Contributor: John Harrison

Symantec has been tracking a large malvertising campaign for over 5 months now. The campaign is still active and uses Dynamic Domain Name System (DDNS) to prevent itself from being tracked.

The campaign spread rapidly and compromised popular domains and adult websites, including high-profile domains with an Alexa ranking of 5,000 or under. Some compromised websites were cleaned up after Symantec products alerted users who visited them; however, many of the domains remain compromised.

What makes infections delivered through malvertising notable is that they require no user action (such as clicking) to compromise the system, and they exploit no vulnerability on the website or on the server hosting it. Instead, the infection silently travels through Web page advertisements served by online marketing services.

Symantec has tracked this campaign over the last four months. The campaign is still active and continues to compromise users.

Figure 1. Recent malvertising detections

The infection cycle starts with the attackers creating malicious ads that carry obfuscated JavaScript. These ads are then hosted on advertising networks and served across different clean domains, which in turn compromises the users visiting those domains.

Some obfuscated JavaScript is shown in the following screenshot.

Figure 2. Malvertising using obfuscated JavaScript

The malicious JavaScript can be divided into four parts.

Check for the presence of the Internet Explorer browser with ActiveX enabled, because this script only affects Internet Explorer users.

Figure 3. Check for IE browser that has ActiveX enabled

Implement cookies to track compromised computers, deliver targeted ad-redirects, and track URLs.

Figure 4. Tracking implementation

Select a random domain name from a list. (Symantec has observed the use of over 50 different dynamic domains hosted on multiple servers in the last five months.)

Figure 5. Use of dynamic domains

Create a hidden iFrame and pair the dynamic domains with common directory names such as news, finance, songs, and forums.

Figure 6. Pairing dynamic domains with common directory names

This iFrame then redirects users to a final URL created by appending a common directory name to a dynamic domain. For example:

[RANDOM CHARACTERS].blogdns.com/forum

[RANDOM CHARACTERS].dyndns.biz/news

[RANDOM CHARACTERS].is-an-accountant.com/finance
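A defender can turn this URL shape into a detection: a subdomain of one of the dynamic DNS suffixes named above, followed by one of the campaign's directory names. The following Python script is an added example, not code from the original post; the suffix list, the directory list and the proxy log format are assumptions, and the log lines are constructed.

```python
"""Flag proxy-log requests shaped like the campaign's redirect URLs:
<random label>.<dynamic-DNS suffix>/<common directory name>."""
from urllib.parse import urlsplit

# Dynamic DNS suffixes named in the post; extend from your own telemetry.
DDNS_SUFFIXES = {"blogdns.com", "dyndns.biz", "is-an-accountant.com"}
# Directory names the campaign pairs with the dynamic domains.
CAMPAIGN_DIRS = {"news", "finance", "songs", "forum", "forums"}

def ddns_suffix(host):
    """Return the matching suffix, or None. Matches on label boundaries,
    so 'blogdns.com.example.net' is not a hit and neither is bare 'blogdns.com'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DDNS_SUFFIXES:
            return candidate
    return None

def is_campaign_url(url):
    """True when the host is a DDNS subdomain and the first path segment is a campaign directory."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if not parts.hostname or ddns_suffix(parts.hostname) is None:
        return False
    first_dir = parts.path.strip("/").split("/", 1)[0].lower()
    return first_dir in CAMPAIGN_DIRS

def scan_proxy_log(lines):
    """Return (client_ip, url) pairs for matching lines.
    Assumed log format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 5 and is_campaign_url(fields[3]):
            hits.append((fields[1], fields[3]))
    return hits

# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "2013-02-05T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2013-02-05T10:01:03Z 10.0.0.5 GET http://q7xk2p.blogdns.com/forum 302",
    "2013-02-05T10:01:05Z 10.0.0.9 GET http://zzt41a.dyndns.biz/news 302",
    "2013-02-05T10:01:06Z 10.0.0.9 GET http://blogdns.com.example.net/news 200",
    "2013-02-05T10:01:07Z 10.0.0.7 GET http://abc.is-an-accountant.com/about 200",
]

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print(f"ALERT {client} -> {url}")
```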

The final URL generated in the above step then redirects to a page that fingerprints the installed Java version and executes a malicious .jar file accordingly. We have seen variations in the .jar file extension: apart from “.jar”, we have seen extensions associated with image formats (e.g. .gif and .jpg), as shown in Figure 7.

Figure 7. JAR file with .gif file extension
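Because the extension in the URL cannot be trusted, a defender should classify downloads by content. The following Python snippet is an added example, not code from the original post: it checks for the ZIP signature and for Java-specific entries (a manifest or .class files) and flags a body that is a JAR when the URL claims an image. The sample JAR is a constructed stand-in containing dummy bytes, not a real exploit file.

```python
"""Classify a download by its content rather than by the extension in the URL,
to catch JAR files served with .gif or .jpg names."""
import io
import zipfile

IMAGE_MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif", b"\xff\xd8\xff": "jpg"}
IMAGE_EXTS = {"gif", "jpg", "jpeg", "png"}

def content_type(data):
    """Return 'gif', 'jpg', 'jar', 'zip' or 'unknown' from magic bytes and ZIP entries."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    if not data.startswith(b"PK\x03\x04"):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "unknown"
    # A JAR is a ZIP carrying Java class files and/or a manifest.
    if any(n.endswith(".class") or n == "META-INF/MANIFEST.MF" for n in names):
        return "jar"
    return "zip"

def extension_mismatch(url, data):
    """True when the URL claims an image extension but the body is a JAR."""
    ext = url.split("?", 1)[0].rsplit(".", 1)[-1].lower()
    return ext in IMAGE_EXTS and content_type(data) == "jar"

def make_sample_jar():
    """Constructed stand-in: a ZIP with a manifest and a dummy class entry (no real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Example.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()

SAMPLE_JAR = make_sample_jar()          # constructed
SAMPLE_GIF = b"GIF89a" + b"\x00" * 20   # constructed

if __name__ == "__main__":
    for name, body in (("pic.gif as JAR", SAMPLE_JAR), ("pic.gif as GIF", SAMPLE_GIF)):
        flagged = extension_mismatch("http://example.invalid/finance/pic.gif", body)
        print(f"{name}: type={content_type(body)} mismatch={flagged}")
```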

Multiple JAR files are dropped based on the Java runtime version of the affected user. We have observed the JAR files exploiting the vulnerabilities identified as Oracle Java Runtime Environment Remote Code Execution Vulnerability (CVE-2012-4681) and Oracle Java Runtime Environment CVE-2013-0422 Multiple Remote Code Execution Vulnerabilities (CVE-2013-0422). The following screenshot shows an obfuscated Java class file, extracted from the JAR file, which targets CVE-2013-0422.

Figure 8. Java class file targeting CVE-2013-0422

Once the Java vulnerability is exploited successfully and the Java sandbox restriction is bypassed, the JAR file drops dynamic-link library (DLL) files into a temporary directory and adds the corresponding registry entries on the compromised computer. The DLL names are randomly generated each time the JAR file is compiled. Example file names observed in analysis include:

%Temp%\spoolsv.dll

%Temp%\winlogon.dll

%Temp%\java.dll

%Temp%\alg.dll

%Temp%\firefox.dll

These DLL files then download other malware onto the compromised computer.

Malvertisement is a growing issue, increasing 20 times over from 2010 to 2012. More than 50 percent of publishers have experienced a malvertising incident one or more times.

Symantec customers are already protected from these attacks using multilayered protection provided by our security products. Symantec Endpoint Protection 11 and 12 include the Network Threat Protection - IPS technology that proactively protects against malvertisements and the resulting drive-by download. Enterprise customers must ensure that they have enabled Network Threat Protection within their product for protection. All Norton solutions have the Network Threat Protection technology automatically enabled in their products.

The following is a partial list of IPS Signatures that block the Web attack toolkit from dropping the malware from the malvertisement:

Symantec antivirus also detects the dropped payload as Backdoor.Trojan and the corresponding JAR files as Trojan.Maljava.

Symantec has recently launched Symantec AdVantage, a cloud-based anti-malvertisement product with sophisticated detection and reporting capabilities that helps prevent ad publishers and distributors from propagating malware to customers.

Symantec recommends that website owners who carry advertising on their sites consult the anti-malvertisement guidelines published by the Online Trust Alliance (OTA). The Online Trust Alliance is a non-profit whose mission is to enhance online trust while promoting innovation and the vitality of the Internet. Symantec is a founding member of the Online Trust Alliance.

Users with the latest Java update (Java 7 update 13) are currently no longer at risk through silent exploitation. To avoid being exploited, it is recommended that users continuously apply the latest updates to their operating systems, software, and antivirus and IPS definitions.