
9/8/2014 02:00 PM
Sara Peters

'Kyle & Stan' Parks Malvertising On Amazon, YouTube

Windows and Macs alike are at risk to sophisticated mutating malware.

A malicious advertising (malvertising) network is distributing spyware, adware, and browser hijackers to both Macs and PCs, crafting a unique malware bundle for each machine it infects. The network, dubbed "Kyle and Stan" by Cisco's TALOS Security Research, is 700 domains strong, including the likes of amazon.com and youtube.com. "This by all means is most likely just the tip of the iceberg," researchers said in a blog post today.

    The world of online ads has only a few major players that are supplying ads to thousands of websites. If an attacker can get one of those major advertisement networks to display an advertisement with a malicious payload just for a few minutes without being detected, then countless machines can be infected by such an attack.

"Kyle and Stan" is so named because the group dubbed hundreds of their subdomains "stan.mxp2099.com" and "kyle.mxp2038.com." Here's what happens when a user visits one of the malicious sites:

    The website automatically starts the download of a unique piece of malware for every user. The file is a bundle of legitimate software, like a media-player, and compiles malware and a unique-to-every-user configuration into the downloaded file. The attackers are purely relying on social engineering techniques, in order to get the user to install the software package. No drive-by exploits are being used thus far. The impressive thing is that we are seeing this technique not only work for Windows, but for Mac operating systems alike.

The malicious kit for Macs includes the legitimate application MPlayerX and the malicious browser hijackers Conduit and VSearch.

Because the malware package is unique to each infected machine, the checksum is different every time, which makes detection very difficult.
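The detection problem the article describes can be made concrete. The script below is an added example, not code from the Cisco TALOS write-up or from this article: it builds three constructed "bundles" that share the same legitimate installer and the same hijacker component but carry a different per-user configuration blob, and shows that a whole-file hash learned from one sample catches none of the others, while hashing the bundle's invariant components separately catches all three. The bundle layout (installer, config and payload joined by a fixed delimiter) is an assumption standing in for the real installer format, which the page does not describe.

```python
"""Per-user bundles versus hash-based detection (added example).

Constructed bundle layout: LEGIT_INSTALLER | CONFIG | HIJACKER_PAYLOAD,
joined by SEPARATOR. This is a stand-in, not the real Kyle & Stan format.
"""
import hashlib
import json

# Constructed delimiter, not a real file-format marker.
SEPARATOR = b"\n--BUNDLE-PART--\n"

# Constructed stand-ins for the parts that do NOT change between victims.
LEGIT_INSTALLER = b"LEGIT-MEDIA-PLAYER-INSTALLER-BYTES" * 8
HIJACKER_PAYLOAD = b"BROWSER-HIJACKER-PAYLOAD-BYTES" * 8


def build_bundle(user_id, campaign):
    """Assemble one bundle carrying a unique-to-this-user configuration."""
    config = json.dumps({"uid": user_id, "campaign": campaign}).encode()
    return SEPARATOR.join([LEGIT_INSTALLER, config, HIJACKER_PAYLOAD])


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def split_bundle(bundle):
    """Recover the three components from a bundle built by build_bundle()."""
    return bundle.split(SEPARATOR)


def component_hashes(bundle):
    """One SHA-256 per component, so invariant parts hash identically."""
    return [sha256_hex(part) for part in split_bundle(bundle)]


def matches_file_blocklist(bundle, blocklist):
    """Classic whole-file hash lookup."""
    return sha256_hex(bundle) in blocklist


def matches_component_blocklist(bundle, blocklist):
    """Lookup that succeeds if ANY component's hash is known-bad."""
    return any(h in blocklist for h in component_hashes(bundle))


def demo():
    """Three victims, one known sample: compare the two detection styles."""
    bundles = [build_bundle("user-%03d" % i, "constructed-campaign") for i in range(3)]

    # The defender has analysed only the first sample.
    file_blocklist = {sha256_hex(bundles[0])}
    component_blocklist = {sha256_hex(HIJACKER_PAYLOAD)}

    return {
        "distinct_file_hashes": len({sha256_hex(b) for b in bundles}),
        "caught_by_file_hash": sum(matches_file_blocklist(b, file_blocklist) for b in bundles),
        "caught_by_component_hash": sum(matches_component_blocklist(b, component_blocklist) for b in bundles),
    }


if __name__ == "__main__":
    print(demo())
```

Component-level hashing only helps while some part of the bundle stays byte-identical across samples; once nothing does, the behavioural detection several commenters below ask for is what remains.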

"All in all," say the researchers, "we are facing a very robust and well-engineered malware delivery network that won't be taken down until the minds behind this are identified."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
Comments
Dr.T,
User Rank: Ninja
9/9/2014 | 8:57:59 PM
Re: "Kyle & Stan" Malvertising
I agree. Social engineering attacks are becoming very effective and quite impactful. Easy to do too.
Dr.T,
User Rank: Ninja
9/9/2014 | 8:55:55 PM
Re: "Kyle & Stan" Malvertising
I agree. At the same time, the checksum is not really resolving the overall issue. Once a system is infected, detecting it is actually too late.
Dr.T,
User Rank: Ninja
9/9/2014 | 8:53:27 PM
Very sophisticated
Threats are very sophisticated nowadays, and this is the main reason we continue to see attacks on different systems. We need to look at security from a new perspective to go beyond what we are doing now: trying to catch up. We need to design systems and applications with security in mind and detect unrecognized pieces of code in an automated way before it is too late.
Marilyn Cohodas,
User Rank: Strategist
9/9/2014 | 4:51:03 PM
Re: "Kyle & Stan" Malvertising> draconian?
Maybe not draconian, but definitely not realistic since advertising is a huge revenue stream. Unlikely websites will take action without some legislation with some teeth. #notholdingmybreath
noliveira707,
User Rank: Apprentice
9/9/2014 | 7:39:41 AM
Re: "Kyle & Stan" Malvertising
Maybe the variants can be detected through behaviour, which can be unique. The nightmare will occur with the same malware with different checksums and behaviours.
aws0513,
User Rank: Ninja
9/8/2014 | 3:15:15 PM
Re: "Kyle & Stan" Malvertising
I agree, these bad actors are getting quite devious.

My gut feeling is that such activity may end up changing how ISPs and web service providers conduct business. To maintain a good reputation in our ever-growing and connected community, it may become necessary for the web service vendors to conduct full-scope vetting of their advertising and hosting customers before agreeing to provide services. Included with this effort would be strict requirements for change management and content review to ensure that any links provided by the vendor on a site will not take users to unsafe waters now or in the future.

I know this strict control set sounds draconian to some people, but such actions are a common and usually effective response to misuse of an environment, product, or service.
GonzSTL,
User Rank: Ninja
9/8/2014 | 2:32:36 PM
"Kyle & Stan" Malvertising
This is both disturbing and clever; disturbing because it uses well-known trusted sites, and clever because it uses social engineering, which is known to be a very effective technique. Adding to that, the uniqueness of each infection certainly confounds existing detection mechanisms, and it is OS agnostic. Really, I believe that this particular social engineering approach is the wave of the future. As the online community attracts newer and often younger, less savvy users, the potential for spreading rises dramatically. The key to mitigating this type of attack is security awareness training. I have always maintained that effective training should not only emphasize safe corporate computing practices; it should also relate those practices to users' personal activities. This provides added value to the training itself, enhancing the users' buy-in to the training. If effective, then users quickly realize that they in turn should disseminate the information to their friends, family, etc. for their own personal protection. This could naturally result in a more educated general public.