Ad Networks Lay Path To Million-Strong Browser Botnet

jfruh writes "Every day, millions of computers run unvetted, sketchy code in the form of the JavaScript that ad networks send to publishers. Usually, that code just puts an advertiser's banner ad on a web page. But since ad networks and publishers almost never check the code for malicious properties, it can become an attack vector as well. A recent presentation at the Black Hat conference showed how ad networks could be used as unwitting middlemen to create huge, cheap botnets."

No Script

For Firefox fans there is an add on called "no script" that prevents Javascript from running automatically. There should be an equivalent for Chrome folks too.

Re:No Script

For Firefox fans there is an add on called "no script" that prevents Javascript from running automatically. There should be an equivalent for Chrome folks too.

It's called NoScript.

And there's no "NoScript equivalent" for Chrome folks, sadly.

Re:No Script

[akeeneye]

The equivalent on Chrome is "NotScripts".

Re:No Script

[Bigbuzzman]

The equivalent on Chrome is "ScriptSafe".

Re:Disable JavaScript?

[Skapare]

I just block the ad networks.

Yep, that.

[intellitech]

Ghostery and Adblock FTW.

Re:Yep, that.

[Somebody+Is+Using+My]

Or Abine DoNotTrackMe, which I marginally prefer over Ghostery because the latter is run by the ad networks (of course, I'd prefer an OpenSource alternative...)

NoScript, Perspectives, Flashblock, BetterPrivacy and HTTPS Everywhere round out the package.

And occassionally PrefBar so I can change my browser UserAgent on the fly, just to mess with 'em...

Re:Yep, that.

[Flere+Imsaho]

Don't forget noscript. Very nice to have when you stumble across a compromised site directly serving malware.

Re:Yep, that.

[OdinOdin_]

What can Ghostery do that RequestPolicy can not ?

https://www.requestpolicy.com/

It Ghostery just targetted as abusers of 1x1 img pixel and tracking cookies ? As RequestPolicy seems to be a generic solution from any information not coming from the target website you are visiting.

Huh?

[real-modo]

You mean there are other attack vectors, too?

Seems to be the main source of malware...

From what I've seen, it seems like ad networks are either the main form of malware vector, or at least close to it. It isn't true proof, but I have had no issues with infections when using AdBlock and an add-on blocker (even if it is Chrome's "click to play" item), but if I fire up a VM and go browsing without those utilities... all hell breaks loose. Antivirus utility? Yeah, right. Those are OK for maybe scanning an infected machine's HDD that is mounted on another box. However, rootkits, especially RAM based ones will still be a gotcha.

I see nothing good about ad servers. They are a vector for malware at worst, at best, are a constant source of behavioral tracking and monitoring. At best, they throw a few bucks a month at sites that use them.

I like the idea of a subscription clearinghouse and micropayments, but there are issues of privacy and anonymity to be worked out.

Somewhat scary

[mendax]

Well, it's scary enough to make me want to turn off Javascript (unless I'm running Firefox—and I'm not—and can't turn it off). But Javascript provides to web pages features and abilities that I'd rather like to keep. For example, I love AJAX and how it allows a sufficiently sophisticated browser to do something like what Google did with Gmail. When I first saw Gmail my jaw dropped. "WOW!" I knew then that the thick client's life was limited. But as things get more and more nasty I'm wondering if perhaps the thick clients are not a safer approach for some applications.

Re:Somewhat scary

[Splab]

Thats the reason why I use adblock, I only block the adnetworks, not the local site served stuff.

If site operators want me to view ads, then they bloody well can vet them and host them themselves.

Re:Somewhat scary

[Opportunist]

The problem is less that I need all the bells and whistles. The problem is more that a sizable portion of webpages simply doesn't work without its bells and whistles.

Re:Somewhat scary

[BenoitRen]

It's even worse than that. Basic navigation even breaks without JavaScript enabled.

Yesterday I tried visiting the websites of two electronic chain stores (owned by the same parent company) with JavaScript turned off. I couldn't get past their language selection page as the cookie that saves your selection is set by a JavaScript onclick handler!

Re:Disable JavaScript?

I just block the ad networks.

If you're a content provider and are concerned about ad blocking hitting your bottom line then you need to be in your ad provider's face about this shit or I don't wanna hear any bitching.

This is why...

[klingers48]

...I blanket-block all ads. As much as I don't like ads, I'd tolerate them if they had the trust they need to _earn_ to run Javascript/Java/Flash content on my machine.

A whitelist of safe ad servers?

[ScottCooperDotNet]

You trust Oracle Java and Adobe Flash enough to run them on your machine?

Re:A whitelist of safe ad servers?

[sqrt(2)]

I have Java on my machine but it's not exposed to the web. Javascript is enabled on a site by site basis with the default setting being to deny all scripts. Usually sites will at least render well enough to read an article even if the layout is garbled. I can still get the content so that's good enough. None of their ad/tracking scripts get to run, ever. Sites like Slashdot get to run Javascript but right now I look and there are four domains on this page which have their scripts blocked: google-analytics.com, googleadservices.com, rpxnow.com, and doubleclick.com. Three of those are outright blacklisted across the entire internet in my browser.

I'm worried that one day they'll start running ad/tracking scripts from the same domain, then it'll become much harder to allow only some scripts on a page and deny malicious ones (I consider the activity of advertising to be malicious by its nature).

Flash gets to run, but I have a click to play plugin so flash objects don't run by default except on a few sites like Youtube.

Like hell they do

[WD]

If you care about security, you're running NoScript. And they do not run.

Re:Like hell they do

[tgd]

If you care about security, you're running NoScript. And they do not run.

Why bother using the web, then? Most sites won't work with scripting disabled to any usable extent.

If you want to be safe from evil ad networks, just don't use the web. Problem solved.

But saying "just don't do it" in reference to things that the overwhelmingly vast majority of people need or want to do is not solving the problem, and is distracting to the need to actually solve the problem.

Re:Like hell they do

[tlhIngan]

Why bother using the web, then? Most sites won't work with scripting disabled to any usable extent.

If you want to be safe from evil ad networks, just don't use the web. Problem solved.

But saying "just don't do it" in reference to things that the overwhelmingly vast majority of people need or want to do is not solving the problem, and is distracting to the need to actually solve the problem.

Most javascript that aren't site related are third-party. So you can allow the site level javascript to run without allowing the evil infected (and most likely from Google*) javascript through.

If it wasn't for the craziness of some websites (eBay, Amazon, Google (and its properties - YouTube, etc), most news sites), you could get a pretty decent experience with enabling first-party only JavaScript. But most sites also seem to need stuff like jquery and the like.

It's why Flash or plugins is a bad idea over HTML5 - you cannot get the same amount of control through the plugin. Like how I can prevent my browser from loading up Google-owned DoubleClick javascript but only through an HTML web page. If the webpage has an embedded Flash object then that flash object can pull in javascript from anywhere, including blocked sites.

* - Remember, Google owns the vast majority of online ad networks out there, and from a branding perspective, you won't see something like "DoubleClick - a Google-owned company", So it would eventually be Google the one serving up the ads via one of their companies.

Re:Like hell they do

[Flere+Imsaho]

You teach NoScript which sites you allow scripts to run on, or use the "allow this time" option. It takes a few weeks for it to learn your trusted sites, but once you get in the habit of clicking "allow this time" for one-off visits, it becomes second nature. As is frequently the case, there's a trade-off between usability and security.

NoScript is invaluable when you access a site that's been compromised and is directly serving malware via scripts.

For sites you have allowed in NoScript, filter out marketing-scum-ware with Ghostery and AdBlock. Security is like an Ogre, it has layers. Defense in depth!

Uninformed

Nice to know BlackHat has finally caught up with 2007 when malvertising was publicly identified as an issue (see https://isc.sans.edu/diary/Malvertising/3727). Strange that people actually working in the anti-malvertising world have never heard of these researcher's work.

I guess we can ignore RiskIQ and Twitters purchase of Dasient. The tens of millions a year spent on prevent malvertising is clearly "nothing". The methods being used might not be as effective as some want, it isn't due to a lack of funding. After 42 years we still can't reliably stop malware.

Re:Uninformed

[Opportunist]

BlackHat ain't what it used to be...

Re:Uninformed

[NJRoadfan]

What surprises me is that it was publicly identified in 2007. It was a problem for years before that.

Re:Disable JavaScript?

[CheshireDragon]

adblock plus? done :/

And they're wondering...

[Opportunist]

...why we use adblock and noscript, whining that we deprave them of income.

It's not that your ads are obnoxious, albeit even that alone would suffice as a reason. They're dangerous to us.

Re:And they're wondering...

[Neil+Boekend]

They pay for the use you have of the sites. Do you really think Google's servers run on unicorn farts?
Do you pay Google for the electricity for their servers? And their bandwith?

Separate from that crappy scrips are not required to display an ad. Noscript is necessary and sufficient to prevent what the article is talking about.
Adblock isn't required and could be considered theft. If you don't want the site owner to be paid for the service he provides you then you can always choose not to use that site. Using the site but preventing them from getting paid is dodgy at best IMHO.

Re:And they're wondering...

[HybridST]

For now adblock and noscript work well enough. What about after the other side develops NoBlock and AdScript?

Re:And they're wondering...

[JazzLad]

Do you ever go to the bathroom during the commercials of a TV show? Because, you know, that's dodgy at best & could be considered theft.

Re:And they're wondering...

[John+Bokma]

The people who have a bathroom break during each and every TV commercial are non-existent. The people who read each and every ad on each and every web page are non-existent.

Re:And they're wondering...

[JazzLad]

So where is the line in the sand? It's ok to mute commercials and go get a bite to eat, but using a DVR to skip is stealing? Skipping w/ DVR is no different than adblock.

Re:And they're wondering...

[John+Bokma]

Yes, I think it's OK to go to the bathroom during commercials, or prepare some food for the same reason I think it's OK to turn a page and not read an ad or not scroll all the way down to read all ads on a web page.

Where to draw the line? No matter were it's drawn there will be always people who consider it their right to block each and every ad. Like there are people who think it's OK to have a dog barking the whole day in their backyard while they are at work, etc.

Re:And they're wondering...

[Neil+Boekend]

You choose to give your work away for free. Good choice.
But it is your choice, since it's your work. Not everyone feels like that. Some choose to ask money directly for their work, some choose to display advertising to pay for their work. That's also the choice of the creator.
If you don't want to pay for the work with advertising then you can simply not use it. There are plenty of websites that I don't use because I dislike the amount of adds they display. Their loss, because that does limit the income from adds.
But blocking the adds and using the work anyway is dodgy at best IMHO. We don't have to agree on that, you can feel different. I won't hate you for it.

The author is lying

[SpicyBrownMustard]

I've worked with several ad networks, on a number of issues, and can say with absolute confidence that the author has no concept of how the technology actually works, which results in an outright lie in his thread-starter.

The JavaScript code originates with the ad delivery platform (DoubleClick, OpenX, 24/7, etc.), sometimes outsourced to the ad networks -- DoubleClick is a white label delivery platform for many ad networks. The JavaScript is tightly controlled and constantly subject to real-time auditing by several providers such as The Media Trust. The advertisers simply provide the assets -- the banner creative -- that is delivered by the ad network, optimization systems, and ad delivery platforms.

Currently, yes, it all sucks and is why we have had blockers, but is also the only option to monetize free content -- for now.

Re:The author is lying

[mrbester]

Audited by whom? Not developers with any care or consideration to best practises and standards. Or are you seriously suggesting that document.write and blocking code is just fine?

