Follow Slashdot stories on Twitter


Forgot your password?
Advertising Cloud Security

Google's Doubleclick Ad Servers Exposed Millions of Computers To Malware 226

wabrandsma (2551008) writes with this excerpt from The Verge: Last night, researchers at Malwarebytes noticed strange behavior on sites like, The Times of Israel and The Jerusalem Post. Ads on the sites were being unusually aggressive, setting off anti-virus warnings and raising flags in a number of Malwarebytes systems. After some digging, researcher Jerome Segura realized the problem was coming from Google's DoubleClick ad servers and the popular Zedo ad agency. Together, they were serving up malicious ads designed to spread the recently identified Zemot malware. A Google representative has confirmed the breach, saying "our team is aware of this and has taken steps to shut this down."
This discussion has been archived. No new comments can be posted.

Google's Doubleclick Ad Servers Exposed Millions of Computers To Malware

Comments Filter:
  • by Derekloffin ( 741455 ) on Friday September 19, 2014 @07:03PM (#47950667)
    It is stuff like this that just demonstrates how annoying the internet ad delivery mechanisms are. Not only are they intrusive, bandwidth wasting, and often impairing my user experience, they can also spread malware.
    • by UnknownSoldier ( 67820 ) on Friday September 19, 2014 @07:05PM (#47950673)


      My hosts file (across my Windows, Linux, and OSX) machines have been using the excellent MSVP hosts ( for years.

      Plus, it speeds up internet browsing instead of having the browser ping 10+ different domains.

      • by Anonymous Coward on Friday September 19, 2014 @07:25PM (#47950797)

        Just use adblock+. It is much faster.

        • by gman003 ( 1693318 ) on Friday September 19, 2014 @09:36PM (#47951427)

          Depends on the browser - IIRC on Chrome, it can't prevent ads from being downloaded, it can only prevent them from rendering. Or at least that was the case several years ago, maybe Chrome's added the APIs for it by now.

          • by mirix ( 1649853 )

            I'm fairly certain that had something to do with Chrome being made by an advertising company. i.e. it was never a technical restriction, but an imposed one.

            Though some searching makes it look like this is no longer the case.

        • by houghi ( 78078 )

          I use both. So I use Adblock+ AND I use mvps.
          I use mvps as a basis for my own DNS server that I run. That way I do not only block the seperate site on mvps that I like blocked, I also can add sites that mvps doesn't block (I block facebook).

          I also see sites that my provider blocks (TPB among others) without the need to give even more data to others like Google (DNS server

          Next to that I also use Adblock+ that will filter out a lot more stuff.
          If you rely on only one line of defence, you are very wea

      • Re: (Score:2, Funny)

        by Anonymous Coward

        Careful, otherwise you will end up summoning him

      • by jafiwam ( 310805 )


        My hosts file (across my Windows, Linux, and OSX) machines have been using the excellent MSVP hosts ( for years.

        Plus, it speeds up internet browsing instead of having the browser ping 10+ different domains.

        Yup. Been using that for years. Very nice. Very little in the way of bullshit from Google or anywhere else.

    • by amiga3D ( 567632 ) on Friday September 19, 2014 @07:06PM (#47950681)

      I always though doubleclick was a malware site. You mean it's not? Or it wasn't but now it is?

      • I always though doubleclick was a malware site. You mean it's not? Or it wasn't but now it is?

        Odd how that was marked funny. It's actually +5 informative for sure.

      • Let's see, Google owns:
        • AdMob
        • AdSense
        • AdWords
        • FeedBurner
        • DoubleClick
        • Froogle
        • Google Analytics
        • Gmail
        • Urchin

        All of which they are tracking you with (probably more). But I'm sure it's harmless /s

        • As a side note, who the fuck thought that "AdMob" would be a good name for an advertising site? "We're going to MOB you with ADS!"

          Fuck Off, AdMob.

          • by tlhIngan ( 30335 )

            As a side note, who the fuck thought that "AdMob" would be a good name for an advertising site? "We're going to MOB you with ADS!"

            Fuck Off, AdMob.

            Well, they were advertising for mobile devices - basically the iPhone and later Android devices.

            (And Apple and Google were competing to acquire AdMob, but Google eventually paid more and likely paid Apple to create iAds to get around anti-trust).

            Oh yeah, don't forget that Google's ad CDN is

    • Me too. Why I would allow advertising on my browser when all it does is try to lock the system using all the CPU time for stupid animations or videos, promotes highly questionable "products" such as the infamous "CleanMyPC", or plain and simply try to install hostile programs to take control of my computer?
      • by Morgon ( 27979 )

        If a couple of ads are 'locking your system' and 'using all CPU time', maybe you need CleanMyPC after all.
        There's a hit, sure, but you're painting a picture that your system is a bigger bottleneck than a couple of Javascript calls.

        • by hairyfeet ( 841228 ) <bassbeast1968 AT gmail DOT com> on Saturday September 20, 2014 @03:52AM (#47952537) Journal

          Obviously you've never loaded one of the "aggressive" flash ads with a bunch of buttons and clickable crap built into the animation? Because I have seen one of those drag a 3GHz quad down to a crawl thanks to all the crap its trying to render being spread like the clap across a dozen CDNs, half of whom take forever and a day to respond or time out, which causes it to call the next CDN in its list...yeah sorry but the new ads are even nastier than you can imagine.

          If you want to see it for yourself just surf some "mainstream" sites like CNN, AOL, Yahoo "News" and the like for a couple hours with no adblocking, just be sure to have an offline disc image so you can blast the OS and restore from images. Hell I used to use a VM at the shop to let an image get the latest drive bys to test various AVs and stay up to date on removal methods but not anymore, with the latest bloated mess called "interactive ads" I had to quit because even with a C2D doing nothing but running the VM those bastards would slam it so hard I'd be lucky if I could kill the VM, it would just redline the cores to the firewall, nasty shit. Maybe if I slapped in a C2Q and limited the VM to only 2 or 3 cores I could do it again but frankly articles like this only prove my theory correct, back any precious memories, nuke the OS, and make sure they have a choice of browsers with ABP loaded into all of them.

          Oh and just FYI since insisting that my customers only use browsers I've preloaded with ABP? I've watched infections disappear, even my most clueless click happy customers only have to call me for hardware or networking issues. Of course it turned out just as I told my clueless former boss it would, because I'm "the guy that builds PCs so they don't mess up" I get referrals up the ying yang so I don't have to worry about repeat business, they are happy to tell everybody and their dog the ONLY place they should get a PC fixed or have one worked on is from/by me.

    • by TrollstonButterbeans ( 2914995 ) on Friday September 19, 2014 @07:53PM (#47950959)
      Wastes bandwidth, chews up CPU, blasts noise at you and with 57 tabs open it is hard to tell from where, starts videos, does crappy things if you accidentally hover the mouse over the window.

      And spread malware.

      I use AdBlock Plus, of course. With Flashblock carrying the other half of the burden.

      I am happy these jerks almost exclusively use Flash, HTML5 scares the shit out of me.
    • by martin-boundary ( 547041 ) on Saturday September 20, 2014 @03:49AM (#47952531)
      Actually, I block ads because I *can*.

      This whole idea that seems to be pervasive on the net that I should find a "legitimate" excuse to block out the commercial crap that ad companies want to stick down my throat is insidious. l don't need an excuse like "it's malware", I reserve the right to filter out any and all information I don't like. I reserve the right to pick and choose the fonts, to pick and choose the colours, to pick and choose the pictures, and to pick and choose the bits of content of every web page that's offered to me.

      I don't accept package deals. I don't care about the experience the content provider wants me to have. I don't care that companies have stupid business models where they try to sell ad space, or try to collect my data to make their ends meet. It's not my problem, and I'll ignore it just because I feel like it. The fact that I'm also blocking malware is just icing on the cake. And if I'm bored, I'll teach others how to do all that too. Just because I'm bored.

      I'm not some guest on somebody else's net, where I'm supposed to stay inside a walled garden of bullshit and I need permission to sit down on a chair. It's as much my web as everyone else's, and I'll do what I please with the bits going through my section of tube, malwaew or no malware.

  • by Anonymous Coward on Friday September 19, 2014 @07:05PM (#47950679)

    I use Adblockers / flashblocker and NoScript.

