All the malware that's fit to print

By Jake Edge
September 16, 2009

Some readers of the New York Times (NYT) web site were recently surprised to "learn" that their computers were infected with viruses. As it turns out, a rogue ad was responsible for the warning, and, as one would guess, anyone who downloaded the suggested fix for the virus problems was, instead, infected with malware. While the problem was fairly short-lived—and targeted Windows, not Linux or Mac OS X—it does point to a general problem for those who run web sites: how can one ensure that the ads running on the site don't contain anything objectionable, either because of the actual ad content, or because it contains malware?

Ad content is typically served by ad networks, and a web site operator includes a little blob of Javascript into the proper place in a web page. That Javascript is responsible for retrieving the ad content and adding it into the page. But there is nothing stopping it from doing other things, such as downloading Javascript from other sites. Because the script code was served with the page, it has all the rights that any other Javascript has in the context of that page. Essentially, the site owner has given their ad network a "free pass" to do whatever is needed to put up the ad.

In general, ad networks are careful to screen the ads they send to their partners—at least for malicious content—otherwise, those partners would switch to a different network. But, it is certainly possible, and has probably happened in the past, that a dodgy ad gets put into an ad network's rotation. That was the first guess for where the NYT problem was. But, as the paper itself reported, the ad actually came from elsewhere.

In addition to running ads from ad networks, web sites often directly sell ads to customers. In this case, the NYT believed it was selling an ad to VoIP provider Vonage. When the ads were placed, they at first displayed normal Vonage ads. At some point, though, whoever placed the ads (and provided the Javascript to the NYT) switched to serving virus warnings.

Obviously, in retrospect, the NYT should have been more careful to ensure that whoever they were dealing with was, in fact, representing Vonage. The ad content was not being served by vonage.com, but that's hardly surprising as many advertisers use other sites to serve their ads. Vetting advertisers can be rather difficult, though. There are multiple levels of both technical and administrative verification that need to be done, some of which is likely beyond the abilities of ad salespeople.

It is, in some ways, like the kind of vetting that needs to be—and often isn't—done for SSL certificates. There needs to be a real organization behind the ad, though what constitutes "real" is an open question. The code to be inserted needs to be inspected as well. An excellent dissection of the NYT malware gives a good view of just how the attack worked. Without somehow figuring out that tradenton.com was not a legitimate ad serving network, there is nothing particularly suspicious about the top-level code.

This is a problem we are likely to see more of over time. Because the ad networks want to be able to run code on the client, for geotargeting and other information gathering, sites must generally be willing to insert fairly opaque Javascript into their site. As the dissection shows, that can lead to bouncing around to multiple sites, grabbing code from each—even legitimate ad serving networks often have their own partners to whom the redirect requests. There is a sort of implicit web of trust that exists, but one that has the potential to be subverted.

Another aspect of the problem is that site owners often cannot see all of the ads that are currently being displayed on their site. If some small percentage of the ads—or those targeted at a different region—contain objectionable content of any sort, the site owner may very well be completely unaware of it until users complain. It's not just malware ads that are a problem, here, but any kind of ad that the owner might prefer not to run.

The NYT article mentions other similar incidents that have occurred in the past, but this attack, on a high-profile site, has, at least, served to raise the profile of the problem. Other than eliminating ad networks and customer-supplied Javascript from a site, there is very little defense against this type of subversion. By running other people's code in a site, one has, for all intents and purposes, turned over control of the site's content to third parties. It shouldn't be too surprising that attackers are taking advantage of that.

Index entries for this article
Security	Javascript

to post comments

All the malware that's fit to print

Posted Sep 17, 2009 5:16 UTC (Thu) by JoeBuck (guest, #2330) [Link] (1 responses)

Readers outside the US might not get the joke in the title: the New York Times' motto, which appears on the front page of their print edition, is "All the news that's fit to print".

All the malware that's fit to print

Posted Sep 17, 2009 7:30 UTC (Thu) by lacostej (guest, #2760) [Link]

Thanks for the explanation :)

Another good reason to disable JavaScript

Posted Sep 17, 2009 8:55 UTC (Thu) by anton (subscriber, #25547) [Link] (2 responses)

This article thoroughly debunks the claim that it's ok to enable JavaScript for trustworthy sites. I never bought that, because some black hat could break into the "trustworthy" site and then change the JavaScript to break into my system (through one of the many JavaScript vulnerabilities); but this article makes it clear that the black hats don't even need to break in, the "trustworthy" site actually includes their JavaScript voluntarily.

Another good reason to disable JavaScript

Posted Sep 17, 2009 16:22 UTC (Thu) by Cato (guest, #7643) [Link] (1 responses)

I doubt if the malware is actually hosted on the nytimes.com domain, so it's still somewhat safe to enable JavaScript for *.nytimes.com, I would hope. Running AdBlock is the other obvious way to stop this sort of attack - when combined with NoScript and FlashBlock, you are safe against a lot of the most obvious attacks.

