
Steganography Based Ad Payload That Drops Shlayer Trojan on Mac Users - saidajigumi
https://blog.confiant.com/confiant-malwarebytes-uncover-steganography-based-ad-payload-that-drops-shlayer-trojan-on-mac-cd31e885c202
======
saidajigumi
This is precisely why an ad-blocker is a non-negotiable part of defense in
depth. I'm sympathetic to web publishers who legit need the ad revenue to
operate, but they're caught in the middle: asking me to drop this critical
layer of protection is a non-starter.

~~~
MRD85
I had my experience with this in 2006 or 2007. I was younger then and I was
served a malicious ad on a video game website. This ad was only showing for 1
in every 1000 or so users, which made it quite difficult to detect back then.
Ever since then I've run an adblocker and/or scriptblocker.

I'm constantly asked by websites to drop my ad blocker but why would I do
that? If they want to serve ads then maybe there is a way they can do it
themselves, as opposed to a third party serving them.

~~~
jnbiche
> If they want to serve ads then maybe there is a way they can do it
> themselves, as opposed to a third party serving them

Indeed there is a way. And if they do it the old-fashioned way, using static
ad assets, then the ads aren't typically blocked by ad blockers, anyway (at
least not automatically).

Furthermore, these kinds of embedded, static ads lead to more honest,
authentic relationships between content providers, advertisers, and viewers.

~~~
fatboy
From what I’ve been told by the web team at the company I work at, images get
blocked by ad blockers if they match the industry-standard advert sizes for
banners etc. We serve our own ads that we sell directly to businesses related
to our content, but it’s often done through the customer’s PR agency, who sort
out the ads for various different outlets, and are not interested in making
different sizes that wouldn’t be blocked just for us.

~~~
romwell
> PR agency are not interested in making sizes that wouldn’t be blocked

Sounds like the PR agency is interested in making ads which nobody would see.
Great job, PR agency.

------
mikeash
I’m amazed that web sites still let ads run arbitrary scripts. Serve an image
and/or some text along with a link and call it done. If interactivity is
somehow really necessary, define a few templates and allow no deviation from
them.

But I guess these sites would rather just continue to be a conduit for
screwing with their viewers.

~~~
sourthyme
Why aren't these ad scripts sandboxed? I thought you can't have arbitrary code
from cross site domains have access.

~~~
Macha
Because the advertisers want to be able to load it with scripts to track stuff
like viewability, fraud etc., and since they have the money they ultimately
have the power.

------
eliya_confiant
Hi everyone, I'm the author of the blog post. We at Confiant help websites to
protect their users by detecting and blocking malvertising. We are hiring in
our security and engineering teams.

If you're interested in working to combat the problem outlined in the blog
post, we would love to hear from you! Please reach out to me [eliya AT
confiant DOT com].

I will be back a little bit later to answer some of the questions that I see
here in the comments as well. Thanks!

------
tracker1
I think it's time to require bonded advertisers on advertising platforms. If
you deliver third party content, you should be legally and financially
responsible for it. Period. Google and others should be able to police their
platform. They aren't... advertisers should have to put up a given dollar
amount to advertise on the platform. If malware is detected, they get
blackballed.

------
rrggrr
ELI5: Do I need to actively do something to be impacted, or is it enough to
passively visit the infected site/ad?

~~~
gcb0
if you're not using an ad blocker, start now. or quit pretending you care
about safety. sadly there's no middle ground.

~~~
jszymborski
Slightly tangential, but people like to get on a moral high-ground and posture
about content creator revenue, but do I really have to care about people not
making a revenue from distributing malware and selling my browsing behaviour
that's being tracked across the web?

We really need to stop pretending that ad networks are these neutral entities.
They are a backdoor that is inserted on every website, and I shouldn't have to
justify plugging it up; you should have to explain why you've sold my
security.

~~~
mnm1
Not to mention the extreme negative psychological and societal consequences of
these ad companies. There's no way ad companies are anything but an extreme
negative even if they fix their security and only deliver inert payloads. Ad
companies were a sickness for society and individuals in the days of TV and
newspapers and they are a sickness now. Starving them out of business could be
seen as a moral duty to oneself and a benefit to society. If content creators
choose to partner with such ad companies, they should accept their fate, that
of the ad companies. Or they can figure out a better business model. It's not
up to the rest of society to sacrifice itself and the well-being of the people
in the rest of society so some ad men can make billions or for some content
creators to put out a bunch of content that's almost certainly just garbage.
We, in the rest of society, owe these ad men and anyone who aligns with them
nothing. They're lucky that as a society we allow their sick, disgusting
manipulation of others to continue ... for now.

------
iheartpotatoes
20 years since Melissa.

TWENTY YEARS.

And people still click on things they shouldn't be clicking on.

It is amazing the brainpower that goes into developing processes like this
just to trick a person into doing what they've been told NOT to do.

I understand every new generation of users needs to be reminded of this. Of
course, right? Kids grow up, and have to be taught basic online hygiene.

Maybe it is time to do away with the entire paradigm of "click to install" and
have authenticated package managers for everything.

Would that solve the problem? If the only way to install software was through
an "app/apt-store" where everything is fingerprinted? This reminds me of the
article on HN a few days ago about enabling HTTPS and Tor for apt. I learned a
lot about how apt verifies untouched packages are installed.

Why isn't that the ONLY method to add software to a computer?

Just seems like we are attacking the wrong problem. People still get STIs
because they don't want to use a condom (or don't know how to use one). My
analogy sucks, but if we got rid of sex we wouldn't have STIs, by definition.
Ok, F for that metaphor, but am I going in the right direction?

------
ISPblocking
Is there any point at which ISPs block these known malware domains? It seems
like they are using the same site (veryield-malyst.com) over and over to
distribute the payload in repeated malware campaigns. Why haven't the major
ISPs blocked access to that domain?

> The `veryield-malyst` domain, as a case in point, has been active for
> months, but only recently are VeryMal starting to smuggle it using
> steganography. Here’s one of their ad tags from early November for
> comparison:

So we've known since at least November that this site is bad, but it's still
serving this stuff up today? WTF?

------
mschuster91
Funny enough, just today it came out Google plans to neuter ad blockers by
disabling the extension API they are using
([https://www.heise.de/newsticker/meldung/Kontroverse-Plaene-W...](https://www.heise.de/newsticker/meldung/Kontroverse-Plaene-Werbeblockern-droht-in-Chrome-das-Aus-4286274.html)).

So, Google, tell me what options do I have? Switch to CPU and memory hog
Firefox, to the new Internet Explorer called Safari, or watch while ads that I
can't block fuck up my computer?

~~~
dwighttk
aw man... what OS are you on? Chrome is the CPU and memory hog on macOS...
Though I guess Firefox isn't that far behind.

~~~
mschuster91
Same as you - macOS. I regularly have ~250-300 tabs open on my MBP (though I
admit, I cheat via using The Great Suspender); the only time it hogs CPU is
when some nasty advertising on sueddeutsche.de or Facebook decides it needs to
warm my lap.

In addition, I vastly prefer Chrome's devtools. Nothing comes close, and I
believe this is a huge part of why developers are so Chrome-loyal.

~~~
mnm1
That's actually a huge part of why I switched and stayed with FF: their dev
tools are now much superior to Chrome. No more clicking an XHR link in the
console only to be taken to the network tab and have to manually locate that
XHR. No more random caching of code even with 'disable caches' on. Among many,
many other improvements. I would highly recommend giving FF dev tools another
shot.

------
herodotus
Spam emails with embedded links don't use steganography, but they use a
similar redirect attack. I have reverse engineered many of them, and, for a
lot of them, I am struck by the sense of whimsy in the choice of variable
names the attackers use. Clearly, they are having fun doing these scripts. It
always struck me as sad that these possibly talented (and apparently pretty
happy) developers have been steered into crime instead of a probably lucrative
honest career in software.

------
tbabb
That's it. I'm disabling JS by default.

~~~
4ec0755f5522
You will be astounded how much of the web breaks. I know you think you know,
but it's worse than you can imagine. The number of sites that can't even
display their images, the amount of third party css that is needed and won't
load, dropdowns, search buttons, and endless Big Red Banners telling you that
you need to enable javascript.

I am 100% in agreement JS is the problem and should be abandoned. But the web
falls apart if you disable it.

source: disabled JS on iOS Safari. I leave it disabled but have to open another
browser all the time. Even stupid HuffPo "click to read" is JS. So when I
click 'news' links from the main news widget they open in Safari and I can't
read the article; I have to copy and paste into Chrome (which does have JS
enabled).

There's no way this is an ok user experience. But JS is not an ok security
experience. I'm like F THIS I'M SWITCHING TO LYNX. :-(

~~~
dreamcompiler
Exactly this. Ten years ago, sites would fail gracefully if the client didn't
have JS enabled. But today, all the cool web kids want to do "100% client-side
rendering" which means the page is completely blank if you disable JS. For a
very few web sites, this makes sense. For the vast majority, it does not.

------
sourthyme
Maybe I'm missing something, but why are Apple fonts required here?

~~~
callinyouin
Seems like an odd method, but I believe that is how they are specifically
targeting macOS machines for this particular malware.

~~~
eliya_confiant
That's correct. It's just a subtle way of doing OS fingerprinting.

------
tracker1
Maybe it's time to limit browsers to 2 levels of IFrame and 2 redirects in an
IFrame... let the ad companies figure out how to pass/share their data
directly instead of adding payload to the browser. It's entirely possible for
the ad networks to proxy their requests instead of layers of IFrames, scripts
and redirects.

The other side is that any advertising re-sellers should have to put up a
bond/insurance against serving malware. If you get busted, you're out. It's up
to the advertising companies to ensure that they don't deliver malware. If a
campaign includes malware, then it's a $10K fine + $1 for every time that
campaign was shown.

------
ghego1
I think the title is a bit misleading, as a user action is still required to
actually infect the device.

------
DGAP
Any published IOCs for this? Any hashes for the malware itself?

------
gcb0
tl;dr: malicious ad stores the payload in an image, then executes it with eval().

If the publisher had minimal CSP eval protection on ads it would be safe. But I
guess that would break every ad, even Google's.

In the end, same old everything. Just a slightly clever way to avoid static
analysis, which is also not new at all.
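The "CSP eval protection" mentioned in the tl;dr above is the `'unsafe-eval'` source keyword: a page whose effective script policy omits it cannot run strings through `eval()`, `new Function()` or string-argument `setTimeout()`, which is the step the thread says the image-smuggled payload depends on. The checker below is an added example written for this thread, not code from Confiant or from the blog post; the header strings are constructed samples and the function names are ours. It parses a `Content-Security-Policy` header, applies the spec's two rules that matter here (`script-src` falls back to `default-src`, and only the first occurrence of a directive counts) and reports whether eval is permitted, with a weak policy next to a corrected one.

```javascript
// Added example, not from the thread: report whether a CSP header permits eval().
// Assumed names: parseCsp, effectiveScriptSources, evalAllowed (ours, not a library API).

// Parse "directive value value; directive value" into Map(directive -> [sources]).
// Directive names are case-insensitive; per the CSP spec, a repeated directive
// is ignored, so the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const rawDirective of header.split(";")) {
    const parts = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, parts.slice(1));
  }
  return policy;
}

// Scripts are governed by script-src if present, otherwise by default-src.
// Returns null when neither is set, meaning nothing restricts scripts.
function effectiveScriptSources(policy) {
  if (policy.has("script-src")) return policy.get("script-src");
  if (policy.has("default-src")) return policy.get("default-src");
  return null;
}

// true when eval()/new Function()/string setTimeout() would be allowed to run.
function evalAllowed(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return true; // no script policy at all
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample headers (not taken from any real site).
// Weak: the ad origin is allowed, but so is eval, so a payload decoded from
// image pixels can still be executed as code.
const WEAK_CSP =
  "default-src 'self'; script-src 'self' https://ads.example 'unsafe-eval'";
// Corrected: same allowed origins, 'unsafe-eval' dropped, plugins disabled.
const STRICT_CSP =
  "default-src 'self'; script-src 'self' https://ads.example; object-src 'none'";
// No directive mentions scripts, so the browser imposes no restriction.
const NO_SCRIPT_DIRECTIVE = "img-src *";

function report(header) {
  return { header, evalAllowed: evalAllowed(header) };
}

for (const h of [WEAK_CSP, STRICT_CSP, NO_SCRIPT_DIRECTIVE]) {
  console.log(report(h));
}
```

One caveat a practitioner should keep in mind: CSP is enforced per document, so a policy on the publisher's page only covers scripts that run in that page. An ad rendered inside a cross-origin iframe is governed by whatever policy the ad server sends with the frame's own document, which is why a publisher-side header alone does not settle the question the tl;dr raises.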

