info@qualityplusconsulting.com l +1 262-553-6510

QPC podcasts have moved

Please forgive our old content here while we reorganize and redo our old website.

All new QPC podcasts are hosted on a more convenient platform for all of us.

Please visit https://qpcsecurity.podbean.com where you can use the Podbean mobile app, stream directly from the site, and sign up for the RSS feed.

Breakfast Bytes - Malvertising Example and Fix

5/20/2016


Real world example of a malvertisement
An example of how a malvertisement caused a problem for the computer's owner, how the issue was fixed, and how future incidents are prevented.

MP3 - Malvertising Example and Fix

What happened?

The computer owner was browsing the website for Entertainment Tonight and got a message from the host-based security product that a URL was blocked for being malicious, but then the below image also showed up.

The computer owner had a consumer-grade security product installed on the computer. The product also had an uninstall and configuration-change password configured, which is good. But consumer-grade products often do not have an unload-prevention password, so a process running as the user can simply stop the agent. The malware unloaded the security product and prevented it from running again, even after a reboot.

So the message below was displayed AND a klaxon-like noise was coming from the speakers of the computer at a regular interval. Fortunately, the computer owner did not fall for the criminal's ploy. They contacted QPC.

[Image: Krpik Malvertisement]

The computer was set up properly from the perspective that the user was not browsing the internet with an admin account; the computer owner did have a separate admin account. They also had full system backups from a couple of days prior.

I put the computer on a special section of my secured and isolated "internet only" network. This allowed me to see all the packets ingressing and egressing from that computer. With that, I was able to identify some packets for investigation. Using other tools, I was able to identify which processes on the computer were generating that traffic. It turned out that valid applications on the computer were generating the suspicious packets I investigated, and no other suspicious packets were occurring.
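The correlation step described above, joining what the isolated gateway sees to the process that owns each socket on the host, is shown here as an added example; it is not code from QPC or from the podcast. The flow log, socket table and process names are all constructed sample data in an assumed layout (real exports from a firewall, `netstat -ano` or `tasklist` will differ), and the image names are hypothetical. It also handles the case the narrative does not spell out: a flow the gateway saw that no host socket explains at all.

```python
"""Added example: tie egress flows captured on an isolated segment to the
host process that owns each socket. All data below is constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed gateway flow log for the isolated "internet only" segment.
# The key=value layout is an assumption, not any particular product's format.
GATEWAY_FLOWS = """\
2016-05-18T10:01:02 src=192.168.50.20:49712 dst=203.0.113.10:443 proto=tcp bytes=5120
2016-05-18T10:01:05 src=192.168.50.20:49715 dst=198.51.100.7:80 proto=tcp bytes=820
2016-05-18T10:01:09 src=192.168.50.20:49720 dst=203.0.113.55:443 proto=tcp bytes=120
2016-05-18T10:01:11 src=192.168.50.20:53010 dst=203.0.113.2:53 proto=udp bytes=64
"""

# Constructed host socket table in the shape of `netstat -ano` output
# (proto local remote state pid), captured while the flows were live.
# Note the UDP flow above has no matching entry.
HOST_SOCKETS = """\
TCP 192.168.50.20:49712 203.0.113.10:443 ESTABLISHED 1840
TCP 192.168.50.20:49715 198.51.100.7:80 ESTABLISHED 1840
TCP 192.168.50.20:49720 203.0.113.55:443 ESTABLISHED 2212
"""

# Constructed pid -> image name map (as `tasklist` would give); names are hypothetical.
HOST_PROCESSES = {1840: "chrome.exe", 2212: "updater_helper.exe"}

# Images the analyst has already verified as legitimate on this machine.
KNOWN_GOOD = {"chrome.exe", "svchost.exe"}


@dataclass
class Flow:
    ts: str
    src: str            # "ip:port" as seen by the gateway
    dst: str
    proto: str
    nbytes: int
    pid: Optional[int] = None     # filled in by correlate()
    image: Optional[str] = None


def parse_flows(text):
    """Parse key=value flow lines into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        flows.append(Flow(ts, fields["src"], fields["dst"],
                          fields["proto"], int(fields["bytes"])))
    return flows


def parse_sockets(text):
    """Map (proto, local, remote) -> pid from netstat-style lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, local, remote, _state, pid = parts
        table[(proto.lower(), local, remote)] = int(pid)
    return table


def correlate(flows, sockets, processes):
    """Attach the owning pid and image name to each gateway flow.

    The join key is protocol plus the full source/destination pair, so a
    flow is only tied to a socket that exactly matches it; anything else
    stays unattributed (pid and image remain None).
    """
    for fl in flows:
        pid = sockets.get((fl.proto.lower(), fl.src, fl.dst))
        fl.pid = pid
        fl.image = processes.get(pid) if pid is not None else None
    return flows


def unexplained(flows, known_good):
    """Return flows whose owning image is unverified or unknown.

    A hit means "investigate this process", not "this is malware"; in the
    incident above the suspicious flows turned out to belong to valid apps.
    """
    return [fl for fl in flows if fl.image not in known_good]


if __name__ == "__main__":
    result = correlate(parse_flows(GATEWAY_FLOWS),
                       parse_sockets(HOST_SOCKETS), HOST_PROCESSES)
    for fl in unexplained(result, KNOWN_GOOD):
        print(f"{fl.ts} {fl.proto} -> {fl.dst}  pid={fl.pid} image={fl.image}")
```

Flows that come back with no pid at all deserve as much attention as those owned by an unknown image: a socket that closed before the host snapshot was taken is the usual explanation, but on a machine where the security agent was just unloaded, a short-lived process is exactly what you would want to catch, so take the host snapshot repeatedly while traffic is flowing rather than once.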

I uninstalled the consumer-grade security product from the computer. Next, business-class Trend Worry-Free Business Security Services was installed and a full system scan was run.

I was able to get the computer cleaned with the new product, and I manually rectified the browser hijack issue.

Finally, we tested browsing to the same infected website with the Trend WFBiz product installed and enabled in the browser. The computer owner noticed that the pile of advertisements that previously filled the entire right pane of the website were no longer shown. No errors appeared; the malicious content was simply blocked silently.
