Google Deletes Rogue Ads, Dangers Persist

An anonymous reader writes passed us a link to a PC World article about attempts by Google to curb malicious ads via their popular service. The article is somewhat bleak, though, because researchers see the fix as nothing more than temporary. "'Search engines are just too easy a target for bad guys,' says Roger Thompson of Exploit Security Labs. On April 25, Exploit Prevention Labs reported that malware distributors were using advertisements placed via Google's automated AdWords system to infect unsuspecting end-users with spyware designed to capture bank login user names and passwords."

Adwords has poor service.

[Scott+Lockwood]

I'm amazed at what you can, and cannot do with the service. Just today, I found that you cannot remove an old bank account from adwords. Amazing. Even Paypal gets that right.

They are all vulnerable

[xintegerx]

About 6 months ago, a web site showed an AdBrite "please click up top to continue" full page ad. Except, this wasn't a picture, but an actual web page.

The ad itself looked like a blue, medical stock template with a nonsensical press release inside of it. It didn't look like an ad, but an unprofessional scam. Well, my antivirus went off either at that page, or when I clicked to investigate it. The home page itself consisted exactly of that same type of garbage.

So, Google Ads are dangerous because they take you to web sites of hundreds of thousands third party web sites nobody heard of before. AdBrite sticks those pages right into the ad so you can be infected even without clicking on anything; and because of that, you're screwed even if you have an ad-blocker software, because those ads are pulled straight from the advertiser's web sites.

Re:They are all vulnerable

[thePowerOfGrayskull]

Well, my antivirus went off either at that page, or when I clicked to investigate I've gotta say... if you didn't click to investigate it, you would very likely not need antivirus.

M$ Search is Worse.

[Erris]

Microsoft's search excels in spreading malware. How's that for cold water on this Google slam?

Re:M$ Search is Worse.

[Dachannien]

Great, so they both suck. I don't see how Microsoft sucking makes Google suck any less on this one.

Google has to require link = real destination

[Animats]

This vulnerability in AdWords exists because Google made them "reseller-friendly." That needs to stop.

When you click on a Google AdWords ad link, the link goes to Google, not to the destination site. Then Google's ad link server looks at the URL, logs the click, and does a redirect to the site specified by the advertiser. That isn't necessarily the destination shown in the Google ad. It's often some "ad broker" or "affiliate", which wants to see the click event for "tracking". That's what created the vulnerability. Attackers can buy ads for "Bank of America" and have them redirect to "slimeballcentral.biz".

Google does check, when the ad is purchased and occasionally thereafter, that the link sold with the ad eventually redirects to the purported destination, or what Google calls the "landing site". But that's not good enough any more. Attackers can create ads which attract innocent users, run them past the attacker's site where the attacker gets a shot at them, then direct them invisibly to the destination. That's how this attack works.

It's time to cut the middlemen out of the loop. Google ad links need to go directly to the destination site, only. "Ad brokers" and "affiliates" will have to use Google's own ad tracking numbers. This might require outside auditing to be trustworthy.

That would cause some disruption in the ad-broker / "search engine optimization" business, although they'd adjust to it. It's going to be interesting to see whether Google chooses to protect its search customers or its ad brokers. That will tell us whether Google has abandoned "Don't be evil".

A simple solution

[halcyon1234]

Why doesn't Google just test every new ad that is submitted to them? It wouldn't be all that hard. All they need are a few machines running XP and an unpatched copy of IE. Make an image of a working machine as a backup. Then, when a new Ad Sense ad is submitted, one of those machine visits the website. If it gets hit with malware, the ad is rejected, and the machine is re-imaged from the backup.

The philosophy is simple: Anyone who would take advantage of any sort of exploit to install software on an end user's machine is not peddling a legitimate product.

Of course, a semi-clever malware site admin can write a script that would deliver different content to a Google machine. But I am sure Google has enough disposable IPs and proxies that that won't be a problem. And even if it is, I'm sure they can just Google for a good IP spoofer. (Goofer?)

It's a trivial matter with an easily implemented solution.

Re:A simple solution

[Solra+Bizna]

They can also change the content of the page after it's accepted, so Google would have to check every ad fairly often.

-:sigma.SB

Re:A simple solution

[halcyon1234]

That is true. What about some sort of "verify this ad" button or feature. Let the end user report a potential "no no" ad for verification. It would cover everything from malware to WoW gold-farm ads.