    And I utterly will not reconsider for any reason.

    • Wrong.

      Right now, there are a few sites (majorgeeks) that ask you to please allow ads because that's what pays for the site and others simply refuse entry.

      You will reconsider when sites tell you to disable all ad blockers and hosts files that block ad sites or you will not be able to view the content.

      • by MightyYar ( 622222 ) on Friday September 19, 2014 @07:30PM (#47950839)

        you will not be able to view the content.

        Sounds like a challenge!

        (Not a very hard one, but a challenge nonetheless)

      • by reikae ( 80981 ) on Friday September 19, 2014 @07:44PM (#47950905)

        I can't think of any website I wanted to visit this year but couldn't due to adblocking. I doubt it's necessary to reconsider any time soon. Even then, I'll first look into alternative websites.

        • You're not getting it.

          It's not the sites that will block you. It's the ad servers that the site is throwing at you.

          If you aren't alive to the ad servers, you're dead to the website.

      • by sexconker ( 1179573 ) on Friday September 19, 2014 @07:50PM (#47950945)


        Right now, there are a few sites (majorgeeks) that ask you to please allow ads because that's what pays for the site and others simply refuse entry.

        You will reconsider when sites tell you to disable all ad blockers and hosts files that block ad sites or you will not be able to view the content.

        Wrong. The only thing I'll reconsider is visiting those sites.

        • by aevan ( 903814 )
          ...and then someone will capitalise on all those customers lost, and provide an alternate they can palate. ..then they will get too big, make a drastic change or such to lose their group.. and a new alternate will emerge. It's almost like it's happened before.
          • Indeed.

            The Life Cycle of the Internet.

            "Those who fail to learn the lessons of the past are condemned to repeat them."

          • by bwcbwc ( 601780 )

            Yeah, if all the ads were limited to an image, maybe some text and clickable links, it would make everybody happy except the most hard-core advertisers looking for the next big thing and the poor slobs who actually click on the ads.

        • Not when it's all of the sites.

          • by tepples ( 727027 )
            I don't see Wikipedia or All The Tropes adopting such an ad blocker blocker any time soon.
            • Cool. You go to two (2) web sites.

              I think you'll agree that, as regards the Internet demographics, you don't actually use it.

          • That's like saying because we can't fight the government we may as well stop our protests and start loving the government instead. If we can't stop war with a protest we should learn to love the bomb. Do you fail to see the raw anger that these anti-social and irresponsible advertisers are generating? If all of the sites vanish then maybe that will be a good thing.

            • No, that's not like what it's saying.

              What it's like saying is, you have a choice:

              1.) Don't block ad servers
              2.) Block ad servers.

              In the first case, you get to to see the web's content. In the second case, you don't.

      • I not only use AdBlock and Flashblock, I use Facebook block as well. I use the "Google cache" "text-only" version to view anything semi-interesting that won't let me view it, which is pretty rare anyway.
      • Wrong.

        Or, actually, right, given that the GP was expressing his own personal opinion. But, hey, if you know his mind better than he does...

        You will reconsider

        Also you can see into the future. Neat!

        • We all can see into the future. Advertisers are going to deliver their content to your browser FIRST, and then the content will follow.

          We've already been through this.

          Perform the following experiment as a predictive exercise to explain what will happen when you use an ad blocker in the future:

          In your browser, disable cookies.

          Then navigate to sites.

          Enable cookies.

          Document the experience.

      • There's a couple webcomics I read where the "only traitors enable adblock" images are still less obnoxious than the actual ads, so I keep it enabled and just buy some of their swag instead.

        • Then adblock didn't achieve its goal if you are having to buy, right?

          • Yeah it did, he's not seeing ads. Where did it say he *had* to buy? It seems he doesn't mind supporting sites by buying swag; he just doesn't want to see ads.
      • I won't reconsider. When that happens I will not view the content and go elsewhere. Or are you suggesting that there actually is content on the internet that is mandatory viewing?

        • I am suggesting that you, which is not representative of any population greater than one, have no reason to be on the Internet,

      • any site that demands I disable ad-blockers is not a site I NEED to visit. so, its self-filtering.

        (what's the problem, again?)

