January 20, 2013 By George Tubin 3 min read

In the wake of the recent Java zero-day vulnerability (CVE-2013-0422) being exploited in the wild, the research team at Trusteer, an IBM company, has investigated a new type of viral campaign, which distributes Blackhole exploit kits that use this vulnerability to compromise user endpoints.

False Malvertising

Malvertising, or malicious advertising, denotes the use of online advertising to spread malware. A practice that can be inserted into reputable, high-profile websites, malicious advertising provides an opportunity to “push” exploits to Web users. Trusteer’s research team recently recorded a criminal campaign in which hackers used the Clicksor ad network to distribute the Blackhole exploit kit (Clicksor is a popular ad network, ranked 152 by Alexa). Using Clicksor as the malvertising platform allows hackers to reach a very wide audience while allowing the hacker to distribute the malware at a very low cost, starting at $0.50 per 1,000 impressions. Clicksor — and other legitimate online advertising services — has no idea, of course, that these paid, seemingly legitimate advertisements contain malware.

The recent Java zero-day vulnerability, which has been folded into exploit kits like Blackhole, automates the exploitation of computers via Web-browser vulnerabilities. As a result, the endpoint may be automatically compromised with malware when an unpatched browser is used to access a site that displays malicious Clicksor ads — without the user ever opening the ad.

While tracking Blackhole exploits delivered via malvertising, Trusteer’s research team found dozens of sites and domains that are currently hosting malvertising campaigns. About 9 percent of the exploits originated from Clicksor, but at least 10 other ad networks were hosting similar malvertising campaigns, including Linkbucks.com, Hooqy Media Advertiser, Traff, Banners Broker, AdFly, Paypopup, SmsAfiliados.com and ExoClick. Although analysts cannot quantify the number of malicious advertisements being served, they believe the number is in the hundreds of thousands — if not millions.

The Malvertising Campaign Explained

1. Malvertising starts with a site that embeds the legitimate Clicksor service:

Figure 1: Legitimate Clicksor service embedded in a website.

2. When the user accesses the page, the Clicksor snippet is legitimately loaded as part of the page (user does not click on the ad):

Figure 2: Clicksor ad loaded into the Web page.

3. The website embeds the Clicksor service snippet (a legitimate part of the ad content):

4. The Clicksor service snippet redirects the browser to get content for the ad. In this case, it is redirected to a site that hosts the malicious Blackhole exploit kit. Note that there is no direct link between the site that embedded the service and Blackhole, and that the referer field continues to show that the ad came from Clicksor:

5. Blackhole downloads the Java applet that exploits the zero-day vulnerability:

6. Process Monitor shows Internet Explorer (IE) exploiting vulnerabilities through the Java applet that downloads and executes the malware (“C:\Users\user\wgsdgsdgsdsgsd.exe”):

7. The website displays the ad served by Clicksor. In this case, the content received didn’t include an image, so it appears as if it didn’t load correctly. The user is not aware that the endpoint has been compromised:

It is strongly recommended that all endpoints be patched as soon as possible. In case a patch can’t be effectively deployed on all endpoints — and for ongoing protection against unpatched vulnerabilities — an Exploit Prevention Security Layer should be implemented to protect the endpoints from compromise.

More from Malware

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today