It's still an "after the fact" solution, but short of forcing people to make immutable ads...

Of course, given the mindstaggerly awsome amounts of bandwidth Google weilds, doing daily or weekly spot checks on new ads wouldn't be that straining. I mean, it's not like EVERY single ad needs checking. Customers who are in good standing (have been clean for a few months, for example-- or those who are, like, Disney and Coke-- known entities) don't need policing.

Re:A simple solution

[Paradise+Pete]

Why doesn't Google just test every new ad that is submitted to them? It wouldn't be all that hard.

I don't think it's quite so easy. You figure out how to do that reliably and I'll bet you've got a job waiting for you at Google.

Re:A simple solution

[mkw87]

Better yet use a VMWare copy of XP?

Re:A simple solution

Has anyone check out XPL's SDK? http://explabs.com/ss/sdk.asp Google, Yahoo and every other site featuring user-generated content could stop malicious links with it.

Re:A simple solution

[pipingguy]

Don't Google's indexing bots already do this?

In more ways than one.

[Erris]

Now I remember why this topic seems familiar. M$'s search engines were recently shown to have far more malware than others. So it's a double M$ issue - they suck on the desktop and people take advantage of their search engine to blow out users of both.

Re:In more ways than one.

Disregard that, I suck cocks.
-- Twitter, reporting from my mom's basement

So who's at fault?

[Itninja]

My question is, if a malicious piece of malware get delivered to someone via a Google Ad on my site am I going to get sued? If my AdWords are just a ticking litigious timebomb maybe I should take them down....

Re:So who's at fault?

$PROSECUTION: Your honour i visited the $DEFENDERS website i clicked on a link and i was infected by a trojan which stole my bank account details
$DEFENDER: that wasnt me it was a google advert that did it
$JUDGE: and who put the advert code on your website
$DEFENDER: I did your honour
$JUDGE: guilty as charged!, 3 years prison for fraud and theft by deception
$BANK: we would like now to issue precedings against $DEFENDER and $ADVERTISER for theft,fraud,conspiracy,wiretap laws, do you have a form we can fill out ?

Re:So who's at fault?

[Shemmie]

I thought a site couldn't be held liable for the contents of sites it links to? Surely if you could, the entire Internet would fall over?

$DEFENDER: Yes your Honour, I put the link on my site. However, Google links to me. If the proescution hadn't come to me via a Google search, he would not have been infected. Thus, Google are to blame.

$Google_Defense: Yes your Honour, we linked to his site. However, Microsoft Live Search linked to us.
...
(Optional)
$Microsoft_Defense: Yes your Honour, we linked to their site. And we are to blame, because no one ever links to us.

Re:Google has to require link = real destination

Re-directs, while disconcerting, are not the main problem. These exploits often find their way into trusted sites too. The Super Bowl site was hacked with the ANI exploit right before the Super Bowl. Thousands of trusted sites are hacked today, and they're in Google/Yahoo/MSN's organic search results. The criminals hack into a site, insert a simple link into the HTML, and voila, a portion of every unsuspecting visitor's browser's session is re-directed to an exploit server. Also, even if Google eliminated re-directs, the advertisers themselves will want to add their own. Advertisers need to measure somehow. What Google needs to do is apply a technology fix. There's anti-exploit technology available from nearly every security vendor, including the company mentioned in the story who discovered this exploit. In fact, the exploit was discovered by one of their users who was alerted to the malicious hyperlink.

This is not the root cause or solution.

[Erris]

From the fine article:

If someone clicked a booby-trapped sponsored link they were the ad would redirect their browser through URLs that attempted to automatically download a virus program (MSO6-014) onto their computers before passing them along to the actual sites that were advertised.

The problem is that so many people use a crappy browser that allows the attacks. Malicious people are going to put their stuff on the web and that's not Google's fault. To top it all off, Google is doing a better job fighting the problem than Microsoft's own search.

The further away you get from M$, the better off you are.

Woops, bad formatting.

[Erris]

From the fine article:

If someone clicked a booby-trapped sponsored link they were the ad would redirect their browser through URLs that attempted to automatically download a virus program (MSO6-014) onto their computers before passing them along to the actual sites that were advertised.

The problem is that so many people use a crappy browser that allows the attacks. Malicious people are going to put their stuff on the web and that's not Google's fault. To top it all off, Google is doing a better job fighting the problem than Microsoft's own search.

The further away you get from M$, the better off you are.

