Malware Delivered By Yahoo, Fox, Google Ads

WrongSizeGlass writes "CNET is reporting that Avast has tracked over 2.6 million instances of malware that have been served up to unsuspecting web surfers since last December by ad services such as Yahoo's Yield Manager, Fox Audience Network's Fimserve.com and even some from Google's DoubleClick. Some high-profile sites include The New York Times, Drudge Report.com, TechCrunch and WhitePages.com. The practice has been dubbed 'malvertising.' I usually suspect the users of 'careless web activity' when I delouse a PC, but now I'm going to have to give some the benefit of the doubt."

Yup....seen it.

[Em Emalb]

At my work, we allow unrestricted access to the net, but log everything. We had a recent spate of vundo variants come through, and when we went through the logs, almost all of them were via the NYTimes or Wa Post. Frustrating, when large companies like this make work for you. For the most part, the allow everything, log it and using IDPS on the front-end(s) has helped quite a bit.

Re:Yup....seen it.

[tivoKlr]

Having been an IT admin in my former life, and also having operated in a similar fashion to you, allowing unfettered access to the internet for our employees (it was a Fire Department, and the staff was there for 48 hrs straight, so allowing them some creature comforts such as facebook and youtube was appreciated). Having solid, centrally managed AV on each client machine, along with limited local user rights seemed to be effective.

I wish more facilities would take this tact instead of letting some firewall with a blacklist subscription slowly narrow the available internet to static sites that are considered "safe." True irony that advertising from some of these safe sites are now delivering payloads. Ironically, where I work now (not in IT), plenty of popup ads from news sites make it through, so I would assume we're vulnerable through this vector.

Re:Yup....seen it.

[Em Emalb]

Obviously, the biggest hurdle we're having to deal with is user education. I've got a select few folks in various departments learning to work with ad-block and no script, but for the average person, it's hard to figure out what they need to unblock and what they can block with no ill effects. It's frustrating to them, and by extension, our helpdesk guys who end up fielding calls from the same people (over and over) with the same questions. Of course, the other issue we have is vendor lock in, with their stupid sites working correctly ONLY in IE. I hate that, but in my case (financial industry) it's so rampant there's nothing we can do about it except lock stuff down as best we can.

That said...these large companies that aren't paying attention to the ads their serving are just as at fault as any un-educated (or even educated) user is.

Re:Yup....seen it.

[Em Emalb]

aren't paying attention to the ads their serving are just as at fault as any un-educated (or even educated) user is.

Aw man. They're. Not their. And I make that gaffe while writing about un-educated and educated. Fail, thy name is Em.

Re:

[E-Rock]

Because of this we have enabled inPrivate filtering for IE8 via group policy (not the same as inPrivate browsing). It's an effective ad blocking tool. I hate that we have to block the revenue sources of the pages we visit, but when they're being used to deliver malware, I don't see an alternative.

Re:

[tunapez]

What I've found to work is, again, unfettered access combined with some sagely advice on where to find safe smut(redtube,youporn,mega...), and setting up a sandboxie icon that looks just like a regular Firefox button. Whether it be masking the icon for sanboxing or to give them a blue E to start FF/Opera/Safari, I find giving less insight into what I'm doing and just making things seem like nothing has changed is the best policy.

Do muni FDs allow internet access outside of email and work site nowadays? I've

Re:Yup....seen it.

[jafiwam]

It's not the sites, it's the ad networks.

Go get a HOSTS file that blocks ads and keep it updated and pushed out on your network.

I see ZERO ads most days. When some new ad network annoys me, I go add it to my HOSTS file. The same thing can be done with the network DNS server without needing to modify machines.

Believe me, most people don't bitch (very much) about not seeing ads on the internet all of a sudden. They might be curious about it, but usually that's it.

Re:

[Nos.]

I work in the security group and we had a few machines on our help desk get infected with the Antivirus Live malware. After some research, we determined that it came through a legitimate site (help desk site that emulates various OS... can't think of the name), or more specifically the ads on the site.

We do run WebSense, but this was a legitimate site that our help desk uses quite frequently. All machines were up to date with McAfee, but it was a new variation. We ran it through VirusTotal.com within hou

Re:

[commodore64_love]

I run a program called "TeaTimer" that automatically blocks changes to your computer or registry. I'm not sure how well it works in a work setting, but for my home PC it's caught numerous browser-based programs from doing damage.

Re:

[Talderas]

As I write this message, I am running a scan to make sure I just finished cleaning this virus off one of my user's machines. This user has TeaTimer installed, yet still got infected. It's rather odd, seeing as the infect piggybacks on some registry values. So either the user is mindless hitting Allow on TeaTimer, or the virus is circumventing it.

