Slashdot Mirror


Yahoo Advertising Serves Up Malware For Thousands

wjcofkc writes "Thousands of users have been affected by malicious advertisements served by ads.yahoo.com. The attack, which lasted several days, exploited vulnerabilities in Java and installed malware. The Netherlands-based Fox-IT estimates that the infection rate was at about 27,000 infections per hour. In response to the breach in security, Yahoo issued the following statement, 'At Yahoo, we take the safety and privacy of our users seriously. We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity.' While the source of the attack remains unknown, Fox-IT says it appears to be 'financially motivated.' The Washington Post cites this incident as a reminder that Java has become an Internet security menace."

43 of 184 comments

  1. Become? by gstoddart · · Score: 5, Insightful

    > The Washington Post cites this incident as a reminder that Java has become an Internet security menace.

    As far as I've been concerned, Java and Javascript have both always been security menaces.

    Letting web-sites and advertisers execute code has been a recipe for problems for a long time, which is why many of us here likely already block it.

    This is just another example of why we can't trust the companies doing the advertising, because they're part of the problem -- if Yahoo is serving malware, Yahoo can't be trusted.

    --
    Lost at C:>. Found at C.
    1. Re:Become? by Nerdfest · · Score: 4, Insightful

      Java as a language is pretty much as secure as any other. Allowing it to run arbitrary code as 'applets' by default is a huge problem as the sandboxing seems quite poor.

    2. Re:Become? by gstoddart · · Score: 4, Insightful

      > Java as a language is pretty much as secure as any other.

      In the abstract, as a standalone app, sure.

      But on the web? No bloody way. Certainly not by default -- because it's always been a vector for annoying crap and malware.

      --
      Lost at C:>. Found at C.
    3. Re:Become? by Nerdfest · · Score: 4, Insightful

      Any other language deployed the same way would offer a very similar attack surface. Simply put, it's the new ActiveX.

    4. Re:Become? by gstoddart · · Score: 4, Informative

      Yup, didn't trust that either.

      NoScript, AdBlockPlus, Ghostery, ScriptSafe, and everything else you can find to keep the crap at bay is the only safe way to use the internet these days.

      Between advertising companies who feel entitled to your data, and all of the crap on the internet ... leaving that stuff on by default is just asking for problems.

      --
      Lost at C:>. Found at C.
    5. Re:Become? by Nerdfest · · Score: 4, Interesting

      RequestPolicy for Firefox is great as well.

    6. Re:Become? by Z00L00K · · Score: 2

      Almost all ads are malicious in one way or another. If they don't carry bad stuff to your computer you can be misled to click on them and $DEITY knows where you end up sometimes. If nothing else they burn a lot of CPU ticks and make your computer consume more power.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    7. Re:Become? by ColdWetDog · · Score: 4, Funny

      Those blank white screens are refreshingly calm.

      --
      Faster! Faster! Faster would be better!
    8. Re:Become? by Arker · · Score: 2

      I know, this is how I do it too, but doesn't it strike you as a little crazy to have to install all these *extensions* - not to add optional functionality, but to disable all this insanity that should never have been enabled by default to begin with?

      Web browsers should ship with support for the web (that means HTML, semantic markup, period) and extensions should be used to add to that, rather than by default supporting every piece of nonsense any adware/spyware/malware pusher might ever want to use, and then having extensions to try and turn that off after the fact.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    9. Re:Become? by Anonymous Coward · · Score: 2, Funny

      > Almost all ads are malicious in one way or another.

      They may even trick you into buying stuff you don't need.

    10. Re:Become? by hairyfeet · · Score: 2

      They can bitch about "Waaah how can we make money on our websites, waah" but since I started making adblock plus mandatory? The rate of customers bringing PCs back infected has dropped right off the map.

      I USED to allow websites who asked nicely to have an exception but I found they abused the goodwill every. single. time. without fail. I consider an ad to be unacceptable if 1.- It's served by flash, too many zero days for flash to allow it as a delivery vehicle. 2.- No Java, see rule 1. 3.- NO THIRD PARTIES, this is a sticking point for some but it really comes down to responsibility. If you use some fly by night third party you can pass the blame and in reality you have no damned clue from minute to minute what is even running on your site when you give space to third parties. YOU might tell your readers "Oh we won't use flash or java for ads" but do you think the third party will care about your pledge? Not a chance.

      Until sites come up with a way to serve ads without cranking up the risk to my customers? they can fuck right off. Your "right" to make a living off your dumb ass blog does NOT trump my customers' right to have a virus free PC and considering what a nightmare ID theft is I feel zero guilt for blocking your malware spewing third party flash crap. Even Ars Technica, who made a big deal about begging and making their case for unblocking....what did they do with 3 days of me unblocking? they broke rules 1 and 3, showing their ads to be just as dangerous as anybody else. So there will be no exceptions and I'll be happily spreading ABP to everyone who brings a PC through my door.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    11. Re:Become? by hairyfeet · · Score: 2

      Insightful? Really mods? We ARE talking about Java ya know, a language run by a company that infests its customers with shit like the Ask toolbar when they update the thing.

      And if what you are saying is true Nerdfest, where are all the C attacks? Obj-C? Visual C++? Hell that last one is probably on more machines than even Java as pretty much every Windows box that has played a stand alone game in the last 5 years has had to install VC++.

      Like it or not you hit closer to home than you think with the Active-X comparison, because like Active-X Java is frankly not very good at security. It was written by Sun who wrote shitty code, see the mess that is Open Office for an example, and when Oracle bought it they certainly didn't raise the quality level of the code. There is a reason why you see more people with VC++ or with Chrome browsers yet Java is the one targeted, crooks always go for the easy mark.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. The usual platitudes and bullshyte promises by stevez67 · · Score: 3

    They'll continue to monitor, as in do something about a malicious ad once someone else identifies it and spreads the word.

  3. Slashdot Serves Up Epic Fail Beta by Anonymous Coward · · Score: 3, Funny

    Hey samzenpus, you better have another job lined up.

    Netcraft confirms http://beta.slashdot.org is dying!

    1. Re: Slashdot Serves Up Epic Fail Beta by Anonymous Coward · · Score: 3

      It does seem to be dying. I used to come on here several times a day. Now I might come by once a week. Mostly hoping the old site would reappear. Sad watching a once great site die.

    2. Re:Slashdot Serves Up Epic Fail Beta by Kimomaru · · Score: 2

      It looks fine, but it's too fancy for my taste. Personally, when someone tries to doll up a site to make it prettier, it always kind of irks me. It feels like it's losing its quality, so they have to compensate by making it prettier. I'm sure that's not the case here, but let's drop this redesign stuff. Unless you make it easier to navigate with a text-based browser.

  4. Image/text only ads by El_Muerte_TDS · · Score: 5, Insightful

    This wouldn't be an issue if they could only serve image or text only ads. Possible image based exploits can easily be prevented by re-saving the uploaded image so that the image only contains valid content.

    But no, ad farms want to provide functionality to reach maximum annoyance for the users. You can blame Java all you want, but it's not the source of this problem.
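
The re-save step suggested in the comment above, as an added example (not code from the thread or from any ad network): a standard-library Python routine that rebuilds an uploaded PNG from its validated header, palette and pixel stream only, so text chunks and bytes appended after the image are dropped. It stands in for a full decode and re-encode in an image library and refuses interlaced files; `resave_png`, `make_sample`, the size limit and the sample bytes are all constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
FORMATS = {0: (1, (1, 2, 4, 8, 16)), 2: (3, (8, 16)), 3: (1, (1, 2, 4, 8)),
           4: (2, (8, 16)), 6: (4, (8, 16))}   # colour type: (samples, bit depths)
KEEP = {b"PLTE": 768, b"tRNS": 256}   # rendering chunks kept, with size caps
MAX_PIXELS = 4096 * 4096              # assumed upload limit


def chunk(ctype, data):
    """Serialise one chunk: length, type, data, CRC-32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))


def read_chunks(blob):
    """Return [(type, data)] up to IEND; reject bad framing or CRCs."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, out = len(PNG_SIG), []
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated chunk")
        body = blob[pos + 4:end - 4]
        if struct.unpack(">I", blob[end - 4:end])[0] != zlib.crc32(body):
            raise ValueError("bad CRC")
        out.append((body[:4], body[4:]))
        if body[:4] == b"IEND":
            return out   # bytes after IEND are never copied
        pos = end
    raise ValueError("missing IEND")


def resave_png(blob):
    """Rebuild a PNG from validated header, palette and pixel data only."""
    chunks = read_chunks(blob)
    if chunks[0][0] != b"IHDR" or len(chunks[0][1]) != 13:
        raise ValueError("IHDR must be first")
    w, h, depth, ctype, comp, filt, lace = struct.unpack(">IIBBBBB", chunks[0][1])
    if ctype not in FORMATS or depth not in FORMATS[ctype][1] or comp or filt:
        raise ValueError("unsupported header")
    if lace or not 0 < w * h <= MAX_PIXELS:
        raise ValueError("interlaced or oversized image refused")
    stride = 1 + (w * FORMATS[ctype][0] * depth + 7) // 8   # filter byte + row
    inflater = zlib.decompressobj()
    try:   # bounded output: a decompression bomb stops at stride * h + 1 bytes
        idat = b"".join(d for t, d in chunks if t == b"IDAT")
        raw = inflater.decompress(idat, stride * h + 1)
    except zlib.error as exc:
        raise ValueError("corrupt pixel stream") from exc
    if len(raw) != stride * h or not inflater.eof or inflater.unused_data:
        raise ValueError("pixel data does not match header")
    if any(raw[r * stride] > 4 for r in range(h)):
        raise ValueError("invalid scanline filter")
    out = [PNG_SIG, chunk(b"IHDR", struct.pack(">IIBBBBB", w, h, depth, ctype, 0, 0, 0))]
    out += [chunk(t, d) for t, d in chunks if t in KEEP and len(d) <= KEEP[t]]
    out += [chunk(b"IDAT", zlib.compress(raw)), chunk(b"IEND", b"")]
    return b"".join(out)


def make_sample():
    """Constructed upload: 2x2 RGB image, a text chunk, bytes after IEND."""
    raw = b"".join(b"\x00" + bytes([10 * r, 20, 30, 40, 50, 60]) for r in range(2))
    return (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0))
            + chunk(b"tEXt", b"Comment\x00<script>constructed</script>")
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")
            + b"TRAILING-CONSTRUCTED-PAYLOAD")


if __name__ == "__main__":
    print([t.decode() for t, _ in read_chunks(resave_png(make_sample()))])
```

A file that fails any check raises `ValueError` and is rejected rather than repaired. Re-saving only constrains the image itself; it does nothing about ad tags that carry script, which is the case the replies below discuss.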

    1. Re:Image/text only ads by Anonymous Coward · · Score: 4, Insightful

      Indeed, the ad ops teams that "screen" these ads can't read code, and even if they could, the code in the ad tags is "minified" JS and they just can't logistically read each ad tag because of the sheer number of ads they need to run each day/week.

      If Java didn't exist, nor Flash or Acrobat, these criminals would STILL be using the ad networks to compromise the browser itself. That's not to say the plugin model is a good one, but it's important to focus on the real problem.

      This is true for all websites too. I suspect the WashPo uses the same ad ops standards Yahoo does, same as Slashdot, same as everyone. It's ad networks running arbitrary, 3rd-party, unknown code on users' machines that's really fucking dangerous.

    2. Re:Image/text only ads by SpaceLifeForm · · Score: 3, Interesting

      Ask yourself this: How many ad farms are really NSA operations?

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    3. Re:Image/text only ads by digitalaudiorock · · Score: 3, Interesting

      I use NoScript all the time. Just recently...the last few weeks actually...I started noticing that a number of things on yahoo finance just plain stopped working because they required javascript from yimg.com...as if I'm going to allow that...ffs.

    4. Re:Image/text only ads by Ol Olsoc · · Score: 2

      > I use NoScript all the time. Just recently...the last few weeks actually...I started noticing that a number of things on yahoo finance just plain stopped working because they required javascript from yimg.com...as if I'm going to allow that...ffs.

      Last few weeks? You're lucky.

      I did a script check on some sites recently. Just kept enabling them until the sites worked. Ones like the New York Times had dozens of scripts that had to be enabled just to see the content. Yahoo is bad enough, but nowhere near the worst. They really do want you to allow facebook in order to see or comment.

      And that's the interesting part. Facebook and twitter - and of course Google in one form or another are tracking you even if you've never been to the respective sites.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  5. Source Unknown? by Anonymous Coward · · Score: 5, Interesting

    Source unknown? Bullshit! Yahoo didn't run the ads without payment. Payment == traceable. Or is Yahoo accepting Bitcoins now?

    1. Re:Source Unknown? by KingOfBLASH · · Score: 2

      No they're just going to blame the NSA for being malicious hackers, and skip over taking any sort of responsibility for the situation.

    2. Re:Source Unknown? by hawguy · · Score: 2

      > Source unknown? Bullshit! Yahoo didn't run the ads without payment. Payment == traceable. Or is Yahoo accepting Bitcoins now?

      Unless, of course, payment==stolen credit card number.

  6. adaware by fermion · · Score: 5, Interesting

    It has been my contention that when websites no longer serve malware through Ads, then they can start complaining that users block ads. This is not an uncommon occurrence, even for large websites, and the fix is not always immediate. I recall not that long ago when the New York Times was serving malware for the entire weekend.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    1. Re:adaware by Anonymous Brave Guy · · Score: 4, Informative

      > It has been my contention that when websites no longer serve malware through Ads, then they can start complaining that users block ads.

      Indeed. I block 100% of ads my tools can identify, I consider this a routine security precaution, and I make no exceptions. Sorry to the honest site operators, I won't take offence if you decide to block me because I block your ads, but no, I won't whitelist you. This became my policy shortly after the only virus infection I've ever been aware of picking up on any computer I operate, which was a Java zero day exploit I picked up browsing normally reputable tech news sites.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  7. And this is why... by bmo · · Score: 3, Insightful

    ... using ad blocking and/or host files to deep-six ad networks not only produces a nicer user experience, but it's a valid security measure.

    Trusting the web site is not enough. You have to trust the ad network too. Since any Joe Schmoe can buy ad space on an ad network, trusting the ad network means you're trusting Joe Schmoe.

    I don't know about you guys, but I don't.

    --
    BMO

    1. Re:And this is why... by gstoddart · · Score: 3, Interesting

      > /Does Chrome have a proper NoScript equivalent yet?

      ScriptSafe + DoNotTrackMe + Ghostery + AdBlockPlus are what I have in Chrome.

      ScriptSafe does about the same as NoScript.

      --
      Lost at C:>. Found at C.
  8. Yahoo is getting worse everyday by Anonymous Coward · · Score: 3, Insightful

    New Yahoo Mail = complete unusable dog shit

    New Flickr = complete fuck up! They don't even read user feedback.

    New Ad delivery = source of malware! Even porn sites don't do that.

    1. Re:Yahoo is getting worse everyday by Anonymous Coward · · Score: 5, Interesting

      yep, blocked *.yahoo at the point I noticed them installing pseudo-malware with uTorrent (the persistent default search engine replacement software which uses far more CPU time than something that supposedly just monitors search engine settings and resets them to Yahoo should. It was very malware like in its choice of installation folder too and of course the fact it was both unwanted and self-repairing)

      once a company starts doing that shit they end up on my block list, permanently. uTorrent made it too for bundling the crap.

      sounds like I dodged a bullet by having them blocked.

  9. Re:"has become"? by Anonymous Coward · · Score: 2, Insightful

    Not sure if parent is trolling, or just confused.

    Most of us know the difference between Java (a perfectly secure language) and the ability to run applets in a browser (a feature that can be exploited if the sandboxing is insecure). It doesn't matter whether we're talking about Java Applets or ActiveX. Hell, even interactive PDF forms have been used as attack vectors.

  10. Reminder... by ameline · · Score: 2

    > "The Washington Post cites this incident as a reminder that Java has become an Internet security menace."

    That should read "The Washington Post cites this incident as a reminder that advertising has become an Internet security menace."

    Adblock+ -- part of a sensible security policy.

    --
    Ian Ameline
  11. Yahoo knows by EmperorOfCanada · · Score: 4, Insightful

    The moment that Yahoo allowed advertisers to use Java they knew that minimally those ads would be used to annoy the crap out of the users. If your ad is a static picture with a clickable link then you don't need Java. What you need Java for is to start prying into the user's business. Animations, sound, geolocations, saving data to the user's machine. So any "legitimate" ad using Java is halfway to being malware already. Plus why use Java instead of Flash? Generally ads should be made by Graphic artist types who are more familiar with Flash. Thus the primary reason to use Java is to access some feature that Flash has blocked in Flash.

    So if your goal with a Java ad is to circumvent something that Adobe has blocked then it probably should remain blocked. On top of that most users have turned off Java so it can't be to reach a wider audience.

    So when Yahoo allows advertisers to use Java they knew perfectly well that the advertisers were up to no good whatsoever. Their acting surprised that some of the scumbags took it even further is total BS.

    Basically at this point, anyone who has Java turned on in the browser is the same as having a house with a week's worth of newspapers stacked up at the front door. Effectively a greeting card inviting the criminals in.

  12. Re:This justifies my habits ... by giantgeek · · Score: 2

    > The Washington Post cites this incident as a reminder that Java has become an Internet security menace.

    You can read about Java as the Internet security menace in the link above, but first you need to enable Java Script to read the article.

    --
    new letter/phrase: hex-u means "www"
  13. Thousands? by wonkey_monkey · · Score: 2

    > Yahoo Advertising Serves Up Malware For Thousands

    > The attack, which lasted several days... the infection rate was at about 27,000 infections per hour.

    That's nearly 2 million at least. C'mon Slashdot, it's not like you to supply a less sensational headline than necessary.

    --
    systemd is Roko's Basilisk.
  14. Yahoo doesn't immediately know by viperidaenz · · Score: 3, Insightful

    The ad didn't contain a Java applet.
    It directed people to a website that then delivered the malware. Apparently it automatically redirected the browser, but that hasn't been confirmed.

    So Yahoo allow Javascript in the ads, not Java.

  15. Freaking ad networks by Dega704 · · Score: 2, Informative

    Hence why I advise people to install AdBlock on their browsers. The way things have been for the past few years, it's probably more effective than antivirus software. (Before you flame me, I am speaking tongue-in-cheek. You really should have both.)

  16. Re:But does it run on Linux? by asmkm22 · · Score: 2

    Did you even read the articles, or did you just click the first link in the summary and call it a day? The one linking specifically to Fox IT's blog, which is the source of this discovery, goes into great detail about this. They specifically mention the following:

    This exploit kit exploits vulnerabilities in Java and installs a host of different malware including:

    ZeuS
    Andromeda
    Dorkbot/Ngrbot
    Advertisement clicking malware
    Tinba/Zusy
    Necurs

  17. Re:But does it run on Linux? by mspohr · · Score: 2

    But do any of these run on Linux.. or Mac OSX?
    I guess we should just assume that they all run on Windows although the article is silent on this subject.
    Does any antivirus program detect or block any of these?
    What should I do if I think I have been "exposed"?

    Useless articles.

    --
    I don't read your sig. Why are you reading mine?
  18. Flash is a major resource hog, too by knorthern knight · · Score: 2

    I don't have Java installed. I run linux, but Java is cross-platform, and I don't fall into the "it can't happen here" camp. Besides, I save a few hundred megabytes of disk space by not installing Java.

    Flash is another issue altogether. I follow one forum that autoruns Flash movie ads on occasion. If you hovered over the ad, it would enable sound too. Firefox used to lock up for a few minutes. Running with system load = 3 or 4, on a 2-core machine is begging for thrashing/near-lockup.

    I now use 2 browsers...
    1) one browser has Flash disabled entirely
    2) the other one I launch when I see a link to Youtube/whatever. When the video finishes, I close it. The taskbar has a mini-version of "top" running. Sometimes, after turning off the Flash browser, I'll watch the system load fall from 1.3 down to 0.3... satisfying.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
  19. Re:Browser addons noted = inferior to hosts by PNutts · · Score: 2

    Why do apk's posts remind me of reading a Dr. Bronner's soap label?

  20. Malwarebytes Anti-Exploit Beta by PNutts · · Score: 2

    A/V doesn't protect against a lot of this stuff. Malwarebytes has a new anti-exploit beta for us Windows folks.

    From the FAQ:

    17- What techniques does MBAE use to detect and block exploits?

    MBAE incorporates multiple exploit detection and blocking techniques at different stages of the typical exploit attack to provide a truly complete solution against all types of current and future exploits.
      Stage 1 Layer: This layer of MBAE incorporates multiple techniques to detect and block exploits during stage 1 of the exploit attack, before the shellcode is allowed to run. In some cases, MBAE detects and prevents exploits before the operating system Data Execution Protection (DEP) protection.
      Stage 2 Layer: This layer of MBAE incorporates multiple memory protection and payload execution techniques which prevent exploits from executing their stage 2 payload, thereby protecting the computer even if operating system protections and stage 1 protection techniques have been bypassed.

  21. Yes, really by cbhacking · · Score: 4, Informative

    With all due respect, his post was a lot more insightful than yours. You don't appear to know what you're talking about.

    First of all, "deployed the same way" as in "deployed using an HTML <object> or <applet> element that instructs the browser to download and execute the code". The Microsoft Visual C++ redistributable runtime does not include any such mechanism for deploying C++ code. For that matter, not all Java runtime installations do either.

    Second, just what do you think ActiveX is programmed in? Hint: it's not its own language. It's a packaging system for COM classes, which are almost without exclusion written in C++, and it *is* possible to deploy and run it in the browser in much the same way as Java applets (object tags). Unlike Java, they run with basically no sandbox but instead require considerable amounts of confirmation before they download. The idea is that they are powerful but unsafe, so only use the ones that you trust. Unfortunately, a number of pre-installed ActiveX controls on Windows have security vulnerabilities in them, so an attacker who finds a way to exploit one of those pre-installed ones doesn't need to get the user to download anything. Hence the way that modern versions of IE require the user to confirm before running an ActiveX control that they've not previously indicated that they trust (and also give you an ability to disable ActiveX completely or only enable it on a site-by-site basis).

    I don't care for the Java installer any more than you do, but the security issues with Java applets have literally nothing to do with the language. The only way you could say Java itself is at fault is if you were to argue that Java shouldn't have any OS bindings at all (that is, no ability to access the file system, no ability to create processes, no ability to open network sockets, etc.). This is essentially the situation with JavaScript, of course; while the Java applet sandbox tries to *restrict* the use of functionality like I just mentioned, the JavaScript runtime (as found in browsers) simply lacks APIs to access such risky features. Even there, though, that's not a characteristic of the JavaScript *language* but merely of the sandboxed runtime used to execute JS in the browser. Other uses of JS, ranging from Windows Script Host to Node.JS, are perfectly capable of doing such things.

    --
    There's no place I could be, since I've found Serenity...