Malware Delivered By Yahoo, Fox, Google Ads

WrongSizeGlass writes "CNET is reporting that Avast has tracked over 2.6 million instances of malware that have been served up to unsuspecting web surfers since last December by ad services such as Yahoo's Yield Manager, Fox Audience Network's Fimserve.com and even some from Google's DoubleClick. Some high-profile sites include The New York Times, Drudge Report.com, TechCrunch and WhitePages.com. The practice has been dubbed 'malvertising.' I usually suspect the users of 'careless web activity' when I delouse a PC, but now I'm going to have to give some the benefit of the doubt."
  • by Anonymusing ( 1450747 ) on Tuesday March 23, 2010 @10:22AM (#31583306)

    FTA: "Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser."

  • by julesh ( 229690 ) on Tuesday March 23, 2010 @10:24AM (#31583344)

    Never ever click an ad!

    Clicking not necessary. I was infected with malware earlier this month without any interaction after visiting the Pirate Bay. An advert used javascript to redirect me to an obscure URL ( http://uqwaaa.in/cgi-bin/gjj [uqwaaa.in] ), which proceeded to use a Firefox flaw of some kind to infect me. 3.6 doesn't seem to be susceptible, but 3.5.7 which I was running at the time *was*. The exploit installed a Firefox extension that randomly redirects links from google, yahoo and bing to advertising pages.

  • Re:Yup....seen it. (Score:2, Informative)

    by Nos. ( 179609 ) <andrewNO@SPAMthekerrs.ca> on Tuesday March 23, 2010 @10:26AM (#31583374) Homepage

    I work in the security group and we had a few machines on our help desk get infected with the Antivirus Live malware. After some research, we determined that it came through a legitimate site (help desk site that emulates various OS... can't think of the name), or more specifically the ads on the site.

    We do run WebSense, but this was a legitimate site that our help desk uses quite frequently. All machines were up to date with McAfee, but it was a new variation. We ran it through VirusTotal.com within hours of the infection and I believe there were only two on the list that picked it up at that time.

    So it wasn't the fault of the user and it can't be blamed on our choice of AV vendor. Obviously we need a better way of detecting malware. McAfee does have Artemis, but it failed on VirusTotal as well.

  • Re:Good thing (Score:3, Informative)

    by bunratty ( 545641 ) on Tuesday March 23, 2010 @10:34AM (#31583490)
    In addition, you can also use the Plugin Check [mozilla.com] to make sure you have the most recent versions of plugins to decrease the risk of attack. And don't forget to turn on DEP [microsoft.com] for all programs and services on Windows.
  • Re:Yup....seen it. (Score:4, Informative)

    by Em Emalb ( 452530 ) <ememalb AT gmail DOT com> on Tuesday March 23, 2010 @10:43AM (#31583608) Homepage Journal

    aren't paying attention to the ads their serving are just as at fault as any un-educated (or even educated) user is.

    Aw man. They're. Not their. And I make that gaffe while writing about un-educated and educated. Fail, thy name is Em.

  • by FlyingBishop ( 1293238 ) on Tuesday March 23, 2010 @10:49AM (#31583690)

    Don't block ads. Use NoScript. Blacklists are easily compromised. Whitelists are much more difficult.

  • Privoxy (Score:4, Informative)

    by John Hasler ( 414242 ) on Tuesday March 23, 2010 @11:04AM (#31583912) Homepage

    > Doesn't really help in a business environment - few adblockers allow you to
    > deploy and manage them centrally. Frankly, it would make more sense to block
    > ads at the firewall.

    Privoxy does exactly that.

  • Re:Yup....seen it. (Score:1, Informative)

    by Anonymous Coward on Tuesday March 23, 2010 @11:14AM (#31584052)

    One little hint to avoid/recover from virut.

    Don't store passwords in your browser or in any text file, registry, or any plain un-encrypted space. Your passwords are going to be the ONLY VALUABLE DATA you have left, and you'll have a small window of time to get them all changed. While if you have no backup, your initial time is going to be wasted reloading an OS. If you have a clone, you're up in minutes replacing passwords.

    INSTALL A FUCKING HARDWARE FIREWALL
    Firewall / router
    IPCop + Adv Proxy + URL filter

    ADD a URL filter rule

    Blacklist "iframe"

    looks like one single line

    iframe

    Some others I like

    iframe
    eengine.js
    down.css
    "a.htm"
    drsmartload.exe
    load1.exe
    "http://pages.tvunetworks.com/channels/pulloutad300x250.jsp"
    adx.gif
    8.txt
    out.exe
    adrtv.exe
    ad2.exe
    ntos.exe
    audio.dll
    video.dll
    oembios.exe
    twext.exe
    local.ds
    user.ds
    sysproc86.sys
    sysproc32.sys

    About the iframe block (sorry, no more blogspot.com posting without a little work): Most iframe sites are shit anyway, but you can make an EXCEPTION for your favorite crappy coded iframe website. (While you might be able to pull this off with firefox plugins, there are other browsers eh... which is why we block this shit at the input, er well um in squid)

    Clone Backup of OS. e.g. 750G drive to 750G drive.
    (Clonezilla, Acronis)
    You get hit, You roll back. Less than 20 Min.

    Password Manager
    (Cross Platform on USB - keepassx.org), you get hit, you replace your bank pass's first, your servers second, your blogs like /. third. Bla bla bla, all organized, now you are god.

    Virtual Machines.
    I always liked vmware, then I found SunVM, and then I heard about win7's vm exploit. So I am sticking with SUNVM. That said, create OS iso's for...

    VM OS for dangerous browsing, let er rip, cause when we reboot it's new again, so lets see what happens. Let's learn.

    VM OS for shopping.

    VM OS for banking.

    OTHER PROTECTION.
    Obviously all the other security shit, Kaspersky (KIS), pop3 mail only, no webmail, no HTML mail, NoScript, ABP, TOR, ztree, HJT, spybot, process hacker, etc.

    OF NOTABLE MENTION: Secunia's PSI http://secunia.com
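The URL-filter blacklist in the comment above, worked through in Python as an added example (it is not IPCop or squid code, and not the poster's own): substring rules matched against each request URL, an exception list for hosts you still want to reach, and a strict mode that requires a file-name rule to match the whole last path segment. The sample request URLs and the exception host intranet.example.org are constructed for the example. Two caveats the example makes visible: a proxy URL filter only sees the request URL, so a rule on the string iframe blocks URLs that contain it (such as /iframe.php) but not a page whose <iframe> tag points at an innocuous-looking address; and plain substring rules such as a.htm or 8.txt also catch unrelated files like data.html and 2008.txt.

```python
import re
from urllib.parse import urlsplit

# Rules taken from the post above: one generic substring rule, the file names,
# and the one full URL. They are matched against the request URL, nothing else.
SUBSTRING_RULES = ["iframe"]
FILENAME_RULES = [
    "eengine.js", "down.css", "a.htm", "drsmartload.exe", "load1.exe",
    "adx.gif", "8.txt", "out.exe", "adrtv.exe", "ad2.exe", "ntos.exe",
]
EXACT_URL_RULES = {"http://pages.tvunetworks.com/channels/pulloutad300x250.jsp"}
# Hypothetical exception list for the "favorite crappy coded iframe website".
EXCEPTION_HOSTS = {"intranet.example.org"}

# Constructed sample traffic, not captured from anywhere.
SAMPLE_REQUESTS = [
    "http://ads.example.net/serve/iframe.php?zone=300x250",
    "http://203.0.113.7/load1.exe",
    "http://cdn.example.com/static/data.html",
    "http://www.example.org/reports/2008.txt",
    "http://intranet.example.org/iframe_help.html",
    "http://pages.tvunetworks.com/channels/pulloutad300x250.jsp",
]


def classify(url, strict=False):
    """Return ("block", rule) or ("allow", None) for one request URL.

    strict=False: file-name rules are plain substrings of the URL, as in the post.
    strict=True:  a file-name rule must be the whole last path segment, so
                  '8.txt' no longer also blocks '/reports/2008.txt'.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in EXCEPTION_HOSTS:
        return ("allow", None)
    if url in EXACT_URL_RULES:
        return ("block", url)
    lowered = url.lower()
    for rule in SUBSTRING_RULES:
        if rule in lowered:
            return ("block", rule)
    path = parts.path.lower()
    for rule in FILENAME_RULES:
        if strict:
            if re.search(r"(?:^|/)" + re.escape(rule) + r"$", path):
                return ("block", rule)
        elif rule in lowered:
            return ("block", rule)
    return ("allow", None)


def filter_requests(urls, strict=False):
    """Map each URL to its verdict; handy for diffing loose against strict."""
    return {u: classify(u, strict) for u in urls}


if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(url, classify(url), classify(url, strict=True))
```

Running it prints the verdict for every sample URL in both modes; the loose mode is what the post's rule list gives you, the strict mode is the tightening you would apply once the first legitimate data.html gets blocked.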

  • by _KiTA_ ( 241027 ) on Tuesday March 23, 2010 @11:26AM (#31584260) Homepage

    I work at a pinch hitter Tier 2 Pay to Play tech support company that is outsourced to by several major ISPs.

    I see these damned things all the time. Usually they come with names like XP Antivirus 2010 or "Vista Security Center" or somesuch crap. They almost exclusively look the same, and there are new names that appear every so often -- XP Antivirus 2010 was "Internet Security 2010" not too long ago, for example. I suspect there is a kit that these companies are using to make their products.

    They are almost exclusively coming in from banner ads. Specifically they use a Flash ad that, after a few minutes, or upon webpage close, or mouseover, opens an infected PDF file on a random infected server. Google Chrome occasionally catches these domain names, usually they are IP addresses or something similar.

    Flashblock is NOT foolproof (although it does help), as occasionally they just have the ad banner on an infected server that auto-redirects you to a PDF file immediately.

    They are occasionally Java files instead, but almost exclusively they are PDF files.

    They're actually getting very creative in their infections. XP AV 2010, for example, sets itself up as the handler for EXE files -- in order to remove it, you have to install Malwarebytes and rename the mbam.exe file as 1.com or something similar. You can also dive into the registry to fix the EXE thing, except if the program is running it will just break it again immediately. Either Windows does not have support for hijacking the .COM support in Windows XP/Vista/7, or these viruses just aren't thinking to try yet. Once they do, then our options drop to "OS Reinstall", as you can literally not run anything.

    Some of these programs install themselves in such a way that if you attempt to load Safe Mode, your OS will intentionally BSOD. Or, in at least one infection, the screen filled with ASCII smiley faces and didn't continue.

    Combofix will also remove most of these, and usually with "Security Center" or "XP AV 2010" we give up and run Combofix immediately.

    The solution to prevent future infections isn't to move to Firefox or Chrome -- these infect those just as easily, although Chrome seems to just crash its Flash plugin instead. In order to fix these, you have to update Adobe Flash, Adobe PDF, and Sun Java to the latest versions. PDF is the most important, but not the only one. Better browsers won't work. Antimalware programs won't work. The only way to fix it is to patch the holes.
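Detection logic for the sequence described in the comment above (a Flash ad, then a PDF or JAR pulled from a server that is a bare IP address), as an added Python example rather than anything the poster ran. It parses Squid native access.log lines; the five log lines, the 300-second window and the content-type lists are constructed assumptions for the example. A payload fetched from a bare-IP host is the strong signal; a PDF or JAR from a different host shortly after a Flash object is the weaker one, so the two together rate high.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log layout:
# time elapsed client code/status bytes method URL ident peerstatus/peerhost content-type
SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<status>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<ident>\S+)\s+(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

FLASH_TYPES = {"application/x-shockwave-flash"}
PAYLOAD_TYPES = {"application/pdf", "application/java-archive", "application/x-java-archive"}
WINDOW_SECONDS = 300  # assumed: the post says the redirect fires "after a few minutes"

# Constructed log lines (documentation IP ranges), not from any real proxy.
SAMPLE_LOG = [
    "1269345600.100    210 10.0.0.15 TCP_MISS/200 19342 GET http://ads.example-network.com/serve/banner.swf - DIRECT/192.0.2.10 application/x-shockwave-flash",
    "1269345601.400    130 10.0.0.15 TCP_MISS/200 4120 GET http://www.news.example/index.html - DIRECT/192.0.2.20 text/html",
    "1269345642.800    900 10.0.0.15 TCP_MISS/200 84213 GET http://198.51.100.23/cgi-bin/x.php?id=7 - DIRECT/198.51.100.23 application/pdf",
    "1269345700.000    300 10.0.0.22 TCP_HIT/200 51200 GET http://docs.example.org/manual.pdf - NONE/- application/pdf",
    "1269345720.500    250 10.0.0.22 TCP_MISS/200 60000 GET http://203.0.113.9/j/x.jar - DIRECT/203.0.113.9 application/java-archive",
]


def parse_line(line):
    """Parse one Squid native log line into a dict, or None if it does not match."""
    m = SQUID_NATIVE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def is_bare_ip(host):
    """True when the URL's host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_drive_by_downloads(lines):
    """Return one alert per PDF/JAR fetch that looks like an ad-driven drive-by."""
    recent_flash = defaultdict(list)  # client -> [(ts, host)] of Flash objects seen
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["ctype"] in FLASH_TYPES:
            recent_flash[rec["client"]].append((rec["ts"], rec["host"]))
            continue
        if rec["ctype"] not in PAYLOAD_TYPES:
            continue
        reasons = []
        if is_bare_ip(rec["host"]):
            reasons.append("payload host is a bare IP address")
        # Weaker signal: a Flash object from some other host within the window.
        prior = [h for t, h in recent_flash[rec["client"]]
                 if 0 <= rec["ts"] - t <= WINDOW_SECONDS and h != rec["host"]]
        if prior:
            reasons.append("Flash object from %s fetched within %ds" % (prior[-1], WINDOW_SECONDS))
        if reasons:
            alerts.append({
                "client": rec["client"],
                "url": rec["url"],
                "severity": "high" if len(reasons) == 2 else "medium",
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_drive_by_downloads(SAMPLE_LOG):
        print(alert["severity"], alert["client"], alert["url"], "; ".join(alert["reasons"]))
```

On the sample the PDF from 198.51.100.23 rates high (bare IP, 42 seconds after a Flash banner from another host), the JAR from 203.0.113.9 rates medium (bare IP only), and the manual.pdf from a named host raises nothing. The Flash-then-payload correlation on its own is noisy on any Flash-heavy site, which is why it is not an alert by itself.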

  • Re:Yup....seen it. (Score:1, Informative)

    by Anonymous Coward on Tuesday March 23, 2010 @11:39AM (#31584456)

    I wish more facilities would take this tact

    <nazi mode="semantics">You mean tack [merriam-webster.com], "the direction of a ship with respect to the trim of her sails" or, metaphorically, "a course or method of action". Tact [merriam-webster.com] means "sensitive mental or aesthetic perception" or "a keen sense of what to do or say in order to maintain good relations with others or avoid offense" and is not short for, nor in any way related to, the word tactic.</nazi>

  • by geekboy642 ( 799087 ) on Tuesday March 23, 2010 @11:53AM (#31584656) Journal

    1 is flat-out false.
    2 is technically correct.
    3 is true.
    4, while true, is pointless. A far better (and simpler, easier) job of this can be done with a local caching DNS server.
    5 is the same as 4.
    6 is stupid and wrong. Text editors that can easily handle 30MB of text are rare under Windows, and nobody should ever do that anyways.
    7 is completely stupid. There might be bugs in Windows' HOSTS implementation. If there are, they will never be corrected. An AdBlock bug, or a DNS server bug, will be corrected within hours at the longest.
    8 is vacuously true.
    9 is completely false. Any malware that doesn't have admin access can get it trivially, under any Windows platform. It is impossible to lockdown the HOSTS file to the point that an admin-level malware cannot interfere with it.
    10 is entirely wrong. See 6), and inspect any modern ad blocker. They've had 3-click-to-block for years now.
    11 is flat-out wrong. See 9).

    It takes you over an hour to process one million db entries? That's shameful. What are you doing that takes 4ms per entry? And why wouldn't "cat HOSTS | sed -E -e 's/[\t ]+/ /g' -e 's/[ ]+$//g' | sort -dfu" be faster and easier than processing text in assembler?

  • Doubleclick too... (Score:3, Informative)

    by Tteddo ( 543485 ) on Tuesday March 23, 2010 @12:14PM (#31584970) Homepage
    I fix PCs for a living and I have been seeing this too. Some people, all they do is Facebook, and they are getting "XP Antivirus" or its variants, and I know there is no way they are doing anything. They all use Firefox, etc. The last 2 weeks I have been putting on Ad Block Plus and explaining to them what it does because I was having people get infected again in a matter of weeks after I clean it up the first time. I know that kinda sucks for website revenue, but what else is there to do. One guy got infected from Photobucket, and it was repeatable.
  • by FlashBIOS ( 665492 ) on Tuesday March 23, 2010 @12:24PM (#31585144)

    Until that happens, check out Sandboxie. Sandboxie is a fantastic piece of software that I've been using for years on my browser (and more importantly at home, my wife's and son's). It is largely transparent, and regularly updated. And, it works with any software, not just the browser.

    http://sandboxie.com/ [sandboxie.com]

  • by Vancorps ( 746090 ) on Tuesday March 23, 2010 @12:44PM (#31585518)
    Notepad can easily handle 30meg text files or even 2gig text files. When your list is that long it makes sense to go the server route, but in my experience you only need a couple megs to block the majority of sites and performance is not noticeably impacted then.
  • by E-Sabbath ( 42104 ) on Tuesday March 23, 2010 @12:52PM (#31585660)

    Same experience except: my sneaky trick is to install mbam on the infected computer, then run the same version of it off a flash drive. Surprisingly, it works.

    Also, do you think using Foxit instead of Adobe might help? For that matter, setting PDFs to not auto-open?

  • Re:Yup....seen it. (Score:3, Informative)

    by E-Rock ( 84950 ) on Tuesday March 23, 2010 @01:25PM (#31586180) Homepage

    Because of this we have enabled InPrivate Filtering for IE8 via group policy (not the same as InPrivate Browsing). It's an effective ad blocking tool. I hate that we have to block the revenue sources of the pages we visit, but when they're being used to deliver malware, I don't see an alternative.

  • Re:Yup....seen it. (Score:4, Informative)

    by jafiwam ( 310805 ) on Tuesday March 23, 2010 @03:13PM (#31587910) Homepage Journal

    It's not the sites, it's the ad networks.

    Go get a HOSTS file that blocks ads and keep it updated and pushed out on your network.

    I see ZERO ads most days. When some new ad network annoys me, I go add it to my HOSTS file. The same thing can be done with the network DNS server without needing to modify machines.

    Believe me, most people don't bitch (very much) about not seeing ads on the internet all of a sudden. They might be curious about it, but usually that's it.
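The HOSTS-file approach in this comment and the sed clean-up pipeline a few comments up, combined in one added Python example (not the poster's script). It normalises a messy blocklist fragment the way that sed | sort -dfu pipeline does, writes HOSTS lines against the 0.0.0.0 sink, and then shows the difference that "the same thing can be done with the network DNS server" hides: a HOSTS entry matches one exact hostname, while a DNS-side block on a domain also covers every subdomain the ad network adds later. The blocklist text is constructed, and the address=/domain/ip output is dnsmasq syntax, assumed here as the DNS-server route.

```python
import ipaddress
import re

# Constructed sample input (not a real blocklist): merged HOSTS fragments with
# mixed case, tabs, trailing spaces, comments, duplicates and a bare hostname.
RAW_BLOCKLIST = """\
# ad networks and trackers (constructed sample)
127.0.0.1\t\tads.example-network.com
127.0.0.1   Ads.Example-Network.com   
0.0.0.0     tracker.example.org      # trailing comment
fimserve-like.example.net
127.0.0.1   localhost
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
SINK = "0.0.0.0"  # unroutable sink, so blocked names never reach a listener on 127.0.0.1


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def normalise(raw):
    """Strip comments, collapse tabs/spaces, lower-case, dedupe and sort hostnames."""
    names = set()
    for line in raw.splitlines():
        line = re.sub(r"[\t ]+", " ", line.split("#", 1)[0]).strip()
        if not line:
            continue
        fields = line.split(" ")
        # A HOSTS line carries an address first; a bare list is just names.
        hosts = fields[1:] if _is_ip(fields[0]) else fields
        names.update(h.lower() for h in hosts if h.lower() not in LOCAL_NAMES)
    return sorted(names)


def render_hosts(names):
    """HOSTS file body: one sink entry per exact hostname."""
    return "".join(f"{SINK} {n}\n" for n in names)


def render_dnsmasq(names):
    """dnsmasq equivalent (assumed syntax): address=/name/ip answers name and all subdomains."""
    return "".join(f"address=/{n}/{SINK}\n" for n in names)


def hosts_file_blocks(hostname, names):
    """A HOSTS file only matches the exact name that was written into it."""
    return hostname.lower() in set(names)


def dns_server_blocks(hostname, names):
    """A DNS-side block on a domain also catches every label underneath it."""
    blocked = set(names)
    labels = hostname.lower().split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


if __name__ == "__main__":
    names = normalise(RAW_BLOCKLIST)
    print(render_hosts(names))
    print(render_dnsmasq(names))
    for probe in ("ads.example-network.com", "cdn7.ads.example-network.com"):
        print(probe, "hosts:", hosts_file_blocks(probe, names),
              "dns:", dns_server_blocks(probe, names))
```

The probe output is the point: cdn7.ads.example-network.com sails past the HOSTS file but is caught by the DNS-side block, so a pushed-out HOSTS file needs every ad-server hostname listed, while the DNS route needs only the parent domain.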

  • Re:Yup....seen it. (Score:2, Informative)

    by Skratchez ( 1304839 ) on Tuesday March 23, 2010 @05:21PM (#31589464)
    I thought we were the mods. :ohdear: But yeah, follow Taco's law, rate down if it's irrelevant or interesting, not because you are the legendary grammar Nazi or if you disagree with a valid point.
