Today I want to write a non-technical article about malvertising in the adult world.
I have been following malvertising in the adult world since the rise of Fake Police Ransomware in France, which has probably been one of the biggest threats of the last 3 years.
(My English is not very good, so if you notice any confusing sentence, please contact me.)
Malvertising is malicious advertising; its main goal is to redirect visitors to malicious content, most of the time an Exploit Kit, but sometimes it can be a fake antivirus alert page that tries to get the visitor to run a malicious executable.
Malvertising is interesting for hackers and traffers because it offers many advantages:
- High traffic: if they are able to place a malvertising on a website or advert network with high traffic, it's the jackpot.
- More discreet: malvertising is more discreet and harder to trace than the usual hack that adds iframes. You need some tools (Fiddler captures etc.) to trace it and some luck to catch it. It can be hell for a webmaster to reproduce the malicious redirection and contact the ads company to find it and get it pulled. Also, it's easier to include filtering mechanisms on the server side.
Malvertising allows malicious redirections to run for a long time without being noticed.
(It seems now that threats like Darkleech offer the same advantages.)
There are two kinds of malvertising:
- SWF banners that redirect via ActionScript: Trojan.SWF.Redirector
- Fake adult porn popups: redirection by a 302, by an iframe or by a SWF banner.
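As an added example (not code from the original post), here is a small Python triage helper a webmaster could run over captured ad responses to pick out the three redirection methods listed above: an HTTP 302, an injected iframe, or URL targets embedded in an ActionScript SWF banner. The hostnames and captures are constructed samples; a zlib-compressed (CWS) SWF is decompressed before its URL strings are searched.

```python
import re
import struct
import zlib
from urllib.parse import urlparse

# URL literals in a decompressed SWF: ActionScript getURL/navigateToURL targets are stored as plain strings
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
# src attribute of any <iframe> in an HTML ad creative
IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc=[\"']([^\"']+)", re.I)

def swf_body(data):
    """Tag stream of an SWF (FWS = raw, CWS = zlib after the 8-byte header), or None if not an SWF."""
    if len(data) < 8:
        return None
    if data[:3] == b"FWS":
        return data[8:]
    if data[:3] == b"CWS":
        return zlib.decompress(data[8:])
    return None  # ZWS (LZMA-compressed) is not handled here

def off_site(url, site_host):
    host = urlparse(url).hostname  # target host differs from the site serving the ad slot?
    return bool(host) and host.lower() != site_host.lower()

def triage(site_host, status, headers, body):
    """Return (method, target) pairs for every off-site redirection in one captured ad response."""
    found = []
    location = headers.get("Location")
    if status in (301, 302, 303, 307, 308) and location:
        found.append(("http-redirect", location))
    swf = swf_body(body)
    if swf is not None:
        for raw in sorted(set(URL_RE.findall(swf))):
            found.append(("swf-actionscript", raw.decode("ascii", "replace")))
    else:
        for src in IFRAME_RE.findall(body.decode("utf-8", "replace")):
            found.append(("iframe", src))
    return [(m, t) for m, t in found if off_site(t, site_host)]

# Constructed sample captures (not real traffic); the site serving the ad slot is ads.site.example
SITE = "ads.site.example"
SAMPLE_302 = (302, {"Location": "http://tds.constructed.example/rotate.php?id=3"}, b"")
SAMPLE_IFRAME = (200, {}, b'<div><iframe src="http://ek.constructed.example/landing.php" width=1 height=1></iframe></div>')
_AS = b"\x00getURL\x00http://ek.constructed.example/go.php\x00http://ads.site.example/banner.png\x00"
SAMPLE_SWF = (200, {}, b"CWS\x0a" + struct.pack("<I", 8 + len(_AS)) + zlib.compress(_AS))

def sample_findings():
    """Triage the three constructed captures; each yields exactly one off-site target."""
    return [triage(SITE, *sample) for sample in (SAMPLE_302, SAMPLE_IFRAME, SAMPLE_SWF)]
```

A same-site URL such as the banner image inside the SWF is dropped, so only targets leaving the serving site are reported.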
History of Fake Police Ransomware malvertising
Malvertising is very old; the first ones probably appeared around 2008/2009.
In 2009, the New York Times website was hit by one.
In France, a massive campaign began at the end of 2011 for the scareware Security Tool. On removal forums, threads about this scareware popped up, very scary.
Then the first Fake Police Ransomwares appeared, around November 2011.
Fake Police Ransomwares have been linked to massive malvertising on adult/warez websites in the last years.
Those ransomwares use psychological attacks to make visitors feel guilty when they visit this kind of website.
Here is the history in France (it is probably quite different for US users, I believe) of these links between mass malvertising and Fake Police Ransomwares.
My first write-up about Fake Police Ransomware, and the malvertising was on…… the Clicksor network!
The fake page was in French but pretended to be the German Police.
Then we got:
The traffic for those malvertisings was good and higher than for the usual threats.
In December 2011, it was higher: a malvertising on the videobb website was placed via the adserve network.
Videobb was a very popular streaming website in France used to watch illegal movies (like megasearch, for example).
About this malvertising, see: http://www.malekal.com/2011/12/13/malvertising-asrvstatsmanager-com-droppe-malware-via-videobb-et-adserve-com/
Hackers used a TDS to redirect to the Exploit Kit, and we were able to get the statistics: http://www.malekal.com/2011/12/14/a-propos-du-rotator-du-virus-gendarmerie/
In 2012 and the following years, new Fake Police Ransomware families appeared, rose and declined, more professional, more powerful.
Example of the latest skins (Urausy one):
Below, the statistics about my Fake Police Ransomware page.
As you can see, the peak in France was in March 2012, then it decreased, but that does not mean they disappeared.
It seems they targeted other countries.
1.3 billion unique views on the page over 2 years.
600k unique views on the page between January 2012 and June 2012:
The most prevalent Fake Police Ransomwares, trying to sort them by time:
- March 2012: Gimeno / Gema – Virus Sacem – probably most present in France and Germany – used adf.ly malvertising to spread. About Gema, I heard that the author was arrested.
- Middle of 2012: Weelsof – http://www.malekal.com/2012/06/12/ransomware-win32weelsof-via-malvertising-plugrush-com/ and http://www.malekal.com/2012/07/03/malvertising-samsung-virus-gendarmerie-controle-automatique-informationnel-trweelsof/
- Tobfy: targets the USA, so I don't know much about this one.
- Cbeplay.B: http://www.malekal.com/2013/09/22/en-cbeplay-p-malvertising-via-hornyspots/
- Casier / Trojan.Matsnu / Rannoh: http://www.malekal.com/2012/07/10/trojan-trustezeb-ransomware-virus-coder-de-windows/
- Urausy: malvertising for Urausy – also spread by a Fake Codec affiliation program.
- Nymaim: peak around April 2013: http://www.malekal.com/2013/04/11/ransomware-office-centrale-de-la-lutte-contre-la-criminalite-variante-3-nymaim/
- Flimrans: peak around May 2013: http://www.malekal.com/2013/05/29/en-ero-advertising-malvertising-for-flimrans-ransomware-campaign/
- Kovter: not targeting France, so I also don't know much about it.
- Browlock Ransomware appears (July 2013).
- DirtyDecrypt / Revoyem (July / August 2013): http://www.malekal.com/2013/08/08/dirdecrypt-malvertising-trafficholder/
In the middle of 2012, there were many, many different families; in the beginning of 2013, most of them disappeared.
Only Reveton and Urausy survived; Kovter, Flimrans and Nymaim appeared. They are still in the wild.
Microsoft wrote something about those Fake Police Ransomwares: http://blogs.technet.com/b/security/archive/2013/11/19/ransomware-is-on-the-rise-especially-in-europe.aspx
As you can see, the two best competitors are Reveton and Urausy.
The others are lower, except maybe Kovter: it was able to get high-traffic networks at the end of 2013 (TrafficHaus, Twr12 etc.) and came back at the beginning of 2014. I guess antivirus misses it.
I also heard that the Urausy affiliation stopped in December 2013 – they lost the malvertising on pornerbros in November, which was probably the last hit.
So, I guess Kovter is now the second best competitor.
The big one is still Reveton.
Browlock is also big – Symantec wrote something about it with some statistics: http://www.symantec.com/connect/blogs/massive-malvertising-campaign-leads-browser-locking-ransomware
About Reveton malvertising, there are two groups: the K!NG group, which is also involved in Browlock malvertising, and another group I called "group goo.gl" (they use goo.gl as a rotator to redirect to Angler EK) – see the EDITs of November 15 and November 24: http://www.malekal.com/2013/10/14/reveton-malvertising-campaign/.
- Urausy: modifies the Shell registry key to load a .dat file in %APPDATA% – example: http://www.malekal.com/wp-content/uploads/Urausy.png
- Reveton: loads a DLL from a startup lnk – example: http://www.malekal.com/wp-content/uploads/Reveton_Urausy_Skin2.png Some variants also modify the winmgmt service key.
How to submit malvertising?
How does it work in the background?
Here are some ways to place malvertising.
The first way is to hack an advertising company server or a porn website and then buy ads for it to increase the traffic to the infected webpage.
For example, at the end of this page: http://www.malekal.com/2013/10/14/reveton-malvertising-campaign/
you can see a hack on the trafficholder OpenX server to redirect users to malicious content.
On this topic, a page from an adult website was hacked: http://www.malekal.com/2013/10/16/sunporno-hack-advert-by-plugrush/ then ads were created for this page to increase the traffic.
But this is not the main way.
Fake ads companies and abusing adult webmasters
The most common way is to build a fake ads company.
Below some examples with the K!NG ones: creoads and ad-media
or ads.zazazizoo.com:
Kovter malvertising:
In the name of those fake ads companies, you can contact adult webmasters to get a slot.
This is also what happened with MegoAds in 2012: http://www.malekal.com/2012/11/20/en-megoads-fake-advertising-for-porn-websites/
Most of the time, they target the same websites with high traffic; that's why the same websites are hit by malvertising.
Most webmasters don't think that a SWF can be malicious because they don't even know about malvertising.
Malware guys abuse webmasters – the recommendation for webmasters is to use big ads companies, which decreases the risk of problems.
Technical articles about malicious SWF:
- http://www.j-ro.me/swf-malware-analysis-oct13.html (en)
- http://forum.malekal.com/analyser-une-animation-flash-malveillante-malvertising-t45190.html (fr)
Some abused websites:
Alotporn: http://www.malekal.com/2013/09/17/en-reveton-malvertising-on-alotporn-com/
x3xtube: http://www.malekal.com/2013/01/09/malvertising-adultmediatoys-com-double-exploit-kit/
and others that I didn't blog about and got by email.
Also, the payout for malvertising is higher than for usual advertising, so some webmasters are tempted to close their eyes to this and get fast cash.
After you have got some adult websites as references, you can knock at the door of an advertising network.
They can also submit malvertising directly to an advertising network.
The account manager checks it, and once validated, the traffer enables the malicious redirection.
Another way, for the PlugRush and Trafficholder networks, is to buy domains that are already validated by them.
Below some malvertisings in ads networks – every adult ads network has been targeted at least once.
The latest malvertisings are not blogged; I'm thinking of directrevenue (Browlock) and the clickpapa network (ad-media and group goo.gl).
(Most of the topics are in French – sorry.)
- Reveton malvertising – main topic: http://www.malekal.com/2013/10/14/reveton-malvertising-campaign/
- Urausy malvertising – main topic: http://www.malekal.com/2013/07/31/en-urausy-adultfriendzfinder-malvertising-banner/
+ pornerbros topics:
xvideos / TrafficFactory:
http://www.malekal.com/2013/02/04/en-adf-ly-malvertising-leads-to-gamarue-trojan/ (Gamarue Trojan – so not Fake Police Ransomware)
(Also targeted by Reveton, but I didn't blog it.)
Clicksor: *no comment*
And now in 2014?
I now have contact with most of the ads networks (and also antivirus vendors) and am working with them to clean up their networks as much as possible.
I think Reveton got hurt, and now it's more difficult for traffers to submit their malvertisings.
Some got frustrated:
- August 2013 – I got a joe job against my website: http://www.malekal.com/2013/08/01/email-spam-pour-malekal-com/ – http://blog.dynamoo.com/2013/08/malekalcom-joe-job.html
- then a Cookiebomb to redirect also to my website: http://www.malekal.com/2013/08/12/en-reveton-go-now-by-hacked-website/
- After that, at the end of 2013, some ads networks were DoSed – ero-advertising example:
It's probably K!NG involved in this – according to this topic, gfy.com was also DoSed: http://gfy.com/showthread.php?t=1130077 (be careful, porn pics in this thread).
and my websites too in December:
According to Symantec, the Browlock detections decreased: https://twitter.com/threatintel/status/420211850202996736
K!NG's Reveton malvertising was pulled, so at the end of 2013 he tried to place Browlock ones.
Now, I hope to see a decrease of Reveton in the next Microsoft SIR, with the effort of advertising companies trying to keep malvertising traffic as low as possible.