Banner hijacking still going strong - Adrants now victim to uplothario campaign.

I've bored you with this before: Worst banner ad ever, System doctor takes over your browser and Hacking web banner networks sends banner ads from hated to feared. Well, that redirect trick is still appearing in flash banners on ad networks everywhere it seems - just a few days ago fellow adblogger Adrants.com had the misfortune of carrying one of those buggers. Steve's in good company, according to Wired's Hackers Use Banner Ads on Major Sites to Hijack Your PC article on December 17th, "The malware-spiked ads have been spotted on various legitimate websites, ranging from the British magazine The Economist to baseball's MLB.com to the Canada.com news portal."

Here's what one of these banner-hijacks looked like in action.


To be clear: the site you are redirected to does not actually scan your computer, it's just a fancy flash animation designed to scare the bejesus out of gullable people. I get the same generic windows scan as anyone else, and my mac has no .dll files or .exe files. Mmmkay? Don't panic.


Far more sinister is the fact that they ask you to download something, and either remove the "cancel" button or worse, make the cancel-button just read "cancel" but do the opposite. Windows people, use alt-f4 to close the dang window.


Once you've downloaded whatever it is they want you to download, you still have to install that stuff (unless your computer is set to do such things automatically and oh dear god, please fix that if that is the case!). Simply do not install anything from an untrusted site, ever. Don't run the .exe. Throw it away!


The banner on adrants, and sister site Marketingvox was fortunately caught very early in its run despite the holidays - Marketingvox posted about it here: Marketingvox snookered by Trojan horse. Also, the campaign ran with a cap of one impression per visitor which explains why no matter how hard I tried, I never managed to get hijacked again when I kept reloading hoping to find the banner ad that caused it. Steve and co saved the banner though and let me have it so I could open it up and see how it worked - unlucky for me the authors of the flash file had naturally run it through SWF Encrypt™ 4.0 (or similar) so all I got from the file was junk. (I tried flare, flasm, flash decompiler trillix, and Gordon if anyone has other suggestions).

I did see the banner in action though, and what it did to me was take me for this little ride (don't go to these links unless you know what you're doing).

1. Force redirect me to:
https://akamahi.net/statsg.php?u=1198490153&campaign=uplothario

2. which then went to:
https://blessedads.com/?cmpid=uplothario&adid=728

3. and presto - we're at the scanner2 site:
https://scanner2.malware-scan.com/3_swp/scan.php?tmn=null&aid=&lid=&affi...
uplothario_ma3_mb1&lid=728&affid=&ax=1&ed=2&mt_info=3958_0_11471

And that was the site that showed me a fancy flash animation about all the infected files I might have on my Windows Vista (hahaha!).

To a fellow over at Marketinvox it did a similar thing;
1. Forced redirect to: https://akamahi.net/statsg.php?u=1198490153&campaign=uplothario

2. The browser window is then closed, and another one is opened, leading to:
https://performanceoptimizer.com/.landing/index.php?4656530f4c135e594c59...
b3d535d480a0a4246090d0d510401144256025450054507444d6d4a55414351450d0b081e00480b0b57
47405b070905145a0e0f07

3. A popup also comes up with some "performance optimization"... spyware:
https://www.symantec.com/security_response/writeup.jsp?docid=2007-101013...


Interesting - so you're directed to different places seemingly randomly, but the campaign is called "uplothario".


How come ad banners networks let this happen?
They've been had, just like you. The flash banners look innocent and are usually made out as an ad for an innocent third party site (which is why I'm not mentioning which banner set this off, as they probably had nothing to do with it). When the ad banner network receives the banner and looks at it, it acts like it should, taking you to the correct (ie; advertisers) site when clicked on. It is only after a specific amount of viewings that the hijack kicks into gear, or in some cases it seems to react on IP#'s so it'll only show up for people who are in say, Europe, like me. These ad banners are often bought at the end of the month when ad sales people are eager to fill their quota as well so they may take advantage of the fact that people are simply in a hurry then. Also, this one seems to have been carefully timed to run over the holidays possibly hoping for a longer run due to people having time off. Little do they know that ad people never take time off. ;) But yes, ad banners networks who sell the banner-space need to have more scrutinized screening processes, this much is obvious. A simple cure would be to ban all flash files that have been encrypted or obfuscated so that the source can not be read. It's so obvious of a solution that nobody will do it. If you serve banners you should demand that your banner network do this as a service to you - after all it is your readers who get hijacked and they'll assume (kinda correctly) that it is your sites fault and might not return. Alternatively, refuse to serve flash based banners, only gif animations and text ads.


What can you, dear surfer, do to protect your computer from these banners?
The really easy way to make yourself immune is to uninstall Flash, but the web would be a lot less fun without it - here is How to uninstall the Adobe Flash Player plug-in and ActiveX control if you are so inclined though. You might also want to have a look at Flash Player security and privacy.


Firefox users - get the NoScript addon which guards the "trust boundaries" against cross-site scripting attacks (XSS). Also get Adblock. With both of these you can set some sites to be trusted (such as your bank, for instance) and not have them affected by the addons.


Internet Explorer, managing add-ons
Open up Internet Explorer and select Tools > Manage Add-ons.
Depending on your version of IE, the options might vary a bit.

Select the Shockwave Flash Object and set its status to disabled. Ok the boxes and restart Internet Explorer as required.

Internet Explorer add-ons: frequently asked questions

How to Configure Enhanced Security Features for Internet Explorer from Windows XP SP2

How to manage Internet Explorer add-ons in Windows XP Service Pack 2
You could also as mentioned before kill Flash forever on Windows - of course, if you do this, you'll have no flash at all.
How to stop an ActiveX control from running in Internet Explorer.
Use Flash kill
And you can use Spyware blaster.


Safari users
Mac Leopard users meet SafariPlus with it you have the options to decide if you want to not run flash at all, or only run flash from the domain you are actually visiting. Since Safari often hates flash anyway, I'm sure you'll like this new toy!
There's also adblockers like PithHelmet & Safari adblock.


Hang on a second, if I block all the ads, and all the flash aren't I "stealing content" like that daft Turner CEO said about TiVo?
Well, yes actually. Sites who make their living off ad banners in any way, by view or by click, won't be making any money if nobody sees or clicks the ads obviously. This is why it is really important that the ad banner networks who sell the ad space and approve the banners start implementing proper checks to prevent these nasty banners from appearing. I keep saying this, and you know its true. If every internet surfer ever blocked every ad ever (which is such a blissful way to surf mind you, give it a go!) the websites currently thriving on banners need to find a new way to generate income and fast. This isn't your problem though, is it?

So is this why you don't like embedding things like films and banners from third party sites?
Why, it is as if you've known me forever. Yes, allowing third-party embeds opens up a can of worms of security issues that I am not comfortable with. I'm a paranoid fucker. However the web has become a big mesh of embedding and fetching from all over so it would be rather strange if we didn't do it from time to time. Ce'st la vie.

Comments (17)

Leave a comment

about the author

Dabitch Creative Director, CEO, hell-raising sweetheart and editor of Adland. Globetrotting Swede who has lived and worked in New York, London, San Francisco, Amsterdam, Copenhagen and Stockholm.