Malvertising: Not all Java from is legitimate

Isn’t it ironic to get a Java exploit via , the primary source for one of the most commonly used browser plugins? Current malvertising campaigns are able to do exactly this. This blog post details a relatively new trend: real-time advertisement bidding platforms being infiltrated by cyber criminals spreading malware.

Malvertising has changed over the years. It started with the exploitation of weak advertisement management panels and has now evolved into posing as a legitimate third-party advertiser through social engineering. The current malvertising techniques are quite deceptive and, most of the time, only noticeable on the client side.

Combating this malvertising technique is hard due to the large, layered setup of the bidding platforms currently in place. The malicious advertiser can sit three layers down the chain, but it can just as well be on the first level. Trust is the system most advertisers currently rely on, but it appears insufficient against today’s malvertising campaigns and techniques; a new system needs to be implemented in order to combat them.

Findings in network monitoring

Over the last week, from Tuesday August 19th until Friday August 22nd, the Security Operations Center of Fox-IT’s ProtACT service observed multiple high-profile websites redirecting their visitors to malware. These websites have not been compromised themselves, but are the victims of malvertising. This means an advertisement provider, whose content makes up only a small part of a website, serves malicious advertisements aimed at infecting visitors with malware.

While monitoring network traffic to and from workstations we observed a higher than usual number of infections. When investigating these incidents in depth we noticed that the workstations had been infected via advertisements served on high-profile websites. During this period at least the following websites were observed redirecting and/or serving malicious advertisements to their visitors:


The advertisement in this case led to the Angler exploit kit. Upon landing on this exploit kit, a few checks were done to confirm whether the user was running a vulnerable version of Java, Flash or Silverlight. If the user was deemed vulnerable, the exploit kit would embed an exploit initiating the download of a malicious payload; in this campaign it was the Asprox malware. This whole process, from malvertising to exploit kit, is also visualized in the image at the top of this post.
Please note that a visitor does not need to click on the malicious advertisement in order to get infected. This all happens silently in the background as the ad is loaded by the user’s browser.

One aspect of advertisement networks that makes tracking these threats really complicated is ‘retargeting’. Retargeting is the process of one or multiple ad and content providers leaving tracking data (cookies or other files) so that the next time an advertiser can deliver a different advertisement from the one shown previously. A website that rents out advertisement space can show retargeted advertisements without knowing it. The way it works is that a user with an interesting set of tracking cookies and other metadata for a certain ad provider is retargeted from the original advertisement content on the website to modified or personalized content. We have seen examples where the website that helped with the ad redirect that infected a user had no idea it was helping deliver that content for a certain ad provider.

While half the world is already familiar with the exploitation of browser plugins, keep in mind that drive-by and watering-hole attacks do not focus solely on the common browsers. A couple of months ago we also noticed that advertisements loaded by the ‘Skype’ application were serving malicious content.

In both cases Fox-IT contacted the affected advertising platform, AppNexus in both instances, to quickly stop the malvertising.

The problem

The biggest problem with these malicious advertisements is that separating good from bad is a difficult process in the world of online advertising. With specific schemes such as real-time bidding, bad advertisements can remain hidden for extended periods of time. The Dutch website has recently published a detailed article about the problem here.

AppNexus, used as the example for this case, is one of the companies providing real-time bidding on advertisements and is used by many of the top-ranking websites.

What is real-time bidding?

Real-time bidding is a process many advertisers use to serve ads. When a user visits a website, this triggers a bidding request among the affiliates of the advertiser, who get to see metadata about the visiting user. This metadata can include geographical location, browser type and web browsing history. The affiliates in turn automatically bid on this impression, and the highest bidding advertiser gets to display their ad. In the case of this malvertising campaign the malicious advertisers were the highest bidders. For more details please see

The Payload

The aim of the exploit kit is to execute a malicious file on the visitor’s computer to infect it. The Angler exploit kit has been observed delivering different payloads in the last few days. Although the dropped malware can vary, Fox-IT has only seen the Asprox malware being spread with this campaign.

Update (August 27th): It was pointed out by Kimberly on Twitter that it was in fact Rerdom that was distributed, which we mistook for Asprox ( Although Asprox and Rerdom do have a close relationship and are affiliated with each other. More about the Asprox ecosystem can be read here on the StopMalvertising website: [ Urgent eviction notification – A deeper dive into the Asprox Ecosystem ].

Asprox is a notorious spam botnet which has upped its game over the past few months by using the infected machines to perform advertisement click fraud. Since this move, the actors behind this botnet have started spreading Asprox on a much larger scale, at first via e-mail attachments and now by employing various exploit kits. Statistics published by FireEye back in May 2014 show big fluctuations in the botnet size and botnet activity:

FireEye Asprox tracking

In 2013 Trend Micro also published a paper about Asprox which explained the variety of functionality in the botnet. While Asprox is known to most as a spam botnet, spam is only one component of the modular botnet called Asprox. Asprox has gone through many changes and modifications, which include spam modules, website scanning modules and even credential stealing modules. This history and current events show Asprox is still actively being developed and used.

Indicators of compromise

These IOCs relate specifically to the malvertising campaign on the high-ranked websites. The advertisement content first redirects to: ( which in turn redirects towards the exploit kit.

The exploit kit:

Domains that were observed:

  • (on port 37702)
  • (on port 37702)

Passive DNS logging shows three IPs having been associated with these domains:


All the exploit kit hosts were observed using port 37702. Running exploit kits on high ports may, at best, prevent certain network monitoring tools from logging the HTTP connections, as these are typically configured to inspect only the standard HTTP ports. On the other hand, it means this exploit kit is blocked on a lot of corporate networks, as they do not allow browsing outside the normal HTTP ports: port 80 (or proxy ports) and 443 for SSL.

The ‘Asprox’ malware:

Since this botnet makes use of a fast-flux technique, the domain names make for better indicators of compromise than IPs:


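The two points above, exploit kit traffic on a non-standard port such as 37702 and domain names rather than IPs as indicators because the infrastructure is fast-flux, can be turned into a simple proxy log check. The script below is an added example and not code from the Fox-IT post: the log lines, the 8080 proxy port and the indicator domain ek-placeholder.example are constructed placeholders, since the real domains are not reproduced here.

```python
import re
# Constructed proxy log lines for this example (not from the Fox-IT post):
# timestamp, client IP, method, URL, HTTP status code.
SAMPLE_LOG = """\
2014-08-20T10:01:02 10.0.0.5 GET http://news.example/index.html 200
2014-08-20T10:01:03 10.0.0.5 GET http://ads.example/serve?id=1 302
2014-08-20T10:01:04 10.0.0.5 GET http://cdn.ek-placeholder.example:37702/landing 200
2014-08-20T10:01:05 10.0.0.5 GET http://cdn.ek-placeholder.example:37702/java.jar 200
2014-08-20T10:02:00 10.0.0.7 GET https://shop.example/cart 200
2014-08-20T10:02:30 10.0.0.7 GET http://intranet.example:8080/app 200
"""

ALLOWED_PORTS = {80, 443, 8080}           # browser HTTP(S) plus an assumed proxy port
IOC_DOMAINS = {"ek-placeholder.example"}  # placeholder: the post's domains are not reproduced
URL_RE = re.compile(r"^(https?)://([^/:\s]+)(?::(\d+))?(?:/\S*)?$")

def parse_line(line):
    """Return (client, host, port, status) or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    u = URL_RE.match(parts[3])
    if not u:
        return None
    scheme, host, port = u.group(1), u.group(2).lower(), u.group(3)
    port = int(port) if port else (443 if scheme == "https" else 80)
    return parts[1], host, port, int(parts[4])

def matches_ioc(host):
    """Match the host or any parent domain: fast-flux hosts rotate IPs, not names."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in IOC_DOMAINS for i in range(len(labels)))

def analyse(log_text):
    """Flag HTTP on non-standard ports and hits on indicator domains."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, host, port, _status = rec
        reasons = []
        if port not in ALLOWED_PORTS:
            reasons.append(f"http on non-standard port {port}")
        if matches_ioc(host):
            reasons.append("host matches exploit-kit domain indicator")
        if reasons:
            alerts.append((client, host, port, reasons))
    return alerts
```

On the sample log only the two requests from 10.0.0.5 to port 37702 are flagged, each for both reasons; the 8080 request passes because that port is treated as a proxy port.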
The following MD5 hashes were seen for the dropped payload:

  • Crypted payload: 554c5dbb12e3fd382ce16e5bb34a17c2
  • Decrypted payload: 5304bc5b9454e6bc5a0ba2bff0eba605


There is no silver bullet to protect yourself from malvertising. At a minimum:

  • Enable click-to-play in your browser. This prevents third-party plugins from executing automatically.
  • Keep all plugins running in the browser up to date using tools like Secunia PSI.
  • Consider turning off plugins you don’t use. For example, Java can be installed without the web plugin component, lowering the risk of exploitation and infection.

Usage of Adblockers

In cases of malvertising on websites, ad blockers are usually effective in blocking the redirects.
However, in the case of Skype on May 15th they would have been insufficient. Most ad blockers are browser add-ons and are incapable of filtering traffic for other applications. Skype uses Adobe Flash to display certain advertisements, and Flash happens to be a plugin which Angler can exploit.

Fox-IT Security Research Team

42 thoughts on “Malvertising: Not all Java from is legitimate

  2. The real-time bidding part is pretty interesting, I never thought ad services are so evolved.

    On the other hand, the use of the MD-5 hashes is a bit deprecated. Why don’t you use SHA-256? More details on
