Malware infected advertiser?

Tags:
  • Malware
  • Tom's Hardware
  • Tom's Guide
Last response: in Site Feedback
July 6, 2014 7:42:00 AM

I've been having issues with the main Tom's Hardware site, and some news pages from Tom's Guide, where the page will repeatedly reload, but just fill up the history with the same site. It does this about twice per second, which is quite annoying.

I finally tracked it down today. I use ScriptSafe to block malware installation attempts. I have many sites listed to trust for the main content, left a few off for avoiding obnoxious advertisements, and have a few thousand specifically distrusted because they're sources of malware. A JavaScript from one of your advertisers is trying to run a script from a specifically distrusted site, and it results in the page being reloaded, possibly with an attempt to run a malware installer.

I would suggest that the admins run some checks on your advertisers to check which is doing this.


July 6, 2014 9:06:32 AM

It would be useful if you can check which ad or ad supplier is distrusted.

Also, note that often people distrust sites purely for giving you tracking cookies, which is debatable as to whether it's malware.

Installing actual malware using JS is likely quite difficult; I don't think there are any known vulnerabilities that let you do it on current browsers. I'm fairly certain it's not in the spec.
July 6, 2014 12:30:09 PM

The main reason I started using ScriptSafe was because I got infected with a piece of malware, a clock set program that also sent the writer my internet tracking history, through a banner ad on a web comic site that used a JavaScript vulnerability. I know it is quite possible, and used frequently. In my case, it was by a "legitimate" advertising company. They didn't have the intent of stealing passwords or robbing people or companies, but they didn't disclose the full nature of the program and used a JavaScript vulnerability to install it on people's systems without permission. Another particularly insidious part was that the JavaScript vulnerability didn't even require a click. The user just had to have their mouse pass over the banner, and it would trigger. I don't remember the name of the program or the company as this was back in 2004 some time, but once discovered, many web sites quit using that advertising company, and they eventually went out of business.

I also happen to know that the old "XP Anti-virus" fake anti-virus extortionware was also frequently installed using JavaScript vulnerabilities as well as Flash vulnerabilities. That program and all its variants were a nightmare for me when I was working desktop support. I do all I can to avoid that these days.

I did find this article that you guys might find interesting:
http://www.infosecstuff.com/how-hackers-use-javascript-...

All a hacker has to do is get into an advertiser's site and insert a few lines calling their own script, and whenever that particular banner is served up, it has a chance to infect a system. All it takes is a click, or even a mouseover in some cases, and the system gets infected.

I can't tell which advertiser it is, as I am not a programmer. I am not capable of tracking through the lines of code to find the particulars, plus it refreshes twice per second, so the listing for the script that triggers it disappears too quickly to even get listed in ScriptSafe for approval. The ScriptSafe list closes every time the page closes and requires another click to open it every time the page refreshes, which makes it quite difficult to track this one. I think they did that on purpose to avoid detection. I'm just letting you know what's happening. It's up to you and your investigators to figure out the particulars, and hopefully disclose that info to the police for an arrest.
July 6, 2014 7:50:14 PM

Facepalm. None of that is a JS vulnerability; that's working as designed. It uses JS to load a third party page, which is how every advertiser works, as well as about half the layout on our site and pretty much anything interactive.

Said third party page then pushes a download at you. You accepting the download is the vulnerability.

I think you'll find it's a false positive that someone has flagged for the heinous crime of pushing tracking cookies.
July 7, 2014 5:09:59 AM

Are you actually trying to deny this?

I can certainly say that I never accepted any download when that "clock set" malware hit me. There have been dozens of JavaScript vulnerabilities in all three browsers over the years that allow for remote code execution. They've been using it for over a decade to get malware on people's systems. Granted, Flash and Adobe Acrobat have both been more popular targets than JavaScript, but it does get used. That's specifically why AMD came up with the noexecute flag on their processors. Unfortunately, that only fixes part of the problem, because software developers actually have to use it.
July 8, 2014 6:48:06 AM

If you are able to narrow it down, we can certainly investigate the matter. We're pretty responsive when it comes to this type of thing, and we only go with trusted ad partners.
-JP
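An added example, not code from the thread or from the site: the post above asks the reporter to narrow down which ad supplier is being flagged, and an earlier reply asked which ad or ad supplier is distrusted. One way to do that without reading the page's code by hand is to save the page's HTML, list every external script host it pulls in, and compare those hosts against the blocker's distrust list. The sample HTML, the page URL and the `DISTRUSTED` list below are constructed for the demo; the regex is an audit-grade approximation, not a full HTML parser.

```javascript
// Added example (not from the thread): enumerate the third-party script hosts
// a page loads, then flag the ones a domain-based distrust list would block.
// SAMPLE_HTML, PAGE_URL and DISTRUSTED are constructed for this demo.

const SAMPLE_HTML = `
<html><head>
<script src="/js/site.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
<script type="text/javascript" src='http://cdn.example-ads.net/loader.js'></script>
<script src="http://comments.us1.gigya.com/js/gigya.js"></script>
<script>/* inline script, no src attribute */</script>
</head><body></body></html>`;

const PAGE_URL = 'http://www.tomshardware.com/forum/example-thread.html'; // constructed
const DISTRUSTED = ['gigya.com', 'example-ads.net']; // constructed hypothetical list

// Pull every external <script src=...> out of raw HTML. Handles both quote
// styles and attributes placed before src; skips inline scripts.
function extractScriptSources(html) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return out;
}

// Resolve each src against the page URL (so relative and protocol-relative
// paths work) and keep only hosts that differ from the page's own host.
// Returns a sorted array of unique hostnames.
function thirdPartyScriptHosts(html, pageUrl) {
  const base = new URL(pageUrl);
  const hosts = new Set();
  for (const src of extractScriptSources(html)) {
    let u;
    try {
      u = new URL(src, base);
    } catch (e) {
      continue; // malformed src: nothing a blocker could load anyway
    }
    if (u.hostname && u.hostname !== base.hostname) hosts.add(u.hostname);
  }
  return [...hosts].sort();
}

// Domain-based blocklists match a host when it equals an entry or is a
// subdomain of one; "notgigya.com" must not match "gigya.com".
function isDistrusted(host, list) {
  return list.some((d) => host === d || host.endsWith('.' + d));
}

// The answer to "which ad supplier is being blocked": third-party script
// hosts on the page that the distrust list would refuse to load.
function flagDistrusted(html, pageUrl, list) {
  return thirdPartyScriptHosts(html, pageUrl).filter((h) => isDistrusted(h, list));
}

console.log('third-party script hosts:', thirdPartyScriptHosts(SAMPLE_HTML, PAGE_URL));
console.log('distrusted:', flagDistrusted(SAMPLE_HTML, PAGE_URL, DISTRUSTED));
```

Run it with Node against HTML saved from the affected page (replace `SAMPLE_HTML`) and the blocker's actual distrust list. On a page that reloads twice per second, saving the HTML once (for example with `curl`) is easier than reading the blocker's popup before it closes; scripts that the flagged loader injects at runtime will not appear in the static HTML, so if nothing is flagged, the next step is to capture the DOM after load rather than the raw source.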
July 8, 2014 6:41:06 PM

Someone Somewhere said:
Facepalm. None of that is a JS vulnerability; that's working as designed. It uses JS to load a third party page, which is how every advertiser works, as well as about half the layout on our site and pretty much anything interactive.

Said third party page then pushes a download at you. You accepting the download is the vulnerability.

I think you'll find it's a false positive that someone has flagged for the heinous crime of pushing tracking cookies.


He's not necessarily wrong.

There were an enormous number of vulnerabilities in early versions of Windows XP (pre-SP2, where Data Execution Prevention was introduced) and its early browsers which could allow an attacker to run arbitrary code simply by getting a user to load a particular resource. I can think of one vulnerability in an image decoding library in Windows XP which, when loading a malformed image in the browser, would allow for not only arbitrary code execution but also privilege escalation. Simply having a particular malicious advertisement show up on a website was enough to infect a computer and render it useless.
That was well over a decade ago, and while such vulnerabilities are extremely rare now they do creep up from time to time. I believe that there was a major Internet Explorer vulnerability discovered only a month or two ago.
July 8, 2014 10:46:32 PM

However, there is no ScriptSafe available for IE, and Chrome is sandboxed to hell.
July 9, 2014 12:38:25 AM

Someone Somewhere said:
However, there is no ScriptSafe available for IE, and Chrome is sandboxed to hell.


Yeah that's definitely one of the drawbacks of IE. It has an incredibly powerful security engine but it's designed to be used in combination with an Active Directory domain and a group policy framework. It's far too difficult for a layman to use.

The example that I used, though, didn't involve any scripting in the browser at all. I'm not sure if even sandboxing would have helped (although DEP was designed to prevent exploits like that); I'd need to know a bit more about how Chrome works.
July 10, 2014 3:10:46 PM

I've been blocking JavaScript for over a decade. At least partly because of that horrible advertising that underlines a random word, and if you mouse over it, it pops up this huge window that blocks the article, and clicking on it in any way takes me away from what I'm reading. However, mostly, I've been blocking because of vulnerabilities I kept reading about and a few I actually encountered.

Sandboxed or not, Chrome has come up with some serious security vulnerabilities, some having to do with JavaScript. I've heard about problems with Firefox as well. Are you saying it's safe now?
July 15, 2014 1:16:17 PM

I found the script call that keeps triggering the reload, and it is calling something from gigya.com, specifically comments.us1.gigya.com.
July 15, 2014 11:06:45 PM

Yup, someone's added it because it's tracking, not because it's malware...

I'm pretty sure they're one of our ad providers.