Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Advertising Google Microsoft Security Technology

Two Major Ad Networks Found Serving Malware 330

Trailrunner7 writes "Two major online ad networks — DoubleClick and MSN — were serving malware via drive-by download exploits over the last week, experts say, after a group of attackers was able to trick the networks into displaying their ads by impersonating an online advertising provider. The scheme involved a group of attackers who registered a domain that was one letter away from that of ADShuffle.com, an online advertising technology firm. The attackers then used the fake domain — ADShufffle.com — to dupe the advertising networks into serving their malicious banner ads. The ads used various exploits to install malware on victims' PCs through drive-by downloads, according to information compiled by security vendor Armorize."
This discussion has been archived. No new comments can be posted.

Two Major Ad Networks Found Serving Malware

Comments Filter:
  • Of course! (Score:5, Interesting)

    by MadUndergrad ( 950779 ) on Monday December 13, 2010 @12:10AM (#34532100)

    What do you expect from a company called "Doubelclick"? I bet Googel tampers with their search results too.

    • Re: (Score:2, Insightful)

      by icebike ( 68054 )

      Doubleclick is Owned by Google, so they probably don't need to tamper.

      Oh, ah, Whooosh, I guess.

      • by Anonymous Coward

        At the time Google bought DoubleClick, Google owned the advertisement network with the best reputation (Goolge AdWords/AdSense. Relevant, not-very-annoying text ads) and DoubleClick had perhaps the worst reputation (horrible flash banners, etc.) of them all. I couldn't understand why Google would buy that. Then again, these days Google is pretty horrible towards Ad publishers (closing or freezing accounts without offering any explanation, etc... If you aren't a big name, expect to get buttfucked by Google)

    • umm... not in violation of one click shopping patents?

  • by wizardforce ( 1005805 ) on Monday December 13, 2010 @12:16AM (#34532120) Journal

    One more example of why ad blocking has its security benefits. What's worse is that doubleclick and friends are used by pretty much every site out there including Slashdot. It's a shame that although a lot of people would be willing to support sites like Slashdot allowing a few ads to load occasionally; doubleclick just isn't trustworthy enough to allow that.

    • by cappp ( 1822388 ) on Monday December 13, 2010 @12:21AM (#34532140)
      And this is why I blanket block all ads on all sites. It's an incrediably blunt instrument, but its the only way to avoid this kind of thing apparantly.

      What sucks is that I'd actually like to support the sites I frequently visit, and ad views clearly have a significant effect on their various bottom lines, but I just can't justify exposing myself to whatever that week's ad-based crazy shit danger happens to be. It's similar to how I feel about porn sites - the responsible part of my wants to subscribe and send them a little cash for the assistance rendered by their presentation of jiggly bits being jiggly...but that same responsible part is also well aware that any kind of commercial interaction with said pornographers has a suspicious way of going horribly wrong.

      So now I find myself chosing between doing that right thing - supporting the services I use - and the secure thing. And as it happens, the secure thing wins out.
      • by Jah-Wren Ryel ( 80510 ) on Monday December 13, 2010 @12:29AM (#34532166)

        What sucks is that I'd actually like to support the sites I frequently visit, and ad views clearly have a significant effect on their various bottom lines,

        Ad views have become the defacto micropayment system. If we had an alternative, sites wouldn't have to be dependent on privacy-invasive and security-breaking ad systems. I'm sure that many would anyway, but they would at least have other options.

        but that same responsible part is also well aware that any kind of commercial interaction with said pornographers has a suspicious way of going horribly wrong.

        Micropayments could solve that problem too - anonymous microcash would be almost completely immune to the kind of abuses that you are avoiding.

        • by CosmeticLobotamy ( 155360 ) on Monday December 13, 2010 @02:18AM (#34532396)

          A "push" credit card transaction would also solve those problems. Why is it that I can only pay for something by giving my entire credit balance to someone and trusting them to give me back everything but what their invoice says? Why can't I say, "Hey, MasterCard, give this guy $50." He gets an email, his automatic email-getting-password-sender-outer tells me how to get to his jiggly bits. ... I mean, the jiggly bits he has video of, not the ones between his pockets.

          • I use a debit card for online transactions. It has its own separate bank account, with no overdraft or other type of negative balance facility. When I want to buy something online, I get to the checkout page, see how much the total is, use online banking to transfer just enough money into the account from my main account to cover the cost, and then proceed with the purchase. If a retailer tries to take too much, or tries to take payment twice, or if the card number is compromised and is used fraudulently, p

            • by Bert64 ( 520050 )

              Be careful with that, even tho you have no formal overdraft facility some banks will give you an "unarranged overdraft" and charge you stupid fees for it...
              I used to use a card with an extremely low credit limit for online purchases, until i found that the credit limit isn't the limit that you can spend, its just the limit that you can spend without being charged extra fees.

            • by Ecuador ( 740021 ) on Monday December 13, 2010 @05:44AM (#34532874) Homepage

              You think that is smart eh? Oh, boy, are you in for a suprise!
              Using debit cards to be "safer" is the worst idea possible. All credit cards have fraud protection. If someone uses it fraudulently, as long as you catch it within a couple of months, you are not responsible for paying it. When you give your credit card number to someone you are giving access to your credit line, provided by your bank, not your money directly, and when they charge your card they won't draw money from you, they will post a charge for which they will get paid later by the bank and you will be asked to pay for it.
              Now, if you give your debit card, you are giving your bank account. A transaction draws money from your account immediately, good luck trying to reverse that later, I mean it is YOUR money gone, not the bank's money. Then, the fact that you don't have overdraft protection does not mean much. First of all you will have the bounce fee. Secondly, there have been many instances where banks go ahead and honor the overdrawing (it has happened to me once, they charged both the fee AND overdrew the account, it was either Wacovia or Chase...) and when you ask them about it they say "because you are a good customer our system allowed it".
              There are of course many other reasons for using a credit card. For example you get extended warranty (AMEX doubles 1-year warranties), cashback etc.
              If you want to be secure there are virtual account numbers that many CC provide. Some of them can be set with a pre-set limit. But be careful, similar to a bank account there are times where the bank will still honor going over the limit. The difference is, you will NOT have paid it with your money. You will receive a bill showing the fraud and you will file for it to be cleared. It has happened to me a couple of times and I shudder at the thought of that being my debit card...

              • Please tell me how's a Visa debit card is worse than a Visa credit card? And how is it better losing your own money vs losing someone elses money that you have to pay back?

                • Well in the UK the COnsumer Credit Act 1974 means you have no liability for fraudulent transactions. That does not apply to Debit Card transactions.

              • by account_deleted ( 4530225 ) on Monday December 13, 2010 @09:35AM (#34533896)
                Comment removed based on user account deletion
          • by Flixie ( 643395 )
            Flattr is on it... http://flattr.com/ [flattr.com] From their blog http://blog.flattr.net/2010/12/claiming-content/ [flattr.net]: "Wouldn’t it be wonderful if Flattr could figure out that you own a piece of content and automatically let others flattr it, without you doing anything? "
          • In most of the world there is a thing called "bank transfer". For most transactions it is even free. All you need is to know the recipient's account number, which is published by everyone interesting in receiving non-cash payments.

          • Re: (Score:3, Interesting)

            by edgr ( 781723 )
            Most of the big banks in Sweden allow you to create a temporary (virtual) credit card with a specified limit and expiry date. You type the credit limit and expiry in, push a button and it spits out a new mastercard number. At least one bank (Swedbank, one of the largest in Scandinavia) requires this kind of card for all online transactions.
          • by DamonHD ( 794830 )

            You kinda can, eg with EntroPay that I was a founder of, you can create a new card (new number) with just enough credit/balance on it to support the transaction you want to do.

            Rgds

            Damon

          • I say, "Hey, MasterCard, give this guy $50." He gets an email, his automatic email-getting-password-sender-outer tells me how to get to his jiggly bits.

