Hidden risks of advertisements

Doina Cosovan (Security Scorecard) & Cătălin Liță (Security Scorecard)

Adware is everywhere. Mobile applications are widely used and most of them, especially the free ones, embed adware software development kits (SDKs). Web browsing frequently exposes users to adware, as well.

There are several ways in which adware infrastructure can become sinkholable. First, adware developers may let their hard-coded domains expire. Second, they may use wrong domains, whether intentionally or by mistake. Third, some adware SDKs have started to use domain generation algorithms (DGAs) as a fallback for their hard-coded domains. This appears to be an attempt to bypass ad blockers that have blacklisted the hard-coded domains. In that last case, using an ad blocker actually makes the user less safe: it pushes the client onto sinkholable DGA domains, which may be under an attacker's control.

This presentation / paper focuses on analysing the security risks involved when adware infrastructure can be sinkholed. First, an attacker can passively gather, for later use, personally identifiable information about both the users and the advertisers. Second, an attacker can actively serve specially crafted advertisements, including malvertising, in order to exploit and infect the contacting systems.

We sinkholed multiple adware-related domains, but we are going to illustrate a few interesting use cases.

The first use case is an Android mobile adware with an expired hard-coded domain, contacted by more than half a million unique IP addresses daily from tens of different applications.

The second use case is a multi-platform mobile adware mediator with a fallback DGA, which is used in more than a thousand different applications and receives requests from tens of thousands of unique IP addresses (note that this counts only the IP addresses that failed to reach the hard-coded domain, not the total number of IP addresses using the mediator).

The third use case is a browser HTML5 adware player that intentionally used a non-resolving domain in order to avoid syntax errors. The developers fixed the issue a few days after we sinkholed the domain, but during those few days the sinkhole received requests from half a million unique IP addresses.

The fourth use case is an adware platform for browsers, whose domain was inserted in the SDK by the developers with a typo. It is contacted by more than two million unique IP addresses daily and is used by more than ten thousand different websites.

For one of the presented use cases, we created a proof of concept illustrating how an attacker can serve a malvertisement simply by owning an infrastructure domain. The most concerning aspects are that this happens regularly, that it affects the latest official adware platforms and SDKs, and that it affects adware with a large user base.
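The following Python script is an added illustration, not code from the paper or from any SDK it analyses. It models the two situations the abstract describes: an SDK that falls back to a DGA when its hard-coded domain is unreachable (so an ad blocker that blocks the hard-coded name steers the client onto DGA names an attacker can pre-register), and an audit of the domains embedded in an SDK for names that no longer resolve or are typo'd copies of a vendor domain. The SDK config strings, the DGA, the seed, the "known good" vendor domains and the simulated DNS zone are all constructed for the example.

```python
import hashlib
import re
from datetime import date

# Constructed sample: strings as they might appear in an adware SDK's config.
# None of these names, nor the DGA below, come from the paper or a real SDK.
SAMPLE_CONFIG = """
ad_server=ads.example-mediator.test
fallback=cdn.exmaple-mediator.test
tracker=stats.old-adnet.test
"""
SEED = "mediator-v3"            # hypothetical DGA seed baked into the SDK
DAY = date(2020, 9, 30)         # date input for the DGA

# Domains the (hypothetical) vendor actually operates; used to spot typos.
KNOWN_GOOD = ["ads.example-mediator.test", "cdn.example-mediator.test"]


def extract_domains(text):
    """Pull domain-like tokens out of an SDK config or strings dump."""
    return sorted(set(re.findall(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", text, re.I)))


def toy_dga(seed, day, count=3):
    """Illustrative fallback DGA: one name per hash of (seed, date, index).
    Anyone who knows seed and date can precompute and register these names."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()
        names.append(f"{digest[:12]}.test")
    return names


def lookup(domain, zone):
    """Simulated DNS: zone maps registered names to an IP; anything else is NXDOMAIN."""
    return zone.get(domain)


def choose_endpoint(hardcoded, zone, blocklist, seed, day):
    """Model the fallback described in the abstract: use the first hard-coded
    domain that resolves and is not blocked by the ad blocker; otherwise walk
    the day's DGA list and use the first name that resolves."""
    for d in hardcoded:
        ip = None if d in blocklist else lookup(d, zone)
        if ip:
            return d, ip, "hardcoded"
    for d in toy_dga(seed, day):
        ip = lookup(d, zone)
        if ip:
            return d, ip, "dga"
    return None, None, "unreachable"


def edit_distance(a, b):
    """Levenshtein distance, used to flag typo'd copies of a vendor domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(domains, zone, known_good):
    """Return {domain: reason} for every embedded domain that does not resolve
    and could therefore be registered (sinkholed) by a third party."""
    findings = {}
    for d in domains:
        if lookup(d, zone) is not None:
            continue
        near = [g for g in known_good if g != d and edit_distance(d, g) <= 2]
        findings[d] = f"possible typo of {near[0]}" if near else "nxdomain (expired or never registered)"
    return findings


if __name__ == "__main__":
    dga_names = toy_dga(SEED, DAY)
    # Simulated zone: the vendor's ad server plus the day's first DGA name,
    # which an attacker has registered and pointed at their own server.
    zone = {"ads.example-mediator.test": "203.0.113.10", dga_names[0]: "198.51.100.7"}
    hardcoded = ["ads.example-mediator.test"]
    print("no ad blocker  :", choose_endpoint(hardcoded, zone, set(), SEED, DAY))
    print("with ad blocker:", choose_endpoint(hardcoded, zone, set(hardcoded), SEED, DAY))
    for dom, why in audit(extract_domains(SAMPLE_CONFIG), zone, KNOWN_GOOD).items():
        print(f"sinkholable: {dom}: {why}")
```

Run with the ad blocker's blocklist empty and the client reaches the vendor's server; add the hard-coded domain to the blocklist and the same client lands on the attacker-registered DGA name. The audit flags the expired tracker domain and the typo'd fallback domain as candidates a third party could register, which is exactly the precondition for the passive data collection and malvertising described above. Against a real SDK you would replace the simulated zone with live DNS and WHOIS lookups and the toy DGA with the one recovered from the SDK.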
Doina Cosovan (Security Scorecard)

Doina Cosovan has a computer science degree. From her second year of college she worked for Bitdefender's malware research team, before joining Security Scorecard five years ago. She has presented at conferences such as Virus Bulletin, CARO and AVAR. Her interests include malware, botnets, reverse engineering and machine learning.

Cătălin Valeriu Liță (Security Scorecard)

Cătălin Valeriu Liță received a Bachelor's degree in computer science from the Technical University Gheorghe Asachi, Iași, Romania, Faculty of Automatics and Computer Science. He holds a Master's degree in information security from the Alexandru Ioan Cuza University of Iași, Faculty of Computer Science, a Master's degree in business administration from the Alexandru Ioan Cuza University of Iași, Faculty of Economics and Business Administration, and a Ph.D. in computer science from the Faculty of Computer Science. He has presented at CARO and Virus Bulletin conferences. Prior to joining Security Scorecard he worked for nine years in Bitdefender's anti-malware team.