A picture tells a 1,000 words. Pixels pwn up to 5 million nerds: Crims use steganography to stash bad code in ads A strain of malware has been clocked using steganography to run malicious JavaScript on Macs via images in online banner ads, it was claimed this week. A joint report from security shops Confiant and Malwarebytes drilled into the techniques used by VeryMal, a malvertising operation that spreads through poisoned ad images. What …
Accessibility options:
1. Don't load images. I can't see 'em so they're worth SFA. Perhaps if they have AltText to them, but otherwise fuck 'em.
2. Don't use anything other than system colours & fonts. I can't see if it uses Helvetica, KellyAnneGothic, or any other font, so just stick to the system defaults. I can't see the colours so don't bother using those either.
3. Turn all the scripting off entirely. JS is more trouble than it's worth. Any site requiring it can be visited via a search engine cache of the plain text content & thus give TheFinger to their "requirement". I didn't accept the JS "requirement" bullshit from my previous bank, I won't accept it from anyone else either.
And last but not least, I'm not rich enough to afford to run Apples iBling.
=-J
@shadowsystems unfortunately one of the three of those make sense.
Turning off JavaScript - that makes sense.
Fonts? you don't have to see them, sure, but the default system comes with X y & Z fonts. Unless *you* have uninstalled the others and even then, all the code looks for is that you have A, B & C fonts again they are more likely looking at the default font set that was installed with the OS. Anything else sensory-wise is just hogwash. You also would likely *not* know if windows re-installed such fonts, unless you check every day .. you do don't you? I know that's the first thing *I* do when I get on my system (not)
And then images .. sure turn them off cause *you* can't see them .. that doesn't still mean some wonky issue doesn't occur where the image is not seen as "an image" by the code and content gets pulled down that you weren't expecting, and oh yeah .. because you can't SEE them .. you don't necessarily know if something made it past your "don't download images" filter..
And come to think of it, even with JS turned off, theres likely an option to turn it back on without your direct request by something turning it back on.. oh.. like an update.. and again .. because you're blind, how would you know? until its potentially too late..
So I guess all three of your assertions could be wrong.
"Fonts? you don't have to see them, sure, but the default system comes with X y & Z fonts."
Nice rant, but did you actually read what he wrote? "Don't use anything other than system colours & fonts."
Why should a site not even load if you don't allow it to download fonts via JS scripts? I've seen sites like that, closed the page and gone elsewhere.
Except my security settings for the Internet Zone in IE11+ is configured to not download fonts, the accessibility is set to ignore anything other than the already installed system fonts/colours, thus it doesn't matter what font the site might want me to have, if it isn't already installed then it doesn't get installed. It can't use scripting *of any kind* to trick my browser into grabbing files from some unknown server, it can't use scripts at all. Go ahead & embed a pull request in the demand to download the dodgy font, my browser ignores the demand & uses the defaults instead. Like a VT terminal using a monochrome green screen, other fonts & colours don't even get processed & thus any dodgy code embedded in said font can't get run.
Both the security & accessibility settings are configured to ignore images. My browser doesn't download them, it only reads the AltText if there is any. No AltText, nothing comes across. You can embed all the dodgy code you want inside the image itself, it doesn't matter since the browser ignores the image entirely. You could try to inject code into the AltText to trick the browser into doing bad things, but then the rest of my security/accessibility settings would probably nip it in the bud. Like, say, by not running any sort of scripting at all? Yeah, that might put a crimp in the attempt.
As for an update resetting my browser settings, I'm not running Win10 so that's much less of a potential attack vector than you might think. And yes, I *do* check my settings after every update just to make *damned sure* MS hasn't tried to fuck with me. So far there have been plenty of updates to IE, but software like GWControl Panel & O&O ShutUp10 have cockblocked MS' attempts to "upgrade" my machine to Win10. So far so good. *Crosses fingers & knocks on wood*
I applaud your attempt to inject a bit of paranoia into my ramblings, but I'm already paranoid enough as it is (TheVoicesInsideMyHead assure me I'm perfectly sane!) & I try to keep my defenses in good working order.
Now go enjoy a pint on me, just make sure the publican draws the suds from a clean cask, uses a clean tankard, & doesn't put anything in your drink. I make him use my own tankard & make sure the flip up lid stays closed until I go to drink. Mmmmm... Dried Frog Pills! =-D
The relevant part is quoted: "They are DATA, not code."
That's the basic premise of the Harvard architecture: that data is data and that code is code and shouldn't mix. However, compilers (especially runtime compilers like JITs) break this rule because code IS their data. That's why you can't run a JIT in a strict Harvard architecture. That said, most computer architectures are in between this and the von Neumann architecture where code and data are one and the same. You can treat code as data or segregate it as needed, so we're both right in the sense that things can change from role to role.
"variables should not be executable ...
Then this would not work. You can extract strings all you want. They are DATA, not code."
The problem is we're talking about web pages and Javascript. The modern web needs this sort of functionality in order to wor...
*thinks*
You're absolutely right.
