RoughTed Infection Map

Security vendor Check Point has said RoughTed topped the malware charts in June. In a blog post it said that 28% of organisations globally were affected by the RoughTed malvertising campaign last month. This number comes from Check Point’s global network of sensors and data from customers who have opted in to provide real-time threat data. Importantly this puts some force behind the numbers rather than their being plucked out of the air.

What is malvertising?

Malvertising is an increasing problem as websites scramble to make money to keep going. Reports from other security vendors such as RiskIQ have shown that malvertising is growing faster than legitimate advertising. Those behind malvertising campaigns are not just targeting small websites. They have already breached several of the major online ad platforms.

This has led to sites such as TMZ, MSN, New York Times, BBC and NFL serving up malware to their visitors. The malware often includes exploit kits which install ransomware and other nasty things onto computers.

How bad is RoughTed?

In a word, Nasty! Its ability to affect 28% of the companies and sensors such as honeypots deployed by Check Point is impressive. It was first spotted in May and by the end of June had impacted over 150 countries. Its authors have included the ability to attack any operating system. This means that it doesn’t matter whether you view the Internet on a mobile device, a laptop or a PC, all systems are susceptible to attack.

RoughTed has been equipped with technology to bypass ad-blocking technology. This is something that will concern security teams. One of the reasons for installing ad-blockers on end user devices is to reduce the risk of malvertising attacks. Check Point also says that it uses fingerprinting of the local machine to determine what malware and exploit to use. This is a significant degree of sophistication that is not commonly seen.

What were the top 10 Most Wanted malware in June?

Check Point has provided a list of its Top 10 Most Wanted malware from June. It’s pretty impressive and contains several ransomware variants. The list is:

  1. ↑ RoughTed – Large-scale malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
  2. ↓ Fireball – Browser-hijacker that can be turned into a full-functioning malware downloader. It is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
  3. ↑ Slammer – Memory resident worm targeted to attack Microsoft SQL 2000. By propagating rapidly, the worm can cause a denial of service condition on affected targets.
  4. ↑ Cryptowall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomwares to date. Cryptowall is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
  5. ↔ HackerDefender – User-mode Rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.
  6. ↑ Jaff – Ransomware which began being distributed by the Necurs botnet in May 2017.
  7. ↓ Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  8. ↑ Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
  9. ↑ Zeus – Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information.
  10. ↓ Rig EK – Exploit Kit first introduced in 2014. Rig delivers exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript that checks for vulnerable plug-ins and delivers the exploit.

What does this mean?

With several high-profile global attacks playing out this year, organisations are paying more attention than usual. The problem is that they are often focused on the latest type of attack rather than monitoring for all attacks. This creates blind spots that attackers are very good at exploiting.

The attacks in the Top 10 use a variety of different methods and exploits. They also have different targets. This makes them hard to identify and block if security teams are distracted with other problems.

One of the ways to deal with this distraction is to not have the entire IT security team chasing the same problem. There needs to be part of the team that deals with the wider security threat landscape. This then allows smaller teams to focus on specific attacks and defences.

The rise of malvertising as a delivery vehicle is likely to continue. There is a need for the major ad platforms to do more when it comes to protecting themselves. If they continue to be as open to attack as in the past, criminals will continue to use them as their delivery mechanism. Ad revenue is essential for many of the sites on the Internet. If users reach the point where they cannot trust the ads they are served they will use even more draconian tools to block ads. That will force many sites offline so it is time for the online ad industry to sort this problem out.