
Malware Delivered By Yahoo, Fox, Google Ads

CmdrTaco posted more than 4 years ago | from the this-is-only-going-to-hurt-a-bit dept.


WrongSizeGlass writes "CNET is reporting that Avast has tracked over 2.6 million instances of malware that have been served up to unsuspecting web surfers since last December by ad services such as Yahoo's Yield Manager, Fox Audience Network's Fimserve.com and even some from Google's DoubleClick. Some high-profile sites include The New York Times, DrudgeReport.com, TechCrunch and WhitePages.com. The practice has been dubbed 'malvertising.' I usually suspect the users of 'careless web activity' when I delouse a PC, but now I'm going to have to give some the benefit of the doubt."


Yup....seen it. (5, Interesting)

Em Emalb (452530) | more than 4 years ago | (#31583228)

At my work, we allow unrestricted access to the net, but log everything. We had a recent spate of Vundo variants come through, and when we went through the logs, almost all of them were via the NYTimes or Wa Post. Frustrating, when large companies like this make work for you. For the most part, the allow-everything, log-it approach, plus IDPS on the front-end(s), has helped quite a bit.
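The log review Em Emalb describes (work back from each AV alert to the pages the client was on) can be scripted against the proxy log. The following is an added example, not the poster's tooling: it assumes a squid native-format access log and a list of AV alert events, and both inputs are constructed inline using only hostnames the story itself names. Squid's native log carries no Referer, so the first text/html fetch in the window is taken as the landing page and everything after it as content that page embedded.

```python
"""Pre-infection trace: which sites did a client fetch just before AV fired?

Added example (not code from the thread). It assumes a squid native-format
access log and a list of AV alert events; both inputs below are constructed
for the demonstration.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed squid native log:
# epoch.ms elapsed client action/code bytes method url user hierarchy type
PROXY_LOG = """\
1269340000.102  312 10.0.0.15 TCP_MISS/200 48211 GET http://www.nytimes.com/2010/03/23/tech.html - DIRECT/192.0.2.10 text/html
1269340001.417   88 10.0.0.15 TCP_MISS/200 9120 GET http://ad.doubleclick.net/adj/nyt.com/tech;sz=300x250 - DIRECT/192.0.2.11 application/x-javascript
1269340002.903  210 10.0.0.15 TCP_MISS/200 7731 GET http://fimserve.com/serve/ad.js?id=17 - DIRECT/192.0.2.12 application/x-javascript
1269340003.554  340 10.0.0.15 TCP_MISS/200 115231 GET http://static.example-cdn.invalid/load1.exe - DIRECT/192.0.2.13 application/octet-stream
1269340400.000   50 10.0.0.22 TCP_HIT/200 1200 GET http://slashdot.org/ - NONE/- text/html
1269340900.221  130 10.0.0.22 TCP_MISS/200 33000 GET http://www.washingtonpost.com/wp-dyn/content/ - DIRECT/192.0.2.14 text/html
1269340901.330   70 10.0.0.22 TCP_MISS/200 8000 GET http://ad.yieldmanager.com/imp?Z=300x250 - DIRECT/192.0.2.15 text/html
"""

# Constructed AV alerts: (client IP, epoch seconds when the AV console fired)
DETECTIONS = [("10.0.0.15", 1269340060), ("10.0.0.22", 1269340950)]

PAYLOAD_EXT = (".exe", ".dll", ".sys", ".scr")


def parse_squid_line(line):
    """Split one squid native-format line into (epoch, client, url, mime)."""
    f = line.split()
    mime = f[9] if len(f) > 9 else "-"
    return float(f[0]), f[2], f[6], mime


def trace(log, client, alert_time, window=300):
    """Reconstruct the `window` seconds before one alert for one client.

    The landing page is the first text/html fetch in the window; everything
    after it is treated as embedded content (ads, scripts, payloads).
    """
    rows = []
    for line in log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, c, url, mime = parse_squid_line(line)
        if c == client and alert_time - window <= ts <= alert_time:
            rows.append((ts, url, mime))
    rows.sort()
    landing, embedded, payloads = None, [], []
    for ts, url, mime in rows:
        host = urlsplit(url).hostname
        if landing is None and mime.startswith("text/html"):
            landing = host
            continue
        embedded.append(host)
        if mime == "application/octet-stream" or url.lower().endswith(PAYLOAD_EXT):
            payloads.append(url)
    return {"landing": landing, "embedded": embedded, "payloads": payloads}


def summarize(log, detections, window=300):
    """Across all alerts: which landing sites and which embedded hosts recur."""
    landing, embedded, payloads = Counter(), Counter(), []
    for client, t in detections:
        tr = trace(log, client, t, window)
        if tr["landing"]:
            landing[tr["landing"]] += 1
        embedded.update(set(tr["embedded"]))  # count each host once per alert
        payloads.extend(tr["payloads"])
    return landing, embedded, payloads


if __name__ == "__main__":
    land, emb, pay = summarize(PROXY_LOG, DETECTIONS)
    print("landing pages before alerts:", land.most_common())
    print("embedded hosts before alerts:", emb.most_common())
    print("possible payload fetches:", pay)
```

The embedded-host counter is the useful output: a third-party host that keeps showing up in the minutes before unrelated clients' alerts, while the landing pages vary, is the ad network to chase. The window length is a judgement call; an AV alert can lag the actual drop by more than five minutes if the scanner only catches the payload on a scheduled scan.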

Re:Yup....seen it. (5, Insightful)

tivoKlr (659818) | more than 4 years ago | (#31583362)

Having been an IT admin in my former life, and having operated in a similar fashion to you, I allowed unfettered access to the internet for our employees (it was a fire department, and the staff was there for 48 hrs straight, so allowing them some creature comforts such as Facebook and YouTube was appreciated). Having solid, centrally managed AV on each client machine, along with limited local user rights, seemed to be effective.

I wish more facilities would take this tack instead of letting some firewall with a blacklist subscription slowly narrow the available internet to static sites that are considered "safe." True irony that advertising from some of these safe sites is now delivering payloads. Ironically, where I work now (not in IT), plenty of popup ads from news sites make it through, so I would assume we're vulnerable through this vector.

Re:Yup....seen it. (4, Insightful)

Em Emalb (452530) | more than 4 years ago | (#31583518)

Obviously, the biggest hurdle we're having to deal with is user education. I've got a select few folks in various departments learning to work with ad-block and no script, but for the average person, it's hard to figure out what they need to unblock and what they can block with no ill effects. It's frustrating to them, and by extension, our helpdesk guys who end up fielding calls from the same people (over and over) with the same questions. Of course, the other issue we have is vendor lock in, with their stupid sites working correctly ONLY in IE. I hate that, but in my case (financial industry) it's so rampant there's nothing we can do about it except lock stuff down as best we can.

That said...these large companies that aren't paying attention to the ads their serving are just as at fault as any un-educated (or even educated) user is.

Re:Yup....seen it. (4, Informative)

Em Emalb (452530) | more than 4 years ago | (#31583608)

aren't paying attention to the ads their serving are just as at fault as any un-educated (or even educated) user is.

Aw man. They're. Not their. And I make that gaffe while writing about un-educated and educated. Fail, thy name is Em.

Re:Yup....seen it. (2, Informative)

Nos. (179609) | more than 4 years ago | (#31583374)

I work in the security group and we had a few machines on our help desk get infected with the Antivirus Live malware. After some research, we determined that it came through a legitimate site (help desk site that emulates various OS... can't think of the name), or more specifically the ads on the site.

We do run WebSense, but this was a legitimate site that our help desk uses quite frequently. All machines were up to date with McAfee, but it was a new variation. We ran it through VirusTotal.com within hours of the infection and I believe there were only two on the list that picked it up at that time.

So it wasn't the fault of the user and it can't be blamed on our choice of AV vendor. Obviously we need a better way of detecting malware. McAfee does have Artemis, but it failed on VirusTotal as well.

Re:Yup....seen it. (2, Interesting)

commodore64_love (1445365) | more than 4 years ago | (#31583656)

I run a program called "TeaTimer" that automatically blocks changes to your computer or registry. I'm not sure how well it works in a work setting, but for my home PC it's caught numerous browser-based programs from doing damage.

Re:Yup....seen it. (2, Interesting)

Talderas (1212466) | more than 4 years ago | (#31583880)

As I write this message, I am running a scan to make sure I have finished cleaning this virus off one of my users' machines. This user has TeaTimer installed, yet still got infected. It's rather odd, seeing as the infection piggybacks on some registry values. So either the user is mindlessly hitting Allow on TeaTimer, or the virus is circumventing it.

Re:Yup....seen it. (1)

commodore64_love (1445365) | more than 4 years ago | (#31584048)

>>>the user is mindless hitting Allow on TeaTimer

Yes. TeaTimer won't allow the registry to change unless you first click "ok". As for the annoyance, I've not noticed any problems. A lot of times I forget TeaTimer is even running. It's certainly less troublesome than NoScript's constant nagging.

Re:Yup....seen it. (3, Insightful)

Victor_0x53h (1164907) | more than 4 years ago | (#31583922)

I believe using TeaTimer would teach the average user to constantly click "Yes" without thought. As mentioned before this kind of security has a huge education barrier. I haven't run with TeaTimer since it was first introduced with Spybot, but my experience was pretty awful being prompted anytime anything was run.

Also if TeaTimer prevents changes to the registry prompted by some piece of crapware, said crapware has already been executed. What else has it done; how much protection does blocking changes to the registry really provide?

Re:Yup....seen it. (0)

Anonymous Coward | more than 4 years ago | (#31583650)

vundo's nothing. try virut

Re:Yup....seen it. (1, Informative)

Anonymous Coward | more than 4 years ago | (#31584052)

One little hint to avoid/recover from virut.

Don't store passwords in your browser or in any text file, registry, or any plain un-encrypted space. Your passwords are going to be the ONLY VALUABLE DATA you have left, and you'll have a small window of time to get them all changed. While if you have no backup, your initial time is going to be wasted reloading an OS. If you have a clone, you're up in minutes replacing passwords.

INSTALL A FUCKING HARDWARE FIREWALL
Firewall / router
IPCop + Adv Proxy + URL filter

ADD a URL filter rule

Blacklist "iframe"

It looks like one single line:

iframe

Some others I like:

iframe
eengine.js
down.css
"a.htm"
drsmartload.exe
load1.exe
"http://pages.tvunetworks.com/channels/pulloutad300x250.jsp"
adx.gif
8.txt
out.exe
adrtv.exe
ad2.exe
ntos.exe
audio.dll
video.dll
oembios.exe
twext.exe
local.ds
user.ds
sysproc86.sys
sysproc32.sys

About the iframe block (sorry, no more blogspot.com posting without a little work): most iframe sites are shit anyway, but you can make an EXCEPTION for your favorite crappy-coded iframe website. (While you might be able to pull this off with Firefox plugins, there are other browsers, eh... which is why we block this shit at the input, er, well, um, in squid.)

Clone backup of OS, e.g. 750G drive to 750G drive.
(Clonezilla, Acronis)
You get hit, you roll back. Less than 20 min.

Password manager
(cross-platform on USB - keepassx.org): you get hit, you replace your bank passwords first, your servers second, your blogs like /. third. Bla bla bla, all organized; now you are god.

Virtual machines.
I always liked VMware, then I found SunVM, and then I heard about Win7's VM exploit. So I am sticking with SunVM. That said, create OS ISOs for...

VM OS for dangerous browsing: let 'er rip, 'cause when we reboot it's new again, so let's see what happens. Let's learn.

VM OS for shopping.

VM OS for banking.

OTHER PROTECTION.
Obviously all the other security shit: Kaspersky (KIS), POP3 mail only, no webmail, no HTML mail, NoScript, ABP, Tor, ztree, HJT, Spybot, Process Hacker, etc.

OF NOTABLE MENTION: Secunia's PSI http://secunia.com
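The URL-filter list above is a set of substrings matched against every request URL, with an exception for the odd site you still need. The following is an added example of how such a filter behaves, not the poster's IPCop configuration: it takes the quoted patterns as plain case-insensitive substrings, adds a constructed exception list, and includes a dry-run audit so you can see the false positives a bare "iframe" or "a.htm" produces before you put the list in front of users. The squid_regex_lines helper escapes the same list for squid's url_regex ACL file format.

```python
"""Squid-style URL substring filter with an exception list.

Added example, not the poster's IPCop configuration. The pattern list is
the one quoted above, treated here as plain case-insensitive substrings;
the exception hosts and sample URLs are constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

BLOCK_PATTERNS = [
    "iframe", "eengine.js", "down.css", "a.htm", "drsmartload.exe", "load1.exe",
    "adx.gif", "8.txt", "out.exe", "adrtv.exe", "ad2.exe", "ntos.exe",
    "audio.dll", "video.dll", "oembios.exe", "twext.exe", "local.ds",
    "user.ds", "sysproc86.sys", "sysproc32.sys",
]

# Hosts (and their subdomains) exempt from the filter: the poster's
# "EXCEPTION for your favorite crappy coded iframe website". Constructed names.
ALLOW_HOSTS = {"intranet.example.internal", "docs.example-vendor.invalid"}


def host_allowed(host, allow_hosts=ALLOW_HOSTS):
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in allow_hosts)


def decide(url, patterns=BLOCK_PATTERNS, allow_hosts=ALLOW_HOSTS):
    """Return ("allow", None) or ("block", matched_pattern) for one request URL."""
    host = urlsplit(url).hostname or ""
    if host_allowed(host, allow_hosts):
        return ("allow", None)
    hay = url.lower()
    for p in patterns:
        if p.lower() in hay:
            return ("block", p)
    return ("allow", None)


def squid_regex_lines(patterns):
    """Escape the substrings so the same list can be loaded with
    acl malvertising url_regex -i "/etc/squid/malvertising.regex"
    without "." or "?" in a pattern becoming regex metacharacters."""
    return [re.escape(p) for p in patterns]


def audit(urls, patterns=BLOCK_PATTERNS):
    """Dry run over a sample of real traffic: shows what a candidate list
    would block, so false positives surface before users do."""
    return [(u, decide(u, patterns)) for u in urls]


if __name__ == "__main__":
    sample = [
        "http://evil-cdn.invalid/x/load1.exe",
        "http://developer.example-docs.invalid/HTML/Element/iframe",
        "http://www.example-news.invalid/data.html",
        "http://intranet.example.internal/app/iframe.html",
    ]
    for url, verdict in audit(sample):
        print(verdict, url)
```

Note what the audit shows: "a.htm" matches any URL containing data.html, and "iframe" blocks a documentation page about iframes, because a substring filter has no notion of word boundaries. The quotation marks in the posted list do not change that; whether a given filter treats entries as substrings or as regular expressions is something to check in its documentation before pasting the list in.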

Re:Yup....seen it. (2, Insightful)

ShadowRangerRIT (1301549) | more than 4 years ago | (#31583718)

Ouch. The two news sites I browse most often. Good thing I run AdBlock and NoScript, and I wrote myself a Greasemonkey script to rewrite all the internal links to point to the print-friendly (read: ad-free) versions of the articles.

Re:Yup....seen it. (1)

Hadlock (143607) | more than 4 years ago | (#31583732)

Hell, just last week (last Friday!) a flash ad on TechCrunch (linked to from Google News, no less!) opened a new tab in Google Chrome and downloaded a PDF to my desktop under XP SP3. That was an eye opening experience....

Re:Yup....seen it. (0)

Anonymous Coward | more than 4 years ago | (#31584014)

Frustrating, when large companies like this make work for you.

I remember when Yahoo mail (even Yahoo Mail Classic) was usable without Javashit activated.

About a year or two ago, about the time they integrated some sort of "chat" functionality into their webmail services, they broke the old webmail service. Today, if you try to check your inbox with Javashit disabled (even if you've opted for the "classic" mail, and even if you've deactivated the "chat" bullshit), the screen auto-refreshes rapidly, and after a few moments, the Y! servers protect themselves against a perceived DOS, and lock the user out with a "999 error".

It's not just Yahoo's negligence in policing their ad networks, it's Yahoo's active maliciousness in turning even "old" or "classic" services that worked perfectly fine without Javashit into ones that won't work unless the user compromises their own client's security.

first (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31583250)

post

One lesson to learn (1)

courteaudotbiz (1191083) | more than 4 years ago | (#31583254)

Never ever click an ad!

Re:One lesson to learn (0)

Anonymous Coward | more than 4 years ago | (#31583296)

That won't save you.

You need to block the 3rd party ads, and their scripts cookies or flash.

Re:One lesson to learn (4, Informative)

Anonymusing (1450747) | more than 4 years ago | (#31583306)

FTA: "Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser."

Re:One lesson to learn (5, Funny)

oldspewey (1303305) | more than 4 years ago | (#31583546)

Indeed, and for people browsing Fox News, you don't even need a computer to be infected.

Re:One lesson to learn (-1, Flamebait)

commodore64_love (1445365) | more than 4 years ago | (#31583624)

Yep.

That's why I block-out FOX and only watch the Commune News Network and DNC-NBC and other pro-"let government run citizens' lives" news organizations. It helps me to vegetate and not think.

Re:One lesson to learn (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31583808)

Yes, because it is an established fact that Fox has no bias, and will free the vegetables watching alternate news sources. Your post is so stupid. Did you know there are such things as LESS biased news sources than Fox or MSNBC? (Notice I didn't try to claim news sources with NO bias. That would be impossible.) Try getting news about your country from various news sources OUTSIDE your country. Then see how funny your stupid little joke is. You will discover that the world is laughing at you.

Re:One lesson to learn (3, Insightful)

commodore64_love (1445365) | more than 4 years ago | (#31583956)

Yes, because it is an established fact that Fox has no bias

STRAWMAN ARGUMENT. I never said that. What I said was that CNN, MSNBC, ABC, CBS, et cetera have a pro-government and anti-individual-liberty bias.

Point - They are ALL biased, therefore if you're going to attack FOX for bias, then you should be attacking all the TV media outlets for the same reason.

Re:One lesson to learn (1)

commodore64_love (1445365) | more than 4 years ago | (#31584000)

P.S.

Outside news sources? Like BBC? Also biased in a pro-government and pro-EU manner. There really is no such thing as an unbiased source, although I do enjoy watching Russia Today for its unique perspective.

Re:One lesson to learn (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#31583576)

I guess I'll start whitelisting advertising when they can stop drive-by malware infecting my computer.

AdBlock can stay enabled for the time being. Sorry, Ars.

google ads? (1)

pikine (771084) | more than 4 years ago | (#31583632)

I thought the text-only ads from Google would not allow an advertiser to embed Javascript. Not sure about their newer Flash ads, which can embed ActionScript, but one would think Google would be more careful with that. Maybe it is possible that Google still unknowingly redirects you to a malware page after you click on an ad, but the pie chart in TFA does not show Google DoubleClick (probably an insignificant amount under Others). In addition, Google may use the automated method behind stopbadware.org to determine whether an ad is clean or not. I'd be surprised if they're not already doing that.

What is interesting is, although the chart does not show Google, the article still lumps Google Ads into their headline. Why? It's more catchy to sling mud on Google? What kind of irresponsible journalism is that?

Re:One lesson to learn (1)

alexhs (877055) | more than 4 years ago | (#31583810)

FTA: "Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser."

Which probably actually means :

Users don't need to click on anything to get infected; a Microsoft Windows OS becomes infected after the ad is loaded by Microsoft Internet Explorer.

Re:One lesson to learn (1)

Talderas (1212466) | more than 4 years ago | (#31583994)

Nope, I've had users get infected with this that solely use Firefox for web browsing. This is not a virus that exploits Windows, it's really targeted at exploiting Adobe vulnerabilities plus a few others.

Re:One lesson to learn (5, Informative)

julesh (229690) | more than 4 years ago | (#31583344)

Never ever click an ad!

Clicking not necessary. I was infected with malware earlier this month without any interaction after visiting the Pirate Bay. An advert used javascript to redirect me to an obscure URL ( http://uqwaaa.in/cgi-bin/gjj [uqwaaa.in] ), which proceeded to use a Firefox flaw of some kind to infect me. 3.6 doesn't seem to be susceptible, but 3.5.7 which I was running at the time *was*. The exploit installed a Firefox extension that randomly redirects links from google, yahoo and bing to advertising pages.

Re:One lesson to learn (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31583614)

Two pieces:

Ad blocking hosts file [mvps.org]

Flashblock [mozilla.org]

Web browsing just got a whole lot faster.

Re:One lesson to learn (1)

ShadowRangerRIT (1301549) | more than 4 years ago | (#31583774)

Last I checked, Flashblock isn't a security feature, it's a convenience feature. The Flash loads, but is quickly suspended and replaced in the DOM by the button. But it still has a brief window in which to do something malicious. If you want security, you need Adblock and/or NoScript (for blacklisting and whitelisting respectively). I personally run all three; untrusted sites are locked down by NoScript, and trusted sites are unlocked by NoScript, but have the Flash blocked for convenience/performance.

Re:One lesson to learn (1)

TheThiefMaster (992038) | more than 4 years ago | (#31583814)

Don't block using a hosts file, it's not for that. If you do, at least redirect to 0.0.0.0 (guaranteed invalid address) not 127.0.0.1 or 255.255.255.255.

For browsing adblock is better, for general blocks (like what a hosts file would give) use a damn firewall.

CUSTOM HOSTS FILES ARE THE SUPERIOR ANSWER (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31583826)

"Clicking not necessary." - by julesh (229690) on Tuesday March 23, @10:24AM (#31583344)

That's right... & here is an answer for you - CUSTOM HOSTS FILES and why/how they are SUPERIOR TO BROWSER ADDONS:

----

1.) HOSTS files eat no CPU cycles like browser addons do no less!

2.) HOSTS files are also NOT severely LIMITED TO 1 BROWSER FAMILY ONLY... browser addons, are. HOSTS files cover & protect (for security) and speed up (all apps that are webbound) any app you have that goes to the internet (specifically the web).

3.) HOSTS files allow you to bypass DNS Server requests logs (via hardcoding your favorite sites into them to avoid not only the TIME taken roundtrip to an external DNS server, but also for avoiding those logs OR a DNS server that has been compromised (see Dan Kaminsky online, on that note)).

4.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than DNS servers can by FAR.

5.) HOSTS files also allow you to not worry about a DNS server being compromised, or downed (if either occurs, you STILL get to sites you hardcode in a HOSTS file anyhow in EITHER case).

6.) HOSTS files are EASILY user controlled, obtained (for reliable ones -> http://en.wikipedia.org/wiki/Hosts_file [wikipedia.org] ) & edited too.

7.) HOSTS files aren't as vulnerable to "bugs" either like programs/libs/extensions of that nature are, OR even DNS servers.

8.) HOSTS files are a solution which also globally extends to EVERY WEBBOUND APP YOU HAVE

9.) HOSTS files are also EASILY secured well, via write-protection "read-only" attributes set on them, or more radically, via ACL's even.

10.) ADBLOCK DOES NOT ALLOW A USER DIRECT EASILY EDITABLE CONTROL OVER WHAT IT BLOCKS & HOSTS do, via texteditors like notepad.exe (afaik, @ least - feel free to correct me IF I am in error here (thanks)).

11.) AND, LASTLY? SINCE MALWARE GENERALLY HAS TO OPERATE ON WHAT YOU YOURSELF CAN DO (running as limited class/least privilege user, hopefully, OR even as ADMIN/ROOT/SUPERUSER)? HOSTS "LOCK IN" malware too, vs. communicating "back to mama" for orders (provided they have name servers + C&C botnet servers listed in them, blocked off in your HOSTS that is) - you might think they use a hardcoded IP, which IS possible, but generally they do not & RECYCLE domain/host names they own, & this? This stops that cold, too! Bonus...

----

Want a GREAT HOSTS FILE, that's kept up to date, daily? See here:

http://hosts-file.net/?s=Download [hosts-file.net]

(Mine's actually BETTER than that too! (As I combine it with ALL THE KNOWN SOURCES for reliable HOSTS files -> http://en.wikipedia.org/wiki/Hosts_file [wikipedia.org] (and far more too, like Spybot S&D & other reliable/reputable sources NOT listed on the wikipedia page for HOSTS files))

I "integrate them" into my HOSTS file using a tool I wrote to do so... It currently parses & processes (removes repeated entries for a form of 1NF type "normalization" (sort of, this is NOT a database is why I note that much) & for 2NF normal form, I remove trailing blanks from entries PLUS I alphabetize them (for faster B-Tree inserts processing in the local diskcache, because odds are, it uses that (binary trees & binary searches ROCK for speed... a trie is even a bit better imo)).

It does almost 1 million KNOWN BAD SITES &/or SERVERS (Name servers & botnet C&C servers too) in about 1.1 hours time...

Which is NOT bad, considering it's my "2nd round prototype" written in Borland Delphi 7.1x + Inlined Assembly code, for the FASTEST POSSIBLE STRING PROCESSING TIMES THERE ARE, bar-none (faster than MSVC++ @ least even)) & considering I don't have a thing like Access' "JET ENGINE" doing indexing on it either... it works, & so do HOSTS (for speed online (by "hardcoding in" your fav. sites but you may have to periodically alter this, as sites seek diff. hosting providers (rare though usually)) AND ESPECIALLY FOR SECURITY!

Enjoy, hope you find the info., useful.

APK

P.S.=> Per my subject-line above? Chrome doesn't NEED addons to do the job, as a HOSTS file already can blockout anything you like, AND SPEED YOU UP to your fav. sites too... "too, Too, TOO EASY" & all from 1 single more efficient + less "bug prone" file! However, laying in BOTH addons for browsers AND a HOSTS file is a good idea for the concept of "layered security"... apk
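The merge-and-normalise job APK describes, and TheThiefMaster's point about sinkholing to 0.0.0.0 rather than 127.0.0.1, can be shown in a few dozen lines. The following is an added example, not APK's Delphi tool: it assumes each source is ordinary hosts-file text, the three sources are constructed inline with placeholder domain names, and it keeps any entry that maps a name to a real address (a fileserver, say) separate from the blocklist so the merge cannot clobber it.

```python
"""Merge several blocklist hosts files into one 0.0.0.0-sinkholed file.

Added example: this is not APK's Delphi tool. It assumes each source is
hosts-file text; the three sources below are constructed, and the domain
names in them are placeholders."""
import ipaddress

# Addresses blocklists use as sinkholes; anything else is a genuine mapping.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "255.255.255.255"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

SOURCES = {
    "mvps-style": (
        "# constructed sample\n"
        "127.0.0.1 localhost\n"
        "0.0.0.0 ads.example-one.invalid\n"
        "0.0.0.0  tracker.example-two.invalid # trailing comment\n"
    ),
    "hphosts-style": (
        "127.0.0.1\tADS.Example-One.invalid\n"
        "127.0.0.1\tmalware-cc.example-three.invalid\n"
    ),
    "local": (
        "::1 localhost\n"
        "10.0.0.5 fileserver.corp.example\n"   # a real mapping, must survive
    ),
}


def parse_hosts(text):
    """Yield (ip, name) for every hostname on every valid line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # not a hosts line; skip rather than guess
        for name in parts[1:]:
            yield ip, name.lower().rstrip(".")


def merge(sources):
    """Return (blocked_names, real_mappings).

    Entries pointing at a sinkhole address become block entries; anything
    else is a genuine mapping and wins over a block entry for the same name.
    """
    blocked, real = set(), {}
    for text in sources.values():
        for ip, name in parse_hosts(text):
            if name in LOCAL_NAMES:
                continue
            if ip in SINKHOLE_IPS:
                blocked.add(name)
            else:
                real[name] = ip
    return blocked - set(real), real


def render(blocked, real):
    """Emit the merged file: loopback, real mappings, then sorted 0.0.0.0 blocks."""
    lines = ["127.0.0.1 localhost", "::1 localhost"]
    lines += [f"{ip} {name}" for name, ip in sorted(real.items())]
    lines += [f"0.0.0.0 {name}" for name in sorted(blocked)]
    return "\n".join(lines) + "\n"


def is_blocked(name, blocked):
    """Hosts files match whole names only: no wildcards, no suffix matching."""
    return name.lower().rstrip(".") in blocked


if __name__ == "__main__":
    blocked, real = merge(SOURCES)
    print(render(blocked, real))
```

Two caveats the block makes explicit. A hosts file does exact-name matching, so an entry for ads.example-one.invalid does nothing for cdn.ads.example-one.invalid; a network that rotates subdomains walks straight past it, which is the case for a resolver- or proxy-level block that jedidiah and others in the thread argue for. And sinkholing to 127.0.0.1 sends every blocked request to whatever is listening on your own loopback, which is why 0.0.0.0 is the better target.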

Re:One lesson to learn (1)

stony3k (709718) | more than 4 years ago | (#31583830)

Use Noscript - it warns you when a URL hijack attempt occurs

Re:One lesson to learn (0)

Anonymous Coward | more than 4 years ago | (#31583350)

From the article:

Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser, Avast said.

Re:One lesson to learn (1)

ygthb (84559) | more than 4 years ago | (#31583376)

So who says they clicked, it could be auto delivered. I have seen many arenas where they mandate anti-virus (usually crap) and do nothing about malware.

Not many know about locking down host files, using ad-aware, spybot s&d, or the like. I still use javacools stuff.

Re:One lesson to learn (0)

Anonymous Coward | more than 4 years ago | (#31583748)

At least when using Windows.

I guarantee 100% of the malware being delivered is Windows only.

Surprise! Oh, wait... (2, Insightful)

bhamlin (986048) | more than 4 years ago | (#31583256)

Really, who is surprised by this? What's the cost of an ad and fake credentials compared to getting a chance to infect millions of computers?

Re:Surprise! Oh, wait... (1)

HungryHobo (1314109) | more than 4 years ago | (#31583300)

as far as I know the margins on selling infections aren't that fantastic.
It depends on who you're infecting though.

Say No To Flash (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31583258)

The number one reason to avoid Flash is the advertisements. The numerous exploits mean that it is just a matter of displaying the ad, and voila, you have most injected visitors.

JavaScript based ads are not much better, but they're at least not as easy to exploit as Flash based ads.

Re:Say No To Flash (4, Insightful)

somersault (912633) | more than 4 years ago | (#31583282)

Say no to unsolicited content altogether! Adblockers ftw.

Re:Say No To Flash (1)

jimicus (737525) | more than 4 years ago | (#31583556)

Doesn't really help in a business environment - few adblockers allow you to deploy and manage them centrally. Frankly, it would make more sense to block ads at the firewall.

Actually, now I think of it, that's a damn good idea. It'd mess up the page layout for a lot of things but if you served up a blank JPEG of the relevant size that shouldn't matter too much...
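The blank-image idea works, and the same approach can cover scripts and iframes so the page does not throw errors where the ad was. The following is an added example of the proxy-side decision, not a Privoxy or IPCop feature as shipped: it assumes a suffix-matched list of ad-network hosts (the three the story names), reads the size the ad URL advertises (the common sz=300x250 style), and answers with a transparent PNG of that size, an empty script, or an empty document. The PNG is built by hand so the block runs without an imaging library; the URLs are constructed.

```python
"""Proxy-side ad block that answers with an inert placeholder.

Added example, not a Privoxy or IPCop feature as shipped. It assumes a
suffix-matched list of ad-network hosts and returns a transparent PNG,
an empty script, or an empty document so page layout survives.
"""
import re
import struct
import zlib
from urllib.parse import urlsplit

AD_HOST_SUFFIXES = ("doubleclick.net", "yieldmanager.com", "fimserve.com")
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")
SIZE_RE = re.compile(r"(?<!\d)(\d{1,4})x(\d{1,4})(?!\d)")  # e.g. sz=300x250
MAX_DIM = 2000  # never let a hostile URL ask for a giant image


def _chunk(tag, data):
    """One PNG chunk: length, tag, data, CRC over tag+data."""
    return (struct.pack(">I", len(data)) + tag + data
            + struct.pack(">I", zlib.crc32(tag + data) & 0xFFFFFFFF))


def blank_png(width, height):
    """Fully transparent 8-bit RGBA PNG of the given size (IHDR, one IDAT, IEND)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    row = b"\x00" + b"\x00\x00\x00\x00" * width   # filter type 0 + RGBA(0,0,0,0)
    idat = zlib.compress(row * height, 9)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def png_size(data):
    """Read (width, height) back out of a PNG's IHDR, to verify what was served."""
    assert data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR"
    return struct.unpack(">II", data[16:24])


def is_ad_host(host, suffixes=AD_HOST_SUFFIXES):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def size_hint(url):
    """Dimensions the ad URL asks for, clamped; 1x1 when it says nothing."""
    m = SIZE_RE.search(url)
    if not m:
        return (1, 1)
    return tuple(min(max(int(v), 1), MAX_DIM) for v in m.groups())


def respond(url):
    """None = let the request through; otherwise (status, content_type, body)."""
    parts = urlsplit(url)
    if not is_ad_host(parts.hostname or ""):
        return None
    path = parts.path.lower()
    if path.endswith(IMAGE_EXT) or SIZE_RE.search(url):
        w, h = size_hint(url)
        return (200, "image/png", blank_png(w, h))
    if path.endswith(".js"):
        return (200, "application/javascript", b"")  # empty script, not a 404
    return (200, "text/html", b"<!DOCTYPE html><html><head></head><body></body></html>")


if __name__ == "__main__":
    for u in ("http://ad.doubleclick.net/adj/site/tech;sz=300x250;ord=1",
              "http://cdn.fimserve.com/serve/ad.js?id=17",
              "http://www.example-news.invalid/story.html"):
        r = respond(u)
        print(u, "->", "pass" if r is None else (r[0], r[1], len(r[2])))
```

Answering 200 with an empty body, rather than 404 or a dropped connection, is deliberate: a page's own script that waits on the ad loader, or an img tag with an onerror handler, then carries on as if the ad simply had nothing to say. The clamp on dimensions matters too, since the size comes from the very URL you are refusing to trust.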

Re:Say No To Flash (1)

somersault (912633) | more than 4 years ago | (#31583692)

We do actually have that option in the content filter on our firewall. When I enabled it before I got complaints from one of the directors because they actually click on ads -.-

Privoxy (3, Informative)

John Hasler (414242) | more than 4 years ago | (#31583912)

> Doesn't really help in a business environment - few adblockers allow you to
> deploy and manage them centrally. Frankly, it would make more sense to block
> ads at the firewall.

Privoxy does exactly that.

Re:Say No To Flash (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#31583600)

I just re-enabled AdBlock. I disabled it after the Ars Technica article regarding advertisement supported websites.

I'm happy to have unobtrusive text advertising, even images. Moving images and flash irritate me, but drive-by malware?

AdBlock stays on.

Re:Say No To Flash (1)

commodore64_love (1445365) | more than 4 years ago | (#31583878)

Or how about GIFs and PNGs? Back in the 90s and early 2000s that's what ads were, and it worked just fine. There's no need to waste bandwidth on a 1000 kilobyte or more Flash ad when a ~100 kilobyte animated GIF can do the same job.

Re:Say No To Flash (1)

commodore64_love (1445365) | more than 4 years ago | (#31583848)

That's one of the things I like about Opera Turbo -
- it blocks flash ads by default and displays a giant |> play button.
More browsers should do that.

What I don't like about Opera is how many websites refuse to serve it with javascript, and instead serve a broken nonfunctional page. I get a little frustrated with constantly right-clicking and choosing "mask as firefox" or "mask as explorer" to get a page to load properly. That isn't Opera's fault of course but it would be a lot easier if they had a global "mask" setting, so I wouldn't have to do one page at a time.

Re:Say No To Flash (0)

Anonymous Coward | more than 4 years ago | (#31583348)

But..but...but...Flash Video Porn!

Stop ...sp....looking to porn?

I thought it was the safe way instead of MP3s?!?

On the contrary! (1)

Errol backfiring (1280012) | more than 4 years ago | (#31583758)

Watch an ad and you're f*cked automatically!

Good thing (1)

Jaysyn (203771) | more than 4 years ago | (#31583316)

Good thing the combo of AdBlock, NoScript & FlashBlock will basically prevent these kinds of attacks.

Re:Good thing (2, Informative)

bunratty (545641) | more than 4 years ago | (#31583490)

In addition, you can also use the Plugin Check [mozilla.com] to make sure you have the most recent versions of plugins to decrease the risk of attack. And don't forget to turn on DEP [microsoft.com] for all programs and services on Windows.

Re:Good thing (1)

Bearhouse (1034238) | more than 4 years ago | (#31583492)

Mod up, mod up...
How many times do we have to repeat this?
For those without Firefox and those extensions you point out, do your 'hosts' file:
http://en.wikipedia.org/wiki/Hosts_file [wikipedia.org]
Good for Chrome lovers and, of course, non-Windows platforms.
Yes - Apple and *Nix users are vulnerable too...especially if in a mixed network with Windows boxen.

Peerblock is worth a look too...
http://www.peerblock.com/releases [peerblock.com]

Re:Good thing (1)

gzipped_tar (1151931) | more than 4 years ago | (#31583762)

Using hosts file to re-route malicious domain is an ugly hack and should never be used. There are more efficient and maintainable firewalling tools. The hosts file should tell facts instead of lies.

Re:Good thing (1)

NatasRevol (731260) | more than 4 years ago | (#31583782)

How exactly are Mac an *nix users vulnerable?

All of the malware being delivered only runs on Windows.

Re:Good thing (1)

0ld_d0g (923931) | more than 4 years ago | (#31583554)

Unfortunately, that makes the web unusable for many people. Most people commenting here aren't the kind who get infected by malware.

Re:Good thing (1)

ShadowRangerRIT (1301549) | more than 4 years ago | (#31583892)

Well, AdBlock and Flashblock don't cause a problem for most people in my experience. NoScript drives them crazy though. And given that Flashblock (last I checked) doesn't provide real security (the Flash is loaded briefly before being replaced in the DOM, so the window of vulnerability remains), you're stuck with hoping the AdBlock filters are up to date. It's better than letting them browse on unprotected IE6, but without NoScript you're still vulnerable to exploits served from very new hosts (too new to show up in the AdBlock filters).

Re:Good thing (0)

Anonymous Coward | more than 4 years ago | (#31584084)

So will running any OS but Windows. This malware only runs on Windows.

Adblockers anyone (4, Insightful)

Galestar (1473827) | more than 4 years ago | (#31583330)

Yet another reason to use ad blockers. I'm starting to think Firefox should come with it out of the box.

Re:Adblockers anyone (0)

Anonymous Coward | more than 4 years ago | (#31583396)

I don't think that's going to happen. Firefox has gained too big a marketshare to be able to do this without getting massive pressure from various sides.

Re:Adblockers anyone (3, Insightful)

Monkeedude1212 (1560403) | more than 4 years ago | (#31583572)

The problem is that a large amount of money on the internet is made through advertisements. If Firefox gains marketshare, and starts with adblocking, that's tons of revenue stream being cut off. Google makes a lot of money through advertising, and they seem to be the only ones pushing for progress right now. I don't know if I'd want to go and reduce their income.

In Alberta it's illegal to have a billboard on a highway, based solely on the idea that it causes more accidents because billboards are distracting. This isn't a direct attack on the speed limit, a major factor, or alcohol, another major factor, because attempting to control those other 2 factors would cause a huge upset.

Same with internet advertising, you can't just stop it all and make the world a better place.

Re:Adblockers anyone (1)

rtaylor (70602) | more than 4 years ago | (#31583694)

You might want to double check FireFox's revenue streams before suggesting they implement adblocking by default.

Much more profitable than click-throughs... (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31583332)

1) Flash-based Banner Ad
2) JRE Exploit (CVE-2008-5353)
3) Adobe Reader Exploit
4) Profit?

Re:Much more profitable than click-throughs... (2, Insightful)

julesh (229690) | more than 4 years ago | (#31583474)

1) Flash-based Banner Ad
2) JRE Exploit (CVE-2008-5353)
3) Adobe Reader Exploit
4) Profit?

From what I saw when this happened to me:

1) Javascript-based banner ad
2) MFSA2010-01 [mozilla.org] (or something similar that was present in Firefox 3.5.7)
3) Mozilla extension to redirect links from google, yahoo and bing to a site of your choice
4) Site that serves large numbers of per-impression banners for dubious porn sites
5) Profit.

Adblocker (4, Insightful)

wisnoskij (1206448) | more than 4 years ago | (#31583460)

I would like to support sites by viewing their ads but if it leaves you more open to viruses even on high-profile sites then it is not worth the risk.

Re:Adblocker (2, Interesting)

jedidiah (1196) | more than 4 years ago | (#31583670)

Yes. This goes way beyond being "merely annoyed". If it becomes a security issue then ads need to go in general.

This is another example of how "outsourcing" leads to loss of quality and control. If you are going to spam someone then you need to be in control of the relevant content. You need to take responsibility for it. That seems to be the real problem here. You end up needing to whitelist 10 or 20 scripting hosts for the average "legitimate" website.

Make the Ads Safe (4, Insightful)

The Angry Mick (632931) | more than 4 years ago | (#31583714)

I would like to support sites by viewing their ads but if it leaves you more open to viruses even on high-profile sites then it is not worth the risk.

Very good point, especially in light of Ars Technica's recent plea [arstechnica.com] to users to stop blocking ads.

I, too, would be more than willing to disable the protective measures I've got in place, but as long as these sites rely on third party advertisers that are more concerned with eyeball collection than system security, we have a stalemate. If sites want me to see their ads, they have the burden of making sure the ads are safe (less annoying would also be good). If I lower my guard out of "friendship" for a site, only to get a drive-by download as a reward, I'm going to take it as a major breach of trust.

Re:Adblocker (1)

ajs (35943) | more than 4 years ago | (#31583964)

You could always whitelist ads on sites that you want to support while turning off JavaScript (e.g. using noscript). Most ads will still display (unless they're flash, and then it really was their choice, wasn't it?)

That's what I do. I even leave Slashdot's ad opt-out checkbox unchecked.

So at what point does Adobe become liable? (0)

Anonymous Coward | more than 4 years ago | (#31583484)

Since the attack vector isn't Flash itself, but the implementation that 99.9999999% of people have installed.

The real defense line (4, Interesting)

geegel (1587009) | more than 4 years ago | (#31583498)

The way I see it, no browser should be designed to require admin rights. All that it needs is a sandboxed environment for temporary files. When this mantra gets in the developers' heads, such exploits will no longer be possible. Of course, by that time, other types of exploits will be invented, but we'll cross that bridge when we reach it.

Re:The real defense line (1)

FlyingBishop (1293238) | more than 4 years ago | (#31583674)

Designing a browser not to require admin rights will never prevent users from running it as admin.

Re:The real defense line (1)

geegel (1587009) | more than 4 years ago | (#31583728)

Most users follow the path of minimal resistance (i.e. they will most likely go with default settings). If these settings mean security by design, most of these problems would disappear.

Re:The real defense line (2, Interesting)

Neil Watson (60859) | more than 4 years ago | (#31583686)

In UNIX one might try running the browser as another user via 'su'. That user could be isolated with no useful data or access. Probably some X permissions will have to change to allow the browser to display on an X server owned by another user.

Could this be accomplished with Windows?
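Added example, not from anyone in this thread: one way to do what the post above describes on a Linux/X11 desktop. It assumes a dedicated throwaway account named `webjail` already exists (created out of band, e.g. `useradd -m -s /usr/sbin/nologin webjail`) and that the caller is allowed to `sudo -u webjail`. The X permission change is the narrow `xhost +SI:localuser:webjail` rule rather than the catch-all `xhost +`, the jailed process gets a scrubbed environment via `env -i`, and before launching, the script checks that the jail account really cannot read the caller's home directory (the whole point of the exercise). The browser command line and account name are assumptions for the demo.

```python
"""Run the browser as a separate, data-less local account (added example)."""
import os
import shlex
import subprocess
import sys

JAIL_USER = "webjail"  # assumed dedicated account, created out of band
BROWSER = ["firefox", "--no-remote", "--profile", "/home/webjail/.mozilla/fx"]  # assumed


def xhost_rule(user: str) -> str:
    """Server-interpreted auth rule: only this local account may talk to X."""
    return f"+SI:localuser:{user}"


def jail_env(user: str, display: str) -> dict:
    """Minimal environment for the jailed process: its own HOME, no XAUTHORITY
    (the SI rule makes the cookie unnecessary), a fixed PATH."""
    return {
        "HOME": f"/home/{user}",
        "USER": user,
        "LOGNAME": user,
        "DISPLAY": display,
        "PATH": "/usr/local/bin:/usr/bin:/bin",
        "LANG": os.environ.get("LANG", "C.UTF-8"),
    }


def launch_cmd(user: str, display: str, browser: list) -> list:
    """argv: sudo switches the account, `env -i` drops every inherited variable
    so the browser sees only what jail_env() provides."""
    env_args = [f"{k}={v}" for k, v in jail_env(user, display).items()]
    return ["sudo", "-u", user, "-H", "--", "env", "-i", *env_args, *browser]


def isolation_check_cmd(user: str, protected: str) -> list:
    """Command that must FAIL (non-zero exit) if isolation is right: the jail
    account should not be able to list the caller's home directory."""
    return ["sudo", "-u", user, "--", "ls", protected]


def run(user: str = JAIL_USER, browser: list = BROWSER) -> int:
    display = os.environ.get("DISPLAY", ":0")
    protected = os.path.expanduser("~")
    probe = subprocess.run(isolation_check_cmd(user, protected),
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    if probe.returncode == 0:
        print(f"refusing to start: {user} can read {protected}; "
              f"run: chmod 700 {protected}", file=sys.stderr)
        return 2
    subprocess.run(["xhost", xhost_rule(user)], check=True)
    try:
        return subprocess.run(launch_cmd(user, display, browser)).returncode
    finally:
        # revoke the X access again once the browser exits
        subprocess.run(["xhost", "-SI:localuser:" + user])


if __name__ == "__main__":
    print("would run:", shlex.join(launch_cmd(JAIL_USER, os.environ.get("DISPLAY", ":0"), BROWSER)))
    if "--run" in sys.argv:
        sys.exit(run())
```

Without `--run` the script only prints the command it would execute. Note that this isolates the account, not the X session: a process that can draw on your X server can also read your keystrokes, so it is a containment of file access, not a full sandbox.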

Re:The real defense line (1)

geegel (1587009) | more than 4 years ago | (#31583840)

Basically yes. What's to stop a developer from coding a browser with an emulator type architecture? You load the environment and in that environment you load the browser, while restricting its rights to the bare minimum.

Re:The real defense line (1)

Culture20 (968837) | more than 4 years ago | (#31583700)

> The way I see it, no browser should be designed to require admin rights. All that it needs is a sandboxed environment for temporary files. When this mantra gets in the developers' heads, such exploits will no longer be possible. Of course, by that time, other type of exploits will be invented, but we'll cross that bridge when we reach it.

The way I see it, no browser updates should be designed to require admin rights. Back in the day, FF installers for windows didn't require admin rights; anywhere a user could install was fair game. I don't know if that's still true. But, what if the core executables were owned by root, but updates could be owned by various users? i.e. on opening, browser checks web for updates, if it finds some, it downloads the updated exe or dll to local user dir, and then restarts itself using the new version. If no updates are found on the web, it checks local user dir to see if there were updates previously downloaded, and restarts using the latest downloaded update. Then every user can update their browser.

Even better: Make the command line browser updater work _only_ on the command line so that sysadmins can update hundreds of machines at a time. Why do command line browser updaters need to open a GUI for a progress bar?

Re:The real defense line (0)

Anonymous Coward | more than 4 years ago | (#31583780)

Even without admin rights malware can still cause you tremendous grief. The real problem is two fold:

1. Automatic download and execution without the user's knowledge or consent.
2. User education / trust

Fix the first issue and you solve a big chunk of the problem; Microsoft is getting better at it, but it still happens.
The second issue is harder. Even today we STILL read about people who siphon all their life savings off to some Nigerian scumbag. You think these same people wouldn't click through some dialogs to download and run "Fuck.Up.My.Pc.exe"? I think most people just don't understand enough about how computers work to know any better.

Re:The real defense line (1)

The MAZZTer (911996) | more than 4 years ago | (#31584036)

Huh? AFAIK none of the major players require admin rights. In addition Chrome (on XP/Vista/7) and IE8 (on Vista/7, not XP) both sandbox themselves and have been doing so for over a year now...

Ars Technica (5, Insightful)

Anonymous Coward | more than 4 years ago | (#31583500)

And Ars Technica says I shouldn't block ads.

I repeatedly told their staff that I don't block Ars Technica, but I do block ad servers. If they want to send me ads let them serve them from their own domain.

Sites responsible for ad-vectored infections should be hit with hundreds of small claims court lawsuits to recoup the costs to clean up the infections.

Maybe then they'll learn.

'careless web activity' (3, Insightful)

John Hasler (414242) | more than 4 years ago | (#31583506)

> I usually suspect the users of 'careless web activity' when I delouse a PC...

They are guilty of 'careless web activity': not blocking ads.

i'd rather have a malware infested web with ads (-1, Troll)

circletimessquare (444983) | more than 4 years ago | (#31583646)

rather than a poor pathetic web, because there's no money to be made, because everyone blocks ads

so go ahead and block ads if you like, but shut up about it. there's no joy in boastfully "advertising" the practice. only a less vibrant web for everyone

Re:i'd rather have a malware infested web with ads (0)

Anonymous Coward | more than 4 years ago | (#31583910)

ONE small claims court victory for PC cleanup costs a month would put a serious hurt on any site's revenue.

Serve the ads yourself and take responsibility for them, every other media format does.

Re:'careless web activity' (2, Informative)

FlyingBishop (1293238) | more than 4 years ago | (#31583690)

Don't block ads. Use NoScript. Blacklists are easily compromised. Whitelists are much more difficult.

Re:'careless web activity' (1)

John Hasler (414242) | more than 4 years ago | (#31583824)

> Don't block ads. Use NoScript.

I use NoScript to block scripts. I use Privoxy to block ads.

> Blacklists are easily compromised. Whitelists are much more difficult.

Nothing gets through and I can selectively allow scripts.

Scary (0)

Anonymous Coward | more than 4 years ago | (#31583508)

I recently loaded the website of a local paintball facility in Firefox 3.5.7 with NoScript and the site somehow added itself to the NoScript allowed sites and attempted to install one of the Antivirus XP 2010 type pieces of crapware. This was on Vista and the installation went nowhere; testing on an XP machine yielded full and complete installation with no user interaction beyond opening the original web site. Pretty scary.

ORLY? (2, Interesting)

SpicyBrownMustard (1105799) | more than 4 years ago | (#31583528)

Let's see here... an anti-malvertising/malware firm reporting lots and lots of malicious "bad things" being served up by those terrible pesky Internet ads... no agenda here. The report failed to follow-through and dig into the real problem with malicious payloads associated with online ads, the ad network daisy-chain. If network-A has no impression for you, you're handed off to network-B, which may have no impression and then gives you to network-C... and so on. As your impression traverses the daisy chain, the likelihood of hitting a low-tier ad network that allows any wanker with a (stolen) credit card to order millions of impressions increases... where the malware begins. We scan our ad tags daily, using two methods -- a dozens-of-times-an-hour service, and our own script on a minimally-protected PC. We've never seen malware from advertising assets delivered by a top-tier ad network... when we see malware, it's ALWAYS from a provider down the daisy-chain.
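Added example, not the poster's own scanning script: what an ad-tag audit of the daisy-chain can look like once you have the hop list. It walks a captured redirect chain and reports the first hop that leaves the networks the publisher actually contracted with, plus two cheap extra signals (plain-http hops, whose creatives can be rewritten in transit, and bare IP addresses with no accountable domain). The redirect table, the approved-network list and every host name below are constructed for the demo; a real run would be fed the `Location` headers and script `src` hops captured by a fetching sandbox.

```python
"""Audit the ad-network daisy-chain behind one ad tag (added example)."""
import ipaddress
from urllib.parse import urlparse

# Networks the publisher has a direct contract with (assumed list)
APPROVED_NETWORKS = {"ads.tier1-network.example", "static.tier1-network.example"}

# Constructed capture: each URL maps to what it handed the impression to
# (None = a creative was finally served at that hop)
CAPTURED_REDIRECTS = {
    "https://ads.tier1-network.example/tag?slot=300x250":
        "https://fill.tier2-exchange.example/bid?ref=tier1",
    "https://fill.tier2-exchange.example/bid?ref=tier1":
        "https://rtb.cheapimpressions.example/serve.php?id=77",
    "https://rtb.cheapimpressions.example/serve.php?id=77":
        "http://198.51.100.23/in.cgi?4",
    "http://198.51.100.23/in.cgi?4": None,
}


def follow_chain(start, redirects, max_hops=10):
    """Ordered list of URLs visited; stops at the final creative, at a loop,
    or after max_hops (a runaway chain is itself a signal)."""
    hops, seen, url = [], set(), start
    while url is not None and len(hops) < max_hops:
        if url in seen:
            break
        seen.add(url)
        hops.append(url)
        url = redirects.get(url)
    return hops


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_chain(hops, approved):
    """Classify each hop; the first hop off the approved list is where the
    publisher's control over the creative ended."""
    findings = []
    for depth, url in enumerate(hops):
        p = urlparse(url)
        host = p.hostname or ""
        reasons = []
        if host not in approved:
            reasons.append("host not in approved networks")
        if p.scheme != "https":
            reasons.append("plain http (creative can be rewritten in transit)")
        if _is_ip(host):
            reasons.append("bare IP address, no accountable domain")
        findings.append({"depth": depth, "host": host, "reasons": reasons})
    first_bad = next((f["depth"] for f in findings if f["reasons"]), None)
    return {"depth": len(hops), "first_untrusted_hop": first_bad, "findings": findings}


def is_suspicious(report):
    return report["first_untrusted_hop"] is not None


if __name__ == "__main__":
    start = "https://ads.tier1-network.example/tag?slot=300x250"
    report = audit_chain(follow_chain(start, CAPTURED_REDIRECTS), APPROVED_NETWORKS)
    for f in report["findings"]:
        print(f"hop {f['depth']}: {f['host']:<40} {'; '.join(f['reasons']) or 'ok'}")
    print("control lost at hop", report["first_untrusted_hop"])
```

Run daily against each tag you serve and diff the hop lists: a chain that suddenly grows a hop, or whose tail changes host, is worth a look even when no AV alarm fires.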

Re:ORLY? (2, Insightful)

John Hasler (414242) | more than 4 years ago | (#31583874)

Why don't you think that the top tier services should be held responsible for the results of their daisy-chaining? They got paid for handing you off.

Disable JavaScript (0)

Anonymous Coward | more than 4 years ago | (#31583536)

Disable JavaScript and 3rd party cookies.
Obviously, don't use IE and configure it at the highest possible internet security options to stop accidental use by users or other programs hard coded to use it.

Not just that... (1)

naplam33 (1751266) | more than 4 years ago | (#31583544)

And not just malware, scam shops and all kinds of shady stuff. You want to know what's the best part? Google, Yahoo, and so on don't give a f*ck about it, I've reported such ads several times and I've never seen any action taken. As long as the criminals pay for the ads, nobody cares.

Who Pays for These Ads? (0)

Anonymous Coward | more than 4 years ago | (#31583552)

Seems like it should be easy to track and either immediately shut down the compromised accounts used or decapitate the morons responsible. If it's not easy then the payment systems need to be completely re-engineered such that it is. There's no excuse in this privacy-impaired online global society for not being able to track down where the money comes from. Heck, just ask the fraking RIAA for help if you can't figure out it's really a 70 year old grandmother without a computer who is placing these ads.

OK, if the ad networks won't police this (2, Interesting)

WCMI92 (592436) | more than 4 years ago | (#31583616)

Then we should start blocking the ad networks from our networks.

If lots of people started doing that, I wonder how quick Google, Yahoo, et al. would start screening advertisers for malware?

Makes it hard to meet them halfway (3, Insightful)

MikeRT (947531) | more than 4 years ago | (#31583722)

They complain about advertising revenues while they are serving up ads that contain malware. To someone who hates ads to begin with, that's like saying "we know you don't enjoy crawling over broken glass, so how about crawling over glass mixed with AIDS-infected blood and barbed wire?"

malvertising? (3, Funny)

Anonymous Coward | more than 4 years ago | (#31583736)

how about badvertising?

Say NO to active content. (4, Interesting)

Anonymous Coward | more than 4 years ago | (#31583746)

That's why I am so pissed at site designers who go "lalala I can't hear you" whenever I request they make their site accessible without "active content" (i.e. Javascript, Flash, Java or even worse things).

It's nifty and all, but nowadays it's the main malware distribution mechanism. And you can't tell users "just switch off Javascript", because suddenly, half of the Web won't work (I do switch off Javascript: no, not NoScript. Just The Real Thing -- and for most, I'm even glad *this* half of the Web doesn't work -- but I can't tell a regular user to do the same). Heck, those $@#%! web designers even do regular links with javascript snippets for reasons inscrutable to me. Disgusting.

Advertisers? Do you hear me? I'll look at pngs, jpegs and gifs, even animated. I'll read text. but I won't even see your Javascript/Flash/whatever stuff.

There. Had to be said.

Ban Javascript! (1)

tedhiltonhead (654502) | more than 4 years ago | (#31583788)

Ad networks should not enable their clients to include Javascript, Flash, Java, or other active content in the first place. If they have a compelling business case for doing so, all code should be "whitelist" filtered before being distributed. The ad network's reputation is on the line every time they serve an impression.

Ars Says (1)

JackSpratts (660957) | more than 4 years ago | (#31583832)

It's a small price to pay for not using AdBlock. So remember: don't use it.

Are you kidding me? (1)

malp (108885) | more than 4 years ago | (#31583854)

The simple act of browsing the web should never under any circumstances infect your computer. The web browser is simply a viewer. It should only have permission to save bookmarks, cookies, and maybe a few other things to disk. If your operating system allows the web browser to infect your computer or to modify itself without prompting you first, someone seriously dropped the ball when designing your OS. Relying on anti-virus protection or only visiting reputable web-sites is like piling sandbags in front of your house when you shouldn't have built in a flood plain in the first place.

What? Me Worry? (0)

Anonymous Coward | more than 4 years ago | (#31583904)

For the past 10+ years I've had no worries about clicking on any ad or link I see. Never picked up anything from doing so, despite being warned for the past decade that my days of worry-free browsing will soon come to an end. It's been over 10 years now and I'm still waiting. I run no A/V, never have, and my firewall is gathering dust. (I assume it works but I've never turned it on.) Mod this post into oblivion all you want, but I'm just here to tell ya, there really is a better way.

I don't need to tell you what OS I'm using. That should be obvious.

Adblock and Noscript (1)

erroneus (253617) | more than 4 years ago | (#31583936)

Once again, we cannot trust advertising that does not come directly from the web site being contacted. No surprise there. Further, there are times when we cannot trust advertising that DOES come from the site being contacted.

The only safe content, so far, is based on simple text and pictures.

Are you listening advertisers? TRUST the people you are advertising through to host and deliver your ads appropriately. RESPECT your audience enough to avoid using flash and other nonsense. Do this and people will not block your ads so much. People block not only because it is annoying, it is a risk to do otherwise.
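Added example, not code from anyone in this thread: the "whitelist filter" that tedhiltonhead's "Ban Javascript!" post asks ad networks to run on creatives before serving them, restricted to the static text-and-pictures markup erroneus's post above calls the only safe kind. It parses the creative with the standard-library HTML parser and rejects any tag outside a small allowlist (so `<script>`, `<object>`, `<embed>`, `<iframe>` all fail), any `on*` event handler attribute, any `href`/`src` that is not an absolute http(s) URL (which kills `javascript:` and `data:` URLs and protocol-relative `//host` tricks), and any image not hosted on the network's own CDN. The allowlists, the CDN host and the sample creatives are constructed for the demo.

```python
"""Whitelist filter for ad creatives: static text and images only (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"a", "img", "p", "span", "div", "br", "b", "i", "strong", "em"}
ALLOWED_ATTRS = {
    "a": {"href", "title", "target"},
    "img": {"src", "alt", "width", "height"},
}
GLOBAL_ATTRS = {"class", "id"}            # no 'style': CSS has had its own script vectors
APPROVED_IMAGE_HOSTS = {"static.tier1-network.example"}  # assumed: the network's own CDN


class CreativeChecker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.violations.append(f"<{tag}> not in tag whitelist")
            return
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.violations.append(f"<{tag} {name}> event handler")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()) | GLOBAL_ATTRS:
                self.violations.append(f"<{tag} {name}> attribute not in whitelist")
                continue
            if name in ("href", "src"):
                self._check_url(tag, name, value)

    def _check_url(self, tag, name, value):
        p = urlparse(value.strip())
        # urlparse lowercases the scheme, so JAVASCRIPT: is caught too;
        # relative and protocol-relative URLs have an empty scheme and are rejected
        if p.scheme not in ("http", "https"):
            self.violations.append(f"<{tag} {name}> scheme {p.scheme!r} not allowed")
        elif tag == "img" and p.hostname not in APPROVED_IMAGE_HOSTS:
            self.violations.append(f"<img src> host {p.hostname!r} not approved")


def check_creative(html: str) -> list:
    """Return the list of policy violations; an empty list means serve it."""
    checker = CreativeChecker()
    checker.feed(html)
    checker.close()
    return checker.violations


# Constructed sample creatives
SAFE_CREATIVE = ('<a href="https://advertiser.example/landing">'
                 '<img src="https://static.tier1-network.example/c/1.png" '
                 'width="300" height="250" alt="Spring sale"></a>')
SCRIPT_CREATIVE = ('<div><script src="http://198.51.100.23/in.js"></script>'
                   '<img src="https://static.tier1-network.example/c/2.gif"></div>')
HANDLER_CREATIVE = ('<img src="https://static.tier1-network.example/c/3.png" '
                    'onload="location=\'http://evil.example\'">')
FLASH_CREATIVE = ('<object type="application/x-shockwave-flash" '
                  'data="https://cdn.other.example/a.swf"></object>')
JSURL_CREATIVE = ('<a href="javascript:void(0)">'
                  '<img src="https://static.tier1-network.example/c/4.png"></a>')

if __name__ == "__main__":
    for label, creative in [("safe", SAFE_CREATIVE), ("script", SCRIPT_CREATIVE),
                            ("handler", HANDLER_CREATIVE), ("flash", FLASH_CREATIVE),
                            ("jsurl", JSURL_CREATIVE)]:
        print(f"{label:8s}", check_creative(creative) or "OK")
```

This is a serve-time gate, not a detection tool: it does not try to find malicious scripts, it refuses anything that is not a picture with a link. The price is that rich-media creatives are rejected outright, which is exactly the trade these posts are asking for.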

You can't tell the enemy from your friends... (4, Interesting)

rickb928 (945187) | more than 4 years ago | (#31583960)

I have a running dialogue with a webmaster of a celebrity paps site (ok, sue me) about the various bits of malware that are being served up by her various advertisers. This began a few months ago, and it took a while before I figured out they could not be expected to know this was happening. She has tracked down the source of these adverts to an agency that offered her triple the usual rate. Now she knows, among other things, that if it's too good to be true, there is a reason why.

But, she and I have synched clocks so she can know to the few seconds what I got. She has to report back precise details to get her advertisers to figure out what happened, cause most of her direct advertisers are contracting out ads to other agencies, and they sell other ads, and the chain gets long and obscure in no time at all.

So far, she is helpful, but last week I sent her a screenshot of a nasty one installing that 2010 antivirus onto one of my virtual machines, and it turned out to be her oldest and most loyal sponsor, and an entirely legitimate ad that had gotten hijacked on the way to her server. Yup, her server is compromised, and some ads are being re-written on the fly from other sources. Makes sense to me, just another vector. This is not good - even honest webmasters are vulnerable, though she called in a team/favor to fix up her server, which is supposed to be monitored for this stuff. Oh well.

Is there any defense? I'm using VPC2007 to run browsers just to be able to look at the nasty stuff being inflicted on me (not the celebs, thank you) and I can't imagine the fun of doing this from my desktop. Ewww.

When the NYT is being used, we are past blaming the source.

Not to mention the waiting time I see for ad servers. I want the damned content I asked for, thank you, perhaps webmasters need to find a way to ditch slow ads and let us see what we wanted to in the first place, ok? Thanks!

Twice from Slashdot (1)

Alistair Hutton (889794) | more than 4 years ago | (#31583970)

I've been hit twice in two weeks with attempted installs of trojans/fake anti-spyware just from visiting pages linked to from Slashdot stories. Not amusing.

I sure am glad... (1)

NewbieProgrammerMan (558327) | more than 4 years ago | (#31584070)

...that I never removed DoubleClick from the list of sites that aren't allowed to deliver content to my browser.
