Nov. 12 was just another busy day in the life of an advertising manager for a well-regarded online publisher. Well call her “Laurie Smith,” but it doesnt matter who she is or who the publisher is, because her experience is typical in an industry that is now enduring a plague of malware infiltration that its all but powerless to stop.
Smith was lucky that day. Unlike scores of other online publishers advertising managers—such as those at Google, Yahoo, the Wall Street Journal, The Economist, Major League Baseballs MLB.com and the National Hockey Leagues NHL.com—by the end of the day, she could breath a sigh of relief since her sites advertising was not overlaid with malicious code.
There is, in fact, a scourge of so-called “badvertising” infiltrating legitimate sites. Since Sept. 22, the ads have been finding their way into the servers of the advertising industrys biggest players, such as DoubleClick.
Yes, Smith was lucky that day, but thats all it was: luck. She, like her peers in the industry, have no tools to fish out malicious script in Flash ads. The result: Many sites have had up to a 1,000 percent increase in complaints from readers annoyed at inappropriate ads theyve seen on what are supposed to be sites with solid reputations.
Online advertising managers like Smith cant do much. She told eWEEK that she knows its up to her to do proper quality assurance to make sure the site isnt serving up malicious code. DoubleClick is just a tool used to serve up her sites ads, and it cant be held accountable for what gets served on the sites—although the company does try to protect its clients.
She needs to check advertising to make sure its not malicious, but the question is: How? What tools does an online advertising manager have to check these advertising materials? For her, the problem is that DoubleClick doesnt give her the correct tools, she told eWEEK in an e-mail exchange.
“They should have a spyware application built into DoubleClick,” she said.
The RBN connection
If only it were so simple. In fact, there is no such anti-spyware that could be built into an ad-serving platform such as DoubleClick. The buyers who are purchasing advertising space on sites and then swapping in malicious ads are far too sophisticated to code their malicious code with something so crude as to be picked up by anti-spyware software.
In fact, once security researchers trace the ads back to their source, its not surprising to find the coding sophistication and business savvy behind the badvertising, because IP addresses and other clues all lead back to the most notorious gang online: the RBN (Russian Business Network).
In fact, according to security experts who have been tracking the sudden surge of badvertising, which was still ongoing as of Nov. 14, ads from an RBN front company called AdTraff and other RBN front organizations are using JavaScript and Flash in ingenious new ways, inserting SWF (Shockwave Flash Object) files into Flash animations that then spawn entirely different—and thoroughly malicious—ads than depicted in the submitted Flash file.
The readers are seeing ads for porn, Viagara and bogus anti-spyware programs that keep popping into visitors faces and just wont go away until the ads wear them down. They see them on well-reputed publishers sites, on Google, on Yahoo—places where they dont think theyd have to watch their e-back.
The ads are maddening. Lots of people give up and wind up buying the application to get the annoying popups out of their faces. These files are in fact malicious code, and they are planting Trojans and other malware. More often than not, users who buy the anti-spyware will have their credit card information sold to thieves.
Code will be placed on their machines—not so much backdoors rather than blatant front doors, with the code receiving instructions from servers associated with the RBN. With the code in place, their systems are turned into zombies and their capacity sold on the black market.
Bait and switch
Many advertising professionals dont realize it unless theyre helped with forensics by a security firm, but the cause of all the reader complaints goes back to a scenario that probably looked something like this: It was near the end of the quarter, and it was do or die for sales quotas.
A hungry advertising salesman for the publisher was contacted by a buyer. Maybe the buyer paid by credit card or by wire. He might have been located in the Bahamas, but hey, who cares? It was end of quarter, and the buyer represented money in the kitty.
Don Jackson, a researcher for SecureWorks, described it as bait and switch. The ads submitted are innocuous—nothing that would flag Smiths attention. One ad, for example, sold to a major online publisher thats working with SecureWorks to cleanse itself of this badvertising, was for an internationally recognized camera and film maker that had a new digital camera coming out for the holidays—a stocking stuffer point-and-shoot.
A big part of the problem is that the bad behavior has been sporadic. The innocent-looking ads are hard to catch in the act as they pull their switch. RBN servers at AdTraff, for example, have been standing ready to answer the rotating script in the bad ads, ready to react whenever the malware authors give the go-ahead and the innocent-looking ad puts out a call to spawn an ad with malicious intent.