            You mean like PayPal?

        • Ad views have become the defacto micropayment system.

          I like to think of ad views as the squeegee guy at the red light intersection. He'll mess up your windscreen while you're stopped, and then on top of that, he expects you to pay him for it.

      • You can subscribe to many sites like slashdot, and pay them directly.
        • by lxs ( 131946 )

          Sure, but nobody wants to subscribe to many sites. One or two is fine but twenty or more? Especially when most only have interesting content once a fortnight.
          (I know that's not what you meant but it gets to the heart of the problem as I see it.)

    • by icebike ( 68054 )

      Agreed.

      I use OpenDNS to block doubleclick but they have a lot of domains they serve under in addition to their own.

      I don't begrudge the advertising, I've even been known to click on it occasionally if it interests me. And I don't worry too much about the malware, running Linux and tight filters. But a few jerks like ADShufffle.com screw over all the advertiser. And I wager nothing at all happens to them.

    • Aye!
      Adblock, No-Script.

      I use AVG, not sure what is best free virus scanner. Don't think the commercial scanners are significantly better (maybe not better at all) than the free ones.

      • Comment removed (Score:5, Informative)

        by account_deleted ( 4530225 ) on Monday December 13, 2010 @03:16AM (#34532528)
        Comment removed based on user account deletion
        • Ditto on MS Essentials. I made the switch about a year ago after many years of AVG, including corporate licensing. AVG is still a decent product, but more naggy and has gotten more resource hungry over the years. MS Essentials isn't perfect but seems to use less resources and catches as much or more than others. Being free is also nice. Being updated very regularly, almost daily, is also good.

  • by TestedDoughnut ( 1324447 ) on Monday December 13, 2010 @12:18AM (#34532122)
    Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago. With that in mind, I can't say I'm really all that surprised that advertisers would be the source of ad/spy/malware...
    • by gmhowell ( 26755 ) <gmhowell@gmail.com> on Monday December 13, 2010 @01:47AM (#34532348) Homepage Journal

      Oh no, between you and the AC, you've mentioned HOSTS files twice. If you mention them a third time, the apk troll shows up, like a techno Candyman with Tourette's.

  • by Anonymous Coward on Monday December 13, 2010 @12:19AM (#34532128)

    Oh wait... Google's doubleclick got tricked too.... okay, nevermind.

      -The Anonymous Google Fanboy

    • by icebike ( 68054 ) on Monday December 13, 2010 @12:24AM (#34532150)

      Quote Story:

      A spokesman for Google, which owns DoubleClick, told the IDG News Service that the malicious ads were only being served for a short amount of time, and that the company's own malware filters detected the ads, as well.

      So, MSN was clueless. Google was merely slow to act.

      • by jimicus ( 737525 )

        Does seem a little odd. Google has malware filters for ads, the filters detected the malware but (and this is the big but) not before it had been served out for a while.

        That sounds rather more like a human malware filter than a machine one.

        • by m_ilya ( 311437 )
          Testing ads for malware presence is not as simple as testing an executable for a virus because in general case ad is a combination of Flash, JavaScript and HTML documents hosted on 3rd party servers which may change content of these documents at any time. This means the testing machinery have to do repeat tests all the time but given that there are many creatives in ad network there is a limitation on how quickly you can do repeat tests. If malware author is smart and for example implements a strategy where
    • MS for the security holes, MSN for the exploits. One stop shopping! We have you rooted the fastest! Where do you want someone to make you go today!

  • coulda told ya (Score:2, Interesting)

    by Anonymous Coward

    I could have told you that. I narrowed down the issue to MSN/Hotmail a couple days ago and was advising users to stay away for as long as possible/use adblock/noscript.

    I've been dealing with removing this horseshit from end users pc's all week.

    Something interesting I noticed was the malware authors were amateurs- they forgot to setup the fake HDD defrag malware to run at boot on any other user profile besides the one that was infected.

    Made disinfection pretty easy...

