In the ancient times before the turn of the millennium, steganography was going to be the way to stick it to the man, offering a way to hide secrets in plain sight by embedding data in pictures. The technique is much older than that, dating back thousands of years, but it wasn't until the mid-'80s that it was brought to mainstream computing. It is in the headlines today because Confiant and Malwarebytes have detected it being used to hide code in banner ads; the code takes advantage of a JavaScript vulnerability on Macs to redirect browsers to a site where you get the opportunity to install a Flash 'update'. The campaign looks to have been most active between January 11th and 13th, but evidence suggests it has been active since December, so make sure to update your protection ASAP.
If you are interested in how VeryMal works, The Register has a good write-up here.
"A strain of malware has been clocked using steganography to run malicious JavaScript on Macs via images in online banner ads, it was claimed this week."
Here is some more Tech News from around the web:
- Intel reports 13% revenues growth for 2018 @ DigiTimes
- Facebook to combine Instagram, WhatsApp and Messenger @ The Inquirer
- Nintendo throws out Metroid Prime 4 work, restarts with Retro Studios @ Ars Technica
- More money than sense? Turn your iPhone into a spoon with the Kickstarter nobody asked for @ The Inquirer
- Hole-punch, foldable screens rising as new handset designs @ DigiTimes
- Intel Is Working On A Vulkan Overlay Layer, Inspired By Gallium3D HUD @ Slashdot
- You're an admin! You're an admin! You're all admins, thanks to this Microsoft Exchange zero-day and exploit @ The Register
- Windows Server 2019 vs. Linux vs. FreeBSD Gigabit & 10GbE Networking Performance @ Phoronix
- Sprint subscribers: What do your updated iPhone and Tonga have in common? Both are cut off from the world @ The Register
All the more reason to restrict Ads to a limited subset of JavaScript and allow no JavaScript access to the Image content. Let the browser’s own internal Vetted/Verified routines read the Image content and display it.
All that Scripting language functionality has too much OS level function call ability and all Ads/Ad scripts should be run inside a restricted sandbox. It’s time to clip JavaScript’s wings and really Ads need to have no ability to process any Image content via any outside of the browser code! Image content needs to be processed by the safe browser code routines and never allowed to be processed by that nefarious outside JavaScript.
This is all the fault of the HTML standards being dictated by the Internet Ad industry and ditto for the JavaScript standards.
Steganography would not be an attack vector if the Image Content were not accessible by any outside of the browser JavaScript related code functionality. Let only the Browser’s Internal Code have any Read/Write access to the Image content so allow no outside Script that’s shipped with the Ads to have any Image access/processing privileges.
I’d even say that Images should be randomly Salted to wipe out any Steganography hidden values and disrupt the ability to use Image content for payload pushing.
Next time a site asks me to whitelist them on ublock, I’ll paste a link to this story. Thank you!
Promise you will use a tool like this and send them a screengrab!
Why aren’t the ad companies re-creating the images that are uploaded, like some image boards will do to prevent malware?
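An added example, not part of the original comments or of any ad network's code: the "randomly salted" and "re-creating the images" ideas raised in the comments above, reduced to the simplest case. It assumes least-significant-bit embedding (the page does not say which scheme VeryMal used), a constructed 16x16 RGBA buffer laid out like canvas `ImageData.data`, and hypothetical function names.

```javascript
// Added example: constructed data only; all function names are hypothetical.

// Build a constructed w*h RGBA test image with an opaque alpha channel.
function makeImage(w, h) {
  const px = new Uint8ClampedArray(w * h * 4);
  for (let i = 0; i < px.length; i++) px[i] = i % 4 === 3 ? 255 : (i * 7) % 256;
  return px;
}

// Map the k-th payload bit to a colour-channel index (alpha is skipped).
const channelIndex = (k) => Math.floor(k / 3) * 4 + (k % 3);

// Test fixture: hide bytes in the low bit of each colour channel.
function embedLsb(px, bytes) {
  const out = Uint8ClampedArray.from(px);
  bytes.forEach((b, n) => {
    for (let bit = 0; bit < 8; bit++) {
      const i = channelIndex(n * 8 + bit);
      out[i] = (out[i] & 0xfe) | ((b >> (7 - bit)) & 1);
    }
  });
  return out;
}

// Read `length` bytes back out of the low bits.
function extractLsb(px, length) {
  const bytes = [];
  for (let n = 0; n < length; n++) {
    let b = 0;
    for (let bit = 0; bit < 8; bit++) b = (b << 1) | (px[channelIndex(n * 8 + bit)] & 1);
    bytes.push(b);
  }
  return bytes;
}

// The "salt": overwrite every colour channel's low bit with noise.
// Math.random is enough here because the noise is not a secret.
function saltLsb(px) {
  const out = Uint8ClampedArray.from(px);
  for (let i = 0; i < out.length; i++) {
    if (i % 4 !== 3) out[i] = (out[i] & 0xfe) | (Math.random() < 0.5 ? 0 : 1);
  }
  return out;
}

// Largest per-channel change between two images (the visual cost of salting).
function maxDelta(a, b) {
  return a.reduce((m, v, i) => Math.max(m, Math.abs(v - b[i])), 0);
}
```

Low-bit noise only defeats low-bit schemes; data carried in higher bits or in file metadata needs a full decode and re-encode of the image.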
Ad companies so far don’t seem to have any reason to vet the ads because it is cheaper to copy and paste a boilerplate apology when a bunch of people get hit with ransomware than it is to invest in any kind of vetting process.
As much as we would like to see things change, most website owners are either unwilling or unable to drop a bad advertiser. Because of this, they are not at risk of losing their reach, and with no other consequences (not like they are going to cover the ransom or other costs incurred due to a malicious ad), there is no reason for them to change.
With advertisers being unwilling to change, and website owners being unwilling to or not in a position to risk that revenue, the only tool the rest of us have, is ad blocking.
If an ad network wants to restore faith in their service, they need to vet their ads, and back that commitment by offering to cover the cost of any damages incurred due to a malicious ad.
There are only 2 reasons why they refuse it.
1: They know their ads are bad and with their hundreds of millions of billions of dollars in profit, if they had to bear the cost of the damage caused by the malicious ads, it would financially destroy the company.
2: They have no interest in vetting the ads, and don’t care about the damage caused. They take pride in accepting money from criminals because regardless of the ad, they are being paid for the ad contract, thus any step towards preventing malicious ads, is money lost due to less cash flow from the criminals.