Endpoint
5/18/2010
03:40 PM
Connect Directly
RSS
E-Mail
50%
50%

Upstart Takes Aim At Malvertising Attacks

Dasient provides telemetry on infected Web ads, unveils new service to shorten life of malvertisements

When The New York Times started serving up infected ads from its website late last year, the security industry dubbed the new attack "malvertising" and added it to the list of threats faced by users.

Despite the attention, however, the attacks didn't stop. Gizmodo, TechCrunch, and WhitePages.com are just some of the publishers that have been hit since last year, and many ad networks and other experts say they aren't sure how widespread the problem has become -- or how to stop it.

An emerging security company now says it has answers on both fronts. In an announcement issued today, Dasient offered details on the scope of the malvertising problem, as well as a new service designed to help publishers and ad networks reduce the damage done by infected ads.

Dasient says it has built a "telemetry" system that uses behavioral-based technology to detect and monitor malvertising on the Web. The service helps ad networks and publishers pinpoint the sources of the infections, enabling them to shorten the life of bad ads on the Web.

"We can identify when a malvertisement is being served, and when we do detect it, we can provide a full trace of all the places that the ad traversed," says Neil Daswani, one of Dasient's three founders. The publisher or the ad network can then decide whether to immediately shut off traffic from the network that is serving the ad or take the time to identify the offending ads and eliminate them, he says.

Perhaps just as important, the Dasient technology provides a window to help the industry view the scope of the problem. The company estimates that approximately 1.3 million malicious ads are viewed per day, and that the average life of a malvertisement is about 7.3 days.

Fifty-nine percent of malvertising attacks are manifested as drive-by downloads that the user never sees, according to Ameet Ranadive, another one of Dasient's founders. The other 41 percent are expressed as scareware -- fake security messages that pop up on the user's screen and encourage the person to download new software to fight a detected infection.

Malvertisements are introduced in one of two fashions, according to the two founders. In one scenario, the attacker opens a new advertising account using valid names and credit information stolen from a company or individual and then replaces vetted ads with infected ads after the account is active. In the other scenario, an attacker breaks into the account of a current advertiser and then uses its credentials to introduce infected ads.

"A big part of the problem is the scope and complexity of the way online ads are distributed," Daswani says. "There are so many new ads being posted all the time, there's no way for the ad networks to manage all of them, so the advertisers themselves often are given the ability to post new creative themselves.

"Once the ad is posted, there is a lot of complexity in the way publishers and ad networks interact to ensure that every ad slot gets filled," Daswani observes. Some publishers contract with multiple ad networks, and many ad networks contract with other ad networks to optimize ad distribution and maximize revenue, he notes.

These complex interactions between advertisers, publishers, and ad networks can make finding an infected ad "like finding a needle in a haystack," Daswani says. Dasient's service is designed to track the bad ads as they cross a variety of domains, making it easier to identify them and stop the stream.

"The average lifetime of a malvertisement is 7.3 days," Ranadive says. "What we're trying to do is bring that number down, which reduces the threat and makes it less attractive for the bad guys."

The new service could also help ad networks and law enforcement to identify the source that uploaded the malvertisement in the first place, Daswani says. "Some networks, like Google, have a zero-tolerance policy that allows them to take an advertiser out of the network if they introduce an infected ad," he notes.

The service is available now and can be combined with Dasient's Web anti-malware service (WAM), which was introduced earlier this year.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-0889
Published: 2014-07-29
Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite (aka Atlas Policy Suite), as used in Atlas eDiscovery Process Management through 6.0.3, Disposal and Governance Management for IT through 6.0.3, and Global Retention Policy and Schedule Management through 6.0.3, allow remote atta...

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3020
Published: 2014-07-29
install.sh in the Embedded WebSphere Application Server (eWAS) 7.0 before FP33 in IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions for the installRoot directory tree, which allows local users to gain privileges via a Trojan horse program.

Best of the Web
Dark Reading Radio