02:05 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly

Bromium Labs Finds YouTube Ads Serving Malware

Team discovers classic drive-by download attack on YouTube infecting users by exploiting client software vulnerabilities

CUPERTINO, Calif. – Bromium®, Inc., a pioneer in trustworthy computing, today announced new findings from Bromium Labs that discovered malware in the YouTube ad network by using Bromium vSentry® and LAVA (Live Attack Visualization & Analysis). Forensic evidence was captured in LAVA when the malware was encountered while watching a YouTube video, which helped the Google and Bromium security teams analyze the event and determine the offending advertisement came from Googleads/Doubleclick via a Flash file.

"It is a concerning trend that malware writers target incredibly popular websites like YouTube and are capable of infecting users while they view YouTube videos – without even needing to click on any ads," said Rahul Kashyap, chief security architect and head of security research at Bromium. "This malware campaign targeting YouTube users seems to be ongoing for some time and is clearly not a one-off. It is imperative that users have the latest patches at the very least. While Google informed us it is conducting a full investigation of this particular abuse, we at Bromium recommend, from a user security standpoint, disabling ads, using ad blockers in the interim and use robust isolation technologies such as micro-virtualization to prevent such unforeseen attacks."

Forensic evidence captured by Bromium LAVA revealed while watching a YouTube video, a thumbnail of another video appeared. After clicking on the thumbnail, the user was redirected to a malicious ad served by Googleads. The redirect was because of a SWF (Flash) file that injects an IFRAME into the Internet Explorer DOM. A detailed account of the analysis can be read here:

Bromium LAVA offers an unrivaled, precise and detailed view of malware behavior in real-time. LAVA is a centralized security application that works in conjunction with Bromium's vSentry software installed at endpoints throughout the organization. LAVA gathers information from each vSentry endpoint – even mobile laptops not connected to the corporate network – then provides real-time analysis of each complete, hardware-isolated malware attack cycle that occurs.

Bromium shared details of the attack with Google's security team, and Google confirmed that a rogue advertiser was behind this malvertisment. Google has taken this campaign off and is beefing up internal procedures to prevent such events from occurring again. Google has informed Bromium the company is conducting a full investigation of this abuse and will take appropriate measures.

Bromium will be discussing the findings in detail during RSA 2014, February 24-28, 2014 at booth 2409, Moscone Center, San Francisco, CA.

Supporting Resources

Follow Bromium on the Web at:

Twitter (@bromium)

About Bromium, Inc.

Bromium is re-inventing enterprise security with its powerful new technology, micro-virtualization, which was designed to protect businesses from advanced malware, while simultaneously empowering users and delivering unmatched threat intelligence to IT. Unlike traditional security methods, which rely on complex and ineffective detection techniques, Bromium protects against malware from the Web, email or USB devices, by automatically isolating each user-task at the endpoint in a hardware-isolated micro-VM, preventing theft or damage to any enterprise resource. Bromium's technological innovations have earned the company numerous industry awards including being named as a CNBC Disruptor and a Gartner Cool Vendor for 2013. Bromium counts a rapidly growing set of Fortune 500 companies and government agencies as customers, including NYSE and BlackRock.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-28 in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The issue is covered by CVE-...

Published: 2014-07-28
Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors.

Published: 2014-07-28
The module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) or (2) when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions...

Published: 2014-07-28
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.