DoubleClick Serves Up Vast Malware Blitz

Updated: The third-party ad network says it now has monitoring capabilities in place to catch the problem malware.

Rogue anti-spyware software that pushes fraudulent PC scans has found its way onto DoubleClick and legitimate sites, including CNN, The Economist, The Huffington Post and the official site of the Philadelphia Phillies.

DoubleClick officials told eWEEK that they have recently implemented a security monitoring system to catch and disable a new strain of malware that has spread over the past several months. This system has already captured and disabled about 100 ads, the company said in a statement, although it didnt mention this episode in particular.

The bogus anti-spyware onslaught is only part of a bigger wave thats also included porno ads being swapped for normal ads on sites such as The Wall Street Journal. Its not yet clear whether the same fraudsters are behind both the porn and the fraudulent anti-spyware ads.

Sunbelt Software has confirmed that Trojans were being downloaded from ads served by DoubleClick as recently as Nov. 11. This malware is the kind that repeatedly pops bogus warning messages about computer infections in users faces until they give up in despair and pay $30 to $40 for a junk "security" program.

"The stuff thats installed is this rogue anti-spyware software that … gives you fake alerts, [such as] Your computer is infected, you must run this. Basically its extortion. … They try to push you to buy their software," Sunbelt President Alex Eckelberry told eWEEK.


Read here about how most malware is made in China.

The malware application is a variant on WinFixer, a piece of malware that pretends to be a diagnostic tool.

These arent Trojans that steal account information, but they are illegal due to misleading advertising and other statutes. "It just pummels you with these alerts that your machine is infected, your machine is infected. It just wears you down. Its not stealing information, its not a virus. It just convinces you to spend $30 to $40 to buy their absolutely garbage application. Once it gets on your machine, it will pound you. Every time you start up your machine," it will pester users with bogus scareware warnings, Eckelberry said.

He said Sunbelt will be contacting the Federal Trade Commission Nov. 12.

The reach of DoubleClick, one of the Internets largest online advertising services, is vast, to the extent that the scope of the impact is unknown. However, the only sites at risk are those that signed agreements with the advertiser that is distributing the malware in question, a German marketing company called AdTraff.

Its not DoubleClick which is ultimately responsible. DoubleClick is an ad-serving platform that only provides the technology used by publishers to deliver ads from advertisers with whom the publishers have signed agreements. DoubleClick does not directly deal with the advertisers, although it does attempt to protect its clients from malicious code masking as advertisements by checking on materials stored in its database.

"We view the security aspect as one part of our service, but we make it clear to [clients] that they have to do sufficient quality assurance," said Sean Harvey, senior product manager for DoubleClicks ad management platform. "They have to be checking with advertisers to make sure theyre legitimate, and to make sure the creative is not malicious."

Recently, DoubleClick discovered one company in particular that was trying to sign direct deals with publishers. DoubleClick found that the rich media ad in question was clean but called an external file that would in turn call something else, in a "very creepy, encrypted kind of way," Harvey said. "It was very hidden, very hard to see what was going on, and it would call [a] malware site."

Because of that find, DoubleClick has since deployed a mechanism for scanning advertising material, not because its responsible for the safety of the materials that customers store in its systems, Harvey said, but as a service to its customers and to protect its reputation.

The sites involved—The Economist and the others—are ultimately responsible for any malicious code delivered through their ads or sites.

EWEEKs publisher, Ziff Davis Enterprise, is a DoubleClick customer. ZDEs networks have not been infected with the ads, most of which are associated with affiliate marketers.

Page 2: DoubleClick Serves Up Vast Malware Blitz