Security Response

Ban Bad Banner Ads

Created: 31 Jan 2008 08:00:00 GMT • Updated: 23 Jan 2014 18:42:41 GMT
Candid Wueest

Many people don’t like flashy advertisement banners on Web pages. But ads are a necessary thing for some pages to keep them free and help the owners pay their hosting fees. That might have been one of the reasons the bad guys thought of when using malicious banner ads as an attack vector. I’m not talking about the annoying banners that overlay half of your screen so that you have to click them away manually. I’m talking about malicious ads, sometimes referred to as "malvertisement" or "badvertisement," which contain a malicious script or a hidden redirector. Most of the time it’s a Flash object that contains an obfuscated ActionScript which redirects the user to a malicious site after performing some checks on the user's client. If the IP address of the requester falls into the desired geographic location and the IP address was not yet served, then the user will be redirected to the bad site. This site can then either use one of the well-known Web attack toolkits to exploit a vulnerability in the visitor's browser, or it could try to annoy the user with persistent pop-ups and social engineering tricks to get the user to install a misleading application or Trojan. Rogue antispyware tools seem to be a very popular payload pushed out using these methods at the moment.

The malicious ads are not a new phenomenon. In 2006 a popular social networking site was hit by a big wave and several other big names followed. Furthermore, the attacks are not only targeting English-language Web sites since there have been several cases already in other languages, such as German. This is another good example of how legitimate and trusted Web sites can unknowingly serve malware to you.

The criminals often make the effort to appear as legitimate small advertisement companies and then they buy hosting space at other advertisement companies to host their banners. The ads are sometimes just copies of official ads with the malicious script injected. Most companies do try to thoroughly check the content of the ads, but as the situations show, they do not always succeed. Some malicious ads may even have an internal start date and will behave innocently until this time has come.

What can you do to protect yourself and your computer? Besides the obvious step of running a good antivirus suite, you can also block advertisements in your browser. Some browsers have built-in methods to do so and some use external add-ons or extensions, such as the NoScript or FlashBlock extensions for Firefox.