Hackers Use Banner Ads on Major Sites to Hijack Your PC

The worst-case scenario used to be that online ads are pesky, memory-draining distractions. But a new batch of banner ads is much more sinister: They hijack personal computers and bully users until they agree to buy antivirus software. And the ads do their dirty work even if you don't click on them.The malware-spiked ads have been spotted on various legitimate websites, ranging from the British magazine The Economist to baseball's MLB.com to the Canada.com news portal. Hackers are using deceptive practices and tricky Flash programming to get their ads onto legitimate sites by way of DoubleClick's DART program. Web publishers use the DoubleClick-hosted platform to manage advertising inventory." CT: Link updated to original source instead of plagerizer.

oh great

[deftones_325]

So now I need to buy penis-enlargment pills AND and anti-virus.

Re:oh great

[FuzzyDaddy]

Yes, those two things often go together.

What are these "ads" you're talking about ?

[galaad2]

That's why Firefox+NoScript+AdBlock Plus+Flashblock were invented

Re:

[FudRucker]

with NoScript the use of FlashBlock is redundant, NoScript blocks all plugins (not just flash)...

Re:

[galaad2]

i beg to differ, Flashblock does have a purpose even together with NoScript:

on some sites i want to allow scripts but block flash... and this is the best solution i've found.

Re:

[FudRucker]

you have a point there, my eyes are opened, thanks...

Re:

[Ginger Unicorn]

dont forget filterset.g updater and cookiesafe

Never Experienced This

[ilovegeorgebush]

I've never come across one of these ads. In fact, I rarely get ads as I use the Adblock Plus [mozilla.org] plugin for Firefox. This just gives even more reason to ban advertisements entirely. Thanks!

Re:Never Experienced This

[Otter]

Adblock doesn't block these, as they constantly change the domain names. NoScript, which is otherwise way too paranoid and obtrusive for my taste, will do it.

Unrelated thoughts:

1) YouTube video is a rather inefficient way to distribute this analysis.

2) The security guy is way too kind to the sites hosting these ads. I've written to several of them, telling them how sleazy the ads are and how bad they make the site look, and the ads are still there.

3) How did YouTube decide that "ridiculously hot LATINA girl dancing, not asian!" is a Related Video? Except in the sense that it's always relevant, I mean.

Re:Never Experienced This

[doombringerltx]

3) How did YouTube decide that "ridiculously hot LATINA girl dancing, not asian!" is a Related Video? Except in the sense that it's always relevant, I mean.

Finally a reason to RTFA

Re:Never Experienced This

[orclevegam]

Actually, these are getting into some reputable sites through places like DoubleClick, which is one of the domains that AdBlock targets, so in this case it will protect you. Now, on less reputable sites that are getting these things directly instead of through DoubleClick, yeah, AdBlock won't do much there.

Re:

[rucs_hack]

most advert serving domains still, for some reason place the images to be used in */ads/* or */banners/*, something like that anyway. A well written rule file for adblockplus (e.g most available ones) have the capacity to block many previously unknown ad servers. Then of course if they are spotted, they go on the list.

Re:

[Constantine XVI]

AdBlock Plus, as mentioned by GP, has a built-in filter updater to combat exactly what you mentioned.

Very stupid idea

[TheMeuge]

This just gives even more reason to ban advertisements entirely.

The "let's ban it" attitude seems awfully familiar. Are you a member of the US, UK, or EU parliament by any chance?

Like it or not, but advertising generates (directly and indirectly) the revenue that drives the Internet. When advertisement is passive, and does not attempt to hijack your computer, it is theoretically an win-for-all scenario: the advertisers get their clients, the consumers get their products, and the sites that host the a

Re:

[IBBoard]

When advertisement is passive...

Hackers are using deceptive practices and tricky Flash programming...

Not quite passive if they're using Flash, though. I'm selective with my AdBlocking because I know some webmasters rely on the revenue. Anything that's overly flashy (be it flash or animated GIF) or anything too large/overlapping/intrusive gets the page or folder containing the add blocked. If it happens too many times then the entire domain goes.

As for the drive-by infection, hasn't that been going on for a

Re:

[orclevegam]

On reputable sites I usually disable AdBlock plus, but I always use FlashBlock, as nothing annoys me more than flash ads.

Re:

[GIL_Dude]

I had understood that advertisers didn't pay for "impressions" (ad views) anymore and only paid for click throughs. If that is true (and I may be wrong about it - I certainly admit that), then if you are not going to click on an ad you might as well block them since the site admin isn't getting paid anyway. (And, even worse - for the few who self host the ads, you would be costing them bandwidth).

Re:

[John Hasler]

> Not quite passive if they're using Flash, though. I'm selective with my AdBlocking
> because I know some webmasters rely on the revenue.

If I did that the "harm" would just be transferred to the advertisers as I will never buy what they are selling. I see no reason to worry about it, though.

Re:

[ilovegeorgebush]

I meant ban it personally in my browser. Not on the whole of the web, you clod!

Re:

[Anonymous Coward]

The "let's ban it" attitude seems awfully familiar. Are you a member of the US, UK, or EU parliament by any chance?

Like it or not, but advertising generates (directly and indirectly) the revenue that drives the Internet. When advertisement is passive, and does not attempt to hijack your computer, it is theoretically an win-for-all scenario: the advertisers get their clients, the consumers get their products, and the sites that host the advertisement get their costs and expenses covered.

You are very much mis

Your company/family/school

[KiloByte]

Right, we all use Adblock and the like. Yet, you can't force everyone in the vicinity to do so, there are lesser minds who opt for Opera, and there's even a tiny portion of giants on Links -- and let's not even mention how low SOME folks can fall.

I would say that adzapper (if you use squid) or a DNS-based blacklist is quite mandatory wherever you do have a say. Glancing at the logs of ISPs I have root at, roughly 1/4 of all freaking http requests go to lowlifes -- and even that based on my grossly incomplete list of ad/spyware/tracking scum.

Yeah, 25%. That's horrible.
And there are some customers dumb enough to complain if you do protect them from ads, so you can't do this in an ISP scenario. But in a company, school or family? Hell yeah, there's no reason for doubleclick.com to get through, ever.

Re:

[SirTalon42]

Opera has had a built in AdBlock for quite a while now (which is easier to use IMO, right mouse click on the page, block content, then click on all the ads you see then done). So does Konqueror and a lot of other free (and Free) browsers. Firefox is probably one of the few that doesn't...

Re:

[Constantine XVI]

I've noticed that not only does Konq have a built-in adblocker, it comes with (at least in the Kubuntu build) a pre-set filter list, which cannot be said of Opera.

Re:

[John Hasler]

I use Privoxy. It does an excellent job of blocking all ads while working with any browser.

Re:Your company/family/school

[Nicolay77]

Opera is faster and more secure. Opera 9.5 is even faster, making Safari bite the dust. It also uses less memory.

It also can block ads (although not with a blacklist as FF, but you can block whole domains).

To me the lesser minds are the ones that can't respect other people choices.

Re:

[the_womble]

Noscript is a lot better at protecting you from stuff like this: no Javascript, Flash Java etc. runs unless you let it. The malware need not be in an ad, there are a lot of other ways of getting people to their sites.

I run Firefox with Noscript on Linux, and using a different browser (I used to use a different user) for sensitive websites. Is this malware likely to affect me?

Re:

[truthsearch]

I actually prefer to see the advertisements. I want to know if a site I go to is more interested in annoying or intrusive ads than the visitor's experience. If a site has annoying ads I simply don't use the site any more. This way the sites that I like can still get revenue from my page views while the sites that choose to annoy me lose me forever.

These sights should drop DoubleClick immediately and switch to another ad partner. They should also consider a lawsuit. If they do nothing but point a finger

Re:

[xtracto]

Yeah... maybe it is that I only surf the same 5 or 6 websites each day (gmail, slashdot, news.google, jornada, google, wikipedia mostly + scientific journals from SCOPUS datasbase or citeseer) but since installing AdBlock I have not seen an ad for quite some time while browsing.

However it is really annoying when I have to use some computer with IE 5,6 or 7 without adblock because I feel the web *very* polluted. It akin to when you live in a small city with almost no advertising and then you move to Mexico C

And the funny thing is...

[Noryungi]

Some people complain about Firefox AdBlock? Sheesh.

Note to self: remember to program Adblock to reject everything from DoubleClick from now on, on all home computers.

Re:

[Henry V .009]

You still program Adblock? Give Adblock Plus and its automatically updating filters a try.

Re:

[Oktober Sunset]

Plus a free jelly mould in the shape of Texas.

First site on my block list

[HangingChad]

Note to self: remember to program Adblock to reject everything from DoubleClick from now on, on all home computers.

I use Adblock and NoScript on Firefox. Doubleclick is the first site on the block list in both apps. That's why I couldn't figure out why Google wanted to buy them.

Re:

[orclevegam]

Actually I don't use NoScript because a lot of the sites I frequent have AJAX components, but I do use FlashBlock and that takes care of a lot of the problems.

Re:

[Turing Machine]

NoScript lets you approve sites on an individual basis.

Re:

[John Hasler]

> Then you can selectively add secondary sites, like Google Analytics.

Why?

AdBlock and NoScript

[Timinithis]

I use these exclusively, are there reports that this method gets by them? I know that if the ad is blocked, it isn't downloaded, but is that all it takes, download the ad and you have the virus?

Sounds like a reason to just block all double-click items...

I don't enable flash/scripts on any page unless it is needed -- like scripts for /.

Re:

[secPM_MS]

I don't see a need for blocking adds. The problem is not the adds per. se., but the active content. Active content may be malicious. Unfortunately, rich media is the draw for the bulk of the viewer base and rich media tends to use active content.

The viewer / user if presented with Hobson's choice: accept active content, get the desired benefit - while taking the risk; or block active content, be safe, and not get the desired benefit.

