
heads up on a stenographic ad attack

Posted: Sat Dec 10, 2016 12:32 am
by morganism
"Millions of readers who visited popular news websites have been targeted by a series of malicious ads redirecting to an exploit kit exploiting several Flash vulnerabilities."

"Using the known Internet Explorer vulnerability CVE-2016-0162, the encoded script attempts to verify that it is not being run in a monitored environment such as a malware analyst’s machine.

"If the script does not detect any signs of monitoring, it redirects to the Stegano exploit kit’s landing page, via the TinyURL service. The landing page loads a Flash file that is able to exploit three different vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117), depending on the version of Flash found on the victim’s system."

http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/

checks for IE and old Java installs

Re: heads up on a stenographic ad attack

Posted: Sun Dec 11, 2016 9:48 pm
by Thrawn
Basically the only novel aspect of this is the concealment of the payload using steganography. The threat vector - scripts from a domain that cannot be trusted - is unchanged.

From the perspective of a research lab trying to study the attack, it's important, but from the perspective of an end-user trying to defend against it, it's the same as any other malvertising.

(In fact, it's theoretically slightly easier to block, because blocking scripts or images will stop this one. I actually do sometimes allow scripts while blocking images, on my mobile.)