DoubleClick Serves Up Vast Malware Blitz

By Lisa Vaas  |  Posted 2007-11-12

Updated: The third-party ad network says it now has monitoring capabilities in place to catch the problem malware.

Rogue anti-spyware software that pushes fraudulent PC scans has found its way onto DoubleClick and legitimate sites, including CNN, The Economist, The Huffington Post and the official site of the Philadelphia Phillies. DoubleClick officials told eWEEK that they have recently implemented a security monitoring system to catch and disable a new strain of malware that has spread over the past several months. This system has already captured and disabled about 100 ads, the company said in a statement, although it didn't mention this episode in particular.
The bogus anti-spyware onslaught is only part of a bigger wave that's also included porno ads being swapped for normal ads on sites such as The Wall Street Journal. It's not yet clear whether the same fraudsters are behind both the porn and the fraudulent anti-spyware ads.
Sunbelt Software has confirmed that Trojans were being downloaded from ads served by DoubleClick as recently as Nov. 11. This malware is the kind that repeatedly pops bogus warning messages about computer infections in users' faces until they give up in despair and pay $30 to $40 for a junk "security" program.
"The stuff that's installed is this rogue anti-spyware software that … gives you fake alerts, [such as] 'Your computer is infected, you must run this.' Basically it's extortion. … They try to push you to buy their software," Sunbelt President Alex Eckelberry told eWEEK.
The malware application is a variant on WinFixer, a piece of malware that pretends to be a diagnostic tool. These aren't Trojans that steal account information, but they are illegal due to misleading advertising and other statutes.
"It just pummels you with these alerts that your machine is infected, your machine is infected. It just wears you down. It's not stealing information, it's not a virus. It just convinces you to spend $30 to $40 to buy their absolutely garbage application. Once it gets on your machine, it will pound you. Every time you start up your machine," it will pester users with bogus scareware warnings, Eckelberry said. He said Sunbelt will be contacting the Federal Trade Commission Nov. 12.
The reach of DoubleClick, one of the Internet's largest online advertising services, is vast, to the extent that the scope of the impact is unknown. However, the only sites at risk are those that signed agreements with the advertiser that is distributing the malware in question, a German marketing company called AdTraff. It's not DoubleClick which is ultimately responsible. DoubleClick is an ad-serving platform that only provides the technology used by publishers to deliver ads from advertisers with whom the publishers have signed agreements.
DoubleClick does not directly deal with the advertisers, although it does attempt to protect its clients from malicious code masking as advertisements by checking on materials stored in its database.
"We view the security aspect as one part of our service, but we make it clear to [clients] that they have to do sufficient quality assurance," said Sean Harvey, senior product manager for DoubleClick's ad management platform. "They have to be checking with advertisers to make sure they're legitimate, and to make sure the creative is not malicious."
Recently, DoubleClick discovered one company in particular that was trying to sign direct deals with publishers. DoubleClick found that the rich media ad in question was clean but called an external file that would in turn call something else, in a "very creepy, encrypted kind of way," Harvey said. "It was very hidden, very hard to see what was going on, and it would call [a] malware site."
Because of that find, DoubleClick has since deployed a mechanism for scanning advertising material, not because it's responsible for the safety of the materials that customers store in its systems, Harvey said, but as a service to its customers and to protect its reputation. The sites involved—The Economist and the others—are ultimately responsible for any malicious code delivered through their ads or sites.
eWEEK's publisher, Ziff Davis Enterprise, is a DoubleClick customer. ZDE's networks have not been infected with the ads, most of which are associated with affiliate marketers.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
