Cisco Blogs


Cisco Blog > Security > Threat Research

Threat Spotlight: “Kyle and Stan” Malvertising Network 9 Times Larger Than Expected

This post was authored by Armin Pelkmann.

On September 8th, Cisco’s Talos Security Intelligence & Research Group unveiled the existence of the “Kyle and Stan” Malvertisement Network. The network was responsible for placing malicious advertisements on big websites like amazon.com, ads.yahoo.com, www.winrar.com, youtube.com and 70 other domains. As it turns out, this was just the tip of the iceberg. Ongoing research now reveals the real size of the attackers’ network is 9 times larger than reported in our first blog. For more details, read the Kyle and Stan Blog.

The infographic below illustrates how much more of the malvertisement network was uncovered in comparison to our first assessment. We have now isolated 6491 domains sharing the same infrastructure. This is over 9 times the previously mentioned 703 domains.  We have observed and analyzed 31151 connections made to these domains. This equals over 3 times the amount of connections previously observed. The increase in connections is most likely not proportional to the domains due to the fact that a long time that has passed since the initial attacks.

img_new_numbers

The discovery difference from the previous blog to this one in raw numbers. With more than 3-times the now observed connections and over 9-times the revealed malicious domains, this malvertising network is of unusually massive proportions.

Read More »

Tags: , , , , , , , , , , , , , , , , , ,

Threat Spotlight: “Kyle and Stan” Malvertising Network Threatens Windows and Mac Users With Mutating Malware

This post was authored by Shaun Hurley, David McDaniel and Armin Pelkmann.

Update 2014-09-22: Updates on this threat can be found here

img_MetricsHave you visited amazon.com, ads.yahoo.com, www.winrar.com, youtube.com, or any of the 74 domains listed below lately? If the answer is yes, then you may have been a victim to the “Kyle and Stan” Malvertising Network that distributes sophisticated, mutating malware for Windows and even Macs.

Table of contents

Attack in a Nutshell
Timeline
Technical Breakdown
Reversing of the Mac Malware
Reversing of the Windows Malware
IOCs
Conclusion
Protecting Users Against These Threats

Malvertising is a short form for “malicious advertising.” The idea is very simple: use online advertising to spread malware. Read More »

Tags: , , , , , , , , , , , , , , , , , ,

Filtering Explicit Content

Many web sites provide a setting to reduce the amount of explicit, or objectionable, content returned by the site. The user configures these settings, but many users are unaware such a setting exists, or that it needs to be set for each web site. Additionally, the security administrator cannot audit that users have configured the setting. As a result, users can be exposed to objectionable content or can inadvertently trigger filtering of objectionable content on the Cisco security service (Cisco WSA or CWS), sometimes causing uncomfortable questions from human resources or from management.

An emerging standard defines a new HTTP header, “Prefer: Safe,” which does not require the user to configure each web site. This feature is implemented by Firefox, Internet Explorer 10, and Bing. We anticipate more clients and more content providers will support this emerging standard.

Both Cisco Web Security Appliance (WSA) and Cloud Web Security (CWS) support this emerging standard, and can be configured to insert this header on behalf of HTTP and HTTPS clients. In this way, the security administrator can cause all traffic to default to avoiding explicit or objectionable content, without relying on users to configure their browser or to configure each visited web site.

Tags: , , , , , ,

Improving Email at Cisco Part 1 – The IT Technology Side

My personal email has 4 characteristics that drive me crazy:

  • I get way too much email
  • Most of my emails are a waste of time
  • Emails carry the risk of, very rarely, nasty virus payloads (or link you to sites that have worse)
  • Despite all this, I can’t live without email Read More »

Tags: , , , , , , ,

Botnets Riding Rails to your Data Center

May 29, 2013 at 10:57 am PST

Cisco Security Intelligence Operations is tracking reports of ongoing exploitation of a vulnerability in the popular web application framework Ruby on Rails that creates a Linux-based botnet. The vulnerability dates back to January 2013 and affects Ruby on Rails versions prior to 3.2.11, 3.1.10, 3.0.19, and 2.3.15.  Cisco Security Intelligence Operations’ has previously published an analysis of CVE-2013-0156. Cisco is receiving reports of attempted infection from Cisco IPS customers participating in Global Correlation.

Botnet C2 Code Read More »

Tags: , , , , , , , , , ,