From: Esther Dyson <edyson@xxxxxxxxxxxxx>
Date: August 26, 2005 10:03:35 AM EDT
To: Daniel Doman <ddoman@xxxxxxxxx>
Subject: Fwd: [IP] compromised ad servers?
an interesting thing to track down?
Esther
From: David Farber <dave@xxxxxxxxxx>
Subject: [IP] compromised ad servers?
Date: Fri, 26 Aug 2005 07:17:27 -0400
To: Ip Ip <ip@xxxxxxxxxxxxxx>
Begin forwarded message:
From: Dave Wilson <dave@xxxxxxxxxx>
Date: August 25, 2005 6:59:40 PM EDT
To: dave@xxxxxxxxxx
Subject: compromised ad servers?
I visited a mainstream Web site Wednesday and an infected ad server
apparently pushed down a bit of malware, asdf.exe. The file was
extremely small -- less than 1.6 K -- and appeared to be trying to
install some more complex bit of malware, presumably a keylogger.
What fascinated me was that this occurred on a box with all standard
security measures in place: Windows XP system (all critical patches
installed) using Mozilla Firefox 1.0.6 (latest version, "Allow Web
sites to install software" unchecked) and running Norton Antivirus
and Norton Firewall, also current and updated. Norton AV didn't even
recognize this thing as malevolent; I noticed it after it was inside
at c:\asdf.exe clawing frantically at my firewall trying to get back
out. Even more amusing, I didn't actually do anything: Didn't click
on an advertisement, close a window, etc. One Web site that was
apparently serving up infected ads was The Onion (London's Observer
had a similar problem last year). Because this malware is passed along
through a compromised ad server, not every visitor will get hit,
since the ads rotate each time the page is called up.
Anyway, I've contacted AV vendors, but I'm worried about how
widespread this problem is. Google searches turn up people puzzling
over similar incidents starting three weeks ago. I'm wondering if IPers
can do a file search for "asdf.exe" and report back positive results?
Thanks
-dave
Esther Dyson Always make new mistakes!
Editor, Release 1.0
CNET Networks
104 Fifth Avenue (at 16th Street)
New York, NY 10011 USA
+1 (212) 924-8800
Personal Health Info Workshop, New York City, Sept 30: http://www.release1-0.com/events/
current status (with pictures!) at http://www.flickr.com/photos/edyson/