Attacks/Breaches
3/5/2014
02:05 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%

Bromium Labs Finds YouTube Ads Serving Malware

Team discovers classic drive-by download attack on YouTube infecting users by exploiting client software vulnerabilities

CUPERTINO, Calif. – Bromium®, Inc., a pioneer in trustworthy computing, today announced new findings from Bromium Labs that discovered malware in the YouTube ad network by using Bromium vSentry® and LAVA (Live Attack Visualization & Analysis). Forensic evidence was captured in LAVA when the malware was encountered while watching a YouTube video, which helped the Google and Bromium security teams analyze the event and determine the offending advertisement came from Googleads/Doubleclick via a Flash file.

"It is a concerning trend that malware writers target incredibly popular websites like YouTube and are capable of infecting users while they view YouTube videos – without even needing to click on any ads," said Rahul Kashyap, chief security architect and head of security research at Bromium. "This malware campaign targeting YouTube users seems to be ongoing for some time and is clearly not a one-off. It is imperative that users have the latest patches at the very least. While Google informed us it is conducting a full investigation of this particular abuse, we at Bromium recommend, from a user security standpoint, disabling ads, using ad blockers in the interim and use robust isolation technologies such as micro-virtualization to prevent such unforeseen attacks."

Forensic evidence captured by Bromium LAVA revealed while watching a YouTube video, a thumbnail of another video appeared. After clicking on the thumbnail, the user was redirected to a malicious ad served by Googleads. The redirect was because of a SWF (Flash) file that injects an IFRAME into the Internet Explorer DOM. A detailed account of the analysis can be read here: labs.bromium.com.

Bromium LAVA offers an unrivaled, precise and detailed view of malware behavior in real-time. LAVA is a centralized security application that works in conjunction with Bromium's vSentry software installed at endpoints throughout the organization. LAVA gathers information from each vSentry endpoint – even mobile laptops not connected to the corporate network – then provides real-time analysis of each complete, hardware-isolated malware attack cycle that occurs.

Bromium shared details of the attack with Google's security team, and Google confirmed that a rogue advertiser was behind this malvertisment. Google has taken this campaign off and is beefing up internal procedures to prevent such events from occurring again. Google has informed Bromium the company is conducting a full investigation of this abuse and will take appropriate measures.

Bromium will be discussing the findings in detail during RSA 2014, February 24-28, 2014 at booth 2409, Moscone Center, San Francisco, CA.

Supporting Resources

Follow Bromium on the Web at:

www.bromium.com

blogs.bromium.com

labs.bromium.com

Twitter (@bromium)

About Bromium, Inc.

Bromium is re-inventing enterprise security with its powerful new technology, micro-virtualization, which was designed to protect businesses from advanced malware, while simultaneously empowering users and delivering unmatched threat intelligence to IT. Unlike traditional security methods, which rely on complex and ineffective detection techniques, Bromium protects against malware from the Web, email or USB devices, by automatically isolating each user-task at the endpoint in a hardware-isolated micro-VM, preventing theft or damage to any enterprise resource. Bromium's technological innovations have earned the company numerous industry awards including being named as a CNBC Disruptor and a Gartner Cool Vendor for 2013. Bromium counts a rapidly growing set of Fortune 500 companies and government agencies as customers, including NYSE and BlackRock.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0485
Published: 2014-09-02
S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.

CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5136
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.