OFFICIAL SECURITY BLOG
May 20, 2013 | BY Adam Kujawa
Staying safe online requires more than just avoiding websites that look untrustworthy. These days, you might be redirected and/or infected with malware by the advertisement banner showing on a legitimate webpage. To counter this kind of threat, we at Malwarebytes tend to block entire advertiser networks in an effort to prevent our users from being a victim of malicious advertisements or Malvertising. The purpose of this blog post is to explain exactly why you might see pop-ups from our Website Blocking function on a site that you thought you trusted.
Before we get into malicious advertisements and Ad networks, let us talk about how and when you might come across a blocked advertisement. First, if you have been using Malwarebytes Anti-Malware Premium for a while, then you might have seen a notice, like the one above, appear while you were surfing what you believed to be a legitimate website. If you were confused or frightened by this, don’t worry, it doesn’t necessarily mean that the website you were on is malicious; rather the advertisements inserted into the webpage might have been.
Take for example:
What actually happened here is that while you navigated to CoolStuffFeed.com when the notice appeared, it was actually the advertisement provider used by CoolStuffFeed.com that is being blocked due to the association with malicious content. Malwarebytes detected the IP address of the Ad network as being involved with the distribution of malicious ads. Let us call the advertisement network “BadAd Network.” Therefore:
Malicious code from Ad networks might be present in pop-ups or advertisement banners. When the banners attempt to load or the pop-up attempts to navigate to the malicious website, we block it before it has a chance to cause any damage to your system.
Advertisements that not only look legitimate but also contain malicious code in an effort to infect systems are known as a Malvertisements. Cyber-criminals use Malvertisements to try to spread their malware to a greater audience of users by submitting malicious ads to online advertisement networks. The ad networks are usually not aware of the cyber criminal’s intent and approve non-malicious ads, initially submitted by the criminals. Once the ad is approved the cyber criminals switch out the legitimate ad for the malicious one, right under the noses of the ad networks.
The networks fail to check modifications made to the advertisements and therefore allow the Malvertisments to be shown on their customers’ webpages. The ad networks also quickly cycle through different advertisements with each view of the customer web-page. The dynamic scrolling of ads makes it difficult not only to flag the existence of a Malvertisement circulating on a network but also identifying which advertisement is the culprit!
So now that you know what Malvertisements are, you may ask, why doesn’t Malwarebytes Anti-Malware just block the URL of the malicious code rather than the actual ad network? Well, we do, but sometimes that is not enough, because malicious ads have a tendency to change often to avoid detection and use different URLs in the operation of their attacks.
We flag networks that are known by us to host Malvertisments (intentionally or not) as malicious because of their unsafe practices of not doing regular quality assurance checks on the advertisements they are circulating. This, in combination with finding numerous malicious advertisements circulating on their networks and spreading malware, forces us to block not only the malicious advertisements but also the advertisement networks entirely.
Here are a few examples of Malvertisements in action:
July 2010: TweetMeme.com
April 2010: Facebook Farm Town Game
May 2012: Malvertisements found on Blogger Website
As you can see, Malvertising happens all the time; and while the effort from the community to fight these attacks has advanced greatly over the last few years, the threat is far from gone.
If you are one of the many users of Malwarebytes Anti-Malware Premium, then you are likely already protected. To double-check if you are, though, simply right-click on the Malwarebytes Anti-Malware icon in your notification icon bar (opposite from your Start Menu button) and look for Malicious Website Protection.
If you notice that the option for Malicious Website Protection is already checked, you are good to go. If not, I HIGHLY recommend that you select it in order to activate the web protection feature. We are very strict and prudent when we decide to blacklist a certain website so that our users are protected without blocking their access to the internet.
Even if you do not use Malwarebytes Anti-Malware Premium and therefore are not receiving the benefit of our website blocking protection, there are other ways to keep you safe. One of these ways is to use ad-blocking software for your browser. This software will ensure that no advertisements reach you, regardless of where they come from. This is a great way to not only fend off potential Malvertisement attacks but also to help you avoid clicking on things like fake download buttons or “special offers.” These types of scams exist in mass amounts and are generally delivered to the user through advertisements and pop-ups.
Another useful protection feature for your browser is Malwarebytes Anti-Exploit, which utilized a one of a kind technology to block drive by exploits, like the ones used by Malvertisements, before they can infect your system. The free version of Anti-Exploit will protect your browser as long as you have it running in the background.
A little while ago, we posted two blogs that discuss the threats behind advertisements. The first one, “Pick a Download, Any Download”, examines advertisements that display false download buttons on download pages. The second blog “PDAD: Part 2” , goes into detail to explain various methods of installing ad blocking software for your browsers to keep yourself safe from those scams. Finally, our blog post introducing Malwarebytes Anti-Exploit can give you an idea of how Anti-Exploit is used and what it does to protect your system.
In my opinion, malicious advertisements are one of the most dangerous threats online right now, mainly because you can do everything right as far as safe surfing, but they still might find you. The best defense is always to arm yourself with as much protection as you can. Updating Java (or disabling Java in your browser), Flash, your browser and operating system are all great ways to stay ahead of the curve. However, using antivirus, anti-malware and anti-exploit applications along with ad-blocking software can keep you well protected against waves of cyber-attacks. Thanks for reading, and stay safe!