You might have read a story a few weeks ago in the Wall Street Journal (subscription required) announcing that “[Web] ads are becoming a delivery system of choice for hackers seeking to distribute viruses over the Internet.”
Those banners that appear on Web pages often have more than sales pitches. The story says “Eighty percent of malicious computer code on the Internet is found in online ads, according to a recent study by computer-security firm Finjan Inc.” It spends a lot of time talking about an incident in May where malicious code found its way onto ads served by TomsHardware.com.
Its all true, of course. The problem with the story is that it was news several years ago. Third party ad networks have been a major source of malware delivery for quite a while. Remember the WMF bug from December 2005? The major vehicle for its delivery was through ad networks. For example, researcher Ben Edelman, now a professor at Harvard, demonstrated forced installs of adware through the WMF vulnerability.
Were not talking Adsense or DoubleClick or anyone “respectable.” The ad networks that spread the WMF vulnerability tended to be the ones advertising on pornography and wrestling sites, but not exclusively. The site that Edelman found was not shady; he described it as “an ordinary commercial Web site.” Not to excuse that site, but as the WSJ article explains, the number of companies involved in putting up ads can be surprisingly large, and a failure at any one of them can let an attack through.
There used to be a class of adware distributor called the “mass adware installer”—IST, MediaMotor, Pacerd, EliteMediaGroup, DollarRevenue and TopInstalls, for example—that were taken down through 2006 for a number of reasons, including government scrutiny. A major reason they found themselves on the radar was that they overplayed their hand using the WMF vulnerability.
And its not just Web ads. There are a lot of ad-based free games out there, and these are even more dangerous. Browsers have been such a magnet for attacks that their authors are very aware of the possibility and try make it difficult. Its virtually impossible to install malware or anything else on IE7 under Windows Vista, for example, because of this new attitude of paranoia.
But when you install a game application that reads ads from a third party network, the ad can do anything the application can do, and it wont have all the sandboxes and other protections of the browser. I recently heard such a story of a gaming vendor whose software installed DriveCleaner and WinAntiVirus Pro, rogue security programs, without the consent of the user.
Defending ads against malware is a hard job, but the tools to do it are basically there for those who want to invest time and money in them, and some networks do put the money into it. Its because of an environment like this that its easy to see why Google has such an interest in monitoring Web sites that issue malware. Googles Adsense network is massively popular and, while its automated systems havent been perfect, there have been no big scandals about malicious code in ads. And Googles ads themselves are simple and plain, like its home page, making them a much safer, if more boring, option than ads with complicated HTML, flash and other features.
It may be everybodys job to prevent such attacks, but you cant count on them doing it. Your best defense is what youve been hearing for years: run your computer, especially when browsing the Web, with the least privilege you can get away with. Run anti-malware software, including an IPS, and keep it up to date. Install operating system patches as quickly as possible. And dont go clicking willy-nilly on every bouncing ball on the screen.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer