
Google DoubleClick Caught Serving Malicious Ad - jeremyjarvis
http://www.wired.com/threatlevel/2010/12/doubleclick/
======
dminor
Someone in our office got hit by this - nod32 didn't stop it. In addition to
hdd plus, the tdss rootkit was installed.

------
throwaway47891
To all of the websites which have maliciously targeted users of NoScript
and/or AdBlock Plus (Ars Technica, I'm looking at you), _now_ do you understand
why there is a segment of your readership which uses such software?!?

Pfft, I doubt you care. Once you serve an ad, the consequences of your
actions are safely ensconced in a Not My Problem field...

~~~
rradu
The business model of many companies is still advertising. You can't blame
them for not being too happy they aren't making money off visitors.

I actually had several visitors on my site email me saying they got a virus
from my site. I immediately ruled out the Google ads thinking there was no way
it could come from there. Still, I felt terrible having allowed my
users be subjected to those ads, and I viewed it as bad business practice too
-- so it definitely didn't fall into a "not my problem" field.

~~~
gregpilling
I have had two of my office computers get hit by this in the past year. At
first I thought the office assistant was going to sites that she shouldn't
have, until I got hit by it while on Autoblog.com which is an AOL site. At
that point noscript and adblock got installed. But there are definitely
bad things coming from ad networks. They are subtle - it may only try to send
the payload every 10 or 20 screen refreshes - but they do send it. It took 10
screen refreshes on Autoblog, for example. This was some months ago, so I
don't know if there is still a problem. The payload for me was the real
looking Windows box that pops up and tells you that you have 20 viruses and to
fix it just send $29.95 to this site and it will all go away.

------
nphase
Nothing new here: this sort of malware slips into ad networks on a regular
basis. This time it just didn't get caught soon enough.

------
alain94040
I'm surprised that running an ad includes the option of including free-form
scripts. What's wrong with animated GIFs, at least these should be safe.

~~~
wan23
The display ad ecosystem these days is very complicated. Displaying one ad
might involve a call to a publisher ad server, an advertiser ad server, an ad
exchange, and a third party ad network. There's no way for the ad servers to
know what kinds of other things need to be called and with what parameters, so
they serve scripts which load scripts that eventually load a creative.

Here's a diagram of what the market looks like right now.
[http://mediamemo.allthingsd.com/files/2010/09/LUMA-display-a...](http://mediamemo.allthingsd.com/files/2010/09/LUMA-display-ad-map.jpg)

------
invisible
Is it funny to anyone else that Wired uses DoubleClick ads in this context?
(And a page was blocked from popping up from another network?)

What I do know is that IE/FF/Chrome all have bugs that can be exploited by
this malware - I see it regularly. While it may also be Adobe's fault at some
junctures, I think with how much of a problem it is the browsers should at
least TRY to detect dubious scripts/PDFs. Mozilla/Google can make their
browser warn of an infected site but they cannot do a quick check on PDF contents
before initiating Reader?

------
cosgroveb
Something similar may have happened to reddit almost a month ago:
[http://www.reddit.com/r/announcements/comments/e7988/a_numbe...](http://www.reddit.com/r/announcements/comments/e7988/a_number_of_reddit_users_have_reported_finding/)

~~~
georgemcbay
Malware ads from Google hit quartertothree.com's forums at least twice over
the past year and a half (the first time was in Jun 2009). Based on searching
around when this happened, lots of forums that only serve Google ads have had
the same experience. I'm surprised anyone is surprised Google is serving up
bad ads because this has been going on for so long.

They do eventually remove the offending ads when you complain about them, but
you'd expect a company of their stature to have better safeguards in place so
this doesn't happen in the first place, but don't hold your breath because
they seem unable or unwilling to fix this.

------
mcav
Two of my housemates got hit by this. But both of them run Chrome regularly.

------
ams6110
doubleclick.net and its brethren are all routed to 127.0.0.1 in my /etc/hosts.

~~~
jackowayed
care to share the whole list?

~~~
ams6110
I just use the hosts file from MVPS.

<http://www.mvps.org/winhelp2002/hosts.txt>

The site is windows-oriented, but it works fine on my Macs and I'd imagine any
*nix platforms as well.

EDIT: note that if you use this as-is, Google ads will stop working for you;
you may want to selectively comment out any ad sites you actually find useful.

~~~
jessor
Also note that it may break the functionality of some sites, e.g. paypal,
since they route login/logout functionality through mediaplex (which I'm still
shocked about).
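
Added example, not part of the thread and not code from the MVPS project: a small Python audit of a hosts-format blocklist, showing that entries match exact names only and how to comment out selected sinkholed names when a site breaks. The sample entries and all function names are constructed for illustration.

```python
# Constructed sample in hosts-file format (not copied from the MVPS list).
SAMPLE_HOSTS = """\
# constructed excerpt for illustration
127.0.0.1  localhost
127.0.0.1  doubleclick.net
127.0.0.1  ad.doubleclick.net   # inline comment
0.0.0.0    mediaplex.com
0.0.0.0    ads.example.net tracker.example.net
192.0.2.10 intranet.example.org
"""

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1", "::"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_line(line):
    """Return (address, [names]) for an entry, or None for blank/comment lines."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 2:
        return None
    return fields[0], [n.lower().rstrip(".") for n in fields[1:]]


def sinkholed(hosts_text):
    """Names that the file points at a loopback/null address."""
    blocked = set()
    for line in hosts_text.splitlines():
        entry = parse_line(line)
        if entry and entry[0] in SINKHOLES:
            blocked.update(n for n in entry[1] if n not in LOCAL_NAMES)
    return blocked


def is_blocked(name, blocked):
    """Hosts files have no wildcards: only an exact name match is blocked."""
    return name.lower().rstrip(".") in blocked


def allow(hosts_text, names):
    """Comment out the sinkhole entries for `names`, keeping all others."""
    wanted = {n.lower().rstrip(".") for n in names}
    out = []
    for line in hosts_text.splitlines():
        entry = parse_line(line)
        hit = [n for n in entry[1] if n in wanted] if entry and entry[0] in SINKHOLES else []
        if not hit:
            out.append(line)
            continue
        rest = [n for n in entry[1] if n not in wanted]
        if rest:
            out.append(f"{entry[0]}  {' '.join(rest)}")
        out.append(f"# allowed: {entry[0]}  {' '.join(hit)}")
    return "\n".join(out) + "\n"
```

Because matching is exact, a subdomain that is not listed still resolves normally; covering a whole domain and its subdomains needs a rule at the DNS resolver rather than in the hosts file.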

------
jrockway
Why do browsers not block ads by default?

~~~
tomjen3
Chrome is Goggles browser, FireFox gets money from Goggle and Microsoft would
risk an anti-trust law suit.

~~~
chrisbroadfoot

      s/Goggle/Google/
    

I wouldn't want my browser to block _anything_ by default. There are plugins
for this, if you want it.

~~~
jrockway
They already block invalid SSL certificates and phishing/malware sites. Why
not ads, too?

