
Attacks/Breaches
9/8/2014 02:00 PM
Sara Peters
Quick Hits

'Kyle & Stan' Parks Malvertising On Amazon, YouTube

Windows and Macs alike are at risk to sophisticated mutating malware.

A malicious advertising (malvertising) network is distributing spyware, adware, and browser hijackers to both Macs and PCs, crafting a unique malware bundle for each machine it infects. The network, dubbed "Kyle and Stan" by Cisco's TALOS Security Research, is 700 domains strong, including the likes of amazon.com and youtube.com. "This by all means is most likely just the tip of the iceberg," researchers said in a blog post today.

    The world of online ads has only a few major players that are supplying ads to thousands of websites. If an attacker can get one of those major advertisement networks to display an advertisement with a malicious payload just for a few minutes without being detected, then countless machines can be infected by such an attack.

"Kyle and Stan" is so named because the group dubbed hundreds of their subdomains "stan.mxp2099.com" and "kyle.mxp2038.com." Here's what happens when a user visits one of the malicious sites:

    The website automatically starts the download of a unique piece of malware for every user. The file is a bundle of legitimate software, like a media-player, and compiles malware and a unique-to-every-user configuration into the downloaded file. The attackers are purely relying on social engineering techniques, in order to get the user to install the software package. No drive-by exploits are being used thus far. The impressive thing is that we are seeing this technique not only work for Windows, but for Mac operating systems alike.

The malicious kit for Macs includes the legitimate application MPlayerX and the malicious browser hijackers Conduit and VSearch.

Because the malware package is unique to each infected machine, the checksum is different every time, which makes detection very difficult.
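As an added example (not from the article or from Cisco TALOS), here is a small Python detector run over constructed proxy log lines. It keys on the kyle/stan naming scheme quoted above rather than on file hashes, which is the point: the hostname pattern stays constant even though every downloaded bundle has a unique checksum. The regex is generalized from the two example subdomains, and the Squid log format, client IPs and file names are assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Hostname pattern derived from the two examples Cisco TALOS published
# (stan.mxp2099.com, kyle.mxp2038.com). The four-digit width is an assumption;
# the full 700-domain list is not reproduced on the page.
KYLE_STAN_HOST = re.compile(r"^(?:kyle|stan)\.mxp\d{4}\.com$", re.IGNORECASE)

# Constructed sample log in Squid native format:
# time elapsed client code/status bytes method URL ident peer/host mime
SAMPLE_LOG = """\
1410200001.123 120 10.0.0.5 TCP_MISS/200 51234 GET http://www.amazon.com/ - DIRECT/1.2.3.4 text/html
1410200002.456 40 10.0.0.5 TCP_MISS/200 4096 GET http://stan.mxp2099.com/ad.js - DIRECT/5.6.7.8 application/javascript
1410200003.789 900 10.0.0.5 TCP_MISS/200 8392211 GET http://kyle.mxp2038.com/MPlayerX.dmg - DIRECT/5.6.7.8 application/octet-stream
1410200004.000 10 10.0.0.9 TCP_HIT/200 1234 GET http://www.youtube.com/watch?v=abc - NONE/- text/html
1410200005.000 30 10.0.0.9 TCP_MISS/200 777 GET http://notkyle.mxp2038.com/x - DIRECT/5.6.7.8 text/html
"""

def is_kyle_stan_host(host: str) -> bool:
    """True if the hostname matches the campaign's subdomain naming scheme."""
    return bool(KYLE_STAN_HOST.match(host))

def parse_squid_line(line: str) -> Optional[dict]:
    """Pull client, host, URL, size and MIME type out of one Squid log line."""
    fields = line.split()
    if len(fields) < 10:
        return None
    host = urlsplit(fields[6]).hostname or ""
    return {"client": fields[2], "host": host, "url": fields[6],
            "bytes": int(fields[4]), "mime": fields[9]}

def find_kyle_stan_activity(log_text: str) -> list:
    """Flag each request to a campaign host. A binary (octet-stream) fetched
    from such a host is the per-user bundle and is tagged 'download'; any other
    request to the host (the ad creative itself) is tagged 'ad'."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec and is_kyle_stan_host(rec["host"]):
            rec["kind"] = "download" if rec["mime"] == "application/octet-stream" else "ad"
            hits.append(rec)
    return hits

def clients_with_download(log_text: str) -> set:
    """Clients that pulled a binary from a campaign host: triage these first,
    since the bundle's hash is unique per victim and will not be on any blocklist."""
    return {h["client"] for h in find_kyle_stan_activity(log_text) if h["kind"] == "download"}
```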

"All in all," say the researchers, "we are facing a very robust and well-engineered malware delivery network that won't be taken down until the minds behind this are identified."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Dr.T, User Rank: Ninja, 9/9/2014 | 8:57:59 PM
Re: "Kyle & Stan" Malvertising
I agree. Social engineering attacks are becoming very effective and quite impactful. Easy to do too.
Dr.T, User Rank: Ninja, 9/9/2014 | 8:55:55 PM
Re: "Kyle & Stan" Malvertising
I agree. At the same time, the checksum is not really resolving the overall issue. Once a system is infected, detecting it is actually too late.
Dr.T, User Rank: Ninja, 9/9/2014 | 8:53:27 PM
Very sophisticated
Threats are very sophisticated nowadays, and this is the main reason we continue to see attacks on different systems. We need to look at security from a new perspective to go beyond what we are doing now: trying to catch up. We need to design systems and applications with security in mind and detect unrecognized pieces of code in an automated way before it is too late.
Marilyn Cohodas, User Rank: Strategist, 9/9/2014 | 4:51:03 PM
Re: "Kyle & Stan" Malvertising > draconian?
Maybe not draconian, but definitely not realistic since advertising is a huge revenue stream. Unlikely websites will take action without some legislation with some teeth. #notholdingmybreath
noliveira707, User Rank: Apprentice, 9/9/2014 | 7:39:41 AM
Re: "Kyle & Stan" Malvertising
Maybe the variants can be detected through behaviour, which can be unique. The nightmare will occur with the same malware with different checksums and behaviours.
aws0513, User Rank: Ninja, 9/8/2014 | 3:15:15 PM
Re: "Kyle & Stan" Malvertising
I agree, these bad actors are getting quite devious.

My gut feeling is that such activity may end up changing how ISPs and web service providers conduct business. To maintain a good reputation in our ever-growing and connected community, it may become necessary for the web service vendors to conduct full-scope vetting of their advertising and hosting customers before agreeing to provide services. Included with this effort would be strict requirements for change management and content review to ensure that any links provided by the vendor on a site will not take users to unsafe waters now or in the future.

I know this strict control set sounds draconian to some people, but such actions are a common and usually effective response to misuse of an environment, product, or service.
GonzSTL, User Rank: Ninja, 9/8/2014 | 2:32:36 PM
"Kyle & Stan" Malvertising
This is both disturbing and clever; disturbing because it uses well known trusted sites, and clever because it uses social engineering, which is known to be a very effective technique. Adding to that, the uniqueness of each infection certainly confounds existing detection mechanisms, and is OS agnostic. Really, I believe that this particular social engineering approach is the wave of the future. As the online community attracts newer and often younger, less savvy users, the potential for spreading rises dramatically. The key to mitigating this type of attack is security awareness training. I have always maintained that effective training should not only emphasize safe corporate computing practices; they should relate those practices to users' personal activities as well. This provides added value to the training itself, enhancing the users' buy-in to the training. If effective, then users quickly realize that they in turn should disseminate the information to their friends, family, etc. for their own personal protection. This could naturally result in a more educated general public.