Online Publishers Powerless Against RBN's Malicious Ads

Online advertising managers have no tools to stop malicious code from infiltrating their sites, and the RBN gang is reaping the ill-gotten benefits.

Nov. 12 was just another busy day in the life of an advertising manager for a well-regarded online publisher. We'll call her "Laurie Smith," but it doesn't matter who she is or who the publisher is, because her experience is typical in an industry that is now enduring a plague of malware infiltration that it's all but powerless to stop.

Smith was lucky that day. Unlike scores of other online publishers' advertising managers, such as those at Google, Yahoo, the Wall Street Journal, The Economist, Major League Baseball and the National Hockey League, she could breathe a sigh of relief by the end of the day: her site's advertising had not been overlaid with malicious code.

There is, in fact, a scourge of so-called "badvertising" infiltrating legitimate sites. Since Sept. 22, the ads have been finding their way into the servers of the advertising industry's biggest players, such as DoubleClick.

Yes, Smith was lucky that day, but that's all it was: luck. She, like her peers in the industry, has no tools to fish out malicious script in Flash ads. The result: Many sites have seen up to a 1,000 percent increase in complaints from readers annoyed at inappropriate ads they've seen on what are supposed to be sites with solid reputations.

Online advertising managers like Smith can't do much. She told eWEEK that she knows it's up to her to do proper quality assurance to make sure the site isn't serving up malicious code. DoubleClick is just a tool used to serve up her site's ads, and it can't be held accountable for what gets served on the sites, although the company does try to protect its clients.

She needs to check advertising to make sure it's not malicious, but the question is: How? What tools does an online advertising manager have to check these advertising materials? For her, the problem is that DoubleClick doesn't give her the correct tools, she told eWEEK in an e-mail exchange.

"They should have a spyware application built into DoubleClick," she said.

The RBN connection

If only it were so simple. In fact, there is no such anti-spyware that could be built into an ad-serving platform such as DoubleClick. The buyers who purchase advertising space on sites and then swap in malicious ads are far too sophisticated to write code crude enough to be picked up by anti-spyware software.

In fact, once security researchers trace the ads back to their source, it's not surprising to find such coding sophistication and business savvy behind the badvertising, because IP addresses and other clues all lead back to the most notorious gang online: the RBN (Russian Business Network).

In fact, according to security experts who have been tracking the sudden surge of badvertising, which was still ongoing as of Nov. 14, ads from an RBN front company called AdTraff and other RBN front organizations are using JavaScript and Flash in ingenious new ways, embedding in Flash animations script that pulls in additional SWF (Shockwave Flash) files at display time, which then spawn entirely different, and thoroughly malicious, ads from the one depicted in the submitted Flash file.

Readers are seeing ads for porn, Viagra and bogus anti-spyware programs that keep popping into visitors' faces and just won't go away until the ads wear them down. They see them on well-reputed publishers' sites, on Google, on Yahoo, places where they don't expect to have to watch their backs.

The ads are maddening. Lots of people give up and wind up buying the bogus application just to get the pop-ups out of their faces. These files are in fact malicious code, and they plant Trojans and other malware. More often than not, users who buy the "anti-spyware" will have their credit card information sold to thieves.

Code will be placed on their machines, not so much backdoors as blatant front doors, with the code receiving instructions from servers associated with the RBN. With the code in place, their systems are turned into zombies and their capacity is sold on the black market.

Bait and switch

Many advertising professionals don't realize it unless they're helped with forensics by a security firm, but the cause of all the reader complaints goes back to a scenario that probably looked something like this: It was near the end of the quarter, and it was do or die for sales quotas.

A hungry advertising salesman for the publisher was contacted by a buyer. Maybe the buyer paid by credit card or by wire. He might have been located in the Bahamas, but hey, who cares? It was the end of the quarter, and the buyer represented money in the kitty.

Don Jackson, a researcher for SecureWorks, described it as bait and switch. The ads submitted are innocuous, nothing that would flag Smith's attention. One ad, for example, sold to a major online publisher that's working with SecureWorks to cleanse itself of this badvertising, was for an internationally recognized camera and film maker that had a new digital camera coming out for the holidays, a stocking-stuffer point-and-shoot.

A big part of the problem is that the bad behavior has been sporadic. The innocent-looking ads are hard to catch in the act as they pull their switch. RBN servers at AdTraff, for example, have been standing ready to answer the rotating script in the bad ads, ready to react whenever the malware authors give the go-ahead and the innocent-looking ad puts out a call to spawn an ad with malicious intent. Because the decision is made on the remote server, a creative that looks clean when it is reviewed at submission time can still be switched later, which is why a one-time look at the rendered ad is not enough.
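What a publisher can do with the submitted file itself is check whether the creative is capable of the switch at all: a static Flash ad that only draws pixels needs no ActionScript, while the bait creative described above must carry script that fetches a second SWF or URL when it is displayed. The following script is an added example, not a tool from the article, from SecureWorks or from DoubleClick. It unpacks a SWF container (the FWS and CWS signatures, version byte and uncompressed length from the SWF file format), walks the tag list, and holds any creative whose DoAction, DoInitAction or DoABC tags contain a load-from-network action (ActionGetURL and ActionGetURL2 for AS2; loader class names for AS3) or a URL string. The two sample files, including the host ads.example.invalid, are constructed here for the demonstration and are not from the article. The AS3 check is a string heuristic; a real review would decompile the ABC block.

```python
"""Static triage of a submitted Flash (SWF) creative: unpack the container, walk its
tags, and flag ActionScript that fetches something from the network at display time.
Added example; tag and action codes follow the SWF file format specification."""
import re
import struct
import zlib

SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}   # tags that carry script
# AS2 opcodes that load a URL or movie at runtime: ActionGetURL and ActionGetURL2
NETWORK_ACTIONS = {0x83: "ActionGetURL", 0x9A: "ActionGetURL2"}
# AS3 (DoABC) is not walked opcode by opcode here; fall back to the identifiers a loader stub needs
AS3_TOKENS = (b"flash.net::URLRequest", b"flash.display::Loader", b"navigateToURL", b"URLLoader")
URL_RE = re.compile(rb"https?://[\w.\-]+(?:/[\w./?=&%\-]*)?")


def unpack_swf(data):
    """Return (version, uncompressed body) for an FWS (plain) or CWS (zlib) file."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not a SWF container")
    sig, version = data[:3], data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]   # length of the *uncompressed* file
    if sig == b"ZWS":
        raise ValueError("LZMA (ZWS) SWF not handled by this script")
    body = data[8:] if sig == b"FWS" else zlib.decompress(data[8:])
    if len(body) + 8 != declared_len:
        raise ValueError("declared length %d does not match %d" % (declared_len, len(body) + 8))
    return version, body


def iter_tags(body):
    """Yield (tag code, payload) after the RECT frame size, FrameRate and FrameCount."""
    nbits = body[0] >> 3                       # RECT: 5-bit Nbits, then four fields of Nbits bits
    pos = (5 + 4 * nbits + 7) // 8 + 4         # RECT rounded up to bytes, plus two UI16 fields
    while pos + 2 <= len(body):
        code_and_len = struct.unpack("<H", body[pos:pos + 2])[0]
        code, length = code_and_len >> 6, code_and_len & 0x3F
        pos += 2
        if length == 0x3F:                     # long form: UI32 length follows
            length = struct.unpack("<I", body[pos:pos + 4])[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                          # End tag
            break


def iter_actions(payload):
    """Walk AS2 action records: UI8 code, plus UI16 length and data when code >= 0x80."""
    pos = 0
    while pos < len(payload):
        code = payload[pos]
        pos += 1
        if code == 0:                          # ActionEnd
            break
        data = b""
        if code >= 0x80:
            length = struct.unpack("<H", payload[pos:pos + 2])[0]
            data = payload[pos + 2:pos + 2 + length]
            pos += 2 + length
        yield code, data


def triage_swf(data):
    """Return findings for a creative: script tags, network actions, URLs and a verdict."""
    version, body = unpack_swf(data)
    found = {"version": version, "script_tags": [], "network_actions": [], "urls": set()}
    for code, payload in iter_tags(body):
        if code not in SCRIPT_TAGS:
            continue
        found["script_tags"].append(SCRIPT_TAGS[code])
        if code == 82:                                     # DoABC: AS3 bytecode
            found["network_actions"] += [t.decode() for t in AS3_TOKENS if t in payload]
        else:                                              # DoAction / DoInitAction: AS2
            for op, _ in iter_actions(payload):
                if op in NETWORK_ACTIONS:
                    found["network_actions"].append(NETWORK_ACTIONS[op])
        found["urls"].update(u.decode() for u in URL_RE.findall(payload))
    found["urls"] = sorted(found["urls"])
    if found["network_actions"]:
        found["verdict"] = "HOLD"       # loads something at display time: review by hand
    elif found["script_tags"]:
        found["verdict"] = "REVIEW"     # scripted, but no loader seen
    else:
        found["verdict"] = "PASS"       # pixels only; cannot switch itself later
    return found


def build_sample_swf(tags, compress=True):
    """Constructed test input: a minimal 550x400, 12 fps SWF wrapping the given (code, payload) tags."""
    body = bytes.fromhex("7800055f00000fa000") + b"\x00\x0c" + b"\x01\x00"   # RECT, FrameRate, FrameCount
    for code, payload in tags + [(1, b""), (0, b"")]:      # append ShowFrame and End tags
        body += struct.pack("<H", (code << 6) | 0x3F) + struct.pack("<I", len(payload)) + payload
    sig = b"CWS" if compress else b"FWS"
    return sig + bytes([8]) + struct.pack("<I", 8 + len(body)) + (zlib.compress(body) if compress else body)


# Constructed bait creative: one ActionGetURL record pointing at a rotating loader (hypothetical host)
GETURL = b"http://ads.example.invalid/rotate.swf\x00_level0\x00"
BAIT = build_sample_swf([(12, b"\x83" + struct.pack("<H", len(GETURL)) + GETURL + b"\x00")])
CLEAN = build_sample_swf([], compress=False)            # the same shell with no script tags

if __name__ == "__main__":
    for name, blob in (("bait", BAIT), ("clean", CLEAN)):
        print(name, triage_swf(blob))
```

Run it over every creative at upload time and again whenever a rotated file arrives from the ad server; a HOLD verdict does not prove the ad is malicious, but it identifies exactly the creatives that are able to switch after review, which is the class the article says nobody in the chain was inspecting.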
