Two Major Ad Networks Found Serving Malware

Trailrunner7 writes "Two major online ad networks — DoubleClick and MSN — were serving malware via drive-by download exploits over the last week, experts say, after a group of attackers was able to trick the networks into displaying their ads by impersonating an online advertising provider. The scheme involved a group of attackers who registered a domain that was one letter away from that of ADShuffle.com, an online advertising technology firm. The attackers then used the fake domain — ADShufffle.com — to dupe the advertising networks into serving their malicious banner ads. The ads used various exploits to install malware on victims' PCs through drive-by downloads, according to information compiled by security vendor Armorize."

Of course!

[MadUndergrad]

What do you expect from a company called "Doubelclick"? I bet Googel tampers with their search results too.

Noscript wins again

[wizardforce]

One more example of why ad blocking has its security benefits. What's worse is that doubleclick and friends are used by pretty much every site out there including Slashdot. It's a shame that although a lot of people would be willing to support sites like Slashdot allowing a few ads to load occasionally; doubleclick just isn't trustworthy enough to allow that.

Re:Noscript wins again

[cappp]

And this is why I blanket block all ads on all sites. It's an incrediably blunt instrument, but its the only way to avoid this kind of thing apparantly.

What sucks is that I'd actually like to support the sites I frequently visit, and ad views clearly have a significant effect on their various bottom lines, but I just can't justify exposing myself to whatever that week's ad-based crazy shit danger happens to be. It's similar to how I feel about porn sites - the responsible part of my wants to subscribe and send them a little cash for the assistance rendered by their presentation of jiggly bits being jiggly...but that same responsible part is also well aware that any kind of commercial interaction with said pornographers has a suspicious way of going horribly wrong.

So now I find myself chosing between doing that right thing - supporting the services I use - and the secure thing. And as it happens, the secure thing wins out.

Re:Noscript wins again

[Jah-Wren+Ryel]

What sucks is that I'd actually like to support the sites I frequently visit, and ad views clearly have a significant effect on their various bottom lines,

Ad views have become the defacto micropayment system. If we had an alternative, sites wouldn't have to be dependent on privacy-invasive and security-breaking ad systems. I'm sure that many would anyway, but they would at least have other options.

but that same responsible part is also well aware that any kind of commercial interaction with said pornographers has a suspicious way of going horribly wrong.

Micropayments could solve that problem too - anonymous microcash would be almost completely immune to the kind of abuses that you are avoiding.

Re:Noscript wins again

[CosmeticLobotamy]

A "push" credit card transaction would also solve those problems. Why is it that I can only pay for something by giving my entire credit balance to someone and trusting them to give me back everything but what their invoice says? Why can't I say, "Hey, MasterCard, give this guy $50." He gets an email, his automatic email-getting-password-sender-outer tells me how to get to his jiggly bits. ... I mean, the jiggly bits he has video of, not the ones between his pockets.

Re:Noscript wins again

[hairyfeet]

As a PC repair guy with waaaay too many click happy customers I'd say your best bets in the free AV category are MS Essentials and Comodo AV. In my experience thanks to its auto sandboxing of all apps unless told otherwise Comodo is a little better protection, but of course as with most of the "smart" AVs it has a bit of a learning curve, and will ask you questions for about a week until you've launched all your daily apps. Nice thing is it has built in limited whitelists with core Windows system behaviors so it don't bug you when Windows is doing what it is supposed to be doing, like scheduled tasks. MS Essentials doesn't ask you squat and is pretty unobtrusive but I wouldn't recommend it for those that are click happy or go to dodgy sites because of its lack of sandboxing and registry virtualization so if anything does manage to get past it your borked. But it does have a good detection rate and is a hell of a lot less bloated and buggy than AVG.

As for TFA this is why I install Firefox with ABP on every customer's PC and show them how easy it is to use. by having them block ads I've found their rates of return because of infection dropped by a good 80%. While I understand that sites like /. need to make money, having their PCs turned into a zombie or having their CC stolen by a keylogger simply makes ads too risky at this point in time. It is as I said that JavaScript is becoming just as big a vector of infection as ActiveX ever was. I'm sure that we'll look back in 5 to 10 years and go "WTF were we thinking?" with JavaScript just as we do with ActiveX now. Trusting third party code served up from some ad bunch with no control over content or risk is just a bad way for a site to do business. If they are gonna serve ads than maybe we should go back to simple text and picture ads which don't require code to run.