  • Praise for adblock (Score:2, Insightful)

    by Matt Perry ( 793115 )

    This is why I block all ads and all your moral arguments and begging [arstechnica.com] be damned. Ad blocking is sensible risk management.

    • Re: (Score:3, Interesting)

      by Mashiki ( 184564 )

      Queue people whining and crying that people are thieves and all that because they block ads. Sorry, but if you can't be sure you'll never serve malware. You'll never be allowed to serve ads which might infect my machine with something...nasty. Especially now that ransomware is starting to become the next trend.

      • by Deathlizard ( 115856 ) on Monday December 13, 2010 @01:07AM (#34532260) Homepage Journal

        Let em whine. I'm sorry, These ad firms put themselves into this mess.

        The day ad firms decided to allow advertisers to use Flash and JavaScript in their advertisements is the day I started blocking them. Seriously, What was wrong with simple images and text? Was the monkey way too easy to punch or something?

        • I must have punched that spanked that damned monkey a dozen times and all it did was make my mouse hand sore.
        • by Tom ( 822 )

          add animated GIFs to that list.

          I started blocking ads when two things happened, pretty much simultaneously:

          One, ad content took over a considerable part of the screen real estate and
          two, ads started to distract from the actual content through animation, blinking, sound, etc.

          I know advertisement is all about getting your attention, but it tries to do that in contexts where I don't want my attention diverted to something else. I don't mind advertisement on the WC or on the bus that much, it's not as if I had

        • Comment removed based on user account deletion
        • by Mashiki ( 184564 )

          I agree, ad firms have put themselves into that mess. The reality is, they don't even realize it. I'm still wondering who had the brainwave to allow flash and js, to play outside of the sandbox.

      • by Spad ( 470073 ) <slashdot@ s p a d . co.uk> on Monday December 13, 2010 @03:06AM (#34532508) Homepage

        Cue.

  • Trust model (Score:5, Interesting)

    by Inf0phreak ( 627499 ) on Monday December 13, 2010 @12:28AM (#34532160)

    The trust model of online advertising is in my opinion fundamentally broken. A big part of the security model of the web is domain-based - e.g. the same origin policy - but this goes down the drain with third party ads hosted on yet another third party's server.

    With online advertising it was for the first time possible to measure the effect of ad campaigns better than "how many saw it and did we sell more after it?" What did this bring us? "PUNCH THE MONKEY!", "LOOK AT THE BLINKING LIGHTS!", "BEEP BLOOP BEEEEEP!!!" and perhaps most insidiously it broke the domain-based model of trust on the web since everything had to be put on the advertising hosters' servers to deter click fraud and whatnot.

    AdBlock doesn't just save you bandwidth and reduces the annoyance of browsing the web, it is also one of the best tools for avoiding drive-by malware from ads.

    • by mrvan ( 973822 )

      ... it broke the domain-based model of trust on the web since everything had to be put on the advertising hosters' servers to deter click fraud and whatnot.

      Erm? I would say the trust model works exactly as promised.

      I trust slashdot.org (I know, silly me) and ask my browser to download and display HTML content from their domain
      The HTML at /.org instructs my browser to go get and display some other content from an ad domain
      I do not trust that ad domain and refuse to display their content
      Everybody happy?

      *Browsers*, however, need to become more explicit about this and realize that if I instruct them to get a page from x.com I don't really want to get images, fram

  • by Anonymous Coward

    Seen a few people say they use Adblock and all, which is fine, but if you recognize that an ad-server can be compromised, then why not any other web server you visit? How many things are you going to block before it makes the web safe? So many all websites are useless? That's why I found NoScript more annoying than not. Too often I was just saying yes to so much it wasn't really that much more secure.

    Much better to have secure systems inside than walls trying to block everything.

