Google DoubleClick Unknowingly Served Up Malicious Ad

JavaScript-based drive-by attack automatically infected website visitors with fake antivirus

By Kelly Jackson Higgins
DarkreadingOriginal Article

Major online ad network Google DoubleClick this month inadvertently posted a malicious advertisement on websites that infected users visiting sites running the ad.

This was no typical malvertising campaign attack, says Wayne Huang, CTO and researcher at Armorize, who discovered the threat. The ad automatically installs a rogue antivirus program on the victim’s computer and holds it for ransom until the user purchases software to “fix” it.

“It’s a JavaScript program that tries to exploit multiple vulnerabilities in your browser. It will succeed and then a malicious program is installed without the website or malicious ad tricking you to” install it,” Huang says.

The malicious program includes both a backdoor Trojan and the fake AV. “It’s a real Windows program, and if you try to execute another program, it won’t let you do anything. It tells you your hard disk is failing,” he says.

The malware in question is HDD Plus, which has been mysteriously spreading around the Internet during the past few days, including via, according to Armorize. “A lot of people were talking about it, but no one said one of the means it was spreading was through DoubleClick,” Huang says.

The attackers used a name similar to the legitimate AdShuffle online ad firm, but with an extra letter “f,” just enough to fool DoubleClick into posting the ad on websites. The ads first appeared around Dec. 4, and DoubleClick had caught and removed the malicious ad, which featured greeting cards as well as other items, by Dec. 8, according to Huang, who says he doesn’t know how many users might have been infected.

The malware targets Internet Explorer, but it also uses exploits that go after PDF plug-in flaws in other types of browsers. Huang says most AV packages should detect the malware now. The attack demonstrates just how easy malvertising attacks can be executed, he says.

“You don’t need to compromise a website, just submit an ad on an exchange,” he says. “It’s as easy as registering a similar domain name as an existing advertiser.”

Jonathan: This is exactly the reason why every computer needs a good anti-virus program installed.  More than that, it illustrates the importance of having all Windows Updates performed along with regular application maintenance.

While no security system is completely hacker-proof, having an updated anti-virus program is at least a line of defense.  The days where you had to visit a “bad” site to get a virus are gone.  Viruses don’t just come from adult sites or sites with questionable content anymore.   At Greyhound, we’ve received similar reports in the past where users were browsing reputable news sites or sites relevant to their business and ended up with viruses on their PCs.

Consider this: the average amount of time it takes to remediate a virus attack is in the neighborhood of 4-6 hours.  It can be less, or more depending on the virus and the severity.  During that time, that employee cannot complete their work.  Also consider the rate of recurrence on many of these viruses.   Compare that productivity loss and repair cost with a regular maintenance cycle.  A little prevention goes a long way.

Comments are closed.