Not an expert on JS but anyone who writes a JSON parser by simply encapsulating an eval statement is a fscking menace. JSON or other data parsers should be written from scratch to parse the text as data only.
Such foolishness would be the client-side equivalent to concatenating input onto SQL query strings at the server end.
Never allow data that is not under your control to be handled as code. Period.
> (Don't forget that in this day and age, ads are fetched as a package of images and code
Yup. And it's abuse of the LATTER which pisses people off (by crippling their machine) and has created the rise of the AdBlockers which has led to drop in the revenues which sites really need which has led to aggressive workaround tactics which has led to people getting MORE pissed off which...
I think there's a real argument for sites taking a stand, and "advertising" that they will only SHOW ads, not inject code into your machine. Pics, text, whatever, people are OK with that. Code, no, even for people who don't know what code is -- they CAN see their machine grind to a halt.
It'd need a Badge, and a strict emphasis on Trust. And a different negotiation tactic with advertisers. But one which would have power if explained properly, and implemented properly/trustworthily.
And I think sites would see a pickup in ad revenue.
Well, static or generated, the clientapp [browser] won't know the difference. It just gets a text file in reply to request (html +CSS +javascript etc).
So that would boil down to the user... just switching off javascript. But that can be a pain when the site's built by code-cretins using a generator and is nonuseful w/out JS.
Also, requires that the user be tech.savvy enough to A/ know that's possible B/ finding & installing a plugin to do so (I use JavaScript Toggle On and Off on Firefox -- rather excellent 1-button toggle topright) C/ having to do so interactively on an ongoing basis.
.
In essence though, I think you're talking about actual control, and that boils down to clientside intelligence. Browsers are mostly used by the 99% not the 1%-techsavvy types lurking on ElReg, so it boils down to the browser-coders needing to put some intelligence in their own code.
Problem: that's not going to be quick, AND you then get into the standard malware-racecondition of badactors responding to/gaming the defence, the defence adapting, the badactors adapting, the defence... etc.
.
All I'm really left with as a potentially useful approach, is a "social" signal similar to what we get when we buy branded products. That the site itself has done quality checks etc on its own delivery (ads etc) such that that delivery won't step outside the bounds of reasonableness.
Like the "Red Tractor" badge in UK declares that the product comes from British farms.
But then, how do you protect against counterfeiting? You can't. Other than having a bad experience and "just knowing, now" not to touch that particular site again.
...which gets straight back to my original point (although you're assuming active malware, and the topic was actually about lousy coding by ad-resellers which jams machine resources, rather than aggressively subverting machine resources for active attack) :
>Just thinking with my black hat on: how could this be subverted?
>And nope, I can't think of a way to not subvert it online -- only by pseudoalphachannel offline knowledge/trust.
But that step can be obfuscated, and code CAN legitimately read the canvas (for interactive elements like a whiteboard). I think the next step souls be for ad network to take anti-stego steps like I've noted before, such as mangling all uploaded images prior to storage.
Except the steganography is not the root problem, the side loading/dynamic creation of script is.
Although in this case the code is in an image there are lots of places to hide stuff, even in other code, or comments or images unrelated to the ads etc. The real problem is once, however it was retrieved, has become "code" again and as not directly downloaded outside the sight of most defences.
Again ads are a channel, but the root cause remains compromised scripts. therefore turn of JS which naturally blocks a fair few ads all by itself.
Love these sorts of attacks, they're so clever. Like the obsfucated JScript using a variant style of BrainF**k. It's just gibberish to most but if you start to pull it apart it reveals something similar, each character used to build the malicious script is meticulously put together by interpreting a tiny limited set of non-alpha chars and the way they get interpreted.
They're scum for sure, but the bad guys want something so badly they will push the limits of simple technologies to keep us on our toes, and they keep IT and coding so interesting you never stop learning.
They're scum for sure, but the bad guys want something so badly they will push the limits of simple technologies to keep us on our toes, and they keep IT and coding so interesting you never stop learning.
Maybe the ad industry should employ those clever bad people, to create interesting, non-intrusive, effective, safe advertising, instead of the tedious bilge their "creatives" currently excrete?
Look at car adverts - boring, monotonous, self important, undifferentiated rubbish, backed by a vast budget. And give them an inch of computer or TV screen (or worse, half an acre in the cinema) they indulge their obsession with long, noisy video that panders to the car makers' narcissism. There's an industry who could do with somebody very clever to reinvent their advertising.
Since these ads were being served from "...two top-tier ad exchanges used by a quarter of the top 100 publisher websites..." I assume those 2 ad exchanges will be reimbursing everyone who was harmed by these ads and paying compensation?
No? In what other industry can you sell a product to consumers, and then if it turns out to be damaging or harmful, do absolutely nothing about it and get away with it?
In the words of the late great Bill Hicks - "By the way if anyone here is in advertising or marketing… kill yourself. No really, there’s no rationalisation for what you do and you are Satan’s little helpers. Okay – kill yourself – seriously. "
"In what other industry can you sell a product to consumers, and then if it turns out to be damaging or harmful, do absolutely nothing about it and get away with it?"
