Friday, January 09, 2015

Several major sites served ads with ransomware affecting users with older browsers (the Kovter trojan)

CNN Money, in a story also run by The Washington Times and the Webroot Threat Blog, is reporting that malware was served in ads on Huffington Post and AOL’s network, as well as on the men’s magazine FHM, the Los Angeles Weekly and the Houston Press.
Apparently the infections started in October and were detected by the computer security firm Cyphort around Jan. 3.  It seems that the affected sites had removed the ads by Jan. 5.  The malware is called Kovter.
Reports indicate that computers could be infected even if the user never clicked the ads, merely by the way the ads flash embedded images and videos (which are implicit “visits”); the malware changed servers quickly and was difficult for anti-virus software to detect.  However, it appears that only older browsers are affected (through Internet Explorer 8), and that newer versions of Firefox and Chrome block the malware.

The symptom is that the computer is locked, with the mouse and keyboard not working, along with a warning that the computer contains child pornography and a demand to pay a ransom via MoneyPak or something similar, such as bitcoin.

Anyone who visited AOL or the Huffington Post during the first week of January (as I do) would have been exposed to the virus, but would not be affected if using a modern browser.
It’s unclear if the newest Microsoft security updates would stop all such malware from working.  The CNN story by Joe Pagliery is here.  It includes a video about CoinVault or CryptoLocker-type malware.

Advertising forms the “business model” backbone for all the free content we get on the Web today, as well as for services that support user generated content – social media and blogging platforms.  
Theoretically, an ad on one of these could have caused an infection on an older computer or browser if not detected first by the service provider.  I haven’t seen any statements yet from Facebook, Google, or similar companies on new security measures they will have to take to screen ads for malware problems before offering them on their networks, but they surely must see this as a serious issue. 
I’m trying to find out how well modern security products (Webroot SecureAnywhere, Trend Micro, Kaspersky, etc.) detect Kovter and all other ransomware products right now.  Again, it would seem that Microsoft should be able to stop scripts like these from running automatically from ads or embeds.  Microsoft has a page on Kovter here.  Damballa has an account here.  Expect a bulletin from CERT on this soon.