Page 2: Online Publishers Powerless Against RBNs Malicious Ads
Online Publishers Powerless Against
RBNs Malicious Ads”>
The RBN operatives are going directly to both independent publishers—thats where DoubleClick gets involved, as those independents turn to the firm for ad hosting—as well as small advertising networks as they purchase space for their shape-shifting badvertising.
The malicious ad creators are submitting creatives—thats advertising speak for ad content—that look perfectly fine at first blush. Except for nasty little SWF files tucked away in Flash files, that is. Often, the RBN operators are scraping ads off the site theyre abusing and inserting the SWF into those. That way, a reader may complain about getting sent a malicious ad, but when hes asked what ad he saw before being sent to the bad one, it turns out to be a carbon copy of a legitimate ad, making it all the harder to track down the bad ad.
This is the first time that security researchers have seen Flash technologies used in this way and on this scale. Thats surprising, Jackson said, given that the technologies have been there for more than a year. Finjan, for its part, has been warning about malicious code in advertising since its Q1 2007 Web Trends Report.
Users have grown accustomed to trusting advertisers. They think they have control over what type of ads they run, but they dont tell buyers that they cant run Flash ads.
Yet new Web programming languages make this malware all too easy to cook up. “With JavaScript, there are so many ways to obfuscate ActionScript,” Jackson said. ActionScript is a scripting language mostly used to develop sites and software using Adobes Flash Player platform, in the form of SWF files embedded into Web pages.
“The big issues that security researchers who deal with Web exploits and downloaders on Web pages struggle with every day are the different ways you can make JavaScript do different things. As long as you accept Flash and it has ActionScript, theres no way to rule out a repeat of this fiasco.”
Many have focused on DoubleClicks entanglement in the RBN badvertising fiasco, given its high profile and the fact that Google wants to buy the company. But DoubleClicks not the only big ad network thats gotten tangled up in this, Jackson said. As of Nov. 13, DoubleClick had resolved its problems with the bad ads. There were still problems with other ads, though, particularly on independent sites, he said.
Roger Thompson at Exploit Prevention Labs on Nov. 13 posted a video documenting a malicious banner ad running across the DoubleClick network on Nov. 9 that affected Major League Baseballs MLB.com and the National Hockey Leagues NHL.com.
It was also found running on Billboard Magazines site. In that particular case, the malicious banners hijacked user sessions, closed down the MLB.com site and then tried to force the user to download an official looking (but fake) anti-virus application. For its part, SecureWorks was working to clean up between 10 and 12 online publishers as of Nov. 13.
Nowhere to go
Both security researchers and online advertising managers are at a loss regarding how to stop the onslaught. Smith told eWEEK that beyond the lack of tools to check Flash ads and other creatives, one of the problems is that theres nowhere to go to stay informed of these types of situations.
“One of the major problems in the adverting operations world is that there is no HUB of information where we can get the latest news, updates on the newest technologies, where the industry is moving towards, etc. etc.” she said in an e-mail. “Its pretty much a free for all. If [the badvertising problem] wasnt included on [an industry] distribution list, I would have no idea whats going on out there.”
Even that industry distribution could be giving Smith bad information. Smith found out about a flash-checking site called AdOps Tools from the distribution list. The site has a field in which a visitor can insert the Flash file in question. If it checks out, the ad operations manager will reload the ad back into DoubleClick.
In fact, the AdOps site looks a little fishy itself. Its riddled with typos, the kind that scream out “scam.” In its “About” section, a message reads, “In this section you will find informations about this sites and also a contact form for enqueries.” There is no form for “enqueries.”
Has this suspicious-looking site ever snagged a Flash file poisoned with malicious code? Smith laughs.
“Ive never used it before,” she said. “I just found out about it recently.”
Maybe thats a good thing. While he was on the phone with eWEEK, Jackson submitted a Flash file with malicious SWF code that hed retrieved in his research of the badvertising blitz.
AdOps froze up. As of Nov. 14, Jackson hadnt reported back on what else might be going on under the covers in this, the only site that Smith knows of to turn to for help in stopping the tide of malicious code before it gets in front of thousands of potential victims.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.