Monday, June 25, 2007 8:35 AM
SANS Internet Storm Center - Active Banner Ads
Last Updated: 2007-06-23 02:03:21 UTC
by Marcus Sachs (Version: 2)
One of our readers, Walter, wrote to us today with a request to owners of websites: please block any third-party advertisements that contain scripts or any form of mobile code.
Why? Well, consider this scenario:
1) Sleazy vendor (or rogue affiliate) "rents" compromised home computers from a bot-farmer.
2) Sleazy vendor submits to an adserver an innocent-looking ad for some legitimate-looking product, totally unrelated to the malware.
An example of malware-via-adserver is detailed at
This is not a new problem. We have covered cases like this in the past, where an entire ad server gets compromised and the advertisements it generates contain malware that gets injected via an iframe. The correct solution is to accept only images from advertisers, each linked to another website, and no mobile code. You clearly can't control what happens on that website, but at least no mobile code is injected into your users' browsers just because they visited you.
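One way a site owner could enforce the "linked image only, no mobile code" rule on submitted ad markup is an allowlist check like the one below. This is an added example, not code from the diary or from SANS; the policy details (one `<a>` and one `<img>`, the permitted attributes, the `check_creative` name) and the sample submissions are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy (not from the diary): one <a> and one <img>, nothing else.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}

def is_http_url(value):
    """True only for absolute http:// or https:// URLs."""
    try:
        parts = urlparse((value or "").strip())
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)

class CreativeChecker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.problems, self.count = [], {"a": 0, "img": 0}

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_ATTRS:
            # script, iframe, object, embed, style, ... are all rejected here
            self.problems.append(f"element <{tag}> is not allowed")
            return
        self.count[tag] += 1
        for name, value in attrs:
            if name not in ALLOWED_ATTRS[tag]:
                # covers on* event handlers and inline style attributes
                self.problems.append(f"attribute {name} on <{tag}> is not allowed")
            elif name in ("href", "src") and not is_http_url(value):
                self.problems.append(f"{name} on <{tag}> must be an absolute http(s) URL")

    def handle_comment(self, data):
        # comments can carry conditional markup, so the allowlist rejects them
        self.problems.append("comments are not allowed")

def check_creative(markup):
    """Return a list of policy violations; an empty list means accept."""
    checker = CreativeChecker()
    checker.feed(markup)
    checker.close()
    problems = list(checker.problems)
    if checker.count != {"a": 1, "img": 1}:
        problems.append("expected exactly one link and one image")
    return problems

if __name__ == "__main__":
    # Constructed sample submission, not taken from any real ad network
    sample = '<a href="https://advertiser.example/"><img src="https://advertiser.example/b.gif"></a>'
    print(check_creative(sample) or "accepted")
```

The check rejects anything not explicitly permitted rather than searching for known-bad tags, so markup it does not recognise fails closed.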
One of our readers reminded us that Mozilla has a plug-in that allows Firefox readers to reject ads. Also, I should have plugged a solution I've been using on my own computers for a few years - modifying your hosts.txt file to point all of the known ad servers at 127.0.0.1. Details are on MVPS.
Marcus H. Sachs
Director, SANS Internet Storm Center
Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc