Proactive IT Security
 

Web advertisements - a significant spreading vector for malware

Introduction

Website advertising is an expanding industry. Several of the websites we visit every day, for leisure or as part of our work, rely on advertisements for a major part of their owners' income. Online newspapers and other magazines, search engines and information resources of other kinds are obvious examples. Unfortunately, website advertising is also a substantial spreading vector for malicious software.

Website advertising in general

The most common technique used in website advertising is that the advertisement seen on a web site is hosted on a server managed by another company. This company may be the owner of the product or service that the ad attempts to sell, or it may be a company that specializes in providing advertisements, an "ad broker".

What is relevant from this article's point of view is that the advertisement is not hosted on the web server(s) where it is displayed. To display such an advertisement, the owner of the web site where it is supposed to appear must therefore normally allow third-party items (the ad itself) to appear.

Exactly how this is accomplished may vary and is not the topic of this article. The point we will make here is that the organization or person responsible for a web site must allow content from another source.

Potential vulnerabilities outside one's control

The result is the familiar one: a chain is only as strong as its weakest link.

No matter how secure a web site is, and regardless of the mechanisms the person responsible for security may use to secure "his own" web site, if an object available from that site is compromised, visitors to the "secure" site may be in danger.

Malicious advertisements may appear in various forms. Some examples are:

  • Flash advertisements that exploit vulnerabilities in unpatched versions of browser plug-ins for Flash,
  • Banner images that link to malicious web sites (pretending to be legitimate),
  • Banner images that download malicious software when clicked.

Third-party web sites providing malware

These may be separated into two different groups.

Malicious sites by intent

This is the rare version. An advertisement provider that intentionally sets up a system that places malicious advertisements on legitimate web sites will not stay in business for long.

This type is probably relevant only for some kinds of time-limited, targeted attacks.

Compromised (innocent) sites

It is in this group that the majority of malicious advertisements have their origin. If a person with malicious intent has managed to compromise a server, she may be able to change, at will, the content of the advertisements as well as the links from the ads. The sneakier attacker will probably display the legitimate advertisement to start with (for example during testing and verification), and later substitute her malicious version.

Countermeasures

Those responsible for web sites can take some steps to avoid becoming a victim of malicious advertisements as discussed above:

  • Stop offering advertising space on the web site, which is not a viable option in most cases.
  • Test the advertisements thoroughly, which may reveal some attempts to place malicious advertisements.
  • Only accept advertisements from companies and organizations that have trusted security systems, which will make a web site less vulnerable.

In general, however, making third-party web objects available from your own web site is a security risk.
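One-time testing misses the substitution described under "Compromised (innocent) sites", so the testing countermeasure can be extended with a re-check against the approved version. The following Python code is an added example, not part of the original article; the function names, the sample creatives and the hosts (shop.example, shop-offers.test) are constructed for illustration.

```python
import hashlib
from urllib.parse import urlparse

def fingerprint(body, content_type, links):
    """Reduce one fetched creative to the properties pinned at approval time."""
    targets = set()
    for url in links:
        parts = urlparse(url)
        host = parts.hostname if parts.scheme in ("http", "https") else None
        # Keep non-web links (javascript:, data:, relative) visible, not dropped.
        targets.add(host or f"{parts.scheme or 'relative'}:")
    return {
        "sha256": hashlib.sha256(body).hexdigest(),
        "content_type": content_type.split(";")[0].strip().lower(),
        "targets": targets,
    }

def drift(baseline, observed):
    """List the ways an observed creative differs from the approved baseline."""
    findings = []
    if observed["content_type"] != baseline["content_type"]:
        findings.append(f"content type {baseline['content_type']} -> {observed['content_type']}")
    if observed["sha256"] != baseline["sha256"]:
        findings.append("creative bytes differ from the approved version")
    for target in sorted(observed["targets"] - baseline["targets"]):
        findings.append(f"new click-through target {target}")
    return findings

def recheck(baseline, fetches):
    """Compare each later fetch to the baseline; return {label: findings} for drifted ones."""
    report = {}
    for label, body, content_type, links in fetches:
        findings = drift(baseline, fingerprint(body, content_type, links))
        if findings:
            report[label] = findings
    return report

# Constructed sample data: the creative as approved, then three later fetches.
APPROVED = fingerprint(b"GIF89a-constructed-banner", "image/gif", ["https://shop.example/offer"])
FETCHES = [
    ("day 1", b"GIF89a-constructed-banner", "image/gif", ["https://shop.example/offer"]),
    ("day 9", b"GIF89a-constructed-banner", "image/gif", ["https://shop-offers.test/offer"]),
    ("day 12", b"MZ-constructed-download", "application/octet-stream", ["https://shop.example/offer"]),
]

if __name__ == "__main__":
    for label, findings in recheck(APPROVED, FETCHES).items():
        print(label, findings)
```

In practice the fetches would come from periodically requesting the ad slot the way a visitor's browser does. A campaign that legitimately rotates creatives needs one baseline per approved version.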

The average web user may use ad blockers and/or script blockers to improve overall security, including protection against becoming the innocent victim of malicious advertisements placed on compromised web sites.