Zero Day

Ryan Naraine and Dancho Danchev

Research: 1.3 million malicious ads viewed daily

By | May 18, 2010, 2:45pm PDT

Summary: New research released by Dasient indicates that based on their sample, 1.3 million malicious ads are viewed per day, with 59 percent of them representing drive-by downloads, followed by 41 percent of fake security software also known as scareware.

The attack vector, known as malvertising, has increasingly become a tactic of choice for attackers, because a single campaign reaches a very wide audience once they manage to trick a legitimate publisher into accepting it.

More findings from their research:

  • The probability of a user getting infected from a malvertisement is twice as high on a weekend, and the average lifetime of a malvertisement is 7.3 days
  • 97% of Fortune 500 web sites are at a high risk of getting infected with malware due to external partners (such as JavaScript widget providers, ad networks, and/or packaged software providers)
  • Fortune 500 web sites carry such a high risk because 69% of them use external JavaScript to render portions of their sites and 64% of them are running outdated web applications

The research’s findings are also backed up by another recently released report from Google’s Security Team, which states that fake AV accounts for 50 percent of all malware delivered via ads.

The higher probability of infection during the weekend can be attributed to a well-known tactic of the individual or gang behind a campaign. Once the social engineering has succeeded and the ad has been accepted, they first serve a legitimate creative in order to evade detection, wait for the weekend (on the assumption that nobody will react to the attack even if it is reported), and only then switch the ad to show the true face of the campaign.

A case in point is the NYTimes malvertising campaign (Sept. 2009):

The creator of the malicious ads posed as Vonage, the Internet telephone company, and persuaded NYTimes.com to run ads that initially appeared as real ads for Vonage. At some point, possibly late Friday, the campaign switched to displaying the virus warnings. Because The Times thought the campaign came straight from Vonage, which has advertised on the site before, it allowed the advertiser to use an outside vendor that it had not vetted to actually deliver the ads, Ms. McNulty said. That allowed the switch to take place.

Why would a malicious attacker engage in malvertising attacks, compared to relying on hundreds of thousands of compromised sites?

Malvertising is not an exclusive practice of a team of cybercriminals specializing in it. It is done alongside the rest of the malicious campaigns and activities the gang or individual is involved in.

From a cybercriminal’s perspective, a highly trafficked web site naturally means greater click-through rates or, as we’ve seen in previous cases, actual pop-ups of the ubiquitous fake scanning progress screen. Moreover, when the host itself cannot be compromised directly, they attempt to locate and abuse the weakest link in the trust chain, in this case a third-party advertising network that has access to the site. The problem then multiplies as the ad inventory is re-syndicated from one publisher to another.

One of the main problems publishers face is that, in order to stay competitive in the marketplace, they put more emphasis on the efficiency of acquiring new customers than on the security practices that would prevent such an attack from taking place, and that clearly includes the use of commercial anti-malvertising solutions.

This efficiency-over-security approach can best be seen in a major malvertising campaign profiled in February 2010, where the attackers targeted as many efficiency-centered publishers as possible, successfully infiltrating well-known services such as DoubleClick and Yieldmanager.

In an attempt to fool the average end user, who might otherwise get suspicious and realize that a scareware pop-up had appeared through a malicious ad, the attackers added a “visual social engineering” element by naming the serving subdomains after the trusted Google Analytics brand.
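The two behaviours described above, a creative that is served clean for days and then switches its resources, and serving hosts that borrow a trusted brand name, are both things an ad-quality or security team can watch for on the publisher side. The script below is an added example written for this page, not code from ZDNet, Dasient or any vendor named in the post. It assumes a monitor periodically records which URLs each ad creative loads; the snapshots here are constructed in memory so the script runs offline, and the brand list and legitimate-host allowlist are illustrative assumptions.

```python
"""Detect a malvertising creative that changes its payload hosts over time.

Added example (not from the original post). Each snapshot records the
creative id, the time it was rendered and the URLs it loaded. Consecutive
snapshots of the same creative are compared; hosts that appear for the
first time are reported, with extra weight when the change lands on a
weekend or the new hostname imitates a trusted brand.
"""
from datetime import datetime
import re

# Brand names commonly borrowed for look-alike hostnames (assumed list).
TRUSTED_BRANDS = ("google-analytics", "googleanalytics", "doubleclick")
# Hosts where those brand names legitimately belong (assumed allowlist).
LEGIT_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com",
               "ad.doubleclick.net"}


def hostname(url):
    """Return the lower-cased host part of an absolute URL ('' if none)."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def registrable(host):
    """Crude registrable-domain guess: last two labels (enough for the sample)."""
    return ".".join(host.split(".")[-2:])


def looks_like_brand_abuse(host):
    """True when a trusted brand name sits inside a host that is not the brand's own."""
    if host in LEGIT_HOSTS:
        return False
    return any(brand in host for brand in TRUSTED_BRANDS)


def diff_snapshot(prev, curr):
    """Compare two snapshots of one creative; return a list of findings."""
    prev_hosts = {hostname(u) for u in prev["urls"]}
    curr_hosts = {hostname(u) for u in curr["urls"]}
    prev_domains = {registrable(h) for h in prev_hosts}
    findings = []
    for host in sorted(curr_hosts - prev_hosts):
        severity = "medium"
        reasons = ["host not present in previous snapshot"]
        if curr["time"].weekday() >= 5:          # 5 = Saturday, 6 = Sunday
            reasons.append("change landed on a weekend")
        if registrable(host) not in prev_domains:
            reasons.append("new registrable domain in the load chain")
        if looks_like_brand_abuse(host):
            severity = "high"
            reasons.append("hostname imitates a trusted brand")
        findings.append({"creative": curr["creative"], "host": host,
                         "severity": severity, "reasons": reasons})
    return findings


def scan(snapshots):
    """Group snapshots by creative, order them by time and diff each adjacent pair."""
    by_creative = {}
    for snap in snapshots:
        by_creative.setdefault(snap["creative"], []).append(snap)
    findings = []
    for snaps in by_creative.values():
        snaps.sort(key=lambda s: s["time"])
        for prev, curr in zip(snaps, snaps[1:]):
            findings.extend(diff_snapshot(prev, curr))
    return findings


# Constructed sample: a creative that is clean on Wednesday, then on Saturday
# starts pulling a script from a host that merely contains "google-analytics".
SNAPSHOTS = [
    {"creative": "example-telco-300x250", "time": datetime(2010, 5, 12, 10, 0),
     "urls": ["http://ad.doubleclick.net/adj/example-publisher;sz=300x250",
              "http://media.example-adserver.net/creatives/telco.swf"]},
    {"creative": "example-telco-300x250", "time": datetime(2010, 5, 15, 2, 30),
     "urls": ["http://ad.doubleclick.net/adj/example-publisher;sz=300x250",
              "http://media.example-adserver.net/creatives/telco.swf",
              "http://google-analytics.example-stats.net/scan.js"]},
]

if __name__ == "__main__":
    for f in scan(SNAPSHOTS):
        print(f["severity"].upper(), f["creative"], f["host"], "; ".join(f["reasons"]))
```

In practice the snapshots would come from rendering each creative in an isolated browser on a schedule that deliberately includes weekend runs, since the whole point of the tactic is that a Friday review sees only the clean ad.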

In terms of protection from an end user’s perspective, Windows users who browse the Web in a sandboxed environment, use least-privilege accounts, run NoScript for Firefox, and keep their systems free of client-side exploitable flaws will mitigate a large share of the risk.

Have you been a victim of malvertising? When and where was the last time you were exposed to a bogus scareware “You’re infected” pop-up? Who should be held responsible: the publisher, for accepting the ads and lacking automatic malicious-content scanning; the site that featured them; or the end user, for a lack of situational awareness of what malvertising and scareware are in general?

Talkback, and share your opinion.


Biography

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile. You can also follow him on Twitter

Talkback (most recent of 37)

  • Almost too easy
    About time people start reconsidering the operating system on their computers.... After all, there are much safer alternatives. For free.
    pjotr123
    18th May 2010
  • Bad advice
    @pjotr123

    Linux or MacOS for that matter don't have the share to be attacked in this manner.

    Second, having a person or persons jump ship, carrying over their bad habits, only for the malware authors to follow will only mitigate the problem for a short bit, then Mac and Linux would see the same things happening there as well.

    Despite what the "advocates" say, each OS has its share of vulnerabilities, and with each new revision, more will pop up. Despite the arrogance of most Mac users, and the "many eyes" theory of Linux users, I can guarantee there remain unseen and unpatched vulnerabilities in those camps.
    Cylon Centurion
    18th May 2010
  • The same, flawed argument from market share, again, eh?
    News flash.. there are millions of computers out there not running Windows. If it really was as easy to make something nasty for them, somebody would do it, since distributing something to over a million computers is pretty damn hard in itself.


    Windows is hacked because it's easier to hack it, not because if somebody had a perfect distribution system they could theoretically infect more computers.

    Also, you do know that if Linux became more popular, the number of people defending its code base would increase, right? There would be far more white hats out there looking through it, finding vulnerabilities and fixing them before the bad guys. Same with OSX probably, but to a lesser extent, since it's closed source and thus only employees can work on it.
    AzuMao
    19th May 2010
  • RE: Research: 1.3 million malicious ads viewed daily
    @Azumao News Flash, there are hundreds of millions of computers out there running Windows, and an insignificant handful of millions running various flavors and distributions of Linux.

    The large windows botnets are larger than Linux's entire installed base.

    Sure, market share means nothing, you just keep telling yourself that.
    rtk
    19th May 2010
  • RE: Research: 1.3 million malicious ads viewed daily
    @NStalnecker The market share argument is provably false, but I don't care one way or another. I watch as Windows users fight with viruses and virus detection schemes. I often shake my head and think "how can these guys stand to use Windows"? By the time a Windows machine is reasonably protected, there are easily as many, if not more, CPU cycles devoted to protection than are actually used for productivity. As long as my OS is ignored by these bastards, the more time I can spend (or my CPU can spend) doing real work and not inspecting, building up or repairing "the castle walls".
    Heart_Man_2000
    19th May 2010
  • @rtk completely ignoring my argument and attacking a straw man instead, eh?
    That doesn't further your cause any.

    The vast majority of malicious hackers out there will never get anywhere close to infecting even a million hosts, so whether they go after Linux or Windows doesn't depend on market share, since both have over a million. Windows is just easier to hack, there's no excuse to it. And if Linux did have more market share and Windows less, guess what? More people fixing stuff on Linux, less people fixing Windows. It works that way, at least.
    AzuMao
    19th May 2010
  • Firefox
    If you use Firefox then you should use Adblocker Plus.
    Does what it says perfectly from my experience with it.
    MoeFugger
    18th May 2010
  • One of the reasons
    @MoeFugger

    I switched back to Firefox full time.
    Cylon Centurion
    19th May 2010
  • An even better, and easier way; ditch Windows.
    Also, LOL at the trolls still blathering about market share. Apache has more market share yet it's still more secure than IIS. Windows gets hacked more because it's easier to hack. Whether there are a billion or a million computers running something doesn't matter when even if you can make a really profitable virus for one, sending it to several thousand computers isn't going to be very easy, the millions of Linux ones would be more than enough. Thus, it is simply a matter of which is easier to hack. Windows.
    AzuMao
    18th May 2010
  • RE: Research: 1.3 million malicious ads viewed daily
    @AzuMao As you've been told repeatedly, web servers aren't desktops. Servers are generally managed by more knowledgeable people and are not used as clients surfing web sites.

    Despite that, Apache is hacked apart daily.
    rtk
    19th May 2010
  • I didn't say they were. And one compromise in that segment a day would be..
    ..not nearly as bad as MS's "commercial grade" software.

    Also, why do you keep telling people random off-topic things for no reason whatsoever? I never said servers were desktops, I said when two things both have more market share than you can handle, it's a matter of which is less secure, not which is more popular.


    Now if there were, say, only 10 Linux-based PCs, it might not be profitable to make a virus for it. But once you get into the millions, all that really matters is if you can do it or not.
    AzuMao
    19th May 2010
  • RE: Research: 1.3 million malicious ads viewed daily
    @AzuMao The comparison of Apache v IIS is in no way related to the topic at hand, your continuous attempts to try and relate them are what is off topic and verging on trolling. In fact, let's let the mods decide.
    rtk
    19th May 2010
  • rtk, are you really this dense or just playing dumb to annoy me?
    I didn't say IIS vs Apache was relevant, I said the fact that market share is unrelated to being hacked was relevant.
    AzuMao
    19th May 2010
  • Responsibility for malware ads
    Who is responsible for the malware ads, the website, the ad producers or the users? It should be everyone. The host of the website should be actively involved in making sure that the content is malware free, the ad producers should also be active in preventing their ads from being hacked and the users should be alert as well.

    I used to see ads that told me my computer was slow and may have malware; those I can ignore. Last summer I got hit a few times with a drive-by scareware that replaced my desktop with a huge warning and would not let me get on the internet. I was able to fix the problem by rolling back a few days before the infection.

    The clumsy malware is being replaced by a stealthier form that does not seem to impact the user's computer. It works more in the malware author's interest to be able to infect many computers without showing any symptoms of infection.

    Jumping to another OS without understanding that a lot of malware is installed by people who click "yes" on popups and links. Fixing the OS is not fixing the vulnerabilities that are at the heart of the internet. A lot of malware attacks can be prevented if the internet was designed to be less trusting and spoofing is better controlled.
    sboverie@...
    19th May 2010