Online Publishers Powerless Against RBN's Malicious Ads

By Lisa Vaas  |  Posted 2007-11-14

The RBN operatives are going directly to independent publishers—that's where DoubleClick gets involved, as those independents turn to the firm for ad hosting—and to small advertising networks as they purchase space for their shape-shifting badvertising.

The malicious ad creators are submitting creatives—that's advertising speak for ad content—that look perfectly fine at first blush. Except for nasty little SWF files tucked away in Flash files, that is. Often, the RBN operators are scraping ads off the site they're abusing and inserting the SWF into those. That way, a reader may complain about getting sent a malicious ad, but when he's asked what ad he saw before being sent to the bad one, it turns out to be a carbon copy of a legitimate ad, making it all the harder to track down the bad ad.

This is the first time that security researchers have seen Flash technologies used in this way and on this scale. That's surprising, Jackson said, given that the technologies have been there for more than a year. Finjan, for its part, has been warning about malicious code in advertising since its Q1 2007 Web Trends Report.
Users have grown accustomed to trusting advertisers. They think they have control over what type of ads they run, but they don't tell buyers that they can't run Flash ads. Yet new Web programming languages make this malware all too easy to cook up.

"With JavaScript, there are so many ways to obfuscate ActionScript," Jackson said. ActionScript is a scripting language mostly used to develop sites and software using Adobe's Flash Player platform, in the form of SWF files embedded into Web pages.

"The big issues that security researchers who deal with Web exploits and downloaders on Web pages struggle with every day are the different ways you can make JavaScript do different things. As long as you accept Flash and it has ActionScript, there's no way to rule out a repeat of this fiasco."

Many have focused on DoubleClick's entanglement in the RBN badvertising fiasco, given its high profile and the fact that Google wants to buy the company. But DoubleClick's not the only big ad network that's gotten tangled up in this, Jackson said. As of Nov. 13, DoubleClick had resolved its problems with the bad ads. There were still problems with other ads, though, particularly on independent sites, he said.

Roger Thompson at Exploit Prevention Labs on Nov. 13 posted a video documenting a malicious banner ad running across the DoubleClick network on Nov. 9 that affected Major League Baseball's and the National Hockey League's It was also found running on Billboard Magazine's site. In that particular case, the malicious banners hijacked user sessions, closed down the site and then tried to force the user to download an official-looking (but fake) anti-virus application.

For its part, SecureWorks was working to clean up between 10 and 12 online publishers as of Nov. 13.

Nowhere to go

Both security researchers and online advertising managers are at a loss regarding how to stop the onslaught.
Smith told eWEEK that beyond the lack of tools to check Flash ads and other creatives, one of the problems is that there's nowhere to go to stay informed of these types of situations.

"One of the major problems in the advertising operations world is that there is no HUB of information where we can get the latest news, updates on the newest technologies, where the industry is moving towards, etc. etc." she said in an e-mail. "It's pretty much a free for all. If [the badvertising problem] wasn't included on [an industry] distribution list, I would have no idea what's going on out there."

Even that industry distribution could be giving Smith bad information. Smith found out about a Flash-checking site called AdOps Tools from the distribution list. The site has a field in which a visitor can insert the Flash file in question. If it checks out, the ad operations manager will reload the ad back into DoubleClick.

In fact, the AdOps site looks a little fishy itself. It's riddled with typos, the kind that scream out "scam." In its "About" section, a message reads, "In this section you will find informations about this sites and also a contact form for enqueries." There is no form for "enqueries."

Has this suspicious-looking site ever snagged a Flash file poisoned with malicious code? Smith laughs. "I've never used it before," she said. "I just found out about it recently."

Maybe that's a good thing. While he was on the phone with eWEEK, Jackson submitted a Flash file with malicious SWF code that he'd retrieved in his research of the badvertising blitz. AdOps froze up. As of Nov. 14, Jackson hadn't reported back on what else might be going on under the covers in this, the only site that Smith knows of to turn to for help in stopping the tide of malicious code before it gets in front of thousands of potential victims.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
