Network News

X My Profile
View More Activity

Banner Ad Trojan Served on MySpace, Photobucket

Several banner ads containing Trojan horse programs that can compromise a user's computer have been running on some high-traffic Web sites for the past several weeks, including and, Security Fix has learned.

Web security company ScanSafe said it first spotted the tainted banner ads on Aug. 8, and estimates that the hostile ads ran several million times for the next three weeks. Other sites that ran the ads included,, and, officials at ScanSafe said. All a visitor to one of these sites needed to do to infect their machines was to browse a page that featured the ads with a version of Internet Explorer that was not equipped with the latest security updates from Microsoft.

This is hardly the first time malicious software has shown up in banner ads. A little over a year ago, I wrote about a similar banner ad attack that installed spyware on machines of more than a million users. This latest attack won't be the last either: Hacked banner ads are a very efficient way to distribute malware because they end up running on sites that most people trust:

The banner ads in question were traced back to an ad network exchange run by a company called RightMedia, which was recently bought by Yahoo!. The ads were being delivered to RightMedia's network from a third-party ad server. According to ScanSafe, those third-party servers included in their rotation several malicious ads that used Macromedia Flash files to load an invisible "iFrame" (used to insert content from another Web site into the current Web page).

The malicious iFrame in turn pulled down code that leveraged a security hole in Microsoft's Internet Explorer browser flaw (one that Microsoft patched in February) to install a generic Trojan horse program.

A RightMedia spokesperson said the ads have been identified and banned from the exchange. "However, we cannot control what happens elsewhere on the Net. We continue to enhance our protective tools and are committed to finding ways of keeping this type of activity away from consumers and publishers."

RightMedia explains on its blog the processes it has in place for weeding out potentially hostile banner ads. The company's "MediaGuard" system runs each ad uploaded to its servers through a series of ten tests to determine whether the ad contains any malicious code. "Some of those tests are run through international proxy servers to imitate users outside of the US. If any malicious activity is detected, the creative is flagged and the advertiser notified."

But according to ScanSafe, the attackers code inserted into the hostile ads was designed to recognize the difference between one of their ads served to a regular Web site visitor and RightMedia's scanning servers. If the visitor was RightMedia, no malicious code would be served with the ad, said Dan Nadir, ScanSafe's vice president of product strategy.

Tools like the "noscript" add-on for Firefox can help users block powerful programming languages like Flash and Javascript from running automatically when a user visits a Web site. However, noscript may do little to prevent these types of attacks if the visitor has previously instructed "noscript" to trust the site permanently.

Another key takeaway here is the importance of Windows users keeping their systems up to date with the latest security patches, particularly those issued by Microsoft to plug holes in IE and other vital system components.

By Brian Krebs  |  September 9, 2007; 7:32 PM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Apple iTunes Update and Patch Tuesday Preview
Next: Skype Users: Beware of Instant Message Worm


Maybe RightMedia should require advertisers to give them the source code to the ads rather than running ScanSafe's sketchy heuristics over the object code.

Posted by: Jesse Ruderman | September 10, 2007 2:01 PM | Report abuse

Yet another reason to block banner ads. If you have Firefox, get the Adblock and Filterset.G extensions. Or get Adblock Plus.

You can also use a customized HOSTS file. This works with all web browsers since it takes advantage of an existing part of Windows. A good one is at (search for "Hosts file").

The disadvantages of a HOSTS file is that you have to remember to manually download updated versions and install them. It's not automatic like the Firefox extensions.
And you will need to temporarily login with administrator rights to install HOSTS files.

Posted by: Ken L | September 10, 2007 4:18 PM | Report abuse

This doesn't appear to be an IE vulnerability as you describe. I followed the link you provided ( and according to that page, it's a vulnerability in "Microsoft Data Access Components."

Posted by: Hoopskier | September 10, 2007 7:56 PM | Report abuse

Layered defense is key period! It can NEVER be said enough!

Of course the basics first: firewall and antivirus

And as mentioned already:

Patch, patch, patch!

Use a blocking hosts file:

Finally most important!!!!!

Use a non-admin (limited user) account:

Posted by: TJ | September 10, 2007 8:58 PM | Report abuse

@Hoopskier -- Yes, it is a vulnerability in MDAC. But more importantly, it is an ActiveX flaw, meaning it's specific to Windows and Internet Explorer. Read the vulnerability details from the advisory:

"What causes the vulnerability?
The ADODB.Connection ActiveX control included in MDAC could, if passed unexpected data, cause Internet Explorer to fail in a way that could allow code execution."

Posted by: Bk | September 10, 2007 9:53 PM | Report abuse

Why is everyone putting up with this?

Why do I have to fix all my friend's computers who get infected with this garbage, all because an ad company doesn't want to spend time/resources to properly screen THIRD PARTY CODE.

Ugh. We need to the government to destroy these companies with lawsuits/fines.

My blog:

Posted by: Nicholas | September 10, 2007 10:34 PM | Report abuse

Running as a limited user is a great concept that often doesn't fly. The next best thing is a free program called DropMyRights. For more see:
Every Windows XP user should drop their rights

Posted by: Michael Horowitz | September 11, 2007 12:36 AM | Report abuse

I would also recommend not only the proactive protection of a non-Admin user account, but also checking ALL installed software for known vulnerabilities; and removing unnecessary software entirely, to arbitrarily eliminate potential "attack surface." Secunia has a free vulnerability checker for home users, available from

In addition to non-Admin user accounts, some versions of Windows can also use a powerful proactive control called "Software Restriction Policy." A bit of info I geared to moderately-technical audiences: This is power-user territory, but if you want to try it, it's easy to undo if it doesn't work out well for you.

Kudos to Brian Krebs for being one of the few bold souls who talks about low-rights operation, in a world addicted to Win95-era habits. Keep it up.

Microsoft MVP, Windows Shell/User

Posted by: mechBgon | September 11, 2007 3:32 AM | Report abuse

Posted by: ki | September 11, 2007 5:54 AM | Report abuse

"However, noscript may do little to prevent these types of attacks if the visitor has previously instructed "noscript" to trust the site permanently."

In the absence of an XSS attack, that's not a problem; the IFRAME is served up from a separate domain, not from myspace or bebo's servers, so will have its own separate allow-or-deny setting in NoScript that will be 'deny' by default.

Posted by: DaveK | September 11, 2007 12:51 PM | Report abuse

Gee, if only there were an operating system that was engineered with security in mind, rather than being a hacked-up kludge with security as an afterthought (or worse, handled by 3rd-parties).

It's called OSX. It's not invulnerable:

but its design makes it far more robust than the alternatives.

And now you see why Apple didn't include Flash on the iPhone. :-)

Posted by: Gus2000 | September 12, 2007 9:59 AM | Report abuse

Good site! I'll stay reading! Keep improving!

Posted by: George | November 10, 2007 7:03 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company