Malvertising at the watering hole…

The basic definition of malvertisement is:

an online advertisement that carries malicious code.

A legitimate website covers its operating costs by displaying ads served by advertising clearing houses (ad networks). The actual ad is downloaded in the background by your browser, usually from a third-party server rather than from the site you are visiting, and rendered somewhere in the page, often beside the main content, but it can be anywhere, including a pop-up.

The ads can be useful to some people and are mostly annoying to others. It is a business model in which you receive “free” content and the website earns the money to keep operating. You don’t need to click on the link in the ad to generate income for the website; merely displaying the ad (an impression) earns something, and the payout increases if and when the visitor clicks.

So, what’s wrong with this business model? The short answer is… nothing. The long answer…

The advertisement clearing houses take on clients more or less indiscriminately, since their income depends on clients buying ad space. Clearing houses also resell client ads to other clearing houses, and advertising agencies sell ads into these clearing houses in turn. The cross-selling is driven by reach: some clearing houses have more publisher websites than others, and in targeted advertising it matters which website(s) will display the ad(s). By the time the advertisement reaches the website you are viewing, it may have originated in the US, Europe, Asia, etc., and passed through 6-10 online advertising companies.

The problem is that few, if any, of these companies, the website where the ad is displayed included, inspect the ad content for malicious code. As such, hackers love this venue for distributing their malware. They create an ad that mimics a legitimate product, embed their malicious code in it (typically a script that sends the browser to an exploit page), and purchase ad time on the targeted website through the clearing house network. Although there is a link in their ad, you don’t need to click it for the malware to execute: the ad content loads in the background as the website loads, a so-called drive-by download, and your system can be compromised before you have finished reading the page.

So, what can you do against malvertisement-based attacks? After all, like most people, you are not going to give up visiting your favorite sites…

Notifying the website in question doesn’t do much good, especially after your system has already been infected. The best a notification can achieve is that the malvertisement is removed from the website, which prevents other visitors from getting infected. The hackers will simply purchase ad time again under a different fake brand name, using the same malware or a new one.

Antivirus doesn’t provide much protection against malware in advertisements either, since the malware being used is usually not yet known to the vendors. Once it is known and blocked, the hackers create a new variant, and the perpetual cycle of unknown-to-known malware begins again…

So, does that mean there isn’t really much one can do, other than staying off the internet? No, not really…

Let’s look at how the malware in a malvertisement works. The “payload” exploits known vulnerabilities in several different applications. Several, as in most of this malware will try exploiting 3-4 different vulnerable applications. Here’s a list of vulnerabilities that were exploited in a recent malvertisement:

  • CVE-2013-2551 (Internet Explorer)
  • CVE-2014-0322 (Internet Explorer)
  • CVE-2010-0188 (Adobe PDF Reader)
  • CVE-2013-2460 (Java)
  • CVE-2014-0497 (Flash)
The underscored first four-digit group in a CVE number is the year the identifier was assigned (normally the year the vulnerability was reported or disclosed), not necessarily the year it was discovered. The second group is a sequence number within that year, shared across all applications, operating systems, etc.; it says nothing about the product, and since 2014 it can be longer than four digits.

The list above is a mixture of old and new vulnerabilities that the malware will try to exploit in the corresponding applications. Once one exploit has succeeded, the malware stops trying the rest. The order of the list in this blog is arbitrary; it does not indicate the order in which the malware actually tries them.
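The chain described above (ad network hops ending in a page that hands the browser a Java archive, a PDF or a Flash file) leaves a trace in a web proxy log, and that is where a defender can look for it. Here is an added example, not part of the original post, that walks each such payload fetch back through its referer chain and flags fetches that arrived via several third-party hosts on the way from the page the user actually opened. The log format, the field names and every host in it are constructed for illustration.

```python
"""Flag payload fetches that arrived through a malvertising-style redirect chain.

Added example, not part of the original post. The log format, the field
names and every host below are constructed for illustration.
"""
import re
from collections import defaultdict

# Content types an exploit page hands the browser for the plugins named
# in the post (Java, PDF reader, Flash).
PAYLOAD_CONTENT_TYPES = {
    "application/java-archive",
    "application/x-java-archive",
    "application/pdf",
    "application/x-shockwave-flash",
}

# Constructed proxy log: "<time> <client> <status> <content-type> <url> referer=<url|->"
SAMPLE_LOG = """\
2014-03-10T09:12:01 10.0.0.5 200 text/html http://news.example/story referer=-
2014-03-10T09:12:02 10.0.0.5 200 text/javascript http://ads.adnet-one.example/serve.js referer=http://news.example/story
2014-03-10T09:12:02 10.0.0.5 302 text/html http://rtb.adnet-two.example/bid referer=http://ads.adnet-one.example/serve.js
2014-03-10T09:12:03 10.0.0.5 200 text/html http://cdn.creative-host.example/ad.html referer=http://rtb.adnet-two.example/bid
2014-03-10T09:12:03 10.0.0.5 200 text/html http://landing.kit.example/index.php referer=http://cdn.creative-host.example/ad.html
2014-03-10T09:12:04 10.0.0.5 200 application/java-archive http://landing.kit.example/load.jar referer=http://landing.kit.example/index.php
2014-03-10T09:12:05 10.0.0.5 200 application/pdf http://landing.kit.example/doc.pdf referer=http://landing.kit.example/index.php
2014-03-10T09:15:00 10.0.0.9 200 application/pdf http://intranet.example/policy.pdf referer=http://intranet.example/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<ctype>\S+) "
    r"(?P<url>\S+) referer=(?P<referer>\S+)$"
)


def host_of(url):
    """Return the host part of a URL (the URL itself if it has no scheme)."""
    m = re.match(r"^[a-z]+://([^/]+)", url)
    return m.group(1) if m else url


def parse_log(text):
    """Parse the constructed log format into a list of dicts, skipping bad lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ctype"] = e["ctype"].split(";")[0].lower()  # drop charset etc.
            entries.append(e)
    return entries


def referer_chain(entry, by_url):
    """Walk referers back to the page the user navigated to (newest first)."""
    chain = [entry["url"]]
    current = entry
    while current["referer"] != "-" and current["referer"] not in chain:
        chain.append(current["referer"])
        current = by_url.get(current["referer"])
        if current is None:  # referer was never logged for this client: stop
            break
    return chain


def flag_driveby(entries, min_third_party_hosts=2):
    """One alert per payload fetch reached via >= N hosts other than the origin page's."""
    by_client = defaultdict(dict)
    for e in entries:
        by_client[e["client"]][e["url"]] = e
    alerts = []
    for e in entries:
        if e["ctype"] not in PAYLOAD_CONTENT_TYPES:
            continue
        chain = referer_chain(e, by_client[e["client"]])
        hosts = [host_of(u) for u in chain]
        origin = hosts[-1]  # oldest hop = the page the user opened
        third_party = {h for h in hosts if h != origin}
        if len(third_party) >= min_third_party_hosts:
            alerts.append({
                "client": e["client"], "payload": e["url"], "origin": origin,
                "third_party_hosts": sorted(third_party), "hops": len(chain),
            })
    return alerts


if __name__ == "__main__":
    for a in flag_driveby(parse_log(SAMPLE_LOG)):
        print(f"{a['client']} fetched {a['payload']} via {a['hops']} hops from "
              f"{a['origin']} through {', '.join(a['third_party_hosts'])}")
```

On the sample, both fetches from the exploit host are flagged (six hops back to the news page through four other hosts), while the intranet PDF is not. Referer chains break when a hop redirects without a referer, when a referrer policy strips the header, or when the page was reached from another tab, so a missing alert is weak evidence; a reputation check on the final host and a count of distinct plugin content types pulled from one host within a few seconds are the usual complements.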

So, what does this information tell you?

I can just hear you say, “I know, I know!”, and you are correct. Keeping your operating system and applications up to date will stop most malvertisements from exploiting your system, because they overwhelmingly rely on vulnerabilities that have already been patched. Just keep doing it and you should be much better off than most people who do not…
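One way to act on that advice is to compare what is installed against the first version that closed each CVE. The added example below, not from the original post, does that for the three plugin CVEs in the list above; the inventory is constructed, and the minimum versions are the ones I understand closed each CVE according to the vendor bulletins (treat them as assumptions and verify against the bulletins before relying on them). The two Internet Explorer CVEs are left out because their fixes ship as Windows updates rather than as a product version bump, so they are checked through patch inventory instead.

```python
"""Check an installed-software inventory against minimum patched versions.

Added example, not from the original post. The inventory is constructed;
the minimum versions are my reading of the vendor bulletins for each CVE
and should be verified before use.
"""
import re


def version_key(version):
    """Map vendor version strings to comparable tuples.

    Handles the three shapes the plugins in the post report:
      Java marketing form   '7u25'       -> (1, 7, 0, 25)
      Java runtime form     '1.7.0_21'   -> (1, 7, 0, 21)
      dotted form           '12.0.0.44'  -> (12, 0, 0, 44)
    Non-numeric fragments become 0 so a malformed string cannot crash an
    inventory sweep (and is never mistaken for a newer version).
    """
    m = re.fullmatch(r"(\d+)u(\d+)", version)
    if m:
        return (1, int(m.group(1)), 0, int(m.group(2)))
    m = re.fullmatch(r"1\.(\d+)\.(\d+)_(\d+)", version)
    if m:
        return (1, int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-_]", version))


# product -> (first version with the fix, CVE it closes).
# Assumed from the vendor bulletins; verify before relying on them.
MIN_PATCHED = {
    "Java": ("7u25", "CVE-2013-2460"),
    "Adobe Reader": ("9.3.1", "CVE-2010-0188"),
    "Flash Player": ("12.0.0.44", "CVE-2014-0497"),
}

# Constructed inventory from a hypothetical workstation.
SAMPLE_INVENTORY = {
    "Java": "1.7.0_21",
    "Adobe Reader": "9.3.1",
    "Flash Player": "11.9.900.170",
    "Media Player": "12.0.7601",  # no threshold known: ignored
}


def find_exposed(inventory, min_patched=MIN_PATCHED):
    """Return (product, installed, required, cve) for every product below its fix."""
    exposed = []
    for product, installed in inventory.items():
        if product not in min_patched:
            continue
        required, cve = min_patched[product]
        if version_key(installed) < version_key(required):
            exposed.append((product, installed, required, cve))
    return exposed


if __name__ == "__main__":
    for product, installed, required, cve in find_exposed(SAMPLE_INVENTORY):
        print(f"{product} {installed} is below {required}: exposed to {cve}")
```

Products that maintain parallel branches (Adobe Reader 8.x and 9.x each received a fix for CVE-2010-0188) need one threshold per branch rather than the single entry used here, and anything not listed in MIN_PATCHED is silently skipped, so keep the table as complete as your exploit-kit intelligence allows.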

Malware and their target…

Malware targets applications, hardware and operating systems (OS) by exploiting known or unknown vulnerabilities in their software code. Why is that important to know? Well, knowing which components of your computer are used for the exploit is half the battle in protecting your system. If you don’t want to read about this subject and just want to protect your system, here’s a shortcut for protecting against malware…; the link will take you to my blog on the subject…

Comparing malware introduced in subsequent years, 2012 vs. 2013 in the examples below, not only identifies the main targets but also shows the direction malware is heading. It should also dispel some of the myths people have about system vulnerabilities… Let’s look at the target types first, shall we?

Image source: Netwar Project

Malware targets:

By and large, applications are the most targeted software for exploits, followed by hardware and operating systems. Let’s leave hardware out of this analysis, that’s another blog, and continue with the operating system platforms.

Operating system:

Operating system vulnerabilities increased by close to 300% across all popular platforms, fairly evenly. The year-over-year increase in critical vulnerabilities ranged from 30% to close to 100%. The greater number of vulnerabilities for the Windows platform is largely a function of its greater market share: more people, researchers and hackers alike, are looking at it. Believe it or not, hackers do know about ROI (return on investment) and prefer to target Windows because of its market saturation.


Browsers:

Mozilla browser vulnerabilities appear to be decreasing along with Firefox’s market share, while Chrome saw about a 50% increase in line with its growing share. Internet Explorer (IE) vulnerabilities, on the other hand, tripled year over year; keep in mind that the IE numbers cover versions 6 through 10, which include versions that are no longer supported but still in use.


Java:

Java is one of the hackers’ favored applications, right after the Adobe software. It’s easy to program a Java applet and most people have Java installed. It doesn’t help that the auto-update feature is broken much of the time and security updates aren’t as frequent as they should be.

Adobe Acrobat Reader:

Adobe Acrobat Reader is probably the hackers’ most favored application. Practically everyone with a computer has it installed, and Adobe isn’t known for writing secure code or for releasing security patches in a timely manner.

Adobe Flash:

The number of Flash Player vulnerabilities actually decreased year over year. That’s good news, but it is mainly due to Adobe’s announcement that it has stopped developing Flash for mobile platforms. The replacement for Flash is HTML version 5 and Adobe AIR. Hopefully, the desktop will be the next platform where Flash disappears.

There are other applications favored by hackers, such as Microsoft Office, media players, etc., but these applications did not show year-over-year growth on the scale of the applications listed above.

So, again, why is this important to know? Well, if you keep your operating system and applications up to date, you’ve substantially decreased the chance of your system being exploited…