      • You will reconsider when sites tell you to disable all ad blockers and hosts files that block ad sites or you will not be able to view the content.

        No I won't. I'll just remove that site from my bookmarks file and never go back.
      • by Tom ( 822 )

        If they ask, I'll consider it and I may decide this way or that.

        If they lock me out without ads, I'll never visit their site again. I don't want ads, they don't want me as a visitor, we seem to have a concord.

    • by griffjon ( 14945 )

      I actually find that Ghostery is quite nice.

  • by Anonymous Coward on Friday September 19, 2014 @07:20PM (#47950759)

    Stupidity is sufficient.

  • No surprise (Score:5, Interesting)

    by networkzombie ( 921324 ) on Friday September 19, 2014 @07:22PM (#47950773)
    I have been blocking doubleclick on the corporate firewall for years, and in every hosts file I come in contact with. No one ever complained, but now if they do, I have ammunition. If you serve up a web site, you should personally vouch for not only the product you are advertising, but the source of the advert as well. I blame Google for placing advertising dollars above their users (I know, they don't have users, they have sheep for fleecing).
    • Most of these sites don't know what ads they are serving. They just sign up with some ad suppliers and wait for the pennies to start trickling in with no work or effort on their part. Can you even imagine if television shows did the same thing, allowing anyone and everyone to show an advertisement with no oversight, with viagra being advertised during children's shows and Cheeze Whiz advertised on the Food Channel.

    • It's really not Google or any other advertizing reseller as it is the way ads are normally placed on sites. It makes it nearly impossible for even a careful web site to be safe.

      Most ads are delivered as links to blobs of ECMAscript. They are difficult to check for malware even by knowledgeable webmasters. And, even the best don't know when some innocuous blob downloaded by might change to something evil at any time. The whole system is nearly impossible to make secure.

      For this reason I run NoScript on all s

  • Yup (Score:4, Informative)

    by Anonymous Coward on Friday September 19, 2014 @07:25PM (#47950795)

    So to all those site operators that cry foul when I say I block all ads all the time: This would be why. It's not because I object to being shown products I might be interested in. It's not because I'm trying to hurt your revenue stream. It's because ad delivery servers are so ubiquitous, they're a major malware vector.

    Sorry, but funding your site is not worth my entire network getting infected. You want me to change, lean on the advertisers to stop pushing security responsibility solely on the end user.

  • Ad Blockers... (Score:5, Informative)

    by Dega704 ( 1454673 ) on Friday September 19, 2014 @07:28PM (#47950823)
    One of the best endpoint security tools you can deploy.
    • by ark1 ( 873448 )
      FYI, by default Ad Block plus allows some non intrusive ads from Google and others. Make sure to disable "Allow some non-intrusive advertising" and only whitelist ads on sites you want to support.
  • Just say block (Score:5, Insightful)

    by Animats ( 122034 ) on Friday September 19, 2014 @07:39PM (#47950877) Homepage

    DoublcClick has such negative value that their servers should be blocked at firewalls, or at least "host.txt". Even if you have AdBlock, blocking them earlier saves bandwidth.

    • At home I made my DNS server authoritative for (and admob and few others) all pointing to

      % host
      Using domain server:
      Aliases: has address

      That way mobile devices and everything are covered. Hard to have a hosts file on an unrooted iPhone, etc.

      • by Bengie ( 1121981 ) doesn't respond, so the page won't finish loading until it times out. That's worse than just letting the ad load from a performance perspective.
        • doesn't respond, so the page won't finish loading until it times out. That's worse than just letting the ad load from a performance perspective.

          Seriously? You think if it acted like that anyone would really do that? Or use a hosts file? Really??

        • by Rich0 ( 548339 )

          Meh, that's what NXDOMAIN is for I suppose. That's what I get when I try to resolve them. I must have 25 domains configured this way.

        • If it doesn't respond, isn't that an instant "not available", why would there be a timeout? I try a connect, I instantly get nothing, browser realizes it has to skip. Also, this all happens in the kernel, not even hitting a device driver.

          Why that would be slower than going to google/doubleclick, having them decide on an ad, and sending to me?

        • Wrong, you should get an ICMP response immediately.

          Unless you're firewalling to yourself, which would be incredibly stupid.

          • by TCM ( 130219 )

            No, you should be getting a TCP RST.

            Do you kids know anything?

            • You should get an ICMPv4 response with a type value of 3, and code value of 3.

              RST happens when something borks up in an existing session, not in response to a SYN. (exception: when firewalls/NAT gateways are configured to reply with an RST, instead of dropping or ICMP).

              Don't you kids know anything? []

              • by TCM ( 130219 )

                I have no idea WTF you are talking about. A closed TCP port emits an RST. It even says so in the very link you posted:


                "Receipt of a SYN message on a port where there is no process listening for connections."

                Next time you try to be a smart-ass, get your facts straight. Idiot.

                • You really are an asshole, aren't you? The attitude isn't necessary.

                  • by TCM ( 130219 )

                    Because I don't sugercoat idiocy? You had two chances to state simple and correct facts, yet you chose to claim authority over stuff you know jack shit about, being a pompous idiot in the process and now you're all butthurt?

                    Get off my lawn, kid. Good riddance.

      • I have the DNS server point to an IP running pixelserv rather than Notwithstanding browsers with cross-site scripting warnings, ads are replaced with a single pixel image.. saves the iframes of error messages.
    • How does blocking them earlier save bandwidth? AdBlock makes your browser not even try to download the blocked element. I don't see how that results in any useless traffic.

  • by QuietLagoon ( 813062 ) on Friday September 19, 2014 @07:42PM (#47950891)
    ... and doubleclick in particular, do not get past my firewall. Among the reasons I block 'em is this malware distribution issue.
    blocked by three different rules
    blocked by a five-year old exploit protection rule
    blocked (alright, by a geo-location rule, but still blocked!)

    I don't think that one stood a chance here.

  • malwarebytes (imply that they) reported this on 30 August. Did they report it to Google?

    Nearly 3 weeks till it was shutdown on the 19th. That's a hell of a lot of malware getting dished out.

  • by ruir ( 2709173 ) on Saturday September 20, 2014 @12:28AM (#47952001)
    Please be objective in the articles. Windows computers, not "computers". And no malware here, adblock+host files to
  • by cant_get_a_good_nick ( 172131 ) on Saturday September 20, 2014 @01:29AM (#47952183)

    I worked at Zedo pretty early on. I did a year there, pretty much exactly year 2000 (now coworkers now know who I am).

    I was their C guy, did an apache module for the adserver, and some mild javascript work until they got a better Javascript coder than me. I also helped out a bit in Java and DB work, and most of the Linux/FreeBSD sysadmin for a bit. We were in a small live-work loft in SOMA where I walked through two slums to get to work.

    In the beginning, it was about "choice". We had a small on page ad client. At first a Java one, then a Javascript one, with a GUI that let you choose your ad. It was new, different, and a way to try to get people the ads they want and not have to keep huge track of users. (You can check the patent out [] if you like though I can tell you this was theoretical design and it wasn't built this way). It put the emphasis on the ad, not on the tracking. Ads needed to be designed to be engaging or they'd just be skipped. We kept track of your ad choices, not your pages. It was fun, true startup culture. We were going after the (then) mighty Doubleclick, railing the fact that they stored too much info. I remember tailing the server logs on our first paying gig, cheering as I noticed the URI fragment for the first ad clickthru. We checked the guys IP address, noticed he had an ICQ run webserver on his box, and talked to him over ICQ thanking him for clicking. In hindsight, yeah, that must have freaked him out.

    We didn't see Google coming to crush the ad market at all. I had already left but Im sure Google's elephant sized footprints in the market made them radically change their business plan. I didn't talk to them much, and on the web I read stories about intrusive Zedo cookies, heard them called "king of the popunder" and heard stories about "popup blocker blockers". This made me a bit sad, why do all that? But I guess you either do that, or throw in the towel and close up shop. I can't say what I'd do if it was my savings on the line.

    As an aside (always a tangent!) I had an 8MM videocamera. Though I filmed some stuff in San Francisco (hey Dave, any news on the video for me?) I always wanted to film us. But I couldn't both work and film. I was actually slightly pissed when [] came out. Hey that was my idea! But you can't objectively film what you're in.

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!