Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:05 PM
Dark Reading
Dark Reading
Products and Releases

Bromium Labs Finds YouTube Ads Serving Malware

Team discovers classic drive-by download attack on YouTube infecting users by exploiting client software vulnerabilities

CUPERTINO, Calif. – Bromium®, Inc., a pioneer in trustworthy computing, today announced new findings from Bromium Labs that discovered malware in the YouTube ad network by using Bromium vSentry® and LAVA (Live Attack Visualization & Analysis). Forensic evidence was captured in LAVA when the malware was encountered while watching a YouTube video, which helped the Google and Bromium security teams analyze the event and determine the offending advertisement came from Googleads/Doubleclick via a Flash file.

"It is a concerning trend that malware writers target incredibly popular websites like YouTube and are capable of infecting users while they view YouTube videos – without even needing to click on any ads," said Rahul Kashyap, chief security architect and head of security research at Bromium. "This malware campaign targeting YouTube users seems to be ongoing for some time and is clearly not a one-off. It is imperative that users have the latest patches at the very least. While Google informed us it is conducting a full investigation of this particular abuse, we at Bromium recommend, from a user security standpoint, disabling ads, using ad blockers in the interim and use robust isolation technologies such as micro-virtualization to prevent such unforeseen attacks."

Forensic evidence captured by Bromium LAVA revealed while watching a YouTube video, a thumbnail of another video appeared. After clicking on the thumbnail, the user was redirected to a malicious ad served by Googleads. The redirect was because of a SWF (Flash) file that injects an IFRAME into the Internet Explorer DOM. A detailed account of the analysis can be read here: labs.bromium.com.

Bromium LAVA offers an unrivaled, precise and detailed view of malware behavior in real-time. LAVA is a centralized security application that works in conjunction with Bromium's vSentry software installed at endpoints throughout the organization. LAVA gathers information from each vSentry endpoint – even mobile laptops not connected to the corporate network – then provides real-time analysis of each complete, hardware-isolated malware attack cycle that occurs.

Bromium shared details of the attack with Google's security team, and Google confirmed that a rogue advertiser was behind this malvertisment. Google has taken this campaign off and is beefing up internal procedures to prevent such events from occurring again. Google has informed Bromium the company is conducting a full investigation of this abuse and will take appropriate measures.

Bromium will be discussing the findings in detail during RSA 2014, February 24-28, 2014 at booth 2409, Moscone Center, San Francisco, CA.

Supporting Resources

Follow Bromium on the Web at:




Twitter (@bromium)

About Bromium, Inc.

Bromium is re-inventing enterprise security with its powerful new technology, micro-virtualization, which was designed to protect businesses from advanced malware, while simultaneously empowering users and delivering unmatched threat intelligence to IT. Unlike traditional security methods, which rely on complex and ineffective detection techniques, Bromium protects against malware from the Web, email or USB devices, by automatically isolating each user-task at the endpoint in a hardware-isolated micro-VM, preventing theft or damage to any enterprise resource. Bromium's technological innovations have earned the company numerous industry awards including being named as a CNBC Disruptor and a Gartner Cool Vendor for 2013. Bromium counts a rapidly growing set of Fortune 500 companies and government agencies as customers, including NYSE and BlackRock.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Take me to your BISO 
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-10
In YzmCMS 5.6, XSS was discovered in member/member_content/init.html via the SRC attribute of an IFRAME element because of using UEditor
PUBLISHED: 2021-05-10
In YzmCMS 5.6, stored XSS exists via the common/static/plugin/ueditor/ action parameter, which allows remote attackers to upload a swf file. The swf file can be injected with arbitrary web script or HTML.
PUBLISHED: 2021-05-10
Cross-site scripting (XSS) vulnerability in static/admin/js/kindeditor/plugins/multiimage/images/swfupload.swf in noneCms v1.3.0 allows remote attackers to inject arbitrary web script or HTML via the movieName parameter.
PUBLISHED: 2021-05-10
Cross-site scripting (XSS) vulnerability in admin/nav/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.
PUBLISHED: 2021-05-10
Cross-site scripting (XSS) vulnerability in admin/article/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.