Major Ad Networks Found Serving Malicious Ads

Two major online ad networks–DoubleClick and MSN–were serving malware via drive-by download exploits over the last week, experts say, after a group of attackers was able to trick the networks into displaying their ads by impersonating an online advertising provider.


The scheme involved a group of attackers who registered a domain that was one letter away from that of ADShuffle.com, an online advertising technology firm. The attackers then used the fake domain–ADShufffle.com–to dupe the advertising networks into serving their malicious banner ads. The ads used various exploits to install malware on victims’ PCs through drive-by downloads, according to information compiled by security vendor Armorize.
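The one-letter-off domain described above is the kind of thing an ad network or a site operator can screen for on its own side before a creative is served. The following is an added example, not code from the article, from Armorize or from any ad network: it compares every host that a creative is fetched from against a small allowlist of trusted vendor domains using Levenshtein edit distance, and flags hosts within one edit of a trusted name that are not themselves on the list. The allowlist, the log format and the sample log lines are constructed for the example; the registrable-domain extraction (last two labels) is a deliberate simplification that ignores the public suffix list.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed allowlist of ad-technology vendors the network trusts.
# adshuffle.com is the real vendor named in the article; the other entry is a placeholder.
TRUSTED_VENDORS = {"adshuffle.com", "example-adtech.net"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum number of single-character inserts,
    deletes or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Simplification (assumption for this example): treat the last two DNS
    labels as the registrable domain, so static.adshuffle.com -> adshuffle.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host: str, trusted=TRUSTED_VENDORS, max_distance: int = 1) -> Optional[str]:
    """Return the trusted vendor domain that host appears to imitate, or None.
    Exact matches (including subdomains of a trusted vendor) are not lookalikes."""
    domain = registrable_domain(host)
    if domain in trusted:
        return None
    for vendor in trusted:
        if edit_distance(domain, vendor) <= max_distance:
            return vendor
    return None


# Constructed log format: "<timestamp> <client-ip> GET <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) GET (?P<url>https?://(?P<host>[^/\s:]+)\S*) (?P<status>\d{3})$")


def flag_lookalike_requests(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Scan creative-fetch log lines and return (timestamp, host, imitated_vendor)
    for every request whose host is a near-miss of a trusted vendor domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line; skip rather than guess
        host = m.group("host")
        imitated = lookalike_of(host)
        if imitated is not None:
            hits.append((m.group("ts"), host, imitated))
    return hits


# Constructed sample log: one legitimate vendor fetch, one from the extra-f domain,
# one from an unrelated ad host that should not be flagged.
SAMPLE_LOG = [
    "2010-12-13T10:01:02Z 198.51.100.7 GET http://static.adshuffle.com/creative/1234.js 200",
    "2010-12-13T10:01:03Z 198.51.100.7 GET http://adshufffle.com/creative/ad.js 200",
    "2010-12-13T10:01:04Z 198.51.100.9 GET http://ad.doubleclick.net/adj/banner.js 200",
    "this line is not a request and is ignored",
]

if __name__ == "__main__":
    for ts, host, vendor in flag_lookalike_requests(SAMPLE_LOG):
        print(f"{ts} {host} looks like trusted vendor {vendor}")
```

A hit from this check is a review-queue item, not an automatic block: at distance one, short vendor names will also collide with unrelated legitimate domains, so the value is in surfacing a new, never-seen-before host that sits next to a known partner's name, which is exactly the pattern in this incident.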

The ad networks only served the malicious content for a short period of time, but the episode shows just how difficult the drive-by download problem can be to address.

“Users visit websites that incorporate banner ads from DoubleClick or rad.msn.com, the malicious javascript is served from ADShufffle.com (notice the three f’s), starts a drive-by download process and if successful, HDD Plus and other malware are installed into the victim’s machine, without having the need to trick the victim into doing anything or clicking on anything. Simply visiting the page infects the visitors,” Armorize CTO Wayne Huang said in a blog post describing the scheme.

“Known sites affected: Sites that incorporate DoubleClick or rad.msn.com banners, including for example Scout.com (using DoubleClick), realestate.msn.com, msnbc.com (using both), and mail.live.com. We’d like to note here it’s very possible that multiple exchanges, besides those listed here, have been serving the fake ADShufffle’s ads.”

In some instances, the attackers used the notorious Eleonore exploit pack and the Neosploit package to accomplish the drive-by downloads. The attacks exploited a wide variety of vulnerabilities in browsers and Adobe Reader.

When a victim visits a site displaying one of the malicious banner ads, the browser tries to render the ad and contacts the back-end ad server. The server pulls in the ad content from ADShufffle, which uses malicious JavaScript to exploit one of a number of vulnerabilities. The JavaScript generates an iframe that loads the Eleonore exploit pack to finish the compromise and drop malicious files on the PC.

It’s a classic drive-by download scenario, but in this case it’s made all the more troublesome by the broad reach of the legitimate ad networks that were victimized by the attack. Armorize researchers contacted officials at DoubleClick after discovering the scheme.

“We reached out to DoubleClick and in less than a few hours time they arranged a meeting with a group of their experts on anti-malvertising and incidence response. We were very surprised and impressed with the speed that DoubleClick acted. We provided details, and DoubleClick said they were already on top of the issue,” Huang said.

“At the same time, our CEO Caleb Sima received a private email indicating that mail.live.msn, together with other big websites, were serving drive-by downloads via malvertising. We started to investigate other ad exchanges, because it was apparent that ADShufffle.com was able to trick multiple ad exchanges into serving their malicious javascript.”

A spokesman for Google, which owns DoubleClick, told the IDG News Service that the malicious ads were only being served for a short amount of time, and that the company’s own malware filters detected the ads, as well.


Discussion

  • Anonymous on

    Another good reason to use adblock and noscript

  • Anonymous on

    but you need firefox to use noscript... my location bar keeps on using baidu, at least in my region, with no way(?) to disable... I had to decide, do I use noscript and submit to baidu, or just boycott firefox?

    It was an easy decision, by the way... 

  • Jamie on

    "my location bar keeps on using baidu"

    You should get a new copy of Firefox if you can't change the search provider - that is not standard behaviour. 

  • Dave Gillam on

    Generic options include one or more of the following:

    - add doubleclick.com (and net, etc) to your hosts file, pointing to 127.0.0.1

    - use a proxy, and make sure doubleclick domains are blocked.

    - do the same for msn.com, if you don't normally use that service.


    Cheers

  • Anonymous on

    @Andrew, if web content providers were the SOURCE of the actual ads, like TV, radio, and print media are, this issue would not exist. Time for them to grow up and learn that people who are going to their sites do not appreciate a whole raft of potentially harmful crap being shoved down their browser from parties the site has NO control over.

  • Anonymous on

    advertising is an abomination, and i do not choose to submit myself to it

    if that means i eventually have to pay for internet content, so be it

    i am a person, not a consumer

  • Anonymous on

    This is also a problem with JavaScript as well, Oracle/Sun; open source it completely and allow the community to completely integrate it with the browser and secure it. The other is the browser; if it were run in a virtual environment (or chroot) viruses/malware would not spread. Here's one vote for making applications completely virtual, reducing programs' ability to change sensitive operating system files. Probably the single largest waste of time is when IT is called to remove malware, spending a few hours removing vundo or some of the other variants (whoever made PC Security 2010 should pay)...

    History Lesson:

    Firefox is developed by Mozilla which derived most of its code from Netscape whose owner was AOL before its source code was opened in 1998. So it was American made... doh! Firefox also recently implored google and micro$oft to stop being evil and installing plugins into their respective browsers without the users' knowledge. I support open source especially since it was the true intent of the web... Free exchange on knowledge and information for the betterment of everyone!


  • Em on

    1) Javascript is not Java -- it is not a Sun/Oracle product. Firefox uses an open source Javascript engine.

    2) While sandboxing is great, virtualizing is NOT the same as securing -- you just exchange one set of insecurities for another.

    History Lesson:

    "Firefox is developed by Mozilla"
    Correct.

    " which derived most of its code from Netscape"
    Incorrect. Firefox is a fork of Mozilla, which was a replacement of the old Netscape engine. Netscape switched to the new Mozilla engine (from the old one, which they called Mozilla) when it was deemed stable.

    "The last whose owner was AOL before its source code was opened in 1998. "
    Incorrect. Netscape was a private company competing against Microsoft, started by the same person who wrote the Mosaic browser at NCSA (the original web browser). Netscape owes some of its original codebase to Mosaic. When Microsoft finally killed Netscape, Inc., AOL bought it and its developers for a song. The developers had already joined the *open source* Mozilla movement to create a new engine. AOL adopted this new engine in their AOL Browser and Netscape Communicator products.

    " So it was american made... doh! "
    Huh? Netscape Communicator was American-made, but I don't know what this has to do with anything. Mozilla (and therefore Firefox) were and are a global effort.

    "Firefox also recently implored google and micro$oft to stop being evil and installing plugins into their respective browsers without the users knowledge. "
    They also implored Apple to stop doing so. Not sure what this has to do with anything, other than that the Firefox group doesn't like corporations side-stepping their plugin management interface.

    "I support open source especially since it was the true intent of the web... "
    Incorrect. The web doesn't have intent. The original designer of hypertext thought it would be a great way to manage documents, later discovered its failings, and went on to invent replacements which were never embraced. The original implementer of the World Wide Web wanted a human-based interface to the internet to replace Archie, FTP, and other similar technologies that lacked context.

    "Free exchange on knowledge and information for the betterment of everyone!"
    Define Free as Libre (not Beer), and you've got it. This was mostly done in a University setting, which makes sense. It was later opened up to commercial ventures, at which point "Free" became either Libre or Beer, pick zero to two.

  • Anonymous on

    FYI:
    The monkif virus has been doing this since last winter. Very old news.

  • BSAFH on

    The wife's PC got hit by one of these over a month ago. I'm sick of Micro$oft's crap security. She now runs Ubuntu on her laptop.