Re:Noscript wins again

[oobayly]

Well I thought I was running a properly configured box. Everything up to date, not using IE etc. Clicked on a link and got a Google warning about the sit. Fine I thought, I'll use the get me out of here button and suddenly I'm being bombarded by AV warnings. Noticed a Java console icon in the Systray, so that was how it arrived. What was unbelievable was that within seconds every HTML doc was infected with fucking vbscript.
I gave up on windows for home use there and then and now use Linux full time (instead of occasionally), and just windows for .net stuff.
As an aside, time to install Ubuntu, about 40 minutes. Time to install XP (from slipstreamed SP3 CD), half a fucking day including a call to India to ask for an OEM number that fucking worked. None of the driver bullshit either.

Re:Noscript wins again

[Ecuador]

You think that is smart eh? Oh, boy, are you in for a suprise!
Using debit cards to be "safer" is the worst idea possible. All credit cards have fraud protection. If someone uses it fraudulently, as long as you catch it within a couple of months, you are not responsible for paying it. When you give your credit card number to someone you are giving access to your credit line, provided by your bank, not your money directly, and when they charge your card they won't draw money from you, they will post a charge for which they will get paid later by the bank and you will be asked to pay for it.
Now, if you give your debit card, you are giving your bank account. A transaction draws money from your account immediately, good luck trying to reverse that later, I mean it is YOUR money gone, not the bank's money. Then, the fact that you don't have overdraft protection does not mean much. First of all you will have the bounce fee. Secondly, there have been many instances where banks go ahead and honor the overdrawing (it has happened to me once, they charged both the fee AND overdrew the account, it was either Wacovia or Chase...) and when you ask them about it they say "because you are a good customer our system allowed it".
There are of course many other reasons for using a credit card. For example you get extended warranty (AMEX doubles 1-year warranties), cashback etc.
If you want to be secure there are virtual account numbers that many CC provide. Some of them can be set with a pre-set limit. But be careful, similar to a bank account there are times where the bank will still honor going over the limit. The difference is, you will NOT have paid it with your money. You will receive a bill showing the fraud and you will file for it to be cleared. It has happened to me a couple of times and I shudder at the thought of that being my debit card...

Re:Noscript wins again

[Ecuador]

You are not bad on the insulting department. Not great on the how things work department though, but with that attitude you can't possibly be helped.

Just so we are clear, originally I did not think you were dumb. My tone was aiming to make it clear to you and to other people that debit cards are a bad idea regardless how well you think you have thought things through. In my second favorite forum (FW Finance) I have read so many stories about how people have gotten screwed, it is not even funny. For example, do you know that debit card transactions are processed by the end of the day in an order the Bank decides? What do you think will happen with a fraudulent charge the same day as a legit purchase? Also, did you know that normally a merchant asks for authorization before putting a charge through (and gets declined in your case if you don't have funds), but at least the VISA network also allows charges WITHOUT authorization (and think whether a fraudster will ask for authorization)? That was probably how I got a negative charge on an account that had no overdrawing and if you think a negative balance on your bank account does not mean that is your money missing, you are sadly mistaken.
  Anyway, I at least hope you don't use a really bad (customer-friendly-wise) bank (like, say, BofA).
And to re-iterate, no, I did not think you were dumb, but you did come out as a douche with your second post.

Trust model

[Inf0phreak]

The trust model of online advertising is in my opinion fundamentally broken. A big part of the security model of the web is domain-based - e.g. the same origin policy - but this goes down the drain with third party ads hosted on yet another third party's server.

With online advertising it was for the first time possible to measure the effect of ad campaigns better than "how many saw it and did we sell more after it?" What did this bring us? "PUNCH THE MONKEY!", "LOOK AT THE BLINKING LIGHTS!", "BEEP BLOOP BEEEEEP!!!" and perhaps most insidiously it broke the domain-based model of trust on the web since everything had to be put on the advertising hosters' servers to deter click fraud and whatnot.

