Block Lists Are Bandaids in the War Against Malware Attacks


ADOTAS – One of our industry’s most valuable assets — customer trust — is under threat from malware. Malicious code in display advertising continues to grow at an alarming rate; more than 1 million ad impressions per day are infected. Overall, 1.3 million websites host malware, and third-party advertising is one of the top ways sites get hacked. Industry experts now believe that more malware than legitimate software is being developed.

Some networks, exchanges and publishers think they can protect their businesses from malware by purchasing a block list, which tracks sites that have served malware in the past. While a block list is better than nothing, it offers little beyond a false sense of security.

To begin with, lists work too slowly. Most malicious code created by malware criminals is designed to become obsolete within 24 hours. By the time a site containing malware has been identified and added to the list, the damage has been done.

The other problem with block lists is that they can identify sites that are not intentionally offering malware. Oftentimes, legitimate sites are victims in the cycle, prey to hackers or creative criminals looking to steal data. In fact, malware criminals are getting so creative that they’ve taken to creating fake agencies and then enlisting legitimate enterprises to help them serve the damaging ads. So while block lists prevent networks and exchanges from serving ads on these sites, the publishers themselves may be penalized unjustly.

In a recent article in MediaPost, Julia Casale-Amorim did an excellent job documenting how malware criminals set up fake agencies to distribute ads embedded with code designed to steal site viewers’ personal information for financial gain. No block list can stop a fake agency from running such ads, and Casale-Amorim gives great advice for spotting potential scammers.

But identifying entities like this is a fairly labor-intensive process, and a good criminal can still slip by you. The only real solution for eliminating malware is the proactive testing of ads and applications for malware before they go live. This way networks, exchanges and sites can expose infected ads coming from any source.

Proactive testing looks for the behaviors an online ad exhibits in a virtual environment. Each ad tag needs to be tested by simulating user and computer behavior in a safe, virtual environment to help mitigate infections. This virtual environment duplicates various IP, plug-in, browser, ad server and OS configurations for testing purposes. The testing is done in real time and identifies actions that are key indicators of infected ads, such as launching:

  • PDF exploit files – Malicious ad banners redirect users to infected PDF documents. Upon opening the malicious PDF document, users get infected by the embedded malware.
  • Invisible pixels – Criminal hackers exploit users by building iFrames into pages that are one pixel by one pixel—invisible to the user. Inside that iFrame they can stash executable code stored at another site that infects the user’s computer.
  • Keyloggers – Malware criminals can record personal information related to financial accounts by installing a program that tracks (or logs) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware.
  • DLL hijacking – Malware criminals can exploit this by sending the target user a link to a network share containing a file they perceive as safe. The file actually contains malicious payloads for stealing information stored on the computer, without the person’s knowledge.
  • DLL injections – Malware criminals can force a process to load a dynamic-link library. This can then influence the behavior of a program in a way its authors did not anticipate or intend. For example, it can run a password capture program.
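The screening step described above can be illustrated with a small pre-publication check. The following is an added example and not code from the original article or from any vendor it mentions: it makes a static pass over an ad creative's markup for invisible (1x1 or hidden) iframes, then applies rules to a behavior log recorded while the creative rendered in a sandbox, flagging the other indicators the list names (redirects to PDF documents, DLLs loaded from a network share, a library pushed into another process, and a keyboard hook). The event schema, the process names and the sample creative are all constructed for this example; a real sandbox would produce its own log format.

```python
"""Pre-publication screening of an ad creative (added example, constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import json


def _px(value):
    """Parse '1', '1px' or ' 300 ' into an int; None when the value is not numeric."""
    if value is None:
        return None
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdigit() else None


class IframeScanner(HTMLParser):
    """Static pass: collect iframes that are at most 1x1 or styled invisible."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        w, h = _px(a.get("width")), _px(a.get("height"))
        style = a.get("style", "").replace(" ", "").lower()
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.findings.append(("invisible_iframe", a.get("src", "")))


def scan_markup(markup):
    parser = IframeScanner()
    parser.feed(markup)
    parser.close()
    return parser.findings


def _is_pdf(url):
    # Decide on the URL path only, so query strings cannot hide the extension.
    return urlparse(url).path.lower().endswith(".pdf")


def scan_events(events, browser="browser.exe"):
    """Rule pass over sandbox events. Assumption: the sandbox logs only events
    attributable to rendering this creative, so any library load outside the
    browser process is treated as injection rather than as normal OS activity."""
    findings = []
    for e in events:
        kind = e.get("type")
        if kind == "navigate" and _is_pdf(e.get("url", "")):
            findings.append(("pdf_redirect", e["url"]))
        elif kind == "load_library":
            path = e.get("path", "")
            if path.startswith("\\\\"):            # UNC path: DLL served from a network share
                findings.append(("dll_from_share", path))
            elif e.get("process") != browser:      # library loaded into some other process
                findings.append(("dll_injection", f"{e.get('process')}:{path}"))
        elif (kind == "api_call" and e.get("name") == "SetWindowsHookEx"
              and "WH_KEYBOARD" in e.get("args", "")):
            findings.append(("keyboard_hook", e.get("process", "")))
    return findings


def screen_creative(markup, events):
    """Return a verdict for the creative; any finding blocks publication."""
    findings = scan_markup(markup) + scan_events(events)
    return {"verdict": "block" if findings else "allow", "findings": findings}


# Constructed sample creative and sandbox log (not real ad or malware data).
SAMPLE_MARKUP = """
<div class="ad"><img src="https://cdn.example.test/banner.png" width="300" height="250">
<iframe src="https://stage.example.test/x.html" width="1" height="1" frameborder="0"></iframe>
</div>"""

SAMPLE_EVENTS = [
    {"type": "navigate", "url": "https://cdn.example.test/landing.html", "process": "browser.exe"},
    {"type": "navigate", "url": "https://stage.example.test/offer.PDF?id=7", "process": "browser.exe"},
    {"type": "load_library", "path": "\\\\share.example.test\\pub\\helper.dll", "process": "browser.exe"},
    {"type": "load_library", "path": "C:\\Users\\Public\\x.dll", "process": "other.exe"},
    {"type": "api_call", "name": "SetWindowsHookEx", "args": "WH_KEYBOARD_LL", "process": "x.exe"},
]

if __name__ == "__main__":
    print(json.dumps(screen_creative(SAMPLE_MARKUP, SAMPLE_EVENTS), indent=2))
```

Run stand-alone, the sample produces a "block" verdict with five findings, one per indicator; the same rules return "allow" for a creative that is a plain image and a log containing only an ordinary navigation. The value of this structure over a block list is that the decision is made per creative and before the tag is ever served, regardless of which site or agency it came from.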

Identifying these potential malware infections early in the process also prevents any suspect ads from ever publishing, which is another solid advantage over block lists. Again, block lists only identify malicious code once it is live, and the odds are that by the time the problem is located, the malware criminals have already moved on to the next target.

Real-time detection and prevention of malware isn’t just the right thing to do, it’s good business as well. A top ad network recently decided to fight back against malware criminals by proactively screening ads exhibiting suspicious behaviors. Dramatically reducing the amount of malware on their network contributed to helping this company grow from the 30th rated network to breaking into the Top 10 and being able to raise its CPMs significantly. The cost of ad screening was minimal and saved the network considerable time and effort by not having to deal with the potential malware attacks and allowing them to focus on selling ads.

Malware is an industry problem that hurts everyone in our business. We are all responsible for providing a safe environment for the loyal viewers who consider the web part of their daily lives. Until we can find a better solution, proactive screening for malware is the only way for our industry to maintain the trust of the people who pay the bills — our audience.

