A picture tells a 1,000 words. Pixels pwn up to 5 million nerds: Crims use steganography to stash bad code in ads

Apple fans lured into installing malware via crafty JavaScript

A strain of malware has been clocked using steganography to run malicious JavaScript on Macs via images in online banner ads, it was claimed this week.

A joint report from security shops Confiant and Malwarebytes drilled into the techniques used by VeryMal, a malvertising operation that spreads through poisoned ad images. What they found was that miscreants were avoiding security filters by hiding code in images using steganography.

That code, when executed in the browser, redirects the visitor to dodgy sites that try to trick people into installing Adobe Flash updates and similar fare that are actually adware, which secretly clicks on ads in the background to generate revenue for the campaign's masterminds. We've seen this kind of thing before, against Windows PCs.

We're told VeryMal was active between January 11 and 13, on two top-tier ad exchanges used by a quarter of the top 100 publisher websites, targeting macOS and iOS users in the US. It was also doing the rounds in December, according to Confiant.

The upshot: as many as five million netizens a day shown maliciously crafted adverts, costing the industry $1.2m in just one day, it is alleged. That dollar value is the guesstimated impact of running these dodgy ads – from an increase in blockers and loss of trust in publishers to money paid out by advertisers and networks for fraudulent clicks.

"As malvertising detection continues to mature, sophisticated attackers are starting to learn that obvious methods of obfuscation are no longer getting the job done," explained Confiant security engineer Eliya Stein.

"The output of common JavaScript obfuscators is a very particular type of gibberish that can easily be recognized by the naked eye. Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables."

Stein said that in the case of VeryMal, the banner ad image containing the code is just a benign image: it is not dangerous on its own, and doesn't exploit any vulnerabilities in the browser. However, encoded in the pixels of the image is malicious JavaScript code. Crucially, the ad is served to the browser along with a small piece of seemingly harmless JS that reads through the image's pixels, extracts the malicious script from these bytes into a string, and then executes the string.

(Don't forget that in this day and age, ads are fetched as a package of images and code, the latter of which lets the ad network know if the former was seen by an actual human. For instance, if a reader scrolls past an ad too fast, it isn't reported as a successful impression by the bundled watchdog code. If the ad was fetched but not visibly rendered due to a blocker, the watchdog again snitches to the network.)

Security software scanning for malicious JS will not spot it smuggled into the ad image, and will likely let through the side-loaded extraction code. One solution to all of this, of course, is to block ad images and sidekick code from being fetched. (Just make sure you white-list the nice ads, like ours.)

Interestingly, the code checks to see if Apple fonts are present, and if so, it figures it's running on a Mac and continues on. Non-Macs stop at this point. Here are the full extraction steps, according to the report:

* Create a Canvas object (this enables the use of the HTML5 Canvas API in order to interact with images and their underlying data.)

* Grab the image located at: hxxp://s.ad-pixel.com/sscc.jpg

* Define a function that checks if a specific font family is supported in the browser.

* Check if Apple fonts are supported. If not, then do nothing.

* If so, then loop through the underlying data in the image file. Each loop reads a pixel value and translates it into an alphanumeric character.

* Add the newly extracted character to a string.

* Execute the code in the string.
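
A defender-side way to triage ad-bundled script for the chain in these steps (pixel read, character decoding, execution of the resulting string), as an added example that is not code from the report or this article. The indicator regexes, verdict labels and sample snippets are constructed assumptions.

```javascript
// Added example: static triage of ad-bundled JavaScript for the pixel-to-code chain.
// Indicator names, regexes and verdict labels are assumptions made for illustration.
const INDICATORS = {
  canvasCreate: /createElement\(\s*['"]canvas['"]\s*\)|new\s+OffscreenCanvas\b/,
  pixelRead: /\.getImageData\s*\(/,
  charDecode: /String\s*\.\s*from(?:CharCode|CodePoint)\b/,
  dynamicExec: /\beval\s*\(|\bnew\s+Function\s*\(|set(?:Timeout|Interval)\s*\(\s*['"`]/,
  fontProbe: /\.measureText\s*\(|document\.fonts\.check\s*\(/,
};

// Remove block and line comments so commented-out code does not count as a hit.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, ' ').replace(/(^|[^:'"`\\])\/\/.*$/gm, '$1');
}

function classifyAdScript(src) {
  const code = stripComments(src);
  const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(code));
  const has = (k) => hits.includes(k);
  let verdict = 'allow';
  if (has('pixelRead') && has('dynamicExec')) {
    // Image bytes can reach an execution sink: the chain the report describes.
    verdict = has('charDecode') ? 'block' : 'review';
  } else if (has('pixelRead') && has('charDecode')) {
    verdict = 'review'; // pixels decoded to text, no visible sink (may be hidden)
  }
  // platformGated records the font check that limited the campaign to Apple devices.
  return { verdict, hits, platformGated: has('fontProbe') };
}

// Constructed samples: a viewability watchdog, a benign canvas user, and a
// fragment with only the call shape of the loader (not a working decoder).
const SAMPLES = {
  viewability: "new IntersectionObserver(function (e) { report(e[0].isIntersecting); }).observe(ad); // no eval( here",
  thumbnail: "var c = document.createElement('canvas'); var px = c.getContext('2d').getImageData(0, 0, 8, 8).data; avg(px);",
  loaderShape: "var c = document.createElement('canvas'); /* font gate */ ctx.measureText('x'); " +
    "var d = ctx.getImageData(0, 0, w, h).data; /* per-pixel loop */ s += String.fromCharCode(v); /* sink */ eval(s);",
};

for (const [name, src] of Object.entries(SAMPLES)) {
  const r = classifyAdScript(src);
  console.log(name, r.verdict, r.hits.join(','), 'platformGated=' + r.platformGated);
}
```

Pattern matching like this is defeated by string-built property names or renamed sinks, so it suits triage ahead of sandboxed execution rather than a final decision.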

"Much of the buzz around these types of attacks will have you believe that the image file alone is the threat and that we now have to fear the images that our browsers load during day to day web surfing, but this is a departure from the truth," said Stein.

"Validating the integrity of individual image files served in ads makes little sense within the broader context of the execution of these payloads.

"Estimated all together, Confiant benchmarks the cost impact for just that Jan 11th peak alone to have been over $1.2 million. When you consider that this was just one of multiple hundreds of attacks Confiant has caught and blocked over the past month alone, the scale of the issues facing the digital ad industry becomes clearer." ®

Biting the hand that feeds IT © 1998–2020