Yahoo Advertising Serves Up Malware For Thousands

wjcofkc writes "Thousands of users have been affected by malicious advertisements served by ads.yahoo.com. The attack, which lasted several days, exploited vulnerabilities in Java and installed malware. The Netherlands based Fox-IT estimates that the infection rate was at about 27,000 infections per hour. In response to the breach in security, Yahoo issued the following statement, 'At Yahoo, we take the safety and privacy of our users seriously. We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity.' While the source of the attack remains unknown, Fox-IT says it appears to be 'financially motivated.' The Washington Post cites this incident as a reminder that Java has become an Internet security menace."

Become?

[gstoddart]

The Washington Post cites this incident as a reminder that Java has become an Internet security menace.

As far as I've been concerned, Java and Javascript have both always been security menaces.

Letting web-sites and advertisers execute code has been a recipe for problems for a long time, which is why many of us here likely already block it.

This is just another example of why we can't trust the companies doing the advertising, because they're part of the problem -- if Yahoo is serving malware, Yahoo can't be trusted.

Re:Become?

[Nerdfest]

Java as a language is pretty much as secure as any other. Allowing it to run arbitrary code as 'applets' by default is a huge problem as the sandboxing seems quite poor.

Re:Become?

[gstoddart]

Java as a language is pretty much as secure as any other.

In the abstract, as a standalone app, sure.

But on the web? No bloody way. Certainly not by default -- because it's always been a vector from annoying crap and malware.

Re:Become?

[Nerdfest]

Any other language deployed the same way would offer a very similar attack surface. Simply put, it's the new ActiveX.

Re:Become?

[gstoddart]

Yup, didn't trust that either.

NoScript, AdBlockPlus, Ghostery, ScriptSafe, and everything else you can find to keep the crap at bay is the only safe way to use the internet these days.

Between advertising companies who feel entitled to your data, and all of the crap on the internet ... leaving that stuff on by default is just asking for problems.

Re:Become?

[Nerdfest]

RequestPolicy for FireFox is great as well.

Re:Become?

[Z00L00K]

Almost all ads are malicious in one way or another. If they don't carry bad stuff to your computer you can be misled to click on them and $DIETY knows where you end up sometimes. If nothing else they burn a lot of CPU ticks and makes your computer consume more power.

Re:Become?

[ColdWetDog]

Those blank white screens are refreshingly calm.

Re:Become?

[Arker]

I know, this is how I do it too, but doesnt it strike you as a little crazy to have to install all these *extensions* - not to add optional functionality, but to disable all this insanity that should never have been enabled by default to begin with?

Web browsers should ship with support for the web (that means HTML, semantic markup, period) and extensions should be used to add to that, rather than by default supporting every piece of nonsense any adware/spyware/malware pusher might ever want to use, and then having extensions to try and turn that off after the fact.

Re:Become?

[Lennie]

Java exploits, sure. Or plugins in general really.

But Javascript ? How many Javascript exploits have you see that infect the browser or the host ?

I do see Javascript being used to 'deliver' or 'bootstrap' many exploits though.

Re:Become?

Almost all ads are malicious in one way or another.

They may even trick you into buying stuff you don't need.

Re:Become?

[hairyfeet]

They can bitch about "Waaah how can we make money on our websites, waah" but since I started making adblock plus mandatory? The rate of customers bringing PCs back infected has dropped right off the map.

I USED to allow websites who asked nicely to have an exception but I found they abused the goodwill every. single. time. without fail. I consider an ad to be unacceptable if 1.- Its served by flash, too many zero days for flash to allow it s a delivery vehicle. 2.- No Java, see rule 1. 3.- NO THIRD PARTIES, this is a sticking point for some but it really comes down to responsibility. If you use some fly by night third party you can pass the blame and in reality you have no damned clue from minute to minute what is even running on your site when you give space to third parties. YOU might tell your readers "Oh we won't use flash or java for ads" but do you think the third party will care about your pledge? Not a chance.

Until sites come up with a way to serve ads without cranking up the risk to my customers? they can fuck right off. Your "right" to make a living of your dumb ass blog does NOT trump my customers right to have a virus free PC and considering what a nightmare ID theft is I feel zero guilt for blocking your malware spewing third party flash crap. Even Ars Technica, who made a big deal about begging and making their case for unblocking....what did they do with 3 days of me unblocking? they broke rules 1 and 3, showing their ads to be just as dangerous as anybody else. So there will be no exceptions and I'll be happily spreading ABP to everyone who brings a PC through my door.

Re:Become?

[afgam28]

"In the abstract"?! In what world do you live in where standalone, server-side Java and Android apps are rare?

In the abstract, Java applets are a problem, sure. But by far most Java code runs on servers and on Android devices and there isn't as much of a problem with poor sandboxing in those environments.

Re:Become?

[gstoddart]

You know, I don't find there to be many sites I actually want to use that don't get by mostly without allowing scripts and the tracking shit.

Re:Become?

[Darinbob]

Which is ironic since one of its principle design goals, that set it apart from being yet-another-language, was emphasis on sandbox security. But then features crept in...

Re:Become?

[easyTree]

I know, this is how I do it too, but doesnt it strike you as a little crazy to have to install all these *extensions* - not to add optional functionality, but to disable all this insanity that should never have been enabled by default to begin with?

