Slashdot Mirror


Malware Delivered By Yahoo, Fox, Google Ads

WrongSizeGlass writes "CNET is reporting that Avast has tracked over 2.6 million instances of malware that have been served up to unsuspecting web surfers since last December by ad services such as Yahoo's Yield Manager, Fox Audience Network's Fimserve.com and even some from Google's DoubleClick. Some high-profile sites include The New York Times, Drudge Report.com, TechCrunch and WhitePages.com. The practice has been dubbed 'malvertising.' I usually suspect the users of 'careless web activity' when I delouse a PC, but now I'm going to have to give some the benefit of the doubt."

235 of 319 comments

  1. Yup....seen it. by Em Emalb · · Score: 5, Interesting

    At my work, we allow unrestricted access to the net, but log everything. We had a recent spate of vundo variants come through, and when we went through the logs, almost all of them were via the NYTimes or Wa Post. Frustrating, when large companies like this make work for you. For the most part, the allow-everything-and-log-it approach, along with using IDPS on the front-end(s), has helped quite a bit.

    --
    Sent from your iPad.
    1. Re:Yup....seen it. by tivoKlr · · Score: 5, Insightful

      I was an IT admin in my former life, and I also operated in a similar fashion to you, allowing unfettered access to the internet for our employees (it was a Fire Department, and the staff was there for 48 hrs straight, so allowing them some creature comforts such as facebook and youtube was appreciated). Having solid, centrally managed AV on each client machine, along with limited local user rights, seemed to be effective.

      I wish more facilities would take this tact instead of letting some firewall with a blacklist subscription slowly narrow the available internet to static sites that are considered "safe." True irony that advertising from some of these safe sites is now delivering payloads. Ironically, where I work now (not in IT), plenty of popup ads from news sites make it through, so I would assume we're vulnerable through this vector.

      --
      Ocean is land, covered with water.
    2. Re:Yup....seen it. by Nos. · · Score: 2, Informative

      I work in the security group and we had a few machines on our help desk get infected with the Antivirus Live malware. After some research, we determined that it came through a legitimate site (help desk site that emulates various OS... can't think of the name), or more specifically the ads on the site.

      We do run WebSense, but this was a legitimate site that our help desk uses quite frequently. All machines were up to date with McAfee, but it was a new variation. We ran it through VirusTotal.com within hours of the infection and I believe there were only two on the list that picked it up at that time.

      So it wasn't the fault of the user and it can't be blamed on our choice of AV vendor. Obviously we need a better way of detecting malware. McAfee does have Artemis, but it failed on VirusTotal as well.

    3. Re:Yup....seen it. by Em Emalb · · Score: 4, Insightful

      Obviously, the biggest hurdle we're having to deal with is user education. I've got a select few folks in various departments learning to work with ad-block and no script, but for the average person, it's hard to figure out what they need to unblock and what they can block with no ill effects. It's frustrating to them, and by extension, our helpdesk guys who end up fielding calls from the same people (over and over) with the same questions. Of course, the other issue we have is vendor lock-in, with their stupid sites working correctly ONLY in IE. I hate that, but in my case (financial industry) it's so rampant there's nothing we can do about it except lock stuff down as best we can.

      That said...these large companies that aren't paying attention to the ads their serving are just as at fault as any un-educated (or even educated) user is.

      --
      Sent from your iPad.
    4. Re:Yup....seen it. by Em Emalb · · Score: 4, Informative

      aren't paying attention to the ads their serving are just as at fault as any un-educated (or even educated) user is.

      Aw man. They're. Not their. And I make that gaffe while writing about un-educated and educated. Fail, thy name is Em.

      --
      Sent from your iPad.
    5. Re:Yup....seen it. by commodore64_love · · Score: 2, Interesting

      I run a program called "TeaTimer" that automatically blocks changes to your computer or registry. I'm not sure how well it works in a work setting, but for my home PC it's caught numerous browser-based programs from doing damage.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    6. Re:Yup....seen it. by ShadowRangerRIT · · Score: 2, Insightful

      Ouch. The two news sites I browse most often. Good thing I run AdBlock and NoScript, and I wrote myself a Greasemonkey script to rewrite all the internal links to point to the print-friendly (read: ad-free) versions of the articles.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    7. Re:Yup....seen it. by Hadlock · · Score: 1

      Hell, just last week (last Friday!) a flash ad on TechCrunch (linked to from Google News, no less!) opened a new tab in Google Chrome and downloaded a PDF to my desktop under XP SP3. That was an eye opening experience....

      --
      moox. for a new generation.
    8. Re:Yup....seen it. by Talderas · · Score: 2, Interesting

      As I write this message, I am running a scan to make sure I just finished cleaning this virus off one of my user's machines. This user has TeaTimer installed, yet still got infected. It's rather odd, seeing as the infection piggybacks on some registry values. So either the user is mindless hitting Allow on TeaTimer, or the virus is circumventing it.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    9. Re:Yup....seen it. by Victor_0x53h · · Score: 3, Insightful

      I believe using TeaTimer would teach the average user to constantly click "Yes" without thought. As mentioned before this kind of security has a huge education barrier. I haven't run with TeaTimer since it was first introduced with Spybot, but my experience was pretty awful being prompted anytime anything was run.

      Also if TeaTimer prevents changes to the registry prompted by some piece of crapware, said crapware has already been executed. What else has it done; how much protection does blocking changes to the registry really provide?

    10. Re:Yup....seen it. by commodore64_love · · Score: 1

      >>>the user is mindless hitting Allow on TeaTimer

      Yes. TeaTimer won't allow the registry to change unless you first click "ok". As for the annoyance I've not noticed any problems. A lot of times I forget TeaTimer is even running. It's certainly less troublesome than NoScript's constantly nagging.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    11. Re:Yup....seen it. by Anonymous Coward · · Score: 1, Informative

      One little hint to avoid/recover from virut.

      Don't store passwords in your browser or in any text file, registry, or any plain un-encrypted space. Your passwords are going to be the ONLY VALUABLE DATA you have left, and you'll have a small window of time to get them all changed. While if you have no backup, your initial time is going to be wasted reloading an OS. If you have a clone, you're up in minutes replacing passwords.

      INSTALL A FUCKING HARDWARE FIREWALL
      Firewall / router
      IPCop + Adv Proxy + URL filter

      ADD a URL filter rule

      Blacklist "iframe"

      It looks like this, on a single line:

      iframe

      Some others I like

      iframe
      eengine.js
      down.css
      "a.htm"
      drsmartload.exe
      load1.exe
      "http://pages.tvunetworks.com/channels/pulloutad300x250.jsp"
      adx.gif
      8.txt
      out.exe
      adrtv.exe
      ad2.exe
      ntos.exe
      audio.dll
      video.dll
      oembios.exe
      twext.exe
      local.ds
      user.ds
      sysproc86.sys
      sysproc32.sys

      About the iframe block
      (sorry, no more blogspot.com posting, without a little work) Most iframe sites are shit anyway, but you can make an EXCEPTION for your favorite crappy coded iframe website. (While you might be able to pull this off with firefox plugins, there are other browsers eh... which is why we block this shit at the input, er well um in squid)

      Clone Backup of OS. e.g. 750G drive to 750G drive.
      (Clonezilla, Acronis)
      You get hit, You roll back. Less than 20 Min.

      Password Manager
      (Cross Platform on USB - keepassx.org), you get hit, you replace your bank pass's first, your servers second, your blogs like /. third. Bla bla bla, all organized, now you are god.

      Virtual Machines.
      I always liked vmware, then I found SunVM, and then I heard about win7's vm exploit. So I am sticking with SUNVM. That said, create OS ISOs for...

      VM OS for dangerous browsing, let er rip, cause when we reboot it's new again, so let's see what happens. Let's learn.

      VM OS for shopping.

      VM OS for banking.

      OTHER PROTECTION.
      Obviously all the other security shit, Kaspersky (KIS), pop3 mail only, no webmail, no HTML mail, NoScript, ABP, TOR, ztree, HJT, spybot, process hacker, etc.

      OF NOTABLE MENTION: Secunia's PSI http://secunia.com

    12. Re:Yup....seen it. by Anonymous Coward · · Score: 1, Informative

      I wish more facilities would take this tact

      <nazi mode="semantics">You mean tack, "the direction of a ship with respect to the trim of her sails" or, metaphorically, "a course or method of action". Tact means "sensitive mental or aesthetic perception" or "a keen sense of what to do or say in order to maintain good relations with others or avoid offense" and is not short for, nor in any way related to, the word tactic.</nazi>

    13. Re:Yup....seen it. by mzs · · Score: 1

      I use yahoo mail classic with noscript and adblock plus in Firefox. I see no such problems. I also use RequestPolicy and CookieMonster, but for that site they happen to do nothing special. You should try again.

    14. Re:Yup....seen it. by tunapez · · Score: 2, Interesting

      What I've found to work is, again, unfettered access combined with some sagely advice on where to find safe smut(redtube,youporn,mega...), and setting up a sandboxie icon that looks just like a regular Firefox button. Whether it be masking the icon for sandboxing or to give them a blue E to start FF/Opera/Safari, I find giving less insight into what I'm doing and just making things seem like nothing has changed is the best policy.

      Do muni FDs allow internet access outside of email and work site nowadays? I've set-up privately contracted, shared wireless hubs(VZ USB w/ old laptop & wireless-router) @ a couple stations in the past b/c all they got was work related net. Brother on the right coast concurs, his FD does not supply even 1 station/signal to access their department mail accounts. I was told, Internet has too many expenses and liability for the org to shoulder the costs everyday surfing. Add to that it's part of a critical system with lives depending on instant/unrestricted communication, it's paid for with taxpayer money(thus every log & email is available via a public records request) and the chit really gets deep when that Fck-A-FF MySpace page makes the 6 o'clock news.

      --
      Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
    15. Re:Yup....seen it. by Schadrach · · Score: 1

      Couple this with setting the permissions on certain registry keys so that "Everyone" is denied the ability to do anything with the key except view it and change permissions, and only "Administrator" can set permissions. A favorite of mine to give that treatment is the file association for executables, as a lot of malware of the "fake AV" type nowadays is changing the association of executables to run itself when you run any other program.
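      The comment above hardens the executable file association by locking its ACL; the other half of that defence is checking whether the association has already been rewritten. The following script is an added example for this thread (not code from Slashdot or any product named in it). It parses a Registry Editor export, assumed already decoded to text (real .reg exports are UTF-16), and flags every exefile open command whose default value is not the stock `"%1" %*`. The export and the hijack path in it are constructed samples.

```python
"""
Detect a hijacked .exe file association in a registry export.

Added example for this thread, not code from Slashdot or any product named in
it. Assumes the input is a Registry Editor (.reg) export of the exefile
open-command keys, already decoded to text.
"""
import re

# Stock Windows value: launch the program itself, passing its arguments through.
EXPECTED_COMMAND = '"%1" %*'
COMMAND_KEY_SUFFIX = r"\exefile\shell\open\command"

# Constructed sample export. HKCR is a merged view of HKLM\Software\Classes
# and HKCU\Software\Classes, with the HKCU copy taking precedence, so a
# per-user hijack wins even while the machine-wide value still looks clean.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\ProgramData\\hijack-sample\\fakeav.exe\" /START \"%1\" %*"
'''


def _unescape(value):
    """Undo .reg string escaping of quotes and backslashes."""
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_reg_export(text):
    """Map each key (lower-cased) to its default (@) string value."""
    defaults, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # new key section
        elif current and line.startswith('@="') and line.endswith('"'):
            defaults[current] = _unescape(line[3:-1])
    return defaults


def check_exe_association(text):
    """Return [(key, value)] for every exefile open command that is not the stock one."""
    findings = []
    for key, value in parse_reg_export(text).items():
        if key.endswith(COMMAND_KEY_SUFFIX) and value != EXPECTED_COMMAND:
            findings.append((key, value))
    return findings


if __name__ == "__main__":
    for key, value in check_exe_association(SAMPLE_REG):
        print(f"HIJACKED {key}\n    runs: {value}")
```

      On a real machine you would export both the HKLM and HKCU `Software\Classes\exefile` trees and feed the decoded text to `check_exe_association`; a finding under HKCU is the case the ACL on the HKCR key alone does not catch, because the per-user copy overrides it.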

    16. Re:Yup....seen it. by LordLimecat · · Score: 1

      From my experience, simply removing adobe reader and installing foxit (including browser plugins) solves the issue, since it's through infected PDF autoloading that I've seen most of my client's infections.

    17. Re:Yup....seen it. by BrokenHalo · · Score: 1

      If you want to build a botnet do you go for the 35 people who like hirsute midget and bald donkey porn, or do you go for the couple million people who casually visit FoxNews and the NYT?

      Hey! What about those of us who are into albino ostrich porn? (Currently zero Google hits: obviously I'll have to invent it...)

    18. Re:Yup....seen it. by E-Rock · · Score: 2, Informative

      Because of this we have enabled inPrivate filtering for IE8 via group policy (not the same as inPrivate browsing). It's an effective ad blocking tool. I hate that we have to block the revenue sources of the pages we visit, but when they're being used to deliver malware, I don't see an alternative.

    19. Re:Yup....seen it. by Anonymous Coward · · Score: 2, Interesting

      Thank you. I saw it but let it slide. I fought my last battle trying to explain that "downfall" was not a synonym for "drawback". They're words, which have meaning.

      I don't object to people not knowing words, but I have a real problem with them using words of which they do not know the definitions. Ignorance is not a sin unless your arrogance prevents learning.

    20. Re:Yup....seen it. by jafiwam · · Score: 3, Informative

      It's not the sites, it's the ad networks.

      Go get a HOSTS file that blocks ads and keep it updated and pushed out on your network.

      I see ZERO ads most days. When some new ad network annoys me, I go add it to my HOSTS file. The same thing can be done with the network DNS server without needing to modify machines.

      Believe me, most people don't bitch (very much) about not seeing ads on the internet all of a sudden. They might be curious about it, but usually that's it.

    21. Re:Yup....seen it. by jafiwam · · Score: 1

      This is completely unintelligible. iFrame is a legit and useful web design tool. Go back under your rock in your basement dude, there's some FORTRAN waiting for you there.

    22. Re:Yup....seen it. by NeoSkandranon · · Score: 1

      Teatimer's nice, and I've used it to good effect on various machines, but it seems to kill startup performance and eat a ton of memory. Have you seen similar?

      --
      If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
    23. Re:Yup....seen it. by Xtifr · · Score: 1

      I don't object to people not knowing words, but I have a real problem with them using words of which they do not know the definitions.

      You obviously don't have any kids. Language acquisition is a fascinating process, and bears little resemblance to what I expected, even though I did it myself once upon a time.

      Bottom line: if we tried to follow your rule, kids wouldn't be able to speak until they'd learned to read. Which might have some advantages, I admit, but seems unlikely to be practical. :)

    24. Re:Yup....seen it. by Trarman · · Score: 1

      That is a good solution, except, my hosts file got so huge it slowed down all internet access like I was dialup again.

    25. Re:Yup....seen it. by Skratchez · · Score: 2, Informative

      I thought we were the mods. :ohdear: But yeah, follow Taco's law, rate down if it's irrelevant or interesting, not because you are the legendary grammar Nazi or if you disagree with a valid point.

    26. Re:Yup....seen it. by ppanon · · Score: 1

      While there probably are children still learning the use of language using slashdot, it seems to be a reasonable expectation that most posters would be adults with a reasonable command of language who can be held to a higher standard. That said, due to its international nature, this type of problem on slashdot is more likely to be ESL-related.

      --
      Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
    27. Re:Yup....seen it. by mzs · · Score: 1

      I have this setup at work. It is firefox 3.0.x on FreeBSD 6.2. I also see that brief screen about the screen reader and then it quickly goes to the familiar classic page. It does not loop endlessly like it does for you. I have had trouble like this before with my banking site where I had a cookie that would trip it up. The easiest thing to do to check if it is something of that sort is to create a new blank firefox profile and try it in that to see if it is such a problem. Then if it works, you can use the cookie manager to remove cookies until you have nuked the troublesome one. For that one I allow session cookies, but on exit/start I clean them all anyway. Maybe you need to be more permissive? Again I use CookieMonster, so I do not believe that the about:config settings are really used. Good luck.

    28. Re:Yup....seen it. by GameboyRMH · · Score: 1

      Yeah Foxit (I'd say without browser plugins, I mean does it HAVE to open in a browser window? That's one less component to exploit) + Flashblock will go a long way to keeping these things out. Browsers are really falling behind on security and privacy these days, none of them even have built-in flash cookie management.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    29. Re:Yup....seen it. by mzs · · Score: 1

      My url matches this glob (all concatenated together, ignore white space)

      http ://
      us.mc[1-9][0-9][0-9] .mail.yahoo.com/mc/showFolder?fid=Inbox&order=down
      &tt=[1-9][0-9]
      &pSize=[1-9][0-9]
      &.rand=[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]

    30. Re:Yup....seen it. by mzs · · Score: 1

      In the preview I did not catch that the backslash escape was lost on the question mark, you get the idea though.

    31. Re:Yup....seen it. by cffrost · · Score: 1

      I hate that we have to block the revenue sources of the pages we visit [...]

      Maybe you could ask them to sign you up for some kinda junk mail promo or spam list or something...?

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
  2. One lesson to learn by courteaudotbiz · · Score: 1

    Never ever click an ad!

    1. Re:One lesson to learn by Anonymusing · · Score: 4, Informative

      FTA: "Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser."

      --
      Liberal? Conservative? Compare perspectives at Left-Right
    2. Re:One lesson to learn by julesh · · Score: 5, Informative

      Never ever click an ad!

      Clicking not necessary. I was infected with malware earlier this month without any interaction after visiting the Pirate Bay. An advert used javascript to redirect me to an obscure URL ( http://uqwaaa.in/cgi-bin/gjj ), which proceeded to use a Firefox flaw of some kind to infect me. 3.6 doesn't seem to be susceptible, but 3.5.7 which I was running at the time *was*. The exploit installed a Firefox extension that randomly redirects links from google, yahoo and bing to advertising pages.

    3. Re:One lesson to learn by ygthb · · Score: 1

      So who says they clicked, it could be auto delivered. I have seen many arenas where they mandate anti-virus (usually crap) and do nothing about malware.

      Not many know about locking down hosts files, using ad-aware, spybot s&d, or the like. I still use javacools stuff.

      --
      Create like a god, command like a king, work like a slave. -Guy Kawasaki
    4. Re:One lesson to learn by oldspewey · · Score: 5, Funny

      Indeed, and for people browsing Fox News, you don't even need a computer to be infected.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    5. Re:One lesson to learn by L4t3r4lu5 · · Score: 1

      I guess I'll start whitelisting advertising when they can stop drive-by malware infecting my computer.

      AdBlock can stay enabled for the time being. Sorry, Ars.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    6. Re:One lesson to learn by Anonymous Coward · · Score: 1, Insightful

      Two pieces:

      Ad blocking hosts file

      Flashblock

      Web browsing just got a whole lot faster.

    7. Re:One lesson to learn by ShadowRangerRIT · · Score: 1

      Last I checked, Flashblock isn't a security feature, it's a convenience feature. The Flash loads, but is quickly suspended and replaced in the DOM by the button. But it still has a brief window in which to do something malicious. If you want security, you need Adblock and/or NoScript (for blacklisting and whitelisting respectively). I personally run all three; untrusted sites are locked down by NoScript, and trusted sites are unlocked by NoScript, but have the Flash blocked for convenience/performance.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    8. Re:One lesson to learn by alexhs · · Score: 1

      FTA: "Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser."

      Which probably actually means :

      Users don't need to click on anything to get infected; a Microsoft Windows OS becomes infected after the ad is loaded by Microsoft Internet Explorer.

      --
      I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
    9. Re:One lesson to learn by TheThiefMaster · · Score: 1

      Don't block using a hosts file, it's not for that. If you do, at least redirect to 0.0.0.0 (guaranteed invalid address) not 127.0.0.1 or 255.255.255.255.

      For browsing adblock is better, for general blocks (like what a hosts file would give) use a damn firewall.

    10. Re:One lesson to learn by stony3k · · Score: 1

      Use Noscript - it warns you when a URL hijack attempt occurs

      --
      Freedom is not worth having if it does not include the freedom to make mistakes. - Mahatma Gandhi
    11. Re:One lesson to learn by commodore64_love · · Score: 3, Insightful

      Yes because it is an established fact that Fox has no bias

      STRAWMAN ARGUMENT. I never said that. What I said was that CNN, MSNBC, ABC, CBS, et cetera have a pro-government and anti-individual-liberty bias.

      Point - They are ALL biased, therefore if you're going to attack FOX for bias, then you should be attacking all the TV media outlets for the same reason.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    12. Re:One lesson to learn by Talderas · · Score: 1

      Nope, I've had users get infected with this that solely use Firefox for web browsing. This is not a virus that exploits Windows, it's really targeted at exploiting Adobe vulnerabilities plus a few others.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    13. Re:One lesson to learn by commodore64_love · · Score: 1

      P.S.

      Outside news sources? Like BBC? Also biased in a pro-government and pro-EU manner. There really is no such thing as an unbiased source, although I do enjoy watching Russia Today for its unique perspective.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    14. Re:One lesson to learn by somersault · · Score: 2, Interesting

      Does anyone know of an equivalent to having a hosts file that you can use in conjunction with a Windows or Linux DNS server so that you can just block sites at the actual DNS server rather than having to keep updating the hosts file blacklist on all clients?

      --
      which is totally what she said
    15. Re:One lesson to learn by L0rdJedi · · Score: 1

      It might be Windows only, but it certainly is not limited to Internet Explorer. I use FireFox at home exclusively and ran into one of these. It threw up a screen that looks just like the Windows security center telling me I might be infected. Before seeing this, I always thought people were just being careless. After seeing it, I was pissed that a site like the NY Times would allow such an ad on their site. Suddenly, the "safe sites" aren't so safe anymore.

    16. Re:One lesson to learn by L0rdJedi · · Score: 1

      Which is great for someone technical, but ends up involving a lot more calls to the help desk if you put it on a regular user's machine. "Hey, I got this message about a warning of some kind?". You'll get about 5 of those in a row before deciding to turn it off and find another solution.

      Any time something pops up on a user's computer that they aren't used to seeing, they're going to do one of two things. They're either going to call you up about it (not a bad thing if it doesn't happen too often) or they're going to try to "fix it" themselves. That usually ends up making the problem worse. I don't know what it is, but most people are simply incapable of just reading a screen and making a decision. I guess it's the same thing as the oil light on a car. People see it, don't know exactly what it means, but since the car keeps going, they don't worry about it.

    17. Re:One lesson to learn by Vancorps · · Score: 1

      You sound like Glenn Beck, using scare tactics to shame the citizenry into bending to your will, ironically much like the fascists to which you referred.

      The reason other networks don't need to be acknowledged for their bias is that they are up front about it. For instance Rachel Maddow and Keith Olbermann are both unapologetic and don't present their opinions as fact, in stark contrast to O'Reilly, Beck, Hannity, and all the other talking heads on Fox.

      CNN lacks content to have a bias and when they do have content and present news it is presented as news. Their editorial shows are like MSNBC where biases are spelled out from the beginning so again, no need to lump Fox in with them as they are definitely a unique animal. If they didn't present their content as news no one would have a problem with them.

    18. Re:One lesson to learn by Vancorps · · Score: 1

      A lot of DNS servers support blacklisting. If you have Windows server 2008 or most versions of Bind on the Linux side you can use blacklists like you'd expect. In short, it depends on which DNS server you use. There are other DNS servers for Linux that also support blacklisting.

    19. Re:One lesson to learn by bipbop · · Score: 2, Interesting

      Guaranteed invalid? No.

      ~$ telnet 0.0.0.0 22
      Trying 0.0.0.0...
      Connected to 0.0.0.0.
      Escape character is '^]'.
      SSH-1.99-OpenSSH_5.0 NetBSD_Secure_Shell-20080403-hpn13v1
      ^]cl

      telnet> cl
      Connection closed.

    20. Re:One lesson to learn by theaveng · · Score: 1, Offtopic

      Beck, O'reilly and Hannity have said multiple times that they are biased conservatives or libertarians.

      That you did not know that indicates you know nothing about FOX because you apparently don't watch it. How do you judge something as "junk" if you don't watch it? Hmmm. Must be magic.

      --
      FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
    21. Re:One lesson to learn by Vancorps · · Score: 1

      None of them advertise themselves as being libertarians. O'Reilly and Hannity are staunch republicans, conservative or liberal is not a bias, republican or democrat is. Much like the fact that there are conservative democrats and liberal republicans.

      Despite the conclusion you have leapt to I have in fact watched plenty of Fox news as I work at locations that are Fox strangleholds. Additionally much of my family identifies with Fox so going home results in more of the same.

      I'll also notice that you didn't comment on what I actually wrote in regards to how content is presented. They present opinions as facts and that is where my complaint was with them. Of course that's in addition to the outright lies they have spread and getting facts wrong often enough that they are either incompetent or screwing up on purpose to further their agenda.

    22. Re:One lesson to learn by Dragonslicer · · Score: 1, Interesting

      CNN lacks content to have a bias

      This is why I always laugh at people that claim CNN is biased. CNN doesn't have a "left" or "right", "liberal" or "conservative", or "Democrat" or "Republican" bias. CNN's only bias is towards repeating whatever people with no lives send them via Twitter.

    23. Re:One lesson to learn by mundanetechnomancer · · Score: 1

      Having a long hosts file can cause long delays on laptops when connecting to wireless networks, since the DNS cache service has to check with the file. This is especially noticeable on netbooks.

    24. Re:One lesson to learn by theaveng · · Score: 1, Offtopic

      FOX presents opinions as facts

      Ditto ABC, CBS, NBC, and CNN. When you hear someone like Katie Couric say something like, "Colon exams should be free," she is presenting an opinion as fact. All of these TV outlets do it.

      --
      FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
    25. Re:One lesson to learn by TheThiefMaster · · Score: 1

      That's a bad implementation then, the IP RFC says that 0.0.0.0 is only valid as a source address (meaning "this machine") not a destination address.

      Even if your implementation treats it like localhost, you're no worse off than 127.0.0.1. Amusingly 255.255.255.255 is a broadcast address, so really stupid to use, despite having seen it recommended.
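      Two threads of this discussion come together here: moving an ad blocklist from every client's hosts file onto the network DNS server (as asked about and answered above), and choosing a sink address that really is a dead end. The script below is an added example for this page, not code from Slashdot, Avast or any tool the comments name. It reads a hosts-style blocklist (the sample is constructed), classifies each entry's sink address with Python's `ipaddress` module, warns about entries that point at loopback or the 255.255.255.255 broadcast address, drops duplicates and the local-machine names, and emits Unbound `local-zone`/`local-data` stanzas that answer 0.0.0.0 for each blocked name and its subdomains. The Unbound output syntax is real; the choice of Unbound over BIND RPZ is just this example's assumption.

```python
"""
Turn a hosts-style ad blocklist into DNS-server sink rules and sanity-check
the sink address on every entry.

Added example for this thread; not code from Slashdot, Avast or any tool the
comments name. Assumes ordinary hosts-file syntax ("<ip> <hostname> [# comment]")
on input and Unbound local-zone / local-data syntax on output.
"""
import ipaddress
import re

# Constructed sample: a small ad-blocking hosts file mixing the three sink
# addresses the thread argues about (127.0.0.1, 0.0.0.0, 255.255.255.255).
SAMPLE_HOSTS = """\
# ad-blocking hosts file (constructed sample, not a real blocklist)
127.0.0.1       localhost
127.0.0.1       ads.example-adnetwork.test      # loopback sink
0.0.0.0         tracker.example-adnetwork.test
255.255.255.255 banners.example-adnetwork.test  # broadcast: a bad sink
0.0.0.0         tracker.example-adnetwork.test  # duplicate entry
0.0.0.0         not a hostname                  # malformed entry
"""

# Names every hosts file carries for the local machine; never blackhole them.
KEEP = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}
BROADCAST = ipaddress.ip_address("255.255.255.255")
# Dotted hostname: letters, digits, hyphens; 63-char labels; 253 chars total.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$")


def classify_sink(ip_text):
    """Say what kind of sink address an entry points to."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_unspecified:      # 0.0.0.0: nothing answers, the connect fails fast
        return "unspecified"
    if ip.is_loopback:         # 127.0.0.1: a local web server would answer instead
        return "loopback"
    if ip == BROADCAST:        # 255.255.255.255: the request goes out to the LAN
        return "broadcast"
    return "other"


def parse_blocklist(text):
    """Return (hostnames to block in first-seen order, list of warnings)."""
    blocked, warnings, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            warnings.append(f"line {lineno}: skipped malformed entry {line!r}")
            continue
        ip_text, host = parts[0], parts[1].lower()
        if host in KEEP:
            continue
        try:
            sink = classify_sink(ip_text)
        except ValueError:
            warnings.append(f"line {lineno}: {ip_text!r} is not an IP address")
            continue
        if not HOSTNAME_RE.match(host):
            warnings.append(f"line {lineno}: {host!r} is not a valid hostname")
            continue
        if sink == "broadcast":
            warnings.append(f"line {lineno}: {host} sinks to the broadcast address; rewriting to 0.0.0.0")
        elif sink == "loopback":
            warnings.append(f"line {lineno}: {host} sinks to loopback; rewriting to 0.0.0.0")
        elif sink == "other":
            warnings.append(f"line {lineno}: {host} points at {ip_text}, not a sink; rewriting to 0.0.0.0")
        if host in seen:
            continue                                  # duplicates are harmless, just noisy
        seen.add(host)
        blocked.append(host)
    return blocked, warnings


def to_unbound(blocked):
    """Emit Unbound config: each blocked name (and its subdomains) resolves to 0.0.0.0."""
    out = []
    for host in blocked:
        out.append(f'local-zone: "{host}" redirect')
        out.append(f'local-data: "{host} A 0.0.0.0"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    names, warns = parse_blocklist(SAMPLE_HOSTS)
    for w in warns:
        print("warning:", w)
    print(to_unbound(names), end="")
```

      Because every entry is rewritten to 0.0.0.0 on output, the sink-address argument in the thread is settled once, on the server, rather than in each copy of the hosts file; the warnings exist so that a list that was pushing requests at loopback or the LAN broadcast address is noticed rather than silently fixed.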

    26. Re:One lesson to learn by oldspewey · · Score: 1

      Would probably have fit in 1930s Germany with ease.

      What an utterly foolish retort. I suggest you take a good, long look at the fascist leadership of 1930's Germany and the propaganda efforts there. Then, take a good, long look at the kinds of policies and positions broadcast by Fox News. Your attempts to paint people who distrust Fox News with a Nazi brush are, at the very least, ironic.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    27. Re:One lesson to learn by Vancorps · · Score: 1

      And that doesn't make it okay for Fox to do. That's beside the point that your example is her clearly stating an opinion without any context as to presenting it as a fact. Like the original reports on Fox about Obama's birth certificate and misrepresenting the numbers of people involved in rallies that were actively supported by Fox News making it seem like the public has a growing problem with current events when the events at hand actually point in the other direction. It's much like the reporting that everyone hates the healthcare bill except when they are polled on the contents of the bill where they actually rate very highly.

      Fox does this at a rate no other organisation can match. The closest bet is MSNBC and even they don't often present opinion as fact.

    28. Re:One lesson to learn by brkello · · Score: 1

      If you want to say all news networks are biased you are just being lazy. There are different degrees and by far Fox News is the worst offender. If you are unable to recognize this difference, you aren't trying very hard.

      --
      Support a great indie game: http://www.abaddon360.com
    29. Re:One lesson to learn by brkello · · Score: 1

      People take their words as fact. They hide behind the "Oh, I am just an opinion show" when people try to hold them accountable. Then whatever misinformation they say is reported in their actual new segments as "some people are saying this..." repeat the Beck and friends garbage. More of Fox is opinion than news...shouldn't they be called Fox Opinion?

      --
      Support a great indie game: http://www.abaddon360.com
    30. Re:One lesson to learn by brkello · · Score: 1

      Except "Colon exams should be free" isn't a fact. There is no way to present that as a fact. A fact would be "Most colon diseases can be detected early and prevented". Fox News says things like "Health care bill has death panels". They present something as a fact that isn't one.

      --
      Support a great indie game: http://www.abaddon360.com
    31. Re:One lesson to learn by commodore64_love · · Score: 1

      I think the first amendment (liberated press) allows them to say whatever they want, even if it's not true. It's called freedom. If you don't want to watch FOX, fine, but then you ought to just drop the subject. Not keep pounding "FOX sucks" into the sand like a troll day-after-day-after-day. It gets tiresome.

      And don't try to pretend as if the DNC-NBC is unbiased either.

      Remember it was MSNBC that did a story about "gun toting protestors" at an Obama speaking event who "appear to be prejudiced or even racist against a sitting black president." And then it was discovered that MSNBC LIED in the report. The gun toters were actually black themselves (i.e. not racist), but by using careful editing of the video (not showing faces) MSNBC conveniently hid that fact and portrayed the black gun owners as white racists.

      BOTTOM LINE: The MSNBC channel is no better. While FOX is biased towards the R's, MSNBC is biased towards the D's. So by slamming FOX, and pretending MSNBC is flawless, all you do is demonstrate your own bias and hate.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    32. Re:One lesson to learn by commodore64_love · · Score: 1

      CNN is very clearly pro-Democrat or pro-big government. You probably don't notice it because you, yourself, are pro-D or pro-government but the bias is definitely there. I see it every time I turn on the channel.

      For example when a CNN reporter gives a report which assumes government should be providing healthcare for free, and different methods of paying for it. The reporter never once offers the other option: Keeping government out of healthcare.

      Another example was the CNN Sunday coverage of the vote. The reporters were so happy with the results, I thought they were going to pull-out their Barack Obama posters and throw a party. That's pro-D and/or pro-big-government bias.

      Me, being Jeffersonian and anti-monopoly, would prefer the government was so small as to be almost invisible so I could make my own choices. But CNN never, never, never discusses that option.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    33. Re:One lesson to learn by commodore64_love · · Score: 1

      >>>take a good, long look at the kinds of policies and positions broadcast by Fox News.

      Well... I disagree. While FOX has a bias, its bias is generally in favor of LESS government, while the 1930s German propaganda was in favor of More government. Like taking over the car industry (folks' wagon). And taking over the healthcare industry (guaranteed for everyone). And fining people who don't comply..... hmmmm.

      The german people ate it up, without realizing they were losing freedom with each new program passed.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    34. Re:One lesson to learn by flimflammer · · Score: 1

      I have to wonder how you get the idea that "Colon exams should be free" is a statement being asserted as a fact, when it is clearly an opinion based on the fact that colon exams are not free.

    35. Re:One lesson to learn by An+anonymous+Frank · · Score: 1

      You could put that hosts file on your proxy host.

  3. Surprise! Oh, wait... by bhamlin · · Score: 2, Insightful

    Really, who is surprised by this? What's the cost of an ad and fake credentials compared to getting a chance to infect millions of computers?

  4. Say No To Flash by Anonymous Coward · · Score: 1, Interesting

    The number one reason to avoid Flash is the advertisements. The numerous exploits means that it is just a matter of displaying the ad, and voila, you have most injected visitors.

    JavaScript based ads are not much better, but they're at least not as easy to exploit as Flash based ads.

    1. Re:Say No To Flash by somersault · · Score: 4, Insightful

      Say no to unsolicited content altogether! Adblockers ftw.

      --
      which is totally what she said
    2. Re:Say No To Flash by jimicus · · Score: 1

      Doesn't really help in a business environment - few adblockers allow you to deploy and manage them centrally. Frankly, it would make more sense to block ads at the firewall.

      Actually, now I think of it, that's a damn good idea. It'd mess up the page layout for a lot of things but if you served up a blank JPEG of the relevant size that shouldn't matter too much...

    3. Re:Say No To Flash by L4t3r4lu5 · · Score: 1

      I just re-enabled AdBlock. I disabled it after the Ars Technica article regarding advertisement supported websites.

      I'm happy to have unobtrusive text advertising, even images. Moving images and flash irritate me, but drive-by malware?

      AdBlock stays on.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    4. Re:Say No To Flash by somersault · · Score: 1

      We do actually have that option in the content filter on our firewall. When I enabled it before I got complaints from one of the directors because they actually click on ads -.-

      --
      which is totally what she said
    5. Re:Say No To Flash by commodore64_love · · Score: 1

      That's one of the things I like about Opera Turbo -
      - it blocks flash ads by default and displays a giant |> play button.
      More browsers should do that.

      What I don't like about Opera is how many websites refuse to serve it with javascript, and instead serve a broken nonfunctional page. I get a little frustrated with constantly right-clicking and choosing "mask as firefox" or "mask as explorer" to get a page to load properly. That isn't Opera's fault of course but it would be a lot easier if they had a global "mask" setting, so I wouldn't have to do one page at a time.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    6. Re:Say No To Flash by commodore64_love · · Score: 1

      Or how about GIFs and PNGs? Back in the 90s and early 2000s that's what ads were, and it worked just fine. There's no need to waste bandwidth on a 1000 kilobyte or more Flash ad when a ~100 kilobyte animated GIF can do the same job.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    7. Re:Say No To Flash by John+Hasler · · Score: 1

      > I just re-enabled AdBlock. I disabled it after the Ars Technica article
      > regarding advertisement supported websites.

      Whining. If they don't want to send you their page they are free to ignore your GET requests.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    8. Re:Say No To Flash by L0rdJedi · · Score: 1

      I tried this too. It turned out that our marketing department wanted to see the ads they were buying (or at least wanted to make sure they were showing up correctly), so I had to remove some of the blocks.
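
jimicus's idea above of blocking ad hosts at the firewall/proxy and answering with a blank image of the slot's size, together with the somersault/L0rdJedi problem of a director or a marketing team who still needs to see the real ads, can be put in code. This is an added example, not from the thread or from any firewall product: the blocked-host and exempt-client lists are constructed, the per-URL slot-size table is assumed to live on the proxy side (here it is just a parameter), and it generates a transparent PNG rather than the blank JPEG jimicus mentions because a valid PNG can be built in a few lines with no image library.

```python
import struct
import zlib
from urllib.parse import urlsplit

# Constructed lists: ad-serving hosts to block, and clients (marketing, the
# director who clicks ads) that are exempted so they still get the real ads.
BLOCKED_HOSTS = {"ads.example.net", "banner.example.com"}
EXEMPT_CLIENTS = {"10.0.5.17"}  # hypothetical marketing workstation


def _chunk(kind, payload):
    """One PNG chunk: big-endian length, 4-byte type, data, CRC32 of type+data."""
    crc = zlib.crc32(kind + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + kind + payload + struct.pack(">I", crc)


def blank_png(width, height, max_side=4096):
    """A minimal, valid, fully transparent RGBA PNG of width x height.

    Built in code rather than served from disk so any slot size can be
    matched and the page layout stays intact. The size is capped so a
    hostile request cannot make the proxy allocate a huge image.
    """
    if not (1 <= width <= max_side and 1 <= height <= max_side):
        raise ValueError("refusing image size %dx%d" % (width, height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # 8-bit RGBA
    row = b"\x00" + b"\x00" * (4 * width)  # filter type 0, then transparent pixels
    idat = zlib.compress(row * height, 9)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def png_size(data):
    """Read (width, height) back out of a PNG's IHDR; used to check the output."""
    if data[:8] != b"\x89PNG\r\n\x1a\n" or data[12:16] != b"IHDR":
        raise ValueError("not a PNG")
    return struct.unpack(">II", data[16:24])


def is_blocked(url):
    """Match the request host, including subdomains, against the block list."""
    host = (urlsplit(url).hostname or "").lower()
    return host in BLOCKED_HOSTS or any(host.endswith("." + b) for b in BLOCKED_HOSTS)


def handle(url, client_ip, slot=(1, 1)):
    """Proxy hook for a GET. Returns None to pass the request through, or
    (status, headers, body) to answer it locally with a blank image.

    `slot` is the expected ad size for this URL pattern; the proxy operator
    keeps that table (hypothetical here), and unknown slots fall back to 1x1.
    """
    if client_ip in EXEMPT_CLIENTS or not is_blocked(url):
        return None
    try:
        body = blank_png(*slot)
    except ValueError:
        body = blank_png(1, 1)
    headers = {
        "Content-Type": "image/png",
        "Content-Length": str(len(body)),
        "Cache-Control": "no-store",
    }
    return 200, headers, body


if __name__ == "__main__":
    print(handle("http://www.example.com/story.html", "10.0.0.9"))
    status, hdrs, body = handle("http://cdn.banner.example.com/ad.swf", "10.0.0.9", slot=(728, 90))
    print(status, hdrs, png_size(body))
```

A blocked script or SWF URL gets an image where the browser expected code, so that slot simply renders nothing; an <img> slot shows a transparent box of the right size. The exemption is keyed on client address only, which is enough for a fixed marketing workstation but not for laptops that move between networks.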

    9. Re:Say No To Flash by TheRaven64 · · Score: 1

      Or how about GIFs and PNGs? Back in the 90s and early 2000s that's what ads were, and it worked just fine

      And back then we had libpng and zlib bugs that gave you arbitrary code execution when the browser tried to load a malformed GIF or PNG. The more things change, the more they stay the same.

      --
      I am TheRaven on Soylent News
  5. Re:Surprise! Oh, wait... by HungryHobo · · Score: 1

    as far as I know the margins on selling infections aren't that fantastic.
    It depends on who you're infecting though.

  6. Good thing by Jaysyn · · Score: 1

    Good thing the combo of AdBlock, NoScript & FlashBlock will basically prevent these kinds of attacks.

    --
    There is a war going on for your mind.
    1. Re:Good thing by bunratty · · Score: 2, Informative

      In addition, you can also use the Plugin Check to make sure you have the most recent versions of plugins to decrease the risk of attack. And don't forget to turn on DEP for all programs and services on Windows.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    2. Re:Good thing by Bearhouse · · Score: 1

      Mod up, mod up...
      How many times do we have to repeat this?
      For those without Firefox and those extensions you point out, do your 'hosts' file:
      http://en.wikipedia.org/wiki/Hosts_file
      Good for Chrome lovers and, of course, non-Windows platforms.
      Yes - Apple and *Nix users are vulnerable too...especially if in a mixed network with Windows boxen.

      Peerblock is worth a look too...
      http://www.peerblock.com/releases

    3. Re:Good thing by 0ld_d0g · · Score: 1

      Unfortunately, that makes the web unusable for many people. Most people commenting here aren't the kind who get infected by malware.

    4. Re:Good thing by gzipped_tar · · Score: 1

      Using hosts file to re-route malicious domain is an ugly hack and should never be used. There are more efficient and maintainable firewalling tools. The hosts file should tell facts instead of lies.

      --
      Colorless green Cthulhu waits dreaming furiously.
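
The 0.0.0.0 / 127.0.0.1 / 255.255.255.255 point from a few comments up, and gzipped_tar's objection that a hosts file is a poor place to maintain a blocklist, can be tied together in code. The following is an added example, not code from the thread or from any of the tools named in it: it takes a raw pasted domain list (the list below is constructed), rejects entries that cannot work (invalid hostnames, or a sink that is the limited-broadcast address or any other routable address), normalises everything to one null sink, and emits the same list both as hosts-file lines and as dnsmasq address= rules, the resolver-side form being my choice of the more maintainable alternative.

```python
import ipaddress
import re

# Constructed sample feed: the mix of good, stale and wrong lines you get when
# people paste blocklists around. Not data from the thread.
RAW_LIST = """
# ad/malware hosts seen in proxy logs (constructed sample)
ads.example.net
0.0.0.0 tracker.example.org
127.0.0.1 banner.example.com   # older entry using loopback as the sink
255.255.255.255 evil-ads.example   # limited broadcast: a wrong sink
-bad-.example
ADS.example.net.
"""

# RFC 1123-style hostname: labels of 1-63 chars, no leading/trailing hyphen,
# at least one dot, 253 chars overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def parse_line(line):
    """Parse one raw line into (sink_or_None, hostname).

    Returns None for blank and comment-only lines. Raises ValueError for a
    hostname that could never resolve, because a 'block' of it is just noise.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split()
    sink, host = (None, parts[0]) if len(parts) == 1 else (parts[0], parts[1])
    host = host.lower().rstrip(".")
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"not a resolvable hostname: {host!r}")
    return sink, host


def check_sink(sink):
    """Accept only sinks that go nowhere: 0.0.0.0 or a loopback address.

    Anything else (255.255.255.255 limited broadcast, multicast, a real host)
    turns a 'block' into traffic to somewhere.
    """
    if sink is None:
        return
    ip = ipaddress.ip_address(sink)  # raises ValueError on garbage
    if ip.is_loopback or ip == ipaddress.ip_address("0.0.0.0"):
        return
    reason = "limited broadcast" if ip == ipaddress.ip_address("255.255.255.255") else "routable/multicast"
    raise ValueError(f"sink {sink} is {reason}, not a null address")


def build_blocklist(raw, sink="0.0.0.0"):
    """Return (hosts_text, dnsmasq_text, rejected).

    All entries are normalised to one sink and de-duplicated. Rejected lines
    come back as (line_number, reason) so a broken feed is noticed rather
    than silently shrinking the list.
    """
    hosts, rejected = [], []
    for lineno, line in enumerate(raw.splitlines(), 1):
        try:
            parsed = parse_line(line)
            if parsed is None:
                continue
            orig_sink, host = parsed
            check_sink(orig_sink)
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        if host not in hosts:
            hosts.append(host)
    hosts_text = "".join(f"{sink} {h}\n" for h in hosts)
    # Same list as resolver rules (dnsmasq syntax, my choice of a more
    # maintainable tool): one line per domain, and it covers subdomains too.
    dnsmasq_text = "".join(f"address=/{h}/{sink}\n" for h in hosts)
    return hosts_text, dnsmasq_text, rejected


if __name__ == "__main__":
    hosts_text, dnsmasq_text, rejected = build_blocklist(RAW_LIST)
    print(hosts_text)
    print(dnsmasq_text)
    for lineno, reason in rejected:
        print(f"rejected line {lineno}: {reason}")
```

The hosts-file output only matches exact names, which is why a hosts-file blocklist grows without bound; the resolver rule catches every subdomain of each entry from one line, which is the maintainability argument in practice.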
    5. Re:Good thing by NatasRevol · · Score: 1

      How exactly are Mac and *nix users vulnerable?

      All of the malware being delivered only runs on Windows.

      --
      There are two types of people in the world: Those who crave closure
    6. Re:Good thing by ShadowRangerRIT · · Score: 1

      Well, AdBlock and Flashblock don't cause a problem for most people in my experience. NoScript drives them crazy though. And given that Flashblock (last I checked) doesn't provide real security (the Flash is loaded briefly before being replaced in the DOM, so the window of vulnerability remains), you're stuck with hoping the AdBlock filters are up to date. It's better than letting them browse on unprotected IE6, but without NoScript you're still vulnerable to exploits served from very new hosts (too new to show up in the AdBlock filters).

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    7. Re:Good thing by Jaysyn · · Score: 1

      When I "fix" a Windows PC I always make sure to explain to the owner exactly what NoScript does & how to use it. I also stress to them how important it is that they actually use it & don't just "enable all" scripts. I generally don't charge my friends or co-workers for the 1st time I clean a PC but on the two occasions I did get a PC back that had the floodgates opened so to speak, I charged the owner about $10 less than what Best Buy does for cleaning a PC. You can't fix stupid, but you can make them pay for it.

      --
      There is a war going on for your mind.
    8. Re:Good thing by gzipped_tar · · Score: 1

      Srsly, is learning Networking 101 so much more difficult, arduous and benefiting than flirting with weasel words like "my own reality"?

      --
      Colorless green Cthulhu waits dreaming furiously.
    9. Re:Good thing by Anonymous Coward · · Score: 1, Funny

      Basically as more Windows machines become infected, the levels of smug exuded by Mac users can reach dangerous levels. In such an emergency oxygen masks will lower, help yourselves, then the children.

    10. Re:Good thing by NatasRevol · · Score: 1

      That's good right?

      Since your Windows PC will be in flames from all the malware running on it.

      --
      There are two types of people in the world: Those who crave closure
    11. Re:Good thing by TheRaven64 · · Score: 1

      Maybe it also runs under WINE? After I installed VirtualPC on my old PowerPC Mac, all of the viruses I was sent via email got a nice Windows icon on them, maybe you can do something similar with WINE on *NIX now?

      --
      I am TheRaven on Soylent News
    12. Re:Good thing by mzs · · Score: 1

      I concur with ShadowRangerRIT, for most people noscript is much too difficult to use. There are two big problems.

      In many situations there is some site they go to for the first time and it does not work. Then the ones that are trying go and click on the noscript icon or message and are promptly presented with a list of ten or so sites with blocked scripts. They pick one essentially arbitrarily (hopefully the same domain) and then let the page reload. But 7 out of ten times it is some cross domain script that needs to be allowed. So it still does not work. At this point they may try one more by guessing or simply give up on noscript.

      The other big problem is when it does not work but now the page is missing any indication of flash content. There they may go through the steps above or they may just decide right then and there that this noscript extension is breaking this website, and that is the last that they ever use it.

    13. Re:Good thing by BlackSnake112 · · Score: 1

      We have had mac machines running things that attacked the windows machines at work. The mac user did allow the software to be installed. They were prompted for their password to install it. It's OSX, it's apple, they are safe. Wrong. The software was trying to gain access by guessing the account and password and sending them to a machine in China. Well, CA and the owner of the site is in China. It actually sent the failed ones as well. It could have been doing more, but that is what we found first.

      This person got this by visiting a dating site. He was prompted for his apple password when the site loaded. No he was not looking to date Chinese girls. We did a few tests (with test machines). On windows logged in with guest access, errors on page load. Windows with regular user or admin, page loaded fine. Machine appeared fine. It wasn't. On linux, a bunch of error messages (can't find C:\windows, missing file, etc.). Yes the faculty did have to explain to his director why he was looking at dating sites while at work on university machines. I was not there for that meeting. I so wanted to be.

    14. Re:Good thing by NatasRevol · · Score: 1

      Why the fuck do you have people using ANY computer that know the admin password?
      And why the fuck do you have people ENTERING the admin password when they visit a website?

      Change the admin credentials, problem solved right there. At least on a Mac.

      --
      There are two types of people in the world: Those who crave closure
    15. Re:Good thing by daeley · · Score: 1

      The blockers aren't the ones responsible for making the Web unusable. It's the people trying to turn the Internet into television.

      --
      I watched C-beams glitter in the dark near the Tannhauser gate.
    16. Re:Good thing by troll8901 · · Score: 1

      I guess it's not safe to reveal in Slashdot that you allow your users to have local admin access to their own PCs. You'll get flamed to a crisp.

      I particularly enjoy reading honest anecdotes written by other people. But I guess with such negative feedback that these anecdotes attract, they'd simply get fewer.

    17. Re:Good thing by metamatic · · Score: 1

      Yes, but NoScript functionality really needs to be part of the core Firefox product. Security shouldn't be something that you have to download plugins to get.

      (Meanwhile, Mozilla devs are working on adding address books to the browser. Yeah, nice sense of priorities there.)

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  7. Adblockers anyone by Galestar · · Score: 4, Insightful

    Yet another reason to use ad blockers. I'm starting to think Firefox should come with it out of the box.

    --
    AccountKiller
    1. Re:Adblockers anyone by Monkeedude1212 · · Score: 3, Insightful

      The problem is that a large amount of money on the internet is made through advertisements. If Firefox gains marketshare, and starts with adblocking, that's tons of revenue stream being cut off. Google makes a lot of money through advertising, and they seem to be the only ones pushing for progress right now. I don't know if I'd want to go and reduce their income.

      In Alberta - it's illegal to have a billboard on a Highway. Based solely on the idea that it causes more accidents because billboards are distracting. This isn't a direct attack on the speed limit, a major factor, or Alcohol, another major factor. Because attempting to control those other 2 factors would cause a huge upset.

      Same with internet advertising, you can't just stop it all and make the world a better place.

    2. Re:Adblockers anyone by rtaylor · · Score: 1

      You might want to double check Firefox's revenue streams before suggesting they implement adblocking by default.

      --
      Rod Taylor
    3. Re:Adblockers anyone by delinear · · Score: 1

      You could conceivably stop all flash and scripted ads though. Sure there have been cases in the past of people exploiting image formats but they're all pretty well locked down now, if you can't get your message across with images and text then you can't expect your audience to be too sympathetic when your flashy advert allows the bad men to infect their PCs.

    4. Re:Adblockers anyone by Monkeedude1212 · · Score: 1

      The problem is that you need a script of some form to track redirects. Otherwise you don't know how effective ads are on what sites, so you don't know how much to pay to who.

      Because of this - it will always be present that people will find some way to sneak malware into whatever script you run.

    5. Re:Adblockers anyone by kent_eh · · Score: 1

      The problem is that a large amount of money on the internet is made through advertisements.

      Then it's in the financial best interest of the ad networks to stomp this out. Hard and fast.
      When they were merely annoying only some people blocked their content.
      Once it becomes well known that they are an actual threat, then a much larger group will be blocking their stuff, and their entire business sector is in serious financial jeopardy.

      --
      "I can't complain, but sometimes still do..." Joe Walsh
    6. Re:Adblockers anyone by Mandrel · · Score: 1

      The problem is that a large amount of money on the internet is made through advertisements. If Firefox gains marketshare, and starts with adblocking, that's tons of revenue stream being cut off. Google makes a lot of money through advertising, and they seem to be the only ones pushing for progress right now. I don't know if I'd want to go and reduce their income.

      Particularly as Firefox is funded by a Google product placement deal.

    7. Re:Adblockers anyone by cbreak · · Score: 1

      They could just parse referrers and relay all links (clicks) on the banner over their own server. That way they have tracked both banner shows and clicks.

    8. Re:Adblockers anyone by PhxBlue · · Score: 1

      The problem is that a large amount of money on the internet is made through advertisements.

      And whose problem is that, exactly? When I first got started on the Internet (1995), there was almost no advertising whatsoever. I didn't miss them then, and (thanks to AdBlock) I don't miss them now. Advertising can still work as a model, but advertisers need to get smart about it, a la Google ads. Plain text, non-obtrusive ads are the only safe method of Internet advertising -- even JPGs can be compromised.

      --
      !#@%*)anks for hanging up the phone, dear.
    9. Re:Adblockers anyone by JesseMcDonald · · Score: 1

      You can't trust the referrer. It's completely voluntary. For example, no matter what link I just followed your server will see its own address in the referrer header, not the address of the previous page.

      A better scheme is to include the original site's ID in the URL.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    10. Re:Adblockers anyone by metamatic · · Score: 1

      Yeah, I think advertisers are the real reason why the Mozilla devs are adamantly against making NoScript functionality a core part of Firefox.

      However, Google's added the functionality to the recent nightly builds of Chrome, so as soon as it stabilizes I'm just going to switch. Mozilla can pull their heads out of their asses and start serving users rather than advertisers, or lose their market share.

      [Opinions mine, not my employer's.]

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    11. Re:Adblockers anyone by cbreak · · Score: 1

      Executing JavaScript is also voluntary. You have to trust the client to give you the correct data, otherwise you can give up on it and just store on the server side which ad you send to which web page.
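
JesseMcDonald's point that the Referer cannot be trusted and that the originating site's ID belongs in the URL, and cbreak's follow-up that the server should record which ad it sent to which page, together sketch a small protocol. Here it is as an added example, not from the thread or from any ad network: the publisher and ad identifiers, the HMAC key and the in-memory impression store are all constructed. The ad server signs the publisher ID into the click URL when it renders the ad and records the impression; the click handler verifies the signature, the age of the token and that a matching impression exists, and only reports whether the Referer agreed.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed key; in practice it lives in the ad server's config, never in the page.
SECRET = b"constructed-demo-key-rotate-me"

# Server-side record of impressions actually served:
# impression id -> (publisher, ad, issued). This is the "store on the server
# side which ad you sent to which page" part.
served = {}


def _sign(fields):
    """HMAC over the attribution fields; the key never leaves the server."""
    return hmac.new(SECRET, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def issue_click_url(publisher, ad, base="https://ads.example/click", now=None):
    """Called when an ad is rendered for `publisher` (its site ID, here a hostname).

    Records the impression and returns the click-through URL. The publisher ID
    rides in the URL, signed, so the click handler never needs the Referer.
    """
    now = int(time.time() if now is None else now)
    imp = secrets.token_hex(8)  # unguessable impression id
    served[imp] = (publisher, ad, now)
    fields = [publisher, ad, imp, str(now)]
    return base + "?" + urlencode(
        {"p": publisher, "a": ad, "i": imp, "t": now, "s": _sign(fields)}
    )


def attribute_click(url, referer=None, now=None, max_age=86400):
    """Click handler. Returns (publisher, ad, referer_agrees) or raises ValueError.

    Credit comes from the signed token plus the server-side impression record;
    the Referer is client-controlled, so a mismatch is only reported, never used
    to grant or deny credit.
    """
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        fields = [q["p"], q["a"], q["i"], q["t"]]
        sig = q["s"]
    except KeyError as exc:
        raise ValueError(f"missing parameter {exc}")
    if not hmac.compare_digest(sig, _sign(fields)):
        raise ValueError("bad signature: URL was altered")
    now = time.time() if now is None else now
    if not 0 <= now - int(q["t"]) <= max_age:
        raise ValueError("token expired or from the future")
    record = served.pop(q["i"], None)  # one credited click per impression
    if record is None or record[:2] != (q["p"], q["a"]):
        raise ValueError("no matching impression on record")
    referer_agrees = referer is not None and urlsplit(referer).hostname == q["p"]
    return q["p"], q["a"], referer_agrees


if __name__ == "__main__":
    url = issue_click_url("news.example", "ad-42")
    print(url)
    print(attribute_click(url, referer="https://news.example/story"))
```

Changing the p= parameter to steal credit for a rival site breaks the signature; replaying a click URL fails because the impression is consumed on first use; a URL kept from last week fails the age check. None of those checks consult the Referer.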

  8. Much more profitable than click-throughs... by Anonymous Coward · · Score: 1, Interesting

    1) Flash-based Banner Ad
    2) JRE Exploit (CVE-2008-5353)
    3) Adobe Reader Exploit
    4) Profit?

    1. Re:Much more profitable than click-throughs... by julesh · · Score: 2, Insightful

      1) Flash-based Banner Ad
      2) JRE Exploit (CVE-2008-5353)
      3) Adobe Reader Exploit
      4) Profit?

      From what I saw when this happened to me:

      1) Javascript-based banner ad
      2) MFSA2010-01 (or something similar that was present in Firefox 3.5.7)
      3) Mozilla extension to redirect links from google, yahoo and bing to a site of your choice
      4) Site that serves large numbers of per-impression banners for dubious porn sites
      5) Profit.

  9. Adblocker by wisnoskij · · Score: 4, Insightful

    I would like to support sites by viewing their ads but if it leaves you more open to viruses even on high-profile sites then it is not worth the risk.

    --
    Troll is not a replacement for I disagree.
    1. Re:Adblocker by jedidiah · · Score: 2, Interesting

      Yes. This goes way beyond being "merely annoyed". If it becomes a security issue then ads need to go in general.

      This is another example of how "outsourcing" leads to loss of quality and control. If you are going to spam someone then you need to be in control of the relevant content. You need to take responsibility for it. That seems to be the real problem here. You end up needing to whitelist 10 or 20 scripting hosts for the average "legitimate" website.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    2. Re:Adblocker by ajs · · Score: 1

      You could always whitelist ads on sites that you want to support while turning off JavaScript (e.g. using noscript). Most ads will still display (unless they're flash, and then it really was their choice, wasn't it?)

      That's what I do. I even leave Slashdot's ad opt-out checkbox unchecked.

    3. Re:Adblocker by daveime · · Score: 1

      I think you'll find very few malware writers outsource to India. They prefer their malware to actually work !

    4. Re:Adblocker by Tlosk · · Score: 1

      I think your point is spot on, this is why big reputable sites need to take charge of their own advertising instead of farming everything out to 3rd parties that are getting it wrong a lot lately.

      You may save some money in the short term by not having to deal with the overhead yourself, but unless all the content that is getting shoveled your way is reputable you just force your readers to block everything to keep their systems safe.

      But realistically what this means is using ads that don't rely on delivery mechanisms with a huge attack surface like flash and active scripting.

    5. Re:Adblocker by jedidiah · · Score: 1

      I was speaking of all of the ad images getting owned and infecting the readers of the Post and such.

      --
      A Pirate and a Puritan look the same on a balance sheet.
  10. The real defense line by geegel · · Score: 4, Interesting

    The way I see it, no browser should be designed to require admin rights. All that it needs is a sandboxed environment for temporary files. When this mantra gets in the developers' heads, such exploits will no longer be possible. Of course, by that time, other types of exploits will be invented, but we'll cross that bridge when we reach it.

    --
    right...
    1. Re:The real defense line by FlyingBishop · · Score: 1

      Designing a browser not to require admin rights will never prevent users from running it as admin.

    2. Re:The real defense line by Neil+Watson · · Score: 2, Interesting

      In UNIX one might try running the browser as another user via 'su'. That user could be isolated with no useful data or access. Probably some X permissions will have to change to allow the browser to display on an X server owned by another user.

      Could this be accomplished with Windows?

    3. Re:The real defense line by Culture20 · · Score: 1

      The way I see it, no browser should be designed to require admin rights. All that it needs is a sandboxed environment for temporary files. When this mantra gets in the developers' heads, such exploits will no longer be possible. Of course, by that time, other type of exploits will be invented, but we'll cross that bridge when we reach it.

      The way I see it, no browser updates should be designed to require admin rights. Back in the day, FF installers for windows didn't require admin rights; anywhere a user could install was fair game. I don't know if that's still true. But, what if the core executables were owned by root, but updates could be owned by various users? i.e. on opening, browser checks web for updates, if it finds some, it downloads the updated exe or dll to local user dir, and then restarts itself using the new version. If no updates are found on the web, it checks local user dir to see if there were updates previously downloaded, and restarts using the latest downloaded update. Then every user can update their browser.

      Even better: Make the command line browser updater work _only_ on the command line so that sysadmins can update hundreds of machines at a time. Why do command line browser updaters need to open a GUI for a progress bar?

    4. Re:The real defense line by geegel · · Score: 1

      Most users follow the path of minimal resistance (i.e. they will most likely go with default settings). If these settings mean security by design, most of these problems would disappear.

      --
      right...
    5. Re:The real defense line by geegel · · Score: 1

      Basically yes. What's to stop a developer from coding a browser with an emulator type architecture? You load the environment and in that environment you load the browser, while restricting its rights to the bare minimum.

      --
      right...
    6. Re:The real defense line by The+MAZZTer · · Score: 1

      Huh? AFAIK none of the major players require admin rights. In addition Chrome (on XP/Vista/7) and IE8 (on Vista/7, not XP) both sandbox themselves and have been doing so for over a year now...

    7. Re:The real defense line by geegel · · Score: 1

      Well, most Windows users login into their OS with admin rights and when they launch the browser they automatically assign these rights. Basically, a browser should start with minimum rights regardless of what type of user launches it. Thank you for helping me clarify my point.

      Chrome and IE8 have a combined market share of about 30% according to statcounter. This is indeed the right approach, but until ALL the major players and their most important versions take the route of sandboxing, malvertising will continue to be a reality.

      --
      right...
    8. Re:The real defense line by ShadowRangerRIT · · Score: 2, Insightful

      Well, the browser can lower its own privileges just fine. IE8 (and IE7 IIRC) run with lower privileges than a normal user for that reason. Even if you tell it to execute as admin, it programmatically lowers its privileges at runtime.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    9. Re:The real defense line by wiredlogic · · Score: 1

      Back in the day, FF installers for windows didn't require admin rights; anywhere a user could install was fair game. I don't know if that's still true.

      It isn't. You have to be admin now. This gets annoying when I get update notices on a regular account and don't want to shut down and switch over to admin to update.

      --
      I am becoming gerund, destroyer of verbs.
    10. Re:The real defense line by Rysc · · Score: 1

      Better be careful with permissions and umask settings or your downloaded files won't be readable/writable by your regular user. Some kind of auto(or easy)-chown would really be ideal here.

      --
      I want my Cowboyneal
    11. Re:The real defense line by Rysc · · Score: 1

      I've been predicting for a couple of years now that most software will go this way, sooner or later. On the server side per-daemon jails are not unheard of and switching to per-daemon VMs seems like a logical isolation maneuver. Doing it for user apps presents considerably more challenge, but I expect it to happen. It will probably be Apple who does it first, since they have already embraced isolating all app resources (.app bundles) even if it's not yet a 100% solution.

      Mark my words: Within 10 years double-clicking an icon to launch an app in its own VM will be normal. The system will eventually make it so seamless that your average user doesn't know that's what's going on; he'll just see a window as usual.

      --
      I want my Cowboyneal
    12. Re:The real defense line by TheRaven64 · · Score: 2, Interesting

      The problem with this approach is that the browser itself contains useful data - things like access to your Internet banking site, for example. Ideally the browser would create a new process when you navigate to a new site and chroot() that instance so that it can't get any access to the filesystem beyond that. That way, a compromised browser would only ever gain access to caches and passwords for the site that performed the attack. The wrapper would reparent each of these processes' windows into something that would give the appearance of a single application.

      --
      I am TheRaven on Soylent News
    13. Re:The real defense line by FlashBIOS · · Score: 2, Informative

      Until that happens, check out Sandboxie. Sandboxie is a fantastic piece of software that I've been using for years on my browser (and more importantly at home, my wife's and son's). It is largely transparent, and regularly updated. And, it works with any software, not just the browser.

      http://sandboxie.com/

    14. Re:The real defense line by Culture20 · · Score: 1

      Back in the day, FF installers for windows didn't require admin rights; anywhere a user could install was fair game. I don't know if that's still true.

      It isn't. You have to be admin now. This gets annoying when I get update notices on a regular account and don't want to shut down and switch over to admin to update.

      But did you install into c:\Program Files\ or into your own user dir? I haven't installed it as a non-admin for a long time.

  11. Ars Technica by Anonymous Coward · · Score: 5, Insightful

    And Ars Technica says I shouldn't block ads.

    I repeatedly told their staff that I don't block Ars Technica, but I do block ad servers. If they want to send me ads let them serve them from their own domain.

    Sites responsible for ad-vectored infections should be hit with hundreds of small claims court lawsuits to recoup the costs to clean up the infections.

    Maybe then they'll learn.

    1. Re:Ars Technica by shadowbearer · · Score: 1

      I will definitely second that, I am cleaning up a computer right now that got hit with a drive-by infection; ended up with a TDSS variant and enough other crap on it to make the machine nearly unusable. The user swears up and down that he didn't click on any ads, and his browsing history reflects that. I've been seeing a lot more infections like this lately, even on machines whose users know better than to click ads (old customers). Took some time to track down where these were coming from; this news comes as no surprise to me. Back about two months ago one of my home machines here got infected that way - and not only is it thoroughly locked down with up to date antivirus and antispyware, I was using it at the time, and I KNOW I didn't cause the infection myself. Tracked it to an advertisement loaded at the same time I was viewing a NYT article. I knew for certain that I hadn't clicked on any ads; this just confirms my hypothesis at the time. I spend nearly all my time fixing computers just removing infections. If this is going to continue, it is going to make it nearly impossible for even the most careful users to keep their machines clean. I agree that the main hosts need to start being careful who they host their ads from, it is ultimately their responsibility to ensure they don't host malware drive-by advertising. SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
  12. 'careless web activity' by John+Hasler · · Score: 3, Insightful

    > I usually suspect the users of 'careless web activity' when I delouse a PC...

    They are guilty of 'careless web activity': not blocking ads.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    1. Re:'careless web activity' by FlyingBishop · · Score: 2, Informative

      Don't block ads. Use NoScript. Blacklists are easily compromised. Whitelists are much more difficult.

    2. Re:'careless web activity' by John+Hasler · · Score: 1

      > Don't block ads. Use NoScript.

      I use NoScript to block scripts. I use Privoxy to block ads.

      > Blacklists are easily compromised. Whitelists are much more difficult.

      Nothing gets through and I can selectively allow scripts.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    3. Re:'careless web activity' by delinear · · Score: 1

      I'm more than happy to tolerate ads if it supports my continued free access to some great web content and services. To be honest, I pretty much never notice them anyway so if the site owner benefits from them being there and I don't suffer any detriment, that's a true win-win situation (I've never blocked /. ads for the same reason, even though they kindly give me the option to disable them, I'm happy enough with the service they provide). If, however, I was similarly infected by visiting a reputable site I'd seriously rethink that policy. Google got so big on the back of offering very basic, minimal intrusion advertising so why do we need yet more dancing monkeys when they're a possible threat to my security?

  13. ORLY? by SpicyBrownMustard · · Score: 2, Interesting

    Let's see here... an anti-malvertising/malware firm reporting lots and lots of malicious "bad things" being served up by those terrible pesky Internet ads... no agenda here. The report failed to follow-through and dig into the real problem with malicious payloads associated with online ads, the ad network daisy-chain. If network-A has no impression for you, you're handed off to network-B, which may have no impression and then gives you to network-C... and so on. As your impression traverses the daisy chain, the likelihood of hitting a low-tier ad network that allows any wanker with a (stolen) credit card to order millions of impressions increases... where the malware begins. We scan our ad tags daily, using two methods -- a dozens-of-times-an-hour service, and our own script on a minimally-protected PC. We've never seen malware from advertising assets delivered by a top-tier ad network... when we see malware, it's ALWAYS from a provider down the daisy-chain.

    1. Re:ORLY? by John+Hasler · · Score: 2, Insightful

      Why don't you think that the top tier services should be held responsible for the results of their daisy-chaining? They got paid for handing you off.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:ORLY? by shoehornjob · · Score: 1

      Every major AV vendor I know of (Symantec, McAfee, Panda, Trend Micro, Kaspersky etc) does something like this so I disagree that there is a hidden agenda here. We saw the NY Times exploit on Slashdot a while back so they're not spreading FUD. As far as digging into the real problem, I guess it depends on the audience.

      --
      "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
    3. Re:ORLY? by SpicyBrownMustard · · Score: 1

      I do think they should be responsible, but the nature of the report -- specifying top-tier domains as a *SOURCE* of malware -- is deceptive and inaccurate.
      The daisy-chain is the problem in both this and privacy concerns.

    4. Re:ORLY? by SpicyBrownMustard · · Score: 1

      And every major AV vendor obfuscates and over-states the threat associated with cookies.
      nope - no agenda

  14. OK, if the ad networks won't police this by WCMI92 · · Score: 2, Interesting

    Then we should start blocking the ad networks from our networks.

    If lots of people started doing that, I wonder how quick Google, Yahoo, et al. would start screening advertisers for malware?

    --
    Corporatism != Free Market
  15. google ads? by pikine · · Score: 1

    I thought the text-only ads from Google will not allow an advertiser to embed Javascript. Not sure about their newer Flash ads which can embed ActionScript, but one would think Google will be more careful with that. Maybe it is possible that Google still unknowingly redirects you to a malware page after you click on an ad, but the pie chart in TFA does not show Google DoubleClick (probably an insignificant amount under Others). In addition, Google may use the automated method behind stopbadware.org to determine whether an ad is clean or not. I'd be surprised if they're not already doing that.

    What is interesting is, although the chart does not show Google, the article still lumps Google Ads to their headline. Why? It's more catchy to sling mud on Google? What kind of irresponsible journalism is that?

    --
    I once had a signature.
  16. Make the Ads Safe by The+Angry+Mick · · Score: 4, Insightful

    I would like to support sites by viewing their ads but if it leaves you more open to viruses even on high-profile sites then it is not worth the risk.

    Very good point, especially in light of Ars Technica's recent plea to users to stop blocking ads.

    I, too, would be more than willing to disable the protective measures I've got in place, but as long as these sites rely on third party advertisers that are more concerned with eyeball collection than system security, we have a stalemate. If sites want me to see their ads, they have the burden of making sure the ads are safe (less annoying, would also be good). If I lower my guard out of "friendship" for a site, only to get a drive by download as a reward, I'm going to take it as a major breech of trust.

    --
    I'm not tense. I'm just terribly, terribly, alert.

    1. Re:Make the Ads Safe by IICV · · Score: 1

      Are the Breeches of Trust related in any way to the Trousers of Time?

      On a more serious note, this is exactly why Ars Technica's plea was in vain - they want users to stop blocking ads, because that will bring them more money from the people who buy ads on their site. However, the people who buy ads on their site aren't making enough revenue from the ads as it is, and so resort to these intrusive, virus-laden pieces of shit in a weird attempt to generate more revenue.

      This is why I don't feel bad about blocking those big complex ads, even after reading Ars's article. The people who buy them will eventually go out of business, because their business model is unsupportable. They are simply not the future of the Internet - or at least, not the future of my Internet.

    2. Re:Make the Ads Safe by The+Angry+Mick · · Score: 1

      Heh heh. That's what I get for not proof reading. I blame the Lederhosen of Lethargy.

      --
      I'm not tense. I'm just terribly, terribly, alert.

    3. Re:Make the Ads Safe by hoggoth · · Score: 1

      Your posts have inspired me to put on my Culottes of Confusion.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    4. Re:Make the Ads Safe by unixpgmr · · Score: 1

      I agree entirely with that statement. As long as third party scripting is done, I am very wary. Once a breach of trust is made, it will be very hard for the site to win back my trust.

    5. Re:Make the Ads Safe by psydeshow · · Score: 1

      as long as these sites rely on third party advertisers that are more concerned with eyeball collection than system security, we have a stalemate. If sites want me to see their ads, they have the burden of making sure the ads are safe (less annoying, would also be good). If I lower my guard out of "friendship" for a site, only to get a drive by download as a reward, I'm going to take it as a major breech of trust.

      Bingo. If your site relies on ad revenue to survive, maybe you should be the one serving the ads so that you have control over what's appearing next to your precious content.

      Because here's the thing: ad blockers do not block server-included ads. Right? They block 3rd-party ads that are placed using client-side includes.

      If you (as a content provider) trust your advertisers enough to serve the ads from your own site (and take responsibility for redistributing any malware they hand you, yes?) then I won't try to block your ads. It would be like blocking the photos embedded in your stories, or the graphics of your ui. It just wouldn't make sense.

      The problem is that most sites are apparently so desperate for money that they will allow *anyone* to put *anything* on their pages. They may not intend for that to be the case, but that's the nature of client-side includes. When you use them, you have no control over what some other site is going to decide to do.
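An added example, not code from this thread or any site mentioned in it, that makes psydeshow's distinction concrete: it walks a page's markup and labels each fetched resource as first-party (same registrable domain as the page) or a third-party client-side include, flagging the script and iframe includes that an ad blocker would actually stop. The sample page is constructed, and the "last two labels" domain heuristic is an assumption that ignores multi-label public suffixes such as co.uk.

```python
"""Classify the resources a page pulls in as first-party (served from the
site's own domain) or third-party (client-side includes from another domain,
which is what ad blockers filter).

Added example, not code from the Slashdot thread; the sample HTML below is
constructed and the registrable-domain heuristic (last two labels) is an
assumption that ignores multi-label public suffixes such as co.uk."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes through which these elements load remote content
SRC_ATTRS = {
    "script": "src",
    "img": "src",
    "iframe": "src",
    "embed": "src",
    "object": "data",
    "link": "href",
}

# Element types whose third-party inclusion hands the other site code
# execution or a full document context inside the page
ACTIVE_TAGS = {"script", "iframe", "embed", "object"}


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (assumption: no
    multi-label public suffix such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class IncludeCollector(HTMLParser):
    """Collect every (tag, absolute URL) pair the page would fetch."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.includes = []

    def handle_starttag(self, tag, attrs):
        attr = SRC_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        # Only stylesheet <link>s fetch content worth classifying here
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        value = attrs.get(attr)
        if value:
            self.includes.append((tag, urljoin(self.page_url, value)))


def classify_includes(page_url: str, markup: str) -> list[dict]:
    """Return one record per include: tag, absolute URL, which party serves
    it, and whether it is an active third-party include (the case an ad
    blocker would stop and a server-side include would avoid)."""
    site = registrable_domain(urlsplit(page_url).hostname or "")
    collector = IncludeCollector(page_url)
    collector.feed(markup)
    records = []
    for tag, url in collector.includes:
        host = urlsplit(url).hostname or ""
        party = "first" if registrable_domain(host) == site else "third"
        records.append({
            "tag": tag,
            "url": url,
            "party": party,
            "active_third_party": party == "third" and tag in ACTIVE_TAGS,
        })
    return records


# Constructed sample page: the site serves its own house ad as an image from
# its own domain, but also pulls a script and an iframe from an ad network.
SAMPLE_PAGE_URL = "https://news.example.com/story/123"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
<script src="https://ads.adnetwork-example.net/tag.js"></script>
</head><body>
<img src="https://static.example.com/ads/house-banner.png">
<iframe src="https://cdn.adnetwork-example.net/frame?slot=top"></iframe>
<img src="/photos/story123.jpg">
</body></html>
"""

if __name__ == "__main__":
    for rec in classify_includes(SAMPLE_PAGE_URL, SAMPLE_HTML):
        flag = "BLOCKABLE" if rec["active_third_party"] else ""
        print(f"{rec['party']:>5}-party {rec['tag']:<6} {rec['url']} {flag}")
```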

    6. Re:Make the Ads Safe by NeoSkandranon · · Score: 1

      I guess I have the panties of perplexity.

      _>

      --
      If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
    7. Re:Make the Ads Safe by bughunter · · Score: 1

      the panties of perplexity

      Which are only slightly worse than the Skivvies of Skepticism.

      --
      I can see the fnords!
  17. Makes it hard to meet them halfway by MikeRT · · Score: 3, Insightful

    They complain about advertising revenues while they are serving up ads that contain malware. To someone who hates ads to begin with, that's like saying "we know you don't enjoy crawling over broken glass, so how about crawling over glass mixed with AIDS-infected blood and barbed wire?"

  18. malvertising? by Anonymous Coward · · Score: 3, Funny

    how about badvertising?

  19. Say NO to active content. by Anonymous Coward · · Score: 4, Interesting

    That's why I am so pissed at site designers who go "lalala I can't hear you" whenever I request they make their site accessible without "active content" (i.e. Javascript, Flash, Java or even worse things).

    It's nifty and all, but nowadays it's the main malware distribution mechanism. And you can't tell users "just switch off Javascript", because suddenly, half of the Web won't work (I do switch off Javascript: no, not NoScript. Just The Real Thing -- and for most, I'm even glad *this* half of the Web doesn't work -- but I can't tell a regular user to do the same). Heck, those $@#%! web designers even do regular links with javascript snippets for reasons inscrutable to me. Disgusting.

    Advertisers? Do you hear me? I'll look at pngs, jpegs and gifs, even animated. I'll read text. But I won't even see your Javascript/Flash/whatever stuff.

    There. Had to be said.

  20. On the contrary! by Errol+backfiring · · Score: 1

    Watch an ad and you're f*cked automatically!

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  21. Ban Javascript! by tedhiltonhead · · Score: 1

    Ad networks should not enable their clients to include Javascript, Flash, Java, or other active content in the first place. If they have a compelling business case for doing so, all code should be "whitelist" filtered before being distributed. The ad network's reputation is on the line every time they serve an impression.
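An added example, not code from this thread or from any ad network, of the "whitelist" filtering tedhiltonhead proposes and of the static-only policy the "Say NO to active content" poster asks for: a creative is accepted only if every tag, attribute and URL in it is on an allowlist (text, images, plain links), so script, object/embed, event handlers and javascript: URLs are rejected before the creative is ever distributed. The tag and attribute lists are an assumed starting policy, not a standard, and the sample creatives are constructed.

```python
"""Allowlist filter for ad creatives: keep only static markup (text, images,
plain links) and refuse anything that would execute in the viewer's browser.

Added example, not code from the thread or any ad network; the tag and
attribute lists are an assumed starting policy, and the samples are
constructed."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"a", "img", "p", "br", "b", "i", "em", "strong", "span", "div"}
ALLOWED_ATTRS = {                      # no on* handlers, no style, no class
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height", "title"},
}
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https"}    # rejects javascript:, data:, //host
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif")


class CreativeFilter(HTMLParser):
    """Re-emit only allowlisted tags and attributes; record every rejection."""

    def __init__(self):
        super().__init__()
        self.out = []
        self.rejected = []
        self.skip_depth = 0  # > 0 while inside a rejected element

    def _url_ok(self, attr, value):
        parts = urlsplit(value.strip())
        if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
            return False
        # Image sources must at least look like a static image file
        if attr == "src" and not parts.path.lower().endswith(IMAGE_EXTENSIONS):
            return False
        return True

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            self.rejected.append(f"tag:{tag}")
            if tag not in VOID_TAGS:
                self.skip_depth = 1   # swallow the element's whole subtree
            return
        kept = []
        for name, value in attrs:     # html.parser lowercases names for us
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.rejected.append(f"attr:{tag}@{name}")
                continue
            if name in URL_ATTRS and not self._url_ok(name, value or ""):
                self.rejected.append(f"url:{tag}@{name}={value}")
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def vet_creative(markup: str) -> tuple[bool, str, list[str]]:
    """Return (accepted, cleaned_markup, rejections). Any rejection refuses
    the creative outright; the cleaned markup shows what a static-only
    version of it would look like."""
    f = CreativeFilter()
    f.feed(markup)
    f.close()
    return (not f.rejected, "".join(f.out), f.rejected)


# Constructed samples: a plain image-and-link banner, and one that carries
# an event handler, a javascript: link, a script tag and a Flash object.
STATIC_CREATIVE = (
    '<a href="https://advertiser.example/landing" title="Spring sale">'
    '<img src="https://cdn.advertiser.example/banner.png" width="300" '
    'height="250" alt="Spring sale"></a>'
)
ACTIVE_CREATIVE = (
    '<div onmouseover="load()">'
    '<a href="javascript:window.open(\'https://x.example\')">'
    '<img src="https://cdn.advertiser.example/banner.png"></a>'
    '<script src="https://tag.adnetwork-example.net/t.js"></script>'
    '<object data="https://cdn.advertiser.example/ad.swf"></object></div>'
)

if __name__ == "__main__":
    for creative in (STATIC_CREATIVE, ACTIVE_CREATIVE):
        accepted, cleaned, rejections = vet_creative(creative)
        print("ACCEPT" if accepted else "REJECT", rejections)
```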

  22. Ars Says by JackSpratts · · Score: 1

    It's a small price to pay for not using AdBlock. So remember: don't use it.

  23. Are you kidding me? by malp · · Score: 1

    The simple act of browsing the web should never under any circumstances infect your computer. The web browser is simply a viewer. It should only have permission to save bookmarks, cookies, and maybe a few other things to disk. If your operating system allows the web browser to infect your computer or to modify itself without prompting you first, someone seriously dropped the ball when designing your OS. Relying on anti-virus protection or only visiting reputable web-sites is like piling sandbags in front of your house when you shouldn't have built in a flood-plain in the first place.

    1. Re:Are you kidding me? by kalirion · · Score: 1

      A browser is an application, like any other. Should an OS have a list of all web browsers and treat them differently from every other program?

  24. Privoxy by John+Hasler · · Score: 3, Informative

    > Doesn't really help in a business environment - few adblockers allow you to
    > deploy and manage them centrally. Frankly, it would make more sense to block
    > ads at the firewall.

    Privoxy does exactly that.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  25. Adblock and Noscript by erroneus · · Score: 1

    Once again, we cannot trust advertising that does not come directly from the web site being contacted. No surprise there. Further, there are times when we cannot trust advertising that DOES come from the site being contacted.

    The only safe content, so far, is based on simple text and pictures.

    Are you listening advertisers? TRUST the people you are advertising through to host and deliver your ads appropriately. RESPECT your audience enough to avoid using flash and other nonsense. Do this and people will not block your ads so much. People block not only because it is annoying, it is a risk to do otherwise.

  26. i hope the folks at Ars see this by fightinfilipino · · Score: 1

    i understand their position, but they've got to realize ours. hours wasted cleaning out malware/spyware does not make for a good browsing experience, period.

  27. You can't tell the enemy from your friends... by rickb928 · · Score: 4, Interesting

    I have a running dialogue with a webmaster of a celebrity paps site (ok, sue me) about the various bits of malware that are being served up by her various advertisers. This began a few months ago, and it took a while before I figured out they could not be expected to know this was happening. She has tracked down the source of these adverts to an agency that offered her triple the usual rate. Now she knows, among other things, that if it's too good to be true, there is a reason why.

    But, she and I have synched clocks so she can know to the few seconds what I got. She has to report back precise details to get her advertisers to figure out what happened, cause most of her direct advertisers are contracting out ads to other agencies, and they sell other ads, and the chain gets long and obscure in no time at all.

    So far, she is helpful, but last week I sent her a screenshot of a nasty one installing that 2010 antivirus onto one of my virtual machines, and it turned out to be her oldest and most loyal sponsor, and an entirely legitimate ad that had gotten hijacked on the way to her server. Yup, her server is compromised, and some ads are being re-written on the fly from other sources. Makes sense to me, just another vector. This is not good - even honest webmasters are vulnerable, though she called in a team/favor to fix up her server, which is supposed to be monitored for this stuff. Oh well.

    Is there any defense? I'm using VPC2007 to run browsers just to be able to look at the nasty stuff being inflicted on me (not the celebs, thank you) and I can't imagine the fun of doing this from my desktop. Ewww.

    When the NYT is being used, we are past blaming the source.

    Not to mention the waiting time I see for ad servers. I want the damned content I asked for, thank you, perhaps webmasters need to find a way to ditch slow ads and let us see what we wanted to in the first place, ok? Thanks!

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:You can't tell the enemy from your friends... by bjohnson · · Score: 1

      Of course there's a defense.

      Stop
      Using
      Windows

      There, it's easy.

    2. Re:You can't tell the enemy from your friends... by rickb928 · · Score: 1

      No, you're just changing the venue. Or the rules, depending on your chosen metaphor.

      Nothing is secure. Some are more or less secure, but nothing is absolutely secure.

      Now, as an interesting defense, I've taken to opening some sites on my phone. A few behave very, very badly, begging me to visit them with a 'supported' browser. Ha!

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  28. Twice from Slashdot by Alistair+Hutton · · Score: 1

    I've been hit twice in two weeks with attempted installs of trojans/fake anti-spyware just from visiting pages linked to from Slashdot stories. Not amusing.

    --
    Puzzle Daze is now my job
  29. I sure am glad... by NewbieProgrammerMan · · Score: 1

    ...that I never removed DoubleClick from the list of sites that aren't allowed to deliver content to my browser.

    --
    [b.belong('us') for b in bases if b.owner() == 'you']
  30. AdBlockPlus and Ghostery by XB-70 · · Score: 1

    I install Firefox on every machine I set up and then add AdBlockPlus and Ghostery. It's amazing what these two block. Mind you, they are not perfect and sometimes you have to allow some code to get through with Ghostery or the site does not work. Lastly, of course, you should use Linux. That helps a lot...

    --
    *** Don't be dull.***
    1. Re:AdBlockPlus and Ghostery by NorQue · · Score: 1

      Ghostery seems to be fishy, being owned by an advertising company. Easy Privacy filter for Adblock Plus might be a better solution.

  31. Follow the money.. by js_sebastian · · Score: 1

    We do actually have that option in the content filter on our firewall. When I enabled it before I got complaints from one of the directors because they actually click on ads -.-

    Wow... so these are the guys that actually pay for all of our free internet services? By all means do not ad-block them or the internet will collapse!

  32. nobody has to support your idiot business model by Thud457 · · Score: 1

    Advertising shitheads that want to run ad servers and serve up ads to hapless intarweb users should vet the content their customers are asking them to serve up. And not allow their customers to upload new content without being vetted. They should report any customers that misbehave. And they should be forced to do all this, on pain of literally having some guy named bubba come and break a finger for each offense.

    --
    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  33. Yeah, this does not square with Google's analysis.. by Tran · · Score: 1

    The other day someone posted a nice link to Google's facebook analysis, so I tried some of the pages mentioned above.
    For example:
    http://google.com/safebrowsing/diagnostic?site=drudgereport.com/

    Seems that Google has a different opinion on this information.

  34. Why I don't run ads by KingSkippus · · Score: 5, Interesting

    Yup, I've seen it, too. I run a gaming web site that gets around 2 million page loads a month. A long time ago, I made a deliberate decision not to run ads. My rationale at the time was that I didn't mind paying the hosting cost because it's my hobby. Some people pay a lot on woodworking, some people pay a fortune on golf. My hobbyist indulgence is paying the monthly fee for a VPS to host the site.

    A while back, when I needed more power for the site and the hosting costs went up, I made a deal to move the site (which was a MediaWiki-based wiki) to Wikia. They promised me that there would only be one ad on the site, that it would never be injected in the content, that it wouldn't be obtrusive, and other such things. After the site was moved, they proceeded to go back on these promises, and several more.

    After less than a year, the other administrators and I decided to re-host the site ourselves, and ask for donations. Again, we don't run ads, and thanks to donations, I'm almost breaking even on the hosting costs.

    Recently, someone pointed me back to Wikia's site. It is a tragedy. Aside from being woefully out of date, there were six or eight ads, including javascript and Flash ads that obscure parts of the screen and injected into the articles. Worst of all, some of the "malvertising" discussed in this article.

    Here's what's kind of bad. Because Wikia uses SEO crappy games, their site still comes up on top of the search results in Google. (You should see the page titles, they're 10 or 15 words long.) I recently posted a message on the game's official forums warning people of the malevolent advertising, because I wanted to make sure people used the right URL for our wiki, and it was a good chance to reiterate how important it is to us to keep the site ad-free.

    A week or so ago, one of the guys at Ars Technica ranted in an article about how people who use ad blocking are stealing content. I've seen higher profile people (Rupert Murdoch, I'm looking at you...) make the same claim. I said then, and I still maintain, that using ad blocking and Flash blocking is not just a matter of convenience, but a matter of maintaining the security of my system.

    Fortunately, I like sites like Ars Technica, because they provide an alternate means of reading their content without "stealing" it, and I have a paid subscription to the site. However, as long as a site's only business model is advertising, I don't feel one iota of guilt in protecting my system. If they block content if ad blockers are being used, more power to them, I'll find another site to read.

    But stories like this, stories I've actually felt first-hand, are why I support sites without advertising, I do what I can to opt out of advertising, and I don't force advertising on visitors to sites I run myself.

    1. Re:Why I don't run ads by Seedy2 · · Score: 3, Insightful

      I saw the word "malvertising" and thought it was redundant. I have always considered ALL advertising to be malware. Including print and TV advertising. They are all an attempt to force me to view their message, which I neither want nor asked for, and block or delay me viewing what I want to see.

      --
      Nothing to say here... move along
    2. Re:Why I don't run ads by psithurism · · Score: 1

      week or so ago, one of the guys at Ars Technica ranted in an article about how people who use ad blocking are stealing content... I said then, and I still maintain, that using ad blocking and Flash blocking is not just a matter of convenience, but a matter of maintaining the security of my system.

      Well if his business model is trading content for malware, then it's just plain unfair that you get content but he doesn't get to give you malware. In fact now he has to use twice as much malware on the honest customers who don't adblock him.

    3. Re:Why I don't run ads by bzipitidoo · · Score: 1

      I don't allow ads because some of my hardware is very old and slow. Firefox 3.6 takes 30 seconds to come up on a 133 MHz Pentium system. Flash is so slow I seldom install it. Ok, ok, hardware that old ought to be thrown out. Not worth even the electricity it takes to power them, let alone the time it takes me to install the latest OSes. But I like to keep them around. I sometimes find such machines useful for performance testing. Gives you an appreciation for how bloated KDE, Gnome, and even XFCE is. If I'm scratching around looking for every little performance boost, I'm sure not overlooking ads. I'm not keeping ads if I'm giving up compositing and anti-aliasing.

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
    4. Re:Why I don't run ads by vux984 · · Score: 1

      Well if his business model is trading content for malware, then it's just plain unfair that you get content but he doesn't get to give you malware

      If his business model can be trivially rendered non-viable, it's up to him to change it, not us to suffer with it.

    5. Re:Why I don't run ads by kalirion · · Score: 3, Interesting

      Sure, just like highway billboards and road-side bombs are really similar, when you think about it.

    6. Re:Why I don't run ads by psithurism · · Score: 1

      If his business model can be trivially rendered non-viable, it's up to him to change it, not us to suffer with it.

      Agreed. I avoid the checkout counter at the local supermarket as I exit with groceries, it trivially renders their business model non-viable, but really, it's up to them to change it, not me to suffer with it.

    7. Re:Why I don't run ads by ekhben · · Score: 1

      I look forward to a future where it is a crime to ignore or outright avoid advertisements.

    8. Re:Why I don't run ads by psithurism · · Score: 1

      Well if his business model is trading content for malware, then it's just plain unfair that you get content but he doesn't get to give you malware

      If his business model can be trivially rendered non-viable, it's up to him to change it, not us to suffer with it.

      Actually I figured out how to improve his business model: the malware serves you the content, now he can be sure that you're infected and maximizing his profits before you get to access his content.

    9. Re:Why I don't run ads by vux984 · · Score: 1

      I avoid the checkout counter at the local supermarket as I exit with groceries, it trivially renders their business model non-viable, but really, it's up to them to change it, not me to suffer with it.

      What? You've never seen a supermarket with a security guard? Or where they check receipts as you leave? Or where they've renovated the store to make avoiding the checkout much harder, added turnstiles at the entrance to make going "out" the "in" harder, etc, etc. Of course a certain level of theft is inevitable... but I'm sure the price of goods on the shelves already covers a certain level of anticipated theft.

      So far they've adapted just fine to people 'avoiding the checkout counter'. That's why they're still in business. If avoiding the checkout counter became so epidemic that all these measures didn't work, rest assured they'd adapt.

    10. Re:Why I don't run ads by vux984 · · Score: 1

      Actually I figured out how to improve his business model: the malware serves you the content, now he can be sure that you're infected and maximizing his profits before you get to access his content.

      Exactly. Like DRM music. ;)

      Of course my response to that was to stop consuming content. And now drm free music is readily available again.

  35. I'm a professional Malware removal guy. Literally. by _KiTA_ · · Score: 4, Informative

    I work at a pinch hitter Tier 2 Pay to Play tech support company that is outsourced to by several major ISPs.

    I see these damned things all the time. Usually they come with names like XP Antivirus 2010 or "Vista Security Center" or somesuch crap. They almost exclusively look the same, and there are new names that appear every so often -- XP Antivirus 2010 was "Internet Security 2010" not too long ago, for example. I suspect there is a kit that these companies are using to make their products.

    They are almost exclusively coming in from banner ads. Specifically they use a Flash ad that, after a few minutes, or upon webpage close, or mouseover, opens an infected PDF file on a random infected server. Google Chrome occasionally catches these domain names, usually they are IP addresses or something similar.

    Flashblock is NOT foolproof (although it does help), as occasionally they just have the ad banner on an infected server that auto-redirects you to a PDF file immediately.

    They are occasionally Java files instead, but almost exclusively they are PDF files.

    They're actually getting very creative in their infections. XP AV 2010, for example, sets itself up as the handler for EXE files -- in order to remove it, you have to install Malwarebytes and rename the mbam.exe file as 1.com or something similar. You can also dive into the registry to fix the EXE thing, except if the program is running it will just break it again immediately. Either windows does not have support for hijacking the .COM support in Windows XP/Vista/7, or these viruses just aren't thinking to try yet. Once they do, then our options drop to "OS Reinstall", as you can literally not run anything.

    Some of these programs install themselves in such a way that if you attempt to load Safe Mode, your OS will intentionally BSOD. Or, in at least one infection, the screen filled with ASCII smiley faces and didn't continue.

    Combofix will also remove most of these, and usually with "Security Center" or "XP AV 2010" we give up and run Combofix immediately.

    The solution to prevent future infections isn't to move to Firefox or Chrome -- these infect those just as easily, although Chrome seems to just crash its Flash plugin instead. In order to fix these, you have to update Adobe Flash, Adobe PDF, and Sun Java to the latest versions. PDF is the most important, but not the only one. Better browsers won't work. Antimalware programs won't work. The only way to fix it is to patch the holes.
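An added example, not code from this thread, of how a defender would look for the chain _KiTA_ describes in outbound proxy logs: a Flash creative fetched from an ad network followed, seconds later, by a PDF or Java archive pulled from a bare-IP host the user never navigated to. The log format, the sample lines and the 120-second window are all constructed or assumed; a legitimate PDF from a named host in the same window is deliberately left unflagged.

```python
"""Spot a Flash-ad-then-payload redirect chain in outbound proxy logs.

Added example, not from the thread; the log format and sample lines are
constructed, and the 120-second window is an assumed tuning value."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

WINDOW_SECONDS = 120
LURE_TYPES = {"application/x-shockwave-flash"}
PAYLOAD_TYPES = {"application/pdf", "application/java-archive"}
PAYLOAD_SUFFIXES = (".pdf", ".jar")


def host_is_bare_ip(host: str) -> bool:
    """True when the host part is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line: str) -> dict:
    """Constructed format: epoch_seconds client_ip url content_type."""
    ts, client, url, ctype = line.split()
    parts = urlsplit(url)
    return {
        "ts": int(ts),
        "client": client,
        "url": url,
        "host": parts.hostname or "",
        "lure": ctype in LURE_TYPES,
        "payload": ctype in PAYLOAD_TYPES
        or parts.path.lower().endswith(PAYLOAD_SUFFIXES),
    }


def find_redirect_chains(lines) -> list[dict]:
    """Per client, pair each Flash fetch with every later PDF/JAR fetch from a
    bare-IP host inside the window. Returns one alert per pair; a payload
    from a named host is not alerted on, to keep ordinary PDF downloads out."""
    by_client = defaultdict(list)
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            rec = parse_line(line)
            by_client[rec["client"]].append(rec)
    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, lure in enumerate(recs):
            if not lure["lure"]:
                continue
            for later in recs[i + 1:]:
                if later["ts"] - lure["ts"] > WINDOW_SECONDS:
                    break                       # sorted, so nothing later fits
                if later["payload"] and host_is_bare_ip(later["host"]):
                    alerts.append({
                        "client": client,
                        "lure_url": lure["url"],
                        "payload_url": later["url"],
                        "delay": later["ts"] - lure["ts"],
                    })
    return alerts


# Constructed log: client 10.0.0.5 loads a news page, its Flash ad, then a
# "PDF" from a bare IP 34 s later; client 10.0.0.9 sees the same ad but its
# later PDF comes from a named host, so it is not flagged.
SAMPLE_LOG = """\
# ts client url content_type   (constructed, not a real capture)
1268100000 10.0.0.5 https://news.example.com/story.html text/html
1268100001 10.0.0.5 https://ads.adnetwork-example.net/creative.swf application/x-shockwave-flash
1268100004 10.0.0.5 https://news.example.com/photo.jpg image/jpeg
1268100035 10.0.0.5 http://203.0.113.17/r/x.php application/pdf
1268100200 10.0.0.5 http://203.0.113.17/update.exe application/octet-stream
1268100010 10.0.0.9 https://news.example.com/story.html text/html
1268100011 10.0.0.9 https://ads.adnetwork-example.net/creative.swf application/x-shockwave-flash
1268100020 10.0.0.9 https://docs.example.com/annual-report.pdf application/pdf
"""

if __name__ == "__main__":
    for alert in find_redirect_chains(SAMPLE_LOG.splitlines()):
        print(f"{alert['client']}: {alert['lure_url']} -> "
              f"{alert['payload_url']} after {alert['delay']}s")
```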

  36. Ad CDNs have been a nightmare by Coopjust · · Score: 3, Insightful

    Two weeks ago, someone asked me to reinstall Windows XP for them. Their disk was XP SP3.

    I reinstall, and open IE to visit Windows Update.

    Instantly, I get a Vundo variant from a malicious ad attacking the out-of-date Flash Player that came with XP that installs without any user intervention whatsoever.

    This only served to reinforce that I was right and not a webmaster/free content hating jerk when I block ads online.

    1. Re:Ad CDNs have been a nightmare by Coopjust · · Score: 1

      To be clear: It was an ad on the MSN homepage.

      Common sense for me will be going to the control panel and changing the homepage to Windows Update first now.

    2. Re:Ad CDNs have been a nightmare by PhxBlue · · Score: 1

      This only served to reinforce that I was right and not a webmaster/free content hating jerk when I block ads online.

      I hate that webmasters seem to think we're responsible for their prosperity. Webmasters: If your advertising model works, great. If not, find another model or get off the Internet.

      --
      !#@%*)anks for hanging up the phone, dear.
    3. Re:Ad CDNs have been a nightmare by mholda · · Score: 1

      Why not just go Start -> Run -> Windows Update?

    4. Re:Ad CDNs have been a nightmare by Coopjust · · Score: 1

      To be honest, I forgot the shortcut was even there.

      On XP, I slipstream now. On Vista & 7, it's all in the control panel anyways.

    5. Re:Ad CDNs have been a nightmare by shadowbearer · · Score: 1

      Doesn't help users with new computers that were built without opening IE first, nor those who use MSNBC as a homepage. If MSNBC's homepage had one malware ad on it, you can bet there are or will be more. Sigh :( SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
    6. Re:Ad CDNs have been a nightmare by Coopjust · · Score: 1
      http://www.microsoft.com/technet/security/advisory/979267.mspx

      Microsoft is aware of reports of vulnerabilities in Adobe Flash Player 6 provided in Windows XP.
      The Adobe Flash Player 6 was provided with Windows XP and contains multiple vulnerabilities that could allow remote code execution if a user views a specially crafted Web page.

      You were saying?

  37. Re:So at what point does Adobe become liable? by ShadowRangerRIT · · Score: 1

    That's what EULAs are for. Software is much harder to do right than hardware, so people accept a certain amount of misbehavior in exchange for more powerful software that doesn't cost an arm and a leg. We could do bug free software, but it drastically limits the scope of the software and drastically increases the cost. The software used for aircraft control is usually subject to this level of testing, along with that used in a lot of embedded systems. But for a general purpose computer, you need to do things like conditional code, interacting processes, etc., that make it nearly impossible to do 100% thorough tests. Yeah, Adobe is doing worse than it should, but the only solution to that is to stop using it. And until everyone does, Adobe will continue to get away with it.

    --
    $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  38. Re:So at what point does Adobe become liable? by ShadowRangerRIT · · Score: 1

    That said, even in these theoretically 100% testable scenarios things sometimes go wrong. Assuming Toyota's issues aren't purely mechanical, it will be an object lesson in how even extremely limited functionality software can have critical failures in edge conditions.

    --
    $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  39. Re:CUSTOM HOSTS FILES ARE THE SUPERIOR ANSWER by geekboy642 · · Score: 3, Informative

    1 is flat-out false.
    2 is technically correct.
    3 is true.
    4, while true, is pointless. A far better (and simpler, easier) job of this can be done with a local caching DNS server.
    5 is the same as 4.
    6 is stupid and wrong. Text editors that can easily handle 30MB of text are rare under Windows, and nobody should ever do that anyways.
    7 is completely stupid. There might be bugs in Windows' HOSTS implementation. If there are, they will never be corrected. An AdBlock bug, or a DNS server bug, will be corrected within hours at the longest.
    8 is vacuously true.
    9 is completely false. Any malware that doesn't have admin access can get it trivially, under any Windows platform. It is impossible to lockdown the HOSTS file to the point that an admin-level malware cannot interfere with it.
    10 is entirely wrong. See 6), and inspect any modern ad blocker. They've had 3-click-to-block for years now.
    11 is flat-out wrong. See 9).

    It takes you over an hour to process one million db entries? That's shameful. What are you doing that takes 4ms per entry? And why wouldn't "cat HOSTS | sed -E -e 's/[[:space:]]+/ /g' -e 's/ +$//' | sort -dfu" be faster and easier than processing text in assembler?

    --
    Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
  40. Careless web activity SHOULD NOT be a problem by Anonymous Coward · · Score: 1

    There's no such thing. I don't buy the "web user stupidity" argument from all the paid M$ astroturfers that dodge the fundamental underlying issue.

    Unless a user purposely downloads and installs and enters the admin password, he's not being careless. The OS is. And that is an entirely different topic.

    How on earth is it possible that by simply surfing the Web from your browser your PC can become part of a botnet?

    The answer is simple: sloppy security, from the browser up to the OS.

    A carefully conceived OS doesn't "get rooted" by surfing the Web. A carefully conceived browser does NOT let anything escape its sandbox.

    Truth is: most browsers are abysmal pieces of ***t developed by security-clueless programmers, and regarding Windows, my views are not printable, not even as an AC.

  41. Re:I'm a professional Malware removal guy. Literal by mr.bri · · Score: 5, Interesting

    Yep. You don't have to click on anything to get infected. We've had a couple of our systems infected over the past couple of months. What scares me is:

    1. We were running the latest version of Firefox
    2. Acrobat Reader was fully patched (version 8, not 9. But, we have to leave the JS enabled)
    3. Adobe Flash was up-to-date
    4. Windows was fully patched
    5. We have web filters
    6. They got past 2 layers of IDS/IPS and 3 layers of antivirus scanners (different engines)
    7. Users are NOT admins!!!

    Since then, we have switched to a few new products and attempted to tighten things up even more, but these things have gotten incredibly complex. In one case, it was a triple attack. The Flash ad (0-day exploit) loaded an exploited PDF (0-day exploit) that took advantage of a 0-day IE exploit (keep in mind we use Firefox), which compromised the system. We have a nuke-from-orbit policy on any system we suspect has been infected, but what a waste of time!

    It was hosted from a site in India. The user was on Yahoo's website (we've had 4 infections through Yahoo's ads). They did NOT click on anything!

    Be very afraid!

  42. Difficult change in habits by LoudMusic · · Score: 1

    I usually suspect the users of 'careless web activity' when I delouse a PC, but now I'm going to have to give some the benefit of the doubt."

    I too have found myself in this situation and it is really difficult for me to not immediately jump to conclusions. To this day the only malware detected on my computers were put there by software I should have known better than to install. When I stopped installing that software I stopped having problems. But I know a lot of people who get viruses regularly and never use any warez and claim to be very careful about what they open from emails and where they browse on the web and which browsers they use.

    --
    No sig for you. YOU GET NO SIG!
    1. Re:Difficult change in habits by bipbop · · Score: 1

      I had a Windows box compromised, because I foolishly had Adobe's PDF reader installed, which was up-to-date but had Javascript enabled. (At the time, I had no idea PDFs even had Javascript support. Blecch.) A website served an ad containing a PDF, which popped up Adobe's application. The window closed itself a fraction of a second later, but I saw it, and figured out what happened.

      I'd put "uses Adobe Reader" on the list of high-risk activities, to be avoided when at all possible.

  43. This is NEWs? by SpacePunk · · Score: 1

    Anybody that's been dealing with this stuff already knew that it was being served up by ad servers. The people running the ad servers evidently do not check scripts for malware before they are put into rotation, and they'll sell ad rotation to anybody that has the money with no questions asked.

    This is not new news, I am not shocked by this, nobody should be.

  44. Re:I'm a professional Malware removal guy. Literal by Archon-X · · Score: 1

    Things have indeed changed: posting with the attitude that sloppy practices are the only vector for attacks is dated.
    I recently had my laptop (OEM fresh, everything updated, running chrome) owned by something nasty. MalwareBytes, WebRoot, etc etc - all turn up blank.

    How it got on remains a mystery - and the only fix seems to be the mentioned nuke-from-orbit.

  45. Doubleclick too... by Tteddo · · Score: 3, Informative

    I fix PCs for a living and I have been seeing this too. Some people, all they do is Facebook, and they are getting "XP Antivirus" or its variants, and I know there is no way they are doing anything. They all use Firefox, etc. The last 2 weeks I have been putting on Ad Block Plus and explaining to them what it does because I was having people get infected again in a matter of weeks after I clean it up the first time. I know that kinda sucks for website revenue, but what else is there to do. One guy got infected from Photobucket, and it was repeatable.

  46. Re:I'm a professional Malware removal guy. Literal by herksc · · Score: 1

    FYI: If you can kill the malware process and then delete it, you can manually re-associate EXEs to run as applications in the File Types menu. Just did this for a machine on my network last week. Of course I also ran Malware Bytes...

    I just dealt with a truly nasty version yesterday though that not only sets itself up as the handler for EXE files, but also closes the task manager immediately when you try to open it. In order to remove it I had to boot the machine using a Linux live CD, and then remove the offending files.

  47. ad servers really shot themselves in the foot here by Vorpix · · Score: 2, Interesting

    the biggest change this has for me is that it has moved installing adblocking software from just 'something i do for my personal computers' to 'something i do on any computer i touch, even professionally'.

    it was the ad server's responsibility to regulate what they distribute. instead, they have just become an avenue for zero-day attacks that can spread across the web in no time at all. since they did NOT act responsibly in preventing this type of attack (really, is there NO review process at all on what they serve out to millions of people?), it falls on us, the users, to protect ourselves. when companies complain about lost revenue due to adblocking software, this is your justification.

    --
    frog blast the vent core
  48. Re:I'm a professional Malware removal guy. Literal by mzs · · Score: 1

    I second this. I see exactly this with PDF files routinely. I have simply uninstalled Acrobat (aka Adobe Reader) on all of the Windows machines at this point and use SumatraPDF instead. It is only a matter of time until they start using zero-day exploits.

  49. Re:CUSTOM HOSTS FILES ARE THE SUPERIOR ANSWER by Vancorps · · Score: 1, Informative

    Notepad can easily handle 30meg text files or even 2gig text files. When your list is that long it makes sense to go the server route, but in my experience you only need a couple megs to block the majority of sites and performance is not noticeably impacted then.

  50. Nice Solution by bizitch · · Score: 1

    Try Ghostery - the ad script killing plugin for Firefox - nukes everything - awesome

    --
    ---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
  51. Re:I'm a professional Malware removal guy. Literal by beavioso · · Score: 1

    I had to clean up a vundo and Antivirus 2009 on a few of my relatives computers. The best thing I've found is the Ultimate Boot CD for windows (UBCD for windows). You need a legitimate copy of a Windows OS disc and then it creates a boot CD of a clean fresh new OS with a whole host of tools.

    It's a great way to attack the virus from a fresh OS install running off a RAM disk.

  52. Re:I'm a professional Malware removal guy. Literal by E-Sabbath · · Score: 2, Informative

    Same experience except: my sneaky trick is to install mbam on the infected computer, then run the same version of it off a flash drive. Surprisingly, it works.

    Also, do you think using Foxit instead of Adobe might help? For that matter, setting PDFs to not auto-open?

  53. So what do I do to protect the family network? by techie42 · · Score: 1

    This new form of attack makes me sad as I recently chewed out my kid for infecting two different computers at home. But, last night I got hit by a side panel ad that set off my AV alert. I have also seen some unusual firewall alerts so there is still something there under the hood. The last time I got hit I accidentally clicked on a questionable ad while attempting to scroll down the page. But at least I knew that I had clicked. What to do about this? Do I run web browsing and email in Sandboxie? Do I set up VMplayer copies of Windows to browse and email? Are there other (better) solutions? Tea-Timer and the rest seem to drive my wife and teenage daughter nuts with prompts (and they are never sure what is okay anyway.)

  54. Re:i'd rather have a malware infested web with ads by sourcerror · · Score: 1

    Google does fine with their text-ads, most ad-blockers leave it alone as well.

  55. Remind me by sjames · · Score: 3, Insightful

    Why is it somehow un-ethical to block ads again?

    Perhaps it's a good idea for big sites with a reputation to maintain to borrow just a bit from the old model where they sell ad space with an approval process directly to advertisers and serve the images from their own servers.

  56. Sue DoubleClick by Animats · · Score: 5, Interesting

    A big class action against DoubleClick, etc. would be appropriate. They "exceeded authorized access", as defined in the Computer Crime and Abuse Act. That they got the attack from someone else isn't an absolute defense. The ad network obtained "something of value" for the attack. If they sent out one attack after they'd been informed, they were doing so "knowingly".

    The ad network has the right to find and sue the source of the ad, but that's their problem, not the end user's problem. This is well-established law. In general, you can sue the party you dealt with, and they can sue the next party up the chain.

  57. Re:I'm a professional Malware removal guy. Literal by _KiTA_ · · Score: 2, Interesting

    No, just run Combofix. Then MBAM. It'll fix it. It's a rootkit, which is blocking MBAM and Webroot from seeing it.

    That's the most terrifying thing about these things -- they literally install as rootkits, without admin privileges, even on a fully up to date WinVista or Win7 box. UAC, Security Policies, etc do nothing.

    It's no wonder Google got hacked by China.

  58. Re:I'm a professional Malware removal guy. Literal by darkain · · Score: 1

    No need for an OS reinstall yet. Actually, it isn't too bad...

    I used a clean machine to export the registry keys for the EXE file association to a .REG file. Reboot the infected machine into safe mode, import the .REG file, and then use a program such as System Explorer or Security Task Manager to help clean up any bad processes.

    Next, locate the exact filename of the virus (av.exe as one example). Rename/Remove the virus EXE file. Then create a DIRECTORY with the same name in the same path (so a directory named "av.exe") - While the virus creators have been finding craftier and craftier ways to get it to execute itself on systems, this is an absolutely stupid simple way to prevent it from even being writable (until they change the filename or path for where it saves itself).

    Oh, and there is always PeerBlock with a daily updated list, which is great at blocking 3rd party malware servers entirely (this has worked much MUCH better at being up-to-date with Malware lists than any AV application as of recent) - http://www.peerblock.com/

  59. life safety !== internet by tivoKlr · · Score: 1

    Your brother is likely working somewhere where they don't want to provide internet access bureaucratically. FD's are notorious for micromanagement, and internet access is so easy and tasty a target when it comes to exerting control over your minions.

    As for the critical systems part, at least in our installation, there were no critical life safety systems running on our internal network, just our incident report database system, the personnel scheduling system, exchange and SMB. Last time I checked the rig rolled out the door regardless of the internet. Dispatching is handled over the airwaves, no internet required. In fact, I'd be hard pressed to trust any life safety item that REQUIRES the internet, seems like an oxymoron to me...just like the fact that the ultrasound machine (GE) I use at work runs XP, but then again, it's not life safety.

    Remember, it's all about control when you're in IT (or in management at a FD). You can either be a dick or a doormat, but the best people fall somewhere in between, albeit a modicum of paranoia helps one to keep the generosity in check.

    --
    Ocean is land, covered with water.
  60. Re:So whats going to be done about it? by compro01 · · Score: 1

    You can bet your ass these people aren't operating out of the US and you're going to have to trace through layers upon layers of contracting and shell corporations to track down the people actually behind this crap.

    --
    upon the advice of my lawyer, i have no sig at this time
  61. OT: no such law exists by freeweed · · Score: 1

    In Alberta - it's illegal to have a billboard on a Highway. Based solely on the idea that it causes more accidents because billboards are distracting. This isn't a direct attack on the speed limit, a major factor, or Alcohol, another major factor. Because attempting to control those other 2 factors would cause a huge upset.

    Every once in a while people post things that are 100% incorrect.

    Alberta highways are full of billboards. No such law exists. From advertising the local ski resorts (of which we have many), to "keep Ottawa out of Alberta" (ie: Alberta separatists), we have plenty of billboards.

    And those are only 2 examples out of the hundreds I saw last time I went on the road.

    There are rules to limit them, but they are most certainly not illegal. If they are, it's certainly a law that's not being enforced very well.

    There are guidelines, but no ban.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    1. Re:OT: no such law exists by Monkeedude1212 · · Score: 1

      The ones you see are on Native People's soil. I cannot buy land from the government and put up a billboard.

  62. Re:CUSTOM HOSTS FILES ARE THE SUPERIOR ANSWER by Schadrach · · Score: 1

    1 is only semi-false. Using a HOSTS file doesn't use significant CPU that you aren't already using because your request is already going to hit your HOSTS file anyways. I suppose technically having a very large HOSTS file would consume more parsing it than a small one, but in comparison to alternatives, it's CPU light at the least.

  63. Re:Time to blow you AWAY "geek wannabe" by geekboy642 · · Score: 2

    1) Tell me: Does performing a lookup into a one-million-entry list require more or less CPU than performing a lookup into an empty list? The page will be parsed no matter what you do.
    4) Dan Kaminsky's work is important. But the flaw he found is non-trivial to exploit, has never been discovered in the wild, and on a private DNS server is trivial to protect against. (Like, oh, say, using Source Port Randomization)
    6) Okay, my mistake. Let's try that, open notepad, open some 30MB file. Oh, look at that. It's locked up. Two minutes later, it's loaded the file. That's certainly easier than the three clicks required to block an entire adserver with AdBlock.
    7) What profanity? Is WebSense blocking me? Untwist your panties, grandpa. And again, Dan Kaminsky. One flaw renders the entirety of DNS unusable? I suppose you throw your car away when it runs out of gas, too.

    As for your PS, I don't care what you call it. A file containing a series of organized entries in a regular structure is a database. The fact that it's not SQL matters not in the slightest. The fact that it takes you an hour to process this "not a database" with only a million entries is shameful, and the shell script I provided you would likely perform the same task in under a minute. Why so defensive?

    --
    Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
  64. Re:I'm a professional Malware removal guy. Literal by Statecraftsman · · Score: 1

    SumatraPDF ftw.

  65. Re:I'm a professional Malware removal guy. Literal by shadowbearer · · Score: 1

    Yes, using Foxit does seem to help, but unfortunately it doesn't seem to be 100% compatible with all pdf files. Anyone know any more about that? SB

    --
    It's old. The more humans I meet, the more I like my cats. At least they are honest.
  66. Re:I'm a professional Malware removal guy. Literal by DMUTPeregrine · · Score: 1

    I, too, clean many malware infested machines. I've never had a problem with .exe handling being rewritten, because I do all my cleaning from a boot CD. Why you'd ever try to clean a machine from an infected install is beyond me. OS reinstall is pretty much never necessary, though it can be cheaper (when the time needed to backup data, install OS, install apps, & restore data is smaller than the time needed to clean the infection.)

    --
    Not a sentence!
  67. Re:I'm a professional Malware removal guy. Literal by kalirion · · Score: 1

    Combofix will also remove most of these, and usually with "Security Center" or "XP AV 2010" we give up and run Combofix immediately.

    I hadn't heard of combofix before, so I googled it.

    From combofix.net:

    Known issues
            * ComboFix is made to only run on 32-bit versions of Microsoft Windows 2000, Windows XP and Windows Vista.

            * Some antivirus software may detect ComboFix as malicious; for example it uses NirCmd, which is considered as a backdoor by many antivirus software.

            * ComboFix may disrupt internet connectivity. The majority of times only a simple fix is required.

            * ComboFix may attempt deletion all files from the system drive on systems infected with a rootkit.

    That last one might give me pause....

  68. Re:Yeah, this does not square with Googles analysi by SpicyBrownMustard · · Score: 1

    Because the "bad stuff" didn't come from the domain you're testing.

  69. Re:I'm a professional Malware removal guy. Literal by _KiTA_ · · Score: 1

    That last one might give me pause....

    The guy who writes it has English as a second language. Basically it's asking for permission to delete rootkits it finds, and warning you that rootkit removal is an art, not a science, and some OS loss may occur.

    Besides, this is the real Combofix site, not that one:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  70. Re:Yeah, this does not square with Googles analysi by Tran · · Score: 1

    Right, but if you put in facebook.com, you see that they are an intermediary for an infection. Is what Google describes for facebook.com different than what you describe? And is it different from what the summary claims (yeah, I did not rtfa this time either)?

  71. Thanks! I was wondering what happened to me... by WoTG · · Score: 1

    For the first time in years (i.e. since I was a teenager pirating computer games from 3.5 inch floppy disks), I got malware on my PC last week. PC Total Defender 2010, I think it called itself.

    I couldn't figure out how I got caught. I have the standard firewall and antivirus installed, plus SpyBot's TeaTimer tool. And I tend to browse safe sites, anything questionable is done in a virtual machine.

    Anyway, it turns out that my Adobe Reader was somewhat out of date, and I had half a dozen versions of JVM installed. I suspected one of these was at fault.

    Crazy. How am I supposed to blame my users now?

  72. Re:Now, to COMPLETELY blow you away... apk by geekboy642 · · Score: 1

    Go lookup "database" in any mainstream dictionary. No, wait. I'll do it for you. Here's what Princeton's wordnet thinks a database is:

    Noun

    S: (n) database (an organized body of related information)

    Note a lack of references to indexes, attributes, varchars, or any other SQL-specific artifact.
    Here's what my deadtree edition Webster's unabridged dictionary thinks a database is:

    data base, data bank, a large collection of data in a computer, organized so it can be expanded, updated, and retrieved rapidly for various uses: also written database, databank.

    Again note a lack of 'attributes', and a few moments of careful thought will prove that a structured text file matches the definition of database precisely. You, sir, are the one inventing your own definitions.

    By the way: When YOU can write such a program, YOURSELF MIND YOU (& make it do ALL THAT I NOTE ABOVE) & not just "use others' tools" as I suspect you are only capable of, & faster than mine? Well, then?? Then, you can talk... otherwise, you're a windbag b.s. artist, period. A talker/wannabe...

    Let's consider specifications:
    * Remove trailing blanks
    * Translate 127.0.0.1, 0.0.0.0, and 0 entries to a specific value (for argument's sake, say '0').
    * Remove duplicate entries
    * Sort alphabetically

    If this is correct, then I can write, and have written, a piece of shellscript that accomplishes all these tasks which runs in under a minute. What possible reason could there be to re-implement the wheel in this case? Surely if you are as established a programmer as that collection of unverifiable citations and forum posts would be intended to support, then you understand the value of relying on code re-use. And it takes no thought at all to consider a <1min script as vastly superior to the >1hr (but entirely hand-written and optimized!) code. I could give you my credentials as a programmer, but you wouldn't believe them, and my past employers certainly wouldn't be willing to divulge sensitive information to a wild-eyed forum troll. So I'm sure you understand why I'd rather just let you think whatever you like about my abilities and education, rather than open up another line of pointless flamewar.

    But that's gone rather far afield. The argument, which you seem to've forgotten, is that a HOSTS database is an unsupported and poorly-chosen kludge that a simple AdBlocking extension makes a far superior replacement for, and that if DNS security is your concern, that a local DNS server can be run with heightened security and rendered nigh impervious to Dan Kaminsky's attack. Your religious mania, your ersatz multiple degrees, your claimed work history, they are no more than argumentum ad verecundiam, and mean nothing. Please stay on topic, flamewars are so much more fun that way.

    Oh, and:

    I met a traveller from an antique land
    Who said: Two vast and trunkless legs of stone
    Stand in the desert. Near them, on the sand,
    Half sunk, a shattered visage lies, whose frown
    And wrinkled lip, and sneer of cold command
    Tell that its sculptor well those passions read
    Which yet survive, stamped on these lifeless things,
    The hand that mocked them and the heart that fed.
    And on the pedestal these words appear:
    "My name is Ozymandias, king of kings:
    Look on my works, ye Mighty, and despair!"
    Nothing beside remains. Round the decay
    Of that colossal wreck, boundless and bare
    The lone and level sands stretch far away

    You would do well to avoid aggrandizing yourself with that particular reference. Unless you mean to imply you are a washed-up and useless wreck.

    --
    Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
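    As an added example, not code from the thread or from any poster: the blocklist clean-up that comment 39's one-liner and the four-point specification in comment 72 describe (strip trailing blanks, map 127.0.0.1 / 0.0.0.0 / 0 to a single sinkhole value, remove duplicates, sort), written as POSIX shell and awk so it runs on any Unix-like box. It goes slightly beyond the spec: it also drops comments, splits HOSTS lines that carry several hostnames into one entry each, lowercases hostnames so case-variant duplicates collapse, and leaves the loopback names alone so the output can be appended to a real hosts file. The function names and the sample entries are this example's own, and the sample is constructed, not a real blocklist.

```shell
#!/bin/sh
# Added example (not from the thread): normalize a HOSTS-style ad blocklist.
# Function and sample names are this example's own assumptions.

# Read HOSTS lines from the files given as arguments (or from stdin) and
# print one normalized "0 hostname" line per hostname, deduplicated and sorted.
normalize_hosts() {
    awk '
        { sub(/#.*/, "") }       # drop comments, including trailing ones
        NF < 2 { next }          # skip blank lines and lines with no hostname
        {
            addr = $1
            # 127.0.0.1, 0.0.0.0 and 0 all mean "sinkhole": collapse to one form.
            if (addr == "127.0.0.1" || addr == "0.0.0.0" || addr == "0") addr = "0"
            # A HOSTS line may list several hostnames; emit one entry for each.
            for (i = 2; i <= NF; i++) {
                host = tolower($i)
                # Never rewrite the loopback names a real /etc/hosts relies on.
                if (host == "localhost" || host == "localhost.localdomain") continue
                print addr, host
            }
        }
    ' "$@" | LC_ALL=C sort -u
}

# Constructed sample input (not real data): mixed sinkhole addresses, a tab,
# trailing blanks, a comment, a duplicate, a multi-host line and a loopback entry.
sample_hosts() {
    printf '# constructed sample blocklist\n'
    printf '127.0.0.1   ads.example.com   \n'
    printf '0.0.0.0\tTracker.example.net\n'
    printf '0 ads.example.com\n'
    printf '127.0.0.1 banners.example.org pixel.example.org  # two hosts\n'
    printf '127.0.0.1 localhost\n'
}

# Normalize the sample; yields four lines, "0 ads.example.com" first.
normalize_sample() {
    sample_hosts | normalize_hosts
}

if [ "$#" -gt 0 ]; then
    normalize_hosts "$@"      # usage: ./normalize_hosts.sh HOSTS [more files]
else
    normalize_sample
fi
```

    Because awk re-splits fields after the comment is removed, trailing blanks and tab/space mixtures disappear without a separate sed pass, and `sort -u` over the canonical "0 host" form removes entries that differed only by sinkhole address or letter case. As comment 39's point 9 notes, this is list hygiene only: it does nothing against malware that rewrites the HOSTS file itself once it has admin rights.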
  73. Re:You're a script kiddie, & "never will be" w by geekboy642 · · Score: 1

    Oh, now you're being boring. Nothing but banal insults? So jejune. Farewell, grandpa.

    --
    Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
  74. Re:I'm a professional Malware removal guy. Literal by _KiTA_ · · Score: 1

    Why use Adobe Reader in the first place? There are alternatives out there which are less embarrassingly insecure. You should be telling your customers to switch from Adobe Reader, if possible.

    Oh, there certainly are alternatives.

    But my average user is not "technically savvy". To the point that getting them to type in the URL of our website, then find the icon for our service, is very difficult.

    It doesn't help that the company I pinch hit for (the stupidity of which inspired the Dilbert comic) has decided to give our service any of 4 different names depending on which website, state, etc you are in, and decided to hide our icon literally off the screen.

    No, literally, you have to scroll down and to the right to find it.

    My typical call entails taking 10-20 minutes to get a customer to type in a simple URL (domain.com/servicename), explaining that the My Web Search bar is not the address bar, explaining that again, explaining that you can't put a space in our URL, explaining that I wanted them to spell out the word minus instead of typing in -, etc etc.

    Oh, and a VERY large number of these people are running IE6. Or are running machines with 128/256 megs of ram and can't run anything else. Or have tried installing IE8 (it thinks it can run on 64 megs of ram and will auto-install) on a WinXP machine with 128 megs of ram and are upset the machine is slow...

    Er, sorry, lost myself for a second. I guess what I'm saying is that these people can't even SPELL "PDF", let alone uninstall Reader and install a different program. And since my metrics -- i.e., the thing keeping me from being fired -- are based on getting customers off the phone as fast as possible...

    (Oh, and our parent phone company does NOT want us giving tech advice or suggesting alternatives to programs like Reader, cause "they're not in the toolkit"...)

  75. Re:I'm a professional Malware removal guy. Literal by LeonPierre · · Score: 1

    I'd like to know which company you work for...

    --
    "If it ain't broke, it doesn't have enough features yet"