Re:First

[Wicked+Zen]

What? Is this supposed to mean something? Are you implying that going after websites with malicious ads will eventually lead to the eradication of freedoms? Because that's what the quote you are referring to means. Or are you just trying to be funny? Because you are not.

Firefox Affected?

[Mister+Transistor]

I even RTFA (!) and I couldn't determine whether or not Firefox is vulnerable or not. Based on things as usual, I'm assuming it isn't but I really cant tell!

Re:Firefox Affected?

[Paradise+Pete]

I couldn't determine whether or not Firefox is vulnerable or not.

Well that would depend on what's on the attacking page, wouldn't it? You can't simply say "this attack works only on X," because the attack can change at any time.

Re:Firefox Affected?

[pembo13]

Why is this offtopic? There's more to web surfing than IE+Windows

Re:Firefox Affected?

[Mister+Transistor]

Yeah, no shit. Must be "Mods on Crack" day...

no it doesn't.

no it doesn't. I've deleted multiple bank and credit card numbers from my paypal account, and they have a way of magically re-appearing. It's freaky, and I really don't like it. I'm sure others have experienced this too...

Re:no it doesn't.

[Scott+Lockwood]

Very odd. I've used paypal since it's inception, and I've never had that happen.

Re:no it doesn't.

[quixote9]

Yup. Me too. Took over four years (4!) for me to get just one account straightened out with Pay"pal". I'm not sure they ever did, actually. I stopped checking after the last time the vampire died because it bothered me too much to see the damn thing back at the old stand all the time.

Re:no it doesn't.

Most won't let you get rid of at least one way to get money from you. If you give another, you can delete a first.

Re:Google has to require link = real destination

[bitt3n]

Attackers can buy ads for "Bank of America" and have them redirect to "slimeballcentral.biz".

This is even more nefarious because many long-term BoA customers will simply assume the destination URL to be a rare example of corporate transparency.

Slam?

[The+Bungi]

Hi twitter.

How's that for cold water on this Google slam?

So reporting an issue is a "slam" now? That is, unless it's about "M$", right?

"This is bad, but look over here, some more bad stuff and creative spelling!!"

I bet you're a big fan of Faux News.

Whole new meaning

[Myria]

I guess that this gives a whole new meaning to "I'm Feeling Lucky".

What are AdWords?

*pats AdBlock on the head*

Good add-on. Here's a bone for ya.

Hey, is that a DoubleClick ad? Sic 'em, boy!

Slam and Advert

[Erris]

The Bungi Troll asks:

So reporting an issue is a "slam" now?

Yes, it's a slam if you only report half the issue. All of the search engines have this "problem" and M$ has it worse than others. The unmentioned root cause of the issue is a crappy browser and OS that's easy to exploit, yet somehow it's all Google's fault. That is a Google slam.

This is par for the course in the Wintel press world. The article ends up being an advertisement for Site Advisor, which is just another Windoze band-aid. The reporter who wrote this article needed to do some more research. Because they did not, they ended up slamming Google.

Re:Slam and Advert

[The+Bungi]

The Bungi Troll

http://slashdot.org/~twitter

Yes, it's a slam if you only report half the issue.

So that's a bit like talking about botnets and your desperate denial of the existence of Linux botnets with tens of thousands of machines?

The unmentioned root cause of the issue is a crappy browser

They don't have to "mention it", because the root cause is an unpatched crappy browser. Quite a different thing.

Re:Slam and Advert

[bmo]

"So that's a bit like talking about botnets and your desperate denial of the existence of Linux botnets with tens of thousands of machines?"

Tens of thousands?

I don't really know about that, but let's take that number at face value and compare that to what Vint Cerf has calculated: he figures that 1/4 of all Windows clients are bots.

http://arstechnica.com/news.ars/post/20070125-8707 .html

That's 150 MILLION machines compared to your purported "tens of thousands". The Bible says something about removing a log of wood from your own eye before pointing out a speck of dust in another's. Religious or not, it's good advice.

And let's look at the attack vectors for "linux botnets" - nearly all of them are servers running vulnerable PHP code and victims of brute force attacks at the SSH port. This is _trivial_ to secure. If you run sshd on any port other than 22, all those "invalid user" messages simply go away. That's not even taking into account using Denyhosts. If you combine the two strategies, it's simply too much of a waste of time for someone to try to root the box through SSH. The other obvious strategy is to not run random PHP code without checking first online if it's massive security risk.