I know; it's almost as if you've completely misunderstood what *insanity* and *should* mean which has led you to erroneous conclusions.

javaScript is *useful* - its presence in browsers indicates that on balance, is benefits are considered to outweigh the risks it creates / allows.
knives are useful - their presence in the world indicates that on balance, their benefits are considered to outweigh the risks they create / allow.

Re:Become?

Personally I use
1. AdBlock Edge which is a fork of AdBlock Plus(No ads. Ever. From anyone. For any reason)
1a. Element Hiding Helper for AdBlockPlus (Also works with AdBlock Edge and can remove individual elements of a website)
2. Noscript (All security conscious people ought to know this one)
3. Ghostery (with auto-update which is bizarrely not default)
4. Self-Destructing Cookies (kills ALL cookies. No exceptions. So what if I have to type my email address a few times.)

If you have more then post them here.

Re:Become?

[fast+turtle]

and this is exactly why I use a god damn hosts file to block most of the fucking advertisers. It's not perfect by a long shot but it certainly helps prevent much of the problem by blocking any connection to known ad-servers like Yahoo's that can and will be compromised. Hell even Doubleclick has served malware in the past and I've blocked them for over a decade in the hosts file (Remember those god damn "Punch the Monkey" ads?) that's what got me started on using the hosts file and the really nice thing about it is the solution is cross platform. I've used it on Linux and Windows and even gave a copy to a friend using a Mac. Worked like a charm for them.

Where in hell is APK when you need him? Lazy fucking bum. Get back to work and earn your money.

Re:Become?

[exomondo]

Web browsers should ship with support for the web (that means HTML, semantic markup, period) and extensions should be used to add to that, rather than by default supporting every piece of nonsense any adware/spyware/malware pusher might ever want to use, and then having extensions to try and turn that off after the fact.

So fork Firefox or Chromium or build a browser atop webkit and offer such a thing. Nothing stopping you from doing it if you really think that's the way it should be.

Re:Become?

[exomondo]

Almost all ads are malicious in one way or another. If they don't carry bad stuff to your computer you can be misled to click on them and $DIETY knows where you end up sometimes. If nothing else they burn a lot of CPU ticks and makes your computer consume more power.

Yeah displaying a link and a one-sentence blurb is really burning a lot of CPU clocks and making my computer consume more power.

Re:Become?

[hairyfeet]

Insightful? Really mods? We ARE talking about Java ya know, a language run by company that infests its customers with shit like the Ask toolbar when they update the thing.

And if what you are saying is true Nerdfest, where is all the C attacks? Obj-C? Visual C++? Hell that last one is probably on more machines than even Java as pretty much every Windows box that has play a stand alone game in the last 5 years has had to install VC++.

Like it or not you hit closer to home than you think with the Active-X comparison, because like Active-X Java is frankly not very good at security. It was written by Sun who wrote shitty code, see the mess that is Open Office for an example, and when Oracle bought it they certainly didn't raise the quality level of the code. There is a reason why you see more people with VC++ or with Chrome browsers yet Java is the one targeted, crooks always good for the easy mark.

Re:Become?

[Sudline]

And we should pay for each website we visit.

Re:Become?

[dinfinity]

Actually, if you use Chrome, ScriptSafe can be set to allow Javascript for the domain you're visiting. This still negates a lot of the security risks, yet allows most of the functionality to work for properly programmed websites, without further interaction.
The only annoyances are having to whitelist scripts from affiliated domains or domains that provide useful external features such as Youtube or Disqus, especially when they trigger a cascade of script inclusions.

When some website refuses to function properly without (temporarily) whitelisting all their crap, I either stop caring about the content or accept the risk and fire up Firefox (where no Javascript blocking occurs).

Re:Become?

[cbhacking]

Um, what's the difference? If I find, say, a user-after-free vulnerability in a JavaScript runtime (these have been found, and exploited, in the past) and use it overwrite an objects function table with arbitrary code (by, say, creating a long JavaScript string that contains the hex-encoded values of the machine cade that I want to execute) and then calling a function on the overwritten object to gain arbitrary code execution... is that not actually a JavaScript exploit for some reason? Did I merely use JS to "deliver" the exploit in a way that is different from exploiting a vulnerability in the Java applet sandbox?

Re:Become?

[TheRaven64]

ActiveX made no attempt at sandboxing. Java does, but the problem is a monoculture. There are four JavaScript implementations in widespread use, and so if you want to exploit a vulnerability in JavaScript you won't get more than one browser. Exploitable JavaScript bugs tend to be partly due to the DOM and other components of the browser. In Java, there is one widely deployed JVM, including all of the supporting libraries. If you find a bug in it, then you can exploit anyone who still has the Java plugin installed. The same is true of Flash.

Re:Become?

[TheRaven64]

How many Javascript exploits have you see that infect the browser or the host ?

Last time I did a CVE search, I found about 20 within the six months prior to when I did the search, across a small handful of browsers. I haven't looked for a few months though, so maybe there's been a miraculous improvement recently.

Re:Become?

[Billly+Gates]

Yes

Java was great and well written at the time in the 1990s. Bare in mind people had Pentium 166's and 28k modems and ran crappy browsers like Netscape back when the opinion of java being slow was ingrainded. A standard cpu today is probably a good 100x - 200x faster.

