Thread: Well OT
Posted to uk.d-i-y
John Rumm

On 12/04/2014 14:45, John Rumm wrote:
On 11/04/2014 21:53, Vir Campestris wrote:
On 10/04/2014 01:20, John Rumm wrote:
Malware that compromises ad servers is usually smart enough to only
poison a very small number of ads served - so on a typical site it
might only hit every 1000th visitor etc. It keeps the detection rate
much lower, since there is a very small chance an AV company will sample
the site at just the right moment.


That doesn't work.


It's common practice, so some folks obviously think it worthwhile.

There's also a much smaller chance of infecting anyone.


Precisely, and that is exactly why they do it. If most people who visit
a site get served a "safe" ad, then the site does not acquire a
reputation for serving malware, and does not draw attention to itself.
However over time, they will still infect large numbers of visitors.

I would anticipate that AV companies will pay more attention to sites
that draw lots of reports from users than those that don't.

(think about it - say every 1000th hit is the AV company, and they
infect 1 in ten. After 500 hits they've infected 50, and been detected.
If they went for everyone it would only take 50 hits to infect the 50
people, and be detected)


Remember though that this is a compromised ad server we are talking
about - so even if they go for a regular "1 in n" approach to serving
malign ads (rather than a more randomised approach), the ads will be
distributed over a number of web sites dictated by who is using the ad
server. So infection attempts will not necessarily correlate well with
visits to a particular site.



By coincidence I came across this talk by a former spyware software
developer, that touches on some of these things - this is the second
part of a three part talk he gave at DEFCON 18:

https://www.youtube.com/watch?v=lpJSEY1O_Pc

Makes for quite entertaining viewing.



--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
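An added worked model of the "1 in n" argument above (my own code, not from the thread or any poster): it treats each page hit as an independent scanner sample with probability `scanner_rate` and each ad as malicious with probability `serve_rate`, then computes how many visitors are infected before a scanner sample lands on a malicious ad. The closed form shows the serve rate cancels out of infections-per-detection, while the time-to-detection does depend on it; `simulate_infections_before_detection` checks the closed form by Monte Carlo.

```python
"""Detection-by-sampling model for the malvertising argument in the post.

Constructed model (not from the post): every page hit is, independently, an
AV scanner's sample with probability `scanner_rate`, and the ad server returns
the malicious creative with probability `serve_rate`.  A malicious serve that
lands on a scanner is a detection; one that lands on a visitor is an infection.
"""
import random
from fractions import Fraction


def expected_infections_before_detection(serve_rate, scanner_rate):
    """Closed form.  Per hit, P(infect) = (1 - s) * p and P(detect) = s * p,
    so infections before the first detection are geometric with mean
    (1 - s) * p / (s * p) = (1 - s) / s.  The serve rate p cancels out:
    serving fewer malicious ads does not buy more infections per detection."""
    s, p = Fraction(scanner_rate), Fraction(serve_rate)
    return ((1 - s) * p) / (s * p)


def expected_hits_until_detection(serve_rate, scanner_rate):
    """What a lower serve rate does buy: the scheme survives 1 / (s * p) hits,
    so a defender's lever is a higher sampling rate, not more patience."""
    return 1 / (Fraction(scanner_rate) * Fraction(serve_rate))


def simulate_infections_before_detection(serve_rate, scanner_rate, trials, seed=1):
    """Monte Carlo check of the closed form over `trials` independent runs."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        infections = 0
        while True:
            if rng.random() >= serve_rate:   # benign ad: nobody learns anything
                continue
            if rng.random() < scanner_rate:  # malicious ad hit a scanner sample
                break
            infections += 1                  # malicious ad hit an ordinary visitor
        total += infections
    return total / trials


if __name__ == "__main__":
    scanner = Fraction(1, 1000)              # one hit in a thousand is a scanner
    for serve in (Fraction(1, 10), Fraction(1)):
        print(f"serve 1 in {1 / serve}: "
              f"{expected_infections_before_detection(serve, scanner)} infections "
              f"before detection, after ~{expected_hits_until_detection(serve, scanner)} hits")
```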