Wednesday, November 14, 2007

Rogue ads pushing malware -- how it works

On Monday, eWeek wrote an article about DoubleClick displaying ads that promoted rogue antispyware. The article quoted our work.

To clarify — it wasn’t DoubleClick that was spawning the ads (well, it was, but it wasn’t). DoubleClick sells a system called DART, which websites (called “publishers” in the world of advertising) use to manage their advertising. So if you’re looking at the URL in a packet capture, it looks like it’s coming from DoubleClick . You can see this in a video that Roger Thompson made:


There will be more on this story later today, but quickly, here’s what’s been going on:


  • The slimeballs at Adtraff have gone out and registered buckets of sites.

  • They contact ad sales people at various websites (like the Economist, mlb.com, etc.) and buy advertising — always using wire transfer or credit cards. They play tricks, like buying ad space at the end of the month, when ad sales people are hungry for deals.

  • After the ad space is booked, they send the creative, which is always a .swf (Flash) file. It’s innocuous. In the case of the stuff that happened over the weekend, it was some ad for eMusic:

  • Emusci123812378

    (There’s a live sample still up — curious researchers can download it here: m1(dot)2mdn.net/1622576/199485_1194389307_numbers-count-728x90.swf.)

  • The SWF files vary: Sandi Hardmier observed one recently for an airline auction site.

  • Inside that Flash file are encrypted redirects to whatever site that Adtraff is pushing (like this malware ad that is in Roger’s video above).

  • The redirect data in the Flash file does not show itself when the creative people at the website upload it. The redirects are triggered by times, geo location, etc.

  • In the case of DoubleClick, many publishers use DoubleClick’s DART system, which allows them to manage the ads. The ads are uploaded into the DART system, which hosts ads on DoubleClick’s servers. Then, websites can track how many people view the ad, generate reports, etc.

    So in the case of what we saw over the weekend, it looked to researchers like the ads were coming from DoubleClick — and they were — sort of. But it was the websites themselves that were uploading the ads onto the DoubleClick system. (DoubleClick is no longer in the ad network business — meaning, they are no longer in the business of placing ads on websites, with the exception of their Performics subsidiary).

  • DoubleClick itself is trying to filter these malicious ads, and is working on improved filters to better detect them.

This is not a trivial problem, and the most important thing for publishers to do is to be extremely careful when accepting new advertisers (and be wary of tricks these people use, like giving fake references), and then keep a close eye on the advertising as it’s running (and hopefully some good tools can be developed for publishers to use to check the content of ads for malicious redirects before posting).


Alex Eckelberry