Google's Doubleclick Ad Servers Exposed Millions of Computers To Malware

← Back to Stories (view on slashdot.org)

Google's Doubleclick Ad Servers Exposed Millions of Computers To Malware

Posted by timothy on Friday September 19, 2014 @10:59AM from the but-zedo-is-awesome dept.

wabrandsma (2551008) writes with this excerpt from The Verge: Last night, researchers at Malwarebytes noticed strange behavior on sites like Last.fm, The Times of Israel and The Jerusalem Post. Ads on the sites were being unusually aggressive, setting off anti-virus warnings and raising flags in a number of Malwarebytes systems. After some digging, researcher Jerome Segura realized the problem was coming from Google's DoubleClick ad servers and the popular Zedo ad agency. Together, they were serving up malicious ads designed to spread the recently identified Zemot malware. A Google representative has confirmed the breach, saying "our team is aware of this and has taken steps to shut this down."

22 of 226 comments (clear)

Min score:

Reason:

Sort:

And they wonder why I block ads... by Derekloffin · 2014-09-19 11:03 · Score: 5, Insightful

It is stuff like this that just demonstrates how annoying the internet ad delivery mechanisms are. Not only are they intrusive, bandwidth wasting, and often impairing my user experience, they can also spread malware.
1. Re:And they wonder why I block ads... by UnknownSoldier · 2014-09-19 11:05 · Score: 5, Insightful
  
  Indeed.
  My hosts file (across my Windows, Linux, and OSX) machines have been using the excellent MSVP hosts (http://winhelp2002.mvps.org/hosts.htm) for years.
  Plus, it speeds up internet browsing instead of having the browser ping 10+ different domains.
2. Re:And they wonder why I block ads... by amiga3D · 2014-09-19 11:06 · Score: 5, Funny
  
  I always though doubleclick was a malware site. You mean it's not? Or it wasn't but now it is?
3. Re: And they wonder why I block ads... by Anonymous Coward · 2014-09-19 11:25 · Score: 5, Informative
  
  Just use adblock+. It is much faster.
4. Re:And they wonder why I block ads... by TubeSteak · 2014-09-19 11:33 · Score: 5, Informative
  
  Sometimes pages serves content from a different domain but that is rare enough to manage manually.
  Not anymore.
  Far too many sites (/. included) have or use a CDN for content.
  And they will fetch at least half a dozen scripts for bookmarking/sharing with facebook/linkedin/tumblr/twitter/pinterest/googlehangouts/etc
  Then, they'll try and fetch a non-zero number of tracking/website monitoring scripts.
  Ghostery says http://slashdot.org/images/njs.gif is a 1x1 pixel tracker for WebTrends.
  
  --
  [Fuck Beta]
  o0t!
5. Re:And they wonder why I block ads... by sexconker · 2014-09-19 11:49 · Score: 4, Interesting
  
  Sometimes pages serves content from a different domain but that is rare enough to manage manually.
  Not anymore.
  Far too many sites (/. included) have or use a CDN for content.
  And they will fetch at least half a dozen scripts for bookmarking/sharing with facebook/linkedin/tumblr/twitter/pinterest/googlehangouts/etc
  Then, they'll try and fetch a non-zero number of tracking/website monitoring scripts.
  Ghostery says http://slashdot.org/images/njs.gif is a 1x1 pixel tracker for WebTrends.
  None of that shit is "content" that I want to load, and most of the time blocking it all has little to no effect on the content I want to see.
6. Re:And they wonder why I block ads... by TrollstonButterbeans · 2014-09-19 11:53 · Score: 3, Insightful
  
  Wastes bandwidth, chews up CPU, blasts noise at you and with 57 tabs open it is hard to tell from where, starts videos, does crappy things if you accidentally hover the mouse over the window.
  
  And spread malware.
  
  I use AdBlock Plus, of course. With Flashblock carrying the other half of the burden.
  
  I am happy these jerks almost exclusively use Flash, HTML5 scares the shit out of me.
  
  --
  Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
7. Re: And they wonder why I block ads... by gman003 · 2014-09-19 13:36 · Score: 3, Informative
  
  Depends on the browser - IIRC on Chrome, it can't prevent ads from being downloaded, it can only prevent them from rendering. Or at least that was the case several years ago, maybe Chrome's added the APIs for it by now.
8. Re:And they wonder why I block ads... by martin-boundary · 2014-09-19 19:49 · Score: 4, Interesting
  
  Actually, I block ads because I *can*.
  This whole idea that seems to be pervasive on the net that I should find a "legitimate" excuse to block out the commercial crap that ad companies want to stick down my throat is insidious. l don't need an excuse like "it's malware", I reserve the right to filter out any and all information I don't like. I reserve the right to pick and choose the fonts, to pick and choose the colours, to pick and choose the pictures, and to pick and choose the bits of content of every web page that's offered to me.
  I don't accept package deals. I don't care about the experience the content provider wants me to have. I don't care that companies have stupid business models where they try to sell ad space, or try to collect my data to make their ends meet. It's not my problem, and I'll ignore it just because I feel like it. The fact that I'm also blocking malware is just icing on the cake. And if I'm bored, I'll teach others how to do all that too. Just because I'm bored.
  I'm not some guest on somebody else's net, where I'm supposed to stay inside a walled garden of bullshit and I need permission to sit down on a chair. It's as much my web as everyone else's, and I'll do what I please with the bits going through my section of tube, malwaew or no malware.
9. Re:And they wonder why I block ads... by hairyfeet · 2014-09-19 19:52 · Score: 3, Interesting
  
  Obviously you've never loaded one of the "aggressive" flash ads with a bunch of buttons and clickable crap built into the animation? Because I have seen one of those drag a 3GHz quad down to a crawl thanks to all the crap its trying to render being spread like the clap across a dozen CDNs, half of whom take forever and a day to respond or time out, which causes it to call the next CDN in its list...yeah sorry but the new ads are even nastier than you can imagine.
  If you want to see it for yourself just surf some "mainstream" sites like CNN, AOL, Yahoo "News" and the like for a couple hours with no adblocking, just be sure to have an offline disc image so you can blast the OS and restore from images. Hell I used to use a VM at the shop to let an image get the latest drive bys to test various AVs and stay up to date on removal methods but not anymore, with the latest bloated mess called "interactive ads" I had to quit because even with a C2D doing nothing but running the VM those bastards would slam it so hard I'd be lucky if I could kill the VM, it would just redline the cores to the firewall, nasty shit. Maybe if I slapped in a C2Q and limited the VM to only 2 or 3 cores I could do it again but frankly articles like this only prove my theory correct, back any precious memories, nuke the OS, and make sure they have a choice of browsers with ABP loaded into all of them.
  Oh and just FYI since insisting that my customers only use browsers I've preloaded with ABP? I've watched infections disappear, even my most clueless click happy customers only have to call me for hardware or networking issues. Of course it turned out just as I told my clueless former boss it would, because I'm "the guy that builds PCs so they don't mess up" I get referrals up the ying yang so I don't have to worry about repeat business, they are happy to tell everybody and their dog the ONLY place they should get a PC fixed or have one worked on is from/by me.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
And there's the reason why... by Anonymous Coward · 2014-09-19 11:05 · Score: 5, Insightful

I use Adblockers / flashblocker and NoScript.
And I utterly will not reconsider for any reason.
1. Re:And there's the reason why... by MightyYar · 2014-09-19 11:30 · Score: 3, Interesting
  
  you will not be able to view the content.
  Sounds like a challenge!
  (Not a very hard one, but a challenge nonetheless)
  
  --
  W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
2. Re:And there's the reason why... by reikae · 2014-09-19 11:44 · Score: 3, Insightful
  
  I can't think of any website I wanted to visit this year but couldn't due to adblocking. I doubt it's necessary to reconsider any time soon. Even then, I'll first look into alternative websites.
3. Re:And there's the reason why... by sexconker · 2014-09-19 11:50 · Score: 4, Insightful
  
  Wrong.
  Right now, there are a few sites (majorgeeks) that ask you to please allow ads because that's what pays for the site and others simply refuse entry.
  You will reconsider when sites tell you to disable all ad blockers and hosts files that block ad sites or you will not be able to view the content.
  Wrong. The only thing I'll reconsider is visiting those sites.
4. Re:And there's the reason why... by Anonymous Coward · 2014-09-19 13:35 · Score: 4, Informative
  
  I just checked both of the sites you mention, and they show up just fine with no warnings or kick-out messages.
  You just have to live with the fact that they both look like they were made in 1996, with no CSS or fancy layouts.
  You don't see it? Here's why:
  - Firefox (current version, just update as they do, no need to hold back)
  - AdBlock+ (to block ad server requests before they ever happen)
  - FlashBlock (to stop execution of Flash objects post-load, but pre-run)
  - NoScript (to whitelist Javascript execution)
  - RequestPolicy (to whitelist Javascript remote loading)
  - NoRedirect (because some sites use an onLoad Javascript to remove a time-delayed meta redirect that kicks you to a "use javascript or die" page)
  - Ghostery (to refuse all sorts of nasties)
  - Click To Play per-element (to put Firefox back to pre-24 behavior for FlashBlock)
  - Click to play switch (to allow me to toggle the above click-to-play modifier)
  I haven't met a site yet that can stop me from browsing any part of it I want. Couple it with Firebug and good old Web Developer Toolbar, and I can extract things they think are hidden.
  That's the problem with all these stupid newbies on the 'net these days: they just don't know how shit works. It's like old-school management just gave them a full-on stupid transplant, and they think they rule the world because they use a frickin' Mac. Nevermind the fact that Mac users are generally about as far removed from "how shit really works" as any computer user can actually get without shorting out their keyboard from the drool.
  No offense if you don't fall into that category. I'm just ranting now. You, in fact, seem to be one of the sane people that blocks all of this crap up front. Just don't give up on getting whatever you want just because they throw up a full-screen div overlay. Nuke that shit from orbit with whatever tools you have, and for god's sake, don't be afraid to use an HTTP mimic tool to scrape whatever you damned well please.
Don't Be Evil by Anonymous Coward · 2014-09-19 11:20 · Score: 3, Funny

Stupidity is sufficient.
No surprise by networkzombie · 2014-09-19 11:22 · Score: 5, Interesting

I have been blocking doubleclick on the corporate firewall for years, and in every hosts file I come in contact with. No one ever complained, but now if they do, I have ammunition. If you serve up a web site, you should personally vouch for not only the product you are advertising, but the source of the advert as well. I blame Google for placing advertising dollars above their users (I know, they don't have users, they have sheep for fleecing).
Re:Google = Direct arm of the CIA/NSA by BenSchuarmer · 2014-09-19 11:25 · Score: 3, Funny

You're wrong!
The CIA and NSA are direct arms of Google.
Yup by Anonymous Coward · 2014-09-19 11:25 · Score: 4, Informative

So to all those site operators that cry foul when I say I block all ads all the time: This would be why. It's not because I object to being shown products I might be interested in. It's not because I'm trying to hurt your revenue stream. It's because ad delivery servers are so ubiquitous, they're a major malware vector.
Sorry, but funding your site is not worth my entire network getting infected. You want me to change, lean on the advertisers to stop pushing security responsibility solely on the end user.
Ad Blockers... by Dega704 · 2014-09-19 11:28 · Score: 5, Informative

One of the best endpoint security tools you can deploy.
Just say block by Animats · 2014-09-19 11:39 · Score: 4, Insightful

DoublcClick has such negative value that their servers should be blocked at firewalls, or at least "host.txt". Even if you have AdBlock, blocking them earlier saves bandwidth.
Popular Zedo? Really? by cant_get_a_good_nick · 2014-09-19 17:29 · Score: 4, Interesting

I worked at Zedo pretty early on. I did a year there, pretty much exactly year 2000 (now coworkers now know who I am).
I was their C guy, did an apache module for the adserver, and some mild javascript work until they got a better Javascript coder than me. I also helped out a bit in Java and DB work, and most of the Linux/FreeBSD sysadmin for a bit. We were in a small live-work loft in SOMA where I walked through two slums to get to work.
In the beginning, it was about "choice". We had a small on page ad client. At first a Java one, then a Javascript one, with a GUI that let you choose your ad. It was new, different, and a way to try to get people the ads they want and not have to keep huge track of users. (You can check the patent out if you like though I can tell you this was theoretical design and it wasn't built this way). It put the emphasis on the ad, not on the tracking. Ads needed to be designed to be engaging or they'd just be skipped. We kept track of your ad choices, not your pages. It was fun, true startup culture. We were going after the (then) mighty Doubleclick, railing the fact that they stored too much info. I remember tailing the server logs on our first paying gig, cheering as I noticed the URI fragment for the first ad clickthru. We checked the guys IP address, noticed he had an ICQ run webserver on his box, and talked to him over ICQ thanking him for clicking. In hindsight, yeah, that must have freaked him out.
We didn't see Google coming to crush the ad market at all. I had already left but Im sure Google's elephant sized footprints in the market made them radically change their business plan. I didn't talk to them much, and on the web I read stories about intrusive Zedo cookies, heard them called "king of the popunder" and heard stories about "popup blocker blockers". This made me a bit sad, why do all that? But I guess you either do that, or throw in the towel and close up shop. I can't say what I'd do if it was my savings on the line.
As an aside (always a tangent!) I had an 8MM videocamera. Though I filmed some stuff in San Francisco (hey Dave, any news on the video for me?) I always wanted to film us. But I couldn't both work and film. I was actually slightly pissed when Startup.com came out. Hey that was my idea! But you can't objectively film what you're in.