    • Because it's not the web server being comprimised per say. It's the Ad network either being fooled, or willfully putting up exploit code rather than any sort of hack going on. Also considering the turnover of data/files on an ad networks servers, it's much harder for them to keep this from happening
      • To expand on this; the job of an ad agency is to put you in touch with many groups who normally you wouldn't be in touch with. Preferably even groups who you wouldn't want to be in touch with. There's a differece between going to a place you trust which might be compromised and a bunch of such places having the chance to pay to get in touch with you.
  • My MS messenger has been setting off the anti-virus alarms for several months now. They come in through the ads at the bottom of the main window.

  • by Lucky75 ( 1265142 ) on Monday December 13, 2010 @12:57AM (#34532236)
    For the very few oblivious people (esp on /.), here's your solution: Adblock [mozilla.org]

    It's really just one more reason for me to not feel guilty about blocking ads. Sometimes I click on ads from sites which I trust and wish to support, but other than that, the hell with them.
  • ad network should serve the images/text and a link URL, nothing more

    stop letting advertising providers provide custom HTML and remote-load scripts/images into ads

    • by jack2000 ( 1178961 ) on Monday December 13, 2010 @02:08AM (#34532380)
      Some one should put an option in firefox( a native option mind you not a whole extension) that basically says break third party javascript. We'll see who wins the damn war then.

      And if sites start puting bullshit javascript on the main domains then fuck em.
      • by jimicus ( 737525 ) on Monday December 13, 2010 @06:08AM (#34532930)

        Your idea, while clever, isn't going to solve the problem. Javascript will just wind up being pulled in at the server side rather than through <script src="http://dooberidooberidoo....">

        The problem is a combination of idiot ideas concerning computer security. Read something like "The Six Dumbest Ideas in Computer History" [ranum.com] some time - it's eye-opening and it explains a lot. In the case of web browsing and Javascript, you've essentially integrated four of those ideas into basic computer use.

        For those who haven't time to read the article, I'll summarise the idiot ideas that have made it into web browsing:

        1. Default Permit. Why on Earth is it the default for most web browsers to run every single little thing they download? It's completely insane - seriously, I can't think of a better way to transmit malware than to sit somebody at a computer and give them a nice easy way to download and automatically run every silly thing they can find, even if the only thing they will run is supposedly sandboxed.

        2. Enumerating Badness. We tell ourselves that it's OK to do this, as long as the end user (if they must run Windows at all) does so with half-decent AV installed. But AV works by keeping a list of "things that are bad" and blocking them all - you know how long that list is these days? You only need one thing to slip the net and your system's 0wned anyway. It's the computer equivalent of having sex with every disease-ridden cheap whore you can find working the streets and hoping to Christ the condom never breaks. The bad thing only needs to be lucky once, you need to be lucky every time.

        3. Penetrate and Patch. Today the issue is at the server end. Four days ago, the issue was in Firefox (latest release was on the 9th December, it fixes a number of security holes). Next week it might be in Adobe Reader or Chrome. Exactly when did it start making good sense to play whack-a-mole with security holes? You don't see them building high-security prisons out of temporary Portakabins and then tacking extra things on in a blind panic every time inmates escape, so why are so many pieces of software that are likely to be exposed to malware designed in exactly this way?

        4. Educating users. Telling people not to click blindly on every ad doesn't work, as anyone who's ever done serious amounts of user support can attest. You always have some people who will click on everything that appears on their PC, if education was going to fix that it would have stopped being a problem years ago. There's a damn good reason why larger companies frequently lock their PCs down so thoroughly they may as well be dumb terminals, and it's not because the IT department is run by a bunch of power-thirsty mini-hitlers. It's because it's the only way to stop the helpdesk being overrun with people ringing in to say "I clicked on this attachment and now I've got everyone complaining that I emailed them a virus. I didn't!".

      • Some one should put an option in firefox( a native option mind you not a whole extension) that basically says break third party javascript. We'll see who wins the damn war then.

        That would break CDNs serving JS for the site owner and cookieless domains used for the same purpose, both are considered good practice at the moment for faster web sites. In addition, it would need countless (hardcoded?) exceptions for sites like ajax.googleapis.com which are used to help users reduce traffic by caching frequently used JS libraries more.
        I use NoScript and although it has its deficiencies, it generally works very well.

