Malvertising attack: Did you visit answers.com in recent days?

  • Yes: 0 votes (0.0%)
  • No: 6 votes (31.6%)
  • I don't visit this website: 13 votes (68.4%)

  Total voters: 19

Jack

Level 85
Verified
Staff member
A malvertising attack has been mounted on the popular website answers.com, which receives 2 million visits daily.

Some visitors that browse the knowledge-based website are exposed to fraudulent and malicious advertisements and could be infected with ransomware on a drive-by basis, without even having to click on an ad.

According to Malwarebytes, the attack is making use of the RIG exploit kit to drop the CrypMIC ransomware, a payload that Neutrino first served back in July. The campaign also follows the same pattern that was used by Angler EK and subsequently Neutrino EK via the ‘domain shadowing’ practice and the use of the HTTPS open redirector from Rocket Fuel (rfihub.com).

“There has been an interesting battle between two exploit kits in the past few months,” said Malwarebytes researcher Jerome Segura, in an analysis. “Following the demise of the Angler exploit kit in June, Neutrino EK assumed the lead position by having the top malware and malvertising campaigns defaulted to it. But since then, there have been several shake-ups, and an underdog in the name of RIG EK replaced Neutrino EK on several high-volume campaigns from compromised websites.”

In early September, Malwarebytes noticed a change in how RIG drops its malware payload. Rather than using Neutrino’s trademark iexplore.exe process, the firm spotted instances where wscript.exe was the parent process of the dropped binary. This may seem like a minor difference, but it is being used as a way to bypass certain proxies.

“Threat actors are privileging RIG over its rival Neutrino, as it can be seen from various malware campaigns,” Segura said. “In the meantime, domain shadowing in the malvertising space is still an effective means of duping ad agencies via social engineering. While this practice is well known, it also remains a powerful method to bypass traditional defenses at the gateway by wrapping the ad traffic (and malicious code) in an encrypted tunnel.”

Read more: http://www.infosecurity-magazine.com/news/malvertising-attack-threatens-2/

CMLew

Level 23
Verified
Disable Windows Script Host (wscript.exe) and command line utility (cscript.exe). These should already be manually disabled or monitored by MT members... it's been preached enough.
As in, block execution of these two on the computer?
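The registry change behind the "disable Windows Script Host" advice quoted above, as an added example that is not from the thread: it sets the documented WSH `Enabled` value to 0 for the machine and the current user, reports the state before and after, and then runs a constructed test script to confirm that cscript.exe now refuses to execute it. Run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): disable Windows Script Host so that
# wscript.exe and cscript.exe refuse to run scripts, then verify.
# 'Enabled' under the Windows Script Host Settings key is a documented WSH
# setting; 0 disables WSH for the machine (HKLM) or the current user (HKCU).

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
    'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'
)

function Get-WshState {
    param([string]$Key)
    $value = Get-ItemProperty -Path $Key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $value) { return 'enabled (no Enabled value set, WSH default)' }
    if ($value.Enabled -eq 0) { return 'disabled' }
    return 'enabled'
}

function Disable-Wsh {
    param([string]$Key)
    # Create the Settings key if it does not exist yet (it often does not under HKCU).
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
}

foreach ($k in $keys) {
    Write-Host ("Before: {0} -> {1}" -f $k, (Get-WshState $k))
    Disable-Wsh $k
    Write-Host ("After:  {0} -> {1}" -f $k, (Get-WshState $k))
}

# Verification with a constructed, harmless test script: once WSH is disabled,
# cscript.exe reports that Windows Script Host access is disabled instead of
# echoing the line below.
$testScript = Join-Path $env:TEMP 'wsh-test.vbs'
Set-Content -Path $testScript -Value 'WScript.Echo "WSH is still enabled"'
& cscript.exe //Nologo $testScript
Remove-Item $testScript -ErrorAction SilentlyContinue
```

Setting the HKCU value alone covers only the account it is set in; the HKLM value is the one to rely on for a shared family machine.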

CMLew

Level 23
Verified
If not needed, disable. Most typical users do not need them except when running some utilities, like Win10Privacy.

If needed, monitor with HIPS or anti-executable.
I see. So just to sum it up: if I have that software (VS auto-mode or SpS Firewall), are those entries monitored automatically right from the setup of the software? Am I right to say that?

If that's the case, then most likely I would get a prompt if I surf Answers.com.


hjlbx

I see. So just to sum it up: if I have that software (VS auto-mode or SpS Firewall), are those entries monitored automatically right from the setup of the software? Am I right to say that?

If that's the case, then most likely I would get a prompt if I surf Answers.com.
If there is no allow rule created in VS or SpS, then when executed, wscript and cscript will generate an alert. Alternatively, you can create a block rule for both in VS and SpS. Whatever you do, you do not want to create permanent allow rules for either wscript or cscript. I know in VS wscript and cscript should be on the vulnerable Windows process list by default. In SpS they are not, and you must monitor them.

At this point in time I would bet the malvertising has been eliminated from Answers.com; once it has been reported it is usually - but not always - too late to visit a site for testing security softs. Don't get your hopes up...

CMLew

Level 23
Verified
If there is no allow rule created in VS or SpS, then when executed, wscript and cscript will generate an alert. Alternatively, you can create a block rule for both in VS and SpS. Whatever you do, you do not want to create permanent allow rules for either wscript or cscript. I know in VS wscript and cscript should be on the vulnerable Windows process list by default. In SpS they are not, and you must monitor them.

At this point in time I would bet the malvertising has been eliminated from Answers.com; once it has been reported it is usually - but not always - too late to visit a site for testing security softs. Don't get your hopes up...
Haha! Thanks for the heads up. I'm not really interested in surfing in and testing. Rather, I need to go and check all my 6 comps at home to make sure those are in place. :cool: Just in case any of my family members surf that and it has not been eradicated yet. :)

soccer97

Level 11
Disable Windows Script Host (wscript.exe) and command line utility (cscript.exe). These should already be manually disabled or monitored by MT members... it's been preached enough.
Disable both of these on a 'production computer'? I was unaware. Or is this about creating a rule in whatever program? Malvertising is not cool.

_CyberGhosT_

Level 53
Verified
Trusted
Content Creator
If not needed, disable. Most typical users do not need them except when running some utilities, like Win10Privacy.

If needed, monitor with HIPS or anti-executable.
Right, and for those that don't use these: if you use Process Lasso, simply add them to the Disallowed Process List, very easy to do.
Awesome share, hjlbx & Jack.