In the wake of the recent Java zero-day vulnerability (CVE-2013-0422) being exploited in the wild, the research team at Trusteer, an IBM company, has investigated a new type of viral campaign, which distributes Blackhole exploit kits that use this vulnerability to compromise user endpoints.

False Malvertising

Malvertising, or malicious advertising, denotes the use of online advertising to spread malware. A practice that can be inserted into reputable, high-profile websites, malicious advertising provides an opportunity to “push” exploits to Web users. Trusteer’s research team recently recorded a criminal campaign in which hackers used the Clicksor ad network to distribute the Blackhole exploit kit (Clicksor is a popular ad network, ranked 152 by Alexa). Using Clicksor as the malvertising platform allows hackers to reach a very wide audience while allowing the hacker to distribute the malware at a very low cost, starting at $0.50 per 1,000 impressions. Clicksor — and other legitimate online advertising services — has no idea, of course, that these paid, seemingly legitimate advertisements contain malware.

The recent Java zero-day vulnerability, which has been folded into exploit kits like Blackhole, automates the exploitation of computers via Web-browser vulnerabilities. As a result, the endpoint may be automatically compromised with malware when an unpatched browser is used to access a site that displays malicious Clicksor ads — without the user ever opening the ad.

While tracking Blackhole exploits delivered via malvertising, Trusteer’s research team found dozens of sites and domains that are currently hosting malvertising campaigns. About 9 percent of the exploits originated from Clicksor, but at least 10 other ad networks were hosting similar malvertising campaigns, including Linkbucks.com, Hooqy Media Advertiser, Traff, Banners Broker, AdFly, Paypopup, SmsAfiliados.com and ExoClick. Although analysts cannot quantify the number of malicious advertisements being served, they believe the number is in the hundreds of thousands — if not millions.

The Malvertising Campaign Explained

1. Malvertising starts with a site that embeds the legitimate Clicksor service:

Figure 1: Legitimate Clicksor service embedded in a website.

2. When the user accesses the page, the Clicksor snippet is legitimately loaded as part of the page (user does not click on the ad):

Figure 2: Clicksor ad loaded into the Web page.

3. The website embeds the Clicksor service snippet (a legitimate part of the ad content):

4. The Clicksor service snippet redirects the browser to get content for the ad. In this case, it is redirected to a site that hosts the malicious Blackhole exploit kit. Note that there is no direct link between the site that embedded the service and Blackhole, and that the referer field continues to show that the ad came from Clicksor:

5. Blackhole downloads the Java applet that exploits the zero-day vulnerability:

6. Process Monitor shows Internet Explorer (IE) exploiting vulnerabilities through the Java applet that downloads and executes the malware (“C:\Users\user\wgsdgsdgsdsgsd.exe”):

7. The website displays the ad served by Clicksor. In this case, the content received didn’t include an image, so it appears as if it didn’t load correctly. The user is not aware that the endpoint has been compromised:

It is strongly recommended that all endpoints be patched as soon as possible. In case a patch can’t be effectively deployed on all endpoints — and for ongoing protection against unpatched vulnerabilities — an Exploit Prevention Security Layer should be implemented to protect the endpoints from compromise.