AdBlock doesn't just save you bandwidth and reduces the annoyance of browsing the web, it is also one of the best tools for avoiding drive-by malware from ads.

Re:Praise for adblock

[Deathlizard]

Let em whine. I'm sorry, These ad firms put themselves into this mess.

The day ad firms decided to allow advertisers to use Flash and JavaScript in their advertisements is the day I started blocking them. Seriously, What was wrong with simple images and text? Was the monkey way too easy to punch or something?

Re:is there anyone left NOT running adblock?

[countertrolling]

There really should be a license requirement for using computers on the internet

No way! Next you'll be demanding sobriety checks. So let's just nip that dumb idea in the bud, shall we?

This drive by thingy everyone is talking about

[Ismellpoop]

well its bullshit every time an add tried to install something the package manager won't open them. Shit I've tried every distro out there and I still can't open them up. What am I doing wrong can someone please help me. I really want to see all these cool things the rest of the world is experiencing.

Computers are a dying breed

This is exactly why iPad type "computers" are the coming thing. Locked down in a walled garden and simple to use. Few people *really* need a 'real' computer when a small "device" will do everything they need.

This is why we need to go back to....

[toygeek]

88x31 and 468x60 animated GIF's.

I'm going to implement ad blocking at the router level at my house....

Re:When the fuck will ad networks learn?

[jimicus]

Your idea, while clever, isn't going to solve the problem. Javascript will just wind up being pulled in at the server side rather than through <script src="http://dooberidooberidoo....">

The problem is a combination of idiot ideas concerning computer security. Read something like "The Six Dumbest Ideas in Computer History" some time - it's eye-opening and it explains a lot. In the case of web browsing and Javascript, you've essentially integrated four of those ideas into basic computer use.

For those who haven't time to read the article, I'll summarise the idiot ideas that have made it into web browsing:

1. Default Permit. Why on Earth is it the default for most web browsers to run every single little thing they download? It's completely insane - seriously, I can't think of a better way to transmit malware than to sit somebody at a computer and give them a nice easy way to download and automatically run every silly thing they can find, even if the only thing they will run is supposedly sandboxed.

2. Enumerating Badness. We tell ourselves that it's OK to do this, as long as the end user (if they must run Windows at all) does so with half-decent AV installed. But AV works by keeping a list of "things that are bad" and blocking them all - you know how long that list is these days? You only need one thing to slip the net and your system's 0wned anyway. It's the computer equivalent of having sex with every disease-ridden cheap whore you can find working the streets and hoping to Christ the condom never breaks. The bad thing only needs to be lucky once, you need to be lucky every time.

3. Penetrate and Patch. Today the issue is at the server end. Four days ago, the issue was in Firefox (latest release was on the 9th December, it fixes a number of security holes). Next week it might be in Adobe Reader or Chrome. Exactly when did it start making good sense to play whack-a-mole with security holes? You don't see them building high-security prisons out of temporary Portakabins and then tacking extra things on in a blind panic every time inmates escape, so why are so many pieces of software that are likely to be exposed to malware designed in exactly this way?

4. Educating users. Telling people not to click blindly on every ad doesn't work, as anyone who's ever done serious amounts of user support can attest. You always have some people who will click on everything that appears on their PC, if education was going to fix that it would have stopped being a problem years ago. There's a damn good reason why larger companies frequently lock their PCs down so thoroughly they may as well be dumb terminals, and it's not because the IT department is run by a bunch of power-thirsty mini-hitlers. It's because it's the only way to stop the helpdesk being overrun with people ringing in to say "I clicked on this attachment and now I've got everyone complaining that I emailed them a virus. I didn't!".

Re:I've seen stuff coming from MSN for quite somet

[mlts]

One of my honeypot VMs I use for Web browsing got hit by that when I was visiting a top named site.

In my experience, now that a lot of users are not just running executables willy-nilly, compromised ad networks serving up malicious pages to try to compromise browsers or add-ons is the #1 threat in my book.

To drive the point home, I use AdBlock on the main machine I use for Web browsing. I have yet to see a single script related to PC Antivirus. In reality, AdBlock provides more protection than most AV utilities, because once the Web browser is compromised, most AV utilities are completely useless in detecting and stopping that.