Slashdot Mirror


Malware Delivered By Yahoo, Fox, Google Ads

WrongSizeGlass writes "CNET is reporting that Avast has tracked over 2.6 million instances of malware that have been served up to unsuspecting web surfers since last December by ad services such as Yahoo's Yield Manager, Fox Audience Network's Fimserve.com and even some from Google's DoubleClick. Some high-profile sites include The New York Times, Drudge Report.com, TechCrunch and WhitePages.com. The practice has been dubbed 'malvertising.' I usually suspect the users of 'careless web activity' when I delouse a PC, but now I'm going to have to give some the benefit of the doubt."

59 of 319 comments

  1. Yup....seen it. by Em+Emalb · · Score: 5, Interesting

    At my work, we allow unrestricted access to the net, but log everything. We had a recent spate of Vundo variants come through, and when we went through the logs, almost all of them were via the NYTimes or Wa Post. Frustrating, when large companies like this make work for you. For the most part, allowing everything, logging it and using IDPS on the front-end(s) has helped quite a bit.

    --
    Sent from your iPad.
    1. Re:Yup....seen it. by tivoKlr · · Score: 5, Insightful

      Having been an IT admin in my former life, I also operated in a similar fashion to you, allowing unfettered access to the internet for our employees (it was a fire department, and the staff were there for 48 hrs straight, so allowing them some creature comforts such as Facebook and YouTube was appreciated). Having solid, centrally managed AV on each client machine, along with limited local user rights, seemed to be effective.

      I wish more facilities would take this tack instead of letting some firewall with a blacklist subscription slowly narrow the available internet to static sites that are considered "safe." True irony that advertising from some of these safe sites is now delivering payloads. Ironically, where I work now (not in IT), plenty of popup ads from news sites make it through, so I would assume we're vulnerable through this vector.

      --
      Ocean is land, covered with water.
    2. Re:Yup....seen it. by Nos. · · Score: 2, Informative

      I work in the security group and we had a few machines on our help desk get infected with the Antivirus Live malware. After some research, we determined that it came through a legitimate site (help desk site that emulates various OS... can't think of the name), or more specifically the ads on the site.

      We do run WebSense, but this was a legitimate site that our help desk uses quite frequently. All machines were up to date with McAfee, but it was a new variation. We ran it through VirusTotal.com within hours of the infection and I believe there were only two on the list that picked it up at that time.

      So it wasn't the fault of the user and it can't be blamed on our choice of AV vendor. Obviously we need a better way of detecting malware. McAfee does have Artemis, but it failed on VirusTotal as well.

    3. Re:Yup....seen it. by Em+Emalb · · Score: 4, Insightful

      Obviously, the biggest hurdle we're having to deal with is user education. I've got a select few folks in various departments learning to work with AdBlock and NoScript, but for the average person, it's hard to figure out what they need to unblock and what they can block with no ill effects. It's frustrating to them, and by extension, our helpdesk guys who end up fielding calls from the same people (over and over) with the same questions. Of course, the other issue we have is vendor lock-in, with their stupid sites working correctly ONLY in IE. I hate that, but in my case (financial industry) it's so rampant there's nothing we can do about it except lock stuff down as best we can.

      That said...these large companies that aren't paying attention to the ads their serving are just as at fault as any un-educated (or even educated) user is.

      --
      Sent from your iPad.
    4. Re:Yup....seen it. by Em+Emalb · · Score: 4, Informative

      > aren't paying attention to the ads their serving are just as at fault as any un-educated (or even educated) user is.

      Aw man. They're. Not their. And I make that gaffe while writing about un-educated and educated. Fail, thy name is Em.

      --
      Sent from your iPad.
    5. Re:Yup....seen it. by commodore64_love · · Score: 2, Interesting

      I run a program called "TeaTimer" that automatically blocks changes to your computer or registry. I'm not sure how well it works in a work setting, but for my home PC it's caught numerous browser-based programs from doing damage.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    6. Re:Yup....seen it. by ShadowRangerRIT · · Score: 2, Insightful

      Ouch. The two news sites I browse most often. Good thing I run AdBlock and NoScript, and I wrote myself a Greasemonkey script to rewrite all the internal links to point to the print-friendly (read: ad-free) versions of the articles.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    7. Re:Yup....seen it. by Talderas · · Score: 2, Interesting

      As I write this message, I am running a scan to make sure I've finished cleaning this virus off one of my users' machines. This user has TeaTimer installed, yet still got infected. It's rather odd, seeing as the infection piggybacks on some registry values. So either the user is mindlessly hitting Allow on TeaTimer, or the virus is circumventing it.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    8. Re:Yup....seen it. by Victor_0x53h · · Score: 3, Insightful

      I believe using TeaTimer would teach the average user to constantly click "Yes" without thought. As mentioned before this kind of security has a huge education barrier. I haven't run with TeaTimer since it was first introduced with Spybot, but my experience was pretty awful being prompted anytime anything was run.

      Also if TeaTimer prevents changes to the registry prompted by some piece of crapware, said crapware has already been executed. What else has it done; how much protection does blocking changes to the registry really provide?

    9. Re:Yup....seen it. by tunapez · · Score: 2, Interesting

      What I've found to work is, again, unfettered access combined with some sagely advice on where to find safe smut (redtube, youporn, mega...), and setting up a Sandboxie icon that looks just like a regular Firefox button. Whether it be masking the icon for sandboxing or to give them a blue E to start FF/Opera/Safari, I find giving less insight into what I'm doing and just making things seem like nothing has changed is the best policy.

      Do muni FDs allow internet access outside of email and work site nowadays? I've set up privately contracted, shared wireless hubs (VZ USB w/ old laptop & wireless router) @ a couple stations in the past b/c all they got was work-related net. Brother on the right coast concurs, his FD does not supply even 1 station/signal to access their department mail accounts. I was told the Internet has too many expenses and liabilities for the org to shoulder the costs of everyday surfing. Add to that it's part of a critical system with lives depending on instant/unrestricted communication, it's paid for with taxpayer money (thus every log & email is available via a public records request) and the chit really gets deep when that Fck-A-FF MySpace page makes the 6 o'clock news.

      --
      Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
    10. Re:Yup....seen it. by E-Rock · · Score: 2, Informative

      Because of this we have enabled inPrivate filtering for IE8 via group policy (not the same as inPrivate browsing). It's an effective ad blocking tool. I hate that we have to block the revenue sources of the pages we visit, but when they're being used to deliver malware, I don't see an alternative.

    11. Re:Yup....seen it. by Anonymous Coward · · Score: 2, Interesting

      Thank you. I saw it but let it slide. I fought my last battle trying to explain that "downfall" was not a synonym for "drawback". They're words, which have meaning.

      I don't object to people not knowing words, but I have a real problem with them using words of which they do not know the definitions. Ignorance is not a sin unless your arrogance prevents learning.

    12. Re:Yup....seen it. by jafiwam · · Score: 3, Informative

      It's not the sites, it's the ad networks.

      Go get a HOSTS file that blocks ads and keep it updated and pushed out on your network.

      I see ZERO ads most days. When some new ad network annoys me, I go add it to my HOSTS file. The same thing can be done with the network DNS server without needing to modify machines.

      Believe me, most people don't bitch (very much) about not seeing ads on the internet all of a sudden. They might be curious about it, but usually that's it.

    13. Re:Yup....seen it. by Skratchez · · Score: 2, Informative

      I thought we were the mods. :ohdear: But yeah, follow Taco's law, rate down if it's irrelevant or interesting, not because you are the legendary grammar Nazi or if you disagree with a valid point.

  2. Surprise! Oh, wait... by bhamlin · · Score: 2, Insightful

    Really, who is surprised by this? What's the cost of an ad and fake credentials compared to getting a chance to infect millions of computers?

  3. Re:Say No To Flash by somersault · · Score: 4, Insightful

    Say no to unsolicited content altogether! Adblockers ftw.

    --
    which is totally what she said
  4. Re:One lesson to learn by Anonymusing · · Score: 4, Informative

    FTA: "Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser."

    --
    Liberal? Conservative? Compare perspectives at Left-Right
  5. Adblockers anyone by Galestar · · Score: 4, Insightful

    Yet another reason to use ad blockers. I'm starting to think Firefox should come with it out of the box.

    --
    AccountKiller
    1. Re:Adblockers anyone by Monkeedude1212 · · Score: 3, Insightful

      The problem is that a large amount of money on the internet is made through advertisements. If Firefox gains marketshare, and starts with adblocking, that's tons of revenue stream being cut off. Google makes a lot of money through advertising, and they seem to be the only ones pushing for progress right now. I don't know if I'd want to go and reduce their income.

      In Alberta it's illegal to have a billboard on a highway, based solely on the idea that it causes more accidents because billboards are distracting. This isn't a direct attack on the speed limit, a major factor, or alcohol, another major factor, because attempting to control those other 2 factors would cause a huge upset.

      Same with internet advertising, you can't just stop it all and make the world a better place.

  6. Re:One lesson to learn by julesh · · Score: 5, Informative

    > Never ever click an ad!

    Clicking not necessary. I was infected with malware earlier this month without any interaction after visiting the Pirate Bay. An advert used javascript to redirect me to an obscure URL ( http://uqwaaa.in/cgi-bin/gjj ), which proceeded to use a Firefox flaw of some kind to infect me. 3.6 doesn't seem to be susceptible, but 3.5.7 which I was running at the time *was*. The exploit installed a Firefox extension that randomly redirects links from google, yahoo and bing to advertising pages.

  7. Adblocker by wisnoskij · · Score: 4, Insightful

    I would like to support sites by viewing their ads but if it leaves you more open to viruses even on high-profile sites then it is not worth the risk.

    --
    Troll is not a replacement for I disagree.
    1. Re:Adblocker by jedidiah · · Score: 2, Interesting

      Yes. This goes way beyond being "merely annoyed". If it becomes a security issue then ads need to go in general.

      This is another example of how "outsourcing" leads to loss of quality and control. If you are going to spam someone then you need to be in control of the relevant content. You need to take responsibility for it. That seems to be the real problem here. You end up needing to whitelist 10 or 20 scripting hosts for the average "legitimate" website.

      --
      A Pirate and a Puritan look the same on a balance sheet.
  8. Re:Much more profitable than click-throughs... by julesh · · Score: 2, Insightful

    > 1) Flash-based Banner Ad
    > 2) JRE Exploit (CVE-2008-5353)
    > 3) Adobe Reader Exploit
    > 4) Profit?

    From what I saw when this happened to me:

    1) Javascript-based banner ad
    2) MFSA2010-01 (or something similar that was present in Firefox 3.5.7)
    3) Mozilla extension to redirect links from google, yahoo and bing to a site of your choice
    4) Site that serves large numbers of per-impression banners for dubious porn sites
    5) Profit.

  9. Re:Good thing by bunratty · · Score: 2, Informative

    In addition, you can also use the Plugin Check to make sure you have the most recent versions of plugins to decrease the risk of attack. And don't forget to turn on DEP for all programs and services on Windows.

    --
    What a fool believes, he sees, no wise man has the power to reason away.
  10. The real defense line by geegel · · Score: 4, Interesting

    The way I see it, no browser should be designed to require admin rights. All that it needs is a sandboxed environment for temporary files. When this mantra gets into the developers' heads, such exploits will no longer be possible. Of course, by that time, other types of exploits will be invented, but we'll cross that bridge when we reach it.

    --
    right...
    1. Re:The real defense line by Neil+Watson · · Score: 2, Interesting

      In UNIX one might try running the browser as another user via 'su'. That user could be isolated with no useful data or access. Probably some X permissions will have to change to allow the browser to display on an X server owned by another user.

      Could this be accomplished with Windows?

    2. Re:The real defense line by ShadowRangerRIT · · Score: 2, Insightful

      Well, the browser can lower its own privileges just fine. IE8 (and IE7 IIRC) run with lower privileges than a normal user for that reason. Even if you tell it to execute as admin, it programmatically lowers its privileges at runtime.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    3. Re:The real defense line by TheRaven64 · · Score: 2, Interesting

      The problem with this approach is that the browser itself contains useful data - things like access to your Internet banking site, for example. Ideally the browser would create a new process when you navigate to a new site and chroot() that instance so that it can't get any access to the filesystem beyond that. That way, a compromised browser would only ever gain access to caches and passwords for the site that performed the attack. The wrapper would reparent each of these processes' windows into something that would give the appearance of a single application.

      --
      I am TheRaven on Soylent News
    4. Re:The real defense line by FlashBIOS · · Score: 2, Informative

      Until that happens, check out Sandboxie. Sandboxie is a fantastic piece of software that I've been using for years on my browser (and more importantly at home, my wife's and son's). It is largely transparent, and regularly updated. And, it works with any software, not just the browser.

      http://sandboxie.com/

  11. Ars Technica by Anonymous Coward · · Score: 5, Insightful

    And Ars Technica says I shouldn't block ads.

    I repeatedly told their staff that I don't block Ars Technica, but I do block ad servers. If they want to send me ads, let them serve them from their own domain.

    Sites responsible for ad-vectored infections should be hit with hundreds of small claims court lawsuits to recoup the costs to clean up the infections.

    Maybe then they'll learn.

  12. 'careless web activity' by John+Hasler · · Score: 3, Insightful

    > I usually suspect the users of 'careless web activity' when I delouse a PC...

    They are guilty of 'careless web activity': not blocking ads.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    1. Re:'careless web activity' by FlyingBishop · · Score: 2, Informative

      Don't block ads. Use NoScript. Blacklists are easily compromised. Whitelists are much more difficult.

  13. ORLY? by SpicyBrownMustard · · Score: 2, Interesting

    Let's see here... an anti-malvertising/malware firm reporting lots and lots of malicious "bad things" being served up by those terrible pesky Internet ads... no agenda here. The report failed to follow through and dig into the real problem with malicious payloads associated with online ads, the ad network daisy-chain. If network-A has no impression for you, you're handed off to network-B, which may have no impression and then gives you to network-C... and so on. As your impression traverses the daisy chain, the likelihood of hitting a low-tier ad network that allows any wanker with a (stolen) credit card to order millions of impressions increases... where the malware begins. We scan our ad tags daily, using two methods -- a dozens-of-times-an-hour service, and our own script on a minimally-protected PC. We've never seen malware from advertising assets delivered by a top-tier ad network... when we see malware, it's ALWAYS from a provider down the daisy-chain.

    1. Re:ORLY? by John+Hasler · · Score: 2, Insightful

      Why don't you think that the top tier services should be held responsible for the results of their daisy-chaining? They got paid for handing you off.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  14. Re:One lesson to learn by oldspewey · · Score: 5, Funny

    Indeed, and for people browsing Fox News, you don't even need a computer to be infected.

    --
    If libertarians are so opposed to effective government, why don't they all move to Somalia?
  15. OK, if the ad networks won't police this by WCMI92 · · Score: 2, Interesting

    Then we should start blocking the ad networks from our networks.

    If lots of people started doing that, I wonder how quickly Google, Yahoo, et al. would start screening advertisers for malware?

    --
    Corporatism != Free Market
  16. Make the Ads Safe by The+Angry+Mick · · Score: 4, Insightful

    > I would like to support sites by viewing their ads but if it leaves you more open to viruses even on high-profile sites then it is not worth the risk.

    Very good point, especially in light of Ars Technica's recent plea to users to stop blocking ads.

    I, too, would be more than willing to disable the protective measures I've got in place, but as long as these sites rely on third-party advertisers that are more concerned with eyeball collection than system security, we have a stalemate. If sites want me to see their ads, they have the burden of making sure the ads are safe (less annoying would also be good). If I lower my guard out of "friendship" for a site, only to get a drive-by download as a reward, I'm going to take it as a major breach of trust.

    --
    I'm not tense. I'm just terribly, terribly, alert.

  17. Makes it hard to meet them halfway by MikeRT · · Score: 3, Insightful

    They complain about advertising revenues while they are serving up ads that contain malware. To someone who hates ads to begin with, that's like saying "we know you don't enjoy crawling over broken glass, so how about crawling over glass mixed with AIDS-infected blood and barbed wire?"

  18. malvertising? by Anonymous Coward · · Score: 3, Funny

    how about badvertising?

  19. Say NO to active content. by Anonymous Coward · · Score: 4, Interesting

    That's why I am so pissed at site designers who go "lalala I can't hear you" whenever I request they make their site accessible without "active content" (i.e. Javascript, Flash, Java or even worse things).

    It's nifty and all, but nowadays it's the main malware distribution mechanism. And you can't tell users "just switch off Javascript", because suddenly, half of the Web won't work (I do switch off Javascript: no, not NoScript. Just The Real Thing -- and for most, I'm even glad *this* half of the Web doesn't work -- but I can't tell a regular user to do the same). Heck, those $@#%! web designers even do regular links with javascript snippets for reasons inscrutable to me. Disgusting.

    Advertisers? Do you hear me? I'll look at pngs, jpegs and gifs, even animated. I'll read text, but I won't even see your Javascript/Flash/whatever stuff.

    There. Had to be said.

  20. Privoxy by John+Hasler · · Score: 3, Informative

    > Doesn't really help in a business environment - few adblockers allow you to
    > deploy and manage them centrally. Frankly, it would make more sense to block
    > ads at the firewall.

    Privoxy does exactly that.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  21. Re:One lesson to learn by commodore64_love · · Score: 3, Insightful

    > Yes because it is an established fact that Fox has no bias

    STRAWMAN ARGUMENT. I never said that. What I said was that CNN, MSNBC, ABC, CBS, et cetera have a pro-government and anti-individual-liberty bias.

    Point - They are ALL biased, therefore if you're going to attack FOX for bias, then you should be attacking all the TV media outlets for the same reason.

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  22. You can't tell the enemy from your friends... by rickb928 · · Score: 4, Interesting

    I have a running dialogue with a webmaster of a celebrity paps site (ok, sue me) about the various bits of malware that are being served up by her various advertisers. This began a few months ago, and it took a while before I figured out they could not be expected to know this was happening. She has tracked down the source of these adverts to an agency that offered her triple the usual rate. Now she knows, among other things, that if it's too good to be true, there is a reason why.

    But, she and I have synched clocks so she can know to the few seconds what I got. She has to report back precise details to get her advertisers to figure out what happened, cause most of her direct advertisers are contracting out ads to other agencies, and they sell other ads, and the chain gets long and obscure in no time at all.

    So far, she is helpful, but last week I sent her a screenshot of a nasty one installing that 2010 antivirus onto one of my virtual machines, and it turned out to be her oldest and most loyal sponsor, and an entirely legitimate ad that had gotten hijacked on the way to her server. Yup, her server is compromised, and some ads are being re-written on the fly from other sources. Makes sense to me, just another vector. This is not good - even honest webmasters are vulnerable, though she called in a team/favor to fix up her server, which is supposed to be monitored for this stuff. Oh well.

    Is there any defense? I'm using VPC2007 to run browsers just to be able to look at the nasty stuff being inflicted on me (not the celebs, thank you) and I can't imagine the fun of doing this from my desktop. Ewww.

    When the NYT is being used, we are past blaming the source.

    Not to mention the waiting time I see for ad servers. I want the damned content I asked for, thank you, perhaps webmasters need to find a way to ditch slow ads and let us see what we wanted to in the first place, ok? Thanks!

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  23. Why I don't run ads by KingSkippus · · Score: 5, Interesting

    Yup, I've seen it, too. I run a gaming web site that gets around 2 million page loads a month. A long time ago, I made a deliberate decision not to run ads. My rationale at the time was that I didn't mind paying the hosting cost because it's my hobby. Some people pay a lot on woodworking, some people pay a fortune on golf. My hobbyist indulgence is paying the monthly fee for a VPS to host the site.

    A while back, when I needed more power for the site and the hosting costs went up, I made a deal to move the site (which was a MediaWiki-based wiki) to Wikia. They promised me that there would only be one ad on the site, that it would never be injected in the content, that it wouldn't be obtrusive, and other such things. After the site was moved, they proceeded to go back on these promises, and several more.

    After less than a year, the other administrators and I decided to re-host the site ourselves, and ask for donations. Again, we don't run ads, and thanks to donations, I'm almost breaking even on the hosting costs.

    Recently, someone pointed me back to Wikia's site. It is a tragedy. Aside from being woefully out of date, there were six or eight ads, including javascript and Flash ads that obscure parts of the screen and injected into the articles. Worst of all, some of the "malvertising" discussed in this article.

    Here's what's kind of bad. Because Wikia uses SEO crappy games, their site still comes up on top of the search results in Google. (You should see the page titles, they're 10 or 15 words long.) I recently posted a message on the game's official forums warning people of the malevolent advertising, because I wanted to make sure people used the right URL for our wiki, and it was a good chance to reiterate how important it is to us to keep the site ad-free.

    A week or so ago, one of the guys at Ars Technica ranted in an article about how people who use ad blocking are stealing content. It's the same argument I've seen higher-profile people (Rupert Murdoch, I'm looking at you...) make. I said then, and I still maintain, that using ad blocking and Flash blocking is not just a matter of convenience, but a matter of maintaining the security of my system.

    Fortunately, I like sites like Ars Technica, because they provide an alternate means of reading their content without "stealing" it, and I have a paid subscription to the site. However, as long as a site's only business model is advertising, I don't feel one iota of guilt in protecting my system. If they block content if ad blockers are being used, more power to them, I'll find another site to read.

    But stories like this, stories I've actually felt first-hand, are why I support sites without advertising, I do what I can to opt out of advertising, and I don't force advertising on visitors to sites I run myself.

    1. Re:Why I don't run ads by Seedy2 · · Score: 3, Insightful

      I saw the word "malvertising" and thought it was redundant. I have always considered ALL advertising to be malware. Including print and TV advertising. They are all an attempt to force me to view their message, which I neither want nor asked for, and block or delay me viewing what I want to see.

      --
      Nothing to say here... move along
    2. Re:Why I don't run ads by kalirion · · Score: 3, Interesting

      Sure, just like highway billboards and road-side bombs are really similar, when you think about it.

  24. I'm a professional Malware removal guy. Literally. by _KiTA_ · · Score: 4, Informative

    I work at a pinch hitter Tier 2 Pay to Play tech support company that is outsourced to by several major ISPs.

    I see these damned things all the time. Usually they come with names like XP Antivirus 2010 or "Vista Security Center" or somesuch crap. They almost exclusively look the same, and there are new names that appear every so often -- XP Antivirus 2010 was "Internet Security 2010" not too long ago, for example. I suspect there is a kit that these companies are using to make their products.

    They are almost exclusively coming in from banner ads. Specifically they use a Flash ad that, after a few minutes, or upon webpage close, or mouseover, opens an infected PDF file on a random infected server. Google Chrome occasionally catches these domain names, usually they are IP addresses or something similar.

    Flashblock is NOT foolproof (although it does help), as occasionally they just have the ad banner on an infected server that auto-redirects you to a PDF file immediately.

    They are occasionally Java files instead, but almost exclusively they are PDF files.

    They're actually getting very creative in their infections. XP AV 2010, for example, sets itself up as the handler for EXE files -- in order to remove it, you have to install Malwarebytes and rename the mbam.exe file as 1.com or something similar. You can also dive into the registry to fix the EXE thing, except if the program is running it will just break it again immediately. Either Windows does not have support for hijacking the .COM support in Windows XP/Vista/7, or these viruses just aren't thinking to try yet. Once they do, then our options drop to "OS Reinstall", as you can literally not run anything.

    Some of these programs install themselves in such a way that if you attempt to load Safe Mode, your OS will intentionally BSOD. Or, in at least one infection, the screen filled with ASCII smiley faces and didn't continue.

    Combofix will also remove most of these, and usually with "Security Center" or "XP AV 2010" we give up and run Combofix immediately.

    The solution to prevent future infections isn't to move to Firefox or Chrome -- these infect those just as easily, although Chrome seems to just crash its Flash plugin instead. In order to fix these, you have to update Adobe Flash, Adobe PDF, and Sun Java to the latest versions. PDF is the most important, but not the only one. Better browsers won't work. Antimalware programs won't work. The only way to fix it is to patch the holes.

  25. Ad CDNs have been a nightmare by Coopjust · · Score: 3, Insightful

    Two weeks ago, someone asked me to reinstall Windows XP for them. Their disk was XP SP3.

    I reinstall, and open IE to visit Windows Update.

    Instantly, I get a Vundo variant from a malicious ad attacking the out-of-date Flash Player that came with XP that installs without any user intervention whatsoever.

    This only served to reinforce that I was right and not a webmaster/free content hating jerk when I block ads online.

  26. Re:One lesson to learn by somersault · · Score: 2, Interesting

    Does anyone know of an equivalent to having a hosts file that you can use in conjunction with a Windows or Linux DNS server, so that you can just block sites at the actual DNS server rather than having to keep updating the hosts file blacklist on all clients?

    --
    which is totally what she said
  27. Re:CUSTOM HOSTS FILES ARE THE SUPERIOR ANSWER by geekboy642 · · Score: 3, Informative

    1 is flat-out false.
    2 is technically correct.
    3 is true.
    4, while true, is pointless. A far better (and simpler, easier) job of this can be done with a local caching DNS server.
    5 is the same as 4.
    6 is stupid and wrong. Text editors that can easily handle 30MB of text are rare under Windows, and nobody should ever do that anyways.
    7 is completely stupid. There might be bugs in Windows' HOSTS implementation. If there are, they will never be corrected. An AdBlock bug, or a DNS server bug, will be corrected within hours at the longest.
    8 is vacuously true.
    9 is completely false. Any malware that doesn't have admin access can get it trivially, under any Windows platform. It is impossible to lockdown the HOSTS file to the point that an admin-level malware cannot interfere with it.
    10 is entirely wrong. See 6), and inspect any modern ad blocker. They've had 3-click-to-block for years now.
    11 is flat-out wrong. See 9).

    It takes you over an hour to process one million db entries? That's shameful. What are you doing that takes 4ms per entry? And why wouldn't "cat HOSTS | sed -e 's/[\t ]+/ /g' -e 's/[ ]+$//g' | sort -dfu" be faster and easier than processing text in assembler?

    --
    Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
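    An added example (not from either poster) that does what the two comments above circle around: somersault's question about blocking at the DNS server instead of on every client, and geekboy642's sed pipeline for normalizing a HOSTS-style blacklist. It cleans a constructed hosts-format blacklist with POSIX sed/awk/sort and emits entries for a local caching DNS server; the dnsmasq `address=/host/0.0.0.0` syntax is an assumption, since the thread names no particular resolver.

```shell
# Constructed sample blacklist in hosts-file format: mixed whitespace,
# a trailing comment, a comment line, and duplicate entries.
sample_hosts() {
  printf '127.0.0.1   localhost\n'
  printf '0.0.0.0\tads.example.invalid   # constructed entry\n'
  printf '0.0.0.0 ads.example.invalid\n'
  printf '0.0.0.0    tracker.example.invalid\n'
  printf '# comment line\n'
  printf '0.0.0.0 ads.example.invalid\n'
}

# Read hosts-format lines on stdin, print one blocked hostname per line.
# Uses [[:space:]] rather than \t and BRE "x x*" rather than "+" so the
# script runs under plain POSIX sed, not only GNU sed -E.
normalize_hosts() {
  sed -e 's/#.*$//' \
      -e 's/[[:space:]][[:space:]]*/ /g' \
      -e 's/ *$//' \
      -e '/^ *$/d' \
  | awk '$1 == "0.0.0.0" || $1 == "127.0.0.1" { print $2 }' \
  | grep -v -x 'localhost' \
  | sort -fu
}

# Turn the normalized list into resolver config so every client that
# uses this DNS server gets the same block list (assumed dnsmasq syntax).
to_dnsmasq() {
  normalize_hosts | sed -e 's|^|address=/|' -e 's|$|/0.0.0.0|'
}

# Stand-alone run: sample_hosts | to_dnsmasq > /etc/dnsmasq.d/adblock.conf
sample_hosts | to_dnsmasq
```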
  28. Re:I'm a professional Malware removal guy. Literal by mr.bri · · Score: 5, Interesting

    Yep. You don't have to click on anything to get infected. We've had a couple of our systems infected over the past couple of months. What scares me is:

    1. We were running the latest version of Firefox
    2. Acrobat Reader was fully patched (version 8, not 9. But, we have to leave the JS enabled)
    3. Adobe Flash was up-to-date
    4. Windows was fully patched
    5. We have web filters
    6. They got past 2 layers of IDS/IPS and 3 layers of antivirus scanners (different engines)
    7. Users are NOT admins!!!

    Since then, we have switched to a few new products and attempted to tighten things up even more, but these things have gotten incredibly complex. In one case, it was a triple attack. The Flash ad (0-day exploit) loaded an exploited PDF (0-day exploit) that took advantage of a 0-day IE exploit (keep in mind we use Firefox), which compromised the system. We have a nuke-from-orbit policy on any system we suspect has been infected, but what a waste of time!

    It was hosted from a site in India. The user was on Yahoo's website (we've had 4 infections through Yahoo's ads). They did NOT click on anything!

    Be very afraid!

  29. Doubleclick too... by Tteddo · · Score: 3, Informative

    I fix PCs for a living and I have been seeing this too. Some people all they do is Facebook and they are getting "XP Antivirus" or its variants, and I know there is no way they are doing anything. They all use Firefox, etc. The last 2 weeks I have been putting on Ad Block Plus and explaining to them what it does because I was having people get infected again in a matter of weeks after I clean it up the first time. I know that kinda sucks for website revenue, but what else is there to do. One guy got infected from Photobucket, and it was repeatable.

  30. ad servers really shot themselves in the foot here by Vorpix · · Score: 2, Interesting

    the biggest change this has for me is that it has moved installing adblocking software from just 'something i do for my personal computers' to 'something i do on any computer i touch, even professionally'.

    it was the ad server's responsibility to regulate what they distribute. instead, they have just become an avenue for zero-day attacks that can spread across the web in no time at all. since they did NOT act responsibly in preventing this type of attack (really, is there NO review process at all on what they serve out to millions of people?), it falls on us, the users, to protect ourselves. when companies complain about lost revenue due to adblocking software, this is your justification.

    --
    frog blast the vent core
  31. Re:I'm a professional Malware removal guy. Literal by E-Sabbath · · Score: 2, Informative

    Same experience except: my sneaky trick is to install mbam on the infected computer, then run the same version of it off a flash drive. Surprisingly, it works.

    Also, do you think using Foxit instead of Adobe might help? For that matter, setting PDFs to not auto-open?

  32. Remind me by sjames · · Score: 3, Insightful

    Why is it somehow un-ethical to block ads again?

    Perhaps it's a good idea for big sites with a reputation to maintain to borrow just a bit from the old model where they sell ad space with an approval process directly to advertisers and serve the images from their own servers.

  33. Re:One lesson to learn by bipbop · · Score: 2, Interesting

    Guaranteed invalid? No.

    ~$ telnet 0.0.0.0 22
    Trying 0.0.0.0...
    Connected to 0.0.0.0.
    Escape character is '^]'.
    SSH-1.99-OpenSSH_5.0 NetBSD_Secure_Shell-20080403-hpn13v1
    ^]cl

    telnet> cl
    Connection closed.

  34. Sue DoubleClick by Animats · · Score: 5, Interesting

    A big class action against DoubleClick, etc. would be appropriate. They "exceeded authorized access", as defined in the Computer Crime and Abuse Act. That they got the attack from someone else isn't an absolute defense. The ad network obtained "something of value" for the attack. If they sent out one attack after they'd been informed, they were doing so "knowingly".

    The ad network has the right to find and sue the source of the ad, but that's their problem, not the end user's problem. This is well-established law. In general, you can sue the party you dealt with, and they can sue the next party up the chain.

  35. Re:I'm a professional Malware removal guy. Literal by _KiTA_ · · Score: 2, Interesting

    No, just run Combofix. Then MBAM. It'll fix it. It's a rootkit, which is blocking MBAM and Webroot from seeing it.

    That's the most terrifying thing about these things -- they literally install as rootkits, without admin privileges, even on a fully up to date WinVista or Win7 box. UAC, Security Policies, etc do nothing.

    It's no wonder Google got hacked by China.

  36. Re:Time to blow you AWAY "geek wannabe" by geekboy642 · · Score: 2

    1) Tell me: Does performing a lookup into a one-million-entry list require more or less CPU than performing a lookup into an empty list? The page will be parsed no matter what you do.
    4) Dan Kaminsky's work is important. But the flaw he found is non-trivial to exploit, has never been discovered in the wild, and on a private DNS server is trivial to protect against. (Like, oh, say, using Source Port Randomization)
    6) Okay, my mistake. Let's try that, open notepad, open some 30MB file. Oh, look at that. It's locked up. Two minutes later, it's loaded the file. That's certainly easier than the three clicks required to block an entire adserver with AdBlock.
    7) What profanity? Is WebSense blocking me? Untwist your panties, grandpa. And again, Dan Kaminsky. One flaw renders the entirety of DNS unusable? I suppose you throw your car away when it runs out of gas, too.

    As for your PS, I don't care what you call it. A file containing a series of organized entries in a regular structure is a database. The fact that it's not SQL matters not in the slightest. The fact that it takes you an hour to process this "not a database" with only a million entries is shameful, and the shell script I provided you would likely perform the same task in under a minute. Why so defensive?

    --
    Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio