You've been Drudged! Malware-squirting ads appear on websites with 100+ million visitors

Internet lowlifes who used Yahoo! ads to infect potentially countless PCs with malware have struck again – using adverts on popular websites to reach millions more people. Security researchers at MalwareBytes this week discovered the crooks running another massive campaign of ads that use the Angler Exploit Kit to infiltrate …

  1. Anonymous Coward
    Devil

    All your eyes are belong to us

    "The popularity of ad blockers may really force the ad industry’s hand to change how they go about advertising."

    Or conversely they might try to get ad blockers outlawed. After all, they acquired rights to an audience in exchange for monetary support to the content providers. If the audience is allowed to avoid the advertiser while still having access to the content, that's stealing, innit? This sorely needed legislation would be much like digital copyright protection, a well-established necessity.

    1. Truth4u

      Re: All your eyes are belong to us

      an enjoyably obtuse perspective. of course they [adblockers] should be made mandatory to prevent malware and loss of GDP.

      1. Florida1920
        Holmes

        Re: All your eyes are belong to us

        an enjoyably obtuse perspective

        Or just damned good satire.

    2. Mark 85 Silver badge

      Re: All your eyes are belong to us

      Would this outlawing be considered the moral equivalent of watching commercial TV and forcing you to not go get a beer or make a bathroom run when a commercial comes on? Seems like it....

      So why is the legislation "sorely needed" to ban ad-blockers? Stealing? Really, do explain...

      1. Anonymous Coward
        Anonymous Coward

        Re: All your eyes are belong to us

        Stealing? Really, do explain...

        Next we'll be accused of stealing because some of us haven't turned a television on in several years.

        1. Old Used Programmer

          Re: All your eyes are belong to us

          Or haven't even owned a television in years....

          1. Anonymous Coward
            Anonymous Coward

            Re: All your eyes are belong to us

            Use 'Ad-Assassin' - a paid-for service. Users pay me to jet around the world (aka the US) with a sniper rifle.

            Edit: I'd have used the joke icon; but, you know, obviously I dislike misleading people.

        2. moiety

          Re: All your eyes are belong to us

          "Stealing? Really, do explain..."

          Might be a reference to some marketing bod a few months ago who equated not sitting there religiously watching adverts on advert-supported TV with theft of services.

          The general consensus in the comments -IIRC- was that he was an entitled twat who could go fuck himself.

          Can't remember the details, but he was a high-flyer with some TV company...Sky maybe?

          1. Mike Flugennock
            Coffee/keyboard

            Re: All your eyes are belong to us

            I don't know about your side of the pond, but I'm reminded of a TV ad-industry flack I saw fuming and bitching on the NBC "Today" Show back in '99 or so, saying that people who tape shows and skip the commercials were "thieves".

            Oh, how I laughed.

      2. Anonymous Coward
        Anonymous Coward

        Re: All your eyes are belong to us

        > "So why is the legislation "sorely needed" to ban ad-blockers?"

        It IS sorely needed, by the advertisers. Did you think I meant the audience?

      3. mrvco

        Wannabes

        Not participating in a shitty business model is stealing. Apparently.

    3. Mike Flugennock

      Re: All your eyes are belong to us

      Uhhhmmm... you're being sarcastic there, right? Right?

      It's hard to tell, as we Yanks don't do sarcasm very well.

      1. Anonymous Coward
        Anonymous Coward

        Re: All your eyes are belong to us

        > "It's hard to tell, as we Yanks don't do sarcasm very well."

        Quite true, all us Yanks are straight shooters who always say exactly what we're thinking.

        1. x 7

          Re: All your eyes are belong to us

          " all us Yanks are straight shooters who always say exactly what we're thinking."

          And that explains why Yanks are renowned worldwide for not saying a lot.

          1. moiety

            Re: All your eyes are belong to us

            It's the shooting part that has the rest of us worried...

          2. Anonymous Coward
            Anonymous Coward

            Re: All your eyes are belong to us

            Don't forget that 40% of us are illegal aliens, so we're scurrilous, sneaking toilet-cleaners, and when we do speak it's in some other language that has accordions playing in the background.

            1. x 7

              Re: All your eyes are belong to us

              "Don't forget that 40% of us are illegal aliens, so we're scurrilous, sneaking toilet-cleaners, and when we do speak it's in some other language that has accordions playing in the background."

              You've got that wrong, the Scots aren't classified as illegal aliens. Yet.

        2. GX5000
          Trollface

          Re: All your eyes are belong to us

          Bristol Palin, is that you ?

      2. Doctor Syntax Silver badge

        Re: All your eyes are belong to us

        "To be fair, you need to use the '/sarcasm' tag next, Big John."

        I think the Devil's Advocate icon could have been a clue.

    4. Number6

      Re: All your eyes are belong to us

      I value my system security. All I'd get from an ad server who contaminated my machine is a "sorry", I very much doubt if they'd pay compensation for the cost (time and money) for fixing the problem. Ads should be small (seeing as they eat up my bandwidth), not involve flash, pop-ups or use of a scripting language. That would cut down on a lot of the malware attack surface. They should also not interfere with the page rendering process - having a page not load because it's waiting for a tardy ad server to cough up is not going to present a product in a good light.

      On second thoughts, I'll continue with the script and ad blockers because I don't trust any random third party to protect my system so a good first line of defence is not to let them have access.

    5. ecofeco Silver badge

      Re: All your eyes are belong to us

      I see most everyone missed Big John's sarcasm.

      To be fair, you need to use the '/sarcasm' tag next, Big John.

  2. VeganVegan

    What if

    AdSpirit & its ilk are held legally liable for damages by malware that they transmitted?

    1. Mark 85 Silver badge

      Re: What if

      I note that I'm seeing cookies and ads trying* to appear here on El Reg from Adspirit via Google. Let's be careful out there.....

      I have most ads automatically blocked and the 3rd party cookies "prompted" just for curiosity. It's surprising the amount of crap that tries to get through.

      1. Mike Flugennock

        Re: What if

        I have NoScript set to "Forbid Scripts Globally". You should see the amount of 3rd-party JavaScript in the NoScript pop-up menu; on many sites I've seen lists of domains so long that it makes the menu scroll.

        1. Anonymous Coward
          Anonymous Coward

          Re: What if

          I have NoScript set to "Forbid Scripts Globally". You should see the amount of 3rd-party JavaScript in the NoScript pop-up menu; on many sites I've seen lists of domains so long that it makes the menu scroll.

          Figuring out which ones need to be unblocked to make the page work is an exercise in frustration too.

          I can think of no good technical reason to do it. The risks however are obvious.

          1. Kiwi Silver badge
            WTF?

            Re: What if @ Stuart Longland

            Figuring out which ones need to be unblocked to make the page work is an exercise in frustration too.

            Simple process for me. If you're trying to sell me something, your page renders to a usable level without js.

            If I can't use your page without js I can't buy anything from you.

            Anything else may depend on how much I really want to see what may be hidden behind the js.

            I tend to get a good idea of what is what and ignore the advertising and tracking ones.

            Perhaps someone can help with one though.. In the last few days I have seen a "panel html" coming up and noticed when I allowed that to see what it does, even the Google search page refreshed. Doesn't Google have enough crap on their visually minimal page? If I click on the "temporarily allow" I see the field change to "temporarily allow blur://panel.html". Can someone tell me wtf this is? (off to Google to search)

            (damn, that's everywhere! Just seen it in El Reg as well. Has my browser somehow been hijacked?)

            Edit: Ok, it seems to be part of the "blur" extension which was I recall "Do Not Track Me" some time back.. What comes of browsing on my windows machine which I seldom use for this. Now, to remove some extensions...

    2. Tom 13

      Re: What if

      Nice thought, won't happen. Too many international boundaries and too many people making money from it.

  3. This post has been deleted by its author

    1. Charles 9 Silver badge
      FAIL

      Not without losing access to sites that require Flash to operate, and some of them are either hosts to exclusive content or are business control sites that can't be ignored or replaced.

      1. Morrie Wyatt
        Thumb Down

        Safety induction sites anyone?

        They, even more than advertising, are one of the banes of my existence.

        They require Flash, Java, and a variety of other plugins such as ActiveX and every other malware magnet du jour, just so you can answer normally blatantly obvious multi-guess questions to qualify online for access to a building site.

        Particularly with our good old Australian ADSL internet access, that streams the associated videos at 0.5 bits per millennium.

        All for the purposes of safety of course.

      2. channel extended

        I can ignore any site and it's not my job to replace them. Any site that finds its viewers declining because they insist on Flash will either be out of business or change. The only one I can't ignore is the tax man.

        1. Charles 9 Silver badge

          Then you're not working from the inside of an enterprise. Many enterprise units contain control sites that require Flash or other compromising features just to operate. And since these frontends are attached to highly-expensive, usually-still-being-amortized hardware, you're never gonna get the bean counters to put up for replacements.

  4. Henry Wertz 1 Gold badge

    How this usually happens

    There are three ways this usually happens.

    Dodgy sites: you have dodgy ad brokers that'll just put up whatever ad. You know the ones I'm talking about, they'll usually have incredible numbers of popups and popunders too.

    Sites that are not dodgy will deal with some reputable ad brokers, but those may deal with some other ad brokers, and those may deal with others; usually when these get a dodgy ad slipped in, it's 4 or 5 layers deep down that chain. Typically the ad brokers stop doing business with the offending broker (and one "further up the chain" may stop doing business with the one that passed the ad to them, and so on.)

    Third method, tampered JavaScript. The JavaScript served by one of the ad brokers to do the actual ad brokering is tampered with; the ad broker's ads are clean, but the tampered JavaScript loads dodgy content instead of (or in addition to) loading the legit ad.
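The third method above is the one a publisher can actually check for at the browser: if the site pins a hash of the broker script it reviewed, the browser refuses to execute a copy whose bytes differ. The block below is an added example of that Subresource Integrity (SRI) check written for this thread; it is not code from the comments, from The Register, or from any ad broker. The script bodies, the broker URL and the "extra loader" line are constructed for the demonstration.

```python
"""Subresource Integrity (SRI) for a pinned third-party script.

Added example written for this thread; not code from the comments or from
any ad broker.  It shows the browser-side check that defeats tampered
broker JavaScript: the publisher records a hash of the broker script it
reviewed in the integrity attribute, and the browser refuses to run a
fetched copy whose hash differs.  Script bodies and URL are constructed.
"""
import base64
import hashlib
import hmac

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")   # the only digests SRI accepts

# Constructed sample: the broker script as reviewed and pinned by the publisher.
CLEAN_SCRIPT = b"window.adBroker = { load: function (slot) { /* render creative */ } };\n"

# Constructed sample: the same file after an extra loader has been appended,
# the "in addition to loading the legit ad" case from the comment.
TAMPERED_SCRIPT = CLEAN_SCRIPT + b"loadExtra('https://example.invalid/extra.js');\n"


def sri_integrity(body: bytes, algorithm: str = "sha384") -> str:
    """Value for <script integrity="...">: '<algorithm>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"SRI accepts only {SRI_ALGORITHMS}, not {algorithm!r}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """Mimic the browser: integrity may list several tokens; one match passes.

    Tokens naming an algorithm the browser does not know are ignored, and an
    attribute with no usable token at all means "no check" (the resource
    loads), which is why a typo in the algorithm name silently disables SRI.
    A real browser additionally considers only the strongest algorithm listed.
    """
    usable = [t for t in integrity.split() if t.partition("-")[0] in SRI_ALGORITHMS]
    if not usable:
        return True
    return any(
        hmac.compare_digest(sri_integrity(body, token.partition("-")[0]), token)
        for token in usable
    )


def script_tag(src: str, body: bytes) -> str:
    """Tag the publisher emits; crossorigin is required for SRI on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_integrity(body)}" '
            'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_integrity(CLEAN_SCRIPT)
    print(script_tag("https://ads.example-broker.invalid/tag.js", CLEAN_SCRIPT))
    print("clean copy runs:   ", sri_matches(CLEAN_SCRIPT, pinned))      # True
    print("tampered copy runs:", sri_matches(TAMPERED_SCRIPT, pinned))   # False
```

The practical limit is the one the comment hints at: a broker script that changes every week breaks the pin every week, so SRI only works for a version the publisher hosts or has agreed with the broker to freeze, and an attribute whose only token has a misspelt algorithm name checks nothing.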

  5. VinceH Silver badge

    Optional

    "The popularity of ad blockers may really force the ad industry’s hand to change how they go about advertising."

    Wouldn't it be nice if they did just that, and concluded that people find unobtrusive, static adverts acceptable - say, just PNGs used for banners, with no Javascript required to display them, just an <img...>, and everyone in the ad industry started presenting their adverts that way.

    The more likely outcome is that they'll look for a way to get around the ad blockers - and make their adverts even more obtrusive to boot. (Or see Big John's comment at the top for an alternative hypothetical road ahead.)

    1. Anonymous Coward
      Anonymous Coward

      Re: Optional

      "The more likely outcome is that they'll look for a way to get around the ad blockers"

      The Grauniad now has a pop-up effectively saying "You are using an Ad Blocker - please click here to find another way to support us". Don't know if a third party on that page could do the same to give a malware redirection.

    2. Wade Burchette Silver badge

      Re: Optional

      I use NoScript + Ghostery in my Firefox browser. I will cease using these if advertisers follow these simple rules:

      (1) Absolutely no tracking, no exception. Which websites I go to, which items I click on, what I do is none of your business. (2) No JavaScript in the ad, no exception. (3) No autoplay video ads except before a video which I chose to watch. (4) No IP location ads, no exception. These are the ads that say "Shocking secret [your city name] man discovers". (5) The ad may not cover part or all of a web page at any time.

      In short, I will allow advertisements again when they return to the way they were at the beginning of the world wide web.

  6. Anonymous Coward
    Anonymous Coward

    "[...] or setting the plugin into "click-to-play" mode will slash the risk of attack. "

    Can't see such an option going via Control Panel - Flash icon on W7. Browser is Firefox - can't see an option in Plug-ins - Shockwave Flash.

    The Daily Telegraph annoys me when its video inserts start playing automatically.

    Can someone point me to the "click-to-play" option page please.

    1. EddieD

      It's in the addons panel - go to the plugins menu, you'll see shockwave flash, and on the extreme right, a wee drop down that gives the click to activate options.

      The BBC is another sinner in the autoplay stakes.

      1. Anonymous Coward
        Anonymous Coward

        "It's in the addons panel - go to the plugins men [...]"

        Thanks for that. However the resulting functionality is not what I wanted. It just gives a grey image with the icon to request to activate it. That means I have no way of knowing what the video is going to be if I allow it to run. All I wanted was to be able to default to "no auto play".

        The thought occurs to me. Does the malware need the Flash video to actually start playing - or is just loading it into Flash without it starting enough to do the damage?

  7. Doctor Syntax Silver badge

    Liability

    If the industry wants the income it must be prepared to accept the liability. Given that the user's point of contact is with the site rather than the broker, the liability should fall on the site. The site itself might then push the liability onto the broker. Otherwise you're saying that in order to read the content the user must pay a ransom to some scumbag.

  8. Hud Dunlap
    Gimp

    Angler Exploit Kit to infiltrate Windows PCs

    Snicker

  9. Mike Flugennock
    Gimp

    Interesting to see that "Drudged" has become a verb...

    ...to describe the act of having malware inflicted on your system by a skeezy Web ad. I don't know all the sordid details, so I won't say that Drudge Report deliberately serves up skanky ads, but I've always had the distinct impression that Drudge sure as hell doesn't care what kind of ads are served there.

    I read Drudge Report regularly -- only for cheap laffs, of course -- and I noticed very early on that it was Skeezy Web Ad Central, notorious for the infamous wildly-flashing phony "Virus Alert" banners made up to look like a Windows alert box, along with other varieties of nasty-looking, tacky animated banner ads.

    Mind you, it's been ages since I've seen one of those, as I've been AdBlocking, FlashBlocking and NoScripting like a sonofabitch for as long as that technology's been available.

    Of course, I've also used only Macs for the past thirty years, so that helps, though I've never bought into the idea of "security through obscurity". Still, every time I read in the Reg about the latest Windows malware scourge, I think "there but for the grace of Steve go I..."

    1. Anonymous Coward
      Anonymous Coward

      Re: Interesting to see that "Drudged" has become a verb...

      "Interesting to see that "Drudged" has become a verb to describe the act of having malware inflicted on your system by a skeezy Web ad"

      I think it's simply a pun on Judge Dredd where judges would say "You have been judged" just before passing sentence. Often a very unpleasant sentence.

      1. x 7

        Re: Interesting to see that "Drudged" has become a verb...

        "drudged" is a verb which describes how your hot young girlfriend, once you've married her, rapidly metamorphoses into a fat boring unattractive furry-slipper wearing bingo-playing hausfrau

  10. Infernoz Bronze badge
    Holmes

    If sites want to use adverts, keep the content safe or watch revenue fall off a cliff.

    My suggestion is that all major sites and advert-funded sites must only support secure HTTPS requests, and browsers must only support secure HTTPS requests in/from HTTPS pages, including via redirects; that way safe-site white-lists can be enforced in depth via HTTPS certificate management, and so hopefully make hijack or redirect exploits much less effective.

    Obviously any browser plugin version which does not abide by the above suggested browser HTTPS page restrictions should also be blocked by the browser, including possibly Flash, Java and Silverlight.

    Of course I use content white-list extensions, plugins, etc.; only naive, lazy or stupid people don't, including for corporate intranet sites with WTF active requests to external internet sites and/or use of Flash!

    1. Mike Flugennock

      Re: If sites want to use adverts, keep the content safe or watch revenue fall off a cliff.

      Hell, I can't remember the last time I had Java enabled in any browser I've ever used, as it could pretty much be counted on to slow page loads to a crawl, if not flat-out locking up and crashing the browser.

      They call those little turd nuggets "crapplets" for a reason, y'know...

      1. Medixstiff

        Re: If sites want to use adverts, keep the content safe or watch revenue fall off a cliff.

        "Hell, I can't remember the last time I had Java enabled in any browser" If it wasn't for Oracle, you can bet Java would not be on any machine in our network.

  11. thexfile
    Mushroom

    Only a 'tool' would go to Drudge Report.

    1. Anonymous Coward
      Anonymous Coward

      I'm not sure you can really question the information. It's all factual.

  12. ecofeco Silver badge

    There's something poetic about all this

    Not sure what it is, but it does seem as if the websites chosen have a mostly stupid-as-fucking-hell audience and provide nothing of real importance.

  13. bex

    child

    The drudge report has a front page that looks like it's coded by a child so no surprise here.

  14. John Brown (no body) Silver badge
    Facepalm

    Isn't it about time...

    ...these websites and/or ad-slingers installed some AV software to check their own sites and what they are serving to their visitors? Surely it's not beyond the wit of webmasters, especially of these big, popular sites, to, at the very least, set up a PC with AV software/malware blocker to keep loading their own web pages via an external source and then email them a warning if it picks up one of these bad ads from their own site. Ideally they should be passing all the externally generated "content" through a scanner before passing it on to us users which would mean NOT just blindly including links/re-directs/javascript/whatever.
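A publisher does not have to rely on an AV scanner reacting to a malicious creative: it can inventory what its own served page pulls in and compare that against what it deliberately chose to include. The block below is an added example written for this thread, not code from the comments, from The Register or from any ad network. It fetches nothing; it parses a constructed copy of a served page and lists every origin the page executes code from (scripts, iframes, objects, embeds, inline handlers), flags origins outside the publisher's allow-list (the "4 or 5 layers deep" broker chain), reports inline script, and flags plain-http resources on an https page, which is Infernoz's HTTPS-only point. An ad slot is expected to hold only a static image, as VinceH and Wade Burchette ask. The page URL, allow-list, origins and the `track()` handler name are all constructed placeholders.

```python
"""Audit the HTML a site actually serves for unexpected active content.

Added example written for this thread; not code from the comments, The
Register, or any ad network.  It inventories the active content a served
page pulls in, compares script origins with the publisher's allow-list, and
flags plain-http resources on an https page.  Page, origins and allow-list
are constructed for the demo.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags that execute code or embed another document, with the attribute
# naming the resource they load.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    tag: str
    detail: str


def origin_of(url: str) -> str:
    """scheme://host[:port], lower-cased; the unit an allow-list keys on."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


class PageAudit(HTMLParser):
    def __init__(self, page_url: str, allowed_origins: set[str]):
        super().__init__()
        self.page_url = page_url
        self.page_https = urlsplit(page_url).scheme == "https"
        self.page_origin = origin_of(page_url)
        self.allowed = {o.lower() for o in allowed_origins}
        self.findings: list[Finding] = []
        self.active_origins: set[str] = set()

    def _check_mixed(self, tag: str, full_url: str, severity: str) -> None:
        if self.page_https and urlsplit(full_url).scheme == "http":
            self.findings.append(Finding(severity, tag, f"mixed content {full_url}"))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Inline event handlers are script, whatever element carries them.
        for name in attrs:
            if name.startswith("on"):
                self.findings.append(Finding("high", tag, f"inline handler {name}="))
        if tag in ACTIVE_TAGS:
            src = attrs.get(ACTIVE_TAGS[tag])
            if src is None:
                if tag == "script":
                    self.findings.append(Finding("medium", tag, "inline script block"))
                return
            full = urljoin(self.page_url, src)
            origin = origin_of(full)
            self.active_origins.add(origin)
            self._check_mixed(tag, full, "high")
            if origin != self.page_origin and origin not in self.allowed:
                self.findings.append(
                    Finding("high", tag, f"unexpected third-party origin {origin}"))
        elif tag == "img" and attrs.get("src"):
            # A static image is what an ad slot is expected to hold; only its
            # transport is checked here.
            self._check_mixed(tag, urljoin(self.page_url, attrs["src"]), "low")


def audit(html: str, page_url: str, allowed_origins: set[str]) -> list[Finding]:
    parser = PageAudit(page_url, allowed_origins)
    parser.feed(html)
    parser.close()
    return parser.findings


def third_party_active_origins(html: str, page_url: str) -> set[str]:
    """Every origin the page executes code from, other than its own."""
    parser = PageAudit(page_url, set())
    parser.feed(html)
    parser.close()
    return parser.active_origins - {origin_of(page_url)}


# Constructed sample: what the publisher's own crawler fetched from its front page.
PAGE_URL = "https://www.publisher.invalid/"
ALLOWED_ORIGINS = {"https://ads.allowed-broker.invalid"}
SAMPLE_PAGE = """<html><head>
<script src="/static/site.js"></script>
<script src="https://ads.allowed-broker.invalid/tag.js"></script>
</head><body>
<div class="ad-slot"><a href="https://shop.example/"><img src="https://ads.allowed-broker.invalid/creative.png"></a></div>
<div class="ad-slot"><script src="https://cdn.fourth-tier-broker.invalid/loader.js"></script></div>
<div class="ad-slot"><img src="http://tracker.invalid/pixel.gif" onload="track()"></div>
<iframe src="https://ads.allowed-broker.invalid/frame.html"></iframe>
<script>var pageGeneratedAt = 1;</script>
</body></html>"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGE, PAGE_URL, ALLOWED_ORIGINS):
        print(f"[{f.severity}] <{f.tag}> {f.detail}")
    print("executes code from:", sorted(third_party_active_origins(SAMPLE_PAGE, PAGE_URL)))
```

Run against a page fetched from outside the publisher's own network, as the comment suggests, the audit reports the fourth-tier broker's loader, the inline handler on the tracking pixel, the plain-http pixel and the inline script block, while the allow-listed broker's tag and image pass. It is a static inventory, so it does not need the creative to detonate and is not affected by the VM-aware evasion raised in the reply; what it cannot see is what an allow-listed script loads after it runs, which is where the SRI pin on the broker script comes in.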

    1. Charles 9 Silver badge

      Re: Isn't it about time...

      Much malware is now VM-aware and likely AV-aware (or worse, AV-sabotaging) to avoid honeypots, so it won't react to such a scan. And the give and take has an unintended consequence as well. Soon, malware researchers will eventually have to develop honeypots that mimic humans to the point they can pass a Turing Test. Once that happens, the malware writers will usurp the research and create malware attacks indistinguishable at the endpoints from humans...

  15. Proteus
    Joke

    I Think I'm Infected

    I must have been infected by one of these ads. I keep getting pop-up messages advising me to upgrade to Windows 10. Definitely some kind of malware. I can't imagine how else I could have been infected.

    Oh, wait. I visited Windows Update. My fault then, really. Never mind.

    1. Anonymous Coward
      Unhappy

      Re: I Think I'm Infected

      Must be the "Sucker Punch" virus. Its home base is spoofed to look like Windows Update, to a casual inspection. Don't be fooled, this one is nasty. You might have to do a full-wipe/re-install.


Biting the hand that feeds IT © 1998–2019