
Steganography Based Ad Payload That Drops Shlayer Trojan on Mac Users

128 points by saidajigumi, over 6 years ago

15 comments

saidajigumi, over 6 years ago
This is precisely why an ad-blocker is a non-negotiable part of defense in depth. I'm sympathetic to web publishers who legit need the ad revenue to operate, but they're caught in the middle: asking me to drop this critical layer of protection is a non-starter.
mikeash, over 6 years ago
I'm amazed that web sites still let ads run arbitrary scripts. Serve an image and/or some text along with a link and call it done. If interactivity is somehow really necessary, define a few templates and allow no deviation from them.

But I guess these sites would rather just continue to be a conduit for screwing with their viewers.
eliya_confiant, over 6 years ago
Hi everyone, I'm the author of the blog post. We at Confiant help websites to protect their users by detecting and blocking malvertising. We are hiring in our security and engineering teams.

If you're interested in working to combat the problem outlined in the blog post, we would love to hear from you! Please reach out to me [eliya AT confiant DOT com].

I will be back a little bit later to answer some of the questions that I see here in the comments as well. Thanks!
tracker1, over 6 years ago
I think it's time to require bonded advertisers on advertising platforms. If you deliver third party content, you should be legally and financially responsible for it. Period. Google and others should be able to police their platform. They aren't... advertisers should have to put up a given dollar amount to advertise on the platform. If malware is detected, they get blackballed.
rrggrr, over 6 years ago
ELI5: Do I need to actively do something to be impacted, or is it enough to passively visit the infected site/ad?
iheartpotatoes, over 6 years ago
20 years since Melissa.

TWENTY YEARS.

And people still click on things they shouldn't be clicking on.

It is amazing the brainpower that goes into developing processes like this just to trick a person into doing what they've been told NOT to do.

I understand every new generation of users needs to be reminded of this. Of course, right? Kids grow up, and have to be taught basic online hygiene.

Maybe it is time to do away with the entire paradigm of "click to install" and have authenticated package managers for everything.

Would that solve the problem? If the only way to install software was through an "app/apt-store" where everything is fingerprinted? This reminds me of the article on HN a few days ago about enabling HTTPS and Tor for apt. I learned a lot about how apt verifies untouched packages are installed.

Why isn't that the ONLY method to add software to a computer?

Just seems like we are attacking the wrong problem. People still get STIs because they don't want to use a condom (or don't know how to use one). My analogy sucks, but if we got rid of sex we wouldn't have STIs, by definition. Ok, F for that metaphor, but am I going in the right direction?
ISPblocking, over 6 years ago
Is there any point at which ISPs block these known malware domains? It seems like they are using the same site (veryield-malyst.com) over and over to distribute the payload in repeated malware campaigns. Why haven't the major ISPs blocked access to that domain?

> The `veryield-malyst` domain, as a case in point, has been active for months, but only recently are VeryMal starting to smuggle it using steganography. Here's one of their ad tags from early November for comparison:

So we've known since at least November that this site is bad, but it's still serving this stuff up today? WTF?
mschuster91, over 6 years ago
Funny enough, just today it came out Google plans to neuter ad blockers by disabling the extension API they are using (https://www.heise.de/newsticker/meldung/Kontroverse-Plaene-Werbeblockern-droht-in-Chrome-das-Aus-4286274.html).

So, Google, tell me what options do I have? Switch to CPU and memory hog Firefox, to the new Internet Explorer called Safari, or watch while ads that I can't block fuck up my computer?
herodotus, over 6 years ago
Spam emails with embedded links don't use steganography, but they use a similar redirect attack. I have reverse engineered many of them, and, for a lot of them, I am struck by the sense of whimsy in the choice of variable names the attackers use. Clearly, they are having fun doing these scripts. It always struck me as sad that these possibly talented (and apparently pretty happy) developers have been steered into crime instead of a probably lucrative honest career in software.
tbabb, over 6 years ago
That's it. I'm disabling JS by default.
sourthyme, over 6 years ago
Maybe I'm missing something, but why are Apple fonts required here?
tracker1, over 6 years ago
Maybe it's time to limit browsers to 2 levels of IFrame and 2 redirects in an IFrame... let the ad companies figure out how to pass/share their data directly instead of adding payload to the browser. It's entirely possible for the ad networks to proxy their requests instead of layers of IFrames, scripts and redirects.

The other side is that any advertising re-sellers should have to put up a bond/insurance against serving malware. If you get busted, you're out. It's up to the advertising companies to ensure that they don't deliver malware. If a campaign includes malware, then it's a $10K fine + $1 for every time that campaign was shown.
ghego1, over 6 years ago
I think the title is a bit misleading, as a user action is still required to actually infect the device.
DGAP, over 6 years ago
Any published IOCs for this? Any hashes for the malware itself?
gcb0, over 6 years ago
tl;dr: the malicious ad stores the payload in an image, then executes it with eval().

If the publisher had minimal CSP eval protection on ads it would be safe. But I guess that would break every ad, even Google's.

In the end, same old everything. Just a slightly clever way to avoid static analysis, which is also not new at all.
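As an added example (not code from the thread, from Confiant, or from the blog post), the check behind the CSP point above: a small parser that resolves which Content-Security-Policy directive governs `eval()` (`script-src`, falling back to `default-src`, none at all meaning unrestricted) and reports whether a policy leaves the door open. The sample policies and the `https://ads.example` host are constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy header value for the setting
// that lets an ad's decoded image payload reach eval(). Sample policies below
// are constructed; none of this is the original page's code.

function parseCsp(headerValue) {
  // Directives are ';'-separated: a case-insensitive name followed by
  // whitespace-separated source expressions. A repeated directive is
  // ignored (the first occurrence wins, as browsers do).
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function effectiveScriptSources(directives) {
  // eval() is governed by script-src; if that is absent, default-src applies;
  // if neither is present, scripts are not restricted at all.
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

function evalAllowed(headerValue) {
  const sources = effectiveScriptSources(parseCsp(headerValue));
  if (sources === null) return true; // no policy covers scripts
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

function inlineAllowed(headerValue) {
  const sources = effectiveScriptSources(parseCsp(headerValue));
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Constructed sample policies: a permissive one that an ad stack often
// demands, and a hardened one that removes eval for everything on the page.
const WEAK_CSP = "default-src 'self'; script-src 'self' https://ads.example 'unsafe-inline' 'unsafe-eval'";
const HARDENED_CSP = "default-src 'self'; script-src 'self' https://ads.example; object-src 'none'";

function auditPolicies(policies) {
  return policies.map(([label, value]) => ({
    label, evalAllowed: evalAllowed(value), inlineAllowed: inlineAllowed(value),
  }));
}

console.log(auditPolicies([['weak', WEAK_CSP], ['hardened', HARDENED_CSP], ['none', '']]));
```

The audit treats a missing header as the weakest case, which matches the practical situation gcb0 describes: without a policy, nothing stops ad code from calling `eval()`.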