
Attacks/Breaches

3/5/2014 02:05 PM
Dark Reading
Products and Releases

Bromium Labs Finds YouTube Ads Serving Malware

Team discovers classic drive-by download attack on YouTube infecting users by exploiting client software vulnerabilities

CUPERTINO, Calif. – Bromium®, Inc., a pioneer in trustworthy computing, today announced new findings from Bromium Labs, which discovered malware in the YouTube ad network using Bromium vSentry® and LAVA (Live Attack Visualization & Analysis). Forensic evidence was captured in LAVA when the malware was encountered while a user was watching a YouTube video. That evidence helped the Google and Bromium security teams analyze the event and determine that the offending advertisement came from Googleads/Doubleclick via a Flash file.

"It is a concerning trend that malware writers target incredibly popular websites like YouTube and are capable of infecting users while they view YouTube videos – without even needing to click on any ads," said Rahul Kashyap, chief security architect and head of security research at Bromium. "This malware campaign targeting YouTube users seems to have been ongoing for some time and is clearly not a one-off. It is imperative that users have the latest patches at the very least. While Google informed us it is conducting a full investigation of this particular abuse, we at Bromium recommend, from a user security standpoint, disabling ads, using ad blockers in the interim and using robust isolation technologies such as micro-virtualization to prevent such unforeseen attacks."

Forensic evidence captured by Bromium LAVA revealed that, while the user was watching a YouTube video, a thumbnail of another video appeared. After the user clicked the thumbnail, the browser was redirected to a malicious ad served by Googleads. The redirect was caused by a SWF (Flash) file that injected an IFRAME into the Internet Explorer DOM; the injected frame is what pulled in the drive-by download. A detailed account of the analysis can be read here: labs.bromium.com.
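The injected IFRAME is the part of this chain a defender can look for in captured page content: drive-by frames are typically sized to a pixel or styled invisible and point at a host the page has no business embedding. The scanner below is an added example written for this article, not Bromium's or Google's code. It parses an HTML capture with the standard library, flags any IFRAME that is hidden or whose source host is outside an allowlist, and runs against a constructed sample page that embeds one legitimate YouTube player and one injected frame. The allowlist (TRUSTED_HOSTS), the sample page and the landing host ad-landing.example are assumptions made for the example, not indicators from the actual campaign.

```python
"""Flag drive-by style IFRAMEs in captured HTML.

Added example for this article; not Bromium's or Google's code.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the page is expected to embed legitimately (assumption for this example).
TRUSTED_HOSTS = {"www.youtube.com", "youtube.com", "googleads.g.doubleclick.net"}


def _px(value):
    """Parse '0', '1px' or '100%' style sizes; return the leading integer or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def _is_hidden(attrs):
    """True when the frame is sized or styled so the user cannot see it."""
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # Off-screen positioning such as left:-9999px or top:-1000px
    if re.search(r"(left|top):-\d", style):
        return True
    for dim in ("width", "height"):
        m = re.search(dim + r":(\d+)", style)
        if m and int(m.group(1)) <= 1:
            return True
    return False


class IframeScanner(HTMLParser):
    """Collects every IFRAME that is hidden or points outside TRUSTED_HOSTS."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        # Bare attributes arrive with a None value; normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host not in TRUSTED_HOSTS:
            reasons.append("off-site src " + host)
        if _is_hidden(a):
            reasons.append("hidden frame")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def scan_html(html):
    """Return a list of {src, reasons} dicts for suspicious IFRAMEs in html."""
    p = IframeScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample capture: one legitimate player plus one injected frame
# of the kind a malicious SWF would write into the DOM. Not real campaign data.
SAMPLE_PAGE = """
<html><body>
<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ" width="560" height="315"></iframe>
<div id="ad-slot">
<iframe src="http://ad-landing.example/exploit.html" width="1" height="1"
        style="visibility: hidden"></iframe>
</div>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

On the sample capture the visible YouTube embed passes and the injected frame is reported for both reasons (off-site host and hidden frame). Against real captures, the off-site check is the one that needs tuning: an ad slot legitimately frames several ad-exchange hosts, so the allowlist should be built from what the page serves on a clean day, not guessed.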

Bromium LAVA offers an unrivaled, precise and detailed view of malware behavior in real-time. LAVA is a centralized security application that works in conjunction with Bromium's vSentry software installed at endpoints throughout the organization. LAVA gathers information from each vSentry endpoint – even mobile laptops not connected to the corporate network – then provides real-time analysis of each complete, hardware-isolated malware attack cycle that occurs.

Bromium shared details of the attack with Google's security team, and Google confirmed that a rogue advertiser was behind this malvertisement. Google has taken the campaign down and is strengthening its internal procedures to prevent such events from occurring again. Google has informed Bromium that the company is conducting a full investigation of this abuse and will take appropriate measures.

Bromium will be discussing the findings in detail during RSA 2014, February 24-28, 2014 at booth 2409, Moscone Center, San Francisco, CA.

Supporting Resources

Follow Bromium on the Web at:

www.bromium.com

blogs.bromium.com

labs.bromium.com

Twitter (@bromium)

About Bromium, Inc.

Bromium is re-inventing enterprise security with its powerful new technology, micro-virtualization, which was designed to protect businesses from advanced malware, while simultaneously empowering users and delivering unmatched threat intelligence to IT. Unlike traditional security methods, which rely on complex and ineffective detection techniques, Bromium protects against malware from the Web, email or USB devices, by automatically isolating each user-task at the endpoint in a hardware-isolated micro-VM, preventing theft or damage to any enterprise resource. Bromium's technological innovations have earned the company numerous industry awards including being named as a CNBC Disruptor and a Gartner Cool Vendor for 2013. Bromium counts a rapidly growing set of Fortune 500 companies and government agencies as customers, including NYSE and BlackRock.
