Fake antivirus attack driven by Web ads
An Internet security firm has identified a new variant of a fake anti-virus attack that uses Web advertisements to relay users into the Shnakule network, a large malware delivery network on the Internet. The Shnakule network has averaged around 2,000 unique host names per day, with as many as 4,357 in a single day. It has been very active with fake anti-virus attacks, typically conducted via search engine poisoning, according to Blue Coat Systems. With this latest attack, Shnakule is now using malvertising to conduct its attacks. To date, Blue Coat said it has identified more than 15,000 user requests related to the latest form of the attack.

The latest Shnakule attack is a three-stage attack that utilizes malicious Web advertisements. In the first stage, malicious ad servers were set up as independent entities, not directly associated with each other or any existing Shnakule sub-networks, to route users to malware. In the second stage, a new Shnakule sub-network relays users to the malware. The final stage is the malware payload, which changes frequently in an attempt to avoid detection by anti-virus software.

"Though this attack initially launched in late June, it is still continuing, and in a recent check of the payload by Blue Coat Security Labs against 43 anti-virus engines only two of those engines identified the payload as malicious or suspicious," said Chris Larsen, senior malware researcher for Blue Coat Systems.

In the current attack, none of the rogue ad servers appears by name in the pages that host its ads, indicating that the victimized legitimate sites are not directly using these ad servers. Each of the rogue ad servers had been set up with different registrars at least a month prior to launching the attack, which was long enough to successfully convince Web advertising companies that they were serving legitimate ads.

-- Newsbytes.ph