Untangling a Major Malvertising Network
[This post is from our internal blog a week ago. It's a big post, and its size kept it from being edited for official release until now. (And also because even malware researchers need to take an occasional vacation...) --C.L.]
As I mentioned in a post last week, there was an interesting malvertising component involved as one of the "prongs" of a large malware attack, and it was worth a post of its own. (Any time a big site like the L.A. Times is involved in a malware campaign, it's newsworthy, and it's not alone -- there are lot of name-brand sites getting victimized by this campaign.)
Among the domains sending traffic to the searcherstypediscksruns.com/.net/.org family of Blackhole sites was a site named adhidclick.com. This site was registered back in December of 2012. And then it sat, for more than eight months, with no traffic in our logs, until 8/22 - 8/23, when it suddenly showed up over 1,400 times.
All of the sites it relayed traffic to were evil. Besides the exploit kit sites mentioned, there were also a bunch of malicious junk subdomains hosted on a DynDNS host (servehttp.com), a handful of links to what I call "survey hell" sites (basically spam/scam networks that use fake surveys or quizzes as bait), and a couple to a porn-malware site, just for variety. (All of which were flagged in real-time by WebPulse, btw...)
So adhidclick.com was clearly a malvertising site. And, it had siblings...
...and so on.
Each of these was registered (anonymously) last year, lay dormant for at least eight months (almost a year, actually, in one case!), popped into life for a couple of days in August, relayed its share of the traffic, and then retired. It's an impressively large (and patient!) malvertising operation. And it's interesting enough that I could stop at this point, and it would make a good blog post. But there's more to the story...
The "funnel" layer of the malvertising network described in Part One is simply rotating through a set of relay sites to send traffic on to the malicious sites that are the tip of the harpoon. But there's so much traffic coming into the funnel that it begs the question, "Where is it all coming from?" Which brings us to this section, where the story gets really interesting.
Tracing the traffic back from the funnel-site level yielded a whole bunch of interesting "ad" "lead" and "media" type domain names. These were also registered many months ago, but left fallow until this summer, when the malvertising campaign really kicked off. These sites can be identified as part of this malware ecosystem because they're the link between various legitimate sites (via their ad providers) and the funnel sites.
There's enough data that I decided to put it in table form:
|Domain||Registration Date||Activity Began||Primary Traffic Source|
|salinmedia.com||2/05/2013||6/10/2013||thebump.com, theknot.com, thenest.com|
|libnmedia.com||11/08/2012||8/06/2013||adnxs.com (many subdomains)|
|iniqstat.com||10/26/2012||8/16/2013||adnxs.com (many subdomains)|
|rimwaserver.com||12/18/2012||2/28/2013||French sites: atlantico.fr, capital.fr, voici.fr, gala.fr ...|
|dlelead.com||9/17/2012||8/22/2013||latimes.com (+ 13 of its subdomains), doubleclick.net|
|gerlead.com||9/17/2012||8/14/2013||thefiscaltimes.com, salon.com, laweekly.com, usnews.com ...|
|(and 9 or 10 more...)|
All of the victimized host sites are large, popular destinations. Please keep in mind that they are not likely to be directly compromised, or even directly hosting the malicious ads -- most likely the ads are ending up there as part of the advertising ecosystem. Malvertising is hard to pin down, for reasons pointed out in this blog post.
To give you an idea of the amount of traffic being generated, dlelead.com saw almost 6,000 hits in less than a week, and gerlead.com had well over 12,000 hits in about two weeks. (The actual traffic volume is much larger, as these numbers came from our "small logs". And this doesn't allow for things like caching within our ecosystem. And this is after the traffic began tailing off dramatically after we flagged these domains as malicious...)
As noted in Part One, the long hibernation time for these sites is very interesting. A second point of interest is how segmented this attack is -- the Bad Guys managed to get each of these fake ad domains into a position of trust with a different target market, so that even if one were to be discovered, the overall attack could continue. (And at the lower levels, the sites are changing very rapidly, so they don't care if those get identified.)
Only mapping out the entire attack network earns a view into the stealthiest part, as the Bad Guys have gone to great lengths to blend into legitimate Web traffic...
P.S. I checked again today (9/04) and we're still blocking a lot of the malvertising traffic coming from latimes.com (since that's probably the biggest name on the victim list). That's a two-week lifespan so far...