OFFICIAL SECURITY BLOG

Oh, the Sites You Will Never See

May 20, 2013 | BY

Staying safe online requires more than just avoiding web-sites that look untrustworthy. These days, you might be redirected and/or infected with malware by the advertisement banner showing on a legitimate webpage.  To counter this kind of threat, we at Malwarebytes tend to block entire advertiser networks in an effort to prevent our users from being a victim of malicious advertisements or malvertising.  The purpose of this blog post is to explain exactly why you might see pop-ups from our Website Blocking function on a site that you thought you trusted.

IPBlocking

What you would see

Before we get into malicious advertisements and Ad networks, let us talk about how and when you might come across a blocked advertisement.  First, if you have been using Malwarebytes Anti-Malware PRO for a while, then you might have seen a notice. like the one above, appear while you were surfing legitimate web-sites.  If you were confused or frightened by this, don’t worry, it doesn’t mean that the web-site you are on is malicious.  What it means is that just the advertisements inserted into the web-site might be malicious.

Take for example:

  • You navigate to your favorite website CoolStuffFeed.com to check out the latest news
  • When your page loads up, you see a notice from Malwarebytes Anti-Malware informing you that it is blocking a potentially malicious website
  • You freak out and never visit CoolStuffFeed.com again

What actually happened here is that while you navigated to CoolStuffFeed.com when the notice appeared, it was actually the advertisement provider used by CoolStuffFeed.com that is being blocked for malicious content.  Malwarebytes detected the IP address of the Ad network and its association with malicious ads circulating through websites of its customers. Let us call the advertisement network “BadAd Network.”  Therefore:

  • CoolStuffFeed.com hired BadAd Network to provide advertisements to the sites main page to make some money
  • BadAd network is known by Malwarebytes to host malicious advertisements so our product blocked any advertisement traffic from our users
  • You, the customer, will see a notice from us about something malicious happening on CoolStuffFeed.com
  • In reality, we are blocking advertisements from BadAd Network that are trying to show up in your browser when you visit CoolStuffFeed.com.
  • You will not be blocked from viewing CoolStuffFeed.com at all and should have no problems reaching the content that you want to see, sans some of the advertisements.

Malicious code from Ad networks might be present in pop-ups or advertisement banners. When the banners attempt to load or the pop-up attempts to navigate to the malicious website, we block it before it has a chance to cause any damage to your system.

Malvertisements

Advertisements that not only look legitimate but also contain malicious code in an effort to infect systems with malware are known as a malvertisements. Cyber-criminals use malvertisements to try to spread their malware to a greater audience of users by submitting them to online advertisement networks that will show the malicious ad on numerous trusted websites.  The ad networks are usually not aware of the cyber criminal’s intent and approve non-malicious ads submitted by the criminals initially.  Once the ad is approved, however, the cyber criminals switch out the legitimate ad for the malicious one, right under the noses of the ad networks.

The networks fail to check modifications made to the advertisements and therefore allow the Malvertisments to be shown on their customers’ webpages. The ad networks also quickly cycle through different advertisements with each view of the customer web-page. The dynamic scrolling of ads makes it difficult not only to flag the existence of a malvertisement circulating on a network but also identifying which advertisement is the culprit!

So now that you know what malvertisements are, you may ask, why doesn’t Malwarebytes Anti-Malware just block the URL of the malicious code rather than the actual ad network? Well, we do, but sometimes that is not enough, because malicious ads have a tendency to change often to avoid detection and use different URLs in the operation of their attacks.

We flag networks that are known by us to host Malvertisments (intentionally or not) as malicious because of their unsafe practices of not doing regular quality assurance checks on the advertisements they are circulating. This, in combination with finding numerous malicious advertisements circulating on their networks and spreading malware, forces us to block not only the malicious advertisements but also the advertisement networks entirely.

Why we block

In order to ensure our users are protected from drive-by advertisement malware, we sometimes block advertisement networks that have a history of allowing malvertisements on their networks.  We, of course, stay in constant communication with the ad networks and inform them of the malicious ads, and sometimes they do something about it; other times they do not.

So since we are blocking the ad network, we are most likely going to be blocking legitimate ads that are in circulation, and as a user of our website-blocking feature in Malwarebytes Anti-Malware PRO, you might see something like the notice above show up from time to time, even when visiting a legitimate web-site. Don’t worry: every time you see that, it doesn’t necessarily mean that the website you are on is malicious, it might just be using an Ad network we don’t find safe for our users.

