According to a third-quarter report from anti-malware firm Dasient, drive-by-downloads and rogue anti-virus schemes are the most popular methods of malware distribution. More than 1.2 million websites were infected with malware last quarter, doubling the malware infection rate of the same quarter a year ago. A great example of this occurred last week when Microsoft and Google were handing out cheery holiday advertisements laced with poison in the form of drive-by-download malware.
Cybercriminals managed to trick the world's two largest ad serving platforms, DoubleClick and MSN (rad.msn.com), into serving malware via drive-by download exploits. According to Armorize Technologies, a security solutions firm, the cybercriminals registered a domain that was one letter off from the legitimate ADShuffle.com, and then duped the advertising networks into serving their malicious banner ads.
A victim did not need to click on a malicious ad to become infected, since the attackers exploited known Windows, Adobe and JavaScript software vulnerabilities to start a drive-by-download process on the victim's PC. If the download succeeded, the attacker had control of the victim's computer. A message would then pop up claiming the computer was riddled with malicious software and telling the victim to purchase a license for HDD Plus to fix the problems. Even if the user rebooted, it was too late for the infected PC. Initial detection rates by antivirus vendors were very low, 2 of 42, Armorize wrote in a blog post.
The malicious ads first appeared on Dec. 3 through Google-owned DoubleClick, but ADShufffle kept changing the malware types. On Dec. 10, Armorize confirmed that Microsoft's Hotmail service was serving malicious ads through rad.msn.com. Microsoft's adCenter network, formerly known as MSN adCenter, is the division of MSN responsible for MSN's advertising services. Known Microsoft sites affected by the malvertising attack included mail.live.com, msnbc.com and realestate.msn.com. Target gift card banner ads are one example of the ads that cybercriminals tainted with malware for drive-by-download attacks.
Armorize Chief Technology Officer Wayne Huang warned, "Users visit websites that incorporate banner ads from DoubleClick or rad.msn.com, the malicious JavaScript is served from ADShufffle.com (notice the three f's), starts a drive-by download process and if successful, HDD Plus and other malware are installed into the victim's machine, without having the need to trick the victim into doing anything or clicking on anything. Simply visiting the page infects the visitors."
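The attack hinged on a hostname one character away from the legitimate ADShuffle.com. A defender can catch that pattern on the egress side by comparing every ad-serving host seen in proxy logs against an allowlist using edit distance. The following Python is an added example, not code from Armorize or the article; the log lines, the allowlist and the `flag_lookalikes` helper are all constructed for illustration.

```python
import re

# Constructed allowlist of ad-serving hosts this organisation expects to load.
KNOWN_AD_HOSTS = {"adshuffle.com", "doubleclick.net", "rad.msn.com"}

# Constructed proxy log lines: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2010-12-10T14:02:11Z 10.0.0.12 GET http://adshuffle.com/banner.js 200
2010-12-10T14:02:12Z 10.0.0.12 GET http://adshufffle.com/load.js 200
2010-12-10T14:02:13Z 10.0.0.15 GET http://rad.msn.com/ad 200
2010-12-10T14:02:14Z 10.0.0.15 GET http://doubleclick.net/ad 200
""".splitlines()

HOST_RE = re.compile(r"https?://([^/\s:]+)")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(host: str, known=KNOWN_AD_HOSTS, max_dist: int = 1):
    """Return the allowlisted host that `host` imitates, or None.

    Exact matches are trusted; anything within `max_dist` edits of an
    allowlisted name but not equal to it is reported as a lookalike.
    """
    h = host.lower().rstrip(".")
    if h.startswith("www."):
        h = h[4:]
    if h in known:
        return None
    return next((k for k in known if edit_distance(h, k) <= max_dist), None)


def flag_lookalikes(lines):
    """Scan log lines and return (observed_host, imitated_host) pairs."""
    hits = []
    for line in lines:
        m = HOST_RE.search(line)
        if m and (target := lookalike_of(m.group(1))):
            hits.append((m.group(1).lower(), target))
    return hits
```

Run over the constructed log, only the three-f domain is reported; raising `max_dist` widens the net at the cost of more false positives on short hostnames.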
Huang said, "We reached out to DoubleClick and in less than a few hours' time they arranged a meeting with a group of their experts on anti-malvertising and incident response. We were very surprised and impressed with the speed that DoubleClick acted. We provided details, and DoubleClick said they were already on top of the issue."
"At the same time, our CEO Caleb Sima received a private email indicating that mail.live.msn, together with other big websites, were serving drive-by downloads via malvertising. We started to investigate other ad exchanges, because it was apparent that ADShufffle.com was able to trick multiple ad exchanges into serving their malicious JavaScript," Huang added.
Microsoft did not respond to my questions before the posting of this article.
That cybercriminals were able to dupe the two largest and most respected ad serving platforms into delivering drive-by downloads shows how quickly the security ecosystem can be poisoned. The attackers used the Eleonore exploit pack and the Neosploit package against known vulnerabilities, delivered through high-profile sites. Although the DoubleClick and Microsoft malvertising episode is over, cybercriminals are registering more domains, and Armorize suspects they will attack other networks as well.
Image Credits: In-Depth Research posted on Armorize Blog
Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. Smith has a diverse background in information technology, programming, web development, IT consulting, and information security. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.
Smith is an independent contractor and is not affiliated with any vendor that makes or sells information technology.