Slashdot Mirror


Hackers Use Banner Ads on Major Sites to Hijack Your PC

The worst-case scenario used to be that online ads are pesky, memory-draining distractions. But a new batch of banner ads is much more sinister: They hijack personal computers and bully users until they agree to buy antivirus software. And the ads do their dirty work even if you don't click on them. The malware-spiked ads have been spotted on various legitimate websites, ranging from the British magazine The Economist to baseball's MLB.com to the Canada.com news portal. Hackers are using deceptive practices and tricky Flash programming to get their ads onto legitimate sites by way of DoubleClick's DART program. Web publishers use the DoubleClick-hosted platform to manage advertising inventory." CT: Link updated to original source instead of plagiarizer.

20 of 268 comments

  1. Very stupid idea by TheMeuge · · Score: 2, Informative

    This just gives even more reason to ban advertisements entirely.


    The "let's ban it" attitude seems awfully familiar. Are you a member of the US, UK, or EU parliament by any chance?

    Like it or not, but advertising generates (directly and indirectly) the revenue that drives the Internet. When advertisement is passive, and does not attempt to hijack your computer, it is theoretically a win-for-all scenario: the advertisers get their clients, the consumers get their products, and the sites that host the advertisement get their costs and expenses covered.
  2. TFA = Site scraping? by Anonymous Coward · · Score: 5, Informative

    The flibby link is identical to this Wired blog post by Betsy Schiffman, dated four days earlier.

  3. Not exactly new by Anonymous Coward · · Score: 5, Informative

    This has been going on since flash 8 was released with a vulnerability. I got hit by this about a year ago, maybe a little more.

      Suddenly windows security center, that I routinely turn off because I can't stand the nagging, started up and told me that my computer was insecure and that I should go to a certain website and buy their virus defender software.

    Not very subtle to a savvy person like myself, but I imagine some people would fall for it.

    The box also started throwing up connection error message boxes, presumably because my external firewall was blocking outgoing connection attempts. Again not subtle, but it's an uncommon setup for a home user.

    Third, it must have rooted the box somehow because certain files became invisible. "test.exe" among them. Renaming a textfile to text.exe would make it disappear, and the folder would be unremovable. Cygwin came to the rescue there. Also I noticed only because I happened to have lots of little crap programs laying around.

    The virus scanners did not pick up on this.

    This is the only time I have actually contracted a virus. Needless to say I hosed the box (PING is not disk image). What I learned from the experience is that knowing your system is way more effective than a virus scanner, and B) don't trust flash which is how I got the damn thing. I thought I was safe with firefox.

  4. Doubleclick sent out a notice Friday by night_flyer · · Score: 4, Informative

    here's a list of the sites that contained the malware:

    --


    Thanks to file sharing, I purchase more CDs
    Thanks to the RIAA, I buy them used...
  5. hosts file by phrostie · · Score: 4, Informative

    all the more reason to set up a host file

    http://www.mvps.org/winhelp2002/hosts.htm

  6. Re:I only found these ads on.... by morgan_greywolf · · Score: 5, Informative

    BTW these ads are not directly dangerous unless you are running on some old browser/old Windows system, but yes, they are annoying as hell.

    Um, wrong. Watch the video. The guy is running Windows XP SP 2.
  7. Re:Ah, let the blame game begin by Frosty+Piss · · Score: 4, Informative

    Meanwhile, The Economist, MLB, Canada.com, etc won't take responsibility for the content they present on their website (after all, they chose to use Doubleclick, they chose to put advertisements on the website, they chose not to require approval of ads before they were shown on their website, etc.) Funny how everyone is trigger-happy when it comes to copyright, but when it comes to content they present causing harm, it ain't theirs, eh?
    And speaking of "trigger-happy", you seem to point the finger right back at the Web sites for not inspecting the ads and the underlying code. Well, that's what they hire DoubleClick for, that's one of the points for using outside ad servers. DoubleClick (and its Mother Ship Google) were not doing their jobs. It was THEIR responsibility to know that the ads THEY served were legit or not. That's why THEY make the "big bucks". Google is good, Google is God...
    --
    If you want news from today, you have to come back tomorrow.
  8. Re:I only found these ads on.... by foobsr · · Score: 3, Informative

    WareZ engines like astalavista.com

    It is 2007!

    They now say: "Note: Astalavista.com is NOT affiliated with Astalavista.box.sk, there are NO cracks/serials/keygens/warez etc. hosted on the Astalavista.com's server, and never were! Moreover, Astalavista.com is a security site, therefore requests for anything illegal are simply directed to the wrong party, and get ignored immediately!"

    CC.

    --
    TaijiQuan (Huang, 5 loosenings)
  9. Re:Never Experienced This by rucs_hack · · Score: 2, Informative

    most advert serving domains still, for some reason, place the images to be used in */ads/* or */banners/*, something like that anyway. A well written rule file for adblockplus (e.g. most available ones) has the capacity to block many previously unknown ad servers. Then of course if they are spotted, they go on the list.

  10. Re:What are these "ads" you're talking about ? by galaad2 · · Score: 2, Informative

    i beg to differ, Flashblock does have a purpose even together with NoScript:

    on some sites i want to allow scripts but block flash... and this is the best solution i've found.

    --
    root@127.0.0.1
  11. Re:What are these "ads" you're talking about ? by Anonymous Coward · · Score: 1, Informative

    9.0 or later.

    Tools -> Preferences -> Advanced tab -> Content option.

    I disable Javascript, Java and Plug-ins, and use the "Manage site preferences" button to whitelist sites for those features.

    Use the "Blocked Content" button for ad blocking. I admit that Opera's content blocker interface isn't as good as Adblock Plus, though.

    Do a google search on "urlfilter.ini" to get you started on a good content block site list.

  12. Re:Never Experienced This by Constantine+XVI · · Score: 2, Informative

    AdBlock Plus, as mentioned by GP, has a built-in filter updater to combat exactly what you mentioned.

    --
    "I think an etch-a-sketch with an ethernet port would beat IE7 in web standards compliance."
  13. Google hole that allows a similar attack by Animats · · Score: 3, Informative

    There's a related hole in Google Maps, an "open redirector", that allows this exploit. Here's an example:

    Caution - hostile URL. Close the page displayed; don't click on anything on it.

    Note that it fools Slashdot, and most link scanners in spam filters, into accepting the URL as leading to "google.com". But, in fact, it redirects to the "malware-scan.com" hostile site, which will try to install an Active-X control.

    We've been finding attacks like this up with SiteTruth, by using PhishTank information to down-rate sites that have open redirectors. We've found open redirectors on Google and AOL. They're actively being exploited.

    So we're currently down-rating Google and AOL. It may seem drastic to downrate an entire major site because they have a few "minor" exploits. PhishTank itself only blacklists specific hostile URLs. But that's no longer enough. Most modern phishing attacks use a unique URL, and often a unique subdomain, for each user attacked. SiteTruth thus takes a harder line. If a domain hosts something one of the data sources says is an attack, it downrates the whole domain automatically.

    It's within the power of the site operator to close such security holes. We encourage them to do so.
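The open-redirector problem described in the comment above comes down to a link whose visible host is not where the browser ends up. The following is an added example, not part of the original thread and not SiteTruth's code: it lists absolute URLs embedded in a link's query string and marks those pointing at a different site. All hosts are constructed `.example` names, and "same site" is approximated by the last two DNS labels.

```javascript
// Added example, not code from the thread. Hosts below are constructed (.example).
// Assumption: "same site" is approximated by the last two DNS labels; a
// production check would use the Public Suffix List instead.
function siteOf(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Return every absolute http(s) URL carried in the link's query string.
function embeddedTargets(link) {
  const outer = new URL(link);
  const targets = [];
  for (const [param, raw] of outer.searchParams) {
    // searchParams has already percent-decoded the value once.
    const value = raw.startsWith('//') ? outer.protocol + raw : raw;
    let inner;
    try {
      inner = new URL(value);
    } catch {
      continue; // not an absolute URL (plain search terms, ids, ...)
    }
    if (inner.protocol !== 'http:' && inner.protocol !== 'https:') continue;
    targets.push({
      param,
      host: inner.hostname,
      crossSite: siteOf(inner.hostname) !== siteOf(outer.hostname),
    });
  }
  return { visibleHost: outer.hostname, targets };
}

// A link is worth a closer look when the host a scanner "sees" differs from
// a destination embedded in its parameters.
function needsReview(link) {
  return embeddedTargets(link).targets.some((t) => t.crossSite);
}

const CONSTRUCTED_LINKS = [
  'https://maps.portal.example/local_url?q=http%3A%2F%2Fscan.hostile.example%2Finstall',
  'https://www.portal.example/login?next=https://accounts.portal.example/home',
  'https://www.portal.example/search?q=open+redirect',
];
for (const link of CONSTRUCTED_LINKS) {
  const { visibleHost, targets } = embeddedTargets(link);
  console.log(visibleHost, JSON.stringify(targets), needsReview(link));
}
```

A flagged link only shows that a cross-site URL is being passed as a parameter; whether the endpoint actually redirects to it has to be confirmed by the site operator or from its response.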

  14. Re:What are these "ads" you're talking about ? by Anonymous Coward · · Score: 1, Informative

    In the NoScript options, the plugins tab, check "Apply these restrictions to trusted sites too" and all other boxes you like. No need for both of them. :)

  15. Re:I only found these ads on.... by gazbo · · Score: 2, Informative
    Oh no, I just assumed that not everybody would be as credulous as the person who made the video. Of COURSE it's not scanning his PC, any more than you're really the 1,000,000th visitor to the webpage. It's nothing more complex than

    window.confirm('Do you want to scan....');window.location.href='http://advert.com/pretend_to_scan.gif';
    And yes, it asks you repeatedly. How is that "directly dangerous?" Annoying, yes (as the OP said), but not directly dangerous (as, once again, the OP said).
  16. Re:Your company/family/school by Nicolay77 · · Score: 4, Informative

    Opera is faster and more secure. Opera 9.5 is even faster, making Safari bite the dust. It also uses less memory.

    It also can block ads (although not with a blacklist as FF, but you can block whole domains).

    To me the lesser minds are the ones that can't respect other people's choices.

    --
    We are Turing O-Machines. The Oracle is out there.
  17. Re:Ah, let the blame game begin by Anonymous Coward · · Score: 1, Informative

    To be fair Google has not purchased Doubleclick yet (especially since EU has extended its review). Until the acquisition Google must legally take no part in Doubleclick's operations and so should not be blamed for this.

    Google is also known for having a much stronger privacy policy than doubleclick.

  18. Re:What are these "ads" you're talking about ? by Neil+Hodges · · Score: 2, Informative

    No, but AdBlock (Plus or vanilla) will do this for you.

    - Neil

  19. Re:Old news.. and a very old problem. by Emetophobe · · Score: 2, Informative

    I clicked on your "not a new problem" link. Avast (free edition) popped up a Trojan warning. What exactly is on that page?

  20. Re:Never Experienced This by Strilanc · · Score: 2, Informative

    A large number of ads can be identified without even paying attention to the website.

    /ad((space)|(border)|(centric)|(cycle)|(farm)|(frame)|(image)|(logs)|(mentor)|(serv)|(vert)|(vus)|(header)|(zone)|(fetch)|(vo)|(id=)|(client)|(data)|(srv)|(view))/

    is by far the best performing filter I have.
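How a substring filter like the one in the last comment behaves on real traffic depends on what else contains those letters. The following is an added example, not part of the original thread: it scores the posted regular expression against constructed request URLs (all `.example` hosts, with hand-assigned labels) and compares it with a tighter variant that is an assumption of this example, not something the commenter proposed.

```javascript
// Filter exactly as posted in the comment (case-sensitive, unanchored).
const POSTED_FILTER = /ad((space)|(border)|(centric)|(cycle)|(farm)|(frame)|(image)|(logs)|(mentor)|(serv)|(vert)|(vus)|(header)|(zone)|(fetch)|(vo)|(id=)|(client)|(data)|(srv)|(view))/;

// Variant added for comparison (assumption, not from the comment): ignore
// case and require that "ad" is not preceded by a letter.
const TIGHTER_FILTER = new RegExp('(^|[^a-z])' + POSTED_FILTER.source, 'i');

// Constructed sample requests; `ad` is the label a human reviewer would assign.
const SAMPLES = [
  { url: 'http://adserv.net.example/banner/300x250.swf', ad: true },
  { url: 'http://cdn.example/adframe.html?adid=77', ad: true },
  { url: 'http://media.example/AdServer/show.js', ad: true },
  { url: 'http://forum.example/threadview.php?t=42', ad: false },
  { url: 'http://ngo.example/advocacy/index.html', ad: false },
  { url: 'http://app.example/js/loaddata.js', ad: false },
  { url: 'http://news.example/story/1234.html', ad: false },
];

// Sort each sample into blocked ad, missed ad, or false positive.
function score(filter, samples) {
  const out = { blockedAds: [], missedAds: [], falsePositives: [] };
  for (const { url, ad } of samples) {
    const m = filter.exec(url);
    if (m && ad) out.blockedAds.push(url);
    else if (!m && ad) out.missedAds.push(url);
    else if (m && !ad) out.falsePositives.push({ url, matched: m[0] });
  }
  return out;
}

for (const [name, filter] of [['posted', POSTED_FILTER], ['tighter', TIGHTER_FILTER]]) {
  const s = score(filter, SAMPLES);
  console.log(name, 'blocked:', s.blockedAds.length, 'missed:', s.missedAds.length,
    'false positives:', JSON.stringify(s.falsePositives));
}
```

On these samples the posted filter misses the mixed-case `AdServer` path and blocks `threadview`, `advocacy` and `loaddata`; the tighter variant still blocks `advocacy`, which is why blockers pair such patterns with an exception list.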