Attacks/Breaches

9/8/2014
02:00 PM
Sara Peters
'Kyle & Stan' Parks Malvertising On Amazon, YouTube

Windows and Macs alike are at risk to sophisticated mutating malware.

A malicious advertising (malvertising) network is distributing spyware, adware, and browser hijackers to both Macs and PCs, crafting a unique malware bundle for each machine it infects. The network, dubbed "Kyle and Stan" by Cisco's TALOS Security Research, is 700 domains strong, including the likes of amazon.com and youtube.com. "This by all means is most likely just the tip of the iceberg," researchers said in a blog post today.

    The world of online ads has only a few major players that are supplying ads to thousands of websites. If an attacker can get one of those major advertisement networks to display an advertisement with a malicious payload just for a few minutes without being detected, then countless machines can be infected by such an attack.

"Kyle and Stan" is so named because the group dubbed hundreds of their subdomains "stan.mxp2099.com" and "kyle.mxp2038.com." Here's what happens when a user visits one of the malicious sites:

    The website automatically starts the download of a unique piece of malware for every user. The file is a bundle of legitimate software, like a media-player, and compiles malware and a unique-to-every-user configuration into the downloaded file. The attackers are purely relying on social engineering techniques, in order to get the user to install the software package. No drive-by exploits are being used thus far. The impressive thing is that we are seeing this technique not only work for Windows, but for Mac operating systems alike.

The malicious kit for Macs includes the legitimate application MPlayerX and the malicious browser hijackers Conduit and VSearch.

Because the malware package is unique to each infected machine, the checksum is different every time, which makes detection very difficult.
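As an added illustration of the detection problem just described (example code, not taken from the Cisco write-up or this article): a constructed bundle layout, assumed here, in which a per-victim configuration block precedes a body that is identical across victims. Hashing the whole file yields a different indicator for every download, while hashing only the invariant component collapses them to one.

```python
import hashlib
import struct

# Constructed stand-in for the part of a bundle that does not change
# between victims (a real bundle would carry a legitimate installer plus
# the hijacker components; these bytes are made up for the example).
STABLE_BODY = b"LEGIT-MEDIA-PLAYER-STUB" * 64 + b"BROWSER-HIJACKER-STUB" * 32
MAGIC = b"KSB1"  # hypothetical container magic, not a real file format

def build_bundle(victim_id: str, key: bytes) -> bytes:
    """Assemble a per-victim bundle: MAGIC | u32 config length | config | body.
    The config block is unique to each download, so every file differs."""
    config = b"victim=%s;key=%s" % (victim_id.encode(), key.hex().encode())
    return MAGIC + struct.pack("<I", len(config)) + config + STABLE_BODY

def whole_file_sha256(blob: bytes) -> str:
    """What a checksum-based scanner compares: differs for every victim."""
    return hashlib.sha256(blob).hexdigest()

def stable_section_sha256(blob: bytes) -> str:
    """Hash only the invariant body, skipping the per-victim config block."""
    if not blob.startswith(MAGIC) or len(blob) < 8:
        raise ValueError("not a KSB1 bundle")
    (config_len,) = struct.unpack("<I", blob[4:8])
    return hashlib.sha256(blob[8 + config_len:]).hexdigest()

def count_distinct_indicators(bundles):
    """Return (distinct whole-file hashes, distinct stable-section hashes)."""
    whole = {whole_file_sha256(b) for b in bundles}
    stable = {stable_section_sha256(b) for b in bundles}
    return len(whole), len(stable)

def matches_known_bad(blob: bytes, known_bad_section_hashes) -> bool:
    """Detection keyed on the invariant component rather than the whole file."""
    return stable_section_sha256(blob) in known_bad_section_hashes

if __name__ == "__main__":
    samples = [build_bundle("user%d" % i, bytes([i]) * 16) for i in range(5)]
    print(count_distinct_indicators(samples))  # (5, 1)
    bad = {stable_section_sha256(samples[0])}
    print(all(matches_known_bad(s, bad) for s in samples))  # True
```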

"All in all," say the researchers, "we are facing a very robust and well-engineered malware delivery network that won't be taken down until the minds behind this are identified."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Dr.T, User Rank: Ninja
9/9/2014 | 8:57:59 PM
Re: "Kyle & Stan" Malvertising
I agree. Social engineering attacks are becoming very effective and quite impactful. Easy to do too.
Dr.T, User Rank: Ninja
9/9/2014 | 8:55:55 PM
Re: "Kyle & Stan" Malvertising
I agree. At the same time, the checksum is not really resolving the overall issue. Once a system is infected, detecting it is actually too late.
Dr.T, User Rank: Ninja
9/9/2014 | 8:53:27 PM
Very sophisticated
Threats are very sophisticated anymore, and this is the main reason we continue to see attacks on different systems. We need to look at security from a new perspective to go beyond what we are doing now: trying to catch up. We need to design systems and applications with security in mind and detect unrecognized pieces of code in an automated way before it is too late.
Marilyn Cohodas, User Rank: Strategist
9/9/2014 | 4:51:03 PM
Re: "Kyle & Stan" Malvertising> draconian?
Maybe not draconian, but definitely not realistic since advertising is a huge revenue stream. Unlikely websites will take action without some legislation with some teeth. #notholdingmybreath
noliveira707, User Rank: Apprentice
9/9/2014 | 7:39:41 AM
Re: "Kyle & Stan" Malvertising
Maybe the variants can be detected through behaviour, which can be unique. The nightmare will occur with the same malware with different checksums and behaviours.
aws0513, User Rank: Ninja
9/8/2014 | 3:15:15 PM
Re: "Kyle & Stan" Malvertising
I agree, these bad actors are getting quite devious.

My gut feeling is that such activity may end up changing how ISPs and web service providers conduct business. To maintain a good reputation in our ever-growing and connected community, it may become necessary for the web service vendors to conduct full-scope vetting of their advertising and hosting customers before agreeing to provide services. Included with this effort would be strict requirements for change management and content review to ensure that any links provided by the vendor on a site will not take users to unsafe waters now or in the future.

I know this strict control set sounds draconian to some people, but such actions are a common and usually effective response to misuse of an environment, product, or service.
GonzSTL, User Rank: Ninja
9/8/2014 | 2:32:36 PM
"Kyle & Stan" Malvertising
This is both disturbing and clever; disturbing because it uses well-known trusted sites, and clever because it uses social engineering, which is known to be a very effective technique. Adding to that, the uniqueness of each infection certainly confounds existing detection mechanisms, and it is OS agnostic. Really, I believe that this particular social engineering approach is the wave of the future. As the online community attracts newer and often younger, less savvy users, the potential for spreading rises dramatically. The key to mitigating this type of attack is security awareness training. I have always maintained that effective training should not only emphasize safe corporate computing practices; it should relate those practices to users' personal activities as well. This provides added value to the training itself, enhancing the users' buy-in to the training. If effective, then users quickly realize that they in turn should disseminate the information to their friends, family, etc. for their own personal protection. This could naturally result in a more educated general public.