Malicious banner advertisements ... where do we go from here?
Let's play whack-a-mole!!
The big advertising networks are getting better at avoiding malicious advertisements, which is good and protects potentially millions of people from malicious banner advertisements, but now we are seeing signs that there is a shift in activity from infilitrating large networks to selling malicious advertisements direct to victim sites (cite the recent Sensis outbreak, the defsounds outbreak, and every other site that was hosting malicious advertisements within their own infrastructure).
I had a very interesting phone chat tonight about malicious banner advertisements and what not - and one of the facets that came up was a question of how long the malicious advertisements have been around.
We know that MSN was hit around February 2007, and AOL maybe a month later... but what do we know of earlier examples? I'm sure the behaviour has been around for a long time, but the question is, have I documented it? Let's have a look.
Well, back in March 2006 I wrote about Winfixer related advertisements that hit ActiveNetwork, but the important point is that you had to click on the advert - it wasn't an automatic redirect.
So, when did I first document an actual redirect? Well, we have December 2006.
Actually, let's go back to April 2006, and a bit later, July 2006.
So, we can safely say that I saw the redirects happening in April 2006, a good 10 months before they hit MSN, and then AOL. If we go purely on what I have documented on this blog, the winfixer guys made the shift to adverrtisements with hostile code that triggers automatic redirects somewhere between March and April 2006.
I remember that Winfixer type advertisements were so problematic for the advertising network behind the Messenger Plus Sponsor Program thats the advertising network that supplied the content for Patchou's Messenger Plus Sponsor Program, and Patchou, decided to edit MP users' HOSTS file to map winfixer type domains to localhost and thereby avoid the malicious advertisement - an effective measure, but only ever a stopgap.
That reminds me, I really should install the Sponsor Program on a sacrificial lamb and check out what sort of advertising content is being offered nowadays. The only problem is, I can remember from times past that for whatever reason, the SP would not show pop-up advertisements unless the user was actively surfing. Oh well, IE7Pro with it's auto refresh should be sufficient to convince the Sponsor Program that there is somebody actually sitting at the computer...
Also, nowadays we have to deal with geo-fencing, which means I'll need to set up a sacrificial lamb in my DMZ so that I can easy switch between proxies without having to screw around with my network defences too much. I did give Privoxy (spelling?) a go a while back, but it doesn't play nice my firewalls and I wasn't comfortable with punching too many holes in same to get it to work - my (lack of) knowledge about such stuff is sure to lead to my leaving my network's rear end hanging out in the fresh air all ready to be whipped by whatever bad guy happens past.
A sacrificial box in the DMZ is definitely the best alternative. Sadly, though, I've suffered some hardware losses recently - stuff just gets old and dies - so I need to try and find a cheap (if that is even possible) small form factor PC that can be nice and unobtrusive and sit in my DMZ ticking away happily. I don't like using virtual machines - it needs to be a real box sitting surfing the 'real' internet.
I admit, my greatest concern at the moment is the new routine I am seeing where malicious advertisements are sold direct to web sites, thereby bypassing the big advertising networks and their checks and balances. I contemplate the enormity of the chore that we face, educating who knows how many hundreds of thousands of webmasters about the reality of malicious advertisements and fake "letters of mandate" or commentation or authority, and I feel exhausted at the thought.
Anyway, onward and upward. We may not win the war via this humble little blog, but I sure as heck will have a fantastic time scoring some direct hits against the bad guys when I can, and if we manage to isolate mal-networks like adtraff and its kin so that nobody in their right mind will buy their wares, then that's good - that's a win for us.
Realistically though, the best thing the security-professional-on-the-street and web site owner can do is blog his story when he is fooled into displaying malicious advertisements. Tell us what happened and about the networks involved. At least then if somebody does undertake a Web search to research whatever advertising network they will have the chance of being forewarned.