JS:Prontexi - will infect via ads just by loading normal page

Modelworks (Lifer)
Infecting using JavaScript has been around for a while; the thing that makes this one different is that all you have to do is load the page containing the ad. You do not even need to click on the ad for it to infect the PC.


http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=124344

> Antivirus and malware researchers say they have discovered a "widespread campaign" that is infecting the display ads served by leading online publishers and advertising services, including Google, Yahoo and Fox. The researchers at ALWIL Software, the Prague-based developers of the Avast antivirus software, have identified the new strain of malware as "JS: Prontexi," and said it is a JavaScript code that is enabling malware attacks to spread via advertising distributed by mainstream publishers and ad-serving systems.
>
> "The poison ad infiltration method is growing in popularity because it does not require users to click on anything," Jiri Sejtko, a senior virus analyst at Avast, stated, explaining: "Users can get infected just by reading their favorite newspaper or by doing a search on popular topics; the infection begins just after the infected ad is loaded by the browser."
>
> The new strain of malware represents the latest in an ongoing progression of malware being distributed by online advertising sources, a practice that has been dubbed "malvertising." In recent months, the perpetrators of such attacks have grown more brazen and ingenious in their efforts to use advertising, advertisers and even agencies as a new vector for distributing their malicious code, which often launches a variety of attacks, some of which can infect personal computer operating systems to steal personal identities or for other nefarious purposes.
>
> The ALWIL team said it has found that the infected ads are placing malware and viruses on the computers of people visiting leading Web sites such as Google and Yahoo, and that some of the biggest and most popular ad delivery platforms have been the "most compromised," including Yahoo's Yieldmanager.com and Fox Audience Network's Firmerve.com.
>
> "The list of poisoned ad services is extensive and includes advertangel, bannering, jambovideonework, myspace, vestraff and zedo," they said. "DoubleClick, an advertising server affiliated with Google, is ranked fifth in the Avast Virus Lab list of infected servers by rate of infection."
>
> The ALWIL researchers described the JS: Prontexi code as a new kind of "vector," which acts as a channel for malware attacks on vulnerable software such as Adobe and "a range of zero-day exploits." "JS: Prontexi highlights the lack of care shown by advertising service providers to actively screen the content they are distributing," Sejtko asserted. "Serving up infected content like this is a double hazard for advertising companies. In addition to reducing consumer trust in their services, they run the risk of being flagged or even blocked by antivirus programs as a source of malware."
>
> ALWIL said a surge of JS: Prontexi attacks began in February, but said its Avast program has updated its virus databases to fully protect against the new vector. Details of the ALWIL research, including various trace files, can be found on the Avast blog.

tzdk (Member)
And what exactly is "this one"? Seems like more of the same to me, from security companies... The usual PDF or Flash exploits for those who use old versions, but if it is so harmful there will be details with more meat available, right?
 

Modelworks (Lifer)
> And what exactly is "this one"? Seems like more of the same to me, from security companies... The usual PDF or Flash exploits for those who use old versions, but if it is so harmful there will be details with more meat available, right?

The difference is that it isn't based on a site you visit, and there is nothing you can patch in a browser or plugin because it isn't a security flaw in an application. You need to scan the content of the actual page, which most AV software does not do. The corrupted ad is served to any site that serves that company's ads. If 1000 sites use ad revenue from an advertising company, then 1000 web sites will be vulnerable. The ad companies do not currently have a system in place to find these infected ad files, so you have to be extra cautious with ads on sites until the problem is resolved.



> The most compromised services are yieldmanager.com (Yahoo) and fimserve.com (FOX Audience Network) which covers more than 50%. The list of the poisoned ad services is not limited to the “TOP 8” shown in the graph above. The following domains are compromised too:
>
> * unanimis.co.uk 4593
> * xtendmedia.com 4389
> * doubleclick.net 4076
> * vuze.com 3599
> * openx.net 2978
> * globaltakeoff.net 1915
> * specificclick.net 1726
> * bidsystem.com 1581
>
> Almost all of the services above are targeted on advertising – at least one website you are reading uses one of these services. The actual files of JS: Prontexi are not hosted on single domain, the attack uses randomly generated domains. In some cases, it even tries to hide the domain by prefixing commonly known “google.analytics.com”


The virus total page:
http://www.virustotal.com/analisis/...41457e010d68e24504f0db43ec4c5166d6-1266404229
 

tzdk (Member)
Strange how such an apparently worldwide magic risk can pass so silently unless you read the Avast blog ;) From February, so I guess the internet survived...

Well, more detail please. A computer does not get infected just like that. What happens? Where is the diagnostic/reverse engineering report? What are "the actual files"? They don't mean HTML content; obfuscated JavaScript, so what? Redirection? Most likely, so old. No clicks needed, will go down regardless of OS, applications, versions of? OK, I think I will not only use but also buy Avast now, heh. I have the feeling any security company can make such posts, every single day - or there is nothing new in this, more of the same. More power to Avast if they actually were the first to protect against this 1 out of xxxxxxx threats.
 

Chiefcrowe (Diamond Member)
That is definitely scary stuff, thanks for the heads up. I hope other antivirus companies are aware of this too!
 

balloonshark (Diamond Member)
It looks like a HOSTS file, AdBlock Plus and limiting plugins with NoScript (both Firefox add-ons) would prevent infection.

Even if the above didn't protect, a sandbox-type program would contain the malware. A HIPS program or anti-executable should also be able to stop the malware from running once downloaded.
 

Modelworks (Lifer)
> Strange how such an apparently worldwide magic risk can pass so silently unless you read the Avast blog ;) From February, so I guess the internet survived...

Keep thinking like that, you are the type of person malware creators love.

> Well, more detail please. A computer does not get infected just like that. What happens? Where is the diagnostic/reverse engineering report? What are "the actual files"? They don't mean HTML content; obfuscated JavaScript, so what? Redirection? Most likely, so old.

What happens is you load an infected page. Your browser displays the ad. The script inside the ad downloads code and executes it on the PC without the browser knowing it has downloaded anything and without the user doing anything but loading the page.

> No clicks needed, will go down regardless of OS, applications, versions of?

As long as the target OS can execute the JavaScript and the downloaded program is executable on the OS, that is all that matters.

> OK, I think I will not only use but also buy Avast now, heh. I have the feeling any security company can make such posts, every single day - or there is nothing new in this, more of the same.

It isn't more of the same or I wouldn't have posted about it. I have done virus reverse engineering for over 10 years and report new ones to AV companies when I find them. This is not more of the same.
 

Modelworks (Lifer)
> It looks like a HOSTS file, AdBlock Plus and limiting plugins with NoScript (both Firefox add-ons) would prevent infection.
>
> Even if the above didn't protect, a sandbox-type program would contain the malware. A HIPS program or anti-executable should also be able to stop the malware from running once downloaded.

Those are the main things. If you are blocking ads and limiting what scripts can do, you are safe. The ones that are not are the people that depend solely on their AV software, as AV software normally doesn't scan web page content unless someone goes to purposefully download something.
 

tzdk (Member)
All security companies make these types of posts and there is nothing new in this, no matter how scared you are. Explain where you see that? How can you have any idea based on what they "reveal"? PDF exploits are certainly not new, which is what they mean by "initiates infection"; ads being used for redirection until fixed is also not new. So old "threat", more of the same, and the real one is not JavaScript as you seem to think but PDF-based, and so it would be rather useful to know what versions are targeted or were, since this is an old "discovery".

If I am malware material, you are the type the security industry loves, but there is not really much security in eating old info up just because it comes from them. Many posts have been written since then, so why not get scared over more current events? Or change tactic and be critical of scaremongering? At least require sufficient info to evaluate what they are talking about.

In case you missed their real point, it is to show Avast caught JavaScript helping infection = argument for their HTTP scanner or simply Avast. End of story. Or caught the example they chose to publish is probably more correct. Pretty obvious what they are up to - Avira, Kaspersky etc. do exactly the same thing. They don't show off failures! So you always get the story of mighty dangers vs. perfect product regardless of brand and type of infection.
 

mechBgon (Super Moderator, Elite Member)
> What happens is you load an infected page. Your browser displays the ad. The script inside the ad downloads code and executes it on the PC without the browser knowing it has downloaded anything and without the user doing anything but loading the page.

Malicious scripts, whether in malicious ad banners, in malicious sites themselves, or in hacked normally-safe sites, have been a commonplace threat for years. If someone wants a blanket defense, the first thing I'd suggest is a non-Admin user account plus Software Restriction Policy, because then it doesn't even matter if the exploit worked; its payload won't be allowed to run. There are also third-party anti-executable apps available, although I haven't bothered trying anything besides SRP.

On Vista or 7, keeping UAC and Protected Mode enabled would add another layer of complication, since the script would get the Integrity level of LOW. As long as I'm dishing out random security-tweak advice, let me also mention SEHOP for Vista and 7, which can be enabled with the FixIt on this page.

And of course, make sure you've fully enabled your Data Execution Prevention:

[screenshot: enable_DEP.gif]



...and checked your rig with Secunia to ensure you're not toting around a bunch of exploitable software when you could simply patch it:

[screenshot: secunia_psi.png]
 

Modelworks (Lifer)
> All security companies make these types of posts and there is nothing new in this, no matter how scared you are. Explain where you see that? How can you have any idea based on what they "reveal"? PDF exploits are certainly not new, which is what they mean by "initiates infection"; ads being used for redirection until fixed is also not new. So old "threat", more of the same, and the real one is not JavaScript as you seem to think but PDF-based, and so it would be rather useful to know what versions are targeted or were, since this is an old "discovery".

I know what they reveal because I take malware apart down to the byte code. I use reports from organizations as a news item for something I may not have seen. Then I take it apart myself to see if what they are claiming is true or unique.

> If I am malware material, you are the type the security industry loves, but there is not really much security in eating old info up just because it comes from them. Many posts have been written since then, so why not get scared over more current events? Or change tactic and be critical of scaremongering? At least require sufficient info to evaluate what they are talking about.

As I said above, I do not just take their word for it. I have over 1,900 pieces of malware in my collection, many of which I have broken down to byte code. I rarely post about everyday reports, but when I see something unique I post about it.

> In case you missed their real point, it is to show Avast caught JavaScript helping infection = argument for their HTTP scanner or simply Avast. End of story. Or caught the example they chose to publish is probably more correct. Pretty obvious what they are up to - Avira, Kaspersky etc. do exactly the same thing. They don't show off failures! So you always get the story of mighty dangers vs. perfect product regardless of brand and type of infection.

I don't care what their PR says. Like I said, I use what they report as a tip that there might be something new, then I check it for myself. Your cynical approach that all reports are just to sell more software is what malware creators love.
 

Modelworks (Lifer)
> Malicious scripts, whether in malicious ad banners, in malicious sites themselves, or in hacked normally-safe sites, have been a commonplace threat for years.

I agree they have been. The difference here is the scripts originate from the ad service itself, not in a site. It isn't so much the actual script but the way it is being distributed. Also, in the past they required that a person clicked the ad to initiate the infection. The way this method works, it doesn't require clicking, just loading.

mechBgon (Super Moderator, Elite Member)
> I agree they have been. The difference here is the scripts originate from the ad service itself, not in a site. It isn't so much the actual script but the way it is being distributed. Also, in the past they required that a person clicked the ad to initiate the infection. The way this method works, it doesn't require clicking, just loading.

That's actually not new, though; you can find numerous examples of rigged "full-auto" ad banners if you go back through the last few years of this lady's security blog, she specializes in hunting and reporting on them. Random example: link

I think the message everyone should take home from it all, is that normally-safe sites can be rendered unsafe if their advertising partner got hoodwinked into carrying malvertisements, as well as if the site itself has become hacked (also quite commonplace). So it's best to have defense-in-depth. I suggest starting with a non-Admin user account for daily browsing, and have some additional suggestions here for Windows XP/Vista/7 users.
 

VirtualLarry (No Lifer)
I still don't see what the exploit actually is. As far as I know, unless the security model is broken, JS cannot execute or launch native code, which is required to infect the OS. So what is actually happening here? What is the secondary infection vector? Or is this a case of a certain JS sandbox having a security hole?
 

mjrpes3 (Golden Member)
> I still don't see what the exploit actually is. As far as I know, unless the security model is broken, JS cannot execute or launch native code, which is required to infect the OS. So what is actually happening here? What is the secondary infection vector? Or is this a case of a certain JS sandbox having a security hole?

The JS is used to probe the browser environment and see if there are any vulnerabilities; these could exist in the browser itself or in extensions like Flash, the Java runtime, PDF, etc. The JS is able to detect the version of the software and install the malware if a vulnerability is found. Look at the Fiesta exploit pack to get an example of the number of vulnerabilities available:

http://www.prevx.com/blog/107/Fiesta---Monitoring-ITW-exploit.html

The JS will take advantage of new exploits quickly, like they are probably already doing with the one just found in Firefox:

http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/

I got hit by this in January. I was looking up a programming question I had on Google and visited a bad site apparently. Got "drive-by" malware installed and had to do a reinstall because it infected so well. I had no way of avoiding the malware; just by visiting the site I was infected. Investigating some more, it looks like I got hit because I had the Microsoft .NET add-on installed in Firefox:

http://blogs.zdnet.com/security/?p=4614

This is the real deal, and anyone who doesn't take care is going to get hit sooner or later. The malware writers update their stuff to take advantage of exploits as soon as they are found. Ensure that you have only the most critical of extensions installed (screw those effing PDF add-ons), use utilities like AdBlock or Flashblock if you can, and make sure that the browser and any add-ons are always up to date.
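mjrpes3's description of the probing stage, written out as an added example by the editor (not code from the thread, from the Fiesta write-up or from Mozilla): the script enumerates navigator.plugins, pulls version numbers out of the name and description strings, and compares them against a table. An exploit kit uses that comparison to pick a payload; the same logic, run by a site owner or as a bookmarklet, reports which plugins are below a chosen floor instead. The version floors in MIN_VERSION, the description patterns in FAMILIES and the sample plugin list are constructed for illustration and are not a statement about which versions were exploited.

```javascript
"use strict";

// Placeholder policy: the lowest plugin version the operator still accepts.
// Assumed numbers for the example; real floors come from vendor advisories.
const MIN_VERSION = {
  flash: [10, 0, 45],
  reader: [9, 3, 0],
  java: [1, 6, 0, 18],
};

// How each plugin family announces itself in navigator.plugins. The patterns
// are modelled on typical Firefox 3.x description strings (assumption).
const FAMILIES = [
  { key: "flash", name: /Shockwave Flash/i, version: /(\d+)\.(\d+)(?:\s*r(\d+))?/ },
  { key: "reader", name: /Adobe (?:Acrobat|PDF)/i, version: /(\d+)\.(\d+)\.(\d+)/ },
  { key: "java", name: /Java/i, version: /(\d+)\.(\d+)\.(\d+)(?:_(\d+))?/ },
];

// Extracts the numeric components matched by a family's version pattern,
// e.g. "Shockwave Flash 10.0 r32" -> [10, 0, 32]. Returns null if absent.
function parseVersion(text, re) {
  const m = re.exec(text);
  if (!m) return null;
  return m.slice(1).filter((x) => x !== undefined).map(Number);
}

// Lexicographic compare of numeric version arrays; missing parts count as 0.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// plugins: array of {name, description}, the shape navigator.plugins exposes.
// Returns one record per recognised plugin with its parsed version and
// whether it sits below the operator's floor. Unrecognised plugins are skipped,
// exactly as a kit ignores plugins it has no exploit for.
function auditPlugins(plugins) {
  const report = [];
  for (const p of plugins) {
    for (const fam of FAMILIES) {
      if (!fam.name.test(p.name) && !fam.name.test(p.description)) continue;
      const version = parseVersion(p.description, fam.version) || parseVersion(p.name, fam.version);
      report.push({
        family: fam.key,
        name: p.name,
        version,
        stale: version !== null && compareVersions(version, MIN_VERSION[fam.key]) < 0,
      });
      break;
    }
  }
  return report;
}

// Just the family keys that fall below the floor; this is the decision an
// exploit kit branches on.
function staleFamilies(plugins) {
  return auditPlugins(plugins).filter((r) => r.stale).map((r) => r.family);
}

// Constructed sample resembling a 2010-era Firefox plugin list.
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", description: "Shockwave Flash 10.0 r32" },
  { name: "Adobe Acrobat", description: "Adobe PDF Plug-In For Firefox and Netscape 9.3.0" },
  { name: "Java(TM) Platform SE 6 U17", description: "Next Generation Java Plug-in 1.6.0_17 for Mozilla browsers" },
  { name: "QuickTime Plug-in 7.6.4", description: "The QuickTime Plugin allows you to view a wide variety of multimedia content" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditPlugins(SAMPLE_PLUGINS), null, 2));
  console.log("below floor:", staleFamilies(SAMPLE_PLUGINS));
}
// In a browser: staleFamilies(Array.from(navigator.plugins))
```

Under node the sample reports Flash and Java below the floor and Reader at it; QuickTime has no family entry and is ignored. The point for defenders is that nothing here needs a browser bug: version strings are handed out freely, so the only durable answers are the ones the thread already names, keeping the plugins patched or not loading them for untrusted content at all.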

tzdk (Member)
Are you talking about malware-manufactured JavaScript code? If so, I don't think that is correct. As http://browserspy.dk/ shows, probing is everywhere. A feature, not a bug. Marketing people are the experts in this field.

http://blog.washingtonpost.com/securityfix/2006/07/myspace_ad_served_adware_to_mo.html is one of the reasons it would be useful to see stats about which versions of whatever are actually affected. Details or it did not happen. As with a recent BSOD update from Microsoft, I think even Conficker, events like this can be presented in more than one way. The headline could also be "Stupidity". What is left to worry about for those who have done all the right things, do not mess up, do not use warez etc. is the real question. There would be fewer security companies if the majority did not screw up, that is for sure. Saying a child can compute safely in 2010 is as much a fact as EVERYONE will get in trouble. Unless you really would prefer an offline Linux machine, there is a risk about computing. Don't forget to check up on "Windows" at Secunia, btw. Question is if you get much further! You can also get run over next time you go for a walk. Shit happens, but freaking out is not a solution. You trust those who drive cars, you have to.
 

mechBgon (Super Moderator, Elite Member)
> Got "drive-by" malware installed and had to do a reinstall because it infected so well. I had no way of avoiding the malware; just by visiting the site I was infected.

Based on firsthand experience with sites that use attack suites, I'd bet a low-rights account with SRP would've dealt with it beautifully. Or even a low-rights account alone, actually.
 

Anubis (No Lifer)
> It looks like a HOSTS file, AdBlock Plus and limiting plugins with NoScript (both Firefox add-ons) would prevent infection.
>
> Even if the above didn't protect, a sandbox-type program would contain the malware. A HIPS program or anti-executable should also be able to stop the malware from running once downloaded.

I love my HOSTS file, all 70000 lines of it