Optimized mal-ops. Hack the ad network like a boss

By Rahul Kashyap, Vadim Kotov on 25 Sep 2014 @ Virusbulletin
#browser-security #web-security #malware-distribution #adware
Focus Areas: Application Security, Malware Analysis, Web Application Security

Abstract

A significant part of the web economy is web advertising. Banner networks are present on the majority of popular websites, such as YouTube, Facebook, the New York Times, etc. In other words, by visiting a website we implicitly allow a number of third-party JavaScript and Flash programs to execute in our browsers, and this raises some serious security concerns.

In this research we address the problem of leveraging ad networks to spread malicious programs, also known as malvertising. Yes, it’s 2014, and our investigation determines that this abuse is still rampant. It puts a significantly large population at risk.

In this talk we start with the live capture of malware that we uncovered on YouTube. We then talk about the possibilities and perils that lie ahead. Our goals are to determine how web advertising could be exploited to spread malware, the chances of malicious banners being detected by security crawlers, and how malicious banners can bypass anti-malware checks and stay undetected.

We try to estimate how vulnerable the somewhat ‘opaque’ ad-networking industry is, and what countermeasures could be applied to lower the severity of the threats it poses.

AI Generated Summary

The talk addresses malvertising, focusing on the exploitation of online advertising networks through malicious Flash banners. It details how attackers bypass ad network security checks by embedding obfuscated malicious code within rich media advertisements.

A key presented technique involves using steganography to hide JavaScript payloads within the pixel data of standard image files (e.g., PNG) that are part of the ad. The malicious Flash banner loads the image, extracts the hidden code bit-by-bit from the least significant bits of the color channels using ActionScript’s BitmapData class, and executes it via the ExternalInterface.call method. This method allows arbitrary JavaScript execution on the host page, typically to create a hidden iframe that redirects the user to a drive-by download exploit kit. A demonstration showed a Python script embedding a simple iframe-creation script into an image’s LSBs, which was then extracted and triggered by a Flash banner after a timed delay, resulting in a Metasploit session.

The research highlights that compressed image formats (JPEG, PNG) prevent visual or simple frequency analysis detection of such manipulations, rendering static checks on ad content ineffective. Practical implications include the inadequacy of current ad screening policies that only scan for high-entropy embedded binaries. The speaker argues that the industry must shift focus from blocking ads to mitigating the final drive-by download stage, as malvertising aligns with attacker incentives of maximizing profit with minimal effort. The pervasive nature of the threat, capable of compromising reputable sites, undermines traditional blacklisting approaches, necessitating shared responsibility between ad publishers and security providers to address the fundamental challenge of stealthy code delivery via advertisements.
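The screening gap described in the two paragraphs above is that entropy checks on the ad bundle never look at the pixel data itself. The following is an added example, not code from the talk or the speakers' demo: a scan of an image's least-significant-bit plane for the signature of embedded text. Noise LSBs look random (roughly 37% of byte values happen to be printable ASCII), whereas an embedded script shows up as a long unbroken run of printable bytes, often containing recognisable JavaScript fragments. It assumes the pixels are a flat list of channel bytes (R, G, B, R, G, B, ...), which is what `Image.tobytes()` on an RGB image yields; the sample buffer is constructed, not a real creative.

```python
"""Scan the LSB plane of decoded image bytes for hidden text."""
import random
import re

# Printable ASCII plus tab, newline and carriage return.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
# Fragments a script that builds a hidden iframe would almost certainly contain.
JS_MARKERS = re.compile(rb"iframe|createElement|document\.|eval\(", re.I)
# Probability of a 32-byte printable run arising from random LSBs is ~0.38**32.
MIN_RUN = 32


def lsb_plane(pixels):
    """Pack the LSB of each channel byte into bytes, first byte's bit as MSB."""
    out = bytearray()
    for i in range(0, len(pixels) - len(pixels) % 8, 8):
        byte = 0
        for v in pixels[i:i + 8]:
            byte = (byte << 1) | (v & 1)
        out.append(byte)
    return bytes(out)


def longest_printable_run(plane):
    """Length of the longest consecutive run of printable bytes."""
    best = cur = 0
    for b in plane:
        cur = cur + 1 if b in PRINTABLE else 0
        best = max(best, cur)
    return best


def scan_pixels(pixels):
    """Findings for one bit order; a production scanner would also try
    LSB-first packing, each colour channel on its own and offsets mid-image."""
    plane = lsb_plane(pixels)
    run = longest_printable_run(plane)
    marker = JS_MARKERS.search(plane)
    return {
        "longest_printable_run": run,
        "js_marker": marker.group(0).decode() if marker else None,
        "suspicious": run >= MIN_RUN or marker is not None,
    }


def constructed_pixels(seed, n):
    """Constructed stand-in for decoded image bytes with noisy LSBs (not a real image)."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(n)]
```

For a real creative, call `scan_pixels(list(Image.open(path).convert("RGB").tobytes()))` after decoding with Pillow; a clean photo yields a longest run in the single digits.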

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.