Forgot your password?
typodupeerror
Botnet Security Advertising

Ad Networks Lay Path To Million-Strong Browser Botnet 105

Posted by Soulskill
from the your-computer-is-broadcasting-an-ip-address dept.
jfruh writes "Every day, millions of computers run unvetted, sketchy code in the form of the JavaScript that ad networks send to publishers. Usually, that code just puts an advertiser's banner ad on a web page. But since ad networks and publishers almost never check the code for malicious properties, it can become an attack vector as well. A recent presentation at the Black Hat conference showed how ad networks could be used as unwitting middlemen to create huge, cheap botnets."
This discussion has been archived. No new comments can be posted.

Ad Networks Lay Path To Million-Strong Browser Botnet

Comments Filter:
  • by Anonymous Coward

    For Firefox fans there is an add on called "no script" that prevents Javascript from running automatically. There should be an equivalent for Chrome folks too.

  • You mean there are other attack vectors, too?

  • by Anonymous Coward

    From what I've seen, it seems like ad networks are either the main form of malware vector, or at least close to it. It isn't true proof, but I have had no issues with infections when using AdBlock and an add-on blocker (even if it is Chrome's "click to play" item), but if I fire up a VM and go browsing without those utilities... all hell breaks loose. Antivirus utility? Yeah, right. Those are OK for maybe scanning an infected machine's HDD that is mounted on another box. However, rootkits, especially R

  • Well, it's scary enough to make me want to turn off Javascript (unless I'm running Firefox—and I'm not—and can't turn it off). But Javascript provides to web pages features and abilities that I'd rather like to keep. For example, I love AJAX and how it allows a sufficiently sophisticated browser to do something like what Google did with Gmail. When I first saw Gmail my jaw dropped. "WOW!" I knew then that the thick client's life was limited. But as things get more and more nasty I'm wonder

    • by Splab (574204)

      Thats the reason why I use adblock, I only block the adnetworks, not the local site served stuff.

      If site operators want me to view ads, then they bloody well can vet them and host them themselves.

    • Re:Somewhat scary (Score:4, Insightful)

      by Opportunist (166417) on Wednesday July 31, 2013 @01:14AM (#44431751)

      The problem is less that I need all the bells and whistles. The problem is more that a sizable portion of webpages simply doesn't work without its bells and whistles.

      • by BenoitRen (998927)

        It's even worse than that. Basic navigation even breaks without JavaScript enabled.

        Yesterday I tried visiting the websites of two electronic chain stores (owned by the same parent company) with JavaScript turned off. I couldn't get past their language selection page as the cookie that saves your selection is set by a JavaScript onclick handler!

  • ...I blanket-block all ads. As much as I don't like ads, I'd tolerate them if they had the trust they need to _earn_ to run Javascript/Java/Flash content on my machine.
    • You trust Oracle Java and Adobe Flash enough to run them on your machine?

      • by sqrt(2) (786011)

        I have Java on my machine but it's not exposed to the web. Javascript is enabled on a site by site basis with the default setting being to deny all scripts. Usually sites will at least render well enough to read an article even if the layout is garbled. I can still get the content so that's good enough. None of their ad/tracking scripts get to run, ever. Sites like Slashdot get to run Javascript but right now I look and there are four domains on this page which have their scripts blocked: google-analytics.c

  • Like hell they do (Score:5, Informative)

    by WD (96061) on Wednesday July 31, 2013 @12:50AM (#44431633)

    If you care about security, you're running NoScript. And they do not run.

    • Re: (Score:3, Interesting)

      by tgd (2822)

      If you care about security, you're running NoScript. And they do not run.

      Why bother using the web, then? Most sites won't work with scripting disabled to any usable extent.

      If you want to be safe from evil ad networks, just don't use the web. Problem solved.

      But saying "just don't do it" in reference to things that the overwhelmingly vast majority of people need or want to do is not solving the problem, and is distracting to the need to actually solve the problem.

      • by tlhIngan (30335)

        Why bother using the web, then? Most sites won't work with scripting disabled to any usable extent.

        If you want to be safe from evil ad networks, just don't use the web. Problem solved.

        But saying "just don't do it" in reference to things that the overwhelmingly vast majority of people need or want to do is not solving the problem, and is distracting to the need to actually solve the problem.