Another good reason to disable JavaScript

Posted Sep 18, 2009 4:01 UTC (Fri) by njs (subscriber, #40338) [Link]

The malware itself is not hosted on nytimes.com, but the javascript that loads it is. A quick look at the current source for the nytimes.com frontpage shows what's clearly some code provided by a 3rd party and then pasted into the source. The one I see uses document.write to insert a <script> tag pointing at a 3rd party page, but it could just as well fetch the source code and call eval() to really get around any javascript security limitations.

Of course, they won't bother because malware writers are after the general population, and the general population doesn't write site-by-site javascript security rules. Of course, if you're willing to rely on that fact, then there's no much point in worrying in the first place, because the general population doesn't run Linux and most (though not all) malware that breaks security through technical means is going to rely on some windows-specific stack-smashing code.

Sort of fascinating actually how much info they include in the source, actually -- search for "ADXINFO".

All the malware that's fit to print

Posted Sep 17, 2009 10:15 UTC (Thu) by nix (subscriber, #2304) [Link]

that can lead to bouncing around to multiple sites, grabbing code from eacheven legitimate ad serving networks often have their own partners to whom the redirect requests

And then they wonder why people disable showing ads everywhere they possibly can. The extra latency this introduces, even on high-bandwidth links, can fairly often lead to pages taking half a minute to start rendering, especially if the text is meant to be flowed around the ad.

All the malware that's fit to print

Posted Sep 17, 2009 19:58 UTC (Thu) by pspinler (subscriber, #2922) [Link]

The noscript extension for firefox can help, here, but only partially. Nonetheless, it's been worth it.

-- Pat

All the malware that's fit to print

Posted Sep 18, 2009 0:31 UTC (Fri) by jamienk (guest, #1144) [Link] (1 responses)

Why do the ad networks want website operators to run a script? Why not just give an image link like [img src="adnetwork.com/adimage.php?client_id=123456"]? What advantages does the javascript have for either party?

All the malware that's fit to print

Posted Sep 21, 2009 6:30 UTC (Mon) by man_ls (guest, #15091) [Link]

It makes the monkey bounce more gracefully when you try to hit it with the banana.

All the malware that's fit to print

Posted Sep 19, 2009 14:50 UTC (Sat) by jeremiah (subscriber, #1221) [Link] (2 responses)

When we built the ad system that our site uses we took the google approach and limited things to
text only. No Script, No Images. This was done be because we didn't want to offend our clients nor
our users, but still be able to deliver useful targeted ads. The security issues were a large concern
as well. Every ad that gets posted get read by our staff to determine if it is on topic and
grammatically correct. we don't want our advertisers embarrassing themselves either. We also don't
allow anyone to modify the content of an ad w/o going through the approval process again.
Although a lot of this limits us in the kind of advertising we can serve, it keeps us out of trouble,
and makes the ads useful pieces of information.

All the malware that's fit to print

Posted Sep 21, 2009 1:59 UTC (Mon) by jlokier (guest, #52227) [Link] (1 responses)

> we took the google approach and limited things to text only. No Script

Note that Google ads on non-Google sites do use a script, and therefore are theoretically vulnerable to the sort of attack covered in the article.

All the malware that's fit to print

Posted Sep 21, 2009 4:25 UTC (Mon) by jeremiah (subscriber, #1221) [Link]

That's it! I give up....

</me>

All the malware that's fit to print

Posted Sep 24, 2009 2:33 UTC (Thu) by realnc (guest, #60393) [Link] (2 responses)

The problem has nothing to do with the technicalities, but rather with the carelessness of the user. If you see a totally out of context message on a website telling you to "click here to clean your system", and you click, then with all due respect you're too stupid to use a computer :P

All the malware that's fit to print

Posted Sep 24, 2009 12:23 UTC (Thu) by nye (subscriber, #51576) [Link] (1 responses)

We get this kind of thing a lot at work. The problem is that they don't know it's the website doing it; so far as the user is concerned a popup has just appeared, which happens all the time (Windows applications seem to have a particular tendency to pop up dialog boxes frequently).

Most users can't tell the difference between a window and an image of a window, even if they have different visual styles. Many users don't (and apparently can't) understand the *concept* of a window, but they still need to be able to use the machine to do their job.

All the malware that's fit to print

Posted Sep 24, 2009 13:44 UTC (Thu) by basdebakker (guest, #60977) [Link]

I like to think I know a lot about computers, but every time Firefox asks for my master password, I wonder whether it's really Firefox or a Javascript dialog from the web page (or one of the web pages) I'm visiting. How do I tell?