Re:

[commodore64_love]

>>>the user is mindless hitting Allow on TeaTimer

Yes. TeaTimer won't allow the registry to change unless you first click "ok". As for the annoyance I've not noticed any problems. A lot of times I forget TeaTimer is even running. It's certainly less troublesome thatn NoScript's constantly nagging.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ShadowRangerRIT]

Ouch. The two news sites I browse most often. Good thing I run AdBlock and NoScript, and I wrote myself a Greasemonkey script to rewrite all the internal links to point to the print-friendly (read: ad-free) versions of the articles.

Re:

[Hadlock]

Hell, just last week (last Friday!) a flash ad on TechCrunch (linked to from Google News, no less!) opened a new tab in Google Chrome and downloaded a PDF to my desktop under XP SP3. That was an eye opening experience....

Why I don't run ads

[KingSkippus]

Yup, I've seen it, too. I run a gaming web site that gets around 2 million page loads a month. A long time ago, I made a deliberate decision not to run ads. My rationale at the time was that I didn't mind paying the hosting cost because it's my hobby. Some people pay a lot on woodworking, some people pay a fortune on golf. My hobbyist indulgence is paying the monthly fee for a VPS to host the site.

A while back, when I needed more power for the site and the hosting costs went up, I made a deal to move the site (which was a MediaWiki-based wiki) to Wikia. They promised me that there would only be one ad on the site, that it would never be injected in the content, that it wouldn't be obtrusive, and other such things. After the site was moved, they proceeded to go back on these promises, and several more.

After less than a year, the other administrators and I decided to re-host the site ourselves, and ask for donations. Again, we don't run ads, and thanks to donations, I'm almost breaking even on the hosting costs.

Recently, someone pointed me back to Wikia's site. It is a tragedy. Aside from being woefully out of date, there were six or eight ads, including javascript and Flash ads that obscure parts of the screen and injected into the articles. Worst of all, some of the "malvertising" discussed in this article.

Here's what's kind of bad. Because Wikia uses SEO crappy games, their site still comes up on top of the search results in Google. (You should see the page titles, they're 10 or 15 words long.) I recently posted a message on the game's official forums warning people of the malevolent advertising, because I wanted to make sure people used the right URL for our wiki, and it was a good chance to reiterate how important it is to us to keep the site ad-free.

A week or so ago, one of the guys at Ars Technica ranted in an article about how people who use ad blocking are stealing content. It's the same argument I've seen higher profile people (Rubert Murdoch, I'm looking at you...) make the same claim. I said then, and I still maintain, that using ad blocking and Flash blocking is not just a matter of convenience, but a matter of maintaining the security of my system.

Fortunately, I like sites like Ars Technica, because they provide an alternate means of reading their content without "stealing" it, and I have a paid subscription to the site. However, as long as a site's only business model is advertising, I don't feel one iota of guilt in protecting my system. If they block content if ad blockers are being used, more power to them, I'll find another site to read.

But stories like this, stories I've actually felt first-hand, are why I support sites without advertising, I do what I can to opt out of advertising, and I don't force advertising on visitors to sites I run myself.

Re:

[Seedy2]

I saw the word "malvertising" and thought it was redundant. I have always considered ALL advertising to be malware. Including print and TV advertising. They are all an attempt to force me to view their message, which I neither want nor asked for, and block or delay me viewing what I want to see.

Re:Why I don't run ads

[kalirion]

Sure, just like highway billboards and road-side bombs are really similar, when you think about it.

One lesson to learn

[courteaudotbiz]

Never ever click an ad!

Re:One lesson to learn

[Anonymusing]

FTA: "Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser."

Re:One lesson to learn

[oldspewey]

Indeed, and for people browsing Fox News, you don't even need a computer to be infected.

Re:

[commodore64_love]

Yes becasue it is an established fact that Fox has no bias

STRAWMAN ARGUMENT. I never said that. What I said was that CNN, MSNBC, ABC, CBS, et cetera have a pro-government and anti-individual-liberty bias.

Point - They are ALL biased, therefore if you're going to attack FOX for bias, then you should be attacking all the TV media outlets for the same reason.

Re:

[commodore64_love]

P.S.

Outside news sources? Like BBC? Also biased in a pro-government and pro-EU manner. There really is no such thing as an unbiased source, although I do enjoy watching Russia Today for its unique perspective.

Re:

[L4t3r4lu5]

I guess I'll start whitelisting advertising when they can stop drive-by malware infecting my computer.

AdBlock can stay enabled for the time being. Sorry, Ars.

google ads?

[pikine]

I thought the text-only ads from Google will not allow an advertiser to embed Javascript. Not sure about their newer Flash ads which can embed ActionScript, but one would think Google will be more careful with that. Maybe it is possible that Google still unknowingly redirects you to a malware page after you click on an ad, but the pie chart in TFA does not show Google DoubleClick (probably an insignificant amount under Others). In addition, Google may use the automated method behind stopbadware.org to deter

Re:

[alexhs]

FTA: "Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser."

Which probably actually means :

Users don't need to click on anything to get infected; a Microsoft Windows OS becomes infected after the ad is loaded by Microsoft Internet Explorer.

Re:

[Talderas]

Nope, I've had users get infected with this that solely use Firefox for web browsing. This is not a virus that exploits Windows, it's really targeted at exploiting Adobe vulnerabilities plus a few others.

Re:One lesson to learn

[julesh]

Never ever click an ad!

Clicking not necessary. I was infected with malware earlier this month without any interaction after visiting the Pirate Bay. An advert used javascript to redirect me to an obscure URL ( http://uqwaaa.in/cgi-bin/gjj [uqwaaa.in] ), which proceded to use a Firefox flaw of some kind to infect me. 3.6 doesn't seem to be susceptible, but 3.5.7 which I was running at the time *was*. The exploit installed a Firefox extension that randomly redirects links from google, yahoo and bing to advertising pages.

Re:

[stony3k]

Use Noscript - it warns you when a URL hijack attempt occurs

Re:

[ShadowRangerRIT]

Last I checked, Flashblock isn't a security feature, it's a convenience feature. The Flash loads, but is quickly suspended and replaced in the DOM by the button. But it still has a brief window in which to do something malicious. If you want security, you need Adblock and/or NoScript (for blacklisting and whitelisting respectively). I personally run all three; untrusted sites are locked down by NoScript, and trusted sites are unlocked by NoScript, but have the Flash blocked for convenience/performance.

Re:

[TheThiefMaster]

Don't block using a hosts file, it's not for that. If you do, at least redirect to 0.0.0.0 (guaranteed invalid address) not 127.0.0.1 or 255.255.255.255.

For browsing adblock is better, for general blocks (like what a hosts file would give) use a damn firewall.

Re:

[bipbop]

Guaranteed invalid? No. ~$ telnet 0.0.0.0 22
Trying 0.0.0.0...
Connected to 0.0.0.0.
Escape character is '^]'.
SSH-1.99-OpenSSH_5.0 NetBSD_Secure_Shell-20080403-hpn13v1
^]cl

telnet> cl
Connection closed.

Re:

[somersault]

Does anyone know of an equivalent to having a hosts file that you can use in conjuction with a Windows or Linux DNS server so that you can just block sites at the actual DNS server rather than having to keep updating the hosts file blacklist on all clients?

Re:CUSTOM HOSTS FILES ARE THE SUPERIOR ANSWER

[geekboy642]

1 is flat-out false.
2 is technically correct.
3 is true.
4, while true, is pointless. A far better (and simpler, easier) job of this can be done with a local caching DNS server.
5 is the same as 4.
6 is stupid and wrong. Text editors that can easily handle 30MB of text are rare under Windows, and nobody should ever do that anyways.
7 is completely stupid. There might be bugs in Window's HOSTS implementation. If there are, they will never be corrected. An AdBlock bug, or a DNS server bug, will be corrected within hours at the longest.
8 is vacuously true.
9 is completely false. Any malware that doesn't have admin access can get it trivially, under any Windows platform. It is impossible to lockdown the HOSTS file to the point that an admin-level malware cannot interfere with it.
10 is entirely wrong. See 6), and inspect any modern ad blocker. They've had 3-click-to-block for years now.
11 is flat-out wrong. See 9).

It takes you over an hour to process one million db entries? That's shameful. What are you doing that takes 4ms per entry? And why wouldn't "cat HOSTS | sed -e 's/[\t ]+/ /g' -e 's/[ ]+$//g' | sort -dfu" be faster and easier than processing text in assembler?

Re:

[geekboy642]

1) Tell me: Does performing a lookup into a one-million-entry list require more or less CPU than performing a lookup into an empty list? The page will be parsed no matter what you do.
4) Dan Kaminsky's work is important. But the flaw he found is non-trivial to exploit, has never been discovered in the wild, and on a private DNS server is trivial to protect against. (Like, oh, say, using Source Port Randomization)
6) Okay, my mistake. Let's try that, open notepad, open some 30MB file. Oh, look at that. It's lo

Surprise! Oh, wait...

[bhamlin]

Really, who is surprised by this? What's the cost of an ad and fake credentials compared to getting a chance to infect millions of computers?

