Sunday, March 28, 2010

Malware delivered by Yahoo, Fox, Google ads

From Elinor Mills at CNet ...
Malware that exploits holes in popular applications is being delivered by big ad delivery platforms including those run by Yahoo, Fox, and Google, according to Prague-based antivirus firm Avast.

Viruses and other malware were found to be lurking in ads last year on high-profile sites like The New York Times and conservative news aggregator Drudge, and this year on Drudge, TechCrunch and The practice has been dubbed "malvertising."

Now, researchers at Avast are pointing fingers at some large ad delivery platforms including Yahoo's Yield Manager and Fox Audience Network's, which together cover more than 50 percent of online ads, and to a much smaller degree Google's DoubleClick. In addition, some of the malicious ads ended up on Yahoo and Google sites, Avast claims.

Mills continues,
Found in ads delivered from those networks was JavaScript code that Avast dubbed "JS:Prontexi," which Avast researcher Jiri Sejtko said is a Trojan in script form that targets the Windows operating system. It looks for vulnerabilities in Adobe Reader and Acrobat, Java, QuickTime, and Flash and launches fake antivirus warnings, Sejtko said.

Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser, Avast said.

Since the malware started spreading in late December, Avast has registered more than 2.6 million instances of it on customer computers. Nearly 530,000 of those were from Yield Manager and more than 16,300 from DoubleClick, Sejtko said.

That's pretty scary. Most web surfers feel safe browsing popular, well-branded sites, but they do not realize that many of these sites rely on 3rd party advertising services to manage their banner ads. As a result, should these services fail to properly vet the sources of their ads, well-established websites can be easily duped into running malicious ads. As pointed out in the article, all the user has to do is view an infected ad and malware is silently installed behind the scenes. The user is none the wiser.

I've been following this attack for a while now, and if it is still running on Monday I plan on demonstrating it in class.

1 comment:

Marisa White said...

“Malvertising” is an incredibly troubling trend. It is very concerning to learn that someone could get infected simply by loading what they believed to be a trusted web page. A computer could be compromised without the user having to click on or download anything. Even the most cautious internet surfer who is aware of all sorts of attacks would probably assume they are safe from these attacks if they are on a commonly used, legitimate website for a trusted company such as the New York Times site.

One aspect that seems to be left unaddressed in the situations described in the article is accountability. Sites like the New York Times with a reputation to uphold should take responsibility to ensure that the ads on their page are not harmful to users. They need to carefully scrutinize their ad providers to guarantee the ads are from legitimate, safe sources.

Most computer users who have been compromised are not even aware of the malware, let alone would be able to attribute it back to the site they were infected from. It is therefore difficult to place blame and require these sites to take more responsibility in assuring all content on the site is safe. However, if similar instances continue to occur and are reported in the news, public awareness of these attacks will increase and hopefully more and more users will feel comfortable demanding this accountability.