
Malvertising: Adverts that bite

Malvertising is insidious. Follow all the rules and still get caught. Is there anything we can do?

The first time I came across "malvertising", I thought, "Who would want to advertise malware?" Bad guys, I guess. Then I found out what malvertising actually is (definition courtesy of the Online Trust Alliance):

"Is the practice of injecting malicious or malware-laden advertisements into legitimate online-advertising networks. It can occur through deceptive advertisers or agencies running ads or compromises to the ad supply chain including ad networks, ad exchanges, and ad servers."

Interesting example

AdShuffle.com is a large marketing-technology company that serviced many of the big ad-providing platforms -- MSN and DoubleClick, for example -- during last year's Christmas rush. It seems AdShufffle.com was supplying both MSN and DoubleClick with malicious banner ads.

If victims visiting sites with malicious banner ads happened to have any Windows, Adobe, or JavaScript vulnerabilities, it was all over. No need to click on anything. You became the proud owner of drive-by malware delivered by the Eleonore Exploit Kit.

It seems the bad guys had found another "low-hanging fruit": vulnerable websites.

Oops

I wonder if you made the same mistake. Notice anything different in how AdShufffle is spelled? Where did that "third f" come from? Hmm. Well, attackers registered the domain AdShufffle.com and conned the advertising networks into using their malicious banner ads instead of the correct ones from AdShuffle.com. Nice.

And, that's just one example. In their first quarter 2011 Threats Report (page 14), McAfee estimates over 8000 malicious websites are being created each day.
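The extra "f" above is a lookalike domain slipped into the ad supply chain, and a publisher or ad network can screen for that kind of thing mechanically. The Python below is an added example, not code from the article or from any ad network: it reduces each ad request to its registrable domain, folds common digit-for-letter swaps, and flags anything within a small edit distance of an allowlisted ad server. The allowlist, the sample request URLs and the two-label domain rule are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Constructed allowlist: the ad-server domains this publisher's pages are expected to load from.
TRUSTED_AD_DOMAINS = {"adshuffle.com", "doubleclick.net"}

# Constructed sample of ad requests (not real traffic). The second and fourth entries are
# lookalikes: an extra "f", and a digit 1 in place of the letter l.
SAMPLE_REQUESTS = [
    "http://ads.adshuffle.com/banner/1234.swf",
    "http://ads.adshufffle.com/banner/1234.swf",
    "http://ad.doubleclick.net/adj/site/home",
    "http://doub1eclick.net/adj/site/home",
    "http://cdn.example.org/unrelated.js",
]

# Digit-for-letter swaps commonly seen in lookalike registrations (assumed list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url):
    """Last two labels of the host. Assumption: good enough for .com/.net style domains."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def classify(url, trusted=TRUSTED_AD_DOMAINS, max_distance=2):
    """Return (verdict, domain, nearest_trusted). 'trusted' is an exact allowlist hit;
    'lookalike' means the homoglyph-normalized domain is within max_distance edits of an
    allowlisted domain; anything else is 'unknown' and worth a look but not a lookalike."""
    domain = registrable_domain(url)
    if domain in trusted:
        return "trusted", domain, None
    normalized = domain.translate(HOMOGLYPHS)
    for t in sorted(trusted):  # sorted so the verdict is deterministic
        if levenshtein(normalized, t) <= max_distance:
            return "lookalike", domain, t
    return "unknown", domain, None


def audit(urls):
    """Return the lookalike findings (url, domain, nearest_trusted) for a batch of requests."""
    findings = []
    for url in urls:
        verdict, domain, near = classify(url)
        if verdict == "lookalike":
            findings.append((url, domain, near))
    return findings


if __name__ == "__main__":
    for url, domain, near in audit(SAMPLE_REQUESTS):
        print(f"LOOKALIKE {domain!r} resembles allowlisted {near!r}: {url}")
```

Run against the constructed sample it reports the extra-"f" domain and the digit-for-letter one, and leaves the exact allowlist hits alone.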

It can happen to the best of websites

I asked and most people responded, "We're very careful; we never go to 'those kind of websites.'"

The bad guys must have taken a similar survey. They now prefer taking over what's considered "prime Web real-estate". I don't think I'd get much argument about the New York Times website being primo digital property:

The New York Times explained further on their website:

"Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software.

We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser."

Who is responsible?

We as visitors to websites have little recourse, other than practicing safe Internet. The real onus is on everybody who has a part in what's displayed on the website. The Online Trust Alliance (OTA) offers the following advice in their Anti-Malvertising Guidelines:

"Infrastructure must be hardened and business processes re-examined. Business, infrastructure providers, ISPs, web publishers and the interactive advertising supply chain need to work to help counter this abuse."

That's great if the organizations accept responsibility. To that end, the expression "money talks" might be helpful. Deloitte agrees:

"Bottom line. Anything that makes large numbers of Internet users decide that clicking online advertisements could be a bad or dangerous thing threatens the current business model of almost every company that does business online."

OTA honor roll

Each year, the OTA recognizes public websites, private websites, and government agencies that adopt technologies designed to protect user privacy and identity:

"OTA Honor Roll criteria include implementation of email authentication, Extended Validation SSL Certificates (EV SSL), and testing for malware and known site vulnerabilities. In addition, federal government sites were evaluated for their support of DNSSEC."

Don't get too excited:

"While the number honored in 2011 represents a promising 3-fold increase from this time last year, 74% of the top websites analyzed did not qualify and remain vulnerable to the increased levels of cybercrime and online fraud."

More specifically:

"The Honor Roll achievement was as high as 26.7% of the FDIC 100 and 24.6% of the Fortune 500. Only 12% of top federal government sites qualified."

That's depressing.

User recourse

Malvertising is not new malware, just a different delivery vehicle. That means the mantra is the same: keep all software up to date, and so on. You know the drill.

Google has something that might help: Safe Browsing Diagnostic. If your web browser uses the Safe Browsing API, it will warn you when you visit a website that has been reported. I checked out AdShufffle and this is what I got:

The Safe Browsing Diagnostic tries to answer the following:

  • What is the current listing status for the website?
  • What happened when Google visited this site?
  • Has this site acted as an intermediary resulting in further distribution of malware?
  • Has this site hosted malware?

Final thoughts

This is a tough one. If all that's required is to simply visit a website, there is little defense. I wonder if it's time for what Howard Beale said in the 1976 movie, Network (YouTube): "I'm mad as hell!"

About

Information is my field...Writing is my passion...Coupling the two is my mission.

52 comments
grandan

"Oops. I wonder if you made the same mistake. Notice anything different in how AdShufffle is spelled?" This may be another thread; however, I really hate it when journalists especially incorrectly spell words. In this instance, after AdShufffle, "is spelled" should correctly be "spelt", not "spelled". Everyone appears to use this nowadays; why? My punctuation is bad (shameful Teacher) but the misspelling of words is an outrage to people trying to educate us! Even the BBC in England use this and it just grates. Am I correct or wrong? Sorry.

GreyTech

I use Secunia's PSI to check I am keeping up to date; Firefox with NoScript, Flashblock, Ghostery and Foxit in safe mode for PDFs. I also use WOT, although it is sometimes a pain as it does report a few as bad when in fact they are sub-domains of a free multi-web server. In NoScript I mark all the ad servers as untrusted, and it doesn't take long for all my regular sites to get marked as 'allowed'. Using Comodo's DNS servers shows up a few baddies. I have never been hit with a drive-by and have noticed a few baddies being blocked. I also use Sunbelt Software's Vipre for anti-virus and anti-spyware, with a hardware firewall in my router and Comodo's firewall on all my home network PCs, most of which do not have any browsers. Every month or so I run Malwarebytes to check nothing has crept in. Except for the occasional tracking cookie, nothing has got in so far. I check every time I install something new that all the tick boxes are what "I" want, not necessarily the defaults. Windows 7 UAC is set to its highest level. I favour banks that use Rapport. I also back up automatically and keep really important stuff off-site, encrypted with TrueCrypt. Passwords on non-trivial sites are all different and strong. I always check all my bank statements match my own system. Is it enough? Hopefully. Vigilance is the watchword. (Or is it paranoia!)

Who Am I Really

Gotta hate IE. Me, I use Firefox with NoScript, AdBlock Plus and FlashBlock. Never once seen one of those popups, drive-by DLs, etc. And if I access a site and nothing appears to work without allowing scripting etc., like whole sites done in Flash, or whole sites done in JS where not even the text appears without allowing JS or Flash, then it's "See ya, wouldn't wanna be ya! I'll find what I need somewhere else."

pikeman666

It's a minefield. I was getting regular alerts about sites trying to "do stuff". Stay away!

fvazquez

What about Lavasoft's Ad-Aware? In my case it has helped me a lot, from almost frozen PCs to making them functional again... I recommend it, because it's free and it works, at least for me. Another anti-malware is Spybot Search & Destroy; it works and may also cohabit on the same PC, giving really good results. That's what I use when I have no budget, or simply because I trust this anti-malware couple. When I have enough budget to acquire software then I choose Kaspersky Internet Security, since it may detect, among other things, webpages that have been injected or have data-phishing scripts on them... That's my contribution and I hope this may be of some help to anyone. Cheers!

jkid4179

I do internal IT for a school district and was getting 2-5 Help Desk calls a week for about 2 months regarding "drive-by malware". Probably 9/10 times the user was using Google Images when it happened. I sent out an email to the entire staff to use Bing instead of Google when image searching, and the occurrences dropped considerably.

SKDTech

Which is why I love AdBlock Plus and NoScript. I was recently involved in a discussion on another site which has a standing ban policy on the use of ad-blocking extensions. The owners of the site maintained that without ad revenue they would be unable to continue operations. While I understand that point, I cannot in good conscience advocate surfing the web without an ad blocker while malvertisements are common. It is quite a conundrum for the majority of websites which are clean themselves, but rely on ad revenue in order to keep the lights on.

Michael Kassner

Just what we need. Visit a website: Get advertisements and malware.

Michael Kassner

I was attempting to point out that people responsible for the ad service missed the extra "f": "Well, attackers registered the domain AdShufffle.com and conned the advertising networks into using their malicious banner ads instead of the correct ones from AdShuffle.com. " I purposely exaggerated the "f" in order to point that out.

Michael Kassner

I have written about Rapport, but haven't had much feedback about it. What's your take on it?

HAL 9000

But thought it was a typo and ignored it. Col

JCitizen

because of extension problems, but: 1. Avast has script blocking, behavior-based I think. 2. MVPS for Windows is a pretty thorough ad blocker; SpywareBlaster is fair. 3. MBAM has an IP blocker that thwarts many ads the previous two don't. I've not had a drive-by in two years or so. Kind of like you said, once you give NoScript permission, you just got to hope the site isn't compromised.

Michael Kassner

It is appreciated. What alerts were you getting? Browser?

seanferd

I don't think that is what happened. And what happens when people actually do complain about something for which there is no current solution? They should just shut up? I'm really weary of the "if you don't have a solution, quit talking about the problem" crowd.

JCitizen

with Ad-Aware. I prefer Avast (also with script blocker), but to each his own. Ad-Aware is not really an ad blocker, but I have tried to install test files on Vista x64 and Ad-Aware silently prevents it. I had to shut down Ad-Watch to do it, and even then it found it on a quick scan anyway, so it does work on things that have a definition, which won't help with zero-day exploits, but then it is only one rivet in the armor anyway. Lavasoft's Ad-Aware does help clip a LOT of unneeded chatter between temp files, advertisements and their servers, and any cookie commands that may be in place. I can't get reliable page loads on Vista Home Premium x64 without it! (edited) Had to replace chink with rivet, as apparently chink is a racist remark. HA! :p

Michael Kassner

I have written extensively about how to prevent and remove malware. I linked one such article in this one. So, I did not want to rehash it. And the best bet still, is to keep your computer up-to-date. Also, all of the options you mentioned use signatures and that means there is lag time. I might suggest using ad-blocking extensions and an app like NoScript. All are free.

kevlar700

If saying "use Bing" is your solution then you've got far worse problems. You don't need a rogue network accepted for this. What do advertisers want? DATA. What do advertisement providers want? Data. Exploits from images should simply be fixed; not a huge issue. Adobe Flash, on the other hand, is constantly exploitable. As the Flash advertisements are closed and obfuscated they can and do hide all sorts, legitimately and illegitimately, including exploits. It seems we only realise these things when we are slapped in the face with big flashing lights, i.e. when the makers don't really care if we notice. Install NoScript or FlashBlock and only run the Flash you choose. Usually an occasional YouTube vid, not a possibly dodgy advert on 80% of websites. Emails are dodgy because they come to you, not you choosing them. Adverts are just the same.

Michael Kassner

It seems that attack vector is gaining steam. I first heard about it this past February. I suspect Google will take the brunt of it due to its market share.

JCitizen

for sites that I support; but then I trust the site webmaster!

Michael Kassner

I first ran across malvertising in 2008-2009. Even so, there are lots of people unaware of it. Also, I checked and did not find any reference to it on TR. So, I wanted to change that.

Slayer_

I hope TR doesn't get one of these ads

GreyTech

I haven't noticed it working but from the Banks' view they are confident that it evades any software key loggers and man-in-the-middle attacks. I am sure it wouldn't stop any hardware key loggers but as I don't do banking from public PCs I am not concerned. My slight concerns without it would be rogue techies at the phone exchange or at a street junction box, where they could target particular lines.

Michael Kassner

I have been trying to find out the details about the slip up. So far, I am not having much luck.

Who Am I Really

only allow the minimum necessary to get a site functional, and don't allow any "ad domains". I rarely whitelist any site / domain etc., only using Temporarily Allow when necessary. So far on the new TR I don't have to allow anything; on the previous version (the one with the Thumbs) I only ever had to "allow" the .com.com domain for the site to work, and currently I only suffer from "can't vote" disease: + / - always goes to page not found instead of applying the vote.

Who Am I Really

but rather a necessity. Back in the DOS days, when viruses were proliferating all over the PC world, those in the security world used this example: sticking floppies from unknown systems into yer system is like not using a rubber and sharing / having multiple partners. They presented two options: buy an AV program, or abstain from sharing / using floppies of unknown origin. The major problem I see with most, if not all, AV programs is they still don't detect in-browser mal-activity, or if they claim they do, they don't do it very well.

santeewelding

Now, I don't have to contract with Murder, Inc.

JCitizen

Can't have enough armor for in-depth defense. As well as NoScript and AdBlock Plus, I encourage IE users to install MVPS for Windows. MBAM also blocks known bad IPs. I haven't had a drive-by in two years on my honeypot; and the one that I did have was stopped by the UAC in Vista x64. Keeping applications updated with the aid of Secunia PSI and FileHippo Update Checker has reduced my profile for vulnerabilities also. This has stopped one drive-by that tried to take over my Adobe Reader. I use Foxit, for now. I still get the occasional alerts from Avast, but I'm not sure if it is because I'm clicking on an object or if they were drive-bys. So I may still be getting them occasionally.

Michael Kassner

And they are going to install an Adobe Reader, but it uses JS. That should be interesting.

AnsuGisalas

Not only do they get free delivery, they get it delivered to a slice of "clientele" that may be resistant to social engineering techniques (due to trusted sites). This is big enough of an incentive that I think they'll use whatever tools they can to get the stuff up where they want to.

Michael Kassner

The ad stream typically is not under the webmaster's control: different domain and different servers. I would be careful in that regard.

Michael Kassner

I wish all banks had something similar. It has to help. In my neck of the woods, there aren't any banks supporting it, at least that I know of.

Michael Kassner

I always try to take the viewpoint of my father (87) and NoScript would frustrate.

seanferd

There isn't a solution. Heck, enterprise networks with legally licensed copies of Windows still get infected with Conficker. Idiots still accidentally start forest fires. What can you do? True, though, it doesn't matter if you allow legitimate, trusted scripts if the malware is coming through those legitimate channels. AdBlock Plus either blocks ads from published lists, and/or your selections. Neither is likely to help immediately unless a malvertising list is published, kept current, and covers all malvertising methods and all individual instances. Then again, cars were a luxury, once. And yet, network and content owners need to do a better job on their end. They still commit terrible, awful, basic errors in their sites and services. Are VMs or sandboxes deeply confusing luxuries? Operating systems and computers were, once. OS vendors are responsible as well, when the malware is using ridiculous flaws for which patches aren't provided, especially when the general architecture of an OS is terrible to begin with. Quite the pickle, really.

Michael Kassner

I also think of legacy sites and disinterested people having to deal with NoScript. In reality, if good sites can have malvertising, how does one know which sites are indeed okay?

seanferd

you just have to not be afraid to take two seconds to allow what you trust. But then, I think maybe you meant "not allowing any scripts at all", which could be rough, indeed.

Michael Kassner

That use Flash and JS for business apps. People are required to use them. Hence my calling using NoScript a luxury.

AnsuGisalas

That's really social engineering, I guess.

Michael Kassner

That hurts thinking about it. Hey, Ansu. Did the extra "f" get by you?

seanferd

send Guido, nevertheless.

seanferd

It isn't Adobe code, so I'm not so scared. Personally, though, I don't want my browser displaying PDFs at all. I went to battle to get that to stop years ago, ended up dumping Adobe for Foxit, and IE for SeaMonkey. (Well, not the first time I dumped IE, to be honest.) Better be able to turn that off. And the JS better be accessible as a .js file that I can remove. Even better if SM does not incorporate that bit of FF code, but SM seems to be on that path of swallowing the FF codebase whole.

seanferd

Like, a JavaScript Adobe Reader inextricably embedded into the Firefox browser? Or am I entirely misconstruing what you said? Maybe you meant users in general will install the Adobe plugin? Fear is overcoming my powers of rationality and analysis. I'm just so uncertain of what you said there.

AnsuGisalas

Verifying the hashes from a list of bona fide provider sites. Doesn't protect when the provider is cracked and the hashes fixed, but that's a big bad anyway.

Michael Kassner

Will have to be put in place. Up until now it has been a trust thing. And, that's not working too well.

Michael Kassner

I read the report and had to search fairly hard before finding the error.

Slayer_

It's tricky to see, especially in italics.