TeslaCrypt Ransomware Rampant Today via Ad Networks

drmike

100% Tier-1 Gogent
Today there is a mega ton of ransomware infection going on. Malware payloads are being pushed all over the place via ad networks and it's YUGE.


Ransomware is simple: it encrypts your files and holds them hostage. To get your data back, you pay the robbers via Bitcoin to reverse the mess.


Article excerpt:


The tainted ads may have exposed tens of thousands of people over the past 24 hours alone, according to a blog post published Monday by Trend Micro. The new campaign started last week when "Angler," a toolkit that sells exploits for Adobe Flash, Microsoft Silverlight, and other widely used Internet software, started pushing laced banner ads through a compromised ad network.

According to a separate blog post from Trustwave's SpiderLabs group, one JSON-based file being served in the ads has more than 12,000 lines of heavily obfuscated code. When researchers deciphered the code, they discovered it enumerated a long list of security products and tools it avoided in an attempt to remain undetected.

"If the code doesn't find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK [exploit kit] landing page," SpiderLabs researchers Daniel Chechik, Simon Kenin, and Rami Kogan wrote. "Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware–double the trouble."

The ads are spreading on sites including answers.com, zerohedge.com, and infolinks.com. Legitimate mainstream sites receive the malware from domain names that are associated with compromised ad networks. The most widely seen domain name in the current campaign is brentsmedia[.]com. Whois records show it was owned by an online marketer until January 1, when the address expired. It was snapped up by its current owner on March 6, a day before the malicious ad onslaught started.


source: http://arstechnica.com/security/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/


I saw this slop coming when Spamhaus turned up efforts on TeslaCrypt. Ongoing issue in the past week... and look, the boys in Buffalo are hosting at least two TeslaCrypt payment extortion IPs. See: https://www.spamhaus.org/sbl/listings/velocity-servers.net


Quadranet is hosting at least 5 different extortion IPs. Source: https://www.spamhaus.org/sbl/listings/quadranet.com


It is recommended, for now and probably for good, that you disable the Flash plugin, disable Silverlight, and put all other plugins on click-to-play or similar.


And... folks wonder why I've long advocated JavaScript off.... do dah!
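One check that falls straight out of the Ars excerpt above: brentsmedia[.]com had expired on January 1 and was re-registered on March 6, the day before it began serving the malicious creatives. A domain that is days old (or freshly re-registered after lapsing) showing up as an ad-creative host on mainstream publishers is worth blocking or at least pulling for review before the creative ever renders. The Python below is an added example, not code from this post, from Trend Micro, Trustwave or Ars Technica; it flags creative hosts whose registrable domain was created within a few days of first appearing in an ad-request log. The log lines, the whois-style records and the benign host cdn.ads.example are constructed; the two dates for brentsmedia.com are the ones given in the excerpt.

```python
"""Flag ad-creative domains that were (re)registered shortly before they
started serving.  Added example for this thread; all input data below is
constructed, except that the two brentsmedia.com dates follow the Ars
Technica excerpt (expired 2016-01-01, re-registered 2016-03-06)."""
from collections import defaultdict
from datetime import date, datetime

# Constructed ad-request log: timestamp, publisher page, creative host.
AD_LOG = """\
2016-03-07T09:12:44Z answers.com brentsmedia.com
2016-03-07T09:13:01Z zerohedge.com brentsmedia.com
2016-03-07T11:40:19Z infolinks.com brentsmedia.com
2016-03-07T12:02:33Z answers.com cdn.ads.example
"""

# Constructed whois-style records keyed by registrable domain.
# "previous_expiry" is the lapse date of the prior registration, if any.
WHOIS = {
    "brentsmedia.com": {"created": "2016-03-06", "previous_expiry": "2016-01-01"},
    "ads.example": {"created": "2011-05-19", "previous_expiry": None},
}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels.  Fine for .com/.net style hosts;
    a real deployment should use the Public Suffix List (co.uk, etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_ad_log(text: str):
    """Parse 'timestamp publisher host' lines into (datetime, publisher, domain)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, publisher, host = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, publisher, registrable_domain(host)))
    return events


def flag_recently_registered(events, whois, max_age_days: int = 14):
    """Return {domain: details} for creative domains that were created within
    max_age_days before they were first seen serving, or that have no whois
    record at all (which is also suspicious for an ad host)."""
    first_seen = {}
    publishers = defaultdict(set)
    for when, publisher, domain in events:
        if domain not in first_seen or when < first_seen[domain]:
            first_seen[domain] = when
        publishers[domain].add(publisher)

    flagged = {}
    for domain, seen in first_seen.items():
        rec = whois.get(domain)
        if rec is None:
            flagged[domain] = {
                "first_seen": seen.date().isoformat(),
                "age_days": None,
                "lapsed": None,
                "reason": "no whois record",
                "publishers": sorted(publishers[domain]),
            }
            continue
        created = date.fromisoformat(rec["created"])
        age_days = (seen.date() - created).days
        prev = rec.get("previous_expiry")
        # A prior registration that lapsed before the current one is the
        # "dropped and snapped up" pattern described in the excerpt.
        lapsed = prev is not None and date.fromisoformat(prev) < created
        if age_days <= max_age_days:
            flagged[domain] = {
                "first_seen": seen.date().isoformat(),
                "age_days": age_days,
                "lapsed": lapsed,
                "reason": "registered %d day(s) before first serving" % age_days,
                "publishers": sorted(publishers[domain]),
            }
    return flagged


if __name__ == "__main__":
    for domain, info in flag_recently_registered(parse_ad_log(AD_LOG), WHOIS).items():
        print(domain, info)
```

Running it prints only brentsmedia.com: created one day before it was first seen, flagged as lapsed, seen on all three publishers from the excerpt. The benign cdn.ads.example host is years old and is left alone. The 14-day window is an assumption; tune it to your own creative-review cadence, and pair it with a blocklist feed such as the Spamhaus SBL listings linked in the post for the second signal.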

drmike

100% Tier-1 Gogent
... and I'll note that IPB doesn't work without JavaScript... f---ing hackware. Non-graceful piece of... So, ta-da... need to enable JS to participate. Luckily ads here are served in house and no malware payloads.