The Kyle and Stan malvertising network has a much bigger reach than first reported—about nine times bigger.
In the two weeks since Cisco’s first report on the malicious ad distribution campaign, researchers had a chance to look closer at telemetry data, connect more dots and learn that nearly 6,500 malicious domains are involved—more than nine times the 703 originally reported. As a result, Cisco said that more than 31,000 connections have been made to these domains, more than three times the 9,541 originally reported.
Researchers Craig Williams and Armin Pelkmann were also able to trace the attack back to 2012, showing that it has been active much longer than the May start date originally reported.
“We think it’s been a reasonably successful campaign [for the attacker],” Williams said, adding that the numbers correspond to the number of times an attack was detected and blocked by a Cisco security device. “Considering the number of times we’ve seen it, we think it’s significant.”
Kyle and Stan stands out from other malvertising networks in that it has been able to drop ads on mammoth websites, including Amazon, and that there are Windows and Mac OS X flavors of the malware. Each time a victim is compromised, a unique spin on the malware is dropped on the machine, each with subtle differences in how it’s packed that result in the generation of a one-of-a-kind MD5 checksum, the researchers said.
Once a victim visits a website that is hosting the malicious ad, the browser is redirected twice, with the destination chosen from the browser header; Windows and Mac users are eventually sent to a URL hosting the malware built for their platform. At the final download URL, spyware/adware or a browser hijacker is either downloaded automatically to the machine, or the victim is tricked into installing it because it is bundled with legitimate software such as a media player.
“We’ve reversed the malware files, and there is a unique part in every file that makes the checksum that is computed completely different,” Pelkmann said. “There are sophisticated techniques being used to store and obfuscate data on the site. The attacker is deliberately using this to fool antivirus and other detection systems.”
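As an added illustration (not code from Cisco's report or this article), the following Python heuristic shows how a defender could spot both behaviours described above in proxy logs: the header-dependent redirect fork and a download URL that hands every visitor a file with a different hash, which is why a hash blocklist never catches up. The log lines, hostnames and MD5 values are constructed placeholders, not indicators from the report.

```python
from collections import defaultdict

# Constructed proxy log (hosts and MD5 values are placeholders, not real indicators).
# Fields: timestamp client platform url status md5-of-response-body ("-" if no body hashed)
SAMPLE_LOG = """\
2014-09-22T10:00:01 10.0.0.5 Windows http://ads.example/banner.js 302 -
2014-09-22T10:00:02 10.0.0.5 Windows http://dl-win.example/player-setup.exe 200 0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d
2014-09-22T10:03:11 10.0.0.9 Mac http://ads.example/banner.js 302 -
2014-09-22T10:03:12 10.0.0.9 Mac http://dl-mac.example/player.dmg 200 1111aaaa1111aaaa1111aaaa1111aaaa
2014-09-22T10:07:40 10.0.0.12 Windows http://ads.example/banner.js 302 -
2014-09-22T10:07:41 10.0.0.12 Windows http://dl-win.example/player-setup.exe 200 9f8e7d6c9f8e7d6c9f8e7d6c9f8e7d6c
2014-09-22T10:15:00 10.0.0.30 Windows http://cdn.example/jquery.min.js 200 cafebabecafebabecafebabecafebabe
2014-09-22T10:16:00 10.0.0.31 Mac http://cdn.example/jquery.min.js 200 cafebabecafebabecafebabecafebabe
"""


def parse_log(text):
    """Split each non-empty log line into a dict of its six fields."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, client, platform, url, status, md5 = line.split()
            rows.append({"ts": ts, "client": client, "platform": platform,
                         "url": url, "status": int(status), "md5": md5})
    return rows


def polymorphic_downloads(rows, min_fetches=2):
    """Return {url: [md5, ...]} for URLs whose every successful fetch had a new hash.

    A static file returns the same MD5 every time; a URL that repacks per visitor
    is the per-download uniqueness described above. Block the URL/host, not the hash.
    """
    seen = defaultdict(list)
    for r in rows:
        if r["status"] == 200 and r["md5"] != "-":
            seen[r["url"]].append(r["md5"])
    return {u: h for u, h in seen.items()
            if len(h) >= min_fetches and len(set(h)) == len(h)}


def platform_targets(rows):
    """Map each browser platform to the download hosts reached right after a 302."""
    targets = defaultdict(set)
    pending = {}  # client -> ad URL that answered with a redirect
    for r in rows:
        if r["status"] == 302:
            pending[r["client"]] = r["url"]
        elif r["status"] == 200 and pending.pop(r["client"], None):
            targets[r["platform"]].add(r["url"].split("/")[2])
    return dict(targets)
```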
Malvertising campaigns work because once an attacker gets a malicious ad onto a network—either by compromising a host that serves ads or by legitimately submitting an ad and paying the network to distribute it—the campaign can grow much more quickly than one spread through spam or phishing emails.
“It’s kind of the next evolution of malware. With a drive-by download, the attacker is stuck with the situation of how to get people to view the website; they can send out a massive email campaign, or get the malware embedded on a site somehow,” Williams said. “The latter is often the most successful. If you can get 1 percent of viewers to see your ad, you’ll have a high success rate versus that of a spam campaign.”
Consumers who are likely to have less than adequate detection technologies on their devices, or are apt to click through indiscriminately on a download, are most susceptible to malvertising infections.
“Ad Block would really help, or turning off JavaScript when there’s no need for it,” Williams said. “There are a lot of ways to go about it.”