Two Major Ad Networks Found Serving Malware

Trailrunner7 writes "Two major online ad networks — DoubleClick and MSN — were serving malware via drive-by download exploits over the last week, experts say, after a group of attackers was able to trick the networks into displaying their ads by impersonating an online advertising provider. The scheme involved a group of attackers who registered a domain that was one letter away from that of ADShuffle.com, an online advertising technology firm. The attackers then used the fake domain — ADShufffle.com — to dupe the advertising networks into serving their malicious banner ads. The ads used various exploits to install malware on victims' PCs through drive-by downloads, according to information compiled by security vendor Armorize."

Re:Of course!

[icebike]

Doubleclick is Owned by Google, so they probably don't need to tamper.

Oh, ah, Whooosh, I guess.

Noscript wins again

[wizardforce]

One more example of why ad blocking has its security benefits. What's worse is that doubleclick and friends are used by pretty much every site out there including Slashdot. It's a shame that although a lot of people would be willing to support sites like Slashdot allowing a few ads to load occasionally; doubleclick just isn't trustworthy enough to allow that.

Re:Noscript wins again

[cappp]

And this is why I blanket block all ads on all sites. It's an incrediably blunt instrument, but its the only way to avoid this kind of thing apparantly.

What sucks is that I'd actually like to support the sites I frequently visit, and ad views clearly have a significant effect on their various bottom lines, but I just can't justify exposing myself to whatever that week's ad-based crazy shit danger happens to be. It's similar to how I feel about porn sites - the responsible part of my wants to subscribe and send them a little cash for the assistance rendered by their presentation of jiggly bits being jiggly...but that same responsible part is also well aware that any kind of commercial interaction with said pornographers has a suspicious way of going horribly wrong.

So now I find myself chosing between doing that right thing - supporting the services I use - and the secure thing. And as it happens, the secure thing wins out.

Re:Noscript wins again

[oobayly]

Well I thought I was running a properly configured box. Everything up to date, not using IE etc. Clicked on a link and got a Google warning about the sit. Fine I thought, I'll use the get me out of here button and suddenly I'm being bombarded by AV warnings. Noticed a Java console icon in the Systray, so that was how it arrived. What was unbelievable was that within seconds every HTML doc was infected with fucking vbscript.
I gave up on windows for home use there and then and now use Linux full time (instead of occasionally), and just windows for .net stuff.
As an aside, time to install Ubuntu, about 40 minutes. Time to install XP (from slipstreamed SP3 CD), half a fucking day including a call to India to ask for an OEM number that fucking worked. None of the driver bullshit either.

Re:Noscript wins again

[Ecuador]

You are not bad on the insulting department. Not great on the how things work department though, but with that attitude you can't possibly be helped.

Just so we are clear, originally I did not think you were dumb. My tone was aiming to make it clear to you and to other people that debit cards are a bad idea regardless how well you think you have thought things through. In my second favorite forum (FW Finance) I have read so many stories about how people have gotten screwed, it is not even funny. For example, do you know that debit card transactions are processed by the end of the day in an order the Bank decides? What do you think will happen with a fraudulent charge the same day as a legit purchase? Also, did you know that normally a merchant asks for authorization before putting a charge through (and gets declined in your case if you don't have funds), but at least the VISA network also allows charges WITHOUT authorization (and think whether a fraudster will ask for authorization)? That was probably how I got a negative charge on an account that had no overdrawing and if you think a negative balance on your bank account does not mean that is your money missing, you are sadly mistaken.
  Anyway, I at least hope you don't use a really bad (customer-friendly-wise) bank (like, say, BofA).
And to re-iterate, no, I did not think you were dumb, but you did come out as a douche with your second post.

Praise for adblock

[Matt+Perry]

This is why I block all ads and all your moral arguments and begging be damned. Ad blocking is sensible risk management.

Re:Praise for adblock

[Deathlizard]

Let em whine. I'm sorry, These ad firms put themselves into this mess.

The day ad firms decided to allow advertisers to use Flash and JavaScript in their advertisements is the day I started blocking them. Seriously, What was wrong with simple images and text? Was the monkey way too easy to punch or something?

Re:is there anyone left NOT running adblock?

[scdeimos]

Really, what kind of idiot to you have to be to run a machine configured like that these days?

How about 90% of the people on the internet, those who are in the "mom and pop" or "poor student" class of user and don't actually know anything about computers except for turning them on and off, and double-clicking the Outlook Express and Internet Explorer icons.

There really should be a license requirement for using computers on the internet - you don't let unlicensed drivers on the road, do you?

Re:When the fuck will ad networks learn?

[jack2000]

Some one should put an option in firefox( a native option mind you not a whole extension) that basically says break third party javascript. We'll see who wins the damn war then.

