Hackers Use Banner Ads on Major Sites to Hijack Your PC

The worst-case scenario used to be that online ads are pesky, memory-draining distractions. But a new batch of banner ads is much more sinister: They hijack personal computers and bully users until they agree to buy antivirus software. And the ads do their dirty work even if you don't click on them.The malware-spiked ads have been spotted on various legitimate websites, ranging from the British magazine The Economist to baseball's MLB.com to the Canada.com news portal. Hackers are using deceptive practices and tricky Flash programming to get their ads onto legitimate sites by way of DoubleClick's DART program. Web publishers use the DoubleClick-hosted platform to manage advertising inventory." CT: Link updated to original source instead of plagerizer.

oh great

[deftones_325]

So now I need to buy penis-enlargment pills AND and anti-virus.

Re:oh great

[FuzzyDaddy]

Yes, those two things often go together.

What are these "ads" you're talking about ?

[galaad2]

That's why Firefox+NoScript+AdBlock Plus+Flashblock were invented

AdBlock and NoScript

[Timinithis]

I use these exclusively, are there reports that this method gets by them? I know that if the ad is blocked, it isn't downloaded, but is that all it takes, download the ad and you have the virus?

Sounds like a reason to just block all double-click items...

I don't enable flash/scripts on any page unless it is needed -- like scripts for /.

Ah, let the blame game begin

[SuperBanana]

The malware-spiked ads have been spotted on various legitimate websites, ranging from the British magazine The Economist to baseball's MLB.com to the Canada.com news portal.

...and since those sites outsource to Doubleclick, they'll point a finger at them. Doubleclick will no doubt point the finger at some previously-unheard-of company that "solicits advertisements for the Doubleclick network", and they'll point the finger at their "client."

Meanwhile, The Economist, MLB, Canada.com, etc won't take responsibility for the content they present on their website (after all, they chose to use Doubleclick, they chose to put advertisements on the website, they chose not to require approval of ads before they were shown on their website, etc.) Funny how everyone is trigger-happy when it comes to copyright, but when it comes to content they present causing harm, it ain't theirs, eh? :-)

Doubleclick, of course, won't accept responsibility for vetting advertising distributed via their channel (which seems like a standard business procedure for, oh, an advertising network?) The only comfort is the mechanism of the free market: if website users get pissed enough, said websites might put pressure on Doubleclick or leave them altogether. That's bad for Doubleclick business, so maybe Doubleclick will consider vetting ads better, or run checks to see that flash code doesn't do certain things, etc. Then again, if the malicious banner ad suppliers are paying good enough money, Doubleclick may be perfectly happy to issue a press release "apologizing" and keep right on doing business as usual.

Re:Ah, let the blame game begin

[Frosty+Piss]

Meanwhile, The Economist, MLB, Canada.com, etc won't take responsibility for the content they present on their website (after all, they chose to use Doubleclick, they chose to put advertisements on the website, they chose not to require approval of ads before they were shown on their website, etc.) Funny how everyone is trigger-happy when it comes to copyright, but when it comes to content they present causing harm, it ain't theirs, eh?

And speaking of "trigger-happy", you seem to point the finger right back at the Web sites for not inspecting the ads and the underlaying code. Well, that's what they hire DoubleClick for, thats one of the points for using outside ad servers. DoubleClick (and its Mother Ship Google) where not doing their jobs. It was THEIR responsibility to know that the ads THEY served where ligit or not. That's why THEY make the "big bucks". Google is good, Google is God...

TFA = Site scraping?

The flibby link is identical to this Wired blog post by Betsy Schiffman, dated four days earlier.

Your company/family/school

[KiloByte]

Right, we all use Adblock and the like. Yet, you can't force everyone in the vicinity to do so, there are lesser minds who opt for Opera, and there's even a tiny portion of giants on Links -- and let's not even mention how low SOME folks can fall.

I would say that adzapper (if you use squid) or a DNS-based blacklist is quite mandatory wherever you do have a say. Glancing at the logs of ISPs I have root at, roughly 1/4 of all freaking http requests go to lowlifes -- and even that based on my grossly incomplete list of ad/spyware/tracking scum.

Yeah, 25%. That's horrible.
And there are some customers dumb enough to complain if you do protect them from ads, so you can't do this in an ISP scenario. But in a company, school or family? Hell yeah, there's no reason for doubleclick.com to get through, ever.

Re:Your company/family/school

[Nicolay77]

Opera is faster and more secure. Opera 9.5 is even faster, making Safari bite the dust. It also uses less memory.

It also can block ads (although not with a blacklist as FF, but you can block whole domains).

To me the lesser minds are the ones that can't respect other people choices.

Not exactly new

This has been going on since flash 8 was released with a vulnerability. I got hit by this about a year ago, maybe a little more.

  Suddenly windows security center, that I routinely turn off because I can't stand the nagging, started up and told me that my computer was insecure and that I should go to a certain website and buy their virus defender software.

Not very subtle to a savvy person like myself, but I imagine some people would fall for it.

The box also started throwing up connection error message boxes, presumably because my external firewall were blocking outgoing connection attempts. Again not subtle, but it's an uncommon setup for a home user.

Third, it must have rooted the box somehow because certain files became invisible. "test.exe" among them. Renaming a textfile to text.exe would make it disappear, and the folder would be unremovable. Cygwin came to the rescue there. Also I noticed only because I happened to have lots of little crap programs laying around.

The virus scanners did not pick up on this.

This is the only time I have actually contracted a virus. Needless to say I hosed the box (PING is not disk image). What I learned from the experience is that knowing your system is way more effective than a virus scanner, and B) don't trust flash which is how I got the damn thing. I thought I was safe with firefox.

Terrible relationships with their advertisers

[sseaman]

Content providers need to be responsible for the content of the ads posted on their sites - that's a given. TFA indicates that these content providers (the people behind NHL.com, for example) simply received payment for these ads via credit card or wire transfer and then posted the content. If these sites used a network television model, they would have intimate relationships with the advertisers and would work together to provide less offensive and more effective ads. I don't think they need to go that far (network television ads are far from perfect, although they are quite effective), but clearly MLB.com and NHL.com need to be held responsible for the content on their sites, and hopefully this will encourage better cooperation between site hosts and advertisers.

Re:Never Experienced This

[doombringerltx]

3) How did YouTube decide that "ridiculously hot LATINA girl dancing, not asian!" is a Related Video? Except in the sense that it's always relevant, I mean. Finally a reason to RTFA

Doubleclick sent out a notice Friday

[night_flyer]

