Security News Malvertising Attack Threatens 2 Million answers.com Visitors Daily

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
A malvertising attack has been mounted on the popular website answers.com, which receives 2 million visits daily.

Some visitors that browse the knowledge-based website are exposed to fraudulent and malicious advertisements and could be infected with ransomware on a drive-by basis, without even having to click on an ad.

According to Malwarebytes, the attack is making use of the RIG exploit kit to drop the CrypMIC ransomware, a payload that Neutrino first served back in July. The campaign also follows the same pattern that was used by Angler EK and subsequently Neutrino EK via the ‘domain shadowing‘ practice and the use of the HTTPS open redirector from Rocket Fuel (rfihub.com).

“There has been an interesting battle between two exploit kits in the past few months,” said Malwarebytes researcher Jerome Segura, in an analysis. “Following the demise of the Angler exploit kit in June, Neutrino EK assumed the lead position by having the top malware and malvertising campaigns defaulted to it. But since then, there have been several shake ups, and an underdog in the name of RIG EK replaced Neutrino EK on several high volume campaigns from compromised websites.”

In early September, Malwarebytes noticed a change in how RIG drops its malware payload. Rather than using Neutrino’s trademark iexplore.exe process, the firm spotted instances where wscript.exe was the parent process of the dropped binary. This may seem like a minor difference, but it is being used as a way to bypass certain proxies.

“Threat actors are privileging RIG over its rival Neutrino, as it can be seen from various malware campaigns,” Segura said. “In the meantime, domain shadowing in the malvertising space is still an effective means of duping ad agencies via social engineering. While this practice is well known, it also remains a powerful method to bypass traditional defenses at the gateway by wrapping the ad traffic (and malicious code) in an encrypted tunnel.”

Read more: http://www.infosecurity-magazine.com/news/malvertising-attack-threatens-2/
 

CMLew

Level 23
Verified
Well-known
Oct 30, 2015
1,251
Disable Windows Script Host (wscript.exe) and command line utility (cscript.exe). These should already be manually disabled or monitored by MT members... it's been preached enough.

As in blocked execution these two on the comp?
 
  • Like
Reactions: Der.Reisende

CMLew

Level 23
Verified
Well-known
Oct 30, 2015
1,251
If not needed - disable. Most typical users do not need except when running some utilities - like Win10Privacy.

If needed, monitor with HIPS or anti-executable.

I see. So just to sum it up. If I have those software (VS auto-mode or SpS Firewall), those entries are being monitored automatically right from the setup of the software. Am I right to say that?

If that's the case, then most likely I would get prompt if I surf Answers.com
 
H

hjlbx

I see. So just to sum it up. If I have those software (VS auto-mode or SpS Firewall), those entries are being monitored automatically right from the setup of the software. Am I right to say that?

If that's the case, then most likely I would get prompt if I surf Answers.com

If there is no allow rule created in VS or SpS, then when executed wscript and cscript will generate alert. Alternatively you can create block rule for both in VS and SpS. Whatever you do you do not want to create permanent allow rules for either wscript or cscript. I know in VS wscript and cscript should be on the vulnerable Windows process list by default. In SpS they are not and you must monitor them.

At this point in time I would bet the malvertising has been eliminated from Answers.com; once it has been reported it is usually - but not always - too late to visit a site for testing security softs. Don't get your hopes up...
 

CMLew

Level 23
Verified
Well-known
Oct 30, 2015
1,251
If there is no allow rule created in VS or SpS, then when executed wscript and cscript will generate alert. Alternatively you can create block rule for both in VS and SpS. Whatever you do you do not want to create permanent allow rules for either wscript or cscript. I know in VS wscript and cscript should be on the vulnerable Windows process list by default. In SpS they are not and you must monitor them.

At this point in time I would bet the malvertising has been eliminated from Answers.com; once it has been reported it is usually - but not always - too late to visit a site for testing security softs. Don't get your hopes up...

Haha! Thanks for the heads up. Im not really interested to surf in and test. Rather, I need to go and check all my 6 comps at home to make sure those are in place. :cool: Just in case any of my family members surfing that and it has not eradicate it yet. :)
 

soccer97

Level 11
Verified
May 22, 2014
517
Disable Windows Script Host (wscript.exe) and command line utility (cscript.exe). These should already be manually disabled or monitored by MT members... it's been preached enough.

Disable both of these on a 'production computer'? I was unaware - or is this create a rule in whatever program. Malvertising is not cool.
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
If not needed - disable. Most typical users do not need except when running some utilities - like Win10Privacy.

If needed, monitor with HIPS or anti-executable.
Right, and for those that don't use these, if you use Process Lasso simply add them to the
Disallowed Process List, very easy to do.
Awesome share hjlbx & Jack.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top