How Cybercriminals Hide Malware: The Basics
Since publishers in the advertising ecosystem sell their media through programmatic channels, third-party demand partners, and exchanges, it has become all but impossible for publishers alone to thwart malicious attempts. For starters, a malicious attempt to infiltrate a publisher's site through advertising is known as malvertising, and malware is a catch-all term for any type of malicious software that intentionally infiltrates a user's device to cause extensive damage.
Distinguishing and classifying different types of malware insertion processes helps users understand the threat level posed and how to best protect their devices.
How is malware inserted?
Malware insertion processes are highly sophisticated, with a wide range of insertion techniques. We can ultimately attribute malware to scripts and executable code, but when you break it down, malvertising comes through the URL.
URLs that are embedded in a page, or that come with a server response after a user interacts with the page, may lead to a malicious site or prompt the user to download malicious code.
First off, let's debunk a common misconception about malware: that if users don't click on a suspicious ad or download a deceptive file, they won't get infected. The reality is that users do not have to actively click, because malvertising can run pre-click.
Where can malware hide?
In the Delivery Path
Let's break it down: two delivery pathways exist to serve an ad:
- The first delivery path is pre-click: ad calls can go through multiple third parties, any one of which may insert malicious code.
- The second delivery path is post-click. When the user clicks on the ad, a series of URLs is called to reach the final landing page, and malicious code can be inserted by any of the third parties involved in that delivery path.
Embedded in the Creative
Malware might also be embedded in a content/graphic piece.
Malware can also be embedded in a Flash (.swf) file, meaning the malicious code is activated when the ad loads. Even if there is no malicious code in the creative pre-click, malicious code may still surprise users once they click.
Within a Pixel
Pixels are typically found in ad calls. They are small pieces of code used to send data in a query string, and a tracking pixel can be embedded in a banner or on a landing page.
Typically, one will "shoot a pixel" to mark a certain user interaction. In the case of malware, the pixel transfers data to the "receiver", who responds by sending malware, for example a pop-up.
Within a Video
Another popular misconception is that video ads can’t deliver malware.
Take a standard video ad type, a VAST video ad: this video ad contains pixels from third parties, and one of those embedded pixels may contain malicious code. So once the user allows the video ad to load and play, they become infected.
Alternatively, there could be a malicious post-click URL at the end of the video ad. In addition, a Flash file (.swf) itself can inject an iframe into the page, and this iframe will download the malware onto the user's computer without the user ever clicking on the video.
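The pixel and VAST sections above both describe third-party URLs carried inside an ad response. As an added example (not code from the original post), the Python below parses a constructed VAST 3.0 response, enumerates every URL-bearing element (impression pixels, tracking events, click-through, media file), and flags any host that is not on a publisher's partner allowlist or that is not served over HTTPS; the host names and the allowlist are made up for the demonstration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample VAST 3.0 response. One impression pixel and one tracking
# event point at hosts the publisher never approved (placeholder names).
SAMPLE_VAST = """<VAST version="3.0"><Ad id="demo-1"><InLine>
  <Impression><![CDATA[https://ads.example-partner.com/imp?cb=123]]></Impression>
  <Impression><![CDATA[http://tracker.unknown-third-party.invalid/px.gif?u=1]]></Impression>
  <Creatives><Creative><Linear>
    <TrackingEvents>
      <Tracking event="start"><![CDATA[https://ads.example-partner.com/ev?e=start]]></Tracking>
      <Tracking event="complete"><![CDATA[https://cdn.unknown-third-party.invalid/ev?e=done]]></Tracking>
    </TrackingEvents>
    <VideoClicks><ClickThrough><![CDATA[https://www.example-advertiser.com/landing]]></ClickThrough></VideoClicks>
    <MediaFiles><MediaFile type="video/mp4"><![CDATA[https://cdn.example-partner.com/v.mp4]]></MediaFile></MediaFiles>
  </Linear></Creative></Creatives>
</InLine></Ad></VAST>"""

# Hypothetical allowlist of hosts the publisher has a contract with.
ALLOWED_HOSTS = {"ads.example-partner.com", "cdn.example-partner.com",
                 "www.example-advertiser.com"}

# VAST elements whose text content is a URL the player will request or open.
URL_TAGS = {"Impression", "Tracking", "ClickThrough", "ClickTracking",
            "MediaFile", "VASTAdTagURI", "Error"}

def extract_urls(vast_xml):
    """Return (tag, event, url) for every URL-bearing element, in document order."""
    root = ET.fromstring(vast_xml)
    found = []
    for el in root.iter():
        if el.tag in URL_TAGS and el.text and el.text.strip():
            found.append((el.tag, el.get("event", ""), el.text.strip()))
    return found

def audit_vast(vast_xml, allowed_hosts=ALLOWED_HOSTS):
    """Flag URLs whose host is off the allowlist or that are not fetched over HTTPS."""
    findings = []
    for tag, event, url in extract_urls(vast_xml):
        parsed = urlparse(url)
        reasons = []
        if parsed.hostname not in allowed_hosts:
            reasons.append("unexpected host")
        if parsed.scheme != "https":
            reasons.append("not https")
        if reasons:
            findings.append({"tag": tag, "event": event, "url": url, "reasons": reasons})
    return findings
```

Running `audit_vast(SAMPLE_VAST)` on the sample reports the plaintext impression pixel and the "complete" tracking event as the two URLs a reviewer should look at before the tag is allowed to serve.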
On the Landing Page
And of course, a malicious URL could appear in the final landing page.
It could be that the landing page itself, as well as the pathway, is clean, but there are items within the page for the user to click on that contain malicious code.
One reason this is so alarming is that the user might consider themselves safe by this point, only to find that they became infected because they clicked on an infected element within the page.
Unfortunately, digital advertising remains one of the most effective channels for cybercriminals to serve malware. It's the responsibility of all players in the ecosystem to block malicious attempts and promote a quality user experience, by being both proactive and progressive in our efforts.
Techniques for Detecting Malware
Detecting malvertising requires expertise, and a keen eye to review reams of data. Stay on the lookout for Part II, where we dive into techniques to detect malware, including signature-based detection, checksumming, statistical analysis, and more.