Yahoo Serving Ads with a Side of Malware

This blog is part of our Infinity Vs. The Real World series

It has recently come to light that Yahoo's ad servers were unknowingly distributing a rather nasty piece of malware. This attack vector is not new: we saw the same thing with FireEye when visiting the "Security Careers" section of their website, and it certainly will not be the last. So while this is never a positive thing for anyone, it is inevitable for many companies. But we here at Cylance use these opportunities to test our Infinity platform against real-world malware. First, I turned to our resident malware expert for copies of the Yahoo samples (5 unique files):

MD5: 4365fa50e654ccdf7159d6608b21bf9e
MD5: 47e71b1a29a9bf6f51f804732163ec8d
MD5: b3c64e3017b53f4627a6eee666619f7f
MD5: e0f69226348305c7ca02ca374b562976
MD5: fa5643f8120d11c494ddac8ebd5d672b

In order to get the mathematical confidence rating from Infinity, I'm using CylanceV, our easy-to-use solution for investigating malware and advanced threats. Of the 5 samples, the industry had identified only 2 as bad as of January 6th, 2014. Infinity and CylanceV, however, correctly identified them as malicious files without any prior knowledge, awareness or need for an update. Infinity does all of this without signatures, heuristics, behavioral system analysis, sandboxing or hardware micro-virtualization - just 100% pure math!

As you can see, most of the samples had few or no detections the first time they were submitted on 1/3/2014. For example, MD5 47e71b1a29a9bf6f51f804732163ec8d (which had two names in my set, Qne4X.exe and 5_.exe) was correctly identified by ONLY 4 engines on its first submission! Even more disheartening is that NONE of those 4 were from a major "tier 1" vendor! If the technology used to protect the vast majority of the world's networks isn't catching this stuff, then it's time for a new approach – one based on math, not human intelligence and sacrificial lambs.

How long do you think the malware was running rampant in the world's infrastructure before it was submitted to the prominent public and private malware feeds? Far too long...