If the user wants to view the content and be relatively safe, they can

Re:

[Sleepy]

I am paranoid. I run Windows Server 2008, running as a normal user. IE 7 is configured as my default browser in enhanced security mode, which is locked down and secure.

The really paranoid admins would never surf from their server, period. For that matter there is also no desktop interface on a paranoid setup. These are potential attack vectos.

If you are that cautions, why not run your browser virtualized? just install a VMWare 'browser appliance' (or if you 'require' a Windows browser, install XP inside of

Re:

[Stradivarius]

Even passive content like a JPEG may be malicious/unsafe. Suppose someone discovers a buffer overflow exploit in how IE processes images. You can bet that you'll start seeing images crafted to trigger the exploit and thus hijack the viewing computer. They may well end up on Doubleclick's network.

When you have (inevitably) imperfect software paired with untrusted content providers, there is no guaranteed way to be safe. Which is what makes Doubleclick such a menace - you can't even trust reputable sites an

who is to blame

[cpearson]

Great, now we can await a round of finger pointing to begin over who is liable.

Re:

[Detritus]

The simple solution is to assign final responsibility to the web site that is delivering the tainted ads. They are the ones who have ultimate control over what content gets delivered to the user. "We contracted it out" should never be accepted as an excuse.

Ah, let the blame game begin

[SuperBanana]

The malware-spiked ads have been spotted on various legitimate websites, ranging from the British magazine The Economist to baseball's MLB.com to the Canada.com news portal.

...and since those sites outsource to Doubleclick, they'll point a finger at them. Doubleclick will no doubt point the finger at some previously-unheard-of company that "solicits advertisements for the Doubleclick network", and they'll point the finger at their "client."

Meanwhile, The Economist, MLB, Canada.com, etc won't take responsibility for the content they present on their website (after all, they chose to use Doubleclick, they chose to put advertisements on the website, they chose not to require approval of ads before they were shown on their website, etc.) Funny how everyone is trigger-happy when it comes to copyright, but when it comes to content they present causing harm, it ain't theirs, eh? :-)

Doubleclick, of course, won't accept responsibility for vetting advertising distributed via their channel (which seems like a standard business procedure for, oh, an advertising network?) The only comfort is the mechanism of the free market: if website users get pissed enough, said websites might put pressure on Doubleclick or leave them altogether. That's bad for Doubleclick business, so maybe Doubleclick will consider vetting ads better, or run checks to see that flash code doesn't do certain things, etc. Then again, if the malicious banner ad suppliers are paying good enough money, Doubleclick may be perfectly happy to issue a press release "apologizing" and keep right on doing business as usual.

Re:Ah, let the blame game begin

[Frosty Piss]

Meanwhile, The Economist, MLB, Canada.com, etc won't take responsibility for the content they present on their website (after all, they chose to use Doubleclick, they chose to put advertisements on the website, they chose not to require approval of ads before they were shown on their website, etc.) Funny how everyone is trigger-happy when it comes to copyright, but when it comes to content they present causing harm, it ain't theirs, eh?

And speaking of "trigger-happy", you seem to point the finger right back at the Web sites for not inspecting the ads and the underlaying code. Well, that's what they hire DoubleClick for, thats one of the points for using outside ad servers. DoubleClick (and its Mother Ship Google) where not doing their jobs. It was THEIR responsibility to know that the ads THEY served where ligit or not. That's why THEY make the "big bucks". Google is good, Google is God...

chain of responsibility

[SuperBanana]

And speaking of "trigger-happy", you seem to point the finger right back at the Web sites for not inspecting the ads and the underlaying code. Well, that's what they hire DoubleClick for,

And who decided to hire DoubleClick, instead of (as you mention) Google AdSense or a hundred other advertising networks, all of varying reputation, levels of annoying-ness, etc? Who negotiated the terms of the contract, which could have required vetting of ads by Doubleclick? Who had the power to chose between text, GIF, and Flash based ads? Who benefits financially from the presentation of those ads?

So, again tell me who is responsible for ME getting an infected PC visiting that website? If GM makes a car and the wheel falls off because Bob's Bolts sold them defective bolts, I can still sue GM for selling me a car on the reasonable assumption that GM would test bolts before putting them in a hundred thousand vehicles...and GM made the decision to buy from that particular supplier.

The way the world works is: I sue GM. GM then sues Bob's Bolts for damages (ie to reputation, the money they had to give me and spend on legal defense, cost of recall, etc.) Bob's Bolts then may sue Smith's Steel for selling them crappy steel.

Or, in this case: I sue The Economist for infecting my machine. The Economist turns around and sues Doubleclick for providing malicous ads. Doubleclick may then turn around and sue the company that made the malicious ads, for violating the terms of contract with Doubleclick specifying no malicious content...

Yeah sure

[gerf]

When you find a company that allows people to use their copyrighted material however they want, and also takes responsibility (monetarily and apologetically both), for their own mistakes, let me know. And they have to still be in business, that is..

