Malware in Ads Is an Old Story

By Larry Seltzer  |  Posted 2007-07-30 Print this article Print

Opinion: Ads on Web pages and other programs can deliver a lot more than a sales pitch, and you have no idea who is sending you the content. It's been going on for years.

You might have read a story a few weeks ago in the Wall Street Journal (subscription required) announcing that "[Web] ads are becoming a delivery system of choice for hackers seeking to distribute viruses over the Internet." Those banners that appear on Web pages often have more than sales pitches. The story says "Eighty percent of malicious computer code on the Internet is found in online ads, according to a recent study by computer-security firm Finjan Inc." It spends a lot of time talking about an incident in May where malicious code found its way onto ads served by

Larry Seltzer says that the adware problem really isnt what it used to be for a variety of business, legal and technical reasons. Click here to read more.

Its all true, of course. The problem with the story is that it was news several years ago. Third party ad networks have been a major source of malware delivery for quite a while. Remember the WMF bug from December 2005? The major vehicle for its delivery was through ad networks. For example, researcher Ben Edelman, now a professor at Harvard, demonstrated forced installs of adware through the WMF vulnerability.

Were not talking Adsense or DoubleClick or anyone "respectable." The ad networks that spread the WMF vulnerability tended to be the ones advertising on pornography and wrestling sites, but not exclusively. The site that Edelman found was not shady; he described it as "an ordinary commercial Web site." Not to excuse that site, but as the WSJ article explains, the number of companies involved in putting up ads can be surprisingly large, and a failure at any one of them can let an attack through.

There used to be a class of adware distributor called the "mass adware installer"—IST, MediaMotor, Pacerd, EliteMediaGroup, DollarRevenue and TopInstalls, for example—that were taken down through 2006 for a number of reasons, including government scrutiny. A major reason they found themselves on the radar was that they overplayed their hand using the WMF vulnerability.

And its not just Web ads. There are a lot of ad-based free games out there, and these are even more dangerous. Browsers have been such a magnet for attacks that their authors are very aware of the possibility and try make it difficult. Its virtually impossible to install malware or anything else on IE7 under Windows Vista, for example, because of this new attitude of paranoia.

But when you install a game application that reads ads from a third party network, the ad can do anything the application can do, and it wont have all the sandboxes and other protections of the browser. I recently heard such a story of a gaming vendor whose software installed DriveCleaner and WinAntiVirus Pro, rogue security programs, without the consent of the user.

Defending ads against malware is a hard job, but the tools to do it are basically there for those who want to invest time and money in them, and some networks do put the money into it. Its because of an environment like this that its easy to see why Google has such an interest in monitoring Web sites that issue malware. Googles Adsense network is massively popular and, while its automated systems havent been perfect, there have been no big scandals about malicious code in ads. And Googles ads themselves are simple and plain, like its home page, making them a much safer, if more boring, option than ads with complicated HTML, flash and other features.

It may be everybodys job to prevent such attacks, but you cant count on them doing it. Your best defense is what youve been hearing for years: run your computer, especially when browsing the Web, with the least privilege you can get away with. Run anti-malware software, including an IPS, and keep it up to date. Install operating system patches as quickly as possible. And dont go clicking willy-nilly on every bouncing ball on the screen.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers blog Cheap Hack More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel