January 20, 2013 By George Tubin 3 min read

In the wake of the recent Java zero-day vulnerability (CVE-2013-0422) being exploited in the wild, the research team at Trusteer, an IBM company, has investigated a new type of viral campaign, which distributes Blackhole exploit kits that use this vulnerability to compromise user endpoints.

False Malvertising

Malvertising, or malicious advertising, denotes the use of online advertising to spread malware. A practice that can be inserted into reputable, high-profile websites, malicious advertising provides an opportunity to “push” exploits to Web users. Trusteer’s research team recently recorded a criminal campaign in which hackers used the Clicksor ad network to distribute the Blackhole exploit kit (Clicksor is a popular ad network, ranked 152 by Alexa). Using Clicksor as the malvertising platform allows hackers to reach a very wide audience while allowing the hacker to distribute the malware at a very low cost, starting at $0.50 per 1,000 impressions. Clicksor — and other legitimate online advertising services — has no idea, of course, that these paid, seemingly legitimate advertisements contain malware.

The recent Java zero-day vulnerability, which has been folded into exploit kits like Blackhole, automates the exploitation of computers via Web-browser vulnerabilities. As a result, the endpoint may be automatically compromised with malware when an unpatched browser is used to access a site that displays malicious Clicksor ads — without the user ever opening the ad.

While tracking Blackhole exploits delivered via malvertising, Trusteer’s research team found dozens of sites and domains that are currently hosting malvertising campaigns. About 9 percent of the exploits originated from Clicksor, but at least 10 other ad networks were hosting similar malvertising campaigns, including Linkbucks.com, Hooqy Media Advertiser, Traff, Banners Broker, AdFly, Paypopup, SmsAfiliados.com and ExoClick. Although analysts cannot quantify the number of malicious advertisements being served, they believe the number is in the hundreds of thousands — if not millions.

The Malvertising Campaign Explained

1. Malvertising starts with a site that embeds the legitimate Clicksor service:

Figure 1: Legitimate Clicksor service embedded in a website.

2. When the user accesses the page, the Clicksor snippet is legitimately loaded as part of the page (user does not click on the ad):

Figure 2: Clicksor ad loaded into the Web page.

3. The website embeds the Clicksor service snippet (a legitimate part of the ad content):

4. The Clicksor service snippet redirects the browser to get content for the ad. In this case, it is redirected to a site that hosts the malicious Blackhole exploit kit. Note that there is no direct link between the site that embedded the service and Blackhole, and that the referer field continues to show that the ad came from Clicksor:

5. Blackhole downloads the Java applet that exploits the zero-day vulnerability:

6. Process Monitor shows Internet Explorer (IE) exploiting vulnerabilities through the Java applet that downloads and executes the malware (“C:\Users\user\wgsdgsdgsdsgsd.exe”):

7. The website displays the ad served by Clicksor. In this case, the content received didn’t include an image, so it appears as if it didn’t load correctly. The user is not aware that the endpoint has been compromised:

It is strongly recommended that all endpoints be patched as soon as possible. In case a patch can’t be effectively deployed on all endpoints — and for ongoing protection against unpatched vulnerabilities — an Exploit Prevention Security Layer should be implemented to protect the endpoints from compromise.

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today