
Attacks/Breaches
9/8/2014 02:00 PM
Sara Peters
Quick Hits

'Kyle & Stan' Parks Malvertising On Amazon, YouTube

Windows and Macs alike are at risk to sophisticated mutating malware.

A malicious advertising (malvertising) network is distributing spyware, adware, and browser hijackers to both Macs and PCs, crafting a unique malware bundle for each machine it infects. The network, dubbed "Kyle and Stan" by Cisco's TALOS Security Research, is 700 domains strong, including the likes of amazon.com and youtube.com. "This by all means is most likely just the tip of the iceberg," researchers said in a blog post today.

    The world of online ads has only a few major players that are supplying ads to thousands of websites. If an attacker can get one of those major advertisement networks to display an advertisement with a malicious payload just for a few minutes without being detected, then countless machines can be infected by such an attack.

"Kyle and Stan" is so named because the group dubbed hundreds of their subdomains "stan.mxp2099.com" and "kyle.mxp2038.com." Here's what happens when a user visits one of the malicious sites:

    The website automatically starts the download of a unique piece of malware for every user. The file is a bundle of legitimate software, like a media-player, and compiles malware and a unique-to-every-user configuration into the downloaded file. The attackers are purely relying on social engineering techniques, in order to get the user to install the software package. No drive-by exploits are being used thus far. The impressive thing is that we are seeing this technique not only work for Windows, but for Mac operating systems alike.

The malicious kit for Macs includes the legitimate application MPlayerX and the malicious browser hijackers Conduit and VSearch.

Because the malware package is unique to each infected machine, the checksum is different every time, which makes detection very difficult.
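To make the checksum point concrete, here is an added Python example (constructed for this page, not Cisco TALOS's or Dark Reading's code): it models the bundle as installer + hijacker component + per-download configuration, shows that a whole-file hash blocklist built from one download misses the next, and shows that hashing the invariant component still catches it. The length-prefixed container format and the byte strings are assumptions standing in for a real installer.

```python
"""Constructed model of a per-victim malware bundle and two detection checks."""
import hashlib
import os
import struct

# Constructed stand-ins for the two parts that do not change between downloads.
LEGIT_INSTALLER = b"MZ\x90\x00 constructed stand-in for a media-player installer"
HIJACKER_STUB = b"constructed stand-in for a browser-hijacker component"


def pack_sections(sections):
    """Assumed container: each section is a 4-byte big-endian length + bytes."""
    return b"".join(struct.pack(">I", len(s)) + s for s in sections)


def unpack_sections(blob):
    """Inverse of pack_sections; a truncated final section is returned as-is."""
    out, pos = [], 0
    while pos + 4 <= len(blob):
        (n,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        out.append(blob[pos:pos + n])
        pos += n
    return out


def build_bundle(user_id):
    """Legitimate software + malware + a configuration unique to this download."""
    config = f"user={user_id};nonce={os.urandom(8).hex()}".encode()
    return pack_sections([LEGIT_INSTALLER, HIJACKER_STUB, config])


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def whole_file_match(bundle, blocklist):
    """Whole-file hash lookup: defeated because every download hashes differently."""
    return sha256(bundle) in blocklist


def component_match(bundle, bad_component_hashes):
    """Hash each embedded section; the hijacker component is constant across downloads."""
    return any(sha256(s) in bad_component_hashes for s in unpack_sections(bundle))


def demo():
    first = build_bundle("victim-1")
    blocklist = {sha256(first)}                      # built from the first sample
    bad_components = {sha256(HIJACKER_STUB)}         # built from the same sample
    second = build_bundle("victim-2")
    return {
        "whole_file_catches_second": whole_file_match(second, blocklist),
        "component_catches_second": component_match(second, bad_components),
        "clean_installer_flagged": component_match(pack_sections([LEGIT_INSTALLER]), bad_components),
    }
```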

"All in all," say the researchers, "we are facing a very robust and well-engineered malware delivery network that won't be taken down until the minds behind this are identified."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Dr.T (User Rank: Ninja), 9/9/2014 | 8:57:59 PM
Re: "Kyle & Stan" Malvertising
I agree. Social engineering attacks are becoming very effective and quite impactful. Easy to do too.
Dr.T (User Rank: Ninja), 9/9/2014 | 8:55:55 PM
Re: "Kyle & Stan" Malvertising
I agree. At the same time, the checksum is not really resolving the overall issue. Once a system is infected, detecting it is actually too late.
Dr.T (User Rank: Ninja), 9/9/2014 | 8:53:27 PM
Very sophisticated
Threats are very sophisticated anymore, and this is the main reason we continue to see attacks on different systems. We need to look at security from a new perspective to go beyond what we are doing now: trying to catch up. We need to design systems and applications with security in mind and detect unrecognized pieces of code in an automated way before it is too late.
Marilyn Cohodas (User Rank: Strategist), 9/9/2014 | 4:51:03 PM
Re: "Kyle & Stan" Malvertising > draconian?
Maybe not draconian, but definitely not realistic since advertising is a huge revenue stream. Unlikely websites will take action without some legislation with some teeth. #notholdingmybreath
noliveira707 (User Rank: Apprentice), 9/9/2014 | 7:39:41 AM
Re: "Kyle & Stan" Malvertising
Maybe the variants can be detected through behaviour, which can be unique. The nightmare will occur with the same malware with different checksums and behaviours.
aws0513 (User Rank: Ninja), 9/8/2014 | 3:15:15 PM
Re: "Kyle & Stan" Malvertising
I agree, these bad actors are getting quite devious.

My gut feeling is that such activity may end up changing how ISPs and web service providers conduct business. To maintain a good reputation in our ever-growing and connected community, it may become necessary for web service vendors to conduct full-scope vetting of their advertising and hosting customers before agreeing to provide services. Included with this effort would be strict requirements for change management and content review to ensure that any links provided by the vendor on a site will not take users to unsafe waters now or in the future.

I know this strict control set sounds draconian to some people, but such actions are a common and usually effective response to misuse of an environment, product, or service.
GonzSTL (User Rank: Ninja), 9/8/2014 | 2:32:36 PM
"Kyle & Stan" Malvertising
This is both disturbing and clever; disturbing because it uses well-known trusted sites, and clever because it uses social engineering, which is known to be a very effective technique. Adding to that, the uniqueness of each infection certainly confounds existing detection mechanisms, and it is OS agnostic. Really, I believe that this particular social engineering approach is the wave of the future. As the online community attracts newer and often younger, less savvy users, the potential for spreading rises dramatically. The key to mitigating this type of attack is security awareness training. I have always maintained that effective training should not only emphasize safe corporate computing practices; it should relate those practices to users' personal activities as well. This provides added value to the training itself, enhancing the users' buy-in to the training. If effective, then users quickly realize that they in turn should disseminate the information to their friends, family, etc. for their own personal protection. This could naturally result in a more educated general public.