Examples

Here are a few examples of malvertisements in action:

July 2010: TweetMeme.com

  • Malicious Advertisements targeted site visitors after a rogue advertiser spread a malicious advert through y5-media.com.  The result was users redirected to drive-by attack sites that installed fake antivirus malware

April 2010: Facebook Farm Town Game

  • An advertisement served on a popular Facebook game was delivering Rogue AV software, claiming that the users system had been infected with malware and their product could help them

May 2012: Malvertisements found on Blogger Website

  • Adverting network, Clicksor, was found serving malicious advertisements to users of a Blogger website leading to the BlackHole Exploit Kit

As you can see, Malvertising happens all the time; and while the effort from the community to fight these attacks has advanced greatly over the last few years, the threat is far from gone.

Am I protected

If you are one of the many users of Malwarebytes Anti-Malware PRO, then you are likely already protected with our product. To double-check if you are, though, simply right click on the Malwarebytes Anti-Malware icon in your notification icon bar (opposite from your Start Menu button) and look for Website Blocking.

Menu

If you observe that the option for Website Blocking is already checked, you are good to go. If you do not, I HIGHLY recommend that you select it in order to activate that protection feature. We are very strict and prudent when we decide to blacklist a certain website so that our users are protected without blocking their access to the Internet.

Extra protection

Even if you do not use Malwarebytes Anti-Malware PRO and therefore are not receiving the benefit of our website blocking protection, there are other ways to keep you safe. One of these ways is to use ad-blocking software for your browser. This software will ensure that no advertisements reach you, regardless of where they come from.  This is a great way to not only fend off potential malvertisement attacks but also to help you avoid clicking on things like fake download buttons or “special offers.” These types of scams exist in mass amounts and are generally delivered to the user through advertisements and pop-ups.

A little while ago, we posted two blogs that discuss the threats behind advertisements. The first one, “Pick a Download, Any Download”, examines advertisements that display false download buttons on download pages. The second blog “PDAD: Part 2” , goes into detail to explain various methods of installing ad blocking software for your browsers to keep yourself safe from those scams.

Conclusion

In my opinion, malicious advertisements are the most dangerous threat online right now, mainly because you can do everything right as far as safe surfing, but they still might find you.  The best defense is always to arm yourself with as much protection as you can.  Updating Java (or disabling Java in your browser), Flash, your browser and operating system are all great ways to stay ahead of the curve: however, for everything else, using antivirus or anti-malware applications as well as ad-blocking software can keep you well protected against the waves of cyber-attacks headed your way every single day.  Thanks for reading, and stay safe!


  • http://www.facebook.com/bill.mcdowell.18 Bill McDowell

    When right clicked on icon. Website Blocking not checked. When try to click to check Website Blocking – box disappears. How do I do it?

  • jay d.

    I like Malwarebytes and have the free edition. I got it because my AV service recommended it. So, after awhile I signed up for a trial with the paid Pro version. Unfortunately, MBytes and ESET AV are not compatible. I had all sorts of problems and had to uninstall and reset lots of settings, and I’m not sure even now I got them all. If Malwarebytes ever comes up with a compatible version, I’ll try again as I really like MB.

  • Cecile Nguyen

    Hi Jay, there is no conflict between the two programs. Here’s a link on how to make exclusions if you need to: http://forums.malwarebytes.org/index.php?showtopic=119429

  • https://www.facebook.com/sonalee.singhs Sonali Singh

    I tried with Malwarebytes and i liked it. But since few months i am using TotalWebSecurity Web Protection Tool. This is very Useful web protection tool and tws Scans your website at regular intervals to determine if hackers have injected malicious code on your site. If anything suspicious found this will detect the malware even before Google knows about it and backlists your site.

    http://www.totalwebsecurity.com

  • justgary

    My issue with web site blocking is that there is no ability to excluse a single website or a list of wensites. So, because the program believes the website may contain malicious material, it will not let me use it. In my case, I use a website in a legitimate fashion that I know does not download malicious material but Malwarebytes wants to block it. The only way for me to use the site is to uncheck the web protection box. By doing so, I unchecked it for all sites. I would appreciate it if Malwarebytes allows the users to have a list of sites the user deems safe to use so that they can protect from other sites but be free to use the sites they want.

  • Pingback: Malvertising and the joys of online advertising | Malwarebytes Unpacked

  • Pingback: Beware of Risky Ads on Tumblr | Malwarebytes Unpacked