Symantec, Armorize Partner on Scanner That Detects Malware-Tainted Web Ads

Symantec and Armorize have partnered to launch AdVantage, a cloud-based scanner that can find malvertisements on a Web page infecting site visitors.

Symantec and Armorize Technologies have teamed up to launch a new cloud-based scanner to find and block malicious advertisements online.

Symantec AdVantage will give publishers and site administrators the ability to inspect ads running on their Websites for hidden malware, Symantec and Armorize Technologies said Oct. 17. The service was announced at the Online Trust Alliance's Online Trust Forum 2011 in Washington, D.C.

Attackers are increasingly using malicious advertisements, also known as "malvertisements," to distribute malware on Websites, Wayne Huang, co-founder and CEO of Armorize, told eWEEK. Huang noted that just because a site displayed malvertisements did not mean the site had been hacked. The Website owner may retain control of the site, but the criminal can still compromise users by taking advantage of online ads.

"Malvertising poses a serious risk to online publishers and their customers, reputation and revenue," said Fran Rosch, vice president of identity and authentication services at Symantec.

For example, the London Stock Exchange Website was flagged by Google as being malicious in February when some of the ads on its third-party ad network turned out to be serving up malware. While the London Stock Exchange didn't technically serve up malware, users attempting to visit the site were nonetheless hit by drive-by-download attacks.

Malvertising attacks take three forms: cyber-attackers hack Websites and inject malware directly into banner ads; they compromise the ad network and infect the files being served up to customers; or they pose as legitimate advertisers and submit malicious ads.

Instead of hacking a site to inject code, it is much easier to create a "fake identity for $10, $20" and submit an ad to the network that would be displayed on several sites at once, Huang said. Attackers can hit more users with a drive-by-download attack via an ad network much more efficiently than compromising a high-traffic Website, he said.

Symantec AdVantage will scan, detect and report all instances of malvertising detected on a Web page. The scanner sees the site as a standard user and pulls the ad tags for its analysis. Since it is not an inline service, there is no impact on the network performance and nothing for the customer to do beyond providing the URL that the service will scan and protect, according to Matt Huang, co-founder and COO of Armorize, told eWEEK.

Once malware is detected, the service automatically alerts the customer with information about the identity and location of the offending advertisement so that site administrators can remove it from the site. Publishers would be able to see statistics collected by the scanner and compare the quality of ads and the "safety" of the advertising networks with which they work.

"Up until now, even the largest publishers do not possess insight into exactly what ads are presenting to their visitors," Wayne Huang said.

Symantec will provide the sales team and support staff, Geoff Noakes, director of business development at Symantec, told eWEEK. The AdVantage service will be powered by Armorize's HackAlert malware-detection engine. Armorize Labs researchers used the engine to uncover recent malvertising campaigns that struck premier online networks such as Google Doubleclick and Yahoo Yield Manager.

"You would think the larger ad exchanges would be more secure," but ad networks have a hard time managing the large volume of ads, Matt Huang said.

Many of the smaller ad platforms also are likely to have more vulnerabilities than some of the larger ones, making it lucrative to compromise the entire platform to hit a wide number of publishers at once, according to Wayne Huang.

Symantec AdVantage will officially be available to publishers in mid-November. Symantec is currently accepting applications for a six-month long "market preview" in which customers have access to the full service for free. Pricing has not yet been determined, as the preview will help Symantec determine what kind of pricing scheme will work best for this kind of a service, Noakes said.