And if sites start puting bullshit javascript on the main domains then fuck em.

Computers are a dying breed

This is exactly why iPad type "computers" are the coming thing. Locked down in a walled garden and simple to use. Few people *really* need a 'real' computer when a small "device" will do everything they need.

I always wondered that acquisition

At the time Google bought DoubleClick, Google owned the advertisement network with the best reputation (Goolge AdWords/AdSense. Relevant, not-very-annoying text ads) and DoubleClick had perhaps the worst reputation (horrible flash banners, etc.) of them all. I couldn't understand why Google would buy that. Then again, these days Google is pretty horrible towards Ad publishers (closing or freezing accounts without offering any explanation, etc... If you aren't a big name, expect to get buttfucked by Google) while DoubleClick is decent-ish (they should really send their lawyers after dishonest advertisers more... But arguably that's the publisher's responsibility). So doubleclick screws the users but is good for the publishers, Google screws the publishers but is good for the users, both are pretty fine for advertisers. I guess it works out.

(Disclaimer: I work for an agency that does - among other internet related things - SEO, internet advertising and the like. I'm obviously not in any way assosciated with either of the companies unless you count the fact that we hold a number of Google certificates...)

This is why we need to go back to....

[toygeek]

88x31 and 468x60 animated GIF's.

I'm going to implement ad blocking at the router level at my house....

Re:When the fuck will ad networks learn?

[jimicus]

Your idea, while clever, isn't going to solve the problem. Javascript will just wind up being pulled in at the server side rather than through <script src="http://dooberidooberidoo....">

The problem is a combination of idiot ideas concerning computer security. Read something like "The Six Dumbest Ideas in Computer History" some time - it's eye-opening and it explains a lot. In the case of web browsing and Javascript, you've essentially integrated four of those ideas into basic computer use.

For those who haven't time to read the article, I'll summarise the idiot ideas that have made it into web browsing:

1. Default Permit. Why on Earth is it the default for most web browsers to run every single little thing they download? It's completely insane - seriously, I can't think of a better way to transmit malware than to sit somebody at a computer and give them a nice easy way to download and automatically run every silly thing they can find, even if the only thing they will run is supposedly sandboxed.

2. Enumerating Badness. We tell ourselves that it's OK to do this, as long as the end user (if they must run Windows at all) does so with half-decent AV installed. But AV works by keeping a list of "things that are bad" and blocking them all - you know how long that list is these days? You only need one thing to slip the net and your system's 0wned anyway. It's the computer equivalent of having sex with every disease-ridden cheap whore you can find working the streets and hoping to Christ the condom never breaks. The bad thing only needs to be lucky once, you need to be lucky every time.

3. Penetrate and Patch. Today the issue is at the server end. Four days ago, the issue was in Firefox (latest release was on the 9th December, it fixes a number of security holes). Next week it might be in Adobe Reader or Chrome. Exactly when did it start making good sense to play whack-a-mole with security holes? You don't see them building high-security prisons out of temporary Portakabins and then tacking extra things on in a blind panic every time inmates escape, so why are so many pieces of software that are likely to be exposed to malware designed in exactly this way?

4. Educating users. Telling people not to click blindly on every ad doesn't work, as anyone who's ever done serious amounts of user support can attest. You always have some people who will click on everything that appears on their PC, if education was going to fix that it would have stopped being a problem years ago. There's a damn good reason why larger companies frequently lock their PCs down so thoroughly they may as well be dumb terminals, and it's not because the IT department is run by a bunch of power-thirsty mini-hitlers. It's because it's the only way to stop the helpdesk being overrun with people ringing in to say "I clicked on this attachment and now I've got everyone complaining that I emailed them a virus. I didn't!".

Re:is there anyone left NOT running adblock?

[RobertLTux]

and what i say to those people is
sure i will stop blocking ads when

1 every provider can certify under penalty of law that the ads being served are relevant safe to view and are less than 10% of the page content

2 everybody stops cramming 60% of a given page with various ads cross site links and widgets so that an article thats 4 paragraphs does not need to be on 8 pages because the content pane is smaller than a postit

3 everybody also stops doing videos for everything and actually writes articles (a video of a talking head should be replaced with what the talking head said)

Re:I've seen stuff coming from MSN for quite somet

[mlts]

One of my honeypot VMs I use for Web browsing got hit by that when I was visiting a top named site.

In my experience, now that a lot of users are not just running executables willy-nilly, compromised ad networks serving up malicious pages to try to compromise browsers or add-ons is the #1 threat in my book.

To drive the point home, I use AdBlock on the main machine I use for Web browsing. I have yet to see a single script related to PC Antivirus. In reality, AdBlock provides more protection than most AV utilities, because once the Web browser is compromised, most AV utilities are completely useless in detecting and stopping that.