Re:

[HungryHobo]

as far as I know the margins on selling infections aren't that fantastic.
I depends on who you're infecting though.

Good thing

[Jaysyn]

Good thing the combo of AdBlock, NoScript & FlashBlock will basically prevent these kinds of attacks.

Re:

[bunratty]

In addition, you can also use the Plugin Check [mozilla.com] to make sure you have the most recent versions of plugins to decrease the risk of attack. And don't forget to turn on DEP [microsoft.com] for all programs and services on Windows.

Re:

[Bearhouse]

Mod up, mod up...
How many times do we have to repeat this?
For those without Firefox and those extensions you point out, do your 'hosts' file:
http://en.wikipedia.org/wiki/Hosts_file [wikipedia.org]
Good for Chrome lovers and, of course, non-Windows platforms.
Yes - Apple and *Nix users are vunerable too...especially if in a mixed network with Windows boxen.

Peerblock is worth a look too...
http://www.peerblock.com/releases [peerblock.com]

Re:

[NatasRevol]

How exactly are Mac an *nix users vulnerable?

All of the malware being delivered only runs on Windows.

Re:

[0ld_d0g]

Unfortunately, that makes the web unusable for many people. Most people commenting here aren't the kind who get infected by malware.

Re:

[ShadowRangerRIT]

Well, AdBlock and Flashblock don't cause a problem for most people in my experience. NoScript drives them crazy though. And given that Flashblock (last I checked) doesn't provide real security (the Flash is loaded briefly before being replaced in the DOM, so the window of vulnerability remains), you're stuck with hoping the AdBlock filters are up to date. It's better than letting them browse on unprotected IE6, but without NoScript you're still vulnerable to exploits served from very new hosts (too new to s

Re:

[Jaysyn]

When I "fix" a Windows PC I always make sure to explain to the owner exactly what NoScript does & how to use it. I also stress to them how important it is that they actually use it & don't just "enable all" scripts. I generally don't charge my friends or co-workers for the 1st time I clean a PC but the on the two occasions I did get a PC back that had the floodgates opened so to speak, I charged the owner about $10 less than what Best Buy does for cleaning a PC. You can't fix stupid, but you can

Adblockers anyone

[Galestar]

Yet another reason to use ad blockers. I'm starting to think Firefox should come with it out of the box.

Re:Adblockers anyone

[Monkeedude1212]

The problem is that a large amount of money on the internet is made through advertisements. If Firefox gains marketshare, and starts with adblocking, thats tons of revenue stream being cut off. Google makes a lot of money through advertising, and they seem to be the only ones pushing for progress right now. I don't know if I'd want to go and reduce their income.

In Alberta - it's illegal to have a billboard on a Highway. Based solely on the idea that it causes more accidents because billboards are distracting. This isn't a direct attack on the speed limit, a major factor, or Alchohol, another major factor. Because attempting to control those other 2 factors would cause a huge upset.

Same with internet advertising, you can't just stop it all and make the world a better place.

Re:

[delinear]

You could conceivably stop all flash and scripted ads though. Sure there have been cases in the past of people exploiting image formats but they're all pretty well locked down now, if you can't get your message across with images and text then you can't expect your audience to be too sympathetic when your flashy advert allows the bad men to infect their PCs.

Re:

[rtaylor]

You might want to double check FireFox's revenue streams before suggesting they implement adblocking by default.

Adblocker

[wisnoskij]

I would like to support sites by viewing their ads but if it leaves you more open to viruses even on high-profile sites then it is not worth the risk.

Re:

[jedidiah]

Yes. This goes way beyond being "merely annoyed". If it becomes a security issue then ads need to go in general.

This is another example of how "outsourcing" leads to loss of quality and control. If you are going to spam someone then you need to be in control of the relevant content. You need to take responsibility for it. That seems to be the real problem here. You end up needing to whitelist 10 or 20 scripting hosts for the average "legitimate" website.

Re:

[daveime]

I think you'll find very few malware writers outsource to India. They prefer their malware to actually work !

Make the Ads Safe

[The Angry Mick]

I would like to support sites by viewing their ads but if it leaves you more open to viruses even on high-profile sites then it is not worth the risk.

Very good point, especially in light of Ars Technica's recent plea [arstechnica.com] to users to stop blocking ads.

I, too, would be than more willing to disable the protective measures I've got in place, but as long as these sites rely on third party advertisers that are more concerned with eyeball collection than system security, we have a stalemate. If sites want me to see their ads, they have the burden of making sure the ads are safe (less annoying, would also be good). If I lower my guard out of "friendship" for a site, only to get a drive by download as a reward, I'm going to take it as a major breech of trust.

Re:

[IICV]

Are the Breeches of Trust related in any way to the Trousers of Time?

On a more serious note, this is exactly why Ars Technica's plea was in vain - they want users to stop blocking ads, because that will bring them more money from the people who buy ads on their site. However, the people who buy ads on their site aren't making enough revenue from the ads as it is, and so resort to these intrusive, virus-laden pieces of shit in a weird attempt to generate more revenue.

This is why I don't feel bad about blocki

Re:

[ajs]

You could always whitelist ads on sites that you want to support while turning off JavaScript (e.g. using noscript). Most ads will still display (unless they're flash, and then it really was their choice, wasn't it?)

That's what I do. I even leave Slashdot's ad opt-out checkbox unchecked.

The real defense line

[geegel]

The way I see it, no browser should be designed to require admin rights. All that it needs is a sandboxed environment for temporary files. When this mantra gets in the developers' heads, such exploits will no longer be possible. Of course, by that time, other type of exploits will be invented, but we'll cross that bridge when we reach it.

Re:

[Neil Watson]

In UNIX one might try running the browser as another user via 'su'. That user could be isolated with no useful data or access. Probably some X permissions will have change to allow the browser to display on an X server owned by another user.

Could this be accomplished with Windows?

Re:

[geegel]

Basically yes. What's to stop a developer to code a browser with an emulator type architecture? You load the environment and in that environment you load the browser, while restricting its rights to the bare minimum.

Re:

[TheRaven64]

The problem with this approach is that the browser itself contains useful data - things like access to your Internet banking site, for example. Ideally the browser would create a new process when you navigate to a new site and chroot() that instance so that it can't get any access to the filesystem beyond that. That way, a compromised browser would only ever gain access to caches and passwords for the site that performed the attack. The wrapper would reparent each of these processes' windows into somethi

Re:

[Culture20]

The way I see it, no browser should be designed to require admin rights. All that it needs is a sandboxed environment for temporary files. When this mantra gets in the developers' heads, such exploits will no longer be possible. Of course, by that time, other type of exploits will be invented, but we'll cross that bridge when we reach it.

The way I see it, no browser updates should be designed to require admin rights. Back in the day, FF installers for windows didn't require admin rights; anywhere a user could install was fair game. I don't know if that's still true. But, what if the core executables were owned by root, but updates could be owned by various users? i.e. on opening, browser checks web for updates, if it finds some, it downloads the updated exe or dll to local user dir, and then restarts itself using the new version. If no

Re:

[The MAZZTer]

Huh? AFAIK none of the major players require admin rights. In addition Chrome (on XP/Vista/7) and IE8 (on Vista/7, not XP) both sandbox themselves and have been doing so for over a year now...

Re:

[geegel]

Well, most Windows users login into their OS with admin rights and when they launch the browser they automatically assign these rights. Basically, a browser should start with minimum rights regardless of what type of user launches it. Thank you for helping me clarify my point.

Chrome and IE8 have a combined market share of about 30% according to statcounter [statcounter.com]. This is indeed the right approach, but until ALL the major players and their most important versions take the route of sandboxing, malvertising will con

Re:

[geegel]

Most users follow the path of minimal resistance (i.e. they will most likely go with default settings). If these settings mean security by design, most of these problems would disappear.

Re:

[ShadowRangerRIT]

Well, the browser can lower its own privileges just fine. IE8 (and IE7 IIRC) run with lower privileges than a normal user for that reason. Even if you tell it to execute as admin, it programmatically lowers its privileges at runtime.

Ars Technica

[Anonymous Coward]

And Ars Technica says I shouldn't block ads.

I repeatedly told their staff that I don't block Ars Technica, but I do block ad servers. If they want to send me ads let them server them from their own domain.

Sites resposible for ad-vectored infections should be hit with hundreds of small claims court lawsuits to recoup the costs to clean up the infections.

Maybe then they'll learn.

nobody has to suport your idiot business model

[Thud457]

Advertising shitheads that want to run ad servers and serve up ads to hapless intarweb users should vet the content their customers are asking them to serve up. And not allow their customers to upload new content without being vetted. They should report any customers that misbehave. And they should be forced to do all this, on pain of literally having some guy named bubba come an break a finger for each offense.

'careless web activity'

[John Hasler]

> I usually suspect the users of 'careless web activity' when I delouse a PC...

They are guilty of 'careless web activity': not blocking ads.

Re:

[FlyingBishop]

Don't block ads. Use NoScript. Blacklists are easily compromised. Whitelists are much more difficult.

