The Latest in IT Security

Visualizing Malware: Another Look at Malvertising

23
Jun
2011

[A lot of travel recently has pre-empted work on the blog. Here is a cool post from Tim in our internal team blog a couple of weeks ago. I’ve been pestering him to do another in our "visualizing malware" series… –C.L.]

As we have seen before (More Malicious Ads, Visualizing Malware Networks), malvertising enables the Bad Guys to sneak malicious content into legitimate ad streams, which in turn allows them to reach into the relatively "safe" parts of the Internet for potential victims.

Here are some interesting snippets from a graph of a recent malvertising attack. This graph represents just one traffic stream to the malware: someone who was reading an online comic book. Each node represents a new page in the comic. The complete chain is 250+ nodes in length. [Let’s hope this was a K9 user at home, and not someone doing "research" on the job. –C.L.]

closeup of a fork in the network graph

Periodically, the path will fork (as highlighted above). The main path leads to the next comic book page; the side path leads to an ad page hosted by the same server as the comic.

Here’s what this traffic looks like at the ad page (node #0_0_187). [Rotated 90 degrees to display better in this blog’s form-factor.]:

graph view of malvertising relay

Note that although there were a large number of links into this node (one link per comic page), we only occasionally saw it redirect to the particular ad provider designated as node #0_0_925 (the number "4" next to the link is a counter for this time period, i.e., the user was served ads from this server four times).

As mentioned, node #0_0_925 is an ad provider, but it is being used to connect visitors into the malware network. Interestingly, this single ad server contributed only a small part of the total traffic being funneled to the attack sites (three different malicious host names were observed in the data logs). Here’s a snippet from one of the attack nodes (#0_0_1566):

network graph of traffic to the attack site

 

In other words, lots of "trickles" added up to a big stream of potential victims for the Bad Guy. 

— TvdH

 

Leave a reply


Categories

MONDAY, DECEMBER 09, 2019
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments