Drive By Download Hits MSN, DoubleClick

It isn't clear who coordinated the release of the malware, but it was someone who wanted to get users to pay by putting software on their computers that makes it appear as though there is a problem, when in fact it is the downloaded software that is causing the system to malfunction, says Wayne Huang, chief technology officer at Armorize Technologies, a web security firm.

Drive by downloads are bits of software delivered to a computer that visits a web site, usually through the banner ads. When a banner ad is displayed, the user's browser calls back to the server to render the ad. Ordinarily, the ad would run a JavaScript to render the animation. In this case, the JavaScript deposits malicious code on the user's PC. The user doesn't have to click on anything or do anything to trigger the download.

Outside of disabling JavaScript - an option on most browsers - there aren't too many ways to protect oneself, Huang says. Disabling Java has the unfortunate effect of disabling many web sites - many still use it to animate images, for example. Huang says he runs a virtual machine on his PC - essentially moving the browser off of the system - but that is not an option for most users at home. The vulnerability is inherent in a number of programs in common use, such as Adobe's PDF reader.

The malware was one that caused an error message to appear at random on the PC. The error message would suggest downloading a program called HDD Plus to fix it. In fact, all that would happen was the user would be redirected to a web site that harvested credit card information and a payment.

This kind of malware doesn't tend to do lasting damage to a machine, Huang said, because the criminals using it want to control the computer, and in order for it to reach their web site it has to be working. The malware underscores something that Huang says more advertising networks, such as DoubleClick and Microsoft, should be wary of.

The malvertising was from a site called adshufffle.com. The name of the site was similar to adshuffle.com, which DoubleClick had worked with before and s in fact a legitimate purveyor of advertisements. Huang says it isn't hard to automate a check on the domain name registration date. Adshufffle.com was only registered a few days before the attacks started.

A domain name that is registered too recently - which also bears a suspicious resemblance to one that an ad network already uses - is a red flag, he says. Another good tactic would be equipping PCs with virus protection that focuses on the behavior of code, rather than trying to pick out a recognizeable file from a list.

Both Microsoft and DoubleClick, which is owned by Google, said their own malware detection systems picked up the intrusion in a short time.  

Microsoft immediately identified the attack on our network and took action to remove the malware. We remain vigilant in protecting consumers, advertisers and our network from fake online insertion orders and are working directly with our agency media partners to verify and confirm any suspicious orders, said a Microsoft spokesperson in an emailed statement.

We can confirm that the DoubleClick Ad Exchange, which has automatic malware filters, independently detected several creatives containing malware, and blocked them instantly -- within seconds. Our security team is in touch with Armorize to help investigate and help remove any affected creatives from any other ad platforms, wrote a spokesperson for Google.

Huang wrote in a blog post outlining the technical details of the threat that he contacted DoubleClick on Dec. 9; about a week after other security firms had also detected a problem. Once DoubleClick was alerted to the impersonation, Huang said, he was impressed with the speed with which they dealt with the problem.

He added that while this kind of attack is geared to PCs, Macintosh users shouldn't be complacent. The only reason it isn't common on Macs is that they are less popular, Huang says.