.

Software should come only from legitimate, trusted sources. Anyone can offer a copy of jquery.js, but you should accept it only from an authorized site. Other sites may not intentionally offer tainted software, but they aren't always as good at their own site security.

Malware which infiltrates websites is often subtle. The goal isn't to do quick damage, but to spread to as many computers as possible and quietly gather information from them. It tries to be invisible, or it disguises itself as something beneficial.

Frequent scanning of a website is an effective form of protection. If the version of jQuery which it hosts doesn't match any release, something is wrong and needs prompt fixing. This is, by the way, one of several reasons why you shouldn't put custom modifications into jQuery. Scans won't be able to tell your changes from unauthorized hacks by someone else.
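For a self-hosted copy, the check described above can be scripted: hash the hosted jquery.js, compare it with the digests of the official releases, and when nothing matches, locate what was added or removed relative to the nearest release. The Python below is an added example, not Quttera's scanner or code from this post. It goes slightly beyond the paragraph in that it isolates a single edited region anywhere in the file (appended, prepended or spliced into the middle), not only code tacked onto the end. The release bodies, version labels and the appended segment are constructed stand-ins; a real allowlist is built by hashing the official release files.

```python
"""Scan a self-hosted jquery.js against known-release digests and locate what changed.

Added example; not the post's or Quttera's code. The release bodies and
digests are constructed stand-ins; a real allowlist would be built from
the official jQuery release files.
"""
import hashlib
from typing import Dict, Tuple


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def build_allowlist(releases: Dict[str, bytes]) -> Dict[str, str]:
    """Map each known release's digest to its version label."""
    return {sha256_hex(body): version for version, body in releases.items()}


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes the two files share."""
    n = 0
    limit = min(len(a), len(b))
    while n < limit and a[n] == b[n]:
        n += 1
    return n


def locate_change(pristine: bytes, hosted: bytes) -> Tuple[int, bytes, bytes]:
    """Isolate a single edited region by stripping the longest common prefix and
    suffix. Returns (offset, added_bytes, removed_bytes). The suffix scan is
    bounded so it can never overlap the prefix, which keeps the result correct
    for code appended, prepended or spliced into the middle of the file."""
    prefix = common_prefix_len(pristine, hosted)
    suffix = 0
    limit = min(len(pristine), len(hosted)) - prefix
    while suffix < limit and pristine[-1 - suffix] == hosted[-1 - suffix]:
        suffix += 1
    added = hosted[prefix:len(hosted) - suffix]
    removed = pristine[prefix:len(pristine) - suffix]
    return prefix, added, removed


def scan_hosted_script(hosted: bytes, releases: Dict[str, bytes]) -> dict:
    """Report 'clean' when the digest matches a release exactly. Otherwise pick
    the release sharing the longest prefix (the version banner usually survives
    an edit) and report what was added or removed relative to it."""
    allowlist = build_allowlist(releases)
    digest = sha256_hex(hosted)
    if digest in allowlist:
        return {"status": "clean", "version": allowlist[digest], "sha256": digest}
    closest = max(releases, key=lambda v: common_prefix_len(releases[v], hosted))
    offset, added, removed = locate_change(releases[closest], hosted)
    return {"status": "modified", "closest_release": closest, "sha256": digest,
            "offset": offset, "added": added, "removed": removed}


# Constructed stand-ins for two official release files (not real jQuery source).
RELEASES = {
    "3.3.1": b"/*! jQuery v3.3.1 (constructed stand-in) */\n!function(w){w.jQuery=function(){}}(window);\n",
    "3.4.1": b"/*! jQuery v3.4.1 (constructed stand-in) */\n!function(w){w.jQuery=function(){}}(window);\n",
}
# Constructed stand-in for code someone appended to the hosted 3.3.1 copy.
APPENDED = b"(function(){/* constructed stand-in for appended code */})();\n"
TAMPERED = RELEASES["3.3.1"] + APPENDED

if __name__ == "__main__":
    for label, body in (("hosted 3.4.1", RELEASES["3.4.1"]), ("hosted tampered", TAMPERED)):
        report = scan_hosted_script(body, RELEASES)
        print(label, "->", report["status"], report.get("version") or report.get("closest_release"))
        if report["status"] == "modified":
            print("  added at byte", report["offset"], ":", report["added"])
```

Run this on a schedule and alert on any "modified" result. It is also the concrete reason the paragraph gives for leaving jquery.js untouched: a local customisation produces exactly the same report as an unauthorised edit, so the scanner cannot distinguish the two.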

Signing up for ThreatSign gives your website that protection. Prompt detection of problems and malware removal will greatly reduce the chance of malvertising and other harm to your users. Trust in your site remains high, and your visitors can view it or make e-commerce purchases without interference. It's a good investment in website security.