The researchers had an unpleasant surprise two weeks ago, after the release of the first Cisco report on the malicious ad distribution campaign: the Kyle and Stan malvertising network has roughly nine times the reach that was first reported. Given access to Cisco's telemetry data, the researchers found that almost 6500 malicious domains have been involved, approximately nine times the 703 malicious domains originally reported. The updated Cisco report further revealed that 31 000 connections were made to these domains, more than three times the originally reported 9 541 connections.
Two of the researchers who investigated the Kyle and Stan malvertising network, Armin Pelkmann and Craig Williams, traced the attack back to 2012 and found that it has been active for a much longer period than was first reported.
‘We think it’s been a reasonably successful campaign [for the attacker],’ Williams said. ‘The numbers correspond to the number of times an attack was detected and blocked by a Cisco security device. Considering the number of times we’ve seen it, we think it’s significant.’
The attacks of the Kyle and Stan malvertising network
The Kyle and Stan malvertising network differs from other malware networks of the same type in two ways – first, it has managed to place ads on very large and popular websites such as Amazon; and second, it serves both Mac OS X and Windows versions of its malware.
According to the malware researchers, each compromised victim receives a unique variant of the malware, and each variant is packed slightly differently, so every sample has a unique MD5 checksum. When the victim visits a website hosting such a malicious ad, the victim's browser is redirected twice. Mac and Windows users are sent to a URL hosting malware tailored to their platform. At the final download URL the payload, a browser hijacker or spyware, is either downloaded automatically to the compromised machine or the user is tricked into installing it because it is bundled with legitimate software such as a media player.
How the Kyle and Stan malvertising network works
The malware researchers reverse-engineered the malware files and found that each file contains a unique section, which makes the computed checksum completely different from that of every other sample. This means the Kyle and Stan malvertising network uses sophisticated techniques to store and obfuscate the data served from the site. The criminals use this method to evade the antivirus software on the victim's computer and any other detection systems in use.
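The per-download repacking described above defeats a plain MD5 blocklist, so detection has to key on what the variants share rather than on the whole-file checksum. The following Python, added here and not part of the Cisco research or the original article, builds two constructed samples that share a dropper core and differ only in an appended unique blob, then shows an exact-hash blocklist missing the second sample while a simple piecewise (chunk-hash) similarity still catches it. It assumes the variable part is appended so that fixed-size chunks stay aligned; real samples whose packing shifts bytes need content-defined or fuzzy hashing (for example ssdeep or TLSH), which this simplified fingerprint only approximates.

```python
import hashlib

CHUNK = 64  # bytes per piece of the piecewise fingerprint

def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic filler bytes (sha256 chain) so the example runs offline."""
    out = b""
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]

# Constructed stand-in for the dropper body that every variant shares.
CORE_PAYLOAD = pseudo_random(1024, b"constructed dropper core")

def build_variant(victim_id: int) -> bytes:
    """Constructed sample: shared core plus a per-download unique blob,
    mimicking the repacking that gives each victim a distinct MD5."""
    unique_blob = hashlib.sha256(victim_id.to_bytes(8, "big")).digest() * 2
    return CORE_PAYLOAD + b"\x00UNIQUE\x00" + unique_blob

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def exact_hash_detect(sample: bytes, md5_blocklist: set) -> bool:
    """Checksum blocklist: fires only on a byte-identical file."""
    return md5_hex(sample) in md5_blocklist

def piecewise_hashes(data: bytes) -> set:
    """Hash fixed-size chunks; an appended unique tail changes only the last pieces."""
    return {hashlib.sha256(data[i:i + CHUNK]).hexdigest()
            for i in range(0, len(data), CHUNK)}

def similarity(a: bytes, b: bytes) -> float:
    """Jaccard overlap of chunk hashes: 1.0 identical, 0.0 nothing in common."""
    ha, hb = piecewise_hashes(a), piecewise_hashes(b)
    return len(ha & hb) / len(ha | hb)

def piecewise_detect(sample: bytes, known: bytes, threshold: float = 0.7) -> bool:
    """Flag a sample that shares most of its pieces with a known-bad file."""
    return similarity(sample, known) >= threshold

if __name__ == "__main__":
    seen, new = build_variant(1), build_variant(2)  # two victims, two downloads
    print("same MD5?     ", md5_hex(seen) == md5_hex(new))            # False
    print("blocklist hit?", exact_hash_detect(new, {md5_hex(seen)}))  # False
    print("similarity     %.2f" % similarity(seen, new))             # 0.80
    print("piecewise hit?", piecewise_detect(new, seen))              # True
```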
The Kyle and Stan malvertising campaign is very effective: once an attacker gets a malicious ad onto an ad network, either by legitimately submitting an ad and paying the network to distribute it or by compromising a host that serves ads, the campaign grows far faster than when malware is distributed through phishing emails or spam.
The Future of the Malware
The malware researchers say the Kyle and Stan malvertising network is an example of the next stage in malware evolution: embedding in websites, which yields very good results for the attacker. For example, even if only one percent of a website's visitors see the ad, that is a higher success rate than a spam campaign achieves.