Malvertizing Oracle-Sun

Over the past couple months, some advertising networks have been distributing ads that redirect browsers to sites hosting exploits.

Spotify’s advertising network was most recently outed (note that the malicious content came from the third-party banner ads rotating through the client’s ad frames). Most of the redirections we have been monitoring have sent users to a variety of servers in the .cc TLD. We have been working with providers to ensure the ads are no longer on their networks, but the groups have been active in rotating malvertizing banners through multiple networks.

The hits on these ads have, for the most part, redirected browsers to Java, Adobe and Microsoft HCP related exploits. We detect this exploit content under a variety of names: Exploit.Java.CVE-2010-0840.a-f, Trojan-Downloader.Java.Openconnection.dt, Trojan.Win32.FakeWarn.d, Exploit.HTML.CVE-2010-1885.aj, Exploit.Script.Generic, Exploit.JS.Pdfka.cwm, Exploit.JS.Pdfka.dhm and more. All are part of the Blackhole Exploit kit. At some point, our broader protection kicks in and blocks connections to the web pages altogether.

Most of the redirects we saw early on came from unusual adult-interest sites, but the distributors have become more aggressive and have managed to rotate their ads through major IM, webtailers’ regional sites and webmail provider sites too. At least that group of ads seems to have been dealt with properly. However, unpatched and unprotected systems are still being successfully exploited and are downloading a variety of malware from these sites, including FakeAv, the more serious TDSS rootkit, and the Papras and Zbot banking credential stealers, among others.

The Blackhole exploit kit may not have the largest install base online, but its hosters are abusing some of the bigger advertising networks to co-ordinate redirection to their exploit pages on these .cc servers, so detections for their Java, pdf and hcp exploits are very high. During periods of higher activity, every eight hours our KSN network counts the prevention of a very high volume of attacks from .cc domains.
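The redirect chain described above (ad-network banner, landing page in the .cc TLD, then a Java or PDF exploit fetch) is the pattern a defender would hunt for in web proxy logs. The following detection script is an added example, not code from the original post or from Kaspersky; the log format is a simplified, constructed one and every host name in it is a placeholder, not a real indicator.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample proxy log (placeholder hosts): timestamp client_ip status requested_url referrer_url
SAMPLE_LOG = """\
2011-03-25T10:02:11Z 10.0.0.5 302 http://ads.adnet-placeholder.test/banner?id=7 http://im.client-placeholder.test/
2011-03-25T10:02:12Z 10.0.0.5 200 http://a1b2c3.landing-placeholder.cc/index.php?tp=1 http://ads.adnet-placeholder.test/banner?id=7
2011-03-25T10:02:13Z 10.0.0.5 200 http://a1b2c3.landing-placeholder.cc/games/loader.jar http://a1b2c3.landing-placeholder.cc/index.php?tp=1
2011-03-25T10:07:40Z 10.0.0.9 200 http://news.placeholder.test/story http://www.placeholder.test/
2011-03-25T10:08:01Z 10.0.0.9 302 http://ads.adnet-placeholder.test/banner?id=9 http://mail.client-placeholder.test/
2011-03-25T10:08:02Z 10.0.0.9 200 http://x9y8.landing-placeholder.cc/index.php?tp=2 http://ads.adnet-placeholder.test/banner?id=9
2011-03-25T10:08:03Z 10.0.0.9 200 http://x9y8.landing-placeholder.cc/files/doc.pdf http://x9y8.landing-placeholder.cc/index.php?tp=2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+)$")
SUSPICIOUS_TLDS = {"cc"}           # the post reports landing pages in the .cc TLD
PAYLOAD_EXT = (".jar", ".pdf")     # Java and PDF exploit files named in the post

def parse_log(text):
    """Yield (ts, client, status, url, referrer) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def find_redirect_chains(text, ad_hosts):
    """Flag requests to a suspicious TLD whose referrer is a known ad-network host,
    then attach any follow-up payload fetches referred from that landing page."""
    chains, landing_urls = [], {}
    for ts, client, _status, url, ref in parse_log(text):
        host, ref_host = host_of(url), host_of(ref)
        if ref_host in ad_hosts and host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            chain = {"client": client, "ad_url": ref, "landing": host, "payloads": []}
            chains.append(chain)
            landing_urls[(client, url)] = chain
        elif (client, ref) in landing_urls and url.lower().endswith(PAYLOAD_EXT):
            landing_urls[(client, ref)]["payloads"].append(urlparse(url).path)
    return chains

def landing_host_counts(chains):
    """Per-landing-host tally, the figure an analyst would trend over time."""
    return Counter(c["landing"] for c in chains)

if __name__ == "__main__":
    for c in find_redirect_chains(SAMPLE_LOG, {"ads.adnet-placeholder.test"}):
        print(c)
```

The ad-host allowlist is the knob: seeding it with the ad networks your users actually see keeps benign .cc traffic from raising alerts, while still surfacing the banner-to-landing-to-payload sequence the post describes.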
