Over the last two months, millions of visitors to mainstream websites have been exposed to a new form of malware embedded in banner pixels. And if you didn’t see it, don’t be surprised.
The new malware, “Stegano”, is nearly invisible to the naked eye. Its code has been embedded in parameters controlling the transparency of pixels used to display banner ads. Since it’s buried in the alpha channel, even watchful ad networks find it difficult to detect.
The malware’s name borrows from the word Steganography; the practice of concealing secret messages inside a larger document. The medium is new, but the practice dates back to at least 440BC.
How Does Stegano Work?
Stegano first verifies that the browser isn’t running on a virtual machine or connected to security devices used to detect attacks. Then, it redirects the browser to a site that hosts three Adobe Flash exploits. These exploits are currently unpatched.
According to researchers from antivirus provider Eset, the Stegano virus easily outclasses other major exploit kits, such as Angler and Neutrino, in terms of referrals. And if Stegano is providing big returns, that means more malware based on hidden-pixel attacks are likely to crop up.
“We have observed major domains, including news websites visited by millions of people every day, acting as ‘referrers’ hosting these advertisements,” An Eset representative said. “Upon hitting the advertising slot, the browser will display an ordinary-looking banner to the observer. There is, however, a lot more to it than advertising.”
Two consecutive alpha values represents the tens and one of a character code, encoded as a difference from 255 (the full alpha). To make this hard to detect by the naked eye, the difference is minimized using an offset of 32.
What Should I Look Out For?
Currently, the Stegano ads promote applications calling themselves “Browser Defence” and “Broxu”. They also target people who visit news sites using Internet Explorer browsers. The script contained in the pixels exploits a now-patched IE vulnerability called CVE-2016-0162 to obtain details about visitors’ computers.
The script also checks for the presence of packet capture, sand-boxing, virtualization software, and a variety of security products. If none of these exist, it refers them to the exploit site and serves up either Ursnif or Ramnit malware.
In short, the attackers have gone to great lengths to make sure security-savvy people aren’t attacked. The Stegano attacks are concentrated in Canada, the UK, Australia, Spain, and Italy.
Because the payload uses a heavily modified version of Countly—an open-source package for measuring website traffic—the ad networks currently see nothing malicious in the Javascript.
What’s Ursnif or Ramnit Malware (In case I get infected)?
The Ursnif family is made up of modules designed to steal your e-mail credentials, log your keystrokes, take screenshots and videos, and act as a backdoor into your device. The Ramnit family does essentially the same things as Ursnif. However, it mainly targets the banking industry.
Anti-Phishing Training Won’t Help, So Protect your Users!
Since Stegano-type attacks are nearly invisible to the naked eye, even a security-savvy user is vulnerable to this sort of threat. That means your anti-phishing training is going to be near useless against this sort of malware. And if these exploit kits lead to ransomware demands, your business could be hit for tens of thousands of dollars from a single virus.
If you want your business to survive, the best way is to make sure your essential data is protected. With trustworthy backup and disaster recovery software, you can be hit by ransomware and still restore everything from bare metal.
BackupAssist is the #1 Backup and Disaster Recovery software for Windows Servers, used by world-famous organizations such as NASA, Cessna, and M.I.T. Check out our free 30-day trial or read more here.