Re:

[Ed Avis]

...and nobody blames the real culprits: whichever idiots designed the Flash player, browser and OS so that an advertisement on any random, untrusted website can download things to your machine without your permission. It's 2007. If we have to have things like the Flash player, why on earth doesn't it run in a sandbox with no access to your files? Why doesn't every single window popped up by Flash have a mandatory button 'go away and don't ever show me popups from this Flash file again'?

Re:

[CodeBuster]

Doubleclick may be perfectly happy to issue a press release "apologizing" and keep right on doing business as usual.

Which is why many of us have elected to employ the nuclear option (FireFox + AdBlock Plus + NoScript) instead of dealing with crap like this. I really don't give a damn about doubleclick or any of their double talk (pun intended). How many more people will choose the nuclear option after reading articles like this? We shall see.

TFA = Site scraping?

[Anonymous Coward]

The flibby link is identical to this Wired blog post [wired.com] by Betsy Schiffman, dated four days earlier.

ISP's should block DoubleClick

[RichMan]

This is a good enough reason for ISP's concerned about security to block DoubleClick. You spam the net with bad referrals you get binned. Also think of the traffic that would get binned, way better than blocking p2p.

Do it for a month and DoubleClick and their ilk will be extra sure about not hosting bad stuff.

Re:

[Dunbal]

This is a good enough reason for ISP's concerned about security to block DoubleClick.

      Wishful thinking. ISP's are far too busy doing IMPORTANT things like going after P2P and torrent users than doing TRIVIAL things like block spam and malicious code.

The Problem is Ubiquitous

[yintercept]

The problem isn't unique to Doubleclick. It exists anytime you have multiple parties producing dynamic content for a site. The producers of Malware seek out every opportunity to inject their slime onto the net. If you have a forum, guestbook or allow comments on blogs, you will get hit by bots trying to find ways to inject malware into a post. The people playing this game buy expired domains and fill them with malware garbage.

If you look at the logs for any web site, you will probably find hits from malw

Not exactly new

[Anonymous Coward]

This has been going on since flash 8 was released with a vulnerability. I got hit by this about a year ago, maybe a little more.

  Suddenly windows security center, that I routinely turn off because I can't stand the nagging, started up and told me that my computer was insecure and that I should go to a certain website and buy their virus defender software.

Not very subtle to a savvy person like myself, but I imagine some people would fall for it.

The box also started throwing up connection error message boxes, presumably because my external firewall were blocking outgoing connection attempts. Again not subtle, but it's an uncommon setup for a home user.

Third, it must have rooted the box somehow because certain files became invisible. "test.exe" among them. Renaming a textfile to text.exe would make it disappear, and the folder would be unremovable. Cygwin came to the rescue there. Also I noticed only because I happened to have lots of little crap programs laying around.

The virus scanners did not pick up on this.

This is the only time I have actually contracted a virus. Needless to say I hosed the box (PING is not disk image). What I learned from the experience is that knowing your system is way more effective than a virus scanner, and B) don't trust flash which is how I got the damn thing. I thought I was safe with firefox.

Re:

[orclevegam]

FlashBlock is your friend.

Re:

[Kingrames]

Flashblock is one of the most annoying plugins ever. I don't mind when it spares me the problems on a news site, but on sites like ytmnd, where I have to click the flashblock 3 times per site in sequence just to see something, it gets real annoying real fast.

I just wish they could change it to where it would allow whitelisting of certain domains like noscript does.

At least back to 2004

[Kelson]

Yeah, I immediately thought of a set of malicious ads that triggered an IFRAME exploit [netcraft.com] back in 2004. The Register found them on their own site [theregister.co.uk], pulled the ads and apologized to their readers. The Internet Storm Center did a pretty good write-up of the incident [sans.org].

Terrible relationships with their advertisers

[sseaman]

Content providers need to be responsible for the content of the ads posted on their sites - that's a given. TFA indicates that these content providers (the people behind NHL.com, for example) simply received payment for these ads via credit card or wire transfer and then posted the content. If these sites used a network television model, they would have intimate relationships with the advertisers and would work together to provide less offensive and more effective ads. I don't think they need to go that far (network television ads are far from perfect, although they are quite effective), but clearly MLB.com and NHL.com need to be held responsible for the content on their sites, and hopefully this will encourage better cooperation between site hosts and advertisers.

Re:

[EtoilePB]

If these sites used a network television model, they would have intimate relationships with the advertisers and would work together to provide less offensive and more effective ads.

If they followed a network television model, they would also be held more responsible for the content of the advertising on their sites. I don't work in network television, but my partner does -- coming home from work all the time with *facepalm* stories. They have to be very cognizant of what they put, where, and most espec

Say.. doesn't Slashdot use Doubleclick?

[Animaether]

I'm pretty sure it does because I had to wait 30 seconds for any page of Slashdot's to render fully yesterday because Firefox was busy waiting for ad2.doubleclick.com or somesuch subdomain of theirs. The current page source certainly has doubleclicky ads.

Now, granted, the malware distributors typically tag ads for subjects not often seen on Slashdot (but I get them on, e.g., the Sinfest comic - huh, imagine that).

