interesting-people message

Subject: [IP] more on compromised ad servers?

From: David Farber <dave@farber.net>
To: Ip Ip <ip@v2.listbox.com>
Date: Fri, 26 Aug 2005 13:55:08 -0400



Begin forwarded message:

From: Daniel Doman <ddoman@panix.com>
Date: August 26, 2005 11:00:49 AM EDT
To: dave@farber.net
Subject: [IP] compromised ad servers?

This isn't a case of compromised ad servers. It is a case ofcompromised ad content. It is actually pretty hard to compromisetypical ad server itself because they have limited function and itis completely unnecessary. The ad server serves up a piece of HTML asad content and it is easy to put exploit code into the ad itself.This is a case of compromised or lax ad trafficking diligence. The adserving company needs to be careful about whose ads they server up.Because it is so easy to serve up HTML that can contain an exploitthat does bad things (drive by downloads and other nefarious deeds)the ad serving company really does have a responsibility to policeits advertisers and profile the HTML content that they serve touser's browsers.

If you just let anyone willing to pay give you ad content and don'treview the content you are asking for trouble.

Thats what happened here. Not a compromised server. A bad ad thatcontained an exploit.


 - daniel doman -
ddoman@panix.com
dan@danieldoman.com


Begin forwarded message:

From: Esther Dyson <edyson@edventure.com>
Date: August 26, 2005 10:03:35 AM EDT
To: Daniel Doman <ddoman@panix.com>
Subject: Fwd: [IP] compromised ad servers?


an interesting thing to track down?

Ehster

From: David Farber <dave@farber.net>
Subject: [IP] compromised ad servers?
Date: Fri, 26 Aug 2005 07:17:27 -0400
To: Ip Ip <ip@v2.listbox.com>

Begin forwarded message:

From: Dave Wilson <dave@wilson.net>
Date: August 25, 2005 6:59:40 PM EDT
To: dave@farber.net
Subject: compromised ad servers?

I visited a mainstream Web site Wednesday and an infected ad server
apparently pushed down a bit of malware, asdf.exe. The file was
extremely small -- less than 1.6 K -- and appeared to be trying to
install some more complex bit of malware, presumably a keylogger.
What fascinated me was that this occured on a box with all standard
security measures in place: Windows XP system (all critical patches
installed)  using Mozilla Firefox 1.0.6 (latest version, "Allow Web
sites to install software" unchecked) and running Norton Antivirus
and Norton Firewall, also current and updated. Norton AV didn't even
recognize this thing as malovolent; I noticed it after it was inside
at c:\asdf.exe clawing frantically at my firewall trying to get back
out.. Even more amusing, I didn't actually do anything: Didn't click
on an advertisement, close a Windows, etc. One Web site that was
apparently serving up infected ads was The Onion (London's Observer
had a simlar problem last year). Because this malware is passed along
through a compromised ad server, not every visitor will get hit,
since the ads rotate each time the page is called up.

Anyway, I've contacted AV vendors, but I'm worried about how
widespread this problem is. Google searchers turn up people puzzling
similar incidents starting three weeks ago. I'm wondering if IPers
can do a file search for "asdf.exe" and report back positive results?

Thanks

-dave

-------------------------------------
You are subscribed as edyson@edventure.com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/




Esther Dyson              Always make new mistakes!
Editor, Release 1.0

CNET Networks
104 Fifth Avenue (at 16th Street)
New York, NY 10011    USA

+1 (212) 924-8800

Personal Health Info Workshop, New York City, Sept 30: http://www.release1-0.com/events/current status (with pictures!) at http://www.flickr.com/photos/edyson/



-------------------------------------
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/