SWITCH Security-Blog

SWITCH-CERT IT-Security Blog

Attack of the killer Ads


By Daniel Stirnimann and Serge Droz

Recently I was quoted saying “… .ch and .li are the most secure (top-level) domains!”. In the same meeting, Security Rock Star Mikko Hyppönen claimed, “Surfing the Web with your laptop is the most dangerous thing you can do in the Internet.”  So what is true, what is false? Rather than speculate about obscure statistics I’d like to illustrate one of the big problems we face in .ch today, namely using ads as a back door to reach victims through reputable sites.

Ads: enter through the hallway

Malware distributors have one goal: spreading their stuff as widely as possible. This is achieved through different means. Malware was traditionally distributed – and still is – through e-mail attachments. This was the case, for example, with the Retefe malware. Alternatively, web pages can be hacked and used to spread malware by exploiting browser bugs. SWITCH has been very active, through its Safer Internet initiative, in working to reduce this infection vector. In fact, we’ve been so successful, that drive-by is very scarce in Switzerland, hence the statement that ” … .ch is one of the most secure ccTLDs”. Drive-by websites are always hacked, but in most cases they are not very popular websites, since popular websites are typically well protected. Many of the later ones offer a backdoor tough: ads! News sites in particular make most of their revenue by selling on line ads, which explains the “ad-war” arms race between ad-blockers an news agencies (see our Security Report on anti-anti-ad features). A very common way is malvertising, a term coined by William Salusky. Salusky found ads that were in fact carrying malicious payloads. Let’s look at a slightly different scenario, namely a legitimate but compromised ad server. While technically a different scenario it has the same effect on the end user.

Most people would think that visiting a website just serves you content from that site but this is not true for most of the large sites, in particular news sites. They import contents such as videos, trackers, counters, scripts and especially ads from third-party sites. These are not controlled by the original site, and often import content themselves from yet another site. Thus, a well maintained site with high security standards will often import stuff from sites with lower security. Think of it as sitting in a highly rated restaurant that has one bad food supplier.

The image below shows all the external sites involved whenever you visit three popular news sites.


Ohne Addon

The above example shows what happens when you visit three popular Swiss newspapers. Triangles denote third-party sites from which content is imported when you visit the respective news site. The visualisation was done using the Mozilla addon LightBeam

Using ads to distribute malware

Let’s now recap the recent campaign to show what is happening in detail. Keen to read the latest news an unsuspecting user visits http://www.meine-zeitung.ch (original URL changed). One of the many sites loaded in is a javascript from  hxxp://files.zeitung-adserver.ch/

This javascript already had a problem, albeit a well hidden one. Appended at the end of the file are some more, obfuscated javascript functions. Based on the user agent this code loads more code from the domain zeitung-adserver.net. Note, that the domain has now changed from .ch to .net. zeitung-adserver.ch is owned by the original news paper. It was registered in 2007. In contrast zeitung-adserver.net was registered just a few days ago on 27 January 2016 in Bulgaria. So it seems that the original ad server is compromised.

The malicious javascript continuously loads code and ads iframes to the original webpage, eventually ending up on a site linked to the Nuclear exploit kit. Nuclear made security news last late year because it started spreading Cryptowall 4.0. However, in this case, as before in Switzerland, the payload was Gozi ISFB, a banking Trojan.

Attack chain

1. A user surfs to the Meine Zeitung page. 2. The page loads the ads from the hacked ad server. 3-5 The included javascript creates more javascript which in turn creates an iframe, which then finally redirects to a Nuclear EK site. Step 3 only does this if the correct user agent is present. 6. Nuclear the works its EK magic, checking for a vulnerability it can exploit to serve malware. The whole attack takes less then 10 seconds. Note that all domains but the original one have been registered within the past few days.


It’s difficult for end users to protect themselves against such attacks. Having an up-to-date system will help. Other than that, an ad blocker will prevent any ads from loading, including malicious ones. Obviously, news sites won’t like this advice, but we have seen in the past that distributing malware through ads (be this malvertising or something else) can cause a lot of damage. SWITCH analyses dozens of web pages every day to detect drive-by code but the ad servers are good at hiding behind complex news sites, and they deliver their payload only sporadically. Detecting this is hard. Nevertheless, several large sites have reported high infection rates that could be traced back to this infection vector. The use of adblockers is highly debated, and we don’t want to lead that discussion here, there are good comments found elsewhere.

Similarly useful is Ghostery, a plugin that disables the various trackers websites deploy.

Screen Shot 2016-02-04 at 17.45.48

The same news sites when visited with Ghostery and AdBlocker enabled. Much less third-party code is included.

The taste of a bad meal

So, how bad are these ads? As mentioned a successful infection leads to an infection with the banking trojan Gozi ISFB. As in any modern trojan the configuration is dynamically loaded in once the malicious code is executed. In this case we were lucky: We were given access to the logs of a server delivering a crucial component of the config. The result was a daunting 1500 infections per day across Switzerland. So one bad ingredient spoils the lunch of a great many people.

The distribution of Gozi infection originating from surfing a hacked ad-server.

The distribution of Gozi infection originating from surfing a hacked ad-server for one day.


Ads continue to be problematic from a security point of view as they allow attackers to smuggle malicious content  into seemingly reputable sites. Too often we have heard that website owners cannot take responsibility for the third-party feeds.  That couldn’t be more wrong: much more scrutiny is needed by webmasters in monitoring the quality of the third-party feeds they serve to their visitors. Its the original websites’ responsibility to ensure quality and a safe experience to their visitors.

As any decent restaurant pays attention to hygiene, the internet community must start taking internet hygiene more serious, for all their suppliers.



2 thoughts on “Attack of the killer Ads

  1. Auch bei der BaZ (Basler Zeitung) habe ich schon Ungeziefer eingefangen, durch simples Überfahren von Werbung mit der Maus!
    Das hat mich einige Stunden an Aufräumarbeiten gekostet und einen “netten” Brief von Cablecom, mit der Drohung meinen Anschluss zu kappen!

    Leider hat es bei der BaZ niemand für nötig befunden mir auf unzählige E-Mails zu antworten, geschweige denn sich zu entschuldigen!