As the Western World is increasingly controlled by Oligarchs I think we can expect to see an increase in this very thing or taxpayer funded bailouts when a Corporation is forced to pay up, if that Corp. is on the correct side of the "Government".
The problem is that *you* aren't the customer, you are the product, AKA "livestock". The customer is the dude who wants to run harmful code on your computer and has presumably paid (using a stolen credit card) for the privilege of doing so.
The fact that the harmful ads get removed is as much about lost revenue due to the credit card fraud and harm to the company reputation as it is the potential harm to product ecosystem.
I 100% agree with Bill Hicks though. I remember watching that show in the early/mid '90 and it has only become more and more relevant as the advertising services have had to become more and more conniving to cope with increasingly abusive "customers" on both sides of the fence.
Or equivalents are a necessity for sane use of the internet these days.
If a site wants Javascript before it works then (with a very few exceptions) I will not use the site.
(If for some reason I have to then I fire up a Linux VM from a virtual CD - access the site then close the VM. Any malware downloaded to the VM is wiped with the VM shutdown (no persistent storage)).
Out of all the sites on the internet I have only whitelisted 53 domains in NoScript.
In my opinion - and site that serves malware (directly or indirectly by using an ad network that has malware on it) should be strictly liable for all damage caused.
"In my opinion - and site that serves malware (directly or indirectly by using an ad network that has malware on it) should be strictly liable for all damage caused."
That could be a lot harder on small business than medium or large business, but all Business should be able to prove they have taken real steps to avoid these issues.
Off topic - Open source, Linux and the BSDs should be taught in Middle (Jr. High, depending on your location) and High School. Surely, some of the big Universities could get together and put together a comprehensive curriculum for Middle and High Schools that incorporates maths, science and programming that makes sense as children move through educational levels.maybe some already have. Does anyone know?
"Crucially, the ad is served to the browser along with a small piece of seemingly harmless JS "
The only sensible approach is to assume all JS is harmful (and thus block it) - after all there's no guarantee the ad fingers thoroughly vet the JS in ads they serve
As has been said, with all the JS being flung around (instead of just inoffensive bit of text or image) that's where the problem starts
Every now and again * I run browser sessions with ad / script blocking disabled (usually have them enabled with various whitelists ) - its horrendous how much junk many many sites serve up, and it hammers performance, page loads are typically really slow compared to when I run with defensive browser plugins enabled.
* I do this to see if any sites I regularly visit have cleaned up their ad act in case I need to update whitelists
There is a simple solution, one guaranteed to stop malvertising today and now. It is a solution that was once an internet standard; thus, if it was successful once, it can be successful again. The simple, bulletproof solution is disallow all javascript in every advertisements, no exception. But I already know it will not happen. My privacy and security is less important to the Corporation than their wallets.
It's not like we can do anything to stop them. Any fine we try to impose will either be eaten as The Cost of Doing Business or challenges as Abuse of Power. Try to get them criminally and they'll jump jurisdictions, and because of the zero-sum game there WILL be a country willing to welcome a jumper and protect them from foreign sovereignty.
I agree Ads should not need to run a extra cade in order to be displayed. If the ad wants to animate/play sound/expor get bigger when moused over I would think that the browser already is able to do this without needing extra code.
All that should sent is picture/sound/URL and nothing more.
Irrelevant. This attack was directed at Mac users, who are at liberty to install AV software (though this is generally inadvisable because most Mac AV is malware in disguise). iOS users were not targetable.
Note also that you'd have to be one dumb fucker to accept the subsequent invitation to install Flash, which requires user intervention, password entry etc.
Depends on your definition of "nice". For me, that means no or minimal animation, no auto-play sound or video, no floating over the real content, no pushing the content "below the fold". If something appears on my screen or pops up to attract my attention, then it's something important from my OS or one of my running programs. If any ad server can fall back to a non-JS supported image on screen, then I will see it. If it can be served directly from the domain the site is hosted at, then I *may* see it (and the site owner takes responsibility because they serve it to me, no "oh, sorry, we have no control over 3rd party ad slingers). But if it comes from a 3rd party ad slinger loaded up with JS and no "clean" fallback, it gets black-holed.
Ads suck. There are no 'nice' adverts. Everything we buy costs more than it should because of advertising.
Business doesn't care, because advertising spend is tax-deductible, so the more ads they buy, the less tax they have to pay whether their revenue from sales increases or not. And then they pass on the cost of advertising to the customer, because that's what 'markup' and 'margins' is all about. The customer pays for the ads, but the company gets the tax-breaks. Neat, huh?
Which means the more ads there are, the less revenue Government receives in taxes from profitable businesses. Which means the more tax they have to find from elsewhere, ie income tax and/or sales tax, taken from people who are already being 'taxed' by having to pay more than they should for goods and services because of advertising.
Not that advertising agencies care, of course.
(Sorry about the chavrag utterly meaningless "here's why" bollocks, which also annoys me. At least I didn't use CAPITAL letters like some of 'em. That would've been REALLY annoying).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
