Slashdot Mirror


Ad Networks Lay Path To Million-Strong Browser Botnet

jfruh writes "Every day, millions of computers run unvetted, sketchy code in the form of the JavaScript that ad networks send to publishers. Usually, that code just puts an advertiser's banner ad on a web page. But since ad networks and publishers almost never check the code for malicious properties, it can become an attack vector as well. A recent presentation at the Black Hat conference showed how ad networks could be used as unwitting middlemen to create huge, cheap botnets."

  1. Yep, that. by intellitech · · Score: 5, Informative

    Ghostery and Adblock FTW.

    --
    vos nescitis quicquam, nec cogitatis quia expedit nobis ut unus moriatur homo pro populo et non tota gens pereat.
  2. Re:No Script by akeeneye · · Score: 3, Interesting

    The equivalent on Chrome is "NotScripts".

    --
    The man who dies rich dies disgraced. -- Andrew Carnegie
  3. Like hell they do by WD · · Score: 4, Informative

    If you care about security, you're running NoScript. And they do not run.

    1. Re:Like hell they do by tgd · · Score: 2, Interesting

      If you care about security, you're running NoScript. And they do not run.

      Why bother using the web, then? Most sites won't work with scripting disabled to any usable extent.

      If you want to be safe from evil ad networks, just don't use the web. Problem solved.

      But saying "just don't do it" in reference to things that the overwhelmingly vast majority of people need or want to do is not solving the problem, and is distracting from the need to actually solve the problem.

  4. And they're wondering... by Opportunist · · Score: 4, Insightful

    ...why we use adblock and noscript, whining that we deprive them of income.

    It's not that your ads are obnoxious, albeit even that alone would suffice as a reason. They're dangerous to us.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Re:Somewhat scary by Splab · · Score: 2

    That's the reason why I use adblock; I only block the ad networks, not the local site served stuff.

    If site operators want me to view ads, then they bloody well can vet them and host them themselves.

  6. Re:Somewhat scary by Opportunist · · Score: 3, Insightful

    The problem is less that I need all the bells and whistles. The problem is more that a sizable portion of webpages simply doesn't work without its bells and whistles.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. The author is lying by SpicyBrownMustard · · Score: 4, Informative

    I've worked with several ad networks, on a number of issues, and can say with absolute confidence that the author has no concept of how the technology actually works, which results in an outright lie in his thread-starter.

    The JavaScript code originates with the ad delivery platform (DoubleClick, OpenX, 24/7, etc.), sometimes outsourced to the ad networks -- DoubleClick is a white label delivery platform for many ad networks. The JavaScript is tightly controlled and constantly subject to real-time auditing by several providers such as The Media Trust. The advertisers simply provide the assets -- the banner creative -- that is delivered by the ad network, optimization systems, and ad delivery platforms.

    Currently, yes, it all sucks and is why we have had blockers, but is also the only option to monetize free content -- for now.

    1. Re:The author is lying by Dynamoo · · Score: 2
      The assertion that ad networks do not check code is certainly untrue overall. But some networks check code more closely than others, and the bad guys use all sorts of techniques to evade detection (geotargeting, for example, or changing the behaviour of the ad when it is being examined on the ad network's own IP range). The lengths some bad actors go to are impressive, and be in no doubt that there is a state of war between most ad networks and the bad guys.

      However, it is true that certain ad networks do very minimal checking or even seem to be in league with malware pushers. But publishers soon drop ad networks like this and they end up being relegated to the scummy tier of publishers only.

      Oh.. it's hardly new anyway. Here's a report from 2004.

      --
      Never email donotemail@WeAreSpammers.com
  8. They Finally Notice. by John+Sokol · · Score: 2

    We were using Java, Flash and JavaScript to do this sort of stuff as far back as 1996.
    Massive DDoS attacks were generated this way.
    Even played around with distributed computing, all from banners placed on various web sites.
    We were able to run stuff in browsers that was next to impossible to remove.
    And with browsers restoring all the windows, most common users would never figure out how to kill these things.

    --
    I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
  9. Re:/. - JavaScript? by jones_supa · · Score: 2

    The old non-JS discussion system is still there. To enable it, follow these steps:

    - Click your user name at the top of the page
    - From the pop-up menu, click on Account
    - From the pop-up dialog's top bar, click Discussions
    - Select the Classic Discussion System (D1) radio button
    - Click the Save button

    Was this answer helpful: yes or no? Would you also like to send all information from your computer to assist us in improving the performance and responsiveness of our product?