here's a list of the sites that contained the malware:
100it.info, 10smi.info, 2greatfind.com, 2quickfind.com, 3akoh.net, Ad2cash.net, Ad2profit.com, Adcomatoz.com, Adgurman.com, Adhokuspokus.com, Adnetserver.com, Adredired.com, Adsolutio.com, Adtraff.com, Adverdaemon.com, Adverlounge.com, Adzyclon.com, Alg-search.com, Alhoster.com, Aligarx.biz, All-search-it.com, Alphatown.us, Anmira.info, Anonymbrowser.com, Antivirussecuritypro.com, Aptprog.com, Art-earn.biz, Astalaprofit.com, Autodealer-search.com, B2adz.com, Bazaard.com, Belkran.com, Belshar.com, Bestadmedia.com, Best-biznes.info, Best-cools.info, Bestdatafinder.com, Besteversearch.com, Bestpharmacydeals.com, Best-screensavers.biz, Bestsearchnet.com, Bestshopz.com, Bestwm.info, Bestwnvmovies.com, Bezzz.info, Bi-bi-search.com, Bizadverts.com, Bizmarketads.com, Blessedads.com, Bm-redy.com, Bovavi.com, Brandmarketads.com, Bucksinsoft.com, Burnads.com, Cancerno.com, Candid-search.com, Carpropane.com, Cashloanprofit.com, Casinoaceking.com, Casinoby.com, Casinodealsgalore.com, Cha-cha-search.com, Cheap-auto-deals.com, Checkstocklist.com, Chushok.com, Clever-at-search.com, Clubheat.info, Come-from-stars.com, Co-search.com, Creamme.net, Cryptdrive.com, Cyndyk.info, Deuscleanerpay.com, Didosearch.com, Diphelp.biz, Dmitry-v.info, Doma2000.com, Durtsev.com, Easybestdeals.com, Energostroj.com, Enothost.com, Eroticabsolute.com, Errordigger.com, Errorinspector.com, Evrogame.info, Fandasearch.com, Fantazybill.com, Fastwm.info, Fastzetup.info, Fati-gati-search.com, Favourable-search.com, Favouriteshop.com, Feel-search.com, F-host.net, Fifaallchamp.com, Fight-arts.com, Fileprotector.com, Findbyall.com, Firstbestsearch.com, Firstlastsearch.com, First-ts.com, Foamplastic.net, Fokus-search.com, Force-search.com, Forceup.com, Forex-instruments.info, Forvatormail.com, Freepcsecure.com, Freerepair.org, Freetvnow.net, Friedads.com, Fulsearch.com, Getfreecar.com, Gibdd.us, Glass-search.com, Glorymarkets.com, Gosthost.net, Great4mac.com, Greyhathosting.com, Gt-search.com, Hackerpro.us, Hardlinecenter.com, Hebooks-service.com, Hintway-international.com, Homeofsite.com, Hromeos.com, Hyip2all.org, Icq-lot.org, Iddqdmarketing.com, Ideal-search.com, Idea-rem.com, I-forexbank.biz, I-games.biz, Imamis.net, Individ-search.com, Information-advertising.info, Infyte.com, Initial-search.com, Insochi2014.com, Installprovider.com, Internetadaultfriend.com, Internetanonymizer.com, Internetsupernanny.com, Intervarioclick.com, Investmentsgroup.org, Invulnerableads.com, It-translation.biz, Izol-tech.com, Kamerton-tests.com, Kazilkasearch.com, Keytooday.com, Keywordcpv.com, Kiridi.net, Kpoba.net, Kurgan45.info, Ladadc.com, Lanastyle.com, Ldizain.info, Libresystm.com, Liders.biz, Linii.net, Liveclix.net, Loffersearch.com, Londasearch.com, Lovecraft-forum.net, Loveopen.info, Lseom.biz, Luckyadcoin.com, Luckyadsols.com, Mad-search.com, Magicsearcher.com, Mailcap.info, Manage-search.com, Marketingdungeon.com, Mass-send.com, Max-expo.net, Maxyanoff.com, Mediatornado.com, Mega-project.biz, Megashopcity.com, Mightyfaq.com, Misc-search.com, Mobilesoftmarketing.com, Mobiletops.com, Mobilorg.org, Moneycometrue.com, Moneypalacecash.com, Mounthost.net, Myfavouritesearch.com, Myhealth-life.org, Myonlinefinance.com, Mysurvey4u.com, Mythmarketing.com, Mytravelgeek.com, Myusefulsearch.com, Napol.net, Navygante.com, Netmediagroup.net, Netturbopro.com, Newbieadguide.com, Nryb.com, Of-by.info, Olgalml.com, Ol-search.com, Onedaysoft.com, Onestopshopz.com, Onwey.com, Opensols.com, Original-search.com, Osetua.com, Osminog.org, Parischat.org, Passwordinspector.com, Pcsoftw.com, Pcsupercharger.com, Performanceoptimizer.com, Piramidki.com, Podelkin.info, Popadprovider.com, Popsmedia.com, Popupnukerpro.com, Postcity.info, Prenetsearch.com, Prevedmarketing.com, Prizesforyou.com, Pro-dom.info, Propotolok.info, Pro-svet.info, R2d2adverising.com, Radiosfera.net, Rocktheads.com, Roller-search.com, Rombic-search.com, Rus-invest.net, Rusnets.info, Russia-post.com, Sajruen.info, Samson-pro.com, Sauni.net, Se7ensearch.com, Search-and-win.com,

hosts file

[phrostie]

all the more reason to set up a host file

http://www.mvps.org/winhelp2002/hosts.htm

Re:I only found these ads on....