I'd say it's about time Doubleclick (that's you, Google, if you finally get to say you did indeed acquire it and everybody OK'd the deal.) gets held a little more responsible for this sort of thing being done through their network for which they collect money.

Re:

[orclevegam]

I just got a new workstation at my office and hadn't got around to installing FlashBlock/AdBlock+ like I normally do, but the dice.com add on slashdot finally convinced me to do it. For some reason whenever the dice.com ad loaded it would bring firefox to a crawl until I killed the window it was in or reloaded that page and got a different ad cycled in.

Re:

[bogie]

You know what would be a great addon for Firefox? An Extension that somehow would intelligently work around Firefox hanging on a non-responsive external to the site servers. Instead of using Adblock et al, let the site have their ads but route around the ones that cause pages not to load. Nothing worse than going to your favorite site an wondering what is taking so long only to see ad2.doubleclick.com sitting in the status bar.

Re:

[Animaether]

To be fair, I'd say this is a Firefox rendering issue. It already has the HTML page.. short of any javascripted source-code injection stuff, it should be all set to render the page .. minus the missing 'loading' element. But yes, all the same, it bugs me when the status bar shows that, of all things, it's an -ad- that's the instigating cause.

Re:

[Hatta]

What would be great is if Firefox would move to a multi-threaded UI.

Re:

[cyclocommuter]

Yes, Slashdot uses Doubleclick, I can see doubleclick as one of the domains/sites blocked by NoScript when I click on its (NoScript) icon when I am on Slashdot.

Doubleclick sent out a notice Friday

[night_flyer]

here's a list of the sites that contained the malware:
100it.info, 10smi.info, 2greatfind.com, 2quickfind.com, 3akoh.net, Ad2cash.net, Ad2profit.com, Adcomatoz.com, Adgurman.com, Adhokuspokus.com, Adnetserver.com, Adredired.com, Adsolutio.com, Adtraff.com, Adverdaemon.com, Adverlounge.com, Adzyclon.com, Alg-search.com, Alhoster.com, Aligarx.biz, All-search-it.com, Alphatown.us, Anmira.info, Anonymbrowser.com, Antivirussecuritypro.com, Aptprog.com, Art-earn.biz, Astalaprofit.com, Autodealer-search.com, B2adz.com, Bazaard.com, Belkran.com, Belshar.com, Bestadmedia.com, Best-biznes.info, Best-cools.info, Bestdatafinder.com, Besteversearch.com, Bestpharmacydeals.com, Best-screensavers.biz, Bestsearchnet.com, Bestshopz.com, Bestwm.info, Bestwnvmovies.com, Bezzz.info, Bi-bi-search.com, Bizadverts.com, Bizmarketads.com, Blessedads.com, Bm-redy.com, Bovavi.com, Brandmarketads.com, Bucksinsoft.com, Burnads.com, Cancerno.com, Candid-search.com, Carpropane.com, Cashloanprofit.com, Casinoaceking.com, Casinoby.com, Casinodealsgalore.com, Cha-cha-search.com, Cheap-auto-deals.com, Checkstocklist.com, Chushok.com, Clever-at-search.com, Clubheat.info, Come-from-stars.com, Co-search.com, Creamme.net, Cryptdrive.com, Cyndyk.info, Deuscleanerpay.com, Didosearch.com, Diphelp.biz, Dmitry-v.info, Doma2000.com, Durtsev.com, Easybestdeals.com, Energostroj.com, Enothost.com, Eroticabsolute.com, Errordigger.com, Errorinspector.com, Evrogame.info, Fandasearch.com, Fantazybill.com, Fastwm.info, Fastzetup.info, Fati-gati-search.com, Favourable-search.com, Favouriteshop.com, Feel-search.com, F-host.net, Fifaallchamp.com, Fight-arts.com, Fileprotector.com, Findbyall.com, Firstbestsearch.com, Firstlastsearch.com, First-ts.com, Foamplastic.net, Fokus-search.com, Force-search.com, Forceup.com, Forex-instruments.info, Forvatormail.com, Freepcsecure.com, Freerepair.org, Freetvnow.net, Friedads.com, Fulsearch.com, Getfreecar.com, Gibdd.us, Glass-search.com, Glorymarkets.com, Gosthost.net, Great4mac.com, Greyhathosting.com, Gt-search.com, Hackerpro.us, Hardlinecenter.com, Hebooks-service.com, Hintway-international.com, Homeofsite.com, Hromeos.com, Hyip2all.org, Icq-lot.org, Iddqdmarketing.com, Ideal-search.com, Idea-rem.com, I-forexbank.biz, I-games.biz, Imamis.net, Individ-search.com, Information-advertising.info, Infyte.com, Initial-search.com, Insochi2014.com, Installprovider.com, Internetadaultfriend.com, Internetanonymizer.com, Internetsupernanny.com, Intervarioclick.com, Investmentsgroup.org, Invulnerableads.com, It-translation.biz, Izol-tech.com, Kamerton-tests.com, Kazilkasearch.com, Keytooday.com, Keywordcpv.com, Kiridi.net, Kpoba.net, Kurgan45.info, Ladadc.com, Lanastyle.com, Ldizain.info, Libresystm.com, Liders.biz, Linii.net, Liveclix.net, Loffersearch.com, Londasearch.com, Lovecraft-forum.net, Loveopen.info, Lseom.biz, Luckyadcoin.com, Luckyadsols.com, Mad-search.com, Magicsearcher.com, Mailcap.info, Manage-search.com, Marketingdungeon.com, Mass-send.com, Max-expo.net, Maxyanoff.com, Mediatornado.com, Mega-project.biz, Megashopcity.com, Mightyfaq.com, Misc-search.com, Mobilesoftmarketing.com, Mobiletops.com, Mobilorg.org, Moneycometrue.com, Moneypalacecash.com, Mounthost.net, Myfavouritesearch.com, Myhealth-life.org, Myonlinefinance.com, Mysurvey4u.com, Mythmarketing.com, Mytravelgeek.com, Myusefulsearch.com, Napol.net, Navygante.com, Netmediagroup.net, Netturbopro.com, Newbieadguide.com, Nryb.com, Of-by.info, Olgalml.com, Ol-search.com, Onedaysoft.com, Onestopshopz.com, Onwey.com, Opensols.com, Original-search.com, Osetua.com, Osminog.org, Parischat.org, Passwordinspector.com, Pcsoftw.com, Pcsupercharger.com, Performanceoptimizer.com, Piramidki.com, Podelkin.info, Popadprovider.com, Popsmedia.com, Popupnukerpro.com, Postcity.info, Prenetsearch.com, Prevedmarketing.com, Prizesforyou.com, Pro-dom.info, Propotolok.info, Pro-svet.info, R2d2adverising.com, Radiosfera.net, Rocktheads.com, Roller-search.com, Rombic-search.com, Rus-invest.net, Rusnets.info, Russia-post.com, Sajruen.info, Samson-pro.com, Sauni.net, Se7ensearch.com, Search-and-win.com,

