Friday, March 18, 2016


Arse Technica - major sites serving ads spreading ransomware. Quote:

Mainstream websites, including those published by The New York Times, the BBC, MSN, and AOL, are falling victim to a new rash of malicious ads that attempt to surreptitiously install crypto ransomware and other malware on the computers of unsuspecting visitors, security firms warned.

The tainted ads may have exposed tens of thousands of people over the past 24 hours alone, according to a blog post published Monday by Trend Micro. The new campaign started last week when "Angler," a toolkit that sells exploits for Adobe Flash, Microsoft Silverlight, and other widely used Internet software, started pushing laced banner ads through a compromised ad network.

According to a separate blog post from Trustwave's SpiderLabs group, one JSON-based file being served in the ads has more than 12,000 lines of heavily obfuscated code. When researchers deciphered the code, they discovered it enumerated a long list of security products and tools it avoided in an attempt to remain undetected.

"If the code doesn't find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK [exploit kit] landing page," SpiderLabs researchers Daniel Chechik, Simon Kenin, and Rami Kogan wrote. "Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware–double the trouble."

This is why, if you love your computer, you

1) uninstall Java Runtime, it's useless.

2) install Ghostery, Adblock Plus, and NoScript.

It doesn't matter if you avoid all porn like the plague and only ever visit "trustworthy" "corporate" sites like the NYT; the ads on their webpage are still html coming from a third party, and all third-party html is potentially an attack.
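As an added illustration of that last point (this is not code from the original post, nor from Ars Technica, Trend Micro or Trustwave), here is a small Python audit that lists every iframe and script source on a page that is not served from the page's own origin; the page URL and HTML below are constructed samples, and the hostnames in them are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin


class ThirdPartyAuditor(HTMLParser):
    """Collect <iframe> and <script> sources that do not come from the page's own host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = urlsplit(page_url).netloc.lower()
        self.findings = []  # (tag, resolved src, serving host)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script or srcdoc iframe: nothing fetched from elsewhere
        # urljoin resolves relative paths and protocol-relative "//host/..." forms
        resolved = urljoin(self.page_url, src)
        parts = urlsplit(resolved)
        if parts.scheme not in ("http", "https"):
            # data:, javascript:, blob: carry an inline payload rather than a first-party fetch
            self.findings.append((tag, src, "<inline-scheme:%s>" % parts.scheme))
            return
        host = parts.netloc.lower()
        if host != self.first_party:
            self.findings.append((tag, resolved, host))


def audit_third_party(page_url, html):
    """Return the third-party iframe/script sources found in html, in document order."""
    auditor = ThirdPartyAuditor(page_url)
    auditor.feed(html)
    return auditor.findings


# Constructed sample: one first-party script, one partner CDN script, one ad-network iframe.
SAMPLE_PAGE_URL = "https://www.example.com/news/story"
SAMPLE_HTML = """<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.trusted-partner.test/lib.js"></script>
<p>story text</p>
<iframe src="//ad-network.test/serve?id=1" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, src, host in audit_third_party(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("%-6s %-40s served by %s" % (tag, src, host))
```

Anything this prints is HTML the site operator did not author, which is exactly the surface the post is warning about; a hidden cross-origin iframe appended to the body is the pattern the SpiderLabs quote describes.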

And if you believe that corporations are completely trustworthy and know how to provide quality security, I have a story for you:

Years ago I used Norton for my AV. Then, when they bundled Norton AV into a major bloatware suite, I thought "hey, no big deal, I have a powerful enough computer, I'll put up with the bloat if it means added security."

Then one day I woke up and found the internet was missing.

What happened was, my Norton Bloatware would phone in to the mothership on boot-up, to check and make sure its license was still valid. Well, the license server was a major license corporation that also took care of the MS Office suite... and MS had programmed an entire edition of their suite to phone in to the mothership on the exact same day.

So, as you'd expect, the license server had crashed under the weight of all that traffic.

Because of this, Norton Bloatware couldn't validate its license on that site either, so it wouldn't start.

So I lost the bloatware proxy, and thus had no internet.

Having no internet, I only managed to figure this out by starting up a packet analyzer, watching the failed connects, and sorting it out the hard way.

I had to basically remove Norton Bloatware from startup and surf without protection in order to use the internet.

At which point I decided to go through the very tedious process of manually uninstalling Norton Bloatware (difficult because to uninstall it you'd usually have to have it running, but that would mean no internet because the license server was still kaput, so it had to be unstarted, which meant a manual uninstall, and you do not uninstall a registry-heavy piece of software by hand unless you really know what you're doing).

All because some major corporations who should have known better (Microsoft, the license server, and Norton) critically and fatally screwed up what should have been a very simple license-checking process.

So don't ever trust any corporation to know how to protect your computer. It's up to you.

Maybe if a few hundred NYT readers who got hit with ransomware decide to sue the NYT for damages, and win, then we might see changes. 'Til then, this is why we hate ads, internet.