[morgan_greywolf]

BTW these ads are not directly dangerous unless you are running on some old browser/old Windows system, but yes, they are annoying as hell. Um, wrong. Watch the video. The guy is running Windows XP SP 2.

Doubleclick could fix this in 2 seconds

[oni]

From TFA: The malware looks like a ordinary Flash file, with its redirect function encrypted, so that when publishers upload it, the malware is not detectable.

All Doubleclick has to do is require the actionscript source code for all ads. There is *no good reason* for an advertiser to hide anything from doubleclick. Send doubleclick your sourcecode. They will compile it into a .swf file. If you don't like that policy, then you can find another distributer for your ads. If your actionscript is so convoluted or obfuscated that doubleclicks programmer can't figure it out, then you can wait in line until the programmer can figure it out, or you can simplify it.

Problem solved.

Re:Why aren't we blaming the browser?

[moderatorrater]

Flash is a plugin, it's what needs to enforce a security model. Also, sites need to step up and stop allowing exploitative ads. If an ad is clearly posing as a windows dialog box, then that ad shouldn't be allowed onto your site.

chain of responsibility

[SuperBanana]

And speaking of "trigger-happy", you seem to point the finger right back at the Web sites for not inspecting the ads and the underlaying code. Well, that's what they hire DoubleClick for,

And who decided to hire DoubleClick, instead of (as you mention) Google AdSense or a hundred other advertising networks, all of varying reputation, levels of annoying-ness, etc? Who negotiated the terms of the contract, which could have required vetting of ads by Doubleclick? Who had the power to chose between text, GIF, and Flash based ads? Who benefits financially from the presentation of those ads?

So, again tell me who is responsible for ME getting an infected PC visiting that website? If GM makes a car and the wheel falls off because Bob's Bolts sold them defective bolts, I can still sue GM for selling me a car on the reasonable assumption that GM would test bolts before putting them in a hundred thousand vehicles...and GM made the decision to buy from that particular supplier.

The way the world works is: I sue GM. GM then sues Bob's Bolts for damages (ie to reputation, the money they had to give me and spend on legal defense, cost of recall, etc.) Bob's Bolts then may sue Smith's Steel for selling them crappy steel.

Or, in this case: I sue The Economist for infecting my machine. The Economist turns around and sues Doubleclick for providing malicous ads. Doubleclick may then turn around and sue the company that made the malicious ads, for violating the terms of contract with Doubleclick specifying no malicious content...

Adding insult to disgust to injury...

[JRHelgeson]

PayPal has a "Virtual Debit Card" that you can use to access your PayPal account. Prior to downloading the software, you're asked to verify your system requirements. If everything checks out, you can then download and install the software.

Here's the rub - when you click on the "Download Now" button, it actually sends you to DoubleClick.net site. Then the DoubleClick.net site redirects you back to the PayPal site and starts downloading the application. If you have DoubleClick.net blocked in your hosts file, like I do, then you can't download the software.

Why?

It is so that DoubleClick.net can plant a first-party cookie, spy on your activities, direct advertisements to you... PayPal has just submitted ALL your information AND the fact that you use PayPal, AND the fact that you purchase stuff online, AND, AND, AND... Then DoubleClick.net can target you for highly targeted advertisements.

This is just unconscionable. PayPal deserves all the flame they're gonna get over this one.