Re:The author is lying

[gishzida]

From your comment I'd say you have no clue how the ad networks are being used as a malware delivery system and since any number of the readers here have already attested "mouse over" attacks do exist....What I am hearing you say the ad networks have done absolutely nothing to prevent their networks being used as an attack vector... say something like vetting the URLs provided for the "banners"... I can tell you that at least 6 years ago I had a "mouse over" attack from a banner served on TheRegister.co.uk... talk about biting the hand that feeds IT!

On the other hand since installing ad block plus and NoScript on the systems on my network I have not had one single pop-up malware attack or other browser related malware / trapdoor / ransomware infection... Script blocking add-ons seem to be the only protection against the ad networks failure to keep virus free advertizing.

Re:The author is lying

[Dynamoo]

The assertion that ad networks do not check code is certainly untrue overall. But some networks check code more closely than others, and the bad guys use all sorts of techniques to evade detection (geotargetting, for example, or changing the behaviour of the ad when it is being examined on the ad network's own IP range). The lengths some bad actors go to are impressive, and be in no doubt that there is a state of war between most ad networks and the bad guys.

However, it is true that certain ad networks do very minimal checking or even seem to be in league with malware pushers. But publishers soon drop ad networks like this and they end up being relegated to the scummy tier of publishers only.

Oh.. it's hardly new anyway. Here's a report from 2004.

Re:The author is lying

[zwei2stein]

The only option?

Hardly.

You can accept donations. You can have freemiums. You can offer merchandise.

Re:The author is lying

[RabidReindeer]

BULLSHIT.

1. There is no such thing as "free content" with ads. When it has ads, IT IS NOT FREE ANYMORE. It costs the most valuable thing I have: The freedom to think my own thoughts! You should read up on "mirror neurons" (the ability to put yourself in the shoes of others) and how the primitive parts of the brain can't tell the difference between imagination (like ads) and reality. But working in advertisement, you must already know that, and use the other thing everybody in advertisement is an expert in: Lying.

2. If your website got something of *actual value* (=not abundantly available for free everywhere else), then you can *always* do the same thing every other *service-based business (model)* is doing: You ask a fair price for it in *advance*. If the only way to "monetize" your site is via advertising, then you have to face the fact that YOUR HAVE NOTHING OF ANY WORTH TO OFFER WHATSOEVER! In that case, please just go bankrupt, and quit ripping us off with your meaningless worthless shit. And most of all: Quit bitching about it!

Get over yourself. This is the 21st Century. Lower Prices Every Day. Information wants to be Free.

Unless you have a very vertical product where you have limited competition, people are not going to pay to visit your site. You local ISPs and utility companies haven't got the memo yet, so they still expect to get paid, and they do have limited competition. Ergo, ads.

They Finally Notice.

[John+Sokol]

We were using java, flash and javascript to do this sort of stuff as early back as 1996.
Massive DDOS attacks were generated this way.
Even played around with Distributed computing all from banners place on various web sites.
We were able to run stuff in browsers that was next to impossible to remove.
And with browsers restoring all the windows most common users would never figure out how to kill these things.

Re:Disable JavaScript?

[FatLittleMonkey]

If you're a content provider and are concerned about ad blocking hitting your bottom line then you need to stop using ad networks and host your own ads or I don't wanna hear any bitching.

FTFY

It stuns me that media operators who have run their own in-house advertising divisions for their dead-tree versions for decades, suddenly act like one-man amateur blogs for their online versions, needing third-party-hosted ad networks.

Re:Disable JavaScript?

[AlphaWolf_HK]

I think the reason for that is that they aren't just ads anymore - they're collecting intelligence on the visitors. It doesn't work as well when you host the ads on your own, you need a third party to be able to track what pages your visitors are navigating to when they navigate away from your own site (assuming of course the site they navigate to is within the ad provider's network) as the web browser isn't going to allow multiple domains to share information.

It's one thing to show sponsored messages to users, but it's even more profitable to find out what your users want. Self hosted ads aren't as good at the later.

Good thing Firefox makes javascript obligatory

Damn good thing that Firefox 23 makes javascript obligatory:

http://news.slashdot.org/story/13/07/01/1547212/firefox-23-makes-javascript-obligatory

Re:Good thing Firefox makes javascript obligatory

[Neil+Boekend]

Blanked disabling Javascript means large portions of the internet become useless, so NoScript is a better solution IMHO anyway.

Question from the less tech-y

[Camael]

From TFA:-

“Basically, when a web browser goes to a page, that page can force the browser to do whatever it wants – make web connections, download illegal files, attack other Internet sites, make illegal searchers – whatever,” Grossman told me in an interview last week.

Assuming you're using the latest Firefox with Adblock and Noscript, how true is that claim?

Would it, for example, stop the ad network attack vector mentioned in TFA?

I used to assume running Noscript is sufficient protection, but with all the news of exploits floating around, I'm no longer sure.

Re: Disable JavaScript?

How do you disable Java or 3rd party ads on platforms like iPhone or iPad?

Re: Disable JavaScript?

[oPless]

Java isn't support on iDevices.

You must be confusing Java with Javascript. Which ... ... IS NOTHING TO DO WITH JAVA AT ALL.

Please hand in your geek pass to the DHS official and make your way to gitmo. Oh wait. They only do that for leakers...

Re:/. - JavaScript?

[jones_supa]

The old non-JS discussion system is still there. To enable it, follow these steps:

- Click your user name at the top of the page
- From the pop-up menu, click on Account
- From the pop-up dialog's top bar, click Discussions
- Select the Classic Discussion System (D1) radio button
- Click the Save button

Was this answer helpful: yes or no? Would you also like to send all information from your computer to assist us in improving the performance and responsiveness of our product?

It's been 20 years wth

[Impy+the+Impiuos+Imp]

Why don't they fix javascript, limit it to a handful of requests so it can download its data but not spam requests in a loop? Disable its popup ability, too. I have never needed it, and if I did, I'd be happy to click an open window approve box.

Re:Disable JavaScript?

[UltraZelda64]

1. Disable third-party cookies
2. Install Adblock Plus + Element Hiding Helper
3. Install NoScript
4. Install DoNotTrackMe
5. Turn on the worthless "Do Not Track" header, if only just to further get the point across.
6. Clear cookies if you previously went to sites before disabling them, because you've likely got some Facebook tracking garbage on your machine.

Done.

Paper trail

[morgauxo]

Unless they are paying for their ads using anonymized Bitcoins couldn't the ad company be served a warrant and the perpetrator found through the payment records?

Re:Disable JavaScript?

[foniksonik]

There are three metrics for ads online. Impressions, clicks and conversions. Ad companies get paid for each at different rates.

The ads may read a cookie set previously or will set a cookie using an iframe. It has a beacon gif to log impressions. The destination reads the cookie using an iframe with same domain as prior. It also uses a beacon to log impressions.

The cookie tells the ad network: this user came from campaign id xxxxx. That cookie will also be read again on an order confirmation or any conversion success page (a thanks page for sign up or whatever).

So you have a beacon on the content site (payee) for impressions, a cookie set to track click throughs across domains via a 3rd party iframe and beacons on the destination (payer) to log click throughs and possibly conversions.

The beacons will send back a set of data including the campaign id, user agent info, time stamps, and anything needed by the contract which is provided by the payer, eg If its an affiliate program then the order subtotal (no tax or shipping) will be sent to log a commission. The user agent and and uid are used for analysis and segmentation to do things like a/b testing an offer (will a 5% or 10% discount work better - 5% is often good enough to drive traffic and 10% may not convert to higher sales).

Agreed, DoNotTrackMe is better.

[Burz]

Its independent and doesn't slow my browser down like Ghostery does. The latter isn't really written with users in mind... its primary purpose is to give the ad industry a 'self-compliance' fig leaf.

Re:Disable JavaScript?

[sjames]

And that is part of why people object to them (other trhan giving you cooties that is). No other medium has had the ability to automatically track people who read the ads and they have done fine. Some tracking for conversions can be done with discount codes or through the url in the ad.

I'll bet if the ad networks are held liable for malware they distribute, they'll suddenly be fine with those limitations.