Malware in Advertising
One of the more interesting attacks or hacks coming out the hacker’s world is the idea of malware embedded in advertising. There has been a lot of that lately to distribute bad BitTorrent clients, to infesting a computer with malware based on advertising that is sold on the major advertising exchanges.
Even MySpace has seen something similar, as hackers improve their methods of delivery; most of us are familiar with the standard refrain not to open up many types of files in mail systems, and be careful where you surf. No one expects an attack to come from selling an ad on anyone of the major advertising networks. However, this is becoming a highly preferred method to getting malware on your box.
While patching takes care of some of it, and Anti-virus and anti-spyware software takes care of some of it. There is still the old Achilles heel of has to found by signature, and as those signatures change, AV/ASW is behind the times, the damage has been done long before those software systems catch up with what the malware folks are doing.
To make people afraid of the advertising systems found on every web site at this point is generally not something that people think about. No one is afraid of ads, and if they became afraid of ads, entire companies like Google, Yahoo, Adbrite, Adengage and others would simply crumble overnight as clicks stop, revenue stops, and the entire model becomes compromised.
No one is going to teach anyone not to click on an ad.
There has to be some quality control to the systems, but there are some diametrically opposed opposites here. While the ad agencies need clicks to make money, they do have to make sure that those same ads they make money off of do not compromise clients. While new accounts have a waiting time of days, if the hackers grab onto an existing account, it can take minutes to set up a new malware delivery system using ads.
With the sheer profusion of systems, web sites, and ads seen on a regular basis, ensuring that each ad in th network is safe is not going to be easy without some form of automated system. We are not aware of those systems at this time, but have seen Google doing good things to make sure that their reputation is not compromised.
We need to see more of this kind of work, so that the whole system does not crumble under the weight of attacks via advertising. This would make an excellent PR coup for any advertiser to promote safe advertising, with demonstrative tools or standards to keep malware infested ads from their systems, and off their customers computers.
At this time though all anyone can do is suggest caution, keep your computer patched, and always think twice before going to any site that is generally evil.