Malicious malvertizement versus clean ... let's take a look at good versus bad, and the use of Fuse Kit
As I have said before, the criminals who are creating malvertizements are inherently lazy. If they can take shortcuts (such as taking a pre-existing "good" advertisement then manipulating it to add their own malicious code) then they will. For example, let's look at the cardstore.com malvertizement recently featured on this blog.
The author of the bad malvertizement used Fuse (Fuse Kit, an ActionScript animation library); the clean advertisement (sourced from bannersonline.com) shows no sign of Fuse.
Good advert: [screenshot]
Bad advert: [screenshot]
Good advert - opening script: [screenshot]
Bad advert - opening script: [screenshot]
Bad advert: [screenshot]
Good advert: [screenshot]
You will note that there are additional bits within the malicious advertisement, an important one being "Dynamic text 4". It is here that the bad guys are, apparently, hiding nasty stuff. There are also three additional scripts and four Sprites. The "Dynamic text 4" text is: [screenshot]
Now, I don't pretend to understand exactly how "Dynamic Text 4" is being misused - in no way can I claim to be a coder - heck, I can't even claim to be the person who spotted the problem with "Dynamic Text 4" (it was Kimberley who saw that) but what I can say is that *something* is going on. The script for the clean ad is tiny (heck, even I can understand it) - the script for the bad ad is far longer (check out the scroll bars) but there is no way I can grok it, or distill it down to a behavioral description that all of us can understand. Would anybody like to be guest blogger for a day and explain the "what, why and how" for my long-suffering readers?
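The structural comparison made above (extra scripts, extra sprites, an added dynamic text field) can be done mechanically from the raw SWF files rather than by eyeballing two screenshots. This is an added example, not code from the original post or from either advertisement: a Python tag walker that inventories DoAction, DefineSprite and DefineEditText tags (codes from the SWF file format specification) in two SWF files and reports what the suspect one has more of. The two SWFs built at the bottom are constructed stand-ins, not the real cardstore.com or bannersonline.com files.

```python
import struct
import zlib
from collections import Counter

# Tag codes from the SWF file format spec for the element types the post compares
TAG_NAMES = {12: "DoAction", 37: "DefineEditText", 39: "DefineSprite", 59: "DoInitAction"}
def iter_tags(buf: bytes, pos: int):
    """Yield (code, payload) per tag record from pos until the End tag (code 0)."""
    while pos + 2 <= len(buf):
        hdr = struct.unpack_from("<H", buf, pos)[0]
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:  # long header: a 32-bit length follows
            length, pos = struct.unpack_from("<I", buf, pos)[0], pos + 4
        if code == 0:
            return
        yield code, buf[pos:pos + length]
        pos += length

def tag_inventory(data: bytes) -> Counter:
    """Count script, sprite and edit-text tags, recursing into DefineSprite bodies."""
    if data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not a SWF file")
    buf = zlib.decompress(data[8:]) if data[:3] == b"CWS" else data[8:]  # CWS: zlib from byte 8
    nbits = buf[0] >> 3                  # frame RECT: 5-bit nbits, then four nbits-wide fields
    pos = (5 + 4 * nbits + 7) // 8 + 4   # skip RECT, frame rate (2 bytes), frame count (2 bytes)
    counts = Counter()
    def walk(tags):
        for code, payload in tags:
            if code in TAG_NAMES:
                counts[TAG_NAMES[code]] += 1
            if code == 39:  # DefineSprite: sprite id (2), frame count (2), then nested tags
                walk(iter_tags(payload, 4))
    walk(iter_tags(buf, pos))
    return counts

def additions(clean: bytes, suspect: bytes) -> dict:
    """Tag types the suspect ad has more of than the clean one (the post's 'additional bits')."""
    a, b = tag_inventory(clean), tag_inventory(suspect)
    return {name: b[name] - a[name] for name in b if b[name] > a[name]}

# Constructed minimal SWFs standing in for the two ads (not the real cardstore.com files)
def tag(code: int, payload: bytes = b"") -> bytes:
    return struct.pack("<H", (code << 6) | len(payload)) + payload   # short-form header only
def build_swf(tags: bytes) -> bytes:
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1) + tags + tag(0)  # RECT nbits=0, 12 fps, 1 frame
    return b"FWS\x08" + struct.pack("<I", 8 + len(body)) + body

CLEAN_AD = build_swf(tag(12, b"\x00") + tag(1))
BAD_AD = build_swf(tag(12, b"\x00") * 2 + tag(37, b"\x03\x00\x00\x00\x00\x00")  # extra script, edit text
                   + tag(39, struct.pack("<HH", 2, 1) + tag(12, b"\x00") + tag(1) + tag(0)) + tag(1))
```

Running `additions(CLEAN_AD, BAD_AD)` on the constructed pair reports two extra DoAction scripts (one of them nested inside the sprite), one extra sprite and one extra edit-text field, which is the kind of inventory diff the post describes for the real ads.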
