How does a rogue ad network function?

It’s a well known fact that a considerable chunk of Internet traffic is bogus, made by infected computers that visit sites and click on adverts chosen by malicious actors.

Malwarebytes’ researchers have recently analyzed the workings of one ad network that has obviously been set up to earn its handlers money in two different way: bogus ad-clicking, and by delivering malware. The researchers call this approach “double dipping.”

This particular ad network – Aadserver (“Australian Ad Sever”) – promises quality advertising placement, but its website should raise a few warning flags: poor spelling, some of the text has been copied from Wikipedia, contact email accounts are all opened with free webmail providers, etc.

Nevertheless, some people fall for it, and pay them to place their ads. Unfortunately for them, these ads will be clicked on mostly by infected computers and seen by too few actual users, i.e. potential customers.

The ad network and the owners of the sites that use it will earn a commission for leading a potential customer to a business – or for appearing to do so.

But the owners of the ad network also use it to propagate malware. Sometimes it is their own, and sometimes they are paid to deliver malware that will be used by others.

In order to lead users to the malware, they use Flash ads that contain malicious javascript code that redirects users to a page hosting the RIG exploit kit. The kit tries to detect Flash or Silverlight vulnerabilities on the visitor’s computer and exploit them. If successful, it drops a malicious binary.

Of course, this scheme would be easy to detect and stop were it not for the fact that the ad network’s owners use some clever techniques to keep these actions hidden from security researchers.

For one, the redirection code in the Flash ad is not malicious, per se. Also, the redirection only occurs once per IP address, making it more difficult for researchers to replay the attack. Finally, they also employ checks that detect if the visitor’s computer is incompatible with the malware they serve or if a debugger is running on it, and don’t redirect the user if that’s the case.

“At the end of the day, this is yet another case of malvertising. This particular ad may have been placed on a number of websites, big and small and leading to several thousand infections,” says Segura, and advises users to protect themselves from this type of threats by either disabling Flash or by using an extension that will block executable content from untrusted domains or altogether.

Don't miss