Skip to content
February 21, 2014 / McEnroe Navaraj

The Wild Wild Web: YouTube ads serving malware

There’s never a dull moment in the security industry, just as we heard about the latest IE 0day; one of our field security engineers in the Americas stumbled upon a YouTube link that was hosting malware. The vulnerability is not in YouTube as such, but the ad-network seems to be the culprit in this case. We’re working with Google security team to get to the bottom of this, in the meantime some quick details about the infection below.

Summary

- Classic drive-by download attack, infects the user by exploiting client software vulnerabilities.

- The ad network was discovered to be hosting the Styx exploit kit. This exploit kit was recently in the news for compromising at hasbro.com. Well, the attackers seem to have upped their target this time by somehow getting into YouTube ads.

- The exploit leveraged in this was a Java exploit.

- The Trojan appears to be a Banking Trojan belonging to the Caphaw family.

- The outbound CnC went out to Europe in this infection, where the server is likely to be hosted. It uses a DGA (Domain Generation Algorithm) for CnC, we’re still digging into the various IP addresses leveraged.

Details

The Malware analysis graph from Bromium LAVA console looks like this:

image

The malware was encountered while watching a YouTube video. Fortunately, we captured the forensic traces of the malware infection. We’ve shared all of this with Google security team, who’ve been very helpful and co-operative. We will update this section if we unravel any more interesting details of the origins of this attack.

The source of the dropper is as shown below, it appears to be a typical Java drive by download.

We noticed the malware tries to detect the version of Java installed and based on the version, it sends out different URLs to ensure that the exploit is compatible with the Java versions. This is a signature of the Styx Exploit kit.

We’ve confirmed that the exploit used in this instance of the attack is CVE-2013-2460.

The first stage dropper after the Java exploit, is tagged by few AV vendors as Win32/Caphaw. Caphaw is a widely used Banking Trojan and was analyzed by several people last year.

Further, the malware then tries to connect to two different domains “smis.cc” and “aqu.su”. smis.cc was created just a month back. The current web reputation for “smis.cc” is known to be bad.

Domain name: SMIS.CC

Created On: 1/24/2014 9:53:23 AM
Expires On: 1/24/2015 9:53:23 AM
Last Updated On: 1/24/2014 9:53:23 AM

Registrant:
Zuzanna Zielinska
Zuzanna Zielinska
ul. Warynskiego Ludwika 81
Opole, Opole 45-047
PL
48.72763610    Fax: 48.72763610

This server hosts four more domains that includes “aqu.su” and “many.su“.

The PE Compilation Timestamp seems to indicate that this malware has obviously been in the run for few months.

The attack that we saw was overall a repackaged attack, nothing utterly complex and hence we’re baffled as to how it ended up into YouTube’s ads. Hopefully, we’ll all get to the bottom of this asap.

Watering hole attacks are clearly getting popular by attackers. Recently, Yahoo mail users were attacked using similar vectors. Several high profile websites have become victims of such attacks recently. From the attackers point of view, this is the easiest way to cause maximum damage – max ROI.

As always, we urge users to beef up your security controls for all online activity and stay safe!

I would like to thank Robert Wagner who alerted us about this event and my other Bromium Labs colleagues for their inputs.

 

[UPDATE 02/23/2014]

Bromium Labs has been working with the Google security team to unravel the root cause. Google has confirmed that a rogue advertiser was behind this malvertisment. Google has taken this campaign off and is beefing up internal procedures to prevent such events from occurring again. Below is the transcript of how the malware got into the user’s machine. All of the forensic evidence was captured in LAVA, which helped the Google and Bromium teams in our analysis.

Modulus operandi

The attack that we unearthed with Google security team involved the following steps as seen by the victim:

Step 1: User watches a YouTube video
Step 2: User sees a thumbnail of another video (*.JPG)
Step 3: User clicks on the thumbnail and watches the video. In the background the user gets redirected to a malicious ad served by Googleads (*.doubleclick.net)
Step 4: Malware redirects the user to ‘foulpapers.com’
Step 5: Foulpapers.com iframes the aecua.nl
Step 6: aecua.nl delivers the exploit (in our case it was Styx exploit kit)

 

image

 

Details

Steps 1-2 are normal and no abuse was observed.

The hijack seems to happen in Step 3. After some digging into the forensic LAVA trace, we finally uncovered the culprit. The background redirect was because of a SWF (Flash) file that injects an IFRAME into the Internet Explorer DOM.

\Users\br*****\appdata\local\microsoft\windows\Temporary Internet Files\Content.IE5\B1BHEG61\imgad[1].swf

image

The flash file dropped in the advertisement was the culprit, if you decompile the flash you get this:

image

 

After reverse engineering the SWF, we observe that the redirect to “foulpapers.com” is present there in the SWF file. Further, the attacker tries to fingerprint the browser and goes ahead if it is Internet Explorer in the IsOurUserAgent() function as shown below.

image

The timestamp of this nicely corresponds to the LAVA graph where we see an outbound request to the IP address 38.96.232.90 which corresponds to ‘foulpapers.com’ and then eventually to the site hosting the exploit kit.

Now, looking back, the delivery of this came from this doubleclick ad:

clip_image002

So the offending advertisement clearly came from Googleads/Doubleclick via a Flash file. It is important to note that the user did not need to click on any ads on YouTube, the infection happens just by viewing the YouTube videos.

However, after this step, the next steps were simple. Foulpapers.com injected IFRAMEs from the malicious website and the website infected the user (micro-VM in this case)

clip_image004

The details of the ensuing infection are already covered in the first section of our blog.

We don’t yet know the exact bypass which the attackers used to evade Google’s internal advertisement security checks. Google has informed us that they’re conducting a full investigation of this abuse and will take appropriate measures.

 

What’s the impact?

YouTube has been targeted many times before. Recently, our friends at Sophos Labs mentioned about a similar campaign uncovered in 2013. More details available here. It’s obvious that the attackers are still able to infiltrate against existing defenses used by YouTube security for ads. This clearly is a concerning trend.

We all understand that YouTube is an incredibly popular website with over 1 billion users. So it is a big target. We don’t know the extent of the damage done by this malware campaign. Only Google can possibly estimate some accurate numbers of people impacted by this.

From a user security standpoint, we recommend disabling ads using ad blockers in the interim and use robust isolation technologies such as micro-virtualization to prevent such unforeseen attacks.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 35 other followers

%d bloggers like this: