A malvertising campaign that’s lasted almost half a year is staying alive thanks to infected web advertisements being circulated by otherwise clean ad networks.
The campaign, now in its fifth month, relies on the Dynamic Domain Name System (DDNS) to keep it from being caught according to a report from Symantec’s Security Response blog that likens its relationship to a “never-ending story.”
Attackers have been leveraging the ads by inserting their own obfuscated JavaScript into ad network ads. The JavaScript helps attackers gauge whether or not victims are running older versions of Internet Explorer and from there, installs tracking cookies and redirects users to a sketchy domain of their choosing.
The domains change often – Symantec notes it’s seen the campaign filter users through more than 50 different URLs since its inception in October 2012.
Once guided to the site, the campaign recognizes the user’s build of Java so multiple JAR files can be dropped onto the system.
The JAR files target a handful of IE-related Java vulnerabilities (CVE-2012-4681 and CVE-2013-0422) and builds a dynamic-link library (DLL) which then allows attackers to download malware to the machine.
According to Cisco’s 2013 Annual Security Report issued last month, malvertising, the delivery of malware via online ads, “played a more significant role in web malware encounters in 2012 than in 2011,” with about 83 percent of malware on the web coming from malicious iframes and scripts last year.