
Malicious Google DoubleClick Advertisements Distributed Malware to Millions of Computers


Matsuda


Cyber criminals have exploited the power of two online advertising networks, Google's DoubleClick and the popular Zedo advertising agency, to deliver malicious advertisements to millions of internet users that could install malware on a user's computer.

A recent report published by a researcher at the security vendor Malwarebytes suggests that the cyber criminals are exploiting a number of websites, including The Times of Israel, The Jerusalem Post and the Last.fm music streaming website, to serve malicious advertisements designed to spread the recently identified Zemot malware.

Malvertising is not a new tactic used by cybercriminals, but Jerome Segura, a senior security researcher with Malwarebytes, wrote in a blog post that his company “rarely see attacks on a large scale like this.”
"It was active but not too visible for a number of weeks until we started seeing popular sites getting flagged in our honeypots," Segura wrote. "That's when we thought, something is going on."
The first impressions came in late August, and by now millions of computers have likely been exposed to Zemot, although only those with outdated antivirus protection were actually infected.
According to Segura, the malicious advertisements lead users to websites containing the Nuclear exploit kit, which looks for an unpatched version of Adobe Flash Player or Internet Explorer running on the victim’s system. If it finds one, it downloads the Zemot malware, which then communicates with a remote server and downloads a wave of other malicious applications.
However, by the time the malware was spotted, millions of computers may already have been exposed to Zemot, the researcher said, but at the same time he also added that only those users with out-of-date antivirus software protection were actually infected by the malware.

The Zemot malware was identified by Microsoft earlier this month. According to Microsoft, Zemot is usually distributed not only by the Nuclear exploit kit but also by the Magnitude exploit kit and the spambot malware Kuluoz. The malware focuses on computers running Windows XP, although it can also infect more modern operating systems running on x86 and 64-bit machines.
The malware can easily bypass the security software installed on the system before infecting computers with additional malware; therefore, it is difficult to identify the attack it poses on a system.
A Google representative has confirmed the breach, and said that the team was aware of the breach and has since shut down all the affected servers which were redirecting malicious code, and has disabled the ads that delivered malware to users’ computers, reported The Verge.







Thankfully all the crap I have in Chrome makes sure this won't happen to me.

Can't infect me with a bad ad if I block them 5 different ways, after all.



Thankfully all the crap I have in Chrome makes sure this won't happen to me.

Can't infect me with a bad ad if I block them 5 different ways, after all.

Sounds impressive.

I only use ABP for Chrome. Could you please educate us what's your ways of blocking ads?



I'm also very interested in the other ways, but can suggest one other than ABP.

I use my router's "Access Restriction" (running Tomato firmware) to block several ad-serving domains 24/7. Domains like doubleclick.com, doubleclick.net, adwords.com etc.

One huge benefit is that Wi-Fi connected devices also get much advertising blocked.



Thankfully all the crap I have in Chrome makes sure this won't happen to me.

Can't infect me with a bad ad if I block them 5 different ways, after all.

I'm with oliverjia and karlston: what are you using in Chrome to help block malicious software? I use Firefox with NoScript, Ghostery and Adblock Plus, updated Avast Pro and Malwarebytes Anti-Exploit Premium. NoScript is like Adblock Plus, it's a godsend and I don't know what I'd do without it; Malwarebytes Anti-Exploit is the same way. I almost forgot to mention KeyScrambler Premium. I also got RUBotted two weeks ago and I'm about to get BotHunter. With all of that, can't go wrong really.



Thankfully all the crap I have in Chrome makes sure this won't happen to me.

Can't infect me with a bad ad if I block them 5 different ways, after all.

Sounds impressive.

I only use ABP for Chrome. Could you please educate us what's your ways of blocking ads?

He uses a wall of rock between the browser and his eyes.



Thankfully all the crap I have in Chrome makes sure this won't happen to me.

Can't infect me with a bad ad if I block them 5 different ways, after all.

Sounds impressive.

I only use ABP for Chrome. Could you please educate us what's your ways of blocking ads?

uBlock + HTTP Switchboard. The former has the cosmetic fixing for ads, and the latter is set up by me to block everything but CSS and Images by default. I can't get pwned by a bad DoubleClick ad if no site is allowed by HTTPSB to load JS from that site (because this is usually script kiddies with bad JS that redirect you to a site with an exploit kit, and then that exploit site can't run JS either anyway).

I only allow whatever JS is needed, on a domain basis, plus some common stuff for common things like Youtube videos. I am extra careful with CDNs. If a site uses something like AKAMAIHD (facebook does), I make sure to only allow the unique subdomains of that CDN, lest hacked JS be included via the same CDN and pass a root domain whitelist of that CDN (as in allow fbwhatever.akamaihd.net, instead of straight up akamaihd.net).

The extra tracker blocks I have are probably unneeded, because HTTPSB in Block All by Default config is like having NoScript and RequestPolicy on Firefox.

Be warned though, with that setup basically all websites are broken by default, and sometimes you have to play detective to find out what stuff is broken, then you have to isolate that, because you probably temp allowed things until you found the fix.

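The root-domain versus unique-subdomain distinction in the uBlock + HTTP Switchboard post above, and the router blocklist mentioned earlier in the thread, both come down to how a hostname is matched against a rule. The sketch below is an added example, not code from any poster or from HTTPSB; the policy shape, the function names, and the hostnames other-tenant.akamaihd.net and example.org are assumptions made for illustration.

```javascript
// Default-deny script policy with label-aware domain matching (constructed sample data).
function normalize(host) {
  return host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
}

// True when host is the domain itself or one of its subdomains. Anchoring on
// "." keeps "notdoubleclick.net" from matching a "doubleclick.net" rule.
function matchesDomain(host, domain) {
  const h = normalize(host);
  const d = normalize(domain);
  return h === d || h.endsWith("." + d);
}

// block:      domains refused together with every subdomain
// allowExact: hostnames allowed to serve scripts, exact match only
// allowTree:  domains allowed together with every subdomain
function decideScript(policy, scriptUrl) {
  let host;
  try {
    host = normalize(new URL(scriptUrl).hostname);
  } catch {
    return "block"; // unparseable URL: fail closed
  }
  if (policy.block.some((d) => matchesDomain(host, d))) return "block";
  if (policy.allowExact.some((h) => normalize(h) === host)) return "allow";
  if (policy.allowTree.some((d) => matchesDomain(host, d))) return "allow";
  return "block"; // default deny
}

const block = ["doubleclick.net", "doubleclick.com", "adwords.com"];
// Scoped: only the one CDN hostname the site needs.
const scoped = { block, allowExact: ["fbwhatever.akamaihd.net"], allowTree: ["example.org"] };
// Broad: the whole CDN root, so every tenant of the CDN may serve scripts.
const broad = { block, allowExact: [], allowTree: ["akamaihd.net", "example.org"] };

const samples = [
  "https://fbwhatever.akamaihd.net/app.js",
  "https://other-tenant.akamaihd.net/widget.js",
  "https://ad.doubleclick.net/slot.js",
  "https://static.example.org/site.js",
];

// One row per URL: [url, decision under scoped policy, decision under broad policy]
function compare() {
  return samples.map((url) => [url, decideScript(scoped, url), decideScript(broad, url)]);
}

console.table(compare());
```

Only the second sample differs between the two policies: the scoped allowlist refuses the other CDN hostname, while the root-domain allowlist lets it through.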


Large malvertising campaign under way involving DoubleClick and Zedo

It is reported that this week Google has shut down malicious Web attacks which were originating from a compromised advertising network on Friday. This followed an investigative report by Malwarebytes that found the ad platform ‘Zedo’ was serving up ads that tried to infect the computers of visitors to some major websites.

read more here at source:

https://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/

One very useful ‘free weapon’ against unwanted ads is ‘Ad blocker’ browser extensions. IMO Adblock in your browser is a security feature that one should consider installing.

If I could offer advice to Website owners who rely on ads for minimal revenue to help maintain their sites it would be to please do ‘not’ use third party ad deliveries.


