Malware Delivered By Yahoo, Fox, Google Ads

WrongSizeGlass writes "CNET is reporting that Avast has tracked over 2.6 million instances of malware that have been served up to unsuspecting web surfers since last December by ad services such as Yahoo's Yield Manager, Fox Audience Network's Fimserve.com and even some from Google's DoubleClick. Some high-profile sites include The New York Times, DrudgeReport.com, TechCrunch and WhitePages.com. The practice has been dubbed 'malvertising.' I usually suspect the users of 'careless web activity' when I delouse a PC, but now I'm going to have to give some the benefit of the doubt."
This discussion has been archived. No new comments can be posted.

  • Yup....seen it. (Score:5, Interesting)

    by Em Emalb ( 452530 ) <ememalb.gmail@com> on Tuesday March 23, 2010 @10:17AM (#31583228) Homepage Journal

    At my work, we allow unrestricted access to the net, but log everything. We had a recent spate of Vundo variants come through, and when we went through the logs, almost all of them were via the NYTimes or WaPo. Frustrating, when large companies like this make work for you. For the most part, the "allow everything, log it" approach, along with using IDPS on the front-end(s), has helped quite a bit.

  • Say No To Flash (Score:1, Interesting)

    by Anonymous Coward on Tuesday March 23, 2010 @10:18AM (#31583258)

    The number one reason to avoid Flash is the advertisements. The numerous exploits mean that it is just a matter of displaying the ad, and voila, you have most injected visitors.

    JavaScript based ads are not much better, but they're at least not as easy to exploit as Flash based ads.

  • by Anonymous Coward on Tuesday March 23, 2010 @10:24AM (#31583332)

    1) Flash-based Banner Ad
    2) JRE Exploit (CVE-2008-5353)
    3) Adobe Reader Exploit
    4) Profit?

  • by geegel ( 1587009 ) on Tuesday March 23, 2010 @10:35AM (#31583498)

    The way I see it, no browser should be designed to require admin rights. All that it needs is a sandboxed environment for temporary files. When this mantra gets into the developers' heads, such exploits will no longer be possible. Of course, by that time, other types of exploits will be invented, but we'll cross that bridge when we reach it.

  • ORLY? (Score:2, Interesting)

    by SpicyBrownMustard ( 1105799 ) on Tuesday March 23, 2010 @10:36AM (#31583528)

    Let's see here... an anti-malvertising/malware firm reporting lots and lots of malicious "bad things" being served up by those terrible pesky Internet ads... no agenda here. The report failed to follow through and dig into the real problem with malicious payloads associated with online ads, the ad network daisy-chain. If network-A has no impression for you, you're handed off to network-B, which may have no impression and then gives you to network-C... and so on. As your impression traverses the daisy chain, the likelihood of hitting a low-tier ad network that allows any wanker with a (stolen) credit card to order millions of impressions increases... where the malware begins. We scan our ad tags daily, using two methods -- a dozens-of-times-an-hour service, and our own script on a minimally-protected PC. We've never seen malware from advertising assets delivered by a top-tier ad network... when we see malware, it's ALWAYS from a provider down the daisy-chain.

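The daisy chain described in this comment, and the log review in the first comment of the thread, can both be made visible from ordinary proxy logs if the proxy records the Referer header. The script below is an added example, not code from the thread or from any ad-scanning product: it picks out payload downloads by Content-Type and walks each one's Referer chain back to the page the user actually asked for, so every hand-off between ad networks in between is listed. The log format, hostnames and addresses are all constructed for the example.

```python
"""Reconstruct ad-delivery chains from proxy logs.

Added example (not from the Slashdot thread or any product): given proxy log
lines that record the URL, Content-Type and Referer of each request, find
downloads of executable or document payloads and walk the Referer chain back
to the page the user actually requested, so every ad-network hand-off in
between is visible.  Log format, hostnames and addresses are constructed.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed log: <client> <url> <content-type> <referer or ->
SAMPLE_LOG = """\
# comment lines are ignored
10.0.0.5 http://news.example/front-page text/html -
10.0.0.5 http://adnet-a.example/tag.js application/javascript http://news.example/front-page
10.0.0.5 http://adnet-b.example/fill?x=1 application/javascript http://adnet-a.example/tag.js
10.0.0.5 http://cheap-ads.example/banner.swf application/x-shockwave-flash http://adnet-b.example/fill?x=1
10.0.0.5 http://203.0.113.9/load.exe application/x-msdownload http://cheap-ads.example/banner.swf
10.0.0.7 http://shop.example/catalog text/html -
10.0.0.7 http://adnet-a.example/tag.js application/javascript http://shop.example/catalog
10.0.0.7 http://cdn.example/logo.png image/png http://shop.example/catalog
"""

# Content types worth treating as a delivered payload (extend to taste).
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream",
                 "application/pdf", "application/java-archive"}


def parse_log(text):
    """Yield (client, url, content_type, referer) tuples; referer is None for '-'."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line: skip rather than guess
        client, url, ctype, referer = fields
        yield client, url, ctype, (None if referer == "-" else referer)


def referer_chain(entries, client, url):
    """Follow Referer links from `url` back to the first request that had no
    Referer.  Returns hostnames from the originating page down to `url`.
    The `seen` set guards against Referer loops."""
    first_referer = {}
    for c, u, _ctype, ref in entries:
        if c == client:
            first_referer.setdefault(u, ref)  # earliest observation wins
    chain, seen, cur = [url], {url}, url
    while first_referer.get(cur) and first_referer[cur] not in seen:
        cur = first_referer[cur]
        seen.add(cur)
        chain.append(cur)
    chain.reverse()
    return [urlsplit(u).hostname for u in chain]


def find_payload_chains(text):
    """Return [(client, [origin_host, ..., payload_host]), ...] for each
    payload download in the log."""
    entries = list(parse_log(text))
    return [(client, referer_chain(entries, client, url))
            for client, url, ctype, _ref in entries if ctype in PAYLOAD_TYPES]


def hops_before_payload(chain):
    """Number of intermediaries between the requested page and the payload host."""
    return max(len(chain) - 2, 0)


def serving_hosts(text):
    """Count which host handed the browser to each payload: the hop just before it."""
    return Counter(chain[-2] for _c, chain in find_payload_chains(text) if len(chain) >= 2)


if __name__ == "__main__":
    for client, chain in find_payload_chains(SAMPLE_LOG):
        print(client, " -> ".join(chain), f"({hops_before_payload(chain)} intermediaries)")
```

The first element of each chain is the page the user requested, which is all the first commenter's logs showed them; the element just before the payload host is the provider that actually served the ad, which is what this commenter's daily scans look for. On real logs, feed `parse_log` the fields your proxy records in the same order, and widen `PAYLOAD_TYPES` to whatever your environment treats as a download.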
  • by WCMI92 ( 592436 ) on Tuesday March 23, 2010 @10:43AM (#31583616) Homepage

    Then we should start blocking the ad networks from our networks.

    If lots of people started doing that, I wonder how quickly Google, Yahoo, et al. would start screening advertisers for malware?

  • Re:Yup....seen it. (Score:3, Interesting)

    by commodore64_love ( 1445365 ) on Tuesday March 23, 2010 @10:46AM (#31583656) Journal

    I run a program called "TeaTimer" that automatically blocks changes to your computer or registry. I'm not sure how well it works in a work setting, but for my home PC it's caught numerous browser-based programs from doing damage.

  • Re:Adblocker (Score:3, Interesting)

    by jedidiah ( 1196 ) on Tuesday March 23, 2010 @10:48AM (#31583670) Homepage

    Yes. This goes way beyond being "merely annoyed". If it becomes a security issue then ads need to go in general.

    This is another example of how "outsourcing" leads to loss of quality and control. If you are going to spam someone then you need to be in control of the relevant content. You need to take responsibility for it. That seems to be the real problem here. You end up needing to whitelist 10 or 20 scripting hosts for the average "legitimate" website.

  • by Neil Watson ( 60859 ) on Tuesday March 23, 2010 @10:49AM (#31583686) Homepage

    In UNIX one might try running the browser as another user via 'su'. That user could be isolated with no useful data or access. Probably some X permissions will have to change to allow the browser to display on an X server owned by another user.

    Could this be accomplished with Windows?

  • by Anonymous Coward on Tuesday March 23, 2010 @10:53AM (#31583746)

    That's why I am so pissed at site designers who go "lalala I can't hear you" whenever I request they make their site accessible without "active content" (i.e. Javascript, Flash, Java or even worse things).

    It's nifty and all, but nowadays it's the main malware distribution mechanism. And you can't tell users "just switch off Javascript", because suddenly, half of the Web won't work (I do switch off Javascript: no, not NoScript. Just The Real Thing -- and for most, I'm even glad *this* half of the Web doesn't work -- but I can't tell a regular user to do the same). Heck, those $@#%! web designers even do regular links with javascript snippets for reasons inscrutable to me. Disgusting.

    Advertisers? Do you hear me? I'll look at pngs, jpegs and gifs, even animated. I'll read text. but I won't even see your Javascript/Flash/whatever stuff.

    There. Had to be said.

  • Re:Yup....seen it. (Score:3, Interesting)

    by Talderas ( 1212466 ) on Tuesday March 23, 2010 @11:02AM (#31583880)

    As I write this message, I am running a scan to make sure I just finished cleaning this virus off one of my user's machines. This user has TeaTimer installed, yet still got infected. It's rather odd, seeing as the infection piggybacks on some registry values. So either the user is mindlessly hitting Allow on TeaTimer, or the virus is circumventing it.

  • by rickb928 ( 945187 ) on Tuesday March 23, 2010 @11:07AM (#31583960) Homepage Journal

    I have a running dialogue with a webmaster of a celebrity paps site (ok, sue me) about the various bits of malware that are being served up by her various advertisers. This began a few months ago, and it took a while before I figured out they could not be expected to know this was happening. She has tracked down the source of these adverts to an agency that offered her triple the usual rate. Now she knows, among other things, that if it's too good to be true, there is a reason why.

    But, she and I have synched clocks so she can know to the few seconds what I got. She has to report back precise details to get her advertisers to figure out what happened, cause most of her direct advertisers are contracting out ads to other agencies, and they sell other ads, and the chain gets long and obscure in no time at all.

    So far, she is helpful, but last week I sent her a screenshot of a nasty one installing that 2010 antivirus onto one of my virtual machines, and it turned out to be her oldest and most loyal sponsor, and an entirely legitimate ad that had gotten hijacked on the way to her server. Yup, her server is compromised, and some ads are being re-written on the fly from other sources. Makes sense to me, just another vector. This is not good - even honest webmasters are vulnerable, though she called in a team/favor to fix up her server, which is supposed to be monitored for this stuff. Oh well.

    Is there any defense? I'm using VPC2007 to run browsers just to be able to look at the nasty stuff being inflicted on me (not the celebs, thank you) and I can't imagine the fun of doing this from my desktop. Ewww.

    When the NYT is being used, we are past blaming the source.

    Not to mention the waiting time I see for ad servers. I want the damned content I asked for, thank you, perhaps webmasters need to find a way to ditch slow ads and let us see what we wanted to in the first place, ok? Thanks!

  • Why I don't run ads (Score:5, Interesting)

    by KingSkippus ( 799657 ) on Tuesday March 23, 2010 @11:25AM (#31584236) Homepage Journal

    Yup, I've seen it, too. I run a gaming web site that gets around 2 million page loads a month. A long time ago, I made a deliberate decision not to run ads. My rationale at the time was that I didn't mind paying the hosting cost because it's my hobby. Some people pay a lot on woodworking, some people pay a fortune on golf. My hobbyist indulgence is paying the monthly fee for a VPS to host the site.

    A while back, when I needed more power for the site and the hosting costs went up, I made a deal to move the site (which was a MediaWiki-based wiki) to Wikia. They promised me that there would only be one ad on the site, that it would never be injected in the content, that it wouldn't be obtrusive, and other such things. After the site was moved, they proceeded to go back on these promises, and several more.

    After less than a year, the other administrators and I decided to re-host the site ourselves, and ask for donations. Again, we don't run ads, and thanks to donations, I'm almost breaking even on the hosting costs.

    Recently, someone pointed me back to Wikia's site. It is a tragedy. Aside from being woefully out of date, there were six or eight ads, including javascript and Flash ads that obscure parts of the screen and are injected into the articles. Worst of all, some of the "malvertising" discussed in this article.

    Here's what's kind of bad. Because Wikia uses SEO crappy games, their site still comes up on top of the search results in Google. (You should see the page titles, they're 10 or 15 words long.) I recently posted a message on the game's official forums warning people of the malevolent advertising, because I wanted to make sure people used the right URL for our wiki, and it was a good chance to reiterate how important it is to us to keep the site ad-free.

    A week or so ago, one of the guys at Ars Technica ranted in an article about how people who use ad blocking are stealing content. It's the same argument I've seen higher-profile people (Rupert Murdoch, I'm looking at you...) make. I said then, and I still maintain, that using ad blocking and Flash blocking is not just a matter of convenience, but a matter of maintaining the security of my system.

    Fortunately, I like sites like Ars Technica, because they provide an alternate means of reading their content without "stealing" it, and I have a paid subscription to the site. However, as long as a site's only business model is advertising, I don't feel one iota of guilt in protecting my system. If they block content if ad blockers are being used, more power to them, I'll find another site to read.

    But stories like this, stories I've actually felt first-hand, are why I support sites without advertising, I do what I can to opt out of advertising, and I don't force advertising on visitors to sites I run myself.

  • by somersault ( 912633 ) on Tuesday March 23, 2010 @11:45AM (#31584538) Homepage Journal

    Does anyone know of an equivalent to having a hosts file that you can use in conjunction with a Windows or Linux DNS server so that you can just block sites at the actual DNS server rather than having to keep updating the hosts file blacklist on all clients?
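One way to do what this comment asks for is to keep the hosts-file blocklist as the source of truth and generate resolver rules from it, so the block applies to every client that uses the DNS server. The script below is an added example, not code from the thread or from the dnsmasq or BIND projects: it parses hosts-file syntax, drops local names and entries already covered by a blocked parent domain, and emits either dnsmasq `address=/name/ip` lines or records for a BIND Response Policy Zone (RPZ). The blocklist contents are constructed; the sinkhole address is a parameter rather than fixed to 0.0.0.0 because not every system treats that address as unreachable, and the RPZ zone's SOA/NS header is assumed to exist already.

```python
"""Turn a hosts-file blocklist into resolver-side block rules.

Added example, not code from the thread or from dnsmasq/BIND: it reads the
hosts-file style blacklist the post describes maintaining on every client and
emits equivalent rules for a central DNS server, as dnsmasq `address=` lines
or as records for a BIND Response Policy Zone (RPZ).  The blocklist below is
constructed; the sinkhole address is a parameter because not every system
treats 0.0.0.0 as unreachable.
"""
import ipaddress

SAMPLE_HOSTS = """\
# constructed blocklist in hosts-file syntax
127.0.0.1 localhost
0.0.0.0 ads.example
0.0.0.0 tracker.example   # trailing comment
127.0.0.1 ads.example
0.0.0.0 bad..name
0.0.0.0 sub.ads.example
"""

# Names that belong to the local machine, never to a blocklist.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def valid_hostname(name):
    """RFC 1123 style check: non-empty alphanumeric/hyphen labels, length limits."""
    if not name or len(name) > 253:
        return False
    return all(0 < len(label) <= 63 and label.replace("-", "").isalnum()
               for label in name.split("."))


def parse_hosts(text):
    """Return blocked hostnames in file order, deduplicated and lowercased.
    Comments, lines without a valid address, local names and malformed
    names are skipped."""
    names, seen = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address: not a hosts line we understand
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or name in seen or not valid_hostname(name):
                continue
            seen.add(name)
            names.append(name)
    return names


def collapse_subdomains(names):
    """Drop names whose parent is already in the list: both resolvers below
    block a domain's subdomains along with it, so the entry is redundant."""
    blocked = set(names)
    kept = []
    for name in names:
        labels = name.split(".")
        ancestors = {".".join(labels[i:]) for i in range(1, len(labels))}
        if not ancestors & blocked:
            kept.append(name)
    return kept


def dnsmasq_rules(text, sink="0.0.0.0"):
    """dnsmasq config lines; address=/name/ip also matches subdomains of name."""
    sink = str(ipaddress.ip_address(sink))
    return [f"address=/{name}/{sink}" for name in collapse_subdomains(parse_hosts(text))]


def rpz_records(text, sink=None):
    """Records for a BIND RPZ zone (the zone's SOA/NS header is assumed to
    exist already).  Without a sink, `CNAME .` is RPZ's NXDOMAIN action;
    with one, the name resolves to the sink.  Wildcards cover subdomains."""
    rdata = "CNAME ." if sink is None else f"A {ipaddress.ip_address(sink)}"
    out = []
    for name in collapse_subdomains(parse_hosts(text)):
        out.append(f"{name} IN {rdata}")
        out.append(f"*.{name} IN {rdata}")
    return out


if __name__ == "__main__":
    print("\n".join(dnsmasq_rules(SAMPLE_HOSTS)))
    print("\n".join(rpz_records(SAMPLE_HOSTS)))
```

Write the dnsmasq lines into a file under its configuration directory, or the RPZ records into the zone named by the server's `response-policy` setting, and reload the resolver; clients then only need to point at that server. Returning NXDOMAIN (the `CNAME .` form) avoids the question of where a sinkhole address actually leads, which matters because some systems will happily connect to 0.0.0.0 as the local host.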

  • Re:Yup....seen it. (Score:3, Interesting)

    by tunapez ( 1161697 ) on Tuesday March 23, 2010 @11:53AM (#31584654)

    What I've found to work is, again, unfettered access combined with some sagely advice on where to find safe smut (redtube, youporn, mega...), and setting up a sandboxie icon that looks just like a regular Firefox button. Whether it be masking the icon for sandboxing or to give them a blue E to start FF/Opera/Safari, I find giving less insight into what I'm doing and just making things seem like nothing has changed is the best policy.

    Do muni FDs allow internet access outside of email and work site nowadays? I've set-up privately contracted, shared wireless hubs(VZ USB w/ old laptop & wireless-router) @ a couple stations in the past b/c all they got was work related net. Brother on the right coast concurs, his FD does not supply even 1 station/signal to access their department mail accounts. I was told, Internet has too many expenses and liability for the org to shoulder the costs everyday surfing. Add to that it's part of a critical system with lives depending on instant/unrestricted communication, it's paid for with taxpayer money(thus every log & email is available via a public records request) and the chit really gets deep when that Fck-A-FF MySpace page makes the 6 o'clock news.

    by mr.bri ( 886912 ) on Tuesday March 23, 2010 @11:59AM (#31584730)

    Yep. You don't have to click on anything to get infected. We've had a couple of our systems infected over the past couple of months. What scares me is:

    1. We were running the latest version of Firefox
    2. Acrobat Reader was fully patched (version 8, not 9. But, we have to leave the JS enabled)
    3. Adobe Flash was up-to-date
    4. Windows was fully patched
    5. We have web filters
    6. They got past 2 layers of IDS/IPS and 3 layers of antivirus scanners (different engines)
    7. Users are NOT admins!!!

    Since then, we have switched to a few new products and attempted to tighten things up even more, but these things have gotten incredibly complex. In one case, it was a triple attack. The Flash ad (0-day exploit) loaded an exploited PDF (0-day exploit) that took advantage of a 0-day IE exploit (keep in mind we use Firefox), which compromised the system. We have a nuke-from-orbit policy on any system we suspect has been infected, but what a waste of time!

    It was hosted from a site in India. The user was on Yahoo's website (we've had 4 infections through Yahoo's ads). They did NOT click on anything!

    Be very afraid!

  • by TheRaven64 ( 641858 ) on Tuesday March 23, 2010 @12:23PM (#31585118) Journal

    The problem with this approach is that the browser itself contains useful data - things like access to your Internet banking site, for example. Ideally the browser would create a new process when you navigate to a new site and chroot() that instance so that it can't get any access to the filesystem beyond that. That way, a compromised browser would only ever gain access to caches and passwords for the site that performed the attack. The wrapper would reparent each of these processes' windows into something that would give the appearance of a single application.

  • by Vorpix ( 60341 ) on Tuesday March 23, 2010 @12:31PM (#31585276)

    the biggest change this has for me is that it has moved installing adblocking software from just 'something i do for my personal computers' to 'something i do on any computer i touch, even professionally'.

    it was the ad server's responsibility to regulate what they distribute. instead, they have just become an avenue for zero-day attacks that can spread across the web in no time at all. since they did NOT act responsibly in preventing this type of attack (really, is there NO review process at all on what they serve out to millions of people?), it falls on us, the users, to protect ourselves. when companies complain about lost revenue due to adblocking software, this is your justification.

  • by bipbop ( 1144919 ) on Tuesday March 23, 2010 @01:12PM (#31585976)

    Guaranteed invalid? No.

    ~$ telnet 0.0.0.0 22
    Trying 0.0.0.0...
    Connected to 0.0.0.0.
    Escape character is '^]'.
    SSH-1.99-OpenSSH_5.0 NetBSD_Secure_Shell-20080403-hpn13v1
    ^]cl

    telnet> cl
    Connection closed.

  • Sue DoubleClick (Score:5, Interesting)

    by Animats ( 122034 ) on Tuesday March 23, 2010 @01:24PM (#31586160) Homepage

    A big class action against DoubleClick, etc. would be appropriate. They "exceeded authorized access", as defined in the Computer Crime and Abuse Act. That they got the attack from someone else isn't an absolute defense. The ad network obtained "something of value" for the attack. If they sent out one attack after they'd been informed, they were doing so "knowingly".

    The ad network has the right to find and sue the source of the ad, but that's their problem, not the end user's problem. This is well-established law. In general, you can sue the party you dealt with, and they can sue the next party up the chain.

  • by _KiTA_ ( 241027 ) on Tuesday March 23, 2010 @01:29PM (#31586246) Homepage

    No, just run Combofix. Then MBAM. It'll fix it. It's a rootkit, which is blocking MBAM and Webroot from seeing it.

    That's the most terrifying thing about these things -- they literally install as rootkits, without admin privileges, even on a fully up to date WinVista or Win7 box. UAC, Security Policies, etc do nothing.

    It's no wonder Google got hacked by China.

  • Re:Yup....seen it. (Score:2, Interesting)

    by Anonymous Coward on Tuesday March 23, 2010 @01:33PM (#31586300)

    Thank you. I saw it but let it slide. I fought my last battle trying to explain that "downfall" was not a synonym for "drawback". They're words, which have meaning.

    I don't object to people not knowing words, but I have a real problem with them using words of which they do not know the definitions. Ignorance is not a sin unless your arrogance prevents learning.

  • by Dragonslicer ( 991472 ) on Tuesday March 23, 2010 @01:35PM (#31586320)

    CNN lacks content to have a bias

    This is why I always laugh at people that claim CNN is biased. CNN doesn't have a "left" or "right", "liberal" or "conservative", or "Democrat" or "Republican" bias. CNN's only bias is towards repeating whatever people with no lives send them via Twitter.

  • by kalirion ( 728907 ) on Tuesday March 23, 2010 @04:26PM (#31588798)

    Sure, just like highway billboards and road-side bombs are really similar, when you think about it.
