Free Republic
General/Chat


Ad networks owned by Google, Microsoft serve malware
The Register

Posted on 12/13/2010 3:34:41 PM PST by Gomez

Two of the world's biggest ad serving networks – one owned by Google and the other by Microsoft – have been caught delivering booby-trapped banner ads that infect computers with malware without any action required on the part of the end user.

The ads on Google's DoubleClick and Microsoft's rad.msn.com contained heavily obfuscated JavaScript in an attempt to conceal the attack, according to an analysis by web security firm Armorize. As a result, people surfing to Scout.com, MSNBC.com and other sites that relied on the ad platforms were surreptitiously attacked by malicious code that in many cases was able to install malware without any warning.

Among the titles silently thrust on marks was HDD Plus, a piece of malware that falsely claims users have serious system errors that can only be fixed by buying a premium version of the program. The tainted banner ads used code from the Eleonore and Neosploit crimeware kits to exploit at least seven previously patched vulnerabilities in applications such as Adobe Reader, Oracle's Java, and Microsoft's Internet Explorer.

The attacks are only the latest to get past gatekeepers at DoubleClick and other large networks, which are used by smaller websites to deliver ads. In September 2009 a torrent of malicious ads flooded DoubleClick, Yahoo's Right Media and FastClick, a platform owned by ValueClick. Over the past few years there have been at least half a dozen similar breaches. An ad platform is a huge advantage to malware attackers because it allows them to get their exploits in front of potentially millions of people who have no reason to believe they're under threat.

In the attack documented by Armorize, the miscreants appear to have tricked account managers with the use of ADShufffle.com, a domain that fed the malicious banners. The address was designed to look like AdShuffle.com, which regularly works with ad platforms.

“We can confirm that the DoubleClick Ad Exchange, which has automatic malware filters, independently detected several creatives containing malware, and blocked them instantly - within seconds,” a Google spokesman said in an email. “Our security team is in touch with Armorize to help investigate and help remove any affected creatives from any other ad platforms.”

The email didn't say how the tainted ads got carried on DoubleClick or how similar attacks could be prevented in the future.

A Microsoft spokeswoman said the company is investigating the report.


TOPICS: Computers/Internet
KEYWORDS: bandoubleclick; bangoogle; google
There's a widely held myth that "only people who surf porn or (enter some type of site here) get infected." This type of quote appears in many FR threads concerning malware.
1 posted on 12/13/2010 3:34:46 PM PST by Gomez
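
The lookalike domain in the article (ADShufffle.com imitating AdShuffle.com) is something an ad platform can screen for when a new creative source is submitted. The following is an added example, not part of the original article or thread: a Python check that compares a submitted domain against an allowlist of known partners. The allowlist contents, function names and distance threshold are assumptions.

```python
# Added example: flag ad-source domains that imitate a known partner.
KNOWN_PARTNERS = {"adshuffle.com"}  # assumed allowlist; domain taken from the article


def normalize(domain: str) -> str:
    """Lowercase, strip a trailing dot and a leading 'www.'."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def squeeze(s: str) -> str:
    """Collapse runs of a repeated character: 'shufffle' -> 'shufle'."""
    out = []
    for ch in s:
        if not out or out[-1] != ch:
            out.append(ch)
    return "".join(out)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_domain(domain: str, known=KNOWN_PARTNERS, max_dist: int = 2):
    """Return ('known' | 'lookalike' | 'unknown', matched partner or None)."""
    d = normalize(domain)
    if d in known:
        return ("known", d)
    for partner in sorted(known):
        # Same skeleton after collapsing repeats, or only a few edits away.
        if squeeze(d) == squeeze(partner) or edit_distance(d, partner) <= max_dist:
            return ("lookalike", partner)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample inputs; only the first two names appear in the article.
    for name in ["AdShuffle.com", "ADShufffle.com", "adshuffIe.com", "example.org"]:
        print(name, check_domain(name))
```

A "lookalike" result is a reason to hold the account for manual review, not proof of malice; an "unknown" result only means the name does not resemble anything on the allowlist.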

To: ShadowAce

ping


2 posted on 12/13/2010 3:35:45 PM PST by Gomez (shibboleet)

To: Gomez

Anyone know specifically where we need to avoid going to? If it is in Yahoo, are we safe from using it for e-mail?


3 posted on 12/13/2010 3:41:39 PM PST by bareford101 (For me, there is no difference in a tolerant, open mind and a cess pool. Both are open to filth.)

To: bareford101

Use NoScript with Firefox.

Ban doubleclick, google analytics, and rad.msn.com


4 posted on 12/13/2010 3:46:27 PM PST by Rio

To: bareford101

This is a safe search engine that I like.

http://www.startpage.com/


5 posted on 12/13/2010 3:48:20 PM PST by freedommom

To: Gomez

Google image search gave me the mother of all viruses two weeks ago. I was searching for a picture of Queen Elizabeth on a Canadian loon dollar to prove they were part of the commonwealth.

Shut my computer down for 3 days while our IT guy tried to get it out. The worst he’s seen in years.

Thanks for nothing, Google.


6 posted on 12/13/2010 4:03:58 PM PST by sbMKE

To: Gomez

I block those sites in my hosts file. Works well but makes it difficult to click on paid ads.


7 posted on 12/13/2010 4:06:03 PM PST by driftdiver (I could eat it raw, but why do that when I have a fire.)

To: bareford101

“anyone know specifically where we need to avoid going to?”

Yeah, stay off any site that connects to the internet.

Seriously though, many major sites have had this problem. McAfee put out a stat that over 90% of infections were spread in this manner.


8 posted on 12/13/2010 4:07:42 PM PST by driftdiver (I could eat it raw, but why do that when I have a fire.)

To: bareford101

Also, don’t run as a local admin. That helps too.

Some of the anti-virus programs now run your browser in a sandbox designed to prevent this. I don’t know how well they work.


9 posted on 12/13/2010 4:09:13 PM PST by driftdiver (I could eat it raw, but why do that when I have a fire.)

To: bareford101; Gomez
As a result, people surfing to Scout.com, MSNBC.com and other sites that relied on the ad platforms were surreptitiously attacked by malicious code that in many cases was able to install malware without any warning. Among the titles silently thrust on marks was HDD Plus, a piece of malware that falsely claims users have serious system errors that can only be fixed by buying a premium version of the program.

I just removed a Trojan called HDD Rescue which is similar to the one described here. I'm pissed that it may have come from MSNBC.com. The only time I go there is from FR links. I can't think of where else it might have come from, as I'm very careful online. I usually use Firefox with its addons for security, but lately that browser has been crashing on me.

10 posted on 12/13/2010 4:10:11 PM PST by Second Amendment First

To: Gomez

I was referred to this http://www.mvps.org/winhelp2002/hosts.htm on FR and have used it for the last couple of years.

It does slow things down some but prevents you from connecting to a long list of known bad sites.

It seems to have worked well.


11 posted on 12/13/2010 4:17:03 PM PST by driftdiver (I could eat it raw, but why do that when I have a fire.)

To: Gomez

Firefox with AdBlock, NoScript and FlashBlock: I haven’t seen an ad in a very long time.


12 posted on 12/13/2010 4:28:03 PM PST by Psycho_Bunny (Hail To The Fail-In-Chief)

To: Gomez

I got hit with this crap. What a PITA!


13 posted on 12/13/2010 4:30:49 PM PST by ozaukeemom (Is it 2012 yet?)

To: sbMKE
"Queen" what?

Now what that Freeper just say about Porn!

14 posted on 12/13/2010 4:31:22 PM PST by muawiyah

To: driftdiver

Some of the malware out there now ‘installs’ to your Windows profile and puts the executable in your Start Up with the program files in (userprofile)\local settings\temp so it can get around the ‘no admin rights’ technique.


15 posted on 12/13/2010 4:31:50 PM PST by MeganC (January 20, 2013 - President Sarah Palin)

To: MeganC

The criminals are hard at work writing new stuff every day. Someone needs to find them and shoot them.


16 posted on 12/13/2010 4:34:55 PM PST by driftdiver (I could eat it raw, but why do that when I have a fire.)

To: driftdiver

The problem is that a lot of this stuff is being done by major corporations - like Advertising.com - and by foreign governments - like Israel has done with ‘Incredimail’.


17 posted on 12/13/2010 4:36:39 PM PST by MeganC (January 20, 2013 - President Sarah Palin)

To: Gomez

Tech Ping.


18 posted on 12/13/2010 4:41:58 PM PST by Sergio (An object at rest cannot be stopped! - The Evil Midnight Bomber What Bombs at Midnight)

To: Gomez
Get the cow, never see an ad again. It even pinches video ads.


Ad Muncher

19 posted on 12/13/2010 4:57:08 PM PST by Malsua

To: Gomez

You’re right. I got hit with a damn Google Redirector trojan twice last week and I don’t do “porn sites” and “free music download sites”. The second time I picked it up, I had only been to two sites. Free Republic and the news site in question. I stopped going to the news site and I’ve been okay.


20 posted on 12/13/2010 5:51:46 PM PST by FlingWingFlyer (Merry Christmas to all of my FReeper FRiends!)