Re:

[John Hasler]

> Don't block ads. Use NoScript.

I use NoScript to block scripts. I use Privoxy to block ads.

> Blacklists are easily compromised. Whitelists are much more difficult.

Nothing gets through and I can selectively allow scripts.

Re:

[delinear]

I'm more than happy to tolerate ads if it supports my continued free access to some great web content and services. To be honest, I pretty much never notice them anyway so if the site owner benefits from them being there and I don't suffer any detriment, that's a true win-win situation (I've never blocked /. ads for the same reason, even though they kindly give me the option to disable them, I'm happy enough with the service they provide). If, however, I was similarly infected by visiting a reputable site I

ORLY?

[SpicyBrownMustard]

Let's see here... an anti-malvertising/malware firm reporting lots and lots of malicious "bad things" being served up by those terrible pesky Internet ads... no agenda here. The report failed to follow-through and dig into the real problem with malicious payloads associated with online ads, the ad network daisy-chain. If network-A has no impression for you, you're handed off to network-B, which may have no impression and then gives you to network-C... and so on. As your impression traverses the daisy chain

Re:

[John Hasler]

Why don't you think that the top tier services should be held responsible for the results of their daisy-chaining? They got paid for handing you off.

Yeah, this does not square with Googles analysis..

[Tran]

The other day someone posted a nice link to Google's facebook analysis, so I tried some of the pages mentioned above.
For example:
http://google.com/safebrowsing/diagnostic?site=drudgereport.com/ [google.com]

Seems that Google has a different opinion on this information.

OK, if the ad networks won't police this

[WCMI92]

Then we should start blocking the ad networks from our networks.

If lots of people started doing that, I wonder how quick Google, Yahoo, et all would start screening advertisers for malware?

Comment removed

[account_deleted]

Comment removed based on user account deletion

malvertising?

[Anonymous Coward]

how about badvertising?

Say NO to active content.

[Anonymous Coward]

That's why I am so pissed at site designers who go "lalala I can't hear you" whenever I request they make their site accessible without "active content" (i.e. Javascript, Flash, Java or even worse things).

It's nifty and all, but nowadays it's the main malware distribution mechanism. And you can't tell users "just switch off Javascript", because suddenly, half of the Web won't work (I do switch of Javascript: no, not NoScript. Just The Real Thing -- and for most, I'm even glad *this* half of the Web doesn't work -- but I can't tell a regular user to do the same). Heck, those $@#%! web designers even do regular links with javascript snippets for reasons inscrutable to me. Disgusting.

Advertisers? Do you hear me? I'll look at pngs, jpegs and gifs, even animated. I'll read text. but I won't even see your Javascript/Flash/whatever stuff.

There. Had to be said.

Ban Javascript!

[tedhiltonhead]

Ad networks should not enable their clients to include Javascript, Flash, Java, or other active content in the first place. If they have a compelling business case for doing so, all code should be "whitelist" filtered before being distributed. The ad network's reputation is on the line every time they serve an impression.

Ars Says

[JackSpratts]

It's a small price to pay for not using AdBlock. So remember: don't use it.

Adblock and Noscript

[erroneus]

Once again, we cannot trust advertising that does not come directly from the web site being contacted. No surprise there. Further, there are times when we cannot trust advertising that DOES come from the site being contacted.

The only safe content, so far, is based on simple text and pictures.

Are you listening advertisers? TRUST the people you are advertising through to host and deliver your ads appropriately. RESPECT your audience enough to avoid using flash and other nonsense. Do this and people will

You can't tell the enemy from your friends...

[rickb928]

I have a running dialogue with a webmaster of a celebrity paps site (ok, sue me) about the various bits of malware that are being served up by her various advertisers. This began a few months ago, and it took a while before I figured out they could not be expected to know this was happening. She has tracked down the source of these adverts to an agency that offered her triple the usual rate. Now she knows, among other things, that if it's too good to be true, there is a reason why.

But, she and I have synched clocks so she can know to the few seconds what I got. She has to report back precise details to get her advertisers to figure out what happened, cause most of her direct advertisers are contracting out ads to other agencies, and they sell other ads, and the chain gets long and obscure in no time at all.

So far, she is helpful, but last week I sent her a screenshot of a nasty one installing that 2010 antivirus onto one of my virtual machines, and it turned out to be her oldest and most loyal sponsor, and an entirely legitimate ad that had gotten hijacked on the way to her server. Yup, her server is compromised, and some ads are being re-written on the fly from other sources. Makes sense to me, just another vector. This is not good - even honest webmasters are vulnerable, though she called in a team/favor to fix up her server, which is supposed to be monitored for this stuff. Oh well.

