New Malvertising Campaign Uses Steganography to Bypass Detection

I recently came across an interesting article from ZDNet that discusses a rather clever way malvertisers are sneaking malicious JavaScript into their ads.

To give a quick background, malvertising is when malware authors craft a malicious web advertisement, and then trick legitimate ad networks into placing the ad. When they pull it off, it allows their malware to be hosted on some of the biggest, most trusted, and highly trafficked websites on the net.

This is bad for ad networks, so they are at the front line trying to stop this from happening. They have rules about what each submitted ad’s scripts are, and are not, allowed to do. But JavaScript can be highly obfuscated, making it possible for bad things to slip through the cracks, and make it onto trusted, reputable sites.

The previously mentioned article details the relatively new malvertising group called VeryMal. In order to get their malicious scripts past the ad network filters, VeryMal used steganography to embed the malicious JavaScript into a normal image file included in the ad. Once a victim browsed to a website and the ad was loaded on their system, VeryMal used a different script that had already passed the ad network’s review to pull the malicious script out of the image and execute it.

The details about what exactly this malicious script did are irrelevant to this post. The main point I want to highlight is that detection-based security can always be fooled if you understand the algorithm well enough. Building a detection algorithm that can reliably detect malicious code hidden within an image is impossible. The only hope the ad network had to detect this was if they were looking for JavaScript being built dynamically on the client and disallowing that. But even if they start doing that, cyber criminals will always come up with a new way to avoid any specific detection algorithm.
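To make the “JavaScript built dynamically on the client” check concrete, here is an added example (not code from the ZDNet article, VeryMal, or any ad network) of a static heuristic an ad reviewer could run over a submitted ad script: it flags scripts that read image pixels back out of a canvas and also reach a code-execution sink. The two sample scripts are constructed for the example, and the rule names and regexes are my own.

```python
import re

# Hypothetical review heuristic. Three indicator groups describe the
# loader pattern in the post: pixels are read back from an image, the
# bytes are reassembled into a string, and the string is executed.
PIXEL_READ = [("getImageData", r"\bgetImageData\s*\(")]
ASSEMBLY = [("fromCharCode", r"String\.fromCharCode"),
            ("charCodeAt", r"\.charCodeAt\s*\(")]
EXEC_SINK = [("eval", r"\beval\s*\("),
             ("Function", r"\bFunction\s*\("),
             ("setTimeout-string", r"setTimeout\s*\(\s*['\"]"),
             ("script-element", r"createElement\s*\(\s*['\"]script['\"]")]

def scan_ad_script(source):
    """Return the indicators found and whether the script should be held
    for manual review (pixel read AND execution sink both present)."""
    found = {}
    for group, rules in (("pixel_read", PIXEL_READ),
                         ("assembly", ASSEMBLY),
                         ("exec_sink", EXEC_SINK)):
        found[group] = [label for label, pat in rules if re.search(pat, source)]
    found["suspicious"] = bool(found["pixel_read"] and found["exec_sink"])
    return found

# Constructed sample: an ordinary canvas banner, draws but never reads pixels.
BENIGN = """
var c = document.getElementById('ad').getContext('2d');
var img = new Image(); img.src = 'banner.png';
img.onload = function () { c.drawImage(img, 0, 0); };
"""

# Constructed sample of the loader shape described above: read pixel bytes,
# rebuild them as text, hand the text to eval.
SUSPICIOUS = """
var img = new Image(); img.src = 'banner.png';
img.onload = function () {
  var c = document.createElement('canvas').getContext('2d');
  c.drawImage(img, 0, 0);
  var d = c.getImageData(0, 0, img.width, img.height).data, s = '';
  for (var i = 0; i < d.length; i += 4) s += String.fromCharCode(d[i]);
  eval(s);
};
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, scan_ad_script(src))
```

As the post argues, this only catches the literal API names; a loader that reaches the same calls through obfuscation (for example bracket-notation property lookups) slips past it, which is why the heuristic is a review trigger rather than a security boundary.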

This is the reason Light Point Security uses isolation-based security to protect our customers. The concept behind Browser Isolation is to prevent all web content from executing locally on the user’s computer by moving it to an isolated, remote environment. Instead of relying on detecting malware in order to provide security, Browser Isolation assumes all web content is malicious and prevents any of it from ever reaching the user’s computer in the first place. If there’s no way for web content to reach the user’s computer, then there’s no way for web-based malware to reach it either. This is all done while preserving the user experience.
