Rogue 'ad network' site likely infected thousands of users, still operational

Beware of what you click on.

An incredibly complex malware virus masquerading as a legitimate ad network and traced to Australia has infected thousands of computers by directing people clicking on the sites to malicious ones. Once you click on the sites, the malware, sequestered in a Flash or Adobe Reader file, then encrypts all the files on your machine.

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":1498456,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,","session":"A"}']

“The only way to decrypt your files is to pay a ransom. When you pay it, you’re given a key that decrypts your files. Usually the ransom is $500, which you pay with Bitcoins. It’s pretty nasty,” said Malwarebytes lead researcher Jerome Segura, who spent weeks unlocking the scam.

The scam is unusual. Cyber criminals using ad network websites are relatively rare and just starting to come onto the radar of security researchers, Segura said.

Segura, a noted cyber expert, said the fraudulent website in question is www.australianadserver.com. While traced to Australia, the URL is hidden behind Cloudflare, which makes tracking it through ISPs nearly impossible. The ads have also appeared on www.123greetings.com and www.beeg.com, a popular porn site.

The researcher suspects the site australianadserver.com is being run by cyber criminals somewhere in Russia. The thugs approach legitimate highly trafficked sites and offer to display their ads, but according to Malwarebytes, the real thrust is to get malware onto your machine.

Studying some of the ads on the suspect sites, Segura found that victims were sent to a webpage that hosted an “exploit kit known as RIG EK, which exploits Flash while simultaneously installing a Trojan Horse.”

Segura and his team found the site while running a “honeypot” operation, where researchers regularly browse sites running on old Flash and Javascript. By studying them, the team often finds sites that have either been compromised by a virus or are the culprits spreading it. The scam was discovered a month ago.

At first, Segura thought australianadserver.com had been a victim itself. He reached out via email to system administrators there, who replied they had been affected by the Open SSL ‘Heartbleed’ virus that was discovered in April. Segura noticed their first language wasn’t English and said he initially believed their response.

But he soon discovered the domain hidden behind Cloudflare, which masks IP addresses and makes them hard to trace.

[aditude-amp id="medium1" targeting='{"env":"staging","page_type":"article","post_id":1498456,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,","session":"A"}']

“The site was using text that had been cut and pasted from Wikipedia. I went back and this time around started to dig deeper. I studied the Flash advertisements. It was very strange,” Segura said.

Segura’s blogpost on the virus goes live Friday. You can read it here.

According to Malwarebytes, there are certain strings and functions in Flash that can be potentially dangerous. These include Loader, Externallnterface, NavigatetoURL, currentDomain, and loadBytes. Segura said that Flash ads are “actually applications which can perform certain undesired actions.”

“One of them is redirecting the browser to a potentially harmful site.”

[aditude-amp id="medium2" targeting='{"env":"staging","page_type":"article","post_id":1498456,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,","session":"A"}']

Shielding yourself from this scam is relatively straightforward, Segura noted. Disabling Flash or tools like NoScript is advisable. A downside is that disabling both can impede your browsing experience. And, of course, Segura would recommend installing the latest version of Malwarebytes.

You’ve been warned.