Google's DoubleClick and Microsoft's MSN were found to be offering up malicious ads.  (Source: Armorize)
Whoops, sorry guys... those ads were actually malware

Google's advertising subsidiary DoubleClick and Microsoft’s MSN ads service both have admitted to falling for a clever scheme by some nasty black hat hackers.  Malicious banner ads for both services were found to be trying to perform drive-by download exploitation and install malware on users' machines. 

As with many great (or terrible) episodes of computer crime, a key component was clever social engineering.  Hackers created a site called ADShufffle.com -- one letter away from ADShuffle.com, a major online advertising technology firm.  Apparently that was enough to get the ads through screeners at Microsoft and Google. 
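An added example, not from the article or from Armorize: a screening check that flags a creative's script host such as ADShufffle.com as a near-match of a vendor the screener already trusts. The vendor list, function names and sample hosts are constructed for illustration, and treating the last two labels as the registrable domain is a simplifying assumption.

```python
import re

# Constructed allow-list of ad-tech domains a screener already trusts.
# adshuffle.com is the firm named in the article; the last entry is a placeholder.
KNOWN_VENDORS = ["adshuffle.com", "doubleclick.net", "example-adnetwork.com"]


def registrable(host: str) -> str:
    """Lower-case a host name and keep its last two labels.

    Assumption: good enough for .com/.net style names; production screening
    should consult the Public Suffix List (co.uk and similar suffixes).
    """
    labels = host.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def squeeze(name: str) -> str:
    """Collapse runs of a repeated character: 'adshufffle' -> 'adshufle'."""
    return re.sub(r"(.)\1+", r"\1", name)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) with a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(host: str, max_distance: int = 2):
    """Return (verdict, matched_vendor) for the host a creative loads script from."""
    domain = registrable(host)
    if domain in KNOWN_VENDORS:
        return ("known", domain)
    for vendor in KNOWN_VENDORS:
        # Doubled or tripled letters are the trick described in the article.
        if squeeze(domain) == squeeze(vendor):
            return ("lookalike", vendor)
        # Catch other small edits (one or two characters changed, added, dropped).
        if edit_distance(domain, vendor) <= max_distance:
            return ("lookalike", vendor)
    return ("unknown", None)


def screen(hosts):
    """Map every host that is not an exact known vendor to its verdict."""
    results = {h: classify(h) for h in hosts}
    return {h: v for h, v in results.items() if v[0] != "known"}


if __name__ == "__main__":
    # Constructed sample of script hosts pulled from submitted creatives.
    sample = ["ad.doubleclick.net", "cdn.ADShufffle.com", "static.unrelated-site.org"]
    for host, (verdict, vendor) in screen(sample).items():
        print(f"{host}: {verdict}" + (f" of {vendor}" if vendor else ""))
```

A "lookalike" verdict is a reason to hold the creative for manual review, since a near-match of a trusted name is exactly the case where a human screener is most likely to wave it through.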

Security firm Armorize appears to have been the first to notice the attack.  Wayne Huang, chief technology officer of Armorize, details the unusual incident in a blog post, writing:

Users visit websites that incorporate banner ads from DoubleClick or rad.msn.com, the malicious javascript is served from ADShufffle.com (notice the three f's), starts a drive-by download process and if successful, HDD Plus and other malware are installed into the victim's machine, without having the need to trick the victim into doing anything or clicking on anything. Simply visiting the page infects the visitors. 

Known sites affected: Sites that incorporate DoubleClick or rad.msn.com banners, including for example Scout.com (using DoubleClick), realestate.msn.com, msnbc.com (using both), and mail.live.com. We'd like to note here it's very possible that multiple exchanges, besides those listed here, have been serving the fake ADShufffle's ads.

For all their ingenuity, the attackers used pretty standard exploitation packages, including Neosploit and the Eleonore exploit kit.  Both kits are popular among black hat hackers, but also among security experts who purchase them to battle-test the security of corporate systems.

The latest attack used JavaScript exploits to begin a download procedure, which was triggered when users visited a page that was serving the compromised banner ads.  The ad service would then request the code for the ad from the hackers' servers, initiating the attack.

A Google spokesperson said that the ads were only up for a very brief time and have since been terminated.  The company is now investigating the incident.  Microsoft did not release a statement, but is likely taking similar measures.

The incident is not Google's first brush with malware advertising.  Previously, malicious hackers were found to be leveraging Google's AdWords service.  In that case as well, the key to the criminals' success was using legitimate-looking links.




RE: Meh
By Luticus on 12/13/2010 3:00:29 PM , Rating: 1
What on earth are you guys doing with technology that freaking old?

Pre win xp is 10+ years ago, if you've still got stuff kicking around from that long ago then your company isn't taking technology or keeping up with the times very seriously.

I know it's expensive and hard to get old software to work on newer platforms or rewrite and convert and such but my GOD... windows 3.x... Really?

If you're running software/hardware that old then you deserve what you get. Anything pre windows xp/2000 shouldn't even be "online" anymore in a corporate environment due to security concerns and the fact that it isn't supported anymore.

Companies like this should have been more proactive about coming up with solutions and upgrade paths for these things a LONG time ago. It's not ms's fault nor the fault of anyone else that they backed themselves into a tech hole.

I don't know what your solution is because I don't know the nature of your business and what your company requires, but what I can say is that someone should have been working on an upgrade path/solution a long time ago.


RE: Meh
By Solandri on 12/13/2010 4:04:31 PM , Rating: 2
quote:
Pre win xp is 10+ years ago, if you've still got stuff kicking around from that long ago then your company isn't taking technology or keeping up with the times very seriously.

I know it's expensive and hard to get old software to work on newer platforms or rewrite and convert and such but my GOD... windows 3.x... Really?

The purpose of a company is to conduct whatever business they run, not to keep their computers up to date. If the computer upgrade will help the business, then it happens. Otherwise, if an old computer/OS does what's needed, there's very little need to upgrade it other than security concerns. I've seen small businesses still using Win 3.1 and DOS systems to run crucial apps (usually tied to a piece of hardware which still does what they need just fine). I don't touch those. Maybe blow the dust out and see if I can find them some spares to keep on hand in case a memory chip dies or something.
quote:
Anything pre windows xp/2000 shouldn't even be "online" anymore in a corporate environment due to security concerns and the fact that it isn't supported anymore.

You've never run a business, have you? If you buy something, you plan for it lasting a certain number of years. But if after that time it's still working without giving you problems, you keep right on using it. Paying to replace equipment which is still doing its job just fine is a needless waste of money. That "it isn't supported anymore" isn't even a factor. You plan for its failure and replacement, but you don't pull the trigger until you need to or it becomes advantageous to do so.

Yes up-to-date software is always desired by IT staff. But the IT staff exists to help the company conduct its business, not the other way around. The rapid upgrade cycle of software is more a consequence of computer hardware improving so quickly, rarely because of older software failing, or newly needed or desired capability being added to the software. Security is probably the main (sometimes only) reason to upgrade, and I'd bet most businesses out there would just prefer it if software companies would support their old releases for longer, instead of pumping out new releases with more features more quickly.


RE: Meh
By Luticus on 12/13/2010 4:35:35 PM , Rating: 2
quote:
The purpose of a company is to conduct whatever business they run, not to keep their computers up to date...
Then as I stated before, "they deserve what they get".

quote:
Paying to replace equipment which is still doing its job just fine is a needless waste of money. That "it isn't supported anymore" isn't even a factor.
This logic right here is a fine example of why there are so many viruses plaguing our internet. I'm not suggesting you run out and buy new stuff the second it comes out, but come on... once something is pushing 10 years old I think it's time to consider an update. Sure something (like printers) can last forever, but if it forces you to keep computers that are still on 98/95 around it's worth the money to upgrade because a network is only as secure as its least secure system. Besides, any company with a sizable amount of computers should be on a 3 year LEASE! You cycle 1/3rd of your computer inventory every year. This way you mitigate costs and still have hardware that's at most 3 years old. Everywhere I've ever worked (with more than 200 machines) has done it this way.

quote:
and I'd bet most businesses out there would just prefer it if software companies would support their old releases for longer

There are two issues I have with this statement. First is that software companies need to make money too. They do this by releasing new software every-so-often. Second, sometimes improved security requires a heavy architecture change to the software which would require a near complete rewrite (hence xp -> vista growing pains). Changing the entire architectural design of your software requires a new release because software engineers need to be paid to do that kind of heavy modification. It's easy to simply say that software company should lengthen support cycles but in a lot of ways it's highly impractical to do this and not just because of corporate greed. MS has a 10 year support cycle for god sakes. How long is too long... where's the line?

You can say whatever you want about how hard and impractical it is to keep up with technology all you want. All I'll do is say they get what they deserve. It's expensive to do engine maintenance on a car but if I let the timing chain break what's the mechanic going to say... "you get what you deserve" sounds about right to me.

quote:
Yes up-to-date software is always desired by IT staff.

For good reason too... perhaps if IT was heard network security would be top notch and nothing would ever break. We wouldn't have down time because "the stupid computers not working again" or "the servers are all from the stone age so they're slow". The vast majority of the business world is all done via computers these days. Logic should dictate that you'd want to keep them top notch so as to not lose valuable time fixing them when crap inevitably hits the fan.

My $0.02


RE: Meh
By angryplayer on 12/14/2010 12:34:29 AM , Rating: 2
Your budget is X. IT wants Y, sales wants Z. If Y+Z > X, subtract W from Y+Z so that X = Y+Z. Now which department do you think is going to have to subtract W? Financially speaking, Sales brings in money and IT departments just consume resources. The ROI of computers and networks is the intangible concept of productivity. Everyone tries to assign numbers to productivity, but how do you really measure productivity gained? So the people with the purse strings loosen them just enough so that IT's budget is typically on the border between screaming and grumbling, then just plug their ears.

This is why we can't have nice things. Most ITers like you don't know to just scream louder or straight up lie (Project A is impossible without more budget). The smallest hint of 'not impossible' and the purse strings tighten and are sealed in a locked box. And guarded with tasers and other painful things.


RE: Meh
By Luticus on 12/14/2010 10:05:52 AM , Rating: 2
quote:
The smallest hint of 'not impossible' and the purse strings tighten and are sealed in a locked box. And guarded with tasers and other painful things.
LOL, this couldn't be more true!


RE: Meh
By Solandri on 12/14/2010 5:02:31 AM , Rating: 2
quote:
This logic right here is a fine example of why there are so many viruses plaguing our internet.

Viruses plague the Internet because users don't care enough about security. Most of the companies I've seen using old computer hardware know it's a weak spot, and do what they can to isolate it and shield it. But they can't control a night security guard deciding to use it to browse the web instead of doing his rounds.

quote:
I'm not suggesting you run out and buy new stuff the second it comes out, but come on... once something is pushing 10 years old I think it's time to consider an update.

That is my point. You're arguing for an update merely because of age. If the computer still does its job well after 10 years, its age is not going to be adequate reason for a company to want to update it. Every company I've worked for has been short of money. Not going bankrupt mind you, but the number of projects and teams asking for money far exceeds the amount of money that's available. You do not spend money on upgrading something that is working just fine just because it's old. You spend the money upgrading because it gives you a measurable advantage over the old system.

quote:
There are two issues I have with this statement. First is that software companies need to make money too. They do this by releasing new software every-so-often.

Just because you need to make money doesn't mean you can or should. You make money by offering a product the customer thinks they need, not by forcing them to take what you think they need. If the customer only needs software updates once every 5 years, then that is what the market should bear. Forcing them to upgrade every 3 years with premature obsolescence is shady and IMHO downright unethical. It's like those printer ink cartridges which are programmed to stop working after you print x pages even though there's still plenty of ink left in them.

quote:
Second, sometimes improved security requires a heavy architecture change to the software which would require a near complete rewrite (hence xp -> vista growing pains). Changing the entire architectural design of your software requires a new release because software engineers need to be paid to do that kind of heavy modification. It's easy to simply say that software company should lengthen support cycles but in a lot of ways it's highly impractical to do this and not just because of corporate greed.

I grew up working with Unix systems, so I'm a bit unsympathetic to Microsoft's growing pains. A lot of stuff which Unix got right from the beginning, Microsoft decided wasn't important enough to use in DOS or early versions of Windows. And they got burned by those decisions.

If the software company screwed up, why should their customers have to pay for it? The pain from screwing up is what teaches a company not to screw up like that again in the future. Completely shifting that pain to the customers and in fact using it as a money-making opportunity is not conducive to market growth and technological progress.

quote:
For good reason too... perhaps if IT was heard network security would be top notch and nothing would ever break.

That's a very narrow and IT-centric view of how to run a business. As I said before, when you run a business, you have competing demands for a limited supply of money. Everyone would like to get enough funding so that the departments they run would be top notch and nothing would ever break. But if you gave each department enough money to do that, your product would have to be priced so high to recoup those costs that everyone will buy your competitors' products, and you'll go out of business.

Business is about getting the most you can out of the least amount of money. The narrow gap between spending just enough money that things don't go to hell, but not spending enough money that the job becomes easy enough that you can kick back and relax - that gap is where you generate the most productivity for least cost. You need to aim for that gap if you become a successful, competitive business.

quote:
The vast majority of the business world is all done via computers these days. Logic should dictate that you'd want to keep them top notch so as to not lose valuable time fixing them when crap inevitably hits the fan.

No, logic dictates you design the computer system so no worker is reliant on a single computer. If someone's computer goes down, you immediately swap in a replacement so they can get back to work with little to no downtime. IT then deals with the broken computer, either fixing it or salvaging usable parts from it to fix other broken computers.

Your server is where you spend the big bucks to maintain 99.999%+ uptime.


RE: Meh
By Luticus on 12/14/2010 9:59:40 AM , Rating: 2
quote:
But they can't control a night security guard deciding to use it to browse the web instead of doing his rounds.
With group policy and computer security techniques, yes they absolutely can.

quote:
You're arguing for an update merely because of age.
First, I'm not arguing for an update at all. I'm merely saying that if you get hit by a virus or drive-by malware when an updated technology/version of the software you're running would have prevented it then that's your fault. That's all I'm saying. I simply think that people should do a better job of keeping up (to some degree) with technology. But I'm not actually suggesting anything as far as purchases go. Basically it boils down to: you can't blame software vendors because your stuff is out of date.

quote:
If the customer only needs software updates once every 5 years, then that is what the market should bear.
See, you're assuming that everyone needs the same thing. Software companies have to cater to a lot of different people with many different needs. Personally I like the progression of technology.

quote:
I grew up working with Unix systems, so I'm a bit unsympathetic to Microsoft's growing pains...

Yes unix did do a lot right but they also did a lot wrong. This is why unix is universally regarded as significantly harder to use than windows systems and there is some truth to that. A lot of linux distributions today are rectifying this situation some but linux/unix systems are still a far cry from windows on the customer friendly front. This is why a lot of people actually like osx, because it brings a unix-esque system to the table and mixes it with easy. Unfortunately they also castrated one of unix/linux's best features, its customization capabilities. And they introduced a little tyranny to the mix as well.

quote:
That's a very narrow and IT-centric view of how to run a business.
I'm not suggesting that companies hang on the every word of what some nerd in their back room is preaching. I'm simply saying that if companies worked with their IT staff to heed some of the warnings and deploy things that are "future ready" or get on a good upgrade path then things would be better.

quote:
The narrow gap between spending just enough money that things don't go to hell
If you're still running win 3.1 or even 95/98 it's fairly safe to say that you've missed this "gap". Again I'm not saying that everyone gets on the newest tech the day it comes out or even that they upgrade every other year. I'm saying plan out an upgrade path and take steps to keep your company's technology at least in the same decade.

quote:
If someone's computer goes down, you immediately swap in a replacement so they can get back to work with little to no downtime. IT then deals with the broken computer, either fixing it or salvaging usable parts from it to fix other broken computers.
There's a little bit of truth to this but it's not entirely accurate. Tech departments typically do keep reserve systems and streamlined image processes so that they can quickly deploy new systems to prevent downtime but the systems they reclaim are either shipped off under warranty or they are disposed of because they are out of warranty. On a 3 year lease system everything is constantly under warranty and when something goes out of warranty it's automatically scheduled to be replaced in the refresh anyway. So yes, you do drop in new systems (even new stuff can break) but there is no scavenging for parts. Everything is shipped back to the company it came from and a replacement is sent back.

This is the way the county government does it, this is the way every other company I've worked for did it, this is the way colleges do it, and if I were running my own company it's the way I'd do it. I recommend nothing less.

Now don't get me wrong, I'm not suggesting that every company do this as not all companies are the same or have the same needs. What I'm saying is that if you get burned because you're running on technology from the 90's that's your fault and you're to blame. That's all.

Well I must say this has been a fun and interesting debate. I've enjoyed myself.

quote:
Your server is where you spend the big bucks to maintain 99.999%+ uptime.
agreed.


RE: Meh
By knedle on 12/14/2010 4:08:08 AM , Rating: 2
It may be surprising for you, but most ATMs run on Windows NT 4.0, or Windows 2000. Even in many banks they still use those "outdated and bad technologies", (meaning OS/2 Warp, Windows NT, or 2000) because they are more secure than anything new. And security isn't only about "hey it's shiny and cool, even can run apps in Windows 3.1 mode, it must be secure then".


RE: Meh
By Luticus on 12/14/2010 8:21:52 PM , Rating: 2
Since when do you surf the internet on an ATM? Most ATMs have fairly limited input which are, for the most part, closed systems. The operating systems they run are all stripped down "embedded" versions anyway. It's not exactly the same.


RE: Meh
By mindless1 on 12/16/2010 3:54:57 AM , Rating: 2
"What on earth are you guys doing with technology that freaking old?"

Because it's retarded to change something that still works just because someone else (who doesn't know your business) suggests you *Must* benefit more from doing what they feel is best for them personally.

You are incorrect in thinking it is not "serious" to do what works. Quite a few tasks do not require whatever buzzwords that tech geeks like to throw around.

If you have a system set up for a particular task and it does the task fine on Win3, it is senseless, counterproductive, expensive, and often harmful (downtime) to switch it over for no reason. You *suppose* there are reasons, but in reality the company knows their business, knows newer OS exist, knows best whether they benefit from switching things around or staying with what they have, if it works ok for them.

Actually, fewer WinME and older system exploits are targeted today than XP and newer, and you should note that nowhere was it mentioned that these systems need to be used to surf websites. A Win98 box that doesn't have anything but its required ports open, behind a corporate firewall, is far more secure than anything (including Linux, Win7, you name it) used as a general purpose all in one entertainment system on the web.

Nobody is backing themselves into a tech hole. You fail to realize that when a box is deployed it is necessarily made secure and once it is, there is no need to change it.

By implying it needs changed, you are conceding that you don't think they can be secure, acknowledging that you were running insecure boxes the whole time other people weren't until you switched to the next magically secure OS, which you later found insecure, so you switched to the next magical OS, which again you find insecure, so switch to the next and so on.

Time to get off the treadmill and learn how to do security. And manage an IT budget.

Copyright 2014 DailyTech LLC.