Publishers are, rightfully, worried about malvertising. They work hard to build up their brand, and a single malicious ad can destroy it in one fell swoop. When their users are infected, the user experience and the association with the brand become tainted, and the revenue lost as a result is hard to recoup.
Malicious code today takes many forms and can hide in many places. Traditional threats such as classic viruses and worms are still circulating, and in large numbers, but their share of the total has declined. Today's weapon of choice for attackers is the Trojan. This class of malware covers a wide array of programs, each tailored to a specific purpose: backdoor Trojans, Trojan downloaders, password-stealing (PWS) Trojans, Trojan droppers and Trojan proxies. There is also a growing number of potentially unwanted non-viral programs.
In my previous post, The Secrets to Malware Detection in Online Advertising Part I, I discussed the places malware can hide in order to infect a user, with the assurance that security experts work day and night (and build systems) to detect and block malvertising campaigns. In this post I discuss the techniques and methods professionals use to identify and isolate these insidious codes. A security team cannot build a system to track malicious code and then leave it to run forever, because new malware is created all the time. Malvertising is on the rise in volume, ingenuity and sophistication.
Talk techniques to me
Detecting malvertising requires expertise, and a keen eye that can review reams of data. The expert needs to strike a balance that gives maximum detection speed at minimum memory usage. Malware researchers rely on a few main methods:
Signature based – This was one of the first methods used to detect malware, and it remains in use. The researcher scans feeds of suspicious files (received from a particular company or a third-party source) for particular sequences of code or data, known as "signatures". A signature match on a file is a red flag, and the file is marked as suspicious. The catch is that a signature can only catch what has already been seen and written down.
Checksumming – A modification of signature analysis based on calculating CRC (Cyclic Redundancy Check) checksums over a file, or over a region of it. It was developed to compensate for the main disadvantages of plain signature scanning: the signature database grows incredibly large, and short signatures produce frequent false alarms. Storing a checksum of a known-bad region instead of the bytes themselves keeps the database small and makes an accidental match unlikely, at the cost that any change to the checked bytes, however cosmetic, defeats the match.
To evade these tactics, attackers often make their malicious ad campaigns polymorphic, which makes them far harder to detect. In a polymorphic virus the "body" changes on every replication, so there is no constant search string to look for. However quickly a security team extracts a signature, this kind of malware offers no constant fragment of virus-specific code to find. (Typically, polymorphism is achieved by encrypting the main body of the virus under a key that changes each time and prepending a decryptor built from a randomly chosen set of instructions, or by otherwise rewriting the executable virus code.) Since variable code has no fixed signature, other techniques are needed to detect it.
Reduced masks – Using elements of the encrypted body, the researcher factors the encryption key out of the equation to obtain the static code underneath. The signature, or mask, is then visible in that static code.
Known plaintext cryptanalysis – This method solves a system of equations to decode the encrypted virus body, much as in the classical cryptographic problem of recovering a key from a fragment of plaintext that is already known (with a few differences). The system reconstructs the key and the algorithm of the decryptor, then decodes the encrypted body by applying that algorithm to the encoded fragment.
Statistical analysis – The system measures the frequency of the processor instructions used and decides from that profile whether the file is infected or not.
Heuristics – The researcher scans reams of data for suspicious activity and behavior: for example, a piece of code served to a thousand people in the space of five minutes. The researcher notes this and inspects further.
Once the anti-malvertising expert has identified code deemed suspicious, there are a couple of ways to confirm the suspicion. First, there are hubs of information where major security companies list the malicious code they have detected. This library is a powerful resource for every security expert. Researchers can run lookups against these lists; if the code is already in the system, the suspicion is confirmed.
If the code is not listed in the main hub, the researcher turns to a technique called "emulation": executing the file in a virtual environment. The emulator mimics not only processor opcodes (operation codes) but also operating system calls, so the code behaves as it would on a victim's machine while the researcher observes whether it is indeed malicious.
Note that when an emulator is used, the effect of every command must be kept under control at all times: the researcher has to observe the program's intent without ever letting it carry out a malicious action.
In practice the researcher wants to detect the malicious code as efficiently as possible, which boils down to whichever method can be implemented with maximum speed and minimum memory usage.
How to Protect Yourself from Malvertising
Understandably, given the prolific amount of malvertising in the industry, one could think that fighting black hat programmers is like pushing back the rising tide with your bare hands. However, GeoEdge uses a multi-pronged approach combining all of the above techniques, and is open to collaboration, joining forces and sharing data with others so that there is more code to check against for a signature or suspicious behavior. All of this helps stanch much of the flow.
Using ad security and verification services with security teams dedicated to uncovering new and sophisticated malicious activity is what holds the key to safe sites and a safe browsing experience for users. Hackers are doing their best to infect users, but they are meeting their match. GeoEdge uses internal and external resources to detect malware-laden ads. In addition to a dedicated security team that constantly monitors and scans the environment, GeoEdge has developed its own metaEngine, which is agile enough to detect malware that has not yet been identified elsewhere.
For more information on how GeoEdge can protect you and your users from malvertising attacks, click here.