  • by saikou ( 211301 ) on Monday December 13, 2010 @02:04AM (#34532378) Homepage

    I find it a bit odd that an extra "f" would have duped "the system". I believe what may have been happening is that human verification part of the equation could have been "hacked".

    You create an account, you specify where the banner data lives, it gets submitted for an approval.

    Except in this case whoever looked at the data saw "trusted" domain and figured everything is fine. Heck, the "fake" domain could have served an innocent javascript up until owners knew that banner got approved, then swapped out the script and off the drive-by script malware goes.

    And then Google/Doubleclick detects bait-and-switch ("hey, we didn't approve this virus!") and it gets flagged.

  • This is a strong argument for blocking DoubleClick and MSN's ad server at the corporate firewall.

  • by Ismellpoop ( 1949100 ) on Monday December 13, 2010 @02:15AM (#34532390)
    well its bullshit every time an add tried to install something the package manager won't open them. Shit I've tried every distro out there and I still can't open them up. What am I doing wrong can someone please help me. I really want to see all these cool things the rest of the world is experiencing.
    • by sorak ( 246725 )

      well its bullshit every time an add tried to install something the package manager won't open them. Shit I've tried every distro out there and I still can't open them up. What am I doing wrong can someone please help me. I really want to see all these cool things the rest of the world is experiencing.

      don't worry. I hear WINE is adding support for that.

  • This will never change as long as the companies that failed, MSN and Google, don't really bare the cost of their failure. Yes, they're really really sorry, but mostly because they lost some revenue. They couldn't care less about what happens to the end users.

    If they had to pay real money proportional to the amount of damages the situation would be completely different. Estimate them number of visits to poisoned web sites, multiply that by the amount of time required to check for and fix damage, multipl

  • How is this news? 90% of the Spyware I see comes from banner ads that redirect to malware.

    Pick your poison:

    1. Ad redirects upon load to Malware
    2. Ad appears normal, redirects after X seconds to Malware
    3. Ad appears normal, then redirects to Malware upon closure
    4. Ad redirects to Malware upon specific click event (mouseover, clicking something in the page, etc)

    Where Malware in this instance is 99% of the time a PDF exploit. And since Flash lacks basic security measures (such as, say, an option to refus

  • The only 'safe' way to serve ads is from your own databases, after having thoroughly checked the ads to be displayed for any malicious behavior.

    As I stated yesterday, and got modded troll for; you can only be the provider yourself. You cannot trust anybody else. You must act as the filter or else you will hurt your customer base.

    • by Khyber ( 864651 )

      To add, this same statement holds true to my LED business. If I do not serve as the filter for all the marketing bullshit, I end up losing sales even though I never sold anything, because the potential customer base has become jaded and distrustful, either from personal experience with sham lights or through hearing about stories from other users about said sham lights.

      There is no other way around this, it is a fact and cannot be changed. It is logical, and anyone that ignores it, especially content distrib

  • I started blocking ads when they started blocking me or my use of webpages.

    Static banner ads were okay, but as soon as they started blinking, jumping, making noise, popping up or sliding in front, they were unacceptable and had to go. It's a simple as that.

    Using Adblock Plus with NoScript have made sure I've yet to experience my first ad-borne infection.

  • Personally, I'd be surprised at the discovery of an ad serving network that DIDN'T serve malware on the side.

    I have never understood why advert networks allow their "Partners" to cross-load javascript, and other scripted media objects. If the advert requires a "phone home" script, then it should have that script hosted, and vetted by the advert network they are partnered with, rather than playing a shell game of spot the malware.

    Any advert that tries to hot-load a javascript or other scripted media object s

  • by toygeek ( 473120 ) on Monday December 13, 2010 @05:23AM (#34532824) Journal

    88x31 and 468x60 animated GIF's.

    I'm going to implement ad blocking at the router level at my house....

  • No wonder I saw a spike of GPcode infections at my workplace last week.....

Avoid strange women and temporary variables.

Working...