But that's all about server stuff. Joe and Josephine User don't run services, or at least shouldn't. Gone are the days of Linux shipping with tons of services turned on by default - they must be configured and started by the owner. Take a Linux distro like Ubuntu 7.04, and stick it on a computer bare-arsed naked to a cable modem. The likelihood of a successful attack is nearly nil, but to do the same thing to a Windows machine, a take-over is 50 percent likely within 20 minutes (I'm being generous here, I've seen most estimates below 12 minutes and 5 minutes) - before patches can be successfully installed.

So you can sit there and blame the user all you like, but it doesn't change the reality that Windows is unsafe at any speed, by design.

--
BMO

Re:Slam and Advert

[The+Bungi]

I think you're missing some context here. I would never try to argue as to the number of machines in botnets that belong to a particular OS. The vast majority of them are running Windows. This really goes back to an incident where "Erris" here (actually his other suckpuppet account) dared someone to provide proof that any "GNU/Linux" machine was in a botnet. Of course, he was given the proof, after which he curiously decided that he didn't want to participate in the discussion anymore. That's all.

Having said that, while I think it would be disingenuous to claim there aren't a crapload of Windows machines in botnets, I'm still waiting from Cerf's proof that 1/4 of all Windows machines are. It's interesting no one else bothered to question that number. Oh, wait, it's not.

Re:Slam and Advert

[bmo]

So let's just say that Vint Cerf is off by 50 percent in the wrong direction. So I'll pull a number out of my ass and say 1/8. That's still a ton.

"dared someone to provide proof that any "GNU/Linux" machine was in a botnet."

Well, that's just silly. If I want amusement, I'll put SSH back on 22 and watch the bots hit the logs.

"It's interesting no one else bothered to question that number."

That number is plausible to me. Most people are running around with expired AV and Anti-Spyware, which is _worse_ IMO than no protection at all. Many people think that they don't need to update after their trial periods run out. If you were to say non-professionally administered machines (the ones sitting at home) I'd guess higher than Vint by 100 percent. Half of all home machines, and I think that guess is low.

People take care of their cars better, and that's not saying much.

--
BMO

Re:Slam and Advert

[stonecypher]

By that logic, a reporter discussing Darfur is engaging in a slam if they don't document prior abuses by other nations. Do you stand by your evaluation in that light?

Unpatched

[The+Bungi]

many people use a crappy browser

An unpatched crappy browser.

To top it all off, Google is doing a better job fighting the problem

How do you figure that, twitter? You're linking to the story that details the problem, but did you find the one with the solution? Or are you implying that Microsoft never did anything about it, but Google did?

Of course, I love this part from that article, in the usual Register style:

A Microsoft representative says in a statement that "to the extent that spammers are successful in essentially manipulating results, they will hurt the user experience on all search engines".

That left us scratching our heads for a couple reasons. For one, the same search terms don't appear to generate malicious returns on Google or Yahoo!, so how can the rep claim this is an industry-wide problem? And for another, what does spam have to do with this? We're wondering if our inquiry got mixed up with someone else's.

Emphasis mine. Would you like some ketchup with your crow? I'd bet good money you made the same point when this first happened to Live.com.

Just like now you're trying to deflect criticism of Google by pointing out how "M$ is teh worse". You always claim Microsoft pays people to astroturf Slashdot and stalk you. Are you in Google's payroll? It sure seems that way. Why go to all this trouble otherwise?

Re:Google has to require link = real destination

[rcjhawk]

If snorting beer through your nose after reading counts, mod parent up (funny).

Re:Google has to require link = real destination

[JustShootMe]

I've been a customer of BofA for several years now and have zero complaints. They've always seemed on top of things.

I've also worked at WaMu (I was a system admin with root on all of their UNIX machines corporatewide). I don't think I would ever bank there.

Direct Answer: Microsoft.

[Erris]

My question is, if a malicious piece of malware get delivered to someone via a Google Ad on my site am I going to get sued? If my AdWords are just a ticking litigious timebomb maybe I should take them down....

The title was, "Who's at fault?" The answer is obviously Microsoft. It's their browser getting blown out and no one else's. Their search engine is also turning up more malware than Google.

I can't imagine you being sued because someone tricked Google and then did something nasty to someone else's computer. Honyepot is going after the spammers right now and they are the people who will pay eventually. It would be nice if the companies that sponsored them and paid for their bad works would be held responsible, but I doubt American Express, Home Depot, American Airlines and others will ever pay. Don't deprive yourself of revenue because M$ IE has problems. Ultimately, this is someone else's fault and problem.

