
An exploit kit hiding in the pixels of malicious ads - ivank
http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/
======
eps
They pack malware code into an alpha channel of the ad image and then use
innocuous-looking JS code (which happens to be delivered with the ad) to
extract and execute it. This allows them to sneak their goods past the ad
network review.

Neat, but not _that_ impressive.
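Added illustration (not part of the thread or of the original article): one statistical check an ad-network reviewer could run over a creative's alpha plane. A clean banner has a flat or smoothly varying alpha channel, so the low-order alpha bits are heavily biased; bytes smuggled into those bits look like coin flips. The thresholds and the near-opaque band are assumed heuristics, and both sample images are constructed here.

```python
import math
import os


def alpha_lsb_entropy(pixels):
    """Shannon entropy (bits) of the least-significant alpha bit across an
    RGBA pixel sequence (values 0..255). Near 0 for ordinary artwork; tends
    toward 1.0 when data has been written into the alpha LSBs. 0.0 if empty."""
    n = len(pixels)
    if n == 0:
        return 0.0
    p1 = sum(p[3] & 1 for p in pixels) / n
    if p1 in (0.0, 1.0):
        return 0.0
    return -(p1 * math.log2(p1) + (1 - p1) * math.log2(1 - p1))


def near_opaque_fraction(pixels, low=240):
    """Fraction of pixels whose alpha sits in the visually invisible
    'almost opaque' band low..254 (assumed heuristic: a legitimate banner
    rarely needs many pixels there, an embedding scheme uses it freely)."""
    if not pixels:
        return 0.0
    return sum(1 for p in pixels if low <= p[3] < 255) / len(pixels)


def looks_like_alpha_stego(pixels, entropy_threshold=0.9, band_threshold=0.5):
    """Heuristic verdict: flag if either statistic is suspicious."""
    return (alpha_lsb_entropy(pixels) > entropy_threshold
            or near_opaque_fraction(pixels) > band_threshold)


# Constructed samples: a 64x64 fully opaque red banner, and the same banner
# with its alpha LSBs replaced by random bits, which is what a hidden
# payload looks like statistically (no payload is embedded here).
W = H = 64
CLEAN = [(200, 30, 30, 255) for _ in range(W * H)]
_noise = os.urandom(W * H)
STEGO = [(r, g, b, (a & 0xFE) | (bit & 1))
         for (r, g, b, a), bit in zip(CLEAN, _noise)]

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("stego", STEGO)):
        print(name, round(alpha_lsb_entropy(img), 3),
              round(near_opaque_fraction(img), 3), looks_like_alpha_stego(img))
```

To run it on a real creative, decode the PNG to RGBA tuples first (e.g. with Pillow's `Image.open(path).convert("RGBA").getdata()`); the check is a triage signal, not proof of a payload.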

~~~
forrestthewoods
Moral of the Story: There's no such thing as an innocuous eval()?

~~~
gurgus
This isn't a useful answer for you at all, but I thought I'd mention that
there are "kind of" innocuous eval()'s such as Angular's eval() [1] where
instead of JS being evaluated (which can lead to nasty things), an Angular
expression is evaluated, which is a bit safer.

Obviously what I've just said doesn't help solve any problems here, but
thought I'd throw it in there anyway :)

[1]
[https://docs.angularjs.org/api/ng/type/$rootScope.Scope#$eva...](https://docs.angularjs.org/api/ng/type/$rootScope.Scope#$eval)

~~~
234dd57d2c8db
This is false, Angular expressions / sandbox are NOT security. They are not
safer at all. Do not execute untrusted Angular expressions.

------
matt_wulfeck
I really don't want to block all ads. I want companies to earn revenue from
their readers. But this has to stop if I'm ever going to surf the net
unprotected.

~~~
tdb7893
What I don't understand is why ads themselves need JS. You would think that
all they need is an image and a link.

~~~
stevesearer
My site's advertising is comprised of self-hosted, static images so it isn't
impossible. They are also much more relevant than most websites' ads because I
target the ads based on the content.

------
Splines
> _It is particularly interested in presence software containing the following
> strings in their filenames:_

Makes me wonder if there is a benefit in making a real machine appear to be a
VM (or even if its possible).

~~~
dom0
Hm! Interesting idea.

~~~
john_reel
I’ve used Windows with the name “currentuser” to appear to be Norman Sandbox
for a few years now.

------
gurneyHaleck
So much for CORS policies.

If browsers restricted cross-origin sharing of image resources to same domain
only, bazillions of dollars in tracking pixel revenue would evaporate.

Deep inspection of image rasters by script execution isn't going to get locked
down anytime soon, I surmise.

~~~
vortico
Actually this is a good idea. Is there a way to make Firefox behave like this?
I'm interested how broken the web would become, or if it would actually make
the web faster and more usable by only loading content relevant to the
website.

~~~
shakna
My guess would be a lot, with S3 providing so much static content, or via
3rd party CDNs.

~~~
mtgx
More or less than if browsers had blocked Flash say 3 years ago?

Because I think that's the standard. If they can do it for Flash, then they
can do it for anything else, too. They just need to set a deadline with a
reasonable amount of time before it's reached so that all developers can
adhere to the new specs.

I really hate the attitude of "well, too many websites/apps would be broken so
I guess we'll never do it, or we'll just wait for the web to collapse first so
that everyone agrees we should do it" from "platform" (in this case browser)
vendors.

If it's that bad, then just set a 2 year, 3 year, or even 5 year deadline for
the change (perhaps with some intermediary progressive blocking, like it's
happening for Flash).

It pisses me off because it seems the same is happening with ASLR on Linux
[1]. We've had it for 15 years, but nobody is willing to force developers to
use it "because it would break things". Screw that. Set a deadline and do it
already. If their apps can't make such a change in 3 years, then I could care
less that their apps will stop working. Critical vulnerabilities that allow
dangerous exploits to happen also "break a lot of things", and not just
themselves either, but the firefighting patches that come after them, too.

[1]
[https://lwn.net/SubscriberLink/708196/845f9287f1936dcf/](https://lwn.net/SubscriberLink/708196/845f9287f1936dcf/)

~~~
shakna
I have no problems breaking the existing web for a more secure web tomorrow.
None whatsoever.

I've been highly irritated by people freaking out that Flash is starting to get
blocked - despite it being deprecated in those browsers for _years_. It wasn't
exactly a surprise.

But I guess that's the crap that hits us. No one will make a damned change
till they're forced to do it right now.

I'm somewhat sick of advertising networks serving malware. JavaScript is
Turing Complete, and leaky as hell. There is no safe way to use it for ads, so
don't let your clients use it!

The modern web relying on huge megabytes worth of data has led to us needing
CDNs and other 3rd party providers.

Anytime a website uses a 3rd party provider, it opens a hole in itself, and
with the insane complexity of a modern browser... That's just asking for
trouble.

But asking Google to give up the practices they use to forward their own
agendas, like advertising, and their walled garden of AMP, won't happen.

Chrome has the usage that it can exhibit considerable force on the other
browsers, and the reverse isn't true.

EDIT: In other words, I completely agree with you, but cry when I see the
state of things. Just want that to be clear.

------
aikah
And then networks and publishers complain about users blocking ads. That's why
people should block ads served by third parties. It's not just about visual
nuisance but security first and foremost.

------
singularity2001
"If it detects anything suspicious, it will not attempt to download the
payload. (kasper*, avast*, f-secu*, wireshark.exe, ollydbg.exe ...)"

wireshark as antivir ... nice to have ;)

------
matheusmoreira
Ads turned into stegotext carrying an exploit as payload? Yet another reason
to block them.

------
unabridged
I have to see warnings for weak certificates, but loading 3rd party scripts is
ok by default. When browsers are written by ad companies or beholden to ad
companies, this is what you get.

Apple and Firefox (if Yahoo will let them) need to step up and block 3rd party
scripts by default. Maybe even Chrome would get in on it if there was special
whitelisting for Google's analytics.

~~~
TeMPOraL
That would kill 90% of the web, because people love to load Bootstrap, jQuery
and Google ajax crap from 3rd party CDNs. Can we just please get content-based
hashing and stop with this JS outsourcing bullshit?

~~~
Klathmon
Content based caching would be a massive security nightmare.

All you'd need to do is serve up the same asset as any other site on the web
and you could instantly know if the user has been there recently.

No need for tracking at all, just serve this up to people who go to HN, this
to the redditors, this to anyone that was recently on 4chan...

Or let's take it a step further. I could reasonably figure out what your user
page on HN looks like to you when you're logged in. I'll serve that up to all
my visitors and when I get a cache hit I know it's you!

------
EJTH
When will people just learn to disable flash on their browsers?

------
mixedbit
If the attacker fully controls the decoding JavaScript, I don't get why the
exploit is encoded in the banner and not directly included in JavaScript?

~~~
_nalply
Because they wanted to fly under the radar. It's hiding in plain sight.

~~~
taeric
To add to this. You could get the javascript flying for a time before
activating it with the image. Effectively inoculating some protection measures
to your activation agent.

------
mdrzn
> _Using the known Internet Explorer vulnerability CVE-2016-0162, the encoded
> script attempts to verify that it is not being run in a monitored
> environment such as a malware analyst’s machine._

So this would work only on Internet Explorer?

~~~
MoOmer
No, the paranoid developers wanted to use that exploit to check if it was on
an analyst's machine. That's an imposed restriction, not an inherent
constraint.

------
LDM
If you're an engineer and are fascinated by this subject, I'm interested to
hear from you. Our startup specializes in the real time detection and blocking
of these malicious ads.

Contact details in my bio.

~~~
codeddesign
This is an ad server though right? Or are you able to monitor 3rd party
providers?

------
pm24601
So the simplest way to avoid getting exploited is to always run wireshark?

Sounds better than an out of date AV solution!

(and cheaper)

------
amenod
I am not quite sure how they got to running JS on the victim's browser in the
first place? I would guess any JS being loaded is from the ad network. I know IE
had this vulnerability where it would ignore the MIME type and would guess the file
type from content (so an attacker could serve a specially crafted image which
would be interpreted as JS), but that should be long patched... Or did they
act as an ad network themselves?

~~~
detaro
(at least most) Ad networks deliver JS provided by the advertiser as well.

------
ommunist
This is an incredible piece of IT. Interesting, which ad networks are used?

------
peteretep
Wonder how long until corporate IT policies mandate the use of adblockers

------
laurent123456
The other day there was this article claiming that virus scanners do more harm
than good, but in this particular case it's interesting to see that they would
have prevented the exploit.

------
Exuma
I love how it discards 42 bytes of the beginning of the image... the answer to
the meaning of life :D

