Malware delivered by Yahoo, Fox, Google ads

Researchers at Avast are pointing fingers at large ad delivery platforms for serving up infected ads in new "malvertising" trend.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read
These charts show incidences of malware distributed by a number of ad delivery platforms over a six-day period last month that were detected by Avast. Yahoo and Fox have the highest counts. Avast

Malware that exploits holes in popular applications is being delivered by big ad delivery platforms including those run by Yahoo, Fox, and Google, according to Prague-based antivirus firm Avast.

Viruses and other malware were found to be lurking in ads last year on high-profile sites like The New York Times and conservative news aggregator Drudge Report.com, and this year on Drudge, TechCrunch and WhitePages.com. The practice has been dubbed "malvertising."

Now, researchers at Avast are pointing fingers at some large ad delivery platforms including Yahoo's Yield Manager and Fox Audience Network's Fimserve.com, which together cover more than 50 percent of online ads, and to a much smaller degree Google's DoubleClick. In addition, some of the malicious ads ended up on Yahoo and Google sites, Avast claims.

"It's not just the small players but the ad servers connected with Google and Yahoo have been infected and served up bad ads," said Lyle Frink, public relations manager for Avast.

The most compromised ad delivery platforms were Yield Manager and Fimserve, but a number of smaller ad systems, including Myspace, were also found to be delivering malware on a lesser scale, Avast Virus Labs said.

Found in ads delivered from those networks was JavaScript code that Avast dubbed "JS:Prontexi," which Avast researcher Jiri Sejtko said is a Trojan in script form that targets the Windows operating system. It looks for vulnerabilities in Adobe Reader and Acrobat, Java, QuickTime, and Flash and launches fake antivirus warnings, Sejtko said.

Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser, Avast said.

Since the malware started spreading in late December, Avast has registered more than 2.6 million instances of it on customer computers. Nearly 530,000 of those were from Yield Manager and more than 16,300 from DoubleClick, Sejtko said.

"The Google portion of JS:Prontexi is quite small and has gotten visibly even smaller as they have taken steps to improve the situation," Sejtko said. "That is not the case with Yahoo and Fox."

Representatives from Fox and MySpace declined to comment.

A Yahoo representative confirmed the report and said it was investigating the situation, but didn't provide much information. "We have identified the creatives in question and are working to make sure they been deactivated in our system," the company said in a statement.

"Yahoo is deeply committed to providing a high-quality experience for users, advertisers, and publishers. We expect our members to support and abide by our standards and guidelines around acceptable ad content and behavior," the statement said. "On the rare occasion that an ad is served that is in conflict with our expectations and guidelines we take action to remove it as quickly as possible."

A Google spokesman said the company had discovered malware in ads from DoubleClick on its own and halted them. "In this case, we stopped several of the ads in question on the same day, independent of this report," he said.

"When our automated system is able to identify a problem, we immediately stop serving the affected ads, and then work to refine our security measures to help capture and disable similar ads for all DoubleClick publishers and advertisers," the company said in a statement.

"DoubleClick's ad serving products maintain a security monitoring system that screens ads and is constantly adapting to respond to new developments, yet publishers are in control of what ads they serve when using DoubleClick services," the Google statement said. "We encourage publishers to maintain good quality processes, especially in terms of the networks and advertisers they deal with, and we provide tips and tricks at http://anti-malvertising.com/tips-for-publishers."

However, the Google spokesman said it was highly unlikely that malware was served on Google, adding that DoubleClick ads do not run on Google search.