Re:

[Frosty Piss]

None of the sites listed in the "story" are on this list. Where did this list come from? Or is this some SEO trick for a bunch of spam sites?

Re:

[night_flyer]

from what I gathered, these are the sites linked to the ads that showed up on the sites listed in the article

Re:

[night_flyer]

heres the rest of the email notice...

Over the last several months, website publishers using a variety of platforms have inadvertently served ads that contain malware executables. As we noted in the communication we sent in early October, the ads appear to have originated from small "agencies". These agencies go by a variety of names, and generally claim to be based in Europe or Canada.

Our security monitoring system (active on DART for Publishers, DART for Advertisers and DoubleClick Advertising Exchange) ha

Re:

[roman_mir]

All of the below names sound like they were (almost certainly) created by a Russian speaking person:

3akoh.net, Adgurman.com, Adhokuspokus.com, Adzyclon.com, Aligarx.biz, Chushok.com, Dmitry-v.info, Doma2000.com, Durtsev.com, Energostroj.com, Enothost.com, Eroticabsolute.com, Fati-gati-search.com, Fokus-search.com, Gibdd.us, Insochi2014.com, Kazilkasearch.com, Keytooday.com, Kiridi.net, Kpoba.net, Kurgan45.info, Ladadc.com, Liders.biz, Linii.net, Maxyanoff.com, Olgalml.com, Osetua.com, Osminog.org, Piramidki.com, Podelkin.info, Prevedmarketing.com, Propotolok.info, Pro-svet.info, Radiosfera.net, Rombic-search.com, Rus-invest.net, Rusnets.info, Russia-post.com, Sauni.net, Serebro1.info, Sergp.info, Sevna.org, Sotaman.info, Spbcoffee.info, Stolovaya.info, Svadba-buket.info, Svadba-center.info, Svadba-dress.info, Svadba-rings.info, Svadba-scenarii.info, Svadba-toast.info, Svadba-vikyp.info, Vkpb.net, Wape3a.net, Wmbserg.org, Wmolotok.org, Wmrabota.info, X-lave.info, Zappinads.com, Zapsibir.com, Zvukko.net

Old news.. and a very old problem.

[Dynamoo]

Seriously, I wrote about exactly the same thing here [dynamoo.com] a month ago, although I could identify Doubleclick as the network running the ads. It's quite amusing to see that the fake anti-spyware app claims that you have Windows malware on your Linux box.

Still, griping aside it's good to see this hijack getting a higher profile. However, I had a note from someone who had come across a hijacked banner on Yahoo! just today, so it's clear that the banners are still out there.

Banner hijacks for this type of rich m

Re:

[GIL_Dude]

So far, these have all been Flash based attacks from what I am reading. I know few folks use it yet (ever?), but what about SilverLight? Does it enable these same vectors? I know some sites (like MLB.COM) do some of their stuff in SilverLight these days (probably got special help setting it up or got paid to do it or something). Anyway, it makes me wonder if it is really ALL rich media or if it is really specific to a design issue with Flash?

