more on compromised ad servers?

[David Farber <dave () farber net>]

Begin forwarded message:

From: Daniel Doman <ddoman () panix com>
Date: August 26, 2005 11:00:49 AM EDT
To: dave () farber net
Subject: [IP] compromised ad servers?


This isn't a case of compromised ad servers. It is a case of  
compromised ad content. It is actually pretty hard to compromise  
typical ad  server itself because they have limited function and it  
is completely unnecessary. The ad server serves up a piece of HTML as  
ad content and it is easy to put exploit code into the ad itself.  
This is a case of compromised or lax ad trafficking diligence. The ad  
serving company needs to be careful about whose ads they server up.  
Because it is so easy to serve up HTML that can contain an exploit  
that does bad things (drive by downloads and other nefarious deeds)  
the ad serving company really does have a responsibility to police  
its advertisers and profile the HTML content that they serve to  
user's browsers.

If you just let anyone willing to pay give you ad content and don't  
review the content you are asking for trouble.

Thats what happened here. Not a compromised server. A bad ad that  
contained an exploit.

 - daniel doman -
ddoman () panix com
dan () danieldoman com


Begin forwarded message:

> From: Esther Dyson <edyson () edventure com>
> Date: August 26, 2005 10:03:35 AM EDT
> To: Daniel Doman <ddoman () panix com>
> Subject: Fwd: [IP] compromised ad servers?
>
>
> an interesting thing to track down?
>
> Ehster
>
>
>
> > From: David Farber <dave () farber net>
> > Subject: [IP] compromised ad servers?
> > Date: Fri, 26 Aug 2005 07:17:27 -0400
> > To: Ip Ip <ip () v2 listbox com>
> >
> >
> > Begin forwarded message:
> >
> > From: Dave Wilson <dave () wilson net>
> > Date: August 25, 2005 6:59:40 PM EDT
> > To: dave () farber net
> > Subject: compromised ad servers?
> >
> >
> > I visited a mainstream Web site Wednesday and an infected ad server
> > apparently pushed down a bit of malware, asdf.exe. The file was
> > extremely small -- less than 1.6 K -- and appeared to be trying to
> > install some more complex bit of malware, presumably a keylogger.
> > What fascinated me was that this occured on a box with all standard
> > security measures in place: Windows XP system (all critical patches
> > installed)  using Mozilla Firefox 1.0.6 (latest version, "Allow Web
> > sites to install software" unchecked) and running Norton Antivirus
> > and Norton Firewall, also current and updated. Norton AV didn't even
> > recognize this thing as malovolent; I noticed it after it was inside
> > at c:\asdf.exe clawing frantically at my firewall trying to get back
> > out.. Even more amusing, I didn't actually do anything: Didn't click
> > on an advertisement, close a Windows, etc. One Web site that was
> > apparently serving up infected ads was The Onion (London's Observer
> > had a simlar problem last year). Because this malware is passed along
> > through a compromised ad server, not every visitor will get hit,
> > since the ads rotate each time the page is called up.
> >
> > Anyway, I've contacted AV vendors, but I'm worried about how
> > widespread this problem is. Google searchers turn up people puzzling
> > similar incidents starting three weeks ago. I'm wondering if IPers
> > can do a file search for "asdf.exe" and report back positive results?
> >
> > Thanks
> >
> > -dave
> >
> >
> >
> >
> > -------------------------------------
> > You are subscribed as edyson () edventure com
> > To manage your subscription, go to
> >  http://v2.listbox.com/member/?listname=ip
> >
> > Archives at: http://www.interesting-people.org/archives/ 
> > interesting-people/
>
>
>
> Esther Dyson              Always make new mistakes!
> Editor, Release 1.0
>
> CNET Networks
> 104 Fifth Avenue (at 16th Street)
> New York, NY 10011    USA
>
> +1 (212) 924-8800
>
>
> Personal Health Info Workshop, New York City, Sept 30: http:// 
> www.release1-0.com/events/
> current status (with pictures!) at http://www.flickr.com/photos/ 
> edyson/


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/