Localized malvertising affects some OpenDNS users

The Domain Name System (DNS) is the Internet's equivalent of a phone book: it translates host names (e.g. malwarebytes.org) into IP addresses (e.g. 184.173.97.192) so that systems can find and talk to each other.

Without DNS, we would have to type an IP address by hand each time we wanted to visit a website.

Most Internet Service Providers, as well as companies such as Google, operate public resolvers. On top of name resolution, some DNS services also filter out known malicious or phishing domains and offer additional security and speed improvements.

OpenDNS, a very popular DNS resolution service with over 50 million active users, experienced a malvertising (malicious ads) incident that affected a portion of its user base.

The problem was first spotted by French security researcher Malekal:

Malekal was kind enough to share the traffic capture with me so that we can better understand how this happened.

When a site cannot be resolved, OpenDNS serves an ad-supported page where the user can search for similar sites, and so on:

adsupported

(On a side note, the second ad from the top for the Tech Support service links to computemyPC, a company involved in tech support scams.)
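The ad-supported page is the visible side of NXDOMAIN rewriting: for a name that does not exist, the resolver returns an A record pointing at its own landing page instead of the NXDOMAIN error. A quick way to tell whether the resolver you are using does this is to query a name that cannot exist and look at what comes back. The Python probe below is an added example, not code from the original post: it builds the query, parses the reply and classifies it. The two replies it is checked against are constructed here, and 192.0.2.1 is a documentation address standing in for a landing-page IP; probe_resolver() sends the same probe to a real resolver and needs network access.

```python
import random
import socket
import string
import struct


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ended by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard A/IN query with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def random_probe_name() -> str:
    # ".invalid" is reserved (RFC 2606) and must never resolve, so any A record
    # returned for it was manufactured by the resolver.
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(12)) + ".invalid"


def parse_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def parse_response(msg: bytes) -> dict:
    """Header fields plus the answer section (A records rendered dotted-quad)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        value = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, value, ttl))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def build_response(query: bytes, rcode: int, a_records) -> bytes:
    """Constructed resolver reply for the sample above (not captured traffic)."""
    txid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, qd, len(a_records), 0, 0)
    # Each answer names the question via a pointer to offset 12 (0xC00C).
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
                   for ip in a_records)
    return header + question + rrs


def classify_probe(response: bytes) -> str:
    """What the resolver did with a name that cannot exist."""
    r = parse_response(response)
    a_records = [x for x in r["answers"] if x[1] == 1]
    if r["rcode"] == 3 and not a_records:
        return "honest"        # NXDOMAIN, as it should be
    if r["rcode"] == 0 and a_records:
        return "rewritten"     # NOERROR plus an address: landing-page redirection
    return "other"


def probe_resolver(server: str, timeout: float = 3.0) -> str:
    """Live check (needs network): send the probe to a resolver and classify the reply."""
    q = build_query(random_probe_name())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return classify_probe(s.recv(512))


if __name__ == "__main__":
    q = build_query("abc123.invalid")
    print("honest resolver   ->", classify_probe(build_response(q, 3, [])))
    print("rewriting resolver->", classify_probe(build_response(q, 0, ["192.0.2.1"])))
```

Run probe_resolver("<resolver IP>") against the resolver configured on a machine to see which behaviour it gets; enterprise or filtering services may legitimately return an address for blocked names, so treat "rewritten" as a prompt to look at what the returned page serves rather than as a verdict on its own.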

Where there are ads, there will be malvertising.

The malvertising attack can be summarized in the diagram below:

diagram2

Let’s take a deeper look at each URL involved in this infection.

#1 http://www.website-unavailable[dot]com/main?wc=EWJvGQlmBRNEGxVwAxYBFBc%3D&url=sexy.exgfs.com%2Fpics%2Famateur-exgirlfriends%2F%3Fdiscount%3D2045028&ref=http%3A%2F%2Fsecrethomesex.com%2F&w=971&h=514&ifc=0

mainad

The code responsible for the ad circled in red is shown below:

ad

#2 http://ads[dot]rubiconproject[dot]com/ad/9037.js loads:

#3 http://optimized-by[dot]rubiconproject[dot]com/a/9037/15225/61137-2.js?&cb=0.9430403284420199&tk_st=1&tk_sf=1&rp_s=c&p_exp=1&p_pos=atf&p_screen_res=1024×768

malvertising5

#4 http://tap2-cdn[dot]rubiconproject[dot]com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=9037/15225&geo=eu&co=de

malvertising4

#5 http://ads[dot]heias[dot]com/x/heias.TAG.v2.0/tag.php?H_VAR=h_ref|;|http%3A%2F%2Fwww.opendns.com{redacted}

malvertising3

#6 http://ad2[dot]adfarm1[dot]adition[dot]com/banner?sid=2502427&adjsver=3&co=1&fvers=10&iframe=0&ref=http%3A//www.website-unavailable.com{redacted}

malvertising2

#7 http://ad[dot]123-template[dot]com/www/delivery/ajs.php?zoneid=4&cb=40468151097&charset=utf-8&loc=http%3A//www.website-unavailable.com/{redacted}

malvertising

#8 http://spring[dot]freeconcealedcarrymagazine[dot]com/scripts/js/core.js?ver=3.71.2396

infectedsite

#9 Exploit kit

Exploit landing page: http://zcrnm8[dot]goalmedal[dot]pw/dN6-8f3bfead-77f4f8M44-c24-ea4ab_bQ1-c_f57.html

Java exploit: http://zcrnm8[dot]goalmedal[dot]pw/4030722763/1391145360.jar

Binary 1 (VT results): http://zcrnm8[dot]goalmedal[dot]pw/f/1391145360/4030722763/2

Binary 2 (VT results): http://zcrnm8[dot]goalmedal[dot]pw/f/1391145360/4030722763/2/2

Malvertising is rarely straightforward: it usually involves multiple intermediaries, which is why it is so hard to spot and prevent.

The more ad networks are involved, the greater the chance that a malicious ad slips through. It is easy to see how the initial client (in this case OpenDNS) may be completely unaware of dubious or malicious networks further downstream.

In fact the first ad is served by the Rubicon Project, which is known for its attention to and care against malvertising. The problem is the chain of successive ad networks, where it only takes one to turn things sour:

  • ads.heias.com
  • ad2.adfarm1.adition.com
  • ad.123-template.com
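A traffic capture is what makes a chain like this reconstructible. The Python script below is an added example, not code from the original post or from any of the parties named: it rebuilds the redirection chain from a proxy-style log by walking Referer values back from the payload fetch, then scores the chain by hop count, distinct registered domains, whether a Java archive and then a binary were fetched, and how late the landing domain first appears. The log lines, content types and Referer values are constructed to mirror the chain above (query strings dropped, "[dot]" defanging kept); entry 6 deliberately carries only a host-level Referer to exercise the fallback. In real captures, resources loaded inside iframes often carry the top document as Referer, so the host-level fallback is a best effort and initiator data from an instrumented browser is more reliable.

```python
import re
from urllib.parse import urlparse

# Constructed log modelled on the chain in the post. Fields: seq|url|referer|content-type
LOG = """\
1|http://www.website-unavailable[dot]com/main|-|text/html
2|http://ads[dot]rubiconproject[dot]com/ad/9037.js|http://www.website-unavailable[dot]com/main|application/javascript
3|http://optimized-by[dot]rubiconproject[dot]com/a/9037/15225/61137-2.js|http://ads[dot]rubiconproject[dot]com/ad/9037.js|application/javascript
4|http://tap2-cdn[dot]rubiconproject[dot]com/partner/scripts/rubicon/emily.html|http://optimized-by[dot]rubiconproject[dot]com/a/9037/15225/61137-2.js|text/html
5|http://ads[dot]heias[dot]com/x/heias.TAG.v2.0/tag.php|http://tap2-cdn[dot]rubiconproject[dot]com/partner/scripts/rubicon/emily.html|application/javascript
6|http://ad2[dot]adfarm1[dot]adition[dot]com/banner|http://ads[dot]heias[dot]com/|application/javascript
7|http://ad[dot]123-template[dot]com/www/delivery/ajs.php|http://ad2[dot]adfarm1[dot]adition[dot]com/banner|application/javascript
8|http://spring[dot]freeconcealedcarrymagazine[dot]com/scripts/js/core.js|http://ad[dot]123-template[dot]com/www/delivery/ajs.php|application/javascript
9|http://zcrnm8[dot]goalmedal[dot]pw/dN6-8f3bfead-77f4f8M44-c24-ea4ab_bQ1-c_f57.html|http://spring[dot]freeconcealedcarrymagazine[dot]com/scripts/js/core.js|text/html
10|http://zcrnm8[dot]goalmedal[dot]pw/4030722763/1391145360.jar|http://zcrnm8[dot]goalmedal[dot]pw/dN6-8f3bfead-77f4f8M44-c24-ea4ab_bQ1-c_f57.html|application/java-archive
11|http://zcrnm8[dot]goalmedal[dot]pw/f/1391145360/4030722763/2|http://zcrnm8[dot]goalmedal[dot]pw/4030722763/1391145360.jar|application/octet-stream
"""

HEXISH = re.compile(r"[0-9a-f]{8,}")   # long hex/digit runs typical of exploit-kit paths


def refang(s: str) -> str:
    """Undo the [dot] defanging used in write-ups so URLs parse normally."""
    return s.replace("[dot]", ".")


def registered_domain(host: str) -> str:
    # Naive eTLD+1 (last two labels). A real tool should consult the Public
    # Suffix List; this is enough for the .com/.pw hosts in the sample.
    return ".".join(host.split(".")[-2:])


def parse_log(text: str):
    entries = []
    for line in text.strip().splitlines():
        seq, url, ref, ctype = line.split("|")
        url = refang(url)
        entries.append({"seq": int(seq), "url": url, "ctype": ctype,
                        "referer": None if ref == "-" else refang(ref),
                        "host": urlparse(url).hostname})
    return entries


def reconstruct_chain(entries, terminal_seq):
    """Walk Referer values backwards from the terminal request to the root."""
    cur = next(e for e in entries if e["seq"] == terminal_seq)
    chain = [cur]
    while cur["referer"]:
        earlier = [e for e in entries if e["seq"] < cur["seq"]]
        exact = [e for e in earlier if e["url"] == cur["referer"]]
        if exact:
            nxt = exact[-1]
        else:
            # Referer is often cut down to the origin; fall back to the most
            # recent earlier request from the same host.
            ref_host = urlparse(cur["referer"]).hostname
            same_host = [e for e in earlier if e["host"] == ref_host]
            if not same_host:
                break
            nxt = same_host[-1]
        chain.append(nxt)
        cur = nxt
    chain.reverse()
    return chain


def is_jar(e) -> bool:
    return e["ctype"] == "application/java-archive" or urlparse(e["url"]).path.endswith(".jar")


def assess_chain(chain) -> dict:
    """Hop count, distinct registered domains and payload indicators for a chain."""
    domains = []
    for e in chain:
        d = registered_domain(e["host"])
        if d not in domains:
            domains.append(d)
    flags = []
    jar_idx = next((i for i, e in enumerate(chain) if is_jar(e)), None)
    if jar_idx is not None:
        flags.append("java archive fetched")
        if any(e["ctype"] == "application/octet-stream" for e in chain[jar_idx + 1:]):
            flags.append("binary fetched after java archive")
    if any(HEXISH.search(urlparse(e["url"]).path.lower()) for e in chain):
        flags.append("hex-like path token")
    terminal = registered_domain(chain[-1]["host"])
    first_seen = next(i for i, e in enumerate(chain) if registered_domain(e["host"]) == terminal)
    return {"hops": len(chain), "domains": domains, "terminal": terminal,
            "terminal_first_hop": first_seen, "flags": flags}


if __name__ == "__main__":
    chain = reconstruct_chain(parse_log(LOG), 11)
    for i, e in enumerate(chain, 1):
        print(f"#{i:<2} {e['host']:<45} {e['ctype']}")
    print(assess_chain(chain))
```

The score is deliberately a set of indicators rather than a verdict: a long chain through many ad domains is normal for real-time bidding, but a chain whose last domain appears only at the tail and immediately serves a .jar followed by an octet-stream is the shape of the exploit-kit hand-off described above and is worth pivoting on in the capture.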

This attack appears to have affected only certain countries, with Germany being one of them.

Shortly after Malekal reported the malvertising issue to OpenDNS, the problem appeared to have been taken care of.

Prompt reactions are crucial, and we know for a fact how hard it can sometimes be to get ad networks, or even compromised sites, to roll out an immediate fix.

A radical solution to malvertising would be to remove all ads from the websites we visit. However, this is not a realistic solution because advertising is the main source of revenue for website owners.

This is why, if you use an ad-blocker utility, you may find yourself blocked by many webmasters who refuse such visitors.

While there are some good and bad practices when it comes to ad management, the malvertising problem is here to stay.

Special thanks to Malekal for his help on this. Feel free to check out his site for more coverage on malvertising and other threats.

Jérôme Segura @jeromesegura

3 thoughts on “Localized malvertising affects some OpenDNS users”

  1. David Ulevitch says on February 3, 2014 at 12:03 pm:

    I’m David, the CEO / Founder of OpenDNS. Over the years, as we’ve become more of a security company, and more enterprise-focused, we’ve shifted away from ad revenue as a primary source of income for the company. We’re in the final stages of turning off advertising as a revenue stream, and this is exactly why.

    We’re preparing a blog post on the subject, but our enterprise customers were protected from this two ways — one because there are no ads, and two, because we were blocking the malware drop site for enterprise users.

    The crappy thing is that our free users were potentially impacted in two ways, first because they get the ads from time to time, and second, because they don’t get the full weight of our enterprise protection. In this case, nobody was impacted that we know of — we checked and only the researcher saw the ad show up — the researcher was also probing a ton of domains against our resolvers, which is fine.

    Over the course of this year, we are taking steps to make sure this doesn’t recur in a few important ways. And it’s not just this blog post that has prompted this strategic initiative for us. See here: https://news.ycombinator.com/item?id=7049446

    We’ve been working since early last year to bring better security to consumers of our service, and to extinguish the small remaining bits of ad revenue. This is all the more reason, and has certainly helped us gather steam in that effort.

    Thanks,
    David

  2. Jerome Segura says on February 3, 2014 at 1:43 pm:

    Hi David,

    Thanks for your response and once again your immediate attention to this problem is very much appreciated to keep end-users safe.

    This particular case was (to me) out of the ordinary due to the fact that there are so many jumps before leading to the exploit page. It certainly shows how difficult – we could almost say near impossible – it is to control Ad networks.

    It is great news to hear that you will be phasing out the ads for the free OpenDNS users! It is a great service that offers speed and additional protection and I would certainly recommend it.

    Regards,
    Jérôme S.

  3. Gregory Estrada says on June 29, 2014 at 1:50 am:

    I don’t use OpenDNS, but a Google search regarding rubiconproject and malware returned this page. Thanks for this informative post. My machine locked up and taskmgr, explorer.exe (the win32 shell), my Chrome browser and the mouse cursor are all stuck and not responding… nothing can be done; even waiting for 4 mins didn’t work, only the reset / power button can escape the freeze. Further digging in my logs, firewall etc. leads to rubiconproject. Didn’t have a BSOD, just a freeze requiring pressing the power button. I have a feeling rubiconproject tried to drop malware, but I have DEP enabled and a restricted account.

    Some pages complaining about Rubicon Project were flagged as unsafe and others were removed, something fishy. Is rubiconproject a project of some secret three-letter agency?

    p.s. (sorry can’t reproduce the random ad of a specific website so didn’t capture packets with wireshark)
