Interesting People mailing list archives
more on compromised ad servers?
From: David Farber <dave () farber net>
Date: Fri, 26 Aug 2005 13:55:08 -0400
Begin forwarded message:

From: Daniel Doman <ddoman () panix com>
Date: August 26, 2005 11:00:49 AM EDT
To: dave () farber net
Subject: [IP] compromised ad servers?

This isn't a case of compromised ad servers. It is a case of compromised ad content. It is actually pretty hard to compromise a typical ad server itself because they have limited function and it is completely unnecessary. The ad server serves up a piece of HTML as ad content and it is easy to put exploit code into the ad itself. This is a case of compromised or lax ad trafficking diligence. The ad serving company needs to be careful about whose ads they serve up. Because it is so easy to serve up HTML that can contain an exploit that does bad things (drive-by downloads and other nefarious deeds) the ad serving company really does have a responsibility to police its advertisers and profile the HTML content that they serve to users' browsers.
If you just let anyone willing to pay give you ad content and don't review the content you are asking for trouble.
That's what happened here. Not a compromised server. A bad ad that contained an exploit.
- daniel doman
- ddoman () panix com
  dan () danieldoman com

Begin forwarded message:
From: Esther Dyson <edyson () edventure com>
Date: August 26, 2005 10:03:35 AM EDT
To: Daniel Doman <ddoman () panix com>
Subject: Fwd: [IP] compromised ad servers?

an interesting thing to track down?

Esther

From: David Farber <dave () farber net>
Subject: [IP] compromised ad servers?
Date: Fri, 26 Aug 2005 07:17:27 -0400
To: Ip Ip <ip () v2 listbox com>

Begin forwarded message:

From: Dave Wilson <dave () wilson net>
Date: August 25, 2005 6:59:40 PM EDT
To: dave () farber net
Subject: compromised ad servers?

I visited a mainstream Web site Wednesday and an infected ad server apparently pushed down a bit of malware, asdf.exe. The file was extremely small -- less than 1.6 K -- and appeared to be trying to install some more complex bit of malware, presumably a keylogger.

What fascinated me was that this occurred on a box with all standard security measures in place: Windows XP system (all critical patches installed) using Mozilla Firefox 1.0.6 (latest version, "Allow Web sites to install software" unchecked) and running Norton Antivirus and Norton Firewall, also current and updated. Norton AV didn't even recognize this thing as malevolent; I noticed it after it was inside at c:\asdf.exe clawing frantically at my firewall trying to get back out. Even more amusing, I didn't actually do anything: Didn't click on an advertisement, close a window, etc.

One Web site that was apparently serving up infected ads was The Onion (London's Observer had a similar problem last year). Because this malware is passed along through a compromised ad server, not every visitor will get hit, since the ads rotate each time the page is called up.

Anyway, I've contacted AV vendors, but I'm worried about how widespread this problem is. Google searches turn up people puzzling over similar incidents starting three weeks ago. I'm wondering if IPers can do a file search for "asdf.exe" and report back positive results?
Thanks
-dave

-------------------------------------
You are subscribed as edyson () edventure com
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/

Esther Dyson
Always make new mistakes!
Editor, Release 1.0
CNET Networks
104 Fifth Avenue (at 16th Street)
New York, NY 10011 USA
+1 (212) 924-8800

Personal Health Info Workshop, New York City, Sept 30: http://www.release1-0.com/events/
current status (with pictures!) at http://www.flickr.com/photos/edyson/