Slashdot Mirror


Google's Doubleclick Ad Servers Exposed Millions of Computers To Malware

wabrandsma (2551008) writes with this excerpt from The Verge: Last night, researchers at Malwarebytes noticed strange behavior on sites like Last.fm, The Times of Israel and The Jerusalem Post. Ads on the sites were being unusually aggressive, setting off anti-virus warnings and raising flags in a number of Malwarebytes systems. After some digging, researcher Jerome Segura realized the problem was coming from Google's DoubleClick ad servers and the popular Zedo ad agency. Together, they were serving up malicious ads designed to spread the recently identified Zemot malware. A Google representative has confirmed the breach, saying "our team is aware of this and has taken steps to shut this down."

7 of 226 comments

  1. No surprise by networkzombie · Score: 5, Interesting

    I have been blocking doubleclick on the corporate firewall for years, and in every hosts file I come in contact with. No one ever complained, but now if they do, I have ammunition. If you serve up a web site, you should personally vouch for not only the product you are advertising, but the source of the advert as well. I blame Google for placing advertising dollars above their users (I know, they don't have users, they have sheep for fleecing).

  2. Re:And there's the reason why... by MightyYar · Score: 3, Interesting

    you will not be able to view the content.

    Sounds like a challenge!

    (Not a very hard one, but a challenge nonetheless)

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.

  3. Re:And they wonder why I block ads... by sexconker · Score: 4, Interesting

    Sometimes pages serve content from a different domain but that is rare enough to manage manually.

    Not anymore.
    Far too many sites (/. included) have or use a CDN for content.
    And they will fetch at least half a dozen scripts for bookmarking/sharing with facebook/linkedin/tumblr/twitter/pinterest/googlehangouts/etc
    Then, they'll try and fetch a non-zero number of tracking/website monitoring scripts.

    Ghostery says http://slashdot.org/images/njs.gif is a 1x1 pixel tracker for WebTrends.

    None of that shit is "content" that I want to load, and most of the time blocking it all has little to no effect on the content I want to see.

  4. Re: And they wonder why I block ads... by Anonymous Coward · Score: 2, Interesting

    Yeah, we get that, but you know what? Serve up simple JPEG ads, non executable, and refuse anything else. That will kill all malware on your ad server. Don't do that, and a lot of people are going to block ads, and you can monetize that right up your ass. There's no reason at all to have anything in an ad on a website other than images and text. Filter everything else, or die.

    Maybe we could make an ad blocker to enforce that? I understand double click needs scripts to track ad effectiveness, but there's no excuse for serving up ads from their customers containing executable content, in the age of giganame password/credit card leaks. None at all.
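The "images only, refuse anything else" filter proposed in the comment above, sketched as an added example (not part of the original thread, and not any ad server's actual code): an intake check that accepts an upload only if it parses as exactly one JPEG stream, so a file with the wrong type or with extra bytes after the image is refused. The names `check_jpeg`, `_seg` and `SAMPLE` are hypothetical, and the sample bytes are constructed for the example.

```python
import struct

# Bytes that may follow 0xFF inside scan data without starting a new segment:
# 0x00 (stuffing), 0xFF (fill) and the restart markers RST0..RST7.
IN_SCAN = {0x00, 0xFF} | set(range(0xD0, 0xD8))

def check_jpeg(data: bytes) -> tuple[bool, str]:
    """Return (True, "ok") only if data is exactly one well-formed JPEG stream."""
    if data[:2] != b"\xff\xd8":
        return False, "missing SOI marker"
    pos, seen_frame, seen_scan = 2, False, False
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False, f"expected marker at offset {pos}"
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                      # EOI must be the last two bytes
            if not (seen_frame and seen_scan):
                return False, "EOI before image data"
            if pos + 2 != len(data):
                return False, "trailing data after EOI"
            return True, "ok"
        if marker in IN_SCAN or marker in (0x01, 0xD8):
            return False, f"unexpected marker 0x{marker:02x}"
        if pos + 4 > len(data):
            return False, "truncated segment"
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seglen < 2 or pos + 2 + seglen > len(data):
            return False, "bad segment length"
        # SOFn markers are 0xC0..0xCF except DHT (C4), JPG (C8) and DAC (CC).
        seen_frame |= 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC)
        pos += 2 + seglen
        if marker == 0xDA:                      # SOS: skip entropy-coded data
            seen_scan = True
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] not in IN_SCAN):
                pos += 1
    return False, "missing EOI marker"

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: structurally minimal JPEG, not a viewable picture.
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00" + bytes(9)) + _seg(0xC0, bytes(9))
          + _seg(0xDA, bytes(6)) + b"\x12\xff\x00\x34" + b"\xff\xd9")
```

This check only validates container structure; it does not decode the image, so re-encoding accepted files server-side is a common additional step.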

  5. Popular Zedo? Really? by cant_get_a_good_nick · Score: 4, Interesting

    I worked at Zedo pretty early on. I did a year there, pretty much exactly year 2000 (now coworkers now know who I am).

    I was their C guy, did an apache module for the adserver, and some mild javascript work until they got a better Javascript coder than me. I also helped out a bit in Java and DB work, and most of the Linux/FreeBSD sysadmin for a bit. We were in a small live-work loft in SOMA where I walked through two slums to get to work.

    In the beginning, it was about "choice". We had a small on page ad client. At first a Java one, then a Javascript one, with a GUI that let you choose your ad. It was new, different, and a way to try to get people the ads they want and not have to keep huge track of users. (You can check the patent out if you like though I can tell you this was theoretical design and it wasn't built this way). It put the emphasis on the ad, not on the tracking. Ads needed to be designed to be engaging or they'd just be skipped. We kept track of your ad choices, not your pages. It was fun, true startup culture. We were going after the (then) mighty Doubleclick, railing the fact that they stored too much info. I remember tailing the server logs on our first paying gig, cheering as I noticed the URI fragment for the first ad clickthru. We checked the guy's IP address, noticed he had an ICQ run webserver on his box, and talked to him over ICQ thanking him for clicking. In hindsight, yeah, that must have freaked him out.

    We didn't see Google coming to crush the ad market at all. I had already left but I'm sure Google's elephant sized footprints in the market made them radically change their business plan. I didn't talk to them much, and on the web I read stories about intrusive Zedo cookies, heard them called "king of the popunder" and heard stories about "popup blocker blockers". This made me a bit sad, why do all that? But I guess you either do that, or throw in the towel and close up shop. I can't say what I'd do if it was my savings on the line.

    As an aside (always a tangent!) I had an 8MM videocamera. Though I filmed some stuff in San Francisco (hey Dave, any news on the video for me?) I always wanted to film us. But I couldn't both work and film. I was actually slightly pissed when Startup.com came out. Hey that was my idea! But you can't objectively film what you're in.

  6. Re:And they wonder why I block ads... by martin-boundary · Score: 4, Interesting

    Actually, I block ads because I *can*.

    This whole idea that seems to be pervasive on the net that I should find a "legitimate" excuse to block out the commercial crap that ad companies want to stick down my throat is insidious. I don't need an excuse like "it's malware", I reserve the right to filter out any and all information I don't like. I reserve the right to pick and choose the fonts, to pick and choose the colours, to pick and choose the pictures, and to pick and choose the bits of content of every web page that's offered to me.

    I don't accept package deals. I don't care about the experience the content provider wants me to have. I don't care that companies have stupid business models where they try to sell ad space, or try to collect my data to make their ends meet. It's not my problem, and I'll ignore it just because I feel like it. The fact that I'm also blocking malware is just icing on the cake. And if I'm bored, I'll teach others how to do all that too. Just because I'm bored.

    I'm not some guest on somebody else's net, where I'm supposed to stay inside a walled garden of bullshit and I need permission to sit down on a chair. It's as much my web as everyone else's, and I'll do what I please with the bits going through my section of tube, malware or no malware.

  7. Re:And they wonder why I block ads... by hairyfeet · Score: 3, Interesting

    Obviously you've never loaded one of the "aggressive" flash ads with a bunch of buttons and clickable crap built into the animation? Because I have seen one of those drag a 3GHz quad down to a crawl thanks to all the crap it's trying to render being spread like the clap across a dozen CDNs, half of whom take forever and a day to respond or time out, which causes it to call the next CDN in its list...yeah sorry but the new ads are even nastier than you can imagine.

    If you want to see it for yourself just surf some "mainstream" sites like CNN, AOL, Yahoo "News" and the like for a couple hours with no adblocking, just be sure to have an offline disc image so you can blast the OS and restore from images. Hell I used to use a VM at the shop to let an image get the latest drive bys to test various AVs and stay up to date on removal methods but not anymore, with the latest bloated mess called "interactive ads" I had to quit because even with a C2D doing nothing but running the VM those bastards would slam it so hard I'd be lucky if I could kill the VM, it would just redline the cores to the firewall, nasty shit. Maybe if I slapped in a C2Q and limited the VM to only 2 or 3 cores I could do it again but frankly articles like this only prove my theory correct, back up any precious memories, nuke the OS, and make sure they have a choice of browsers with ABP loaded into all of them.

    Oh and just FYI since insisting that my customers only use browsers I've preloaded with ABP? I've watched infections disappear, even my most clueless click happy customers only have to call me for hardware or networking issues. Of course it turned out just as I told my clueless former boss it would, because I'm "the guy that builds PCs so they don't mess up" I get referrals up the ying yang so I don't have to worry about repeat business, they are happy to tell everybody and their dog the ONLY place they should get a PC fixed or have one worked on is from/by me.

    --
    ACs don't waste your time replying, your posts are never seen by me.