Is there any defense? I'm using VPC2007 to run browsers just to be able to look at the nasty stuff being inflicted on me (not the celebs, thank you) and I can't imagine the fun of doing this from my desktop. Ewww.

When the NYT is being used, we are past blaming the source.

Not to mention the waiting time I see for ad servers. I want the damned content I asked for, thank you, perhaps webmasters need to find a way to ditch slow ads and let us see what we wanted to in the first place, ok? Thanks!

Twice from Slashdot

[Alistair Hutton]

I've been hit twice in two weeks with attempted installs of trojans/fake anti-spyware just from visiting pages linked to from Slahsdot stories. Not amusing.

I sure am glad...

[NewbieProgrammerMan]

...that I never removed DoubleClick from the list of sites that aren't allowed to deliver content to my browser.

AdBlockPlus and Ghostery

[XB-70]

I install Firefox on every machine I set up and then add AdBlockPlus and Ghostery. It's amazing what these two block. Mind you, they are not perfect and sometimes you have to allow some code to get through with Ghostery or the site does not work. Lastly, of course, you should use Linux. That helps a lot...

I'm a professional Malware removal guy. Literally.

[_KiTA_]

I work at a pinch hitter Tier 2 Pay to Play tech support company that is outsourced to by several major ISPs.

I see these damned things all the time. Usually they come with names like XP Antivirus 2010 or "Vista Security Center" or somesuch crap. They almost exclusively look the same, and there are new names that appear every so often -- XP Antivirus 2010 was "Internet Security 2010" not too long ago, for example. I suspect there is a kit that these companies are using to make their products.

They are almost exclusively coming in from banner ads. Specifically they use a Flash ad that, after a few minutes, or upon webpage close, or mouseover, opens an infected PDF file on a random infected server. Google Chrome occasionally catches these domain names, usually they are IP addresses or something similar.

Flashblock is NOT foolproof (although it does help), as occasionally they just have the ad banner on an infected server that auto-redirects you to a PDF file immediately.

They are occasionally Java files instead, but almost exclusively they are PDF files.

They're actually getting very creative in their infections. XP AV 2010, for example, sets itself up as the handler for EXE files -- in order to remove it, you have to install Malwarebytes and rename the mbam.exe file as 1.com or something similar. You can also dive into the registry to fix the EXE thing, except if the program is running it will just break it again immediately. Either windows does not have support for hijacking the .COM support in Windows XP/Vista/7, or these viruses just aren't thinking to try yet. Once they do, then our options drop to "OS Reinstall", as you can literally not run anything.

Some of these programs install themselves in such a way that if you attempt to load Safe Mode, your OS will intentionally BSOD. Or, in at least one infection, the screen filled with ASCII smiley faces and didn't continue.

Combofix will also remove most of these, and usually with "Security Center" or "XP AV 2010" we give up and run Combofix immediately.

The solution to prevent future infections isn't to move to Firefox or Chrome -- these infect those just as easily, although Chrome seems to just crash it's Flash plugin instead. In order to fix these, you have to update Adobe Flash, Adobe PDF, and Sun Java to the latest versions. PDF is the most important, but not the only one. Better browsers won't work. Antimalware programs won't work. The only way to fix it is to patch the holes.

Re:I'm a professional Malware removal guy. Literal

[mr.bri]

Yep. You don't have to click on anything to get infected. We've had a couple of our systems infected over the past couple of months. What scares me is:

1. We were running the latest version of Firefox
2. Acrobat Reader was fully patched (version 8, not 9. But, we have to leave the JS enabled)
3. Adobe Flash was up-to-date
4. Windows was fully patched
5. We have web filters
6. They got past 2 layers of IDS/IPS and 3 layers of antivirus scanners (different engines)
7. Users are NOT admins!!!

Since then, we have switched to a few new products and attempted to tighten things up even more, but these things have gotten incredibly complex. In one case, it was a triple attack. The Flash ad (0-day exploit) loaded an exploited PDF (0-day exploit) that took advantage of a 0-day IE exploit (keep in mind we use Firefox), which compromised the system. We have a nuke-from-orbit policy on any system we suspect has been infected, but what a waste of time!

It was hosted from a site in India. The user was on Yahoo's website (we've had 4 infections through Yahoo's ads). They did NOT click on anything!

Be very afraid!

Re:

[_KiTA_]

No, just run Combofix. Then MBAM. It'll fix it. It's a rootkit, which is blocking MBAM and Webroot from seeing it.

That's the most terrifying thing about these things -- they literally install as rootkits, without admin privileges, even on a fully up to date WinVista or Win7 box. UAC, Security Policies, etc do nothing.

