Steganography Based Ad Payload That Drops Shlayer Trojan on Mac Users (confiant.com)
128 points by saidajigumi 29 days ago | 73 comments

This is precisely why an ad-blocker is a non-negotiable part of defense in depth. I'm sympathetic to web publishers who legit need the ad revenue to operate, but they're caught in the middle: asking me to drop this critical layer of protection is a non-starter.

I had my experience with this in 2006 or 2007. I was younger then and I was served a malicious ad on a video game website. This ad was only showing for 1 in every 1000 or so users, which made it quite difficult to detect back then. Ever since then I've run an adblocker and/or scriptblocker.

I'm constantly asked by websites to drop my ad blocker but why would I do that? If they want to serve ads then maybe there is a way they can do it themselves, as opposed to a third party serving them.

> If they want to serve ads then maybe there is a way they can do it themselves, as opposed to a third party serving them

Indeed there is a way. And if they do it the old-fashioned way, using static ad assets, then the ads aren't typically blocked by ad blockers, anyway (at least not automatically).

Furthermore, these kinds of embedded, static ads lead to more honest, authentic relationships between content providers, advertisers, and viewers.

From what I’ve been told by the web team at the company I work at, images get blocked by ad blockers if they match the industry-standard advert sizes for banners etc. We serve our own ads that we sell directly to businesses related to our content, but it’s often done through the customer’s PR agency, who sort out the ads for various different outlets, and are not interested in making different sizes that wouldn’t be blocked just for us.

>PR agency are not interested in making sizes that wouldn’t be blocked

Sounds like the PR agency is interested in making ads which nobody would see. Great job, PR agency.

Unfortunately for content producers, this kind of advertising is typically more work and less profit.

Of course there is a way they can do that, because that's how it always used to work. It's just not as cheap or easy.

For me ad blocking is non-negotiable.

In my opinion if a website can't make a profit without ads, then it shouldn't exist. There are tons of other ways to make money from a website without showing a single ad on the page.

I disagree. Case in point: there are websites that sell ad space the "old fashioned way" meaning they're directly paid by the advertiser, they get a predetermined format and placement, text-only with a link. Absolutely no JS, no tracking. If the advertiser wants to track visitors, they create a single unique landing page for their link.

This is 100% acceptable to me for the following reasons: first, these site owners fully control the ad presentation on the site, and there's zero possibility of unvetted JS going through because the advertiser delivers plain text to a knowledgeable human publisher who is the one who will run the placement. Likewise, the advertiser gains no knowledge of visitors who didn't elect to click the ad link and visit their site.

This gets to my comments above: the quest for a fully-scalable inventory of both eyeballs and advertisers is a hugely corrupting influence on so many levels. Small companies wanting to build relationships to help each other, without exploiting visitors in the process, is OK in my view.

I’m amazed that web sites still let ads run arbitrary scripts. Serve an image and/or some text along with a link and call it done. If interactivity is somehow really necessary, define a few templates and allow no deviation from them.

But I guess these sites would rather just continue to be a conduit for screwing with their viewers.

This. It seems like the default model for ad impressions is just "run whatever you want, go wild." Untrusted code? SURE! Ads for blatantly fraudulent product? PARTY TIME! Even more basic shadiness is astonishingly rampant---I recently made the mistake of opening a well-known and very stuffy academic blog with countless daily visitors from a browser not stuffed full of ad blockers, and immediately got a half-naked Ashley Madison ad on my work machine.

What we need is some third-party intermediary to screen, not the ads, but the sites hosting the ads---some kind of certification authority that says "this is a list of websites that don't allow people to run untrusted code or scams," and then allows users to block everything else by default.

Certification sounds good until a major "certified" site goes rogue (or gets hacked) and hosts malware. Then everyone who trusted the "adblock except certified sites" premise gets burned, and reverts to regular adblock.

> Serve an image and/or some text along with a link and call it done.

I'm amazed too. But I'm also fairly certain publishers would love to do that. It's just not as practical as you make it sound. (And frankly, if you do come up with a solution for this, by all means reach out and let's bring it to the ad tech market; we'll rapidly make a fortune.)

For starters, how do you deal with ad fraud? What do you do with fraudulent sites that e.g. stack dozens of ads on top of each other so they all count as views? Or those that have zombie devices replay actual site visits and ad clicks? Or those that have toolbars replace ads with something else? Picture an EasyJet special offer popping up in the middle of your screen as you're pulling out your CC to book a ticket on RyanAir. This type of stuff happens; many times without the offending company even knowing how its ads got served to a zombie device. Companies lose billions per year to ad fraud. It's an enormous problem. Whether it's PPV (ad stacking), PPC (click bots), or PPA (CC fraud), you need some sort of tracking to weed out fraud.

And then there's the logistics of the whole thing. In theory there are more user-friendly ways to market and serve ads than real time bidding platforms. In practice, not so much. Apple tried to sell vetted ads at one point with a direct sales force to interact with relevant brands; it miserably failed. Similarly, there used to be a rather high quality ad network that ran image/text-only ads on Daring Fireball and a bunch of other sites; it eventually shut down. Selling your own ads is a non-starter unless you've a large audience already. So the truth is, and for better or worse, the simpler and cheaper way to buy and sell ads may very well be RTB for the foreseeable future.

You're making it far more complicated than it should be.

Why do you care how many people saw the ad? What you care about is results. If you run an ad and accrue benefits of $50,000, you are happy if the ad campaign cost less than that.

You've a contradiction in your statement. If I get a positive ROI tomorrow on those $50k, it's fine on paper. But if it turns out that a large chunk of the ad spend went to fraudsters without me having any idea it did, such as what happened with P&G [1], what's to stop the latter from doubling down on their activities? (The real losers here are genuine publishers like news outfits, btw.) And how do I know it's the $50k ad spend rather than what the content team has been up to in the past month? Or that the $50k wouldn't have been better spent on SEO efforts or on PR outreach?

[1]: https://www.reuters.com/article/us-procter-gamble-advertisin...

I don't understand what you are saying.

Say you sell lamps. If you spend $5000 next month on digital ads and you are able to attribute new sales of $6000 to that ad campaign, then why do you care what the impression numbers were? All that matters is that sales went up by a big enough amount.

The company selling ads can't tell you how effective the ads were. Only you know that.

Here's a more concrete and practical example: If you spend $50k on content marketing and SEO, and another $50k on ads, which is giving you the best bang for your buck?

In the current JS-based ad world you can go: my ROI on the first is X with reasonable confidence; and on the second I believe it is Y after discounting for [heaps of ad fraud-related reasons] -- which is not great, but still better than no idea.

In a text/image only ad world you'd go: my ROI on the first is X with reasonable confidence; on the second I've absolutely no idea except that the numbers are getting worse by the month because of [heap of ad fraud related reasons].

The main victims here, I should point out in passing, are the websites you're getting your news from.

And yes, you're somewhat correct, the company selling ads can't tell you how effective the ads ultimately are. But only they can tell you if the ad likely got served to an actual human rather than to a bot, among other schemes. And knowing that a bot is likely browsing your site can make a world of difference with your boss when you're reporting on whether you should spend more on content/SEO or online ads, or with your payment provider when someone is testing stolen CCs on your SaaS sign-up form.

> The main victims here, I should point out in passing, are the websites you're getting your news from.

The main victim is the user. We are tracked and profiled a million different ways. Shitty ad-tech devours our bandwidth and batteries and makes everything feel worse. I'd wager that end users are often paying more for the bandwidth and power to receive an ad than the publisher is getting paid to show the ad.

How about not pay per impression?

Well, speaking as a marketer, I'd beg to ask what you're selling me if you're unable to show me what I'm getting for my ad spend. If I'm worrying about branding for a large company, then yeah, perhaps I'd happily pay for billboard ads, TV ads, radio ads, or some placement on a high traffic website. More realistically I'm working with an SMB and when they pay a few thousands on ads they want to know their ROI so they can decide if it's moving the needle or not.

Also, PPC and PPA are what SMBs prefer to buy. PPV only holds its ground when used for brand recognition purposes, with the caveat that it's hilariously easy for fraudulent publishers to stack ads on top of each other and get away with it.

> I'd beg to ask what you're selling me if you're unable to show me what I'm getting for my ad spend

How could we tell you that? You know better than anybody what your revenue numbers are. A billion impressions isn't worth anything if it doesn't affect anything you measure.

> How could we tell you that?

As you just said: a billion impressions aren't worth anything if it doesn't affect anything you measure. And that's the whole problem in the ad industry. Are you buying ads to:

- Build your brand/awareness/mailing list?

- Get marketing qualified leads that your sales will handle?

- Get sales for your SaaS without going through sales?

- Something else?

Each of these requires a different type of tracking - views, clicks, actions. More importantly though, each is subject to ad fraud. And simple text/image ads won't let you detect the latter to weed it out of your stats.

And in the event you're thinking "so? as long as your ROI is positive you're fine" the answer is no, it's not good, because it incites more fraud and the budget might have been better spent on content marketing or other efforts.

And none of that requires JS to be delivered to the browser beyond the script that loaded the ad itself. The ad networks should pass whatever appropriate data to each other, not the browser.

The company/server that serves the images can count... they also get a referer for the host in question... and while I may be OK with Google loading a script for the ads they serve, there is NO reason for anything inside what they serve to bring down any other JS.

Well, how about you actually measure the ROI. Run the ad for a while, measure the click-throughs (and resulting sale). It's not rocket science.

I don't know what an SMB is btw.

SMB is a small or medium business.

Per the answer I gave to a separate answer, there's more than meets the eye when you're measuring an online ROI. Text/image only ads would prevent adequate ad fraud tracking. Take the naive scenario where you add some utm parameters to your PPC campaign and call it a day. The next thing you know you can have a bunch of bots crawling your site owing to click bots and referral spam, alongside fake user bots building profiles by replaying bits and pieces of actual traffic sessions, the two combining to mess up your traffic stats. And if you're large enough to have sophisticated fraudsters target your site, another cohort of bots might show up registering for your SaaS to test stolen CC numbers, messing up your sign up stats to boot.

And, don't get me wrong here. I'm an engineer too and I've been using ad blockers for longer than I've been neck deep into marketing and sales. I just get where you're coming from. But the sorrier realities on the ground are not as simple as one might think from afar.

I would have thought the only real solution to was to actually track money you make as a result of the ad spend.

Spend 10k advertising one month, measure your revenue increase in the following month.

This is how we were tracking our Facebook advertising.

How does running arbitrary code in ads solve this problem? How do other forms of advertising (newspapers, radio, TV, etc.) solve it?

Why aren't these ad scripts sandboxed? I thought you can't have arbitrary code from cross site domains have access.

Because the advertisers want to be able to load it with scripts to track stuff like viewability, fraud etc., and since they have the money they ultimately have the power.

They often are sandboxed within an iframe element: (https://www.iab.com/guidelines/safeframe/)

Why do ads need to contain code at all?

Why not limit them to just static images?

Because that’s not how the web works. There is only one sandbox per frame and all code in that frame is in the same sandbox. It doesn’t make much sense to do it differently because JavaScript can modify the behavior of the built in objects and thus that of other scripts in the same environment.

The industry is moving in a direction where more and more ads will be sandboxed, we are just not there quite yet.

Outbrain does this. People hate Outbrain.

Do people hate Outbrain because Outbrain does this? Or is it due to the nature of their ads? (I'm assuming we're talking about the "Around the Web" chum boxes, right?)

Yep the hate is probably for the type of machine generated click bait content that ends up on there. But other than that they do advertising right. Each ad is a picture, some text and a link. All hosted by Outbrain.

Hi everyone, I'm the author of the blog post. We at Confiant help websites to protect their users by detecting and blocking malvertising. We are hiring in our security and engineering teams.

If you're interested in working to combat the problem outlined in the blog post, we would love to hear from you! Please reach out to me [eliya AT confiant DOT com].

I will be back a little bit later to answer some of the questions that I see here in the comments as well. Thanks!

I think it's time to require bonded advertisers on advertising platforms. If you deliver third party content, you should be legally and financially responsible for it. Period. Google and others should be able to police their platform. They aren't... advertisers should have to put up a given dollar amount to advertise on the platform. If malware is detected, they get blackballed.

ELI5: Do I need to actively do something to be impacted, or is it enough to passively visit the infected site/ad?

The "steganography" is simply to get around ad company filters, and the end result is the classic "You need to install Flash" nonsense soliciting the user to install a DMG.

Well the impact is to persuade you to download and run a file. I think most people on HN will be savvy enough not to do that... even if it does claim to be a Flash update.

As others have noted this issue is more about the lax security of ad networks (and their sub networks). Rather than introducing real security, most major ad networks play a cat and mouse game with malware.

Especially if it claims to be a Flash update! What's the intersection of StillUsesFlash & ReadsHN? It's gotta be the empty set at this point, right?

Which, come to think of it, is a great way to screen malware---anyone who will run a flash update probably thinks they need it to get their AOL e-mail, and will happily take the forthcoming call from Apple's Tech Support (TM) asking them for their password and SSN.

If you're not using an ad blocker, start now. Or quit pretending you care about safety. Sadly there's no middle ground.

Slightly tangential, but people like to get on a moral high-ground and posture about content creator revenue, but do I really have to care about people not making a revenue from distributing malware and selling my browsing behaviour that's being tracked across the web?

We really need to stop pretending that ad networks are these neutral entities. They are a backdoor that is inserted on every website, and I shouldn't have to justify plugging it up; you should have to explain why you've sold my security.

Not to mention the extreme negative psychological and societal consequences of these ad companies. There's no way ad companies are anything but an extreme negative even if they fix their security and only deliver inert payloads. Ad companies were a sickness for society and individuals in the days of TV and newspapers and they are a sickness now. Starving them out of business could be seen as a moral duty to oneself and a benefit to society. If content creators choose to partner with such ad companies, they should accept their fate, that of the ad companies. Or they can figure out a better business model. It's not up to the rest of society to sacrifice itself and the well-being of the people in the rest of society so some ad men can make billions or for some content creators to put out a bunch of content that's almost certainly just garbage. We in the rest of society, owe these ad men and anyone who aligns with them nothing. They're lucky that as a society we allow their sick, disgusting manipulation of others to continue ... for now.

Do there exist any ad networks that only accept an image from the advertiser and provide any analytics themselves (so you only have to trust the ad network and not the advertiser?)

Does Brave block it?

Does anyone have an answer to this question?

The user still needs to go through with the fake Flash update. Even if one is to accidentally fat finger the download, they still have to proceed with the installation. To protect yourself, please be vigilant and only accept software updates directly from the vendor of the software you are using. This is more of a phishing attack to get folks to install malware / adware.

20 years since Melissa.

And people still click on things they shouldn't be clicking on.

It is amazing the brainpower that goes into developing processes like this just to trick a person into doing what they've been told NOT to do.

I understand every new generation of users needs to be reminded of this. Of course, right? Kids grow up, and have to be taught basic online hygiene.

Maybe it is time to do away with the entire paradigm of "click to install" and have authenticated package managers for everything.

Would that solve the problem? If the only way to install software was through an "app/apt-store" where everything is fingerprinted? This reminds me of the article on HN a few days ago about enabling HTTPS and Tor for apt. I learned a lot about how apt verifies untouched packages are installed.

Why isn't that the ONLY method to add software to a computer?

Just seems like we are attacking the wrong problem. People still get STIs because they don't want to use a condom (or don't know how to use one). My analogy sucks, but if we got rid of sex we wouldn't have STIs, by definition. Ok, F for that metaphor, but am I going in the right direction?

Is there any point at which ISPs block these known malware domains? It seems like they are using the same site (veryield-malyst.com) over and over to distribute the payload in repeated malware campaigns. Why haven't the major ISPs blocked access to that domain?

> The `veryield-malyst` domain, as a case in point, has been active for months, but only recently are VeryMal starting to smuggle it using steganography. Here’s one of their ad tags from early November for comparison:

So we've known since at least November that this site is bad, but it's still serving this stuff up today? WTF?

Funny enough, just today it came out Google plans to neuter ad blockers by disabling the extension API they are using (https://www.heise.de/newsticker/meldung/Kontroverse-Plaene-W...).

So, Google, tell me what options do I have? Switch to CPU and memory hog Firefox, to the new Internet Explorer called Safari, or watch while ads that I can't block fuck up my computer?

aw man... what OS are you on? Chrome is the CPU and memory hog on macOS... Though I guess Firefox isn't that far behind.

Same as you - macOS. I regularly have ~250-300 tabs open on my MBP (though I admit, I cheat via using The Great Suspender), the only time it hogs CPU is when some nasty advertising on sueddeutsche.de or Facebook decide they need to warm my lap.

In addition, I vastly prefer Chrome's devtools. Nothing comes close, and I believe this is a huge part of why developers are so Chrome-loyal.

That's actually a huge part of why I switched and stayed with FF: their dev tools are now much superior to Chrome. No more clicking an XHR link in the console only to be taken to the network tab and have to manually locate that XHR. No more random caching of code even with 'disable caches' on. Among many, many other improvements. I would highly recommend giving FF dev tools another shot.

> In addition, I vastly prefer Chrome's devtools. Nothing comes close, and I believe this is a huge part of why developers are so Chrome-loyal.

So do I (I’ve also heard good things about Firefox’s dev tools but never made the switch), which is why I use Chrome for web development and Safari for everyday browsing. It works really well for me and I like that my browsing history isn’t full of localhost URLs, my form fill history isn’t spammed with entries like “testtest123”, and my dev tools are (nearly) unadulterated by extension scripts.

huh. I guess Ghostery isn't protecting me enough. My computer gets angry when I have just a couple of Chrome tabs open. Though I haven't tried it for general browsing in a long time.

Spam emails with embedded links don't use steganography, but they use a similar redirect attack. I have reverse engineered many of them, and, for a lot of them, I am struck by the sense of whimsy in the choice of variable names the attackers use. Clearly, they are having fun doing these scripts. It always struck me as sad that these possibly talented (and apparently pretty happy) developers have been steered into crime instead of a probably lucrative honest career in software.

That's it. I'm disabling JS by default.

You will be astounded how much of the web breaks. I know you think you know, but it's worse than you can imagine. The number of sites that can't even display their images, the amount of third party css that is needed and won't load, dropdowns, search buttons, and endless Big Red Banners telling you that you need to enable javascript.

I am 100% in agreement JS is the problem and should be abandoned. But the web falls apart if you disable it.

Source: disabled JS on iOS Safari. I leave it disabled but have to open another browser all the time. Even stupid HuffPo "click to read" is JS. So when I click 'news' links from the main news widget they open in Safari and I can't read the article; I have to copy and paste into Chrome (which does have JS enabled).

There's no way this is an ok user experience. But JS is not an ok security experience. I'm like F THIS I'M SWITCHING TO LYNX. :-(

Exactly this. Ten years ago, sites would fail gracefully if the client didn't have JS enabled. But today, all the cool web kids want to do "100% client-side rendering" which means the page is completely blank if you disable JS. For a very few web sites, this makes sense. For the vast majority, it does not.

If you're savvy enough to know that you can "disable JS by default" I'm betting you are also savvy enough to not download AdobeFlashPlayer.dmg from newtypeinstalllite.icu.

We might need a fork of Chromium for that in the future. I hope Mozilla does it, but they seem to be heading towards non-existence burning resources to just copy everything Google does.

Use uMatrix, it will give you finer control than a simple “on/off” with a nice GUI.

You don’t need JavaScript to make the user download a disk image. If you don’t just trust any ‘please install this plugin’ prompt you’re fine with or without JavaScript.

Maybe I'm missing something, but why are Apple fonts required here?

Seems like an odd method, but I believe that is how they are specifically targeting macOS machines for this particular malware.

That's correct. It's just a subtle way of doing OS fingerprinting.

Maybe it's time to limit browser to 2 levels of IFrame and 2 redirects in an IFrame... let the ad companies figure out how to pass/share their data directly instead of adding payload to the browser. It's entirely possible for the ad networks to proxy their requests instead of layers of IFrames, scripts and redirects.

The other side is that any advertising re-sellers should have to put up a bond/insurance against serving malware. If you get busted, you're out. It's up to the advertising companies to ensure that they don't deliver malware. If a campaign includes malware, then it's a $10K fine + $1 for every time that campaign was shown.

I think the title is a bit misleading, as it still requires a user action to actually infect the device.

Any published IOCs for this? Any hashes for the malware itself?

tl;dr malicious ad stores payload in image. It then executes it with eval().

If the publisher had minimal CSP eval protection on ads, it would be safe. But I guess that would break every ad, even Google's.

In the end, same old everything. Just a slightly clever way to avoid static analysis, which is also not new at all.
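The two defensive controls raised in this thread, SafeFrame-style iframe sandboxing of ad slots (the comments about "one sandbox per frame" further up) and a Content-Security-Policy that withholds eval() (the comment just above), can both be checked mechanically. The following is an added example written for this thread, not code from the Confiant post or from any commenter: a small Node.js policy linter that parses a CSP header and reports whether scripts may still call eval(), and inspects an iframe `sandbox` token list for grants an ad creative should not have. The two slot configurations at the bottom are constructed for illustration; the hostname in the hardened CSP is a placeholder.

```javascript
// Added example (not from the Confiant post or any commenter): a policy
// linter for an ad slot. It checks (1) whether the page's CSP still lets
// scripts call eval()/new Function(), which is the step the steganographic
// payload relies on, and (2) whether an iframe sandbox attribute grants a
// framed ad more than it needs. All inputs below are constructed samples.

// Parse a CSP header value into { directiveName: [tokens...] }.
function parseCsp(header) {
  const policy = {};
  for (const rawDirective of header.split(';')) {
    const parts = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    // Per the CSP spec a repeated directive is ignored, so keep the first one.
    if (!(name in policy)) policy[name] = parts.slice(1);
  }
  return policy;
}

// Does this policy permit eval()? script-src governs; if it is absent,
// default-src applies; if neither exists, CSP does not restrict eval at all.
function cspAllowsEval(header) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (sources === undefined) return true;
  return sources.some((t) => t.toLowerCase() === "'unsafe-eval'");
}

// Split an iframe sandbox attribute into lowercase tokens; null when the
// attribute is missing entirely (no sandbox applied).
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  return attr.trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase());
}

// Report sandbox grants that give a framed ad more than a creative needs.
// 'allow-scripts' together with 'allow-same-origin' lets a creative served
// from the publisher's own origin reach the parent document and strip the
// sandbox attribute itself, so the pair is treated as a finding.
function sandboxFindings(attr) {
  const tokens = parseSandbox(attr);
  if (tokens === null) return ['no sandbox attribute: frame runs unrestricted'];
  const findings = [];
  if (tokens.includes('allow-scripts') && tokens.includes('allow-same-origin')) {
    findings.push('allow-scripts + allow-same-origin: frame can remove its own sandbox');
  }
  if (tokens.includes('allow-top-navigation')) {
    findings.push('allow-top-navigation: ad can redirect the whole tab');
  }
  if (tokens.includes('allow-downloads')) {
    findings.push('allow-downloads: ad can initiate a file download');
  }
  return findings;
}

// Combine both checks for one ad slot; an empty list means no findings.
function auditSlot(slot) {
  const findings = sandboxFindings(slot.sandbox);
  if (cspAllowsEval(slot.csp)) {
    findings.push("CSP permits eval(): 'unsafe-eval' present or no script-src/default-src");
  }
  return findings;
}

// Constructed samples: a permissive slot and a hardened one.
// ads.example-network.invalid is a placeholder hostname.
const WEAK_SLOT = {
  csp: "default-src 'self' https:; script-src 'self' https: 'unsafe-inline' 'unsafe-eval'",
  sandbox: 'allow-scripts allow-same-origin allow-top-navigation',
};
const HARDENED_SLOT = {
  csp: "default-src 'none'; img-src https:; script-src https://ads.example-network.invalid",
  sandbox: 'allow-scripts allow-popups',
};

for (const [name, slot] of Object.entries({ weak: WEAK_SLOT, hardened: HARDENED_SLOT })) {
  const findings = auditSlot(slot);
  console.log(`${name}:`, findings.length ? findings : ['no findings']);
}
```

Run it with `node` and the weak slot produces three findings while the hardened slot produces none. Note what the hardened policy does not do: it still has to allow `allow-scripts`, because an ad slot with no script at all is exactly the text/image-only model debated above, and a CSP without `'unsafe-eval'` only removes one execution path; a creative can still run whatever the allowed script-src host serves, so the allow-list has to be as narrow as the ad network permits.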
