On Wednesday, June 12, Rolling Stone Magazine’s website automatically served visitors drive-by downloads via an ad network it uses to generate revenue. The chain of redirects that began at the index of RollingStone.com and led to malicious content served by an exploit kit was as follows:
In the above chain, doubleclick.net corresponds to Google’s DoubleClick ad network, while 50[.]23[.]2[.]66 appears to act as a relatively well-disguised malicious traffic distribution system. The domain pintcampaign[.]com acts as an entry point to the Sweet Orange Exploit Kit, which, together with Blackhole, accounts for a substantial portion of the current exploit kit market. Like most exploit kits, Sweet Orange serves the user a cocktail of exploits targeting ubiquitous software components such as Oracle’s Java web plugin and Adobe’s Acrobat Reader.
If one of these exploits succeeds in compromising a web software component on the user’s machine, a payload is retrieved from superseverity[.]heelclicker[.]net and installed on the victim’s system. VirusTotal detections for the file are available here. Subsequent analysis of the malware’s network traffic reveals it to be an instance of ZeroAccess, which, given its distribution through an ad network, ironically generates revenue for its operators primarily through click fraud.
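A defender can spot a chain of this shape in web proxy logs by linking each request back through its Referer to the page that started it, then looking for the malvertising pattern described above: a chain that begins on a publisher page, passes through an ad network and an IP-literal host, and ends in a binary download. The following script is an added example written for this post, not Barracuda Labs’ own tooling. The log format (client, URL, Referer, Content-Type, whitespace-separated) and all URL paths are constructed; the hostnames are the indicators named in the post, written undefanged so the log lines parse.

```python
"""Reconstruct Referer-linked redirect chains from proxy logs and flag
malvertising-shaped chains.  Added example; log format and paths are
constructed, hostnames are the indicators from the post (undefanged)."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log: client  url  referer  content-type
SAMPLE_LOG = """\
10.0.0.5 http://www.rollingstone.com/ - text/html
10.0.0.5 http://ad.doubleclick.net/adj/rs.music/home;sz=728x90 http://www.rollingstone.com/ text/javascript
10.0.0.5 http://50.23.2.66/ads/rotate.php?id=17 http://ad.doubleclick.net/adj/rs.music/home;sz=728x90 text/html
10.0.0.5 http://pintcampaign.com/inx.php?x=71 http://50.23.2.66/ads/rotate.php?id=17 text/html
10.0.0.5 http://pintcampaign.com/pdfx.php?j=4 http://pintcampaign.com/inx.php?x=71 application/pdf
10.0.0.5 http://superseverity.heelclicker.net/dl.php?k=9 http://pintcampaign.com/pdfx.php?j=4 application/octet-stream
10.0.0.7 http://www.rollingstone.com/ - text/html
10.0.0.7 http://ad.doubleclick.net/adj/rs.music/home;sz=728x90 http://www.rollingstone.com/ text/javascript
10.0.0.7 http://cdn.example-ads.net/banner.jpg http://ad.doubleclick.net/adj/rs.music/home;sz=728x90 image/jpeg
"""

# Hosts treated as ad-network hops (constructed list; extend from your own telemetry).
AD_NETWORKS = {"doubleclick.net"}
# Content types that indicate an executable download at the end of a chain.
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}


def parse_log(text):
    """Split each log line into a dict; '-' means no Referer was sent."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, url, referer, ctype = line.split()
        entries.append({"client": client, "url": url,
                        "referer": None if referer == "-" else referer,
                        "ctype": ctype})
    return entries


def host_of(url):
    return urlparse(url).hostname or ""


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def build_chains(entries):
    """For every request, walk Referers backwards (per client) to the origin page.
    Returns a list of (client, [origin, ..., request]) chains."""
    by_client = defaultdict(dict)
    for e in entries:
        by_client[e["client"]][e["url"]] = e
    chains = []
    for client, lookup in by_client.items():
        for e in lookup.values():
            chain, seen, cur = [e], {e["url"]}, e
            # Stop at a missing Referer, an unseen URL, or a loop.
            while cur["referer"] and cur["referer"] in lookup and cur["referer"] not in seen:
                cur = lookup[cur["referer"]]
                seen.add(cur["url"])
                chain.append(cur)
            chain.reverse()
            chains.append((client, chain))
    return chains


def flag_malvertising(chains):
    """Flag chains that pass through an ad network AND an IP-literal host
    AND end in a binary download."""
    hits = []
    for client, chain in chains:
        hosts = [host_of(e["url"]) for e in chain]
        via_ad = any(in_domain(h, d) for h in hosts for d in AD_NETWORKS)
        via_ip = any(is_ip_literal(h) for h in hosts)
        ends_binary = chain[-1]["ctype"] in BINARY_TYPES
        if via_ad and via_ip and ends_binary:
            hits.append({"client": client, "hosts": hosts})
    return hits


def analyze(text):
    return flag_malvertising(build_chains(parse_log(text)))


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(hit["client"], " -> ".join(hit["hosts"]))
```

Only the client whose chain reaches the executable download is reported; the second client, who received an ordinary image through the same ad slot, is not. Requiring all three conditions keeps the rule quiet on legitimate ad traffic, while the reconstructed host sequence gives an analyst the full path from publisher to payload host for blocking and further review.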
Users have many reasons to block web ads (e.g., longer battery life and a better web browsing experience). Although seldom mentioned, improved security has been and continues to be one of them. For those not yet using ad blocking software, Barracuda Labs recommends Adblock Plus, which is a free plugin available for both Google Chrome and Mozilla Firefox. In the case of the RollingStone.com campaign and in almost half of the top-ranked drive-by download instances we observed in a previous systematic study, an ad-free web would also have prevented malicious content from reaching the user.