It is dated now true and Oracle is the one who put Ask crapware. But Java at least has a sandbox unlike VC?! Of course it has not been updated until recently but it is there and it worked until the last couple of years.

Java executes code but so does any other language. So does any other language that is more bare metal than interpreters like JavaScript. The problem is code execution without the user doing anything. Terrible idea!! Even reader has logic in it so it also executes code hence security issues with that too.

ActiveX has no sandboxing at all. However, it does have signed applets default in IE 6 and higher which make running untrusted code harder but still these should not be in a browser.

VC++ is not as safe as Java and would be a fucking disaster. I wished Java could have turned into something more and came more up to date. Oracle is trying but slowly as Java 8 will have things C# had since 2005 with Lambda. Still no LinQ like functionality. Java is a classic example of a great technology left to be bad management. The fact it is so and still widely used showed it was certainly not a crappy product and was cutting edge and is still modern even today even if its sandboxing is lacking.

Re:Become?

[DarwinSurvivor]

For the amount of money Yahoo is being paid to serve these adds, they should be heavily reviewing any that are anything more than an image with a link.

Re:Become?

[DarwinSurvivor]

Not quite. Javascript can also make outgoing connections. There used to be a lot of attacks that used javascript to connect to machine on your side of the router (or even local ports). Browser developers have been working on closing these for a while now, but they haven't fixed them all yet.

The usual platitudes and bullshyte promises

[stevez67]

They'll continue to monitor, as in do something about a malicious ad once someone else identifies it and spreads the word.

Slashdot Serves Up Epic Fail Beta

Hey samzenpus, you better have another job lined up.

Netcraft confirms http://beta.slashdot.org is dying!

Re: Slashdot Serves Up Epic Fail Beta

It does seem to be dying. I used to come one here several times a day. Now I might come by once a week. Mostly hoping the old site would reappear. Sad watching a once great site die.

Re: Slashdot Serves Up Epic Fail Beta

[Nerdfest]

I just had a look at it. It doesn't look awful, but continues the same mistake made with other attempts, in that it has *way* the hell too much white space.

Re: Slashdot Serves Up Epic Fail Beta

Don't you know you're not supposed to use a PC on the net any more? It's strictly for tablets and phones -- tiny screens, most options removed, no keyboard support. Get out of the stone age and stop being productive!

Re:Slashdot Serves Up Epic Fail Beta

[Kimomaru]

It looks fine, but it's too fancy for my taste. Personally, when a someone tries to doll up a site to make it prettier, it always kind of irks me. It feels like it's losing its quality, so they have to compensate by making it prettier. I'm sure that's not the case here, but let's drop this redesign stuff. Unless you make it easier to navigate with a text-based browser.

Re:Slashdot Serves Up Epic Fail Beta

[ConceptJunkie]

But beta.slashdot.org serves you tons of stock photos. A stock photo for every story! That's what made /. great: meaningless images.

Image/text only ads

[El_Muerte_TDS]

This wouldn't be an issue if they could only serve image or text only ads. Possible image based exploits can easily be prevented by re-saving the uploaded image so that the image only contains valid content.

But no, ad farms want to provide functionality to reach maximum annoyance for the users. You can blame Java all you want, but it's not the source of this problem.

Re:Image/text only ads

Indeed, the ad ops teams that "screen" these ads cant read code, and even if they could, the code in the ad tags is "minified" JS and they just can't logistically read each ad tag because of the sheen number of ads they need to run each day/week.

If Java didn't exist, nor Flash or Acrobat, these criminals would STILL be using the ad networks to compromise the browser itself. That's not to say the plugin model is a good one, but it's important to focus on the real problem.

This is true for all websites too. I suspect the WashPo uses the same ad ops standards Yahoo does, same as Slashdot, same as everyone. It's ad networks running arbitrary, 3rd-party, unknown code on users machines that's really fucking dangerous.

Re:Image/text only ads

[SpaceLifeForm]

Ask yourself this: How many ad farms are really NSA operations?

Re:Image/text only ads

[digitalaudiorock]

I use NoScript all the time. Just recently...the last few week actually...I started noticing that a number of things on yahoo finance just plain stopped working because they required javascript from yimg.com...as if I'm going to allow that...ffs.

Re:Image/text only ads

[Ol+Olsoc]

I use NoScript all the time. Just recently...the last few week actually...I started noticing that a number of things on yahoo finance just plain stopped working because they required javascript from yimg.com...as if I'm going to allow that...ffs.

Last few weeks? You're lucky.

I did a script check on aoms sites recently. just kept enabling them until the sites worked. Ones like the New York Times had dozens of scripts that had to be enabled just to see the content. Yahoo is bad enough, but no where near the worst. They really do want you to allow facebook in order to see or comment.

And thtat's the interesting part. Facebook and twitter - and of course Google in one form or another are tracking you even if you've never been to the respective sites.

Re:Image/text only ads

[Ol+Olsoc]

Wasn't there something posted in here a few months ago about spoofing tracking reports? It might be fun to have google think the whole world only visited Goatse and tubgirl.

Re:Image/text only ads

[Anarchduke]

it appears yimg.com is owned by https://www.markmonitor.com/
Not sure exactly what markmonitor does, even though it says they do "brand protection" I just downloaded one of markmonitors white pages to try and figure it out.

Source Unknown?

Source unknown? Bullshit! Yahoo didn't run the ads without payment. Payment == traceable. Or is Yahoo accepting Bitcoins now?

Re:Source Unknown?

[KingOfBLASH]

No they're just going to blame the NSA for being malicious hackers, and skip over taking any sort of responsibility for the situation.

Re:Source Unknown?

[hawguy]

Source unknown? Bullshit! Yahoo didn't run the ads without payment. Payment == traceable. Or is Yahoo accepting Bitcoins now?

Unless, of course, payment==stolen credit card number.

adaware

[fermion]

It has been my contention that when websites no longer serve malware through Ads, then they can start complaining that users blocks ads. This is not an uncommon occurrence, even for large websites, and the fix is not always immediate. I recall not that long ago when the New York Times was serving malware for the entire weekend.

Re:adaware

[Anonymous+Brave+Guy]

It has been my contention that when websites no longer serve malware through Ads, then they can start complaining that users blocks ads.

Indeed. I block 100% of ads my tools can identify, I consider this a routine security precaution, and I make no exceptions. Sorry to the honest site operators, I won't take offence if you decide to block me because I block your ads, but no, I won't whitelist you. This became my policy shortly after the only virus infection I've ever been aware of picking up on any computer I operate, which was a Java zero day exploit I picked up browsing normally reputable tech news sites.

Re:adaware

[A_Non_Moose]

Agreed.

Similar story here, when I left an IE session open on Drudge and went to sleep.

Woke up and saw "Antivirus 2009" or some such crapware.

Turned out to be 2 0-day exploits to javascript and pdfs to load executable code.

Insult to injury was I turned off javascript in pdfs explicitly and an update turned it back on. Son of a beeyotch.

Flew under the radar of Symantec 9 or 10, IIRC. Sucked because I was still in .edu and had no time for that kinda shite, but dealt with it just the same.

Now it is the "only if I allow it" kinda rule...even then there is a 90% chance of "oh, hell no!".

Re:adaware

[Billly+Gates]

Don't use IE. Its been said here for over 10 years now and you should know better.

Even if its not IE 6 anymore it still does not support adblock. Get foxit unless you really need adobe. You can disable launch in browser. Also create a standard user and stop using XP. You never would have become infected.

Re:adaware

[flappinbooger]

It has been my contention that when websites no longer serve malware through Ads, then they can start complaining that users blocks ads. This is not an uncommon occurrence, even for large websites, and the fix is not always immediate. I recall not that long ago when the New York Times was serving malware for the entire weekend.

Yeah, they outsource their ad space to someone, that company gets them from who knows where. It isn't necessarily that easy to find out where each ad comes from.

Ads and email attachments are obviously the most common attack vectors I hear about. Also binding malware to pirated files or crackz are notorious too. Not all cracks or pirated warez are malwared but a lot are.

Re:adaware

[PNutts]

A guy at work went to Druge a few years ago and got his work PC zapped. A visit to LiveLeak set off my A/V but nothing got in.

Re:adaware

[cbhacking]

IE has had a built-in ad blocking solution (it's marketed as an anti-tracking solution, but it works fine on ads) since IE8. IE9 and later can even load filters from EasyList (who do the most widely-used AdBlock Plus list) and automatically update it. Extensions (called add-ins, sometimes "Browser Helper Objects") that provide ad-blocking have been available since at least IE6, and probably before.

In the interest of avoiding monoculture, not using IE makes some sense (although these days, anything much more mainstream than Opera has enough users to be an attractive target).
In the interest of supporting open-source browsers (or if you believe that the "many eyes..." theory makes up for the relative lack of resources for security testing compared to a major corporation), using Chromium or Firefox makes sense, but they've had exploits as well.
In the interest of punishing MS for its past behaviors, using something other than IE makes sense.
But complaining that IE can't block ads or similar, well, that really doesn't make any sense at all. IE has more built-in ad blocking than many of its competitors, even though it's turned off be default and most people don't know how to turn it on.

In any case, the exploit that got A_Non_Moose was a JS bug in his PDF reader. You'd do better to recommend he stop using Acrobat (the only reader I know of that not only enables JS by default but turns it back on, silently, each time you update). If his browser was configured to open PDFs in Acrobat automatically, it doesn't matter *what* browser he was using.

"has become"?

[grub]

a reminder that Java has become an Internet security menace

Java has always been a security menace.

Re:"has become"?

Not sure if parent is trolling, or just confused.

Most of us know the difference between Java (a perfectly secure language) and the ability to run applets in a browser (a feature that can be exploited if the sandboxing is insecure). It doesn't matter whether we're talking about Java Applets or ActiveX. Hell, even interactive PDF forms have been used as attack vectors.

Re:"has become"?

[grub]

I meant running in the browser, not playing Minecraft. That ActiveX or PDF are also insecure doesn't change the fact that Java (in the browser) is shit and always in need of security updates.

Re:"has become"?

[Billly+Gates]

Anything that executes code or reads it is potentially insecure.

Best defense is always to run updated oses with updates on, do not as root or admin, turn off anything that launches in a browser like PDF and Java. And for heavens sake run Av folks!

I know many say with a smile they run XP with an admin account with an ancient version of ff like 3.6 with no protection whatsoever!! Lord I bet such things have tons of Trojans and key loggers on (ff 3.6 has +40 holes as it is not maintained?!)

Anyway Avast is light and it as well as comodo dragon filter less trusted ad networks. You can disable PDF reader in its preferences and you can keep Java for eclipse but disable it in your browser addons. Done with a limited account, adblockers, Av software and a modern os mixed with shit launching automatically and you are pretty secure.

Not Java but shitty Java browser plugins

Java is a much safer language than say C because of the built in checks. It's the proprietary crappy browser plugins that make this kind of attacks possible.

Re:Not Java but shitty Java browser plugins

[Jawnn]

Java is a much safer language than say C because of the built in checks. It's the proprietary crappy browser plugins that make this kind of attacks possible.

For 99% of the users out there, that is an absolutely pointless distinction.

And this is why...

[bmo]

... using ad blocking and/or host files to deep-six ad networks not only produces a nicer user experience, but it's a valid security measure.

Trusting the web site is not enough. You have to trust the ad network too. Since any Joe Schmoe can buy ad space on an ad network, trusting the ad network means you're trusting Joe Schmoe.

I don't know about you guys, but I don't.

--
BMO

Re:And this is why...

[TubeSteak]

FireFox + NoScript replaced my ad-blocker for years

Now, I only find ad-blockers or hosts files to be necessary for handling crap that's embedded in flash files.

/Does Chrome have a proper NoScript equivalent yet?

Re:And this is why...

[gstoddart]

/Does Chrome have a proper NoScript equivalent yet?

ScriptSafe + DoNotTrackMe + Ghostery + AdBlockPlus are what I have in Chrome.

ScriptSafe does about the same as NoScript.

Re:And this is why...

[Billly+Gates]

Unfortunately Windows 8 and higher ignore host files. You can use avast or Comodo dragon which blocks less trusted ad networks in addition to adblock.

Re:And this is why...

[perpenso]

Unfortunately Windows 8 and higher ignore host files. You can use avast or Comodo dragon which blocks less trusted ad networks in addition to adblock.

What Windows 8 does is irrelevant if one takes some old retired PC and installs Linux or *BSD on it and sets it up as a router.

Re:And this is why...

[allo]

use adblock edge, abp is getting more and more stuff you do not want. read the blog entries from some time ago. Its not only the acceptable ads* stuff, they are working with ad companies at some more points.

* which is a big deal anyway, because one of the first types of acceptable ads were the sedo-typo-squatting ads on misspelled domains.

Re:And this is why...

[Arker]

The last I checked there was no way to block scripts prior to download - the best the extension could do was step in after they have been downloaded and parsed and then walk them back out. Not acceptable, not even close.

Re:And this is why...

[zippthorne]

Chrome has per-domain javascript white/blacklisting built-in.

Re:And this is why...

[cbhacking]

Erm... bullshit? The only thing I'm aware of that's even *close* to what you're saying is that in Win8 and newer, the built-in anti-malware feature (Windows Defender) will remove entries for several well-known domains, including some advertising networks but also things like search engines and such, from the HOSTS file. Either turning off Defender, or setting it to Exclude the HOSTS file, will cause HOSTS to work like normal.

Yahoo is getting worse everyday

New Yahoo Mail = complete unusable dog shit

New Flickr = complete fuck up! They don't even read user feedback.

New Ad delivery = source of malware! Even porn sites don't do that.

Re:Yahoo is getting worse everyday

yep, blocked *.yahoo at the point i noticed them installing psudo-malware with uTorrent (the persistent default search engine replacement software which uses far more CPU time than something that supposedly just monitors search engine settings and resets them to Yahoo should. It was very malware like in it's choice of installation folder too and of course the fact it was both unwanted and self-repairing)

once a company starts doing that shit they end up on my block list, permanently. uTorrent made it too for bundling the crap.

sounds like I dodged a bullet by having them blocked.

Re:Yahoo is getting worse everyday

[hyades1]

Wish I had a mod point to move you up the food chain a bit.

Thunderbird is my friend.

[couchslug]

I kept my old Yahoo webmail accounts but use Thunderbird to read those as well as Gmail. Avoids dealing with asstastic webmail page layout as well as being bothered with adverts.

Good on you, Yahoo...

[DrPBacon]

If that's the whole statement, then wow... that's really pathetic.

Really?

[kurkosdr]

" Fox-IT says it appears to be 'financially motivated" (Insert Nicolaw Cage "you don't say" pic here) Also, Yahoo has the billing info, IP address and username of the fine fellows behind this. Can't they sue them, or at least publish that info? Oh, I forgot, that would be "aggravating a partner" which is bad for the bottom line...

Fools who dont run AV

[Billly+Gates]

For the idiots who say with a smile they do not run AV software and think they are malware free because they don't click on anything, I told you so.

Some people even on Slashdot do not have a basic understanding of online security. Yes Linux Trojans exist too because like Mac users you all think you are invulnerable.

Basics: if you must use Java disable it in your browsers or put it in intranet zone only if you use IE at work. Disable adobe reader from launching automatically. Use foxit if you can or disable it in browser launching in which I do. Use flashblock and adblock. Even IE has adblock these days. Last do not run a browser with an admin/root account! In Windows I use a separate limited/standard account and do not browse as root in Linux. Doh. Run Windows updates!! But they may break my apps .... Please. I never had an issue and my security is worth it. Do that and these attacks will be plugged 90% of the time.

Do these in addition to not clicking on shit and then your system will be pretty darn secure.

Re:Fools who dont run AV

[Bigbutt]

Hmm, I generally don't run AV software on my systems but I'm pretty sure MSE has been running for a while so I do, just not on purpose. I didn't before that since I first started mucking with computers in 1980 or so.

I've never had a hit from it though. Well, I take that back. I had some archival e-mails from way way back that I knew had viruses in them (the old 'I Love You' type email viruses). When MSE kicked off the first time, it scanned that directory and pinged on them. But nothing since that initial run and I knew they were there.

I do run malwarebytes from time to time with no hits.

But I also run noscript and abp on all my systems. Plus I don't click on links or open documents from folks I don't know, including the link in your signature.

[John]

Reminder...

[ameline]

> "The Washington Post cites this incident as a reminder that Java has become an Internet security menace."

That should read "The Washington Post cites this incident as a reminder that advertising has become an Internet security menace."

Adblock+ -- part of a sensible security policy.

Yahoo knows

[EmperorOfCanada]

The moment that Yahoo allowed advertisers to use java they knew that minimally those ads would be used to annoy the crap out of the users. If your ad is a static picture with a clickable link then you don't need Java. What you need java for is to start prying into the user's business. Animations, sound, geolocations, saving data to the user's machine. So any "legitimate" ad using Java is halfway to being malware already. Plus why use Java instead of Flash? Generally ads should be made by Graphic artist types who are more familiar with Flash. Thus the primary reason to use Java is to access some feature that flash has blocked in Flash.

So if your goal with a Java ad is to circumvent something that Adobe has blocked then it probably should remain blocked. On top of that most users have turned off Java so it can't be to reach a wider audience.

So when Yahoo allows advertisers to use Java they knew perfectly well that the advertisers were up to no good whatsoever. Their acting surprised that some of the scumbags took it even further is total BS.

Basically at this point, anyone who has Java turned on in the browser is the same as having a house with a weeks worth of newspapers stacked up at the front door. Effectively a greeting card inviting the criminals in.

Re:Yahoo knows

[asmkm22]

For what it's worth, a big reason they changed from making ads in Flash to Java is because

a. People used to complain about Flash, and how slow and insecure it was.
b. Flash didn't work very well with mobile phones (or at all for a long time).

Re:Yahoo knows

[akozakie]

"Allow Java"? Sorry, but you can't really block Java if you allow scripting or redirection.

With redirection, you lose control over what the ad actually serves. You'd have to re-check it all the time. What will you do if it serves malware only to every tenth visitor? And never to yahoo IP space?

With scripting... Well, unless you have the resources to manually analyze every ad before you allow it (who would accept that much delay?), you will never be entirely sure what the code does. Static analysis can only go so far, there will always be ways to obfuscate the beejeezus out of the script in a way you cannot parse. Dynamic analysis is costly and what will you do if the code is in a way non-deterministic (includes a Java applet depending on time, random number, or whatever)? Plus, if any links appear in either analysis, see redirection, you don't know what will be served.

The only relatively secure ad service is one that only allows images (uploaded to the ad service, not linked) and text with limited markup. No scripting at all. But that's not what the advertisers want and they are the paying customers.

The most you can do is some screening of the ads and quick, effective handling of any incoming reports to minimize bad PR. It seems that this is what they do - good for them.

Sorry, but that's what happens if ads are the main source of income. In this model the ads are inherently unsafe - unless you have a very secure browser setup, but that will break some pages.

If users pay for a service, secure ads as additional income source are possible - but that's rare. Free = unsafe, sorry. Accept the risk or protect yourself.

Re:This justifies my habits ...

[giantgeek]

The Washington Post cites this incident as a reminder that Java has become an Internet security menace.

You can read about Java as the Internet security menace in the link above, but first you need to enable Java Script to read the article.

Thousands?

[wonkey_monkey]

Yahoo Advertising Serves Up Malware For Thousands

The attack, which lasted several days... the infection rate was at about 27,000 infections per hour.

That's nearly 2 million at least. C'mon Slashdot, it's not like you to supply a less sensational headline than necessary.

Re:This justifies my habits ...

[EmperorOfCanada]

I used Lynx up until 2010 until I realized that it might be compromised. So now just telnet to port 80 and manually send GETs and POSTs.

How is the source unknown?

[viperidaenz]

The source is a Yahoo ad customer. Do they not know who pays them? Or do they not want to lose a paying customer by outing them?

Re:How is the source unknown?

[Greyfox]

Perhaps they were paid with a stolen credit card. It's not like those are hard to come by.

Yahoo doesn't immediately know

[viperidaenz]

The ad didn't contain a Java applet.
It directed people to a website that then delivered the malware. Apparently it automatically redirected the browser, but that hasn't been confirmed.

So Yahoo allow Javascript in the ads, not Java.

Re:Yahoo doesn't immediately know

[EmperorOfCanada]

Ah good clarification. So a good policy for yahoo would be if your site uses Java applets there is an 80% chance you are being a tool. I thought the coverage of Java Applet Ads would be pretty poor. I am not sure of the exact stats but with mobile devices growing this number must also be in freefall.

The only legitimate sites that I see where a java applet is a critical feature are older science websites. Astronomy calculators would be a common example.

Personally I am excited about the prospects of asm.js for when you want to put something hardcore in a browser. Something that might have been ported from C++ or some such language.

Re:Dalvik

[viperidaenz]

Because there isn't really much wrong with Java, from a security point of view.

The Oracle Java Browser plugin on the other hand, is pretty dodgy.

Use click to play

[tulcod]

Java zero days are easily avoided by using "click to play", which does exactly what it sounds like: disable flash and java applets until you click them. In Chromium, this is easily enabled in Settings -> Show advanced settings -> under "Privacy", Content Settings -> choose "Click to play" under Plug-ins.

Java (and Flash likewise) has never been safe, and it's a shame that click to play is not the default. Additionally, animated ads are often Flash or Java-based, so this also kills distracting movies.

Re:This justifies my habits ...

[innocent_white_lamb]

You don't need javascript to read that article. The text and photo are at the bottom of the page. Just scroll past all of the whitespace at the top and you'll fine it.

Re:This justifies my habits ...

[thestuckmud]

]You can read about Java as the Internet security menace in the link above, but first you need to enable Java Script to read the article.

That, or disable CSS (e.g. View/Page Style/No Style in Firefox).

But does it run on Linux?

[mspohr]

As usual (unfortunately). Both the article and the summary are pathetic examples of journalism which should try to at least inform.
For instance, it would be useful to know (at a minimum) which OSs, browsers, etc are vulnerable, whether any of the virus detection programs will block or remove the malware and what effects the malware has on systems when they are infected.
In other words, this article is just "scareware" warning about some unspecified threat to do something bad to somebody and no idea who, what, when or where.

Re:But does it run on Linux?

[asmkm22]

Did you even read the articles, or did you just click the first link in the summary and call it a day? The one linking specifically to Fox IT's blog, which is the source of this discovery, goes into great detail about this. They specifically mention the following:

This exploit kit exploits vulnerabilities in Java and installs a host of different malware including:

ZeuS
Andromeda
Dorkbot/Ngrbot
Advertisement clicking malware
Tinba/Zusy
Necurs

Re:But does it run on Linux?

[mspohr]

But do any of these run on Linux.. or Mac OSX?
I guess we should just assume that they all run on Windows although the article is silent on this subject.
Does any antivirus program detect or block any of these?
What should I do if I think I have been "exposed"?

Useless articles.

Re:But does it run on Linux?

[asmkm22]

None of those malware packages are new. They've been covered numerous times in the past. Google them up yourself if you weren't paying attention for the last 6 years. I certainly don't want to have to read through a bunch of information that I already know because it's not exactly new.

Re:But does it run on Linux?

[ShoulderOfOrion]

I think it's a given that if a virus, worm or whatever could actually infect a Mac or Linux box that would be in the headline, or at least the first paragraph.

Freaking ad networks

[Dega704]

Hence why I advise people to install AdBlock on their browsers. The way things have been for the pas few years, it's probably more effective than antivirus software. (Before you flame me, I am speaking tongue-in-cheek. You really should have both.)

I'm confused...

[jddeluxe]

People still visit yahoo's website? How quaint!

Re:This justifies my habits ...

[Kimomaru]

Wow, that's hard core.

Wrong view of security

[Sigma+7]

reminder that Java has become an Internet security menace."

The big three browsers can trivially block Java, through something as simple as "click to play", or "always launch plugins from this site". Any browser that auto-executes stuff by default is broken.

On the other hand, I've had a malware distribution attempt via Javascript. It's certainly designed to attack Chrome, since it wipes the previous page content and URL, replacing it with its own.

Oh, and a trivial Javascript exploit that browsers took 10+ years to fix.

while(true) {alert("haha");}

3rd party malware.

[ralphaostrander]

Adblock plus. Is all you need to know. In settings dont allow some.

This is the perfect example of why adblock plus

[ralphaostrander]

should not default to allow any. Let the use take the risk in allowing do not assume it for me unless your going to pay for my damages.

Arguably...

[easyTree]

...this is their Raison d'être - "advertisments - malware for the brain."

Java? What about Javascript?

[cjonslashdot]

"...reminder that Java has become an Internet security menace."

Actually, the largest menace is Javascript. That's why so many people use NoScript.

Any kind of in-browser active code execution will inevitably have security challenges.

Flash is a major resource hog, too

[knorthern+knight]

I don't have Java installed. I run linux, but Java is cross-platform, and I don't fall into the "it can't happen here" camp. Besides, I save a few hundred megabytes of disk space by not installing Java.

Flash is another issue altogether. I follow one forum that autoruns Flash movie ads on occasion. If you hovered over the ad, it would enable sound too.Firefox used to lock up for a few minutes. Running with system load = 3 or 4, on a 2-core machine is begging for thrashing/near-lockup.

I now use 2 browsers...
1) one browser has Flash disabled entirely
2) the other one I launch when I see a link to Youtube/whatever. When the video finishes, I close it. The taskbar has a mini-version of "top" running. Sometimes, after turning off the Flash browser, I'll watch the system load fall from 1.3 down to 0.3... satisfying.

Re:Browser addons noted = inferior to hosts

[PNutts]

Why do apk's posts remind me of reading a Dr. Bronner's soap label?

Re:To the downmodder of my post

[TranquilVoid]

Can you think of any advantages to in-browser ad blockers?

Re:Browser addons noted = inferior to hosts

[fractoid]

Oh man, that stuff. It's like the Time Cube of liquid soap.

Malwarebytes Anti-Exploit Beta

[PNutts]

A/V doesn't protect against a lot of this stuff. Malwarebytes has a new anti-exploit beta for us Windows folks.

From the FAQ:

17- What techniques does MBAE use to detect and block exploits?

MBAE incorporates multiple exploit detection and blocking techniques at different stages of the typical exploit attack to provide a truly complete solution against all types of current and future exploits.
  Stage 1 Layer: This layer of MBAE incorporates multiple techniques to detect and block exploits during stage 1 of the exploit attack, before the shellcode is allowed to run. In some cases, MBAE detects and prevents exploits before the operating system Data Execution Protection (DEP) protection.
  Stage 2 Layer: This layer of MBAE incorporates multiple memory protection and payload execution techniques which prevent exploits from executing their stage 2 payload, thereby protecting the computer even if operating system protections and stage 1 protection techniques have been bypassed.

That's why I never use IE

[bobjr94]

Most people running something other than IE with an ad block or script block most likely never would have had any problems. My boss still likes IE for whatever reason, needless to say Im at his computer every month or 2 removing spyware, viruses or a total computer hijacking (pay us 100$ to unlock this pc). Last virus he picked up was from an ad on msn.

Re:That's why I never use IE

[cbhacking]

You can block ads and scripts in IE just fine. Heck, there are even built-in ways to do it, using filter lists from folks like EasyList (better known for their popular AdBlock Plus filter list). No need to download an extension (MS calls them "add-ons" but they are much the same thing) as long as you're using IE9 or newer, but ad-blocking and script-filtering are available at least as far back as IE6. There's also options like blocking using a HOSTS file or similar.

Your boss's problem isn't that he uses IE, it's that he doesn't know how to use the Web safely at all. Your problem isn't that your boss likes IE (which does actually have some nice features, such as its tab groupings and translation "accelerator") but that you know one safe way to use the Web (which your boss doesn't like) but are apparently not smart enough to find one that he does like (despite the fact that such things certainly exist).

Using Firefox in its default configuration would be just as vulnerable.

Yes, really

[cbhacking]

With all due respect, his post was a lot more insightful than yours. You don't appear to know what you're talking about.

First of all, "deployed the same way" as in "deployed using an HTML <object> or <applet> element that instructs the browser to download and execute the code". The Microsoft Visual C++ redistributable runtime does not include any such mechanism for deploying C++ code. For that matter, not all Java runtime installations do either.

Second, just what do you think ActiveX is programmed in? Hint: it's not its own language. It's a packaging system for COM classes, which are almost without exclusion written in C++, and it *is* possible to deploy and run it in the browser in much the same way as Java applets (object tags). Unlike Java, they run with basically no sandbox but instead require considerable amounts of confirmation before they download. The idea is that they are powerful but unsafe, so only use the ones that you trust. Unfortunately, a number of pre-installed ActiveX controls on Windows have security vulnerabilities in them, so an attacker who finds a way to exploit one of those pre-installed ones doesn't need to get the user to download anything. Hence the way that modern versions of IE require the user to confirm before running an ActiveX control that they've not previously indicated that they trust (and also give you an ability to disable ActiveX completely or only enable it on a site-by-site basis).

I don't care for the Java installer any more than you do, but the security issues with Java applets have literally nothing to do with the language. The only way you could say Java itself is at fault is if you were to argue that Java shouldn't have any OS bindings at all (that is, no ability to access the file system, no ability to create processes, no ability to open network sockets, etc.). This is essentially the situation with JavaScript, of course; while the Java applet sandbox tries to *restrict* the use of functionality like I just mentioned, the JavaScript runtime (as found in browsers) simply lacks APIs to access such risky features. Even there, though, that's not a characteristic of the JavaScript *language* but merely of the sandboxed runtime used to execute JS in the browser. Other uses of JS, ranging from Windows Script Host to Node.JS, are perfectly capable of doing such things.

Does Chrome have a proper NoScript equivalent?

[drobety]

HTTP Switchboard. This puts to rest all the false claims out there that Chrome doesn't have the proper API to block scripts. This thing does what NoScript, Request Policy and AdBlock do all together, plus it has nice privacy enhancing options.

Re:Well said (& agreed WITH a difference)

[hairyfeet]

The only problem I have with using HOSTS is that it requires updating to be of use and when it comes to customers? If I did my job right hopefully I won't be seeing them again for years. With ABP and Privdog I don't have to worry about "will they update the thing" as it is done automatically with the latest version every time they launch the browser.

That said I've found a way to go one better than HOSTS, at least for me and my customers, remember how I ran my own DNS? Well I don't have to do that now that Comodo offers their secure DNS for free and with Dragon and IceDragon I can have the browser and ONLY the browser run through their secure DNS. This way anything like games or Steam can hook up directly while the biggest attack vector, the browser, is filtered. Its nice, again auto updating, and best of all for me its a "set and forget" so once set I don't have to ever touch it again and in point of fact since making ads verbotten the only infections I see now are social engineering (Yuo want teh tittiez? Run "Iz_Not_Viruz_Iz_Codex" to see teh hot tittiez!) or when they get "toolbarred" because they refuse to read EULAs. All the actual bugs? Gone, zip zero zilch nada squat.