        Most javascript that aren't site related are third-party. So you can allow the site level javascript to run without all

      • You teach NoScript which sites you allow scripts to run on, or use the "allow this time" option. It takes a few weeks for it to learn your trusted sites, but once you get in the habit of clicking "allow this time" for one-off visits, it becomes second nature. As is frequently the case, there's a trade-off between usability and security.

        NoScript is invaluable when you access a site that's been compromised and is directly serving malware via scripts.

        For sites you have allowed in NoScript, filter out marketing

  • by Anonymous Coward

    Nice to know BlackHat has finally caught up with 2007 when malvertising was publicly identified as an issue (see https://isc.sans.edu/diary/Malvertising/3727). Strange that people actually working in the anti-malvertising world have never heard of these researcher's work.

    I guess we can ignore RiskIQ and Twitters purchase of Dasient. The tens of millions a year spent on prevent malvertising is clearly "nothing". The methods being used might not be as effective as some want, it isn't due to a lack of funding.

  • by Opportunist (166417) on Wednesday July 31, 2013 @01:11AM (#44431737)

    ...why we use adblock and noscript, whining that we deprave them of income.

    It's not that your ads are obnoxious, albeit even that alone would suffice as a reason. They're dangerous to us.

    • by HybridST (894157)

      For now adblock and noscript work well enough. What about after the other side develops NoBlock and AdScript?

  • The author is lying (Score:4, Informative)

    by SpicyBrownMustard (1105799) on Wednesday July 31, 2013 @01:22AM (#44431785)

    I've worked with several ad networks, on a number of issues, and can say with absolute confidence that the author has no concept of how the technology actually works, which results in an outright lie in his thread-starter.

    The JavaScript code originates with the ad delivery platform (DoubleClick, OpenX, 24/7, etc.), sometimes outsourced to the ad networks -- DoubleClick is a white label delivery platform for many ad networks. The JavaScript is tightly controlled and constantly subject to real-time auditing by several providers such as The Media Trust. The advertisers simply provide the assets -- the banner creative -- that is delivered by the ad network, optimization systems, and ad delivery platforms.

    Currently, yes, it all sucks and is why we have had blockers, but is also the only option to monetize free content -- for now.

    • by mrbester (200927)

      Audited by whom? Not developers with any care or consideration to best practises and standards. Or are you seriously suggesting that document.write and blocking code is just fine?

    • by gishzida (591028)

      From your comment I'd say you have no clue how the ad networks are being used as a malware delivery system and since any number of the readers here have already attested "mouse over" attacks do exist....What I am hearing you say the ad networks have done absolutely nothing to prevent their networks being used as an attack vector... say something like vetting the URLs provided for the "banners"... I can tell you that at least 6 years ago I had a "mouse over" attack from a banner served on TheRegister.co.uk..

    • by Dynamoo (527749)
      The assertion that ad networks do not check code is certainly untrue overall. But some networks check code more closely than others, and the bad guys use all sorts of techniques to evade detection (geotargetting, for example, or changing the behaviour of the ad when it is being examined on the ad network's own IP range). The lengths some bad actors go to are impressive, and be in no doubt that there is a state of war between most ad networks and the bad guys.

      However, it is true that certain ad networks do

    • The only option?

      Hardly.

      You can accept donations. You can have freemiums. You can offer merchandise.

  • by John Sokol (109591) on Wednesday July 31, 2013 @01:25AM (#44431801) Homepage Journal

    We were using java, flash and javascript to do this sort of stuff as early back as 1996.
    Massive DDOS attacks were generated this way.
    Even played around with Distributed computing all from banners place on various web sites.
    We were able to run stuff in browsers that was next to impossible to remove.
    And with browsers restoring all the windows most common users would never figure out how to kill these things.

  • Damn good thing that Firefox 23 makes javascript obligatory:

    http://news.slashdot.org/story/13/07/01/1547212/firefox-23-makes-javascript-obligatory [slashdot.org]

    • Blanked disabling Javascript means large portions of the internet become useless, so NoScript is a better solution IMHO anyway.
  • Why don't they fix javascript, limit it to a handful of requests so it can download its data but not spam requests in a loop? Disable its popup ability, too. I have never needed it, and if I did, I'd be happy to click an open window approve box.

  • Unless they are paying for their ads using anonymized Bitcoins couldn't the ad company be served a warrant and the perpetrator found through the payment records?

"Love may fail, but courtesy will previal." -- A Kurt Vonnegut fan

Working...