
Google DoubleClick Caught Serving Malicious Ad


Old...@noway.com

Dec 11, 2010, 6:14:17 AM
DoubleClick, the Google-owned ad technology, has been distributing
malware in an online ad served through a number of websites, according
to the security researcher who says he discovered the attack.

The malware infects users who visit a page where an infected banner ad
is displayed. It’s installed as a drive-by download, meaning that
users don’t have to click on the ad to be infected, they just have to
visit a website when the ad appears on the page.

Wayne Huang, CTO of Armorize, says his company discovered the problem
Dec. 4 and notified DoubleClick.

The malicious advertisement, for gift cards, originates from a bogus
advertising agency called AdShufffle, with three f’s in the name. The
name appears to be playing off legitimate advertiser AdShuffle. The
malicious ad has appeared on sites for Runnersworld.com and
OrganicGardening.com, among other sites that are still being
determined. Runnersworld.com and OrganicGardening.com are published by
the Emmaus, Pennsylvania-based Rodale Inc. A company spokeswoman said
the ads have been taken down.

The banner ad hawks a gift card for retail giant Target.

Huang says it appears the attackers simply copied a legitimate banner
ad and inserted Javascript that exploits the user’s browser through
one of three vulnerabilities. If the user has any of the unpatched
vulnerabilities, a piece of software called “hdd plus” is quietly
installed on their computer. The Javascript also tries to force
browsers’ PDF plug-ins to open a PDF to deliver the software through
an Adobe exploit.

Once a user is infected, the “hdd plus” program causes a fake Windows
warning message to appear on the user’s screen indicating that their
machine is riddled with malware, and urging the user to purchase a
security program.

Huang says a backdoor is also installed on the user’s machines, but he
says researchers are still examining it to determine what it does.

It’s not known how many machines may have been infected by the
malicious ad or how many web sites have displayed it. Huang says the
infections appear to have begun no earlier than Dec. 4.

Google acknowledged the issue in a statement to Threat Level and said
it recently detected malware on its own through its DoubleClick Ad
Exchange filter but this malware was stopped and never got served
through its system to web sites. It’s not clear if the malware
Armorize found is the same malware Google detected or a different
attack.

“We can confirm that the DoubleClick Ad Exchange, which has automatic
malware filters, independently detected several creatives containing
malware, and blocked them instantly – within seconds,” a Google
spokesman wrote in an e-mail. “Our security team is in touch with
Armorize to help investigate and help remove any affected creatives
from any other ad platforms.”

The malicious ads were discovered by an Armorize program called Hack
Alert that scans web sites for malicious activity. Huang says that his
researchers tested the malware against multiple anti-virus products
and only 2 out of 42 vendors detected it.

It’s not the first time that DoubleClick has served up a malicious
program. In 2007, a legitimate German marketer was caught serving
malware through an ad. In that case, the malware caused a flood of
pop-up warnings to appear on the user’s desktop telling them their
machine was infected and urging them to purchase a security program.

DoubleClick said at the time that it had implemented a new security
monitoring system to filter ads for malware.

http://www.wired.com/threatlevel/2010/12/doubleclick/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29
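
A screening check for the lookalike-name trick the article describes (AdShufffle vs. AdShuffle), as an added example that is not part of the original post or the Wired article. The allowlist entries other than AdShuffle, the function names and the distance threshold are assumptions.

```python
import re

# Constructed allowlist of already-vetted advertiser names. Only "AdShuffle"
# comes from the article; the other two entries are placeholders.
KNOWN_ADVERTISERS = ["AdShuffle", "ExampleMedia", "SampleAds"]


def normalize(name):
    """Lowercase, drop non-alphanumerics, collapse runs of a repeated character."""
    s = re.sub(r"[^a-z0-9]", "", name.lower())
    return re.sub(r"(.)\1+", r"\1", s)


def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_advertiser(candidate, known=KNOWN_ADVERTISERS, max_distance=2):
    """Classify a new advertiser name as 'known', 'lookalike' or 'new'.

    A lookalike either collapses to the same string as a vetted name
    (extra repeated letters) or sits within max_distance edits of it.
    The threshold is an assumption; very short names need a smaller one.
    """
    lowered = {k.lower(): k for k in known}
    if candidate.lower() in lowered:
        return ("known", lowered[candidate.lower()])
    for name in known:
        if normalize(candidate) == normalize(name):
            return ("lookalike", name)
        if edit_distance(candidate.lower(), name.lower()) <= max_distance:
            return ("lookalike", name)
    return ("new", None)


if __name__ == "__main__":
    for n in ["AdShuffle", "AdShufffle", "AdShuff1e", "Runners Digest Ads"]:
        print(n, "->", screen_advertiser(n))
```

A "lookalike" result is a reason to hold the account for manual review before any of its creatives are served, not proof of abuse.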


Littleguy

Dec 11, 2010, 9:49:58 AM

Not on my iMac -:)

--
Littleguy
The spiritual path - is simply the journey of living our lives.
Everyone is on a spiritual path; most people just don't know it. ~
Marianne Williamson

If you don't like it, go suck an egg. I couldn't care less"
CG, Liar & Coward



Old...@noway.com

Dec 11, 2010, 12:12:16 PM
On Sat, 11 Dec 2010 07:35:00 -0500, Just Judy
<JoodyJo...@comcast.net> wrote:

>On Sat, 11 Dec 2010 03:14:17 -0800, Old...@noway.com wrote:
>
>>
>>The malware infects users who visit a page where an infected banner ad
>>is displayed. It’s installed as a drive-by download, meaning that
>>users don’t have to click on the ad to be infected, they just have to
>>visit a website when the ad appears on the page.
>

> I'm curious, OS, and you're just the man to ask.
>
> If I visit a page that does display a banner (frequently at
>herald.com ... my hometown newspaper) but I have Adblock Plus running
>does that mean I am not at risk from the non-appearing banner which
>may, or may not, be infected?
>
> (How's that for a bunch of negatives in one sentence?)
>
>Thanks,

Really don't know, but since Adblock (I use it too) only blocks
pop ups, and not banners on one's Web page, I would say you could be
infected. I see ads all the time that are built into the Web page, but
not pop ups.

Old...@noway.com

Dec 11, 2010, 12:13:27 PM
On Sat, 11 Dec 2010 11:23:20 -0500, WaIIy <WaIIy@(nft).invalid> wrote:

>On Sat, 11 Dec 2010 03:14:17 -0800, Old...@noway.com wrote:
>

>>DoubleClick, the Google-owned ad technology, has been distributing
>>malware in an online ad served through a number of websites, according
>>to the security researcher who says he discovered the attack.
>>
>>The malware infects users who visit a page where an infected banner ad
>>is displayed. It’s installed as a drive-by download, meaning that
>>users don’t have to click on the ad to be infected, they just have to
>>visit a website when the ad appears on the page.
>

>If you're not computer savvy these days, you're sunk. That would
>include most people.

When it comes to the Net, it's good to be paranoid, since they
are out to get you.


Old...@noway.com

Dec 11, 2010, 8:48:07 PM
On Sat, 11 Dec 2010 13:05:43 -0700, °cg°
<cgrams7@{removethis}yahoo.com> wrote:

>I have Adblock Plus. It blocks banners. I wouldn't be surprised to
>find out Adblock does as well if set up to do that.

OK, what do you mean by "banners"? The Target Gift Card ad is
part of the Web page and I think it would show. Never mind, just
checked my settings with Adblock, and you are right, it should block
banner ads.


Old...@noway.com

Dec 12, 2010, 4:01:33 AM
On Sat, 11 Dec 2010 21:24:28 -0500, WaIIy <WaIIy@(nft).invalid> wrote:

>Fuckers.

Took the word right out of my mouth. Can't do anything any
more on the Net without looking over your shoulder/screen before you
click the mouse.


Rick

Dec 12, 2010, 7:56:48 AM
On Sat, 11 Dec 2010 21:24:28 -0500, WaIIy wrote:

> I bring up Task Manager and kill the browser to get out of it.

Isn't there an equivalent to "ForceQuit" in Windows?

--
Rick - Support real change- term limits!


Rick

Dec 12, 2010, 9:10:09 AM
On Sun, 12 Dec 2010 06:34:46 -0700, °cg° wrote:

> What does "ForceQuit" do?

It forces the application to quit without using any of the application's
controls. For instance when you get one of those pop ups that overtake
control of the browser leaving you with only the pop ups choices to click
on, you can force the browser to quit.


Rick

Dec 12, 2010, 10:19:12 AM
On Sun, 12 Dec 2010 07:15:57 -0700, °cg° wrote:

> What Wally did is the ForceQuit's equivalent in that it forced the
> application to exit the CPU and memory. Subsequent use of that
> application would require the application to be invoked again.

However, because IE and, to some extent, Firefox are integrated into the
OS through the use of shared DLLs and the like, you risk crashing the
entire system by doing it that way. Less so after XP, but I believe that
is what Wally is using.
Without going into the programming details, it is not equivalent at all,
though the results may make it appear that way.

Jane

Dec 12, 2010, 10:47:10 AM
"Just Judy" <JoodyJo...@comcast.net> wrote in message news:
o0i9g6hc424o17icg...@4ax.com...
| On Sun, 12 Dec 2010 01:50:56 -0500, WaIIy <WaIIy@(nft).invalid> wrote:
|
| >
| >I didn't have NoScript and got it.
|
| Same here; I'm just following your lead.
|
| I noted on the download that the developer would appreciate
| your support and the recommended amount is $15. I thought suggesting
| an amount was tacky, but, if I like the add-on, I'll send him $5 ...
| just to be ornery ... and cheap.

LOL. Judith, that's even funnier than learning that Hemingway wrote Moby Dick
and that Animal Farm was too sci-fi for you. Bwahahaha........

Jane


Dave K

Dec 12, 2010, 2:57:03 PM
On Sun, 12 Dec 2010 06:56:48 -0600, Rick <nom...@for.mee> wrote:

>On Sat, 11 Dec 2010 21:24:28 -0500, WaIIy wrote:
>
>> I bring up Task Manager and kill the browser to get out of it.
>
>Isn't there an equivalent to "ForceQuit" in Windows?

Yes. "End"
--

Cheers! :)

Old...@noway.com

Dec 12, 2010, 3:54:46 PM
On Sun, 12 Dec 2010 08:05:12 -0500, Just Judy
<JoodyJo...@comcast.net> wrote:

>On Sun, 12 Dec 2010 01:50:56 -0500, WaIIy <WaIIy@(nft).invalid> wrote:
>
>>
>>I didn't have NoScript and got it.
>
> Same here; I'm just following your lead.


Me Too <AOL>

Old...@noway.com

Dec 12, 2010, 3:59:06 PM
On Sun, 12 Dec 2010 02:31:10 -0700, °cg°
<cgrams7@{removethis}yahoo.com> wrote:

>I'm fairly careful about keeping Firefox and IE updated. Between the
>frequent security updates, NoScript, AdBlockPro, Avast and Ad-Aware
>I've just not had any issues (knock on wood).
>
>Topping that off with seeing very few ads, I can't complain.

Same here, but add Spybot to that list. As well as Symantec
Endpoint Protection.

Old...@noway.com

Dec 12, 2010, 4:00:33 PM
On Sun, 12 Dec 2010 11:21:13 -0500, WaIIy <WaIIy@(nft).invalid> wrote:

>I just end the process in Task Manager. I've done that a lot of times
>on different programs and never crashed anything.

Same here.


Old...@noway.com

Dec 13, 2010, 1:40:11 AM
On Sun, 12 Dec 2010 15:50:05 -0700, °cg°
<cgrams7@{removethis}yahoo.com> wrote:

>I don't know squat about Endpoint Protection.

It's a pro version for companies.

Old...@noway.com

Dec 13, 2010, 1:41:21 AM
On Sun, 12 Dec 2010 17:11:39 -0700, °cg°
<cgrams7@{removethis}yahoo.com> wrote:

>It looks like OS, you and I are armed to the teeth. ;-))

And I have only gotten one virus in the last 10 years, and
dealt with swiftly.


Old...@noway.com

Dec 13, 2010, 11:50:47 AM
On Mon, 13 Dec 2010 11:04:51 -0500, WaIIy <WaIIy@(nft).invalid> wrote:

>PS - With Firefox, I'd also suggest "Better Privacy" for LSO cookies.

Just got it, now I got to go through them all to see if any
contain passwords, don't want to remove them, but most of the 270+ I
got, I'm sure they don't.
