Oh, the Sites You Will Never See
Posted: May 20, 2013 by Adam Kujawa
Last updated: April 1, 2016
Staying safe online requires more than just avoiding websites that look untrustworthy. These days, you might be redirected and/or infected with malware by the advertisement banner showing on a legitimate webpage. To counter this kind of threat, we at Malwarebytes tend to block entire advertiser networks in an effort to prevent our users from being a victim of malicious advertisements or Malvertising. The purpose of this blog post is to explain exactly why you might see pop-ups from our Website Blocking function on a site that you thought you trusted.
What you would see
Before we get into malicious advertisements and Ad networks, let us talk about how and when you might come across a blocked advertisement. First, if you have been using Malwarebytes Anti-Malware Premium for a while, then you might have seen a notice, like the one above, appear while you were surfing what you believed to be a legitimate website. If you were confused or frightened by this, don’t worry, it doesn’t necessarily mean that the website you were on is malicious; rather the advertisements inserted into the webpage might have been.
Take for example:
You navigate to your favorite website CoolStuffFeed.com to check out the latest news
When your page loads up, you see a notice from Malwarebytes Anti-Malware informing you that it is blocking a potentially malicious website
You freak out and never visit CoolStuffFeed.com again
What actually happened is that, although you had navigated to CoolStuffFeed.com when the notice appeared, it was the advertisement provider used by CoolStuffFeed.com that was blocked because of its association with malicious content. Malwarebytes detected the IP address of the Ad network as being involved with the distribution of malicious ads. Let us call the advertisement network “BadAd Network.” Therefore:
CoolStuffFeed.com hired BadAd Network to provide advertisements to the site's main page. This is done to bring in possible revenue from every visit to the website.
BadAd network is known by Malwarebytes to host malicious advertisements so our product blocked any advertisement traffic from appearing in the browsers of our users.
You, the customer, will see a notice from us about something malicious happening on CoolStuffFeed.com.
In reality, we are blocking advertisements from BadAd Network that are trying to show up in your browser when you visit CoolStuffFeed.com.
You will not be blocked from viewing CoolStuffFeed.com at all and should have no problems reaching the content that you want to see, sans some of the advertisements.
Malicious code from Ad networks might be present in pop-ups or advertisement banners. When the banners attempt to load or the pop-up attempts to navigate to the malicious website, we block it before it has a chance to cause any damage to your system.
Advertisements that not only look legitimate but also contain malicious code in an effort to infect systems are known as Malvertisements. Cyber-criminals use Malvertisements to try to spread their malware to a greater audience of users by submitting malicious ads to online advertisement networks. The ad networks are usually not aware of the cyber-criminals' intent and approve the non-malicious ads initially submitted by the criminals. Once the ad is approved, the cyber-criminals switch out the legitimate ad for the malicious one, right under the noses of the ad networks.
The networks fail to check modifications made to the advertisements and therefore allow the Malvertisements to be shown on their customers’ webpages. The ad networks also quickly cycle through different advertisements with each view of the customer web-page. The dynamic scrolling of ads makes it difficult not only to flag the existence of a Malvertisement circulating on a network but also to identify which advertisement is the culprit!
So now that you know what Malvertisements are, you may ask, why doesn’t Malwarebytes Anti-Malware just block the URL of the malicious code rather than the actual ad network? Well, we do, but sometimes that is not enough, because malicious ads have a tendency to change often to avoid detection and use different URLs in the operation of their attacks.
We flag networks that are known by us to host Malvertisements (intentionally or not) as malicious because of their unsafe practices of not doing regular quality assurance checks on the advertisements they are circulating. This, in combination with finding numerous malicious advertisements circulating on their networks and spreading malware, forces us to block not only the malicious advertisements but also the advertisement networks entirely.
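As an added illustration (not Malwarebytes code and not part of the original post), the sketch below compares URL-only blocking with blocking by ad-network IP range for a single page load. The host names, IP ranges, stand-in DNS table and the verdict/page_load helpers are all constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: made-up hosts and documentation-range IPs.
BLOCKED_URLS = {"http://ads.badad.example/banner/1001.js"}      # one known-bad ad URL
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]     # "BadAd Network" range
RESOLVED = {  # stand-in for the DNS answers a filter would observe
    "coolstufffeed.example": "198.51.100.10",
    "ads.badad.example": "203.0.113.7",
    "cdn7.badad.example": "203.0.113.99",
}

# Requests made while loading the (legitimate) page.
PAGE_REQUESTS = [
    "http://coolstufffeed.example/",               # the site the user asked for
    "http://ads.badad.example/banner/1001.js",     # ad at the known-bad URL
    "http://cdn7.badad.example/banner/7f3a.js",    # same ad after the URL was rotated
]

def verdict(url, by_network=True):
    """Return 'block' or 'allow' for one outbound request."""
    if url in BLOCKED_URLS:
        return "block"
    if by_network:
        ip = RESOLVED.get(urlsplit(url).hostname)
        if ip and any(ipaddress.ip_address(ip) in net for net in BLOCKED_NETWORKS):
            return "block"
    return "allow"

def page_load(requests, by_network=True):
    """Map every request of a page load to its verdict."""
    return {url: verdict(url, by_network) for url in requests}

if __name__ == "__main__":
    for mode in (False, True):
        print("network blocking:", mode)
        for url, result in page_load(PAGE_REQUESTS, by_network=mode).items():
            print(f"  {result:5}  {url}")
```

With URL-only matching the rotated ad URL is allowed; with the network range flagged, both ad requests are blocked while the page itself still loads.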
Here are a few examples of Malvertisements in action:
July 2010: TweetMeme.com
Malicious advertisements targeted site visitors after a rogue advertiser spread a malicious advert through y5-media.com. The result was users redirected to drive-by attack sites that installed fake antivirus malware.
April 2010: Facebook Farm Town Game
An advertisement served on a popular Facebook game was delivering Rogue AV software, claiming that the user’s system had been infected with malware and their product could help them.
May 2012: Malvertisements found on Blogger Website
Advertising network Clicksor was found serving malicious advertisements to users of a Blogger website, leading to the BlackHole Exploit Kit.
As you can see, Malvertising happens all the time; and while the effort from the community to fight these attacks has advanced greatly over the last few years, the threat is far from gone.
Am I protected?
If you are one of the many users of Malwarebytes Anti-Malware Premium, then you are likely already protected. To double-check if you are, though, simply right-click on the Malwarebytes Anti-Malware icon in your notification icon bar (opposite from your Start Menu button) and look for Malicious Website Protection.
If you notice that the option for Malicious Website Protection is already checked, you are good to go. If not, I HIGHLY recommend that you select it in order to activate the web protection feature. We are very strict and prudent when we decide to blacklist a certain website so that our users are protected without blocking their access to the internet.
Even if you do not use Malwarebytes Anti-Malware Premium and therefore are not receiving the benefit of our website blocking protection, there are other ways to keep you safe. One of these ways is to use ad-blocking software for your browser. This software will ensure that no advertisements reach you, regardless of where they come from. This is a great way to not only fend off potential Malvertisement attacks but also to help you avoid clicking on things like fake download buttons or “special offers.” These types of scams exist in mass amounts and are generally delivered to the user through advertisements and pop-ups.
Another useful protection feature for your browser is Malwarebytes Anti-Exploit, which utilizes a one-of-a-kind technology to block drive-by exploits, like the ones used by Malvertisements, before they can infect your system. The free version of Anti-Exploit will protect your browser as long as you have it running in the background.
A little while ago, we posted two blogs that discuss the threats behind advertisements. The first one, “Pick a Download, Any Download”, examines advertisements that display false download buttons on download pages. The second blog, “PDAD: Part 2”, goes into detail to explain various methods of installing ad-blocking software for your browsers to keep yourself safe from those scams. Finally, our blog post introducing Malwarebytes Anti-Exploit can give you an idea of how Anti-Exploit is used and what it does to protect your system.
In my opinion, malicious advertisements are one of the most dangerous threats online right now, mainly because you can do everything right as far as safe surfing, but they still might find you. The best defense is always to arm yourself with as much protection as you can. Updating Java (or disabling Java in your browser), Flash, your browser and operating system are all great ways to stay ahead of the curve. However, using antivirus, anti-malware and anti-exploit applications along with ad-blocking software can keep you well protected against waves of cyber-attacks. Thanks for reading, and stay safe!