Monetizing by serving ads has been the business model lately by most know sites like facebook, twitter, google, msn.com and various other websites. However there is a dark ecosystem in which these ads are either hijacked or compromise user accounts to server malware. A similar issue was seen by Bromium Labs and has been reported to Google.
YouTube In-Stream Ads were redirecting users to malicious websites, hosting the ‘Styx Exploit Kit‘ and was exploiting client side vulnerabilities by drive-by-download attack to infect users’ computer withCaphaw Banking Trojan.
The Exploitation process relied upon a Java vulnerability (CVE-2013-2460) and after getting dropped into the target computer system, the malware detects the Java version installed on the operating system and based upon it requests the suitable exploit. The investigation has revealed that the banking malware uses Domain Generation Algorithm (DGA) for communicating with Command and Control server (C&C) hoted in Europe.
Typically the infection involved the below behavior of the user.
- User watches a YouTube video
- User sees a thumbnail of another video (*.JPG)
- User clicks on the thumbnail and watches the video. In the background the user gets redirected to a malicious ad served by Googleads (*.doubleclick.net)
- Malware redirects the user to ‘foulpapers.com’
- Foulpapers.com iframes the aecua.nl
- aecua.nl delivers the exploit (in our case it was Styx exploit kit)
Details of this issue is available from Bromium labs
