The Latest in IT Security

Along with the public release of information about a large, long-running malvertising campaign, I also sent the full list of steathy malvertising domains to several contacts in the WebAd/anti-malvertising community. This led to a two-front war on the malvertisers, with the ad industry cutting off traffic to the domains at the top, and Blue Coat (and other security companies that follow our blog) blocking the traffic at the bottom. Consequently, the campaign basically collapsed.

Things got very quiet after September 11th, and for a few days there didn't seem to be any active malvertising domains in the whole network. Had the Bad Guys given up and seen the error of their ways? Heck no! (For one thing, they still had a bunch of domains they'd paid to register last year, and they sure didn't want to waste that money!)

So we kept an eye out, and sure enough, last Monday (9/15) the traffic began again. Granted, the volume is nowhere near where it was before their network was torn apart, but I suppose it takes time to make a bunch of changes and get a new set of stealth malvertising domains into the ad pipeline.

So far, we've only seen a handful of new domains come on line. Here's the list:

Once again, the striking characteristics of this gang are their patience in registering their domains up to a year before they start using them, and the care with which they segment the attack, using each domain to serve ads to one site or family of sites.

And, since 4 of the new domains were all registered last Halloween, it's appropriate to close with this classic movie tag line:

"They're back."

–C.L.

@bc_malware_guy