It's no wonder Google got hacked by China.

Re:

[E-Sabbath]

Same experience except: my sneaky trick is to install mbam on the infected computer, then run the same version of it off a flash drive. Surprisingly, it works.

Also, do you think using Foxit instead of Adobe might help? For that matter, setting PDFs to not auto-open?

Ad CDNs have been a nightmare

[Coopjust]

Two weeks ago, someone asked me to reinstall Windows XP for them. Their disk was XP SP3.

I reinstall, and open IE to visit Windows Update

Instantly, I get a Vundo variant from a malicious ad attacking the out-of-date Flash Player that came with XP that installs without any user intervention whatsoever.

This only served to reinforce that I was right and not a webmaster/free content hating jerk when I block ads online.

Doubleclick too...

[Tteddo]

I fix PC's for a living and I have been seeing this too. Some people all the do is Facebook and they are getting "XP Antivirus" or it's variants, and I know there is no way they are doing anything. They all use Firefox, etc. The last 2 weeks I have been putting on Ad Block Plus and explaining to them what it does because I was having people get infected again in a manner of weeks after I clean it up the first time. I know that kinda sucks for website revenue, but what else is there to do. One guy got infected from Photobucket, and it was repeatable.

Remind me

[sjames]

Why is it somehow un-ethical to block ads again?

Perhaps it's a good idea for big sites with a reputation to maintain to borrow just a bit from the old model where they sell ad space with an approval process directly to advertisers and serve the images from their own servers.

Sue DoubleClick

[Animats]

A big class action against DoubleClick, etc. would be appropriate. They "exceeded authorized access", as defined in the Computer Crime and Abuse Act. That they got the attack from someone else isn't an absolute defense. The ad network obtained "something of value" for the attack. If they sent out one attack after they'd been informed, they were doing so "knowingly".

The ad network has the right to find and sue the source of the ad, but that's their problem, not the end user's problem. This is well-established law. In general, you can sue the party you dealt with, and they can sue the next party up the chain.

Re:Say No To Flash

[somersault]

Say no to unsolicited content altogether! Adblockers ftw.

Re:

[jimicus]

Doesn't really help in a business environment - few adblockers allow you to deploy and manage them centrally. Frankly, it would make more sense to block ads at the firewall.

Actually, now I think of it, that's a damn good idea. It'd mess up the page layout for a lot of things but if you served up a blank JPEG of the relevant size that shouldn't matter too much...

Re:

[somersault]

We do actually have that option in the content filter on our firewall. When I enabled it before I got complaints from one of the directors because they actually click on ads -.-

Follow the money..

[js_sebastian]

We do actually have that option in the content filter on our firewall. When I enabled it before I got complaints from one of the directors because they actually click on ads -.-

Wow... so these are the guys that actually pay for all of our free internet services? By all means do not ad-block them or the internet will collapse!

Privoxy

[John Hasler]

> Doesn't really help in a business environment - few adblockers allow you to
> deploy and manage them centrally. Frankly, it would make more sense to block
> ads at the firewall.

Privoxy does exactly that.

Re:

[L4t3r4lu5]

I just re-enabled AdBlock. I disabled it after the Ars Technica article regarding advertisement supported websites.

I'm happy to have unobtrusive text advertising, even images. Moving images and flash irritate me, but drive-by malware?

AdBlock stays on.

Re:

[commodore64_love]

Or how about GIFs and PNGs? Back in the 90s and early 2000s that's what ads were, and it worked just fine. There's no need to waste bandwidth on a 1000 kilobyte or more Flash ad when a ~100 kilobyte animated GIF can do the same job.

Re:

[commodore64_love]

That's one of the things I like about Opera Turbo -
- it blocks flash ads by default and displays a giant |> play button.
More browsers should do that.

What I don't like about Opera is how many websites refuse to serve it with javascript, and instead serve a broken nonfunctional page. I get a little frustrated with constantly right-clicking and choosing "mask as firefox" or "mask as explorer" to get a page to load properly. That isn't Opera's fault of course but it would be a lot easier if they

On the contrary!

[Errol backfiring]

Watch an ad and you're f*cked automatically!

Re:

[julesh]

1) Flash-based Banner Ad
2) JRE Exploit (CVE-2008-5353)
3) Adobe Reader Exploit
4) Profit?

From what I saw when this happened to me:

1) Javascript-based banner ad
2) MFSA2010-01 [mozilla.org] (or something similar that was present in Firefox 3.5.7)
3) Mozilla extension to redirect links from google, yahoo and bing to a site of your choice
4) Site that serves large numbers of per-impression banners for dubious porn sites
5) Profit.