[A lot of travel recently has pre-empted work on the blog. Here is a cool post from Tim in our internal team blog a couple of weeks ago. I’ve been pestering him to do another in our "visualizing malware" series… –C.L.]
As we have seen before (More Malicious Ads, Visualizing Malware Networks), malvertising enables the Bad Guys to sneak malicious content into legitimate ad streams, which in turn allows them to reach into the relatively "safe" parts of the Internet for potential victims.
Here are some interesting snippets from a graph of a recent malvertising attack. This graph represents just one traffic stream to the malware: someone who was reading an online comic book. Each node represents a new page in the comic. The complete chain is 250+ nodes in length. [Let’s hope this was a K9 user at home, and not someone doing "research" on the job. –C.L.]
Periodically, the path will fork (as highlighted above). The main path leads to the next comic book page; the side path leads to an ad page hosted by the same server as the comic.
Here’s what this traffic looks like at the ad page (node #0_0_187). [Rotated 90 degrees to display better in this blog’s form-factor.]:
Note that although there were a large number of links into this node (one link per comic page), we only occasionally saw it redirect to the particular ad provider designated as node #0_0_925 (the number "4" next to the link is a counter for this time period, i.e., the user was served ads from this server four times).
As mentioned, node #0_0_925 is an ad provider, but it is being used to connect visitors into the malware network. Interestingly, this single ad server contributed only a small part of the total traffic being funneled to the attack sites (three different malicious host names were observed in the data logs). Here’s a snippet from one of the attack nodes (#0_0_1566):
In other words, lots of "trickles" added up to a big stream of potential victims for the Bad Guy.
Leave a reply