Bromium Labs Finds YouTube Ads Serving Malware

Team discovers classic drive-by download attack on YouTube infecting users by exploiting client software vulnerabilities

March 6, 2014

3 Min Read


CUPERTINO, Calif. – Bromium®, Inc., a pioneer in trustworthy computing, today announced new findings from Bromium Labs that discovered malware in the YouTube ad network by using Bromium vSentry® and LAVA (Live Attack Visualization & Analysis). Forensic evidence was captured in LAVA when the malware was encountered while watching a YouTube video, which helped the Google and Bromium security teams analyze the event and determine the offending advertisement came from Googleads/Doubleclick via a Flash file.

"It is a concerning trend that malware writers target incredibly popular websites like YouTube and are capable of infecting users while they view YouTube videos – without even needing to click on any ads," said Rahul Kashyap, chief security architect and head of security research at Bromium. "This malware campaign targeting YouTube users seems to be ongoing for some time and is clearly not a one-off. It is imperative that users have the latest patches at the very least. While Google informed us it is conducting a full investigation of this particular abuse, we at Bromium recommend, from a user security standpoint, disabling ads, using ad blockers in the interim and use robust isolation technologies such as micro-virtualization to prevent such unforeseen attacks."

Forensic evidence captured by Bromium LAVA revealed while watching a YouTube video, a thumbnail of another video appeared. After clicking on the thumbnail, the user was redirected to a malicious ad served by Googleads. The redirect was because of a SWF (Flash) file that injects an IFRAME into the Internet Explorer DOM. A detailed account of the analysis can be read here:

Bromium LAVA offers an unrivaled, precise and detailed view of malware behavior in real-time. LAVA is a centralized security application that works in conjunction with Bromium's vSentry software installed at endpoints throughout the organization. LAVA gathers information from each vSentry endpoint – even mobile laptops not connected to the corporate network – then provides real-time analysis of each complete, hardware-isolated malware attack cycle that occurs.

Bromium shared details of the attack with Google's security team, and Google confirmed that a rogue advertiser was behind this malvertisment. Google has taken this campaign off and is beefing up internal procedures to prevent such events from occurring again. Google has informed Bromium the company is conducting a full investigation of this abuse and will take appropriate measures.

Bromium will be discussing the findings in detail during RSA 2014, February 24-28, 2014 at booth 2409, Moscone Center, San Francisco, CA.

Supporting Resources

Follow Bromium on the Web at:

Twitter (@bromium)

About Bromium, Inc.

Bromium is re-inventing enterprise security with its powerful new technology, micro-virtualization, which was designed to protect businesses from advanced malware, while simultaneously empowering users and delivering unmatched threat intelligence to IT. Unlike traditional security methods, which rely on complex and ineffective detection techniques, Bromium protects against malware from the Web, email or USB devices, by automatically isolating each user-task at the endpoint in a hardware-isolated micro-VM, preventing theft or damage to any enterprise resource. Bromium's technological innovations have earned the company numerous industry awards including being named as a CNBC Disruptor and a Gartner Cool Vendor for 2013. Bromium counts a rapidly growing set of Fortune 500 companies and government agencies as customers, including NYSE and BlackRock.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights