Major Ad Networks Found Serving Malicious Ads
Two major online ad networks--DoubleClick and MSN--were serving malware via drive-by download exploits over the last week, experts say, after a group of attackers was able to trick the networks into displaying their ads by impersonating an online advertising provider.
The scheme involved a group of attackers who registered a domain that was one letter away from that of ADShuffle.com, an online advertising technology firm. The attackers then used the fake domain--ADShufffle.com--to dupe the advertising networks into serving their malicious banner ads. The ads used various exploits to install malware on victims' PCs through drive-by downloads, according to information compiled by security vendor Armorize.
The ad networks only served the malicious content for a short period of time, but the episode shows just how difficult the drive-by download problem can be to address.
"Users visit websites that incorporate banner ads from DoubleClick or rad.msn.com, the malicious javascript is served from ADShufffle.com (notice the three f's), starts a drive-by download process and if successful, HDD Plus and other malware are installed into the victim's machine, without having the need to trick the victim into doing anything or clicking on anything. Simply visiting the page infects the visitors," Armorize CTO Wayne Huang said in a blog post describing the scheme.
"Known sites affected: Sites that incorporate DoubleClick or rad.msn.com banners, including for example Scout.com (using DoubleClick), realestate.msn.com, msnbc.com (using both), and mail.live.com. We'd like to note here it's very possible that multiple exchanges, besides those listed here, have been serving the fake ADShufffle's ads."
In some instances, the attackers used the notorious Eleonore exploit pack and the Neosploit package to accomplish the drive-by downloads. The attacks exploited a wide variety of vulnerabilities in browsers and Adobe Reader.
When a victim visited a site displaying one of the malicious banner ads, the browser rendered the ad and contacted the back-end ad server. The server pulled the ad content from ADShufffle, which used malicious JavaScript to probe for one of several vulnerabilities. The JavaScript generated a hidden iframe that loaded the Eleonore exploit pack to finish the compromise and drop malicious files onto the PC.
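As an added, defender-side illustration (not part of the original article and not Armorize's or the ad networks' tooling), the following Python script audits a banner creative the way an ad-exchange intake check might: it parses the creative's HTML, collects every external script, iframe, img, embed and object source, reduces each to its registrable domain, and reports domains that are either off the approved-advertiser list or a lookalike of an approved name (edit distance of one, or identical once repeated letters are collapsed, which is exactly how ADShufffle.com imitates ADShuffle.com). Hidden zero-size iframes, the carrier described above, are flagged separately. The sample creative and the approved-domain list are constructed for the example; the networks' real allowlists and creative formats are not described in the article.

```python
"""Audit an ad creative for off-allowlist and lookalike resource domains.

Added example, not code from the article or from any ad network. The sample
creative and the APPROVED list below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(host):
    """Reduce a hostname to its last two labels (simplification: no public-suffix list).
    IP-address hosts are returned unchanged."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"[\d.]+", host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance via the classic row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def collapse_repeats(s):
    """'adshufffle.com' -> 'adshufle.com', so doubled and tripled letters compare equal."""
    return re.sub(r"(.)\1+", r"\1", s)


def lookalike_of(domain, approved):
    """Return the approved domain that `domain` imitates, or None if it imitates none."""
    for good in approved:
        if domain == good:
            return None
        if edit_distance(domain, good) <= 1 or collapse_repeats(domain) == collapse_repeats(good):
            return good
    return None


def _is_hidden(attr):
    """Zero-sized or invisible iframes are the usual drive-by carrier inside a creative."""
    style = (attr.get("style") or "").replace(" ", "").lower()
    return (attr.get("width") == "0" or attr.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


class _SourceCollector(HTMLParser):
    """Collect the URLs of tags that pull third-party content into the page."""
    TAGS = {"script": "src", "iframe": "src", "img": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.sources = []  # list of (tag, url, attributes)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        wanted = self.TAGS.get(tag)
        if wanted and attr.get(wanted):
            self.sources.append((tag, attr[wanted], attr))


def audit_creative(html, approved):
    """Return findings as dicts {tag, domain, reason}; an empty list means the creative is clean."""
    parser = _SourceCollector()
    parser.feed(html)
    findings = []
    for tag, url, attr in parser.sources:
        host = urlparse(url).hostname
        if not host:
            continue  # relative URL: served by the ad server itself, nothing external to check
        domain = registrable_domain(host)
        if domain in approved:
            continue
        imitated = lookalike_of(domain, approved)
        reason = "lookalike of %s" % imitated if imitated else "not on allowlist"
        if tag == "iframe" and _is_hidden(attr):
            reason += "; hidden iframe"
        findings.append({"tag": tag, "domain": domain, "reason": reason})
    return findings


# Constructed allowlist and creative (hypothetical; the 198.51.100.7 address is a documentation range).
APPROVED = {"adshuffle.com", "doubleclick.net"}

SAMPLE_CREATIVE = """
<div class="banner">
  <img src="https://cdn.adshuffle.com/creative/123.png" width="728" height="90">
  <script src="http://ads.adshufffle.com/js/loader.js"></script>
  <iframe src="http://198.51.100.7/go.php" width="0" height="0" style="display:none"></iframe>
</div>
"""

if __name__ == "__main__":
    for finding in audit_creative(SAMPLE_CREATIVE, APPROVED):
        print("%-6s %-18s %s" % (finding["tag"], finding["domain"], finding["reason"]))
```

Run against the sample, the script reports the triple-f loader script as a lookalike of adshuffle.com and the zero-size iframe as an off-allowlist, hidden frame, while the legitimate adshuffle.com image passes. The two-label domain reduction is deliberately simple; a production check would use the public suffix list so that names under co.uk and similar suffixes are compared correctly.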
It's a classic drive-by download scenario, but in this case it's made all the more troublesome by the broad reach of the legitimate ad networks that were victimized by the attack. Armorize researchers contacted officials at DoubleClick after discovering the scheme.
"We reached out to DoubleClick and in less than a few hours time they arranged a meeting with a group of their experts on anti-malvertising and incidence response. We were very surprised and impressed with the speed that DoubleClick acted. We provided details, and DoubleClick said they were already on top of the issue," Huang said.
"At the same time, our CEO Caleb Sima received a private email indicating that mail.live.msn, together with other big websites, were serving drive-by downloads via malvertising. We started to investigate other ad exchanges, because it was apparent that ADShufffle.com was able to trick multiple ad exchanges into serving their malicious javascript."
A spokesman for Google, which owns DoubleClick, told the IDG News Service that the malicious ads were only being served for a short amount of time, and that the company's own malware filters detected the ads, as well.
Comments
Another good reason to use adblock and noscript
but you need firefox to use noscript... my location bar keeps on using baidu, at least in my region, with no way(?) to disable... I had to decide, do I use noscript and submit to baidu, or just boycott firefox?
It was an easy decision, by the way...
"my location bar keeps on using baidu"
You should get a new copy of Firefox if you can't change the search provider - that is not standard behaviour.
Generic options include one or more of the following:
- add doubleclick.com (and net, etc) to your hosts file, pointing to 127.0.0.1
- use a proxy, and make sure doubleclick domains are blocked.
- do the same for msn.com, if you don't normally use that service.
Cheers
I agree in general with your comment. My suggestion was specific to only two providers, which are often involved in bad activity. There are many other advertisement suppliers/methods besides msn and doubleclick.
Cheers
@Andrew, if web content providers were the SOURCE of the actual ads, like TV, radio, and print media are, this issue would not exist. Time for them to grow up and learn that people who are going to their sites do not appreciate a whole raft of potentially harmful crap being shoved down their browser from parties the site has NO control over.
Everyone block ads to your heart's content! The Internet and the World Wide Web did fine before ads started "crapping-it-up." It'll do fine without the garbage.
"...many will no longer be able to function as free." - Oh would that that were true - that they'd shut down completely! Reality is they'd find some other way to make their business model work, but making folks pay wouldn't be an option...cause you can't make 'em pay on the Internet.
In the last two decades, can't recall anytime where I HAD to pay for anything on the Internet beyond initial access.
User trends dictate the shape of the Internet, forcing craven marketers to respond. Don't underrate your power!
advertising is an abomination, and i do not choose to submit myself to it
if that means i eventually have to pay for internet content, so be it
i am a person, not a consumer
This is also a problem with JavaScript as well, Oracle/Sun; open source it completely and allow the community to completely integrate it with the browser and secure it. The other is the browser; if it were run in a virtual environment (or chroot), viruses/malware would not spread. Here's one vote for making applications completely virtual, reducing programs' ability to change sensitive operating system files. Probably the single largest waste of time is when IT is called to remove malware, spending a few hours removing Vundo or some of the other variants (whoever made PC Security 2010 should pay)...
History Lesson:
Firefox is developed by Mozilla which derived most of its code from Netscape whose owner was AOL before its source code was opened in 1998. So it was american made... doh! Firefox also recently implored google and micro$oft to stop being evil and installing plugins into their respective browsers without the users knowledge. I support open source especially since it was the true intent of the web... Free exchange on knowledge and information for the betterment of everyone!
2) While sandboxing is great, virtualizing is NOT the same as securing -- you just exchange one set of insecurities for another.
History Lesson:
"Firefox is developed by Mozilla"
Correct.
" which derived most of its code from Netscape"
Incorrect. Firefox is a fork of Mozilla, which was a replacement of the old Netscape engine. Netscape switched to the new Mozilla engine (from the old one, which they called Mozilla) when it was deemed stable.
"The last whose owner was AOL before its source code was opened in 1998. "
Incorrect. Netscape was a private company competing against Microsoft, started by the same person who wrote the Mosaic browser at NCSA (the original web browser). Netscape owes some of its original codebase to Mosaic. When Microsoft finally killed Netscape, Inc., AOL bought it and its developers for a song. The developers had already joined the *open source* Mozilla movement to create a new engine. AOL adopted this new engine in their AOL Browser and Netscape Communicator products.
" So it was american made... doh! "
Huh? Netscape Communicator was American-made, but I don't know what this has to do with anything. Mozilla (and therefore Firefox) were and are a global effort.
"Firefox also recently implored google and micro$oft to stop being evil and installing plugins into their respective browsers without the users knowledge. "
They also implored Apple to stop doing so. Not sure what this has to do with anything, other than that the Firefox group doesn't like corporations side-stepping their plugin management interface.
"I support open source especially since it was the true intent of the web... "
Incorrect. The web doesn't have intent. The original designer of hypertext thought it would be a great way to manage documents, later discovered its failings, and went on to invent replacements which were never embraced. The original implementer of the World Wide Web wanted a human-based interface to the internet to replace Archie, FTP, and other similar technologies that lacked context.
"Free exchange on knowledge and information for the betterment of everyone!"
Define Free as Libre (not Beer), and you've got it. This was mostly done in a University setting, which makes sense. It was later opened up to commercial ventures, at which point "Free" became either Libre or Beer, pick zero to two.
FYI:
The monkif virus has been doing this since last winter. Very old news.
You are a 'tard.
The wife's PC got hit by one of these over a month ago. I'm sick of Micro$oft's crap security. She now runs Ubuntu on her laptop.
>> 2) While sandboxing is great, virtualizing is NOT the same as securing -- you just exchange one set of insecurities for another.
Javascript is already sandboxed, but apparently the exploit is taking advantage of a Firefox+Windows or simply a Windows vulnerability.
Asking to add a different form of sandboxing will tend to add a layer of security to whatever exists.
>> Huh? Netscape Communicator was American-made, but I don't know what this has to do with anything. Mozilla (and therefore Firefox) were and are a global effort.
I think the intent was to say that US money is also going to support developers living in the US (without implying that it's only US money or only to those living in the US).
The point may have been to counter the "Buy microsoft and buy American!!!" earlier comment suggesting that giving money to Microsoft is good for Americans because other Americans get it. First, Americans aren't necessarily getting it since Microsoft pulls in huge profits and its stock is partly held by people living in many countries. Second, Americans getting money don't necessarily invest it back in the US (especially if they own international businesses and see better investment opportunities elsewhere). Third, these recipients of USD don't necessarily use such money for good purposes (eg, the money might help fund software patent trolls and other monopolists that raise costs for Americans everywhere).
Cheaper more efficient software, if that is what you get with open source, means that you save more money which then goes towards other purposes. In other words, if Microsoft associated millionaires and billionaires don't get your buck, someone else will (presumably others living in the US if that is where you live).
Good open source software is less expensive, more flexible (especially for a developer), and generally better peer reviewed for vulnerabilities and bugs than comparable closed source.
>> They also implored Apple to stop doing so. Not sure what this has to do with anything, other than that the Firefox group doesn't like corporations side-stepping their plugin management interface.
http://www.itproportal.com/2010/11/30/mozilla-exec-condemns-microsoft-google-and-apple-trojan-horse-plugins/
I think this was an objection to the behavior of large companies leveraging essentially unauditable closed source software to install unexpected software on customers' computers.