Re:Microsoft issue, isn't it?

[Erris]

Wow, more than five modpoints wasted trying to eliminate this thread. I'm flattered by the attention, but annoyed by people not getting to read about how Microsoft's search engine is worse and how none of this would be a problem if IE and Windows were not such sorry systems.

This just in

[aero6dof]

Researchers realize that everybody would be safest if we all just sat in the dark and shunned communication with anyone.

A couple of points

[whitehatlurker]

There are things which people should do to protect themselves from these kinds of things.

i) Use a filtering proxy (like Proxomitron) to remove sponsored ads from search engine sites. Or, ignore these ads.

ii) The very trite - patch your software! The exploited MS IE hole was patched over a year ago.

Jackass

[JacksBrokenCode]

Google has killed less people than Stalin. I guess news about problems with Google's setup aren't relevant at Slashdot...

YouTube video of the Google exploit

is here: http://www.youtube.com/watch?v=iD0wdzQb8XY Narrated by the researcher who first analyzed it.

Love Me! Feel Me! Google Me!

Love Me! Feel Me! Google Me! MOst of all, Google Me! GooooooGllleee Me!

Your Dean Truly,
Marilee Jones

Google has ads?

[segra]

ive never noticed... mmm i love foxy and noscript/adblock ;)

What is your problem?

[Erris]

This really goes back to an incident where "Erris" here (actually his other suckpuppet account) dared someone to provide proof that any "GNU/Linux" machine was in a botnet.

You are putting words into my mouth or someone else's. From other comments you've made, I'd say you were doing it on purpose as part of your pathetic Microsoft defense.

The truth of the matter is very simple. GNU/Linux comes out of the box spyware and malware free and is easy to keep that way. Windoze comes loaded with spyware and soon gets more without any help from the user other than normal browsing and email, sometimes from just plugging the box into a network. Windoze should never be used where data integrity or confidentiality is an issue. Even if it were possible to secure, it costs more and takes much more effort while delivering lower performance and fewer features. I can't imagine why anyone would deny this other than not knowing any better or working for Microsoft or both.

Re:What is your problem?

[The+Bungi]

Deny what, flocktard? That "Windoze" comes "preloaded with spyware"? Whoa, that's going to prove just damn hard.

I can't imagine why anyone would actually say that other than not nowing any better or being paid to spew retarded FUD about Microsoft.

Re:What is your problem?

[Erris]

Deny what, flocktard? That "Windoze" comes "preloaded with spyware"? Whoa, that's going to prove just damn hard. I can't imagine why anyone would actually say that other than not nowing any better or being paid to spew retarded FUD about Microsoft.

I love how you losers get all angry when people say bad things about M$. What have they ever done for you?

Re:What is your problem?

[The+Bungi]

You are like a bad joke - conjured up and unleashed on teh interwebs to ensure that free software is ridiculed to no end.

And you smell funny.

Other than that, you are free to say all the "bad" things you want about "M$". Just don't be surprised when someone questions your FUD.

Users should run servers.

[Erris]

you run sshd on any port other than 22 ... Joe and Josephine User don't run services, or at least shouldn't. Gone are the days of Linux shipping with tons of services turned on by default - they must be configured and started by the owner.

Off by default is a good policy but people should be encouraged to share and the ability to do so without being screwed is one of the biggest benefits of free software. OpenBSD's sftp is excellent and well implemented on GNU/Linux systems. It can only be brute force attacked by guessing passwords and a reasonable passphrase based password should be used rather than moving ports. Moving ports makes it hard for your friends to find what you want them to find, which adds to the difficulty already imposed by ISPs crimping upload speeds and forcing IP4 and dhcp. The bandwith wasted by ssh attacks is trial, but if you have a lot of that it's not an ssh attack, it's a denial of service. Browsers like konqueror navigate sftp as if it were a local protocol and this is a much nicer set up than the PHP based work around for html interactivity and sharing. People want a safe and secure way to share their pictures and other works. Free software gives them that with the small burden of choosing good passwords. Poblems incurred through linux file serving are trivial next to those the average Windoze user has to put up with from just plugging into the network. They have to get weekly patches, run multiple AV/spyware detectors but still can't share and still get screwed over.

Re:Google has to require link = real destination

[aggiefalcon01]

Speaking as a current BoA customer, I tend to agree