Kyle & Stan Malvertising Network With Bigger Reach

Current situation
The researchers had an unpleasant surprise two weeks ago, after the release of the first Cisco report on the malicious ad distribution campaign: the Kyle and Stan malvertising network has roughly nine times the reach first reported. Given the chance to examine the telemetry data, the researchers found that almost 6500 malicious domains were involved, approximately nine times the 703 malicious domains originally reported. The Cisco report further revealed that 31 000 connections were made to these domains, more than three times the originally reported 9 541 connections.

The Researchers
Two of the researchers of the Kyle and Stan malvertising network, Armin Pelkmann and Craig Williams, traced the attack back to 2012 and found that it has been active for a much longer period than first reported.

‘We think it’s been a reasonably successful campaign [for the attacker],’ Williams said, ‘The numbers correspond to the number of times an attack was detected and blocked by a Cisco security device. Considering the number of times we’ve seen it, we think it’s significant.’

The attacks of Kyle and Stan malvertising network

The Kyle and Stan malvertising network differs from other malware networks of the same type in two ways: first, it has managed to place ads on very large and popular websites such as Amazon; and second, the network serves both Mac OS X and Windows flavors of the malware.

According to the malware researchers, each compromised victim receives a unique spin on the malware, and each spin has subtle differences in its packing, so that every copy has a unique MD5 checksum. When the victim visits a website hosting such a malicious ad, the victim's browser is redirected twice. Mac and Windows users are sent to a URL hosting malware tailored to each platform. At the final download URL, the payload, a browser hijacker or spyware, is either downloaded automatically to the compromised machine or the user is tricked into installing it because it is bundled with legitimate software such as a media player.

How does Kyle and Stan malvertising network work

The malware researchers reversed the malware files and found that each file contains a unique part, which makes the computed checksum completely different from one copy to the next. This means that the Kyle and Stan malvertising network uses sophisticated techniques to store and obfuscate the data available on the site. The cyber criminals use this method to evade the antivirus on the computer and the other detection systems in use.
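The two paragraphs above describe the defender's core problem with this campaign: every download carries a unique MD5, so a blocklist of known hashes never matches the next victim's copy. The following is an added example, not code from the article or from the Cisco researchers, and it uses constructed byte strings rather than real samples. It models a shared payload body with a different per-download trailing blob (an assumption standing in for the packing differences the researchers describe), shows that an exact-MD5 blocklist misses the second copy, and contrasts that with a byte n-gram similarity check that still matches it while leaving an unrelated file alone.

```python
"""Added example (not from the article or the Cisco report): why a per-download
unique MD5 defeats hash blocklists, and a body-similarity check that does not.
All sample bytes here are constructed; none are real Kyle and Stan samples."""
import hashlib


def _pseudo_random_bytes(label: bytes, length: int) -> bytes:
    """Deterministic filler so the example runs offline and reproducibly."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


# Constructed stand-in for the shared payload body (a fake installer), 4 KiB.
PAYLOAD_BODY = b"MZ" + _pseudo_random_bytes(b"constructed-installer-body", 4094)


def make_download(download_id: int, body: bytes = PAYLOAD_BODY) -> bytes:
    """Model the 'unique spin' per victim (assumption): same body, different
    trailing bytes, so every copy hashes differently."""
    spin = hashlib.sha256(b"spin" + download_id.to_bytes(4, "big")).digest()
    return body + b"SPIN" + spin


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def blocklist_hit(data: bytes, md5_blocklist: set) -> bool:
    """Classic hash blocklist: exact MD5 match only."""
    return md5_hex(data) in md5_blocklist


def _ngrams(data: bytes, n: int = 8) -> set:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 8) -> float:
    """Jaccard similarity of byte n-gram sets: a crude, hash-free likeness
    measure that tolerates small appended or swapped regions."""
    sa, sb = _ngrams(a, n), _ngrams(b, n)
    return len(sa & sb) / len(sa | sb)


def similarity_hit(data: bytes, known_samples, threshold: float = 0.9) -> bool:
    """Flag a file if it is at least `threshold` similar to any known sample."""
    return any(similarity(data, k) >= threshold for k in known_samples)


def demo() -> dict:
    first = make_download(1)      # the copy an analyst already has
    second = make_download(2)     # the next victim's copy, same body
    unrelated = b"MZ" + _pseudo_random_bytes(b"some-other-program", 4094)
    blocklist = {md5_hex(first)}  # what a hash-only blocklist would hold
    return {
        "md5_differs": md5_hex(first) != md5_hex(second),
        "blocklist_catches_second": blocklist_hit(second, blocklist),
        "similarity_catches_second": similarity_hit(second, [first]),
        "similarity_flags_unrelated": similarity_hit(unrelated, [first]),
        "second_similarity": round(similarity(first, second), 3),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The n-gram Jaccard measure is deliberately simple; production tooling would use a fuzzy hash or structural features of the executable, but the lesson is the same: once the attacker varies a few bytes per download, detection has to key on what stays constant rather than on the whole-file digest.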

The Kyle and Stan malvertising campaign is very successful because once the attacker gets a malicious ad onto the network, either by legitimately hosting an ad and paying a network to distribute it or by compromising a host that serves ads, the campaign grows far more quickly than when malware is distributed through phishing emails or spam.

The Future of the Malware

The malware researchers say that the Kyle and Stan malvertising network is an example of the next stage in malware evolution. It is characterized by embedding in websites, which is very effective: even if only one percent of a website's visitors see the ad, the success rate is higher than that of a spam campaign.

The consumers most susceptible to malvertising infections are those using technologies on their devices with less than adequate detection. Things that can help here include turning off JavaScript when it is not needed and using an ad blocker such as Ad Block.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
