Nearly 1 million Windows devices targeted in advanced “malvertising” spree

leonwid

Ars Tribunus Militum
1,744
Subscriptor++
I thought for a second this was about the Windows built-in ad platform that helpfully suggests Microsoft products you can buy.

I can’t remember ever giving permission for that, so to me that’s malware (even if it does not steal my credentials, I guess I have to wait for Recall to enjoy that too).
 
Upvote
12 (31 / -19)

mikew03

Seniorius Lurkius
25
Subscriptor++
When we have articles like this please provide information on how the malware was installed so we know if it's a problem. For instance if it exploits an unpatched vulnerability in "X" say that. If it requires the user to click ok to execute something with admin permission that is important to know. Does Windows Defender detect and block it? All of that would be tremendously useful as we struggle to deal with so many potential infections.
 
Upvote
160 (162 / -2)

Kenjitsuka

Ars Scholae Palatinae
1,196
The campaign targeted “nearly” 1 million devices [...], meaning it attempted to ensnare anyone, rather than targeting certain individuals, organizations, or industries

The campaign DID NOT target anyone, as you yourself write in the same paragraph! Surely you know that "infected" does not equal "targeted"?!
 
Upvote
-10 (15 / -25)

ExhaustedTechConsumer

Smack-Fu Master, in training
60
As usual with one of these articles, so many questions. How is the payload executed? By normal browser scripting? If so, why does the browser have permission to do the bad stuff?

If the ads were hosted by dodgy sites, could they also be hosted by reputable sites serving up malicious ads on a legit ad platform? Could you see one of these ads even if you weren't just looking for pirated movie streams?

I realise that asking these questions probably disqualifies me from even running a browser, but I would guess I'm with 99.99% of users if that's the case.
 
Upvote
88 (88 / 0)

Fatesrider

Ars Legatus Legionis
24,977
Subscriptor
I block all ads on my devices and have been for years. I also don't use MS either since it's a virus magnet.
I've blocked ads since forever, and use ClamAV (with the GUI addition, since I hate the CLI).

I'm getting my family on SteamOS this year once Win10 support goes bye-bye. I don't think any of my family wants Microsoft to have their payment information, and SteamOS is free. It should serve their needs well.

And I'll be adding uBlock to their systems since, god knows, they probably need it but refuse to have it because "reasons".

The kind of behavior this story highlights makes me wonder how viable advertising will remain for generating revenue, should this kind of behavior increase. It would be counterproductive for most places to ban ads, but this kind of behavior could increase the use of ad-blockers by quite a lot.

Undermining the financial foundation of the Internet isn't a bright move, but then, the people doing this are obviously indifferent to the consequences of what they're doing.
 
Upvote
29 (32 / -3)

GFKBill

Ars Tribunus Militum
2,864
Subscriptor
I'm not sure that article has quite captured what's actually happening initially. From the linked paper:

"The streaming websites embedded malvertising redirectors within movie frames to generate pay-per-view or pay-per-click revenue from malvertising platforms. These redirectors subsequently routed traffic through one or two additional malicious redirectors, ultimately leading to another website, such as a malware or tech support scam website, which then redirected to GitHub."

Bold to highlight - it sounds like these weren't ads, they were embedded in the actual streamed movie. Just watching would have been enough. Possibly an ad blocker would have caught the redirects.

It's not even clear from the paper how, once a victim was redirected to Github, the malicious download occurred. So not surprised Dan wasn't able to tell us in an article.
 
Upvote
59 (60 / -1)

Golgo1

Ars Praefectus
5,046
Subscriptor
I'm not sure that article has quite captured what's actually happening initially. From the linked paper:

"The streaming websites embedded malvertising redirectors within movie frames to generate pay-per-view or pay-per-click revenue from malvertising platforms. These redirectors subsequently routed traffic through one or two additional malicious redirectors, ultimately leading to another website, such as a malware or tech support scam website, which then redirected to GitHub."

Bold to highlight - it sounds like these weren't ads, they were embedded in the actual streamed movie. Just watching would have been enough. Possibly an ad blocker would have caught the redirects.

It's not even clear from the paper how, once a victim was redirected to Github, the malicious download occurred. So not surprised Dan wasn't able to tell us in an article.
I got the impression that it was still ads, just that the ads were embedded in the movie. Like when channels you pay for on Amazon Video inject commercials into shows.
But yeah, I don't know if it was explicitly spelled out anywhere.

I'm also curious about "redirects user to github repo"
Does that mean it silently directs some traffic to the repo, to get the payload to continue the attack?
Or does it actually mean the USER was taken to a repo page on github? Which I would assume means the user then had to actively download (and probably execute) a mystery package from an unsolicited repository.

If that's the case.... a MILLION users? I hesitate to victim-blame, but my sympathy level is about the same as when crypto bros encounter the rug-pull stage
 
Upvote
17 (17 / 0)

bcaltera

Smack-Fu Master, in training
53
As usual with one of these articles people are too fucking lazy to click and read the provided source material.
As usual with one of these articles, people expect an easy to parse summary of what to look out for, what damages it causes, and how to protect themselves. Because not all of us are tech-savvy in the same ways or tech-savvy enough to go through and understand the blog post, and the amount of technical detail in it, while fascinating, doesn't make parsing it any easier for the casual reader. Said casual reader might, for example, jump to the end of the Microsoft post as instructed due to curiosity over proposed mitigations, get smacked in the face with a ginormous list of lists about files, urls, checksums, etc, and have a little "oh snap" moment, as a treat.

Searching for "Microsoft recommends the following mitigations to reduce the impact of this threat." in the blog post would prevent that, by the way. For whomever that might concern.
 
Upvote
78 (78 / 0)

Troz 1

Smack-Fu Master, in training
53
As usual with one of these articles, which is published on a technology site, casual people that want to be spoon fed the dumbed down version should receive their news elsewhere.
One of the attractions of a technology site is the knowledgeable readership, and the amount one can learn from those courteous enough to share their knowledge. Of course that means you have to put up with the “u more dumb than me” types.
 
Upvote
56 (56 / 0)

RandomReader_Delta_X

Smack-Fu Master, in training
44
Skimming through the Microsoft post seriously makes me question why browsers have such far-reaching functionality that allows all of this to happen. People watch a movie on an illegal streaming website that's running infected advertisements and end up in a chain linking system that's downloading and running system altering scripts and executables capable of reconfiguring the security settings of your OS.

Trying to turn browsers into an OS capable of running desktop software and highly programmatic languages feels so wrong to me. It's part of what's enabling all of this.

Edit: didn't notice a spelling mistake.
 
Upvote
38 (39 / -1)
What's the delivery/injection method? Exploit, or trickery?
Microsoft shows that it is simply javascript code referenced in the iframe within the iframe of the video player.
The javascript then downloads and executes powershell or autoit scripts which install the malware (itself autoit scripts or execs) with a screensaver or executable extension.

What I don't get is whether browsers wouldn't warn users multiple times before executing all this downloaded content - from a user's perspective did the user click through all of the warnings?
 
Upvote
37 (37 / 0)
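The chain this reply describes (a script referenced from an iframe nested inside the video player's iframe, with the script hosted on a public code host) can be modelled offline for detection purposes. The following is an added example, not code from the original thread or from Microsoft's report. It walks a small constructed corpus of documents standing in for fetched pages (every hostname, URL and repository path in it is a placeholder), follows iframe src attributes hop by hop, records every external script source together with the frame chain that led to it, and flags cross-origin scripts on public code-hosting domains reached two or more frames deep. The list of code-hosting domains is an assumption made for the example.

```python
"""
Walk an iframe chain and flag cross-origin scripts served from public code
hosts. Added example with a constructed, offline corpus; not the thread's or
Microsoft's code. All hostnames, URLs and paths below are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed corpus standing in for documents a crawler would fetch.
CORPUS = {
    "https://stream.example/watch?id=1":
        '<html><body><video></video>'
        '<iframe src="https://player.example/embed"></iframe></body></html>',
    "https://player.example/embed":
        '<html><body><iframe src="https://redir-one.example/r"></iframe></body></html>',
    "https://redir-one.example/r":
        '<html><head><script src="https://raw.githubusercontent.com/'
        'placeholder-org/placeholder-repo/main/loader.js"></script></head></html>',
}

# Assumption for this example: hosts where anyone can publish files for free.
PUBLIC_CODE_HOSTS = {
    "github.com", "raw.githubusercontent.com",
    "gist.github.com", "objects.githubusercontent.com",
}


class SrcCollector(HTMLParser):
    """Collect iframe and script src attributes from a single document."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if not src:
            return
        if tag == "iframe":
            self.iframes.append(src)
        elif tag == "script":
            self.scripts.append(src)


def fetch(url):
    """Offline stand-in for an HTTP fetch: look the URL up in the corpus."""
    return CORPUS.get(url, "")


def walk_frames(start_url, fetch=fetch, max_depth=5):
    """Follow iframe srcs from start_url; return one finding per script src."""
    findings = []
    seen = set()  # guards against redirector loops

    def visit(url, depth, chain):
        if depth > max_depth or url in seen:
            return
        seen.add(url)
        parser = SrcCollector()
        parser.feed(fetch(url))
        page_host = urlparse(url).hostname
        for s in parser.scripts:
            abs_src = urljoin(url, s)
            host = urlparse(abs_src).hostname or ""
            findings.append({
                "depth": depth,                 # number of iframe hops from the start page
                "chain": chain + [url],         # documents traversed to reach this script
                "script": abs_src,
                "host": host,
                "cross_origin": host != page_host,
                "public_code_host": host in PUBLIC_CODE_HOSTS,
            })
        for f in parser.iframes:
            visit(urljoin(url, f), depth + 1, chain + [url])

    visit(start_url, 0, [])
    return findings


def suspicious(findings, min_depth=2):
    """Cross-origin scripts on a public code host, reached deep in the chain."""
    return [f for f in findings
            if f["depth"] >= min_depth and f["cross_origin"] and f["public_code_host"]]


if __name__ == "__main__":
    for f in suspicious(walk_frames("https://stream.example/watch?id=1")):
        print(f["depth"], " -> ".join(f["chain"]), "=>", f["script"])
```

In a real crawler `fetch` would be replaced by an HTTP client run inside an isolated analysis environment; the walker itself only needs the document text. Depth is what separates an ordinary embedded player (one hop, scripts on the player's own origin) from the redirector chain the reply describes.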
...

I'm also curious about "redirects user to github repo"
Does that mean it silently directs some traffic to the repo, to get the payload to continue the attack?
Or does it actually mean the USER was taken to a repo page on github? Which I would assume means the user then had to actively download (and probably execute) a mystery package from an unsolicited repository.

If that's the case.... a MILLION users? I hesitate to victim-blame, but my sympathy level is about the same as when crypto bros encounter the ...

The Microsoft article shows it is just an iframe src link to JavaScript files. Github was just one of the places to host the javascript files, other free public hosting sites work as well.
But yeah, I thought the same thing, the user would have to go through multiple warnings. Plus newer browsers might not even allow these to execute, so perhaps it could be one of those apps with embedded browsers?
 
Upvote
12 (12 / 0)

Quixotic999

Smack-Fu Master, in training
70
See a time when the Internet has a permanent health warning on it. Use at your peril. What kind of people are software engineers? No scruples? Too much time on their hands? All want to outdo each other and show how clever they are? Perhaps in truth probably not software engineers and just people who can write code. Coding is easy as they say.
 
Upvote
6 (6 / 0)

LexaGrey

Wise, Aged Ars Veteran
118
Subscriptor++
Firefox seems called out in the article as something the malware authors were looking for. Is that the vector? Or are Firefox cookies just not encrypted so it was easy to spoof auth for logged in sites? Or just Microsoft trolling?

As redirects were mentioned heavily I would guess some were dropping random installers? Are ad networks complicit in being in chains of browser exploits? I would think a legit ad network would verify the referrer to make sure the link is direct and from an authorized source. Perhaps a fix is to make ad networks/sites liable if they allow such chains. It should not be too much extra work for a site to verify the link they were fed by their ad network is not full of redirects.

Browsers used to include pop-up blockers. Whatever happened to that? I can’t think of a single instance a site opened a new tab or window I wasn’t expecting it to just re-use the current tab and in these days of mobile having multiple windows for a single site are uncommon. My wishlist is if it wants a new window or redirect more than once it needs to ask permission (my healthcare/internet/utility provider sites are especially egregious on redirects. I’d like it if browsers just told them that redirecting 10 times to auth a login just makes them feel like they are selling my login info to ad networks. Why isn’t it all handled transparently on the backend?).

Letting websites run unsigned code seems problematic in general. I think that web GPU code, compiling JavaScript, and general filesystem/network access should be heavily sandboxed/code signed/enabled per day/URL even if there are battery life hits to prevent abuse.
 
Upvote
5 (5 / 0)

lithven

Ars Tribunus Militum
2,186
I realize one of the ideas of the web has been to link to other information but I think we're past the point that any web browser should allow third party content. I know that would kill the web advertising market, I know it could lead to security bugs festering (i.e. self hosting node.js for example and never updating it), but the idea that you can in theory go to a legitimate site, get some sort of malware (or even be exposed to content that you don't want to see: nudity, crypto, certain political campaigns, etc.) and the site owner can legitimately say they have no or even just limited control over it is a bit asinine.

I think it's time website owners should be held morally, and probably legally, responsible for any content "they" publish, which includes any ads they choose to run. I am not talking user content under Section 230 since that is fundamentally uncontrollable but the ads you choose to run are your responsibility. I don't see, "It's just what is on the ad network" as a legitimate excuse. Google and the other ad networks should be held responsible too but the site owner must as well since they are choosing to contract with such entities just like other markets. GM didn't get to say, "sorry that's LG's problem, nothing I can do about it" when the Bolt battery fires happened and I think we should hold websites to the same standard regarding the ads they choose to run.
 
Upvote
11 (11 / 0)

agpob

Ars Scholae Palatinae
984
One of the attractions of a technology site is the knowledgeable readership, and the amount one can learn from those courteous enough to share their knowledge. Of course that means you have to put up with the “u more dumb than me” types.
I is one who b more dumb, that is why I have read sites like this and "ask woody" for over a decade. They keep me safe from myself. I know enough tech to be dangerous to myself, so I rely on those who understand but also can communicate that to us who b dumber in such a way as to safely navigate the "innerweb" and keep our PC's clean and running fast for 20+ years. Thank you nerd brainiacs. I am grateful. :)
 
Upvote
10 (11 / -1)