Re:

[Emetophobe]

I clicked on your "not a new problem" link. Avast (free edition) popped up a Trojan warning. What exactly is on that page?

hosts file

[phrostie]

all the more reason to set up a host file

http://www.mvps.org/winhelp2002/hosts.htm [mvps.org]

Re:

[gmack]

Some of the less reputable ad networks have already moved to random subdomains to get around this. To fix them I created a that can be matched against multiple domains. [innerfire.net]

I use a flash blocker so I use this zone file on sites where the ads annoy me in spite of me not seeing flash.

And then I can just add each domain I want to block like this. [innerfire.net]

yet another reason...

[fotbr]

to block doubleclick

Adblock, hosts file, iptables, surfing the net with lynx, etc. Pick a method you like and enjoy life without doubleclick.

Why aren't we blaming the browser?

[bhmit1]

Everyone is cheering for AdBlock when they read this, but why is it ok that a browser can install spyware, viruses, etc when you are browsing a web page? Shouldn't this be something that can only happen on sites that you explicitly permit or upon agreeing to a dialog asking if it's ok to run a given program? If you can experience this problem with double-click, then you can experience the same problem with any web site out there, so I'd much rather see us fixing the security holes in various browsers.

Re:Why aren't we blaming the browser?

[moderatorrater]

Flash is a plugin, it's what needs to enforce a security model. Also, sites need to step up and stop allowing exploitative ads. If an ad is clearly posing as a windows dialog box, then that ad shouldn't be allowed onto your site.

Re:

[bhmit1]

Fair enough, we need to fix flash, not ban one of the unlimited number of sites that use flash. Of course, if individual users want to disable flash on their machine, I have no problem with that, but that shouldn't be the security solution for everyone.

And for ads posing as dialog boxes, I'd want to see a window manager that ensures the distinction is always clear. If a web page is able to alter the screen to the point that all you see is a "this workstation has been locked, please enter your password" sc

Re:

[bzipitidoo]

So much security is not practical. Why stop at the browser? Blame the OS too. And blame people for not making regular backups. Maybe all users should run SE Linux so a suborned browser can't screw up the system. Maybe the browser, and every other app, should be run as a different user, or in a chroot jail, or in a virtual machine. But of course few run SE Linux or any of those other measures because, sort of like Vista, it's a huge pain to have to constantly work through and around the security measur

Doubleclick could fix this in 2 seconds

[oni]

From TFA: The malware looks like a ordinary Flash file, with its redirect function encrypted, so that when publishers upload it, the malware is not detectable.

All Doubleclick has to do is require the actionscript source code for all ads. There is *no good reason* for an advertiser to hide anything from doubleclick. Send doubleclick your sourcecode. They will compile it into a .swf file. If you don't like that policy, then you can find another distributer for your ads. If your actionscript is so convoluted or obfuscated that doubleclicks programmer can't figure it out, then you can wait in line until the programmer can figure it out, or you can simplify it.

Problem solved.

the common denominator

[FudRucker]

the common denominator in all this is MS-Windows, get rid of windows (if possible) and you will be much better off with an immunity from this sort of infection, use some variation of *nix (BSD of Linux) and as others in this article commented using AddBlock & NoScript extensions on Firefox is your best bet at stopping this sort of thing...

Popup? Click the red X square.

[pentalive]

Since I can't trust any of the buttons in a pop up, I usually close them using the red X square, We call it the "Go Away Box" around here, so I've forgotten its given name. Will this work for this kind of ad? I am thinking it's safe because my OS is putting that button on a frame around the ad's window.

Google hole that allows a similar attack

[Animats]

There's a related hole in Google Maps, an "open redirector", that allows this exploit. Here's an example:

Caution - hostile URL Close the page displayed; don't click on anything on it. [google.com].

Note that it fools Slashdot, and most link scanners in spam filters, into accepting the URL as leading to "google.com". But, in fact, it redirects to the "malware-scan.com" hostile site, which will try to install an Active-X control.

We've been finding attacks like this up with SiteTruth [sitetruth.com], by using PhishTank [phishtank.com] information to down-rate sites that have open redirectors. We've found open redirectors on Google and AOL. They're actively being exploited.

So we're currently down-rating Google [sitetruth.com], and AOL. [sitetruth.com]. It may seem drastic to downrate an entire major site because they have a few "minor" exploits. PhishTank itself only blacklists specific hostile URLs. But that's no longer enough. Most modern phishing attacks use a unique URL, and often a unique subdomain, for each user attacked. SiteTruth thus takes a harder line. If a domain hosts something one of the data sources says is an attack, it downrates the whole domain automatically.

It's within the power of the site operator to close such security holes. We encourage them to do so.

Banner attacks started as early as 2004

[1sockchuck]

In reality, these kind of attacks have been happening for years. Netcraft first reported on banner network hijacking more than three years ago, in August 2004 [netcraft.com], and cited similar attacks that may go back as far as 2001. High-profile sites that have been affected almost from the start. In November 2004 [netcraft.com], the web sites of The Register, NBC/Universal, The Golf Channel, The A&E Network and Sony Pictures Digital were used to distribute malware.

Who broke the link?

[LWATCDR]

"hhttp:wwwwiredcomtechbizmedianews200711doubleclick"
Is so not a valid url.

In Soviet Russia

[Scroatzilla]

...the monkey punches you.

Adding insult to disgust to injury...

[JRHelgeson]

PayPal has a "Virtual Debit Card" that you can use to access your PayPal account. Prior to downloading the software, you're asked to verify your system requirements. If everything checks out, you can then download and install the software.

Here's the rub - when you click on the "Download Now" button, it actually sends you to DoubleClick.net site. Then the DoubleClick.net site redirects you back to the PayPal site and starts downloading the application. If you have DoubleClick.net blocked in your hosts file, like I do, then you can't download the software.

Why?

It is so that DoubleClick.net can plant a first-party cookie, spy on your activities, direct advertisements to you... PayPal has just submitted ALL your information AND the fact that you use PayPal, AND the fact that you purchase stuff online, AND, AND, AND... Then DoubleClick.net can target you for highly targeted advertisements.

This is just unconscionable. PayPal deserves all the flame they're gonna get over this one.

Re:

[JRHelgeson]

True, problem solved. Delete the cookie, no problem.
My point is that any trust PayPal had was destroyed the moment they redirected my browser... What else are they doing with my financial information?

Re:

[Allicorn]

Javascript's alignment notwithstanding, it is not implicated by TFA in this particular situation. This is about the evils of Flash.

Re:

[Minwee]

I forget. Is the Evil Flash Barry Allen, or is it Wally West?

Re:

[dave420]

"Common gutter computer"? grow up :)

Re:

[wordsnyc]

I have three low-end Dells running Linux.

They say they'll be waiting for you in the parking lot.

Re:

[montyzooooma]

Anyone know if using Opendns DNS servers helps at all to prevent infection? Longshot I know.

Re:

[MyLongNickName]

What exactly does this have to do with Darwinism? Does the virus cause the computer to kill the user so he/she cannot reproduce? And is computer illiteracy genetic? If not, then my next suggestion is that parent poster just likes to feel smug about his computer knowledge...

Re:

[darthflo]

It's the other way round. Computer-illiterate Fred's computers get infected, work slower or stop working alltogether, Jack, who knows a bit about computers is called up (friends, family or geek squad), fixes it, receives money. After a few of said encounters, Jack possesses lots of money while Fred's really poor. Jack then gets to have loads of unprotected sex with lots and lots of supermodels, producing a filthy rich uber-generation of semi-computer-savvy children while Fred's happy to be able to afford a

Re:I only found these ads on....

[morgan_greywolf]

BTW these ads are not directly dangerous unless you are running on some old browser/old Windows system, but yes, they are annoying as hell.

Um, wrong. Watch the video [youtube.com]. The guy is running Windows XP SP 2.

Re:

[fredklein]

If you say no....nothing happens

Perhaps you missed the part(s) in the video where he specifically clicked 'CANCEL', and it still scans his PC.

It politely asks you to download and run a trojan.

And asks you...and asks you.. and asks you....

Re:

[gazbo]

Oh no, I just assumed that not everybody would be as credulous as the person who made the video. Of COURSE it's not scanning his PC, any more than you're really the 1,000,000th visitor to the webpage. It's nothing more complex than

window.confirm('Do you want to scan....');window.location.href='http://advert.com/pretend_to_scan.gif';

And yes, it asks you repeatedly. How is that "directly dangerous?" Annoying, yes (as the OP said), but not directly dangerous (as, once again, the OP said).

Re:I only found these ads on....

[Ron Bennett]

One should click the "X" to close out such windows - or likely better yet, especially when in doubt, do so via keyboard CTRL-F4 (think that's the combo).

Anyone who has done some VB programming, etc is well aware that the labels on dialogue boxes can say most anything and be assigned to most anything - problem here is that most Window's users don't know that "Cancel" can be assigned to the same function as "Yes", etc ... don't trust any option shown, use the "X" instead; that's not full-proof either, but much safer than clicking "No", "Cancel", etc.

Ron

Re:

[Metaphorically]

One should click the "X" to close out such windows - or likely better yet, especially when in doubt, do so via keyboard CTRL-F4 (think that's the combo).

And why is it that the close button in the corner is special? It may be the safest because normally it isn't hooked but depending on the situation it could be. Windows sends messages to the program whose window is going to be closed. What's more, an application can draw it's own window decorations (like Winamp does, for example) where the corner bit looks like a normal close but isn't.

Even in a web page, someone can make an image that looks exactly like a default message box on your OS (which can be gue

Re:

[foobsr]

WareZ engines like astalavista.com

It is 2007!

They now say: "Note: Astalavista.com is NOT affiliated with Astalavista.box.sk, there are NO cracks/serials/keygens/warez etc. hosted on the Astalavista.com's server, and never were! Moreover, Astalavista.com is a security site, therefore requests for anything illegal are simply directed to the wrong party, and get ignored immediately!"

CC.