Hacker News new | ask | show | jobs
by andy112 3901 days ago
Hi all. This is a side-project I've been working on for a while now. From the FAQs page:

Why is something like this a good idea?

JavaScript, iframes, and other embedded web content have the potential to cause your browser to take unwanted and even harmful actions on your behalf, however visibility into what you're running as you browse is very limited. After-the-fact analysis of what you were sent is (in nearly all cases) outright impossible.

If you have any thoughts or want a few interesting queries to get started, get in touch. Feedback is welcome!
1 comments
voltagex_ 3901 days ago
Can you help with any analysis of http://blog.voltagex.org/2015/10/07/malvertising-on-my-stack...?

Basically, a script started displaying really intrusive ads on StackOverflow, initially only on my Nexus 5 - the only way to get rid of them was clearing the cache. It did not happen over HTTPS. A commenter thinks it might be a compromised Google Analytics script but this doesn't sound possible.

link
andy112 3901 days ago
Hmm, that sounds strange.

If you were only able to reproduce it on a Nexus 5, I don't think analysis with ScriptObservatory will be easy. I'd still suggest submitting the URLs to be scanned by the robo-browser and then looking to see if what gets reported looks similar to what you saw before.

Also, if you write a Yara rule that matches on some of the unique features in the JS/iframes you saw, you could run a search through what's been seen. You can use that to also be alerted when new matches are reported. If something similar has been seen elsewhere, you might be able to tie it to a specific ad network.

link
voltagex_ 3901 days ago
Looking at Yara rules - I won't have time today but a unique-ish string in the script was

adsbyText:"ADS BY "+

including quotes.

link
andy112 3901 days ago
Yep that looks like a good string to key off of.

The results for the site you mentioned are here - https://scriptobservatory.org/webpage/543677125f1bea8226ba7c... - but I don't see anything that looks like a clear match.

link
voltagex_ 3901 days ago
Do you differentiate between http and https versions of sites?
link
andy112 3901 days ago
Yes, the two are considered as if they were completely separate sites.
link
voltagex_ 3901 days ago
The only reason I haven't run it again in a VM on a desktop is that the desktop version of these ads is a lot more malicious - exe downloads of antivirus scam software
link