Banner hijacking still going strong - Adrants now victim to uplothario campaign.

I've bored you with this before: "Worst banner ad ever", "System doctor takes over your browser" and "Hacking web banner networks sends banner ads from hated to feared". Well, that redirect trick is still appearing in flash banners on ad networks everywhere, it seems - just a few days ago fellow adblogger Steve had the misfortune of carrying one of those buggers. Steve's in good company; according to Wired's December 17th article "Hackers Use Banner Ads on Major Sites to Hijack Your PC", "The malware-spiked ads have been spotted on various legitimate websites, ranging from the British magazine The Economist to baseball's to the news portal."

Here's what one of these banner-hijacks looked like in action.

To be clear: the site you are redirected to does not actually scan your computer, it's just a fancy flash animation designed to scare the bejesus out of gullible people. I get the same generic Windows scan as anyone else, and my Mac has no .dll or .exe files. Mmmkay? Don't panic.

Far more sinister is the fact that they ask you to download something, and either remove the "cancel" button or, worse, make the cancel button read "cancel" but do the opposite. Windows people, use Alt-F4 to close the dang window.

Once you've downloaded whatever it is they want you to download, you still have to install that stuff (unless your computer is set to do such things automatically and oh dear god, please fix that if that is the case!). Simply do not install anything from an untrusted site, ever. Don't run the .exe. Throw it away!

The banner on Adrants and sister site Marketingvox was fortunately caught very early in its run despite the holidays - Marketingvox posted about it here: Marketingvox snookered by Trojan horse. Also, the campaign ran with a cap of one impression per visitor, which explains why, no matter how hard I tried, I never managed to get hijacked again when I kept reloading hoping to find the banner ad that caused it. Steve and co saved the banner though and let me have it so I could open it up and see how it worked - unlucky for me, the authors of the flash file had naturally run it through SWF Encrypt™ 4.0 (or similar), so all I got from the file was junk. (I tried Flare, Flasm, Flash Decompiler Trillix and Gordon, if anyone has other suggestions.)

I did see the banner in action though, and what it did to me was take me for this little ride (don't go to these links unless you know what you're doing).

1. Force redirect me to:

2. which then went to:

3. and presto - we're at the scanner2 site:

And that was the site that showed me a fancy flash animation about all the infected files I might have on my Windows Vista (hahaha!).

To a fellow over at Marketingvox it did a similar thing:
1. Forced redirect to:

2. The browser window is then closed, and another one is opened, leading to:

3. A popup also comes up with some "performance optimization"... spyware:

Interesting - so you're directed to different places seemingly randomly, but the campaign is called "uplothario".

How come ad banners networks let this happen?
They've been had, just like you. The flash banners look innocent and are usually dressed up as an ad for an innocent third party site (which is why I'm not mentioning which banner set this off, as they probably had nothing to do with it). When the ad banner network receives the banner and looks at it, it acts like it should, taking you to the correct (i.e. the advertiser's) site when clicked. It is only after a specific number of viewings that the hijack kicks into gear, or in some cases it seems to react to IP numbers, so it'll only show up for people who are in, say, Europe, like me.

These ad banners are often bought at the end of the month, when ad sales people are eager to fill their quota, so the buyers may be taking advantage of the fact that people are simply in a hurry then. Also, this one seems to have been carefully timed to run over the holidays, possibly hoping for a longer run due to people having time off. Little do they know that ad people never take time off. ;)

But yes, the ad banner networks who sell the banner space need stricter screening processes, this much is obvious. A simple cure would be to ban all flash files that have been encrypted or obfuscated so that the source cannot be read. It's such an obvious solution that nobody will do it. If you serve banners you should demand that your banner network do this as a service to you - after all, it is your readers who get hijacked, and they'll assume (kinda correctly) that it is your site's fault and might not return. Alternatively, refuse to serve flash-based banners and only run gif animations and text ads.
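What the screening asked for above could start with looks like the following. This is an added example, not code from Adland, Adrants or any ad network: it parses the SWF container (FWS or zlib-compressed CWS), walks the tag list, decodes the AVM1 bytecode in DoAction and DoInitAction tags, lists every URL a getURL can reach, and flags strings that are mostly unreadable bytes as well as URLs assembled at runtime. The tag and action codes are the ones from the SWF format specification; the two sample banners, the .test domains and the 30% unreadable-bytes threshold are constructed for the example.

```python
"""Screen a Flash (SWF) banner for redirect and obfuscation indicators.
Added example, not code from the Adland post or any ad network: walks the SWF tag
list and the AVM1 bytecode in DoAction/DoInitAction tags, lists every URL a getURL
can reach, and flags unreadable strings and runtime-built URLs. Fixtures are constructed.
"""
import struct
import zlib
from urllib.parse import urlparse

TAG_END, TAG_DO_ACTION, TAG_DO_INIT_ACTION = 0, 12, 59          # SWF tag codes
ACT_GET_URL, ACT_CONSTANT_POOL, ACT_GET_URL2 = 0x83, 0x88, 0x9A  # AVM1 action codes


def parse_swf(data):
    """Return (version, [(tag_code, tag_body), ...]) for an FWS or CWS file."""
    sig, version = data[:3], data[3]
    if sig not in (b"FWS", b"CWS"):
        raise ValueError("not a SWF file")
    body = zlib.decompress(data[8:]) if sig == b"CWS" else data[8:]
    nbits = body[0] >> 3                      # RECT: 5-bit field width, then four fields
    pos = (5 + 4 * nbits + 7) // 8 + 4        # skip RECT, frame rate (u16), frame count (u16)
    tags = []
    while pos + 2 <= len(body):
        header, pos = struct.unpack_from("<H", body, pos)[0], pos + 2
        code, length = header >> 6, header & 0x3F
        if length == 0x3F:                    # long record header: a u32 length follows
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == TAG_END:
            break
    return version, tags


def iter_actions(blob):
    """Yield (action_code, payload) records until ActionEnd (0x00)."""
    pos = 0
    while pos < len(blob) and blob[pos] != 0:
        code, length, pos = blob[pos], 0, pos + 1
        if code >= 0x80:                      # only codes >= 0x80 carry a u16 payload length
            length, pos = struct.unpack_from("<H", blob, pos)[0], pos + 2
        yield code, blob[pos:pos + length]
        pos += length


def _cstrings(payload):
    """Split a run of NUL-terminated strings, dropping the trailing empty piece."""
    parts = payload.split(b"\x00")
    return parts[:-1] if parts and parts[-1] == b"" else parts


def _unreadable(s):
    """True when more than 30% of a string is non-printable, as obfuscator output tends to be."""
    return bool(s) and sum(b < 0x20 or b > 0x7E for b in s) / len(s) > 0.3


def screen_banner(data, advertiser_domain):
    """Screen one banner against its declared click-through domain; returns findings plus a verdict."""
    version, tags = parse_swf(data)
    f = {"version": version, "urls": [], "off_domain": [], "dynamic_url": False, "unreadable_strings": 0}
    for code, body in tags:
        if code not in (TAG_DO_ACTION, TAG_DO_INIT_ACTION):
            continue
        actions = body[2:] if code == TAG_DO_INIT_ACTION else body   # DoInitAction leads with a sprite id
        for act, payload in iter_actions(actions):
            if act == ACT_GET_URL:            # getURL("static url", "target window")
                f["urls"].append((_cstrings(payload) or [b""])[0].decode("latin-1"))
            elif act == ACT_GET_URL2:         # URL assembled on the stack at runtime
                f["dynamic_url"] = True
            elif act == ACT_CONSTANT_POOL:    # u16 count, then the strings
                for s in _cstrings(payload[2:]):
                    if _unreadable(s):
                        f["unreadable_strings"] += 1
                    elif s[:4].lower() == b"http":
                        f["urls"].append(s.decode("latin-1"))
    for url in f["urls"]:
        host = urlparse(url).hostname or ""
        if host != advertiser_domain and not host.endswith("." + advertiser_domain):
            f["off_domain"].append(url)
    # getURL(clickTAG) also compiles to GetURL2, so a dynamic URL alone means "review", not "reject"
    f["verdict"] = ("reject" if f["off_domain"] or f["unreadable_strings"]
                    else "review" if f["dynamic_url"] else "accept")
    return f


def _tag(code, body):
    """SWF RECORDHEADER: 10-bit code, 6-bit length, long form once the body reaches 63 bytes."""
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body


def _action(code, payload=b""):
    return bytes([code]) + (struct.pack("<H", len(payload)) + payload if code >= 0x80 else b"")


def build_swf(action_bodies, compress=False):
    """Assemble a minimal SWF fixture: zero-size RECT, 12 fps, one frame, the given DoAction bodies."""
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1)
    body += b"".join(_tag(TAG_DO_ACTION, a) for a in action_bodies) + _tag(TAG_END, b"")
    head = struct.pack("<I", 8 + len(body))
    return b"CWS\x07" + head + zlib.compress(body) if compress else b"FWS\x07" + head + body


# Constructed fixtures with made-up .test domains: an ordinary click-through, and one that
# looks the same but also carries an unreadable constant pool and an off-domain redirect.
ADVERTISER = "example-advertiser.test"
CLEAN_BANNER = build_swf([
    _action(ACT_GET_URL, b"http://www.example-advertiser.test/landing\x00_blank\x00") + _action(0)])
SUSPECT_BANNER = build_swf([
    _action(ACT_GET_URL, b"http://www.example-advertiser.test/\x00_blank\x00")
    + _action(ACT_CONSTANT_POOL, struct.pack("<H", 2) + b"\x01\x7f\xc3\x9e\x02\x11\x00"
              + b"http://redirect.example-hijack.test/scanner\x00")
    + _action(0)], compress=True)
```

`screen_banner(SUSPECT_BANNER, ADVERTISER)` comes back with verdict "reject", the off-domain scanner URL and one unreadable string, while the clean banner gets "accept". Two caveats a network operator would care about: a static check like this cannot see the impression-count or IP gating described above, because that decision is made by the server the banner calls out to, which is exactly why refusing anything whose source cannot be read is the stronger rule; and the example decodes only ConstantPool strings and AVM1 tags, so ActionPush literals and ActionScript 3 (DoABC) banners would need the same treatment before it was used in production.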

What can you, dear surfer, do to protect your computer from these banners?
The really easy way to make yourself immune is to uninstall Flash, but the web would be a lot less fun without it - here is How to uninstall the Adobe Flash Player plug-in and ActiveX control if you are so inclined though. You might also want to have a look at Flash Player security and privacy.

Firefox users - get the NoScript addon which guards the "trust boundaries" against cross-site scripting attacks (XSS). Also get Adblock. With both of these you can set some sites to be trusted (such as your bank, for instance) and not have them affected by the addons.

Internet Explorer, managing add-ons
Open up Internet Explorer and select Tools > Manage Add-ons.
Depending on your version of IE, the options might vary a bit.

Select the Shockwave Flash Object and set its status to disabled. Ok the boxes and restart Internet Explorer as required.

Internet Explorer add-ons: frequently asked questions

How to Configure Enhanced Security Features for Internet Explorer from Windows XP SP2

How to manage Internet Explorer add-ons in Windows XP Service Pack 2
You could also, as mentioned before, kill Flash forever on Windows - of course, if you do this, you'll have no flash at all.
How to stop an ActiveX control from running in Internet Explorer.
Use Flash kill
And you can use Spyware blaster.

Safari users
Mac Leopard users, meet SafariPlus: with it you can choose not to run flash at all, or to run flash only from the domain you are actually visiting. Since Safari often hates flash anyway, I'm sure you'll like this new toy!
There's also adblockers like PithHelmet & Safari adblock.

Hang on a second, if I block all the ads, and all the flash aren't I "stealing content" like that daft Turner CEO said about TiVo?
Well, yes actually. Sites who make their living off ad banners in any way, by view or by click, obviously won't be making any money if nobody sees or clicks the ads. This is why it is really important that the ad banner networks who sell the ad space and approve the banners start implementing proper checks to prevent these nasty banners from appearing. I keep saying this, and you know it's true. If every internet surfer ever blocked every ad ever (which is such a blissful way to surf, mind you, give it a go!) the websites currently thriving on banners will need to find a new way to generate income, and fast. This isn't your problem though, is it?

So is this why you don't like embedding things like films and banners from third party sites?
Why, it is as if you've known me forever. Yes, allowing third-party embeds opens up a can of worms of security issues that I am not comfortable with. I'm a paranoid fucker. However, the web has become a big mesh of embedding and fetching from all over, so it would be rather strange if we didn't do it from time to time. C'est la vie.

tod.brody's picture

OK, well I installed SafariPlus, and it totally f'd up Safari for me. So I'll take my chances without it.

Dabitch's picture

Wow, yeah that was a dud unless you're running Leopard which you are not. Outdated.

Another option then is PithHelmet & Safari adblock. I'll fix the article since people are probably not on Leopard any longer.

tod.brody's picture

No worries. it was worth a try. I'll take a shot at these two and report back. :-)

kamari's picture

This is serious, if the ad banner networks don't protect against this it'll become the new SPAM and no site will be safe.

Also, what responsibility does Macromedia have in it? Their flash allows for such tricks. Can they prevent this by disabling such code? Should they?

Dabitch's picture

Since I couldn't read the code, I don't know how this is done exactly but I'm guessing there's some java built into the banner doing a 302 redirect at loading of said banner. Disabling something like that might not be good for Flash, since I expect Flash programmers might use it in creating sites. Putting all the blame on Flash is wrong, I think, since really it is the ad banner networks who should be screening the banners.

However, from what I gather Flash 8 (released a year or so ago) was released with a security vulnerability, and if that is the cause of the redirects, then by all means get mad at Macromedia. If I could read the code, we'd know if they were using that or not.

backwrite's picture

Ask, I love that you keep us updated on this stuff. THANK YOU.

Now, I want to make sure I've got this right. I've got Spybot and various AVG components. Do I still need Adblock?

John Backman

Dabitch's picture

My pleasure (kind of) John. I see many articles out there that spread FUD as they don't explain what is really going on or are so vague that they're easily misunderstood.

And yes, you'll need adblock anyway. While Spybot and various AVG's are very useful for other scenarios, like when you choose to download things off the web and/or when you receive files via email (which you download to your computer) such as .jpg's or whatever else people are attaching these days - these hijacks aren't really about the download.

These banners are on trusted sites where you might surf, and while they entice you to download their crap and more or less force you to, you don't have to do it, and then even if you do, you don't have to install the crap that they made you download (this is where your AVG kicks in anyway). The "scan" they do on your computer is nothing but a flash animation, they don't actually scan your computer. It's social engineering in that they convince you to click "agree" on a download button when in fact, you do not have to. Alt-F4 away from that baby.

But that redirect trick they pull on you is nasty in the first place, I mean there you are minding your own business going to read the baseball score when your browser is suddenly nowhere to be seen and some kinky alert window yells at you that you have a virus with extra exclamation marks. Then your browser re-appears (after you click cancel or continue on that alert window) and it takes you straight to a site where they tell you to download this snake oil of theirs, and the site itself may even force a download on you. Like I said, you don't have to install anything you get, so you're still fine. But that hijacking thing is scary looking, not to mention annoying as hell. Now you're no longer reading baseball scores, which is all you wanted to do. It disrupts your surfing.

To avoid being hijacked you can:

- keep a constantly updated hosts file that prevents your computer from ever going to the hijackers sites. Since they change URL's like other people change underwear though, this would be a time consuming thing you'd probably have to update weekly, plus it won't stop you from being hijacked to unknown new URL's.

- Disable flash all together. No flash = no ad banners = no hijacking. But the web would be poorer for it. Overkill, really.

- Ad block every damn ad banner ever. No ad banners = no flash ad banners = no ad flash banners that hijack you. All good!

And yep, this will put a dent in the ad supported sites budgets but I think it is high time users kick back. Ad blockers aren't the smartest pieces of software out there sadly (recall we changed our URL as was constantly blocked) but it's a lot better than surfing unprotected.

If you use Adblock for Firefox there is an updated extra list called FiltersetG for it that will get you started off nicely blocking pretty much every ad on the internet today.

Dabitch's picture

More info. When I'm using Noscript with Firefox on Adland I keep finding small quirks (only now, after site upgrade) such as not seeing a commercial despite setting noscript to allow Adland. When I figure out why that happens and how I can fix it I'll let y'all know, but if you're seeing the same please let me know. Perhaps there is something I can do on the site to avoid that.

Imanaddy's picture

You're letting the sites off a little too easy I think with the "they've been had, just like you". They hired whatever advertising networks, all of varying reputation, levels of annoying-ness, etc. They negotiated the terms of the contract, which could have required vetting of ads by said network. They had the power to choose between text, GIF, and Flash based ads. They benefit financially from the presentation of those ads.

So, again tell me who is responsible for ME getting an infected PC visiting that website? If GM makes a car and the wheel falls off because Bob's Bolts sold them defective bolts, I can still sue GM for selling me a car on the reasonable assumption that GM would test bolts before putting them in a hundred thousand vehicles...and GM made the decision to buy from that particular supplier.

The way the world works is: I sue GM. GM then sues Bob's Bolts for damages (ie to reputation, the money they had to give me and spend on legal defense, cost of recall, etc.) Bob's Bolts then may sue Smith's Steel for selling them crappy steel.

Or, in this case: I sue The Economist for infecting my machine. The Economist turns around and sues Doubleclick or Adbrite or whatever network it was for providing malicious ads. Doubleclick may then turn around and sue the company that made the malicious ads, for violating the terms of contract with Doubleclick/adbrite/Whatever specifying no malicious content.

adlib's picture

I agree partly with what Imanaddy is saying. If "respectable sites" are showing these ads they are responsible. If I go to the Economist website, and my browser gets hijacked I damn well will hold the economist responsible for the hijack. Sites should take much more care in checking what kind of banners they are running. Like you say it is so easy to avoid. Don't run flash banners.

Dabitch's picture

Yeah, fair enough I see your points (though suits will be difficult, since every time someone figures out who placed the bad banner they seem to always find a full voice-mail box in Germany or Switzerland or something, so the trail to the culprit always seems to be a real dead end.) In the end the web publisher (economist, adrants, or whomever) should hold the ad banner network (adbrite, doubleclick, Openads, whomever) responsible for pissing off their readers and yes, I think they should drop the networks at once as I keep finding these ads, no matter what "security" the networks claim to have in place. If it happens once, cancel using that network.

Course, a few sites can't afford to cancel their ad support. Just saying.

But, since I keep running into the ads, and I don't use banner networks here (except google textads for non logged in users, never image ads, ever), I find myself on the user level, just being annoyed that when I google something up and go to a site I don't know, my browser is hijacked almost every other day now. What can we do to protect ourselves from this trick that is so popular by now? Ban all ads. That's about it - never accept anything called from openads or adbrite or whatever network. We don't know which network is carrying these banners, and since these banners look innocent to them, we can assume that all ad banner networks do at some point.

My Safari is the browser that I leave ads on it because sometimes I want to see the banners (I write about banners on occasion) but that's become a real pain as it is constantly hijacked. My main browser is Firefox and patched with adblock and noscript (which is a bit extra paranoid actually). I seldom use Flock, don't have Opera or IE. People who use those browsers and have a good way to lock it down please chime in as this post has been googled many times for information, most likely by people who want to prevent seeing these banners again.

Sport's picture

The malware-spiked ads have been spotted on various legitimate websites, ranging from the British magazine The Economist to baseball's to the news portal. Hackers are using deceptive practices and tricky Flash programming to get their ads onto legitimate sites by way of DoubleClick's DART program. Web publishers use the DoubleClick-hosted platform to manage advertising inventory.

Funny how websites are really quick to enforce their copyrights, but when it comes to checking the crap they serve to their visitors, such as banners, they point the finger at the ad networks. And the ad networks say "we tightened security" and then it happens again and again and again. You speak the truth when you say that no ad network should accept any flash banner where the source can't be read - there is no reason for any ad network to accept obfuscated action scripts! This has been going on for almost a year now; regular Joe websurfer needs to fight back. Install ad blockers. Stop surfing sites with flashing banners. Email the site publishers and tell them why. Power to the people.

Sport's picture

Oh and thanks Dabs for posting these articles from an advertisers point of view. Web sites dedicated to internet marketing are ignoring the big picture of these hijacks. If internet users ban all ads, there will be no ad revenue on the net, and you are right to warn about the danger of this happening.

Dabitch's picture

Headlines like this are probably great for getting readers - but they spread misunderstandings. Malware-Laced Banner Ads At MySpace, Excite. Malware-laced? Uhm, Okay, if that's what you want to call it. Look, the banners are flash + java + flash action script. No malware yet, unless suddenly a redirect is counted as "malware" and that ain't right. The banner does a redirect to another site and then begs you in all sorts of ways to download and install the malware. It's not "in" the banner. I guess you could say "malware-laced" if you really want to, but it's pretty clear that people misunderstand how the banners work and I think it is in large part due to headlines like that.

Sure sure, I called it "banner hijack" but I think hijacking is an appropriate term as the redirect takes you from the site you wanted to go, to a totally different site. That's hijacking, right?

anyway, I was just reading that to see that indeed, the banner hijack game is still active and now and search portal carried said bad banners.

According to analysis by malware researcher Adam Thomas at Sunbelt Software, malicious banner ads on MySpace are pushing down some of the most nefarious and difficult-to-remove adware and spyware around, including Virtumonde, WinFixer, and ClickSpring, as well as a bunch of Trojan horse programs that are very poorly identified and detected by anti-virus programs at the moment.

Imanaddy's picture

Update, we have a new office policy in place, Flash has been de-installed on all computers. This happened after our CEO got hijacked and downloaded the malware and installed it. The IT department aren't taking any chances with the rest of us. The only people who still have flash are the site designers but they have limited internet instead.

Dabitch's picture

Ouch, that's going a bit far isn't it? They could have achieved the same effect if they disabled all javascript instead. (Though both options make the web a lot less fun).

tod.brody's picture

If companies have to start deleting and disabling software every time a CEO has a problem with it, there's going to be a huge problem. Some companies will even be deleting Word and Excel.