
We received a random email which, by the way it looks, might of course be a marketing attempt; however, one always needs a verification to be done. The email read as follows:

We have identified that the website http://example.com/ is serving up malicious content. Attached is our initial report. Please can you confirm receipt of this email by directly replying to the sender.

When we find compromised websites, if we feel it is in the public interest, we inform search engine providers, Law Enforcement Agencies and our customers of the compromise to enable them to make appropriate steps. In some cases, we publish our findings within a reasonable time to ensure the general public are aware of any risks presented by the compromise.

We may be able to provide further information on the compromise as and when our research identifies it.

You have received this email because we notify sites by emailing to industry recognized email addresses for reporting compromised sites. If you have any questions then please feel free to contact us on the address used to send this email.

After this email, we checked our ad server; I came across and inspected the domain, which earlier had an open unvalidated redirect vulnerability that was kept as a business use case needed on the production system. The URL looks like the one below:

hxxp://banners.xxx.com/www/content/afr.php?zoneid=737&target=_blank&cb=1708201502 

Although an unvalidated redirect could be used to redirect users to malicious sites, I am aware that our internal servers are not sending any malicious code (we verified this through an internal security inspection of all consistent and active code on the production ad server). Hence no malicious content is being sent from the organization's own servers to any external entities.

My question is: why are all the ad-serving servers termed CnC in most reports, as they claimed in the report below, and how do we respond?

[screenshot of the report, not reproduced]

Can we otherwise deploy a known tool to detect whether there is any certainty on our ad server for the results delivered in the end reports, or should we treat it as a complete marketing agenda, since with manual inspection we looked down to header-level and packet-level data, which shows a false positive?

Shritam Bhowmick

1 Answer


My question is: why are all the ad-serving servers termed CnC in most reports, as they claimed in the report below, and how do we respond?

Because the way advertising is done today on the internet makes it easy to use ads to serve malware or carry out social attacks. There is already the term "malvertisement" for malware delivery through advertisements, and as far as I know all of the major advertising networks have been affected already. If you search for malvertisement you will find lots of examples, reports that it is rapidly increasing, and that it is even used in micro-targeted attacks.

Unfortunately there is no sure way to find out whether a place you offer for advertisement will serve malware. The process of including the advertisement is very dynamic, lots of parties are involved, and real-time bidding makes it easy to include the malvertisement only at specific times, for specific browsers, for specific source IP addresses, or similar. This way it is impossible to find out with random inspection whether there will be malvertisement or not.

Part of these malvertisement attacks are compromised ad servers, like the one from Yahoo in 2014, OpenX several times, or MadAdsMedia in 2015.

Steffen Ullrich
  • ActiveX restrictions at browser level determine a controlled environment for detection and prevention. I don't see any threats for a CVE-2015 which isn't verified. Also, is there any specific deployment tool we can use to at least verify? Compliance requires this. – Shritam Bhowmick Jan 30 '16 at 17:19
  • @ShritamBhowmick: I'm not sure why you refer to ActiveX and some unspecified CVE from 2015. The majority of malvertisement in 2015 was probably with Flash, and in 2014 with Java, and there were lots of different exploits involved. – Steffen Ullrich Jan 30 '16 at 17:22
  • @ShritamBhowmick: since there are no details of how the ads are delivered by you and how you control the content of the ads, it is impossible to suggest any improvement to this process. But unless the (unknown) sender of the mail you received is trying to sell you something, I would believe that you actually served malware. It is not uncommon for ad servers to get compromised. – Steffen Ullrich Jan 30 '16 at 17:26
  • If ad servers get compromised, is that in scope of the internal organization? – Shritam Bhowmick Jan 30 '16 at 19:00
  • @ShritamBhowmick: sorry, but I'm not able to understand what you are asking in this comment. Maybe you could provide an example to make it clearer. – Steffen Ullrich Jan 30 '16 at 20:55
  • I am asking whether there are any specific universal tools to be deployed to detect these threats. Also, I am asking whether these third-party servers are included in compliance (ISO 27001). As per my information, third-party ad servers aren't part of the scope of organizational security. If they are, we need to discuss a specific tool which can detect these threats. – Shritam Bhowmick Jan 31 '16 at 15:09
  • @ShritamBhowmick: I'm not aware of any universal tools which cover this case, and I doubt that these will ever exist for the current way of real-time bidding. And I don't know whether the behavior of third-party servers is included in the compliance or not. But it is a fact that these servers cause problems for the users and thus (hopefully) for the ad network too. In that respect it does not matter to me as a user whether these are included in the compliance of the ad network or not. – Steffen Ullrich Jan 31 '16 at 16:15
  • Certainly. As for the facts, we got these checked by the internal security team, and with the HTTP data inspection they said it's a false positive. The other vendor who tried to sell us their product claimed that our traffic was sent to the Angler Exploit Kit, which wasn't the case in the first place. Also, this was an old report which was sent to us via a mass mailer, on a trial-and-error basis of email addresses like support@company.com, abuse@company.com, etc. But earlier you said this could be serious, so I'd love to dig in again and make sure, as per your expert advice. – Shritam Bhowmick Jan 31 '16 at 16:31
  • As we talk, they have published without confirmation. What should be the next steps to convey to them to take down their blog post, since it's a false positive (the team checked again)? – Shritam Bhowmick Feb 02 '16 at 11:35
  • @ShritamBhowmick: I think you need to contact them and tell them the result of your own analysis. Either they can prove that they are right, which means that your analysis was wrong, or you can prove that their analysis was wrong. If you feel confident that your analysis was correct and exhaustive, then you should be able to prove them wrong. – Steffen Ullrich Feb 02 '16 at 11:56
  • They're saying this is the source and it is infected: `http://banners.yatrainc.com/www/content/afr.php?zoneid=737&target=_blank&cb=1708201502`; however, our team doesn't see any malware affecting any traffic which is being redirected from here. They specifically mentioned `Compromised Revive ad server script` for the aforementioned URL. – Shritam Bhowmick Feb 02 '16 at 12:29
  • @ShritamBhowmick: I have no idea how your team checked the site. Like I said: if you are sure that you checked exhaustively, then you should be able to prove it. Don't expect anybody here to do a remote analysis of your situation with nearly no useful information. – Steffen Ullrich Feb 02 '16 at 12:41
  • They derived the analysis from this URL itself. – Shritam Bhowmick Feb 02 '16 at 16:06
  • @ShritamBhowmick: Whatever process "derived" exactly means here. The content behind a third-party URL can change all the time, and it is typical for malvertising that the same URL in some cases serves malware and in some not, often depending on the browser, source IP, OS, etc. of the visitor. Thus checking what's behind a specific URL from your place at a specific time will not help. – Steffen Ullrich Feb 02 '16 at 17:06
  • Derived means they have determined the conclusion of a threatening scenario which is 'Java drive-by' dependent. Look at `http://blogs.forcepoint.com/security-labs/top-20-airline-travel-site-yatracom-victim-malvertizing-attack-redirects-users-angler` – Shritam Bhowmick Feb 02 '16 at 20:39
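The answer's central point, that the same ad URL can serve different content depending on browser, referer, source IP or time, means a single manual fetch from the operator's own network proves very little. The following is an added example, not code from the question, the answer, or the Revive/OpenX project: it requests an ad URL repeatedly under several request profiles, groups the responses by hash so that any cloaking shows up as more than one variant, and flags script/iframe sources outside an allowlist of hosts the ad server is expected to reference. The request profiles, the hostnames `banners.example.com` and `ads-static.example.net`, the allowlist, and the simulated cloaking ad server are all constructed assumptions; the injected one-pixel iframe only mimics the shape of an injected tag, not any real sample.

```python
"""Probe an ad URL for cloaked content and off-allowlist script/iframe sources.

Added example, not code from the original page. The fetcher is injected so the
logic runs offline against a constructed simulation; a urllib-based fetcher is
provided for real use.
"""
import hashlib
import re
import urllib.request
from collections import defaultdict

# Request profiles a malvertiser might key on (constructed assumptions).
PROFILES = {
    "chrome-us": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/47.0 Safari/537.36",
        "Accept-Language": "en-US",
        "Referer": "http://example.com/",
    },
    "ie-us": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
        "Accept-Language": "en-US",
        "Referer": "http://example.com/",
    },
    # A bare scanner fetch with no Referer: the kind of check that often misses cloaked payloads.
    "curl-noref": {"User-Agent": "curl/7.47.0"},
}

SRC_RE = re.compile(r"""<(?:script|iframe)[^>]+src=["']([^"']+)["']""", re.I)
HOST_RE = re.compile(r"^(?:https?:)?//([^/:?#]+)", re.I)


def external_sources(html, allowed_hosts):
    """Return hosts of script/iframe src attributes that are not on the allowlist.

    Relative URLs (no scheme or //) point at the ad server itself and are skipped.
    """
    hosts = set()
    for src in SRC_RE.findall(html):
        m = HOST_RE.match(src)
        if m:
            host = m.group(1).lower()
            if host not in allowed_hosts:
                hosts.add(host)
    return hosts


def probe(url, fetcher, profiles, allowed_hosts, rounds=3):
    """Fetch url under every profile for several rounds and summarise the variation.

    Returns the number of distinct response bodies seen, which profiles produced
    each body, and which profiles received off-allowlist script/iframe sources.
    """
    by_hash = defaultdict(set)
    suspicious = {}
    for _ in range(rounds):
        for name, headers in profiles.items():
            body = fetcher(url, headers)
            digest = hashlib.sha256(body.encode("utf-8", "replace")).hexdigest()[:12]
            by_hash[digest].add(name)
            ext = external_sources(body, allowed_hosts)
            if ext:
                suspicious.setdefault(name, set()).update(ext)
    return {"variants": len(by_hash), "by_hash": dict(by_hash), "suspicious": suspicious}


def urllib_fetcher(url, headers, timeout=10):
    """Real fetcher for live use; not called by the offline demo below."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed simulation of a cloaking ad server: the injected iframe is served only
# to an IE User-Agent that arrives with a Referer, everyone else gets the clean banner.
BENIGN = ('<div class="banner"><a href="http://advertiser.example/landing">'
          '<img src="http://banners.example.com/img/ad1.gif"></a></div>')
INJECTED = BENIGN + ('<iframe src="http://ads-static.example.net/x.php" '
                     'width="1" height="1"></iframe>')


def simulated_ad_server(url, headers):
    ua = headers.get("User-Agent", "")
    if "Trident" in ua and headers.get("Referer"):
        return INJECTED
    return BENIGN


if __name__ == "__main__":
    result = probe("http://banners.example.com/www/content/afr.php?zoneid=737",
                   simulated_ad_server, PROFILES, {"banners.example.com"})
    print("distinct response variants:", result["variants"])
    for digest, names in result["by_hash"].items():
        print(" ", digest, "served to", sorted(names))
    for name, hosts in result["suspicious"].items():
        print("off-allowlist sources for", name, "->", sorted(hosts))
```

Run against the simulation, the scanner-style `curl-noref` profile and the Chrome profile see the same clean banner, while only the IE profile receives the injected iframe, which is exactly why the team's inspection "from this URL itself" can come back clean while a vendor sees the same URL as compromised. In live use, swap in `urllib_fetcher` and run from more than one egress IP and at different times, since a single vantage point cannot vary the source address the bidding logic may key on.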