Trust but verify...

Monday, March 08, 2010

Jason Remillard


Cross posted from: SSM Blog

Much like Mr. Reagan, we need to trust but verify.

Interestingly enough, in the past five or six days we have been detecting ad networks including Google Adsense, Adultadwords, and Adbrite allowing malware-laden ads on their networks. We are not the only ones who have identified this issue; check out the following links for more information:

Google Adsense distributes malware - Google blocks own publisher!

AdultAdWorld (AAW) distributes malware - doesn't answer the phone

This highlights a major issue that we have been discussing for a long time with all of our customers -- that is, the need for ongoing Malware detection scanning. Your site might be nailed down. Your site might be clean of SQL injection, Apache flaws, cross-site scripting, and the myriad other issues associated with open source and custom-developed software. However, if you run any sort of ad network, widgets, or anything else that inserts code from other sites, you are running a major risk.

In these cases you are a very simple publisher. You trust your ad network since they are your partner. And now those lovely people are inserting Malware into your site.

Looking further, in a case that is humorous but serious, Adsense itself inserted malicious ad code into a customer's website -- and then proceeded to ban them and slapped the nasty Malware alert window on this board bugger's website.

Now, how are you going to react in this sort of scenario? I'd be interested in your comments; however, at the end of the day you have to trust somebody, and I like trusting by verification -- and in this case we use several third parties for our validation services since I don't trust any one on its own.

That is our commitment to you as a client of We bring the best of breed to you, from a solution perspective, from a resource perspective, from a research perspective.

Again, I am interested in any comments regarding this subject -- it is very unfortunate that the Malware purveyors have chosen to attack this vector to distribute their wares, but did you really expect them to stop? We certainly didn't.

Is Google Adsense a Trojan horse itself? 

Pete Herzog:

Google Adsense is not a Trojan Horse any more than the Post Office is a terrorist organization for delivering a letter full of Anthrax to your door. Especially if that letter is from an employer who is paying your customers to receive any crap they send them and pass it on to their customers like some filthy, twisted Tupperware party. If your customer's business model is to do that then they need to take responsibility for what Adsense gives them and they pass on. Since the ads change and rotate, periodic scanning of their webserver won't do much good. Scanning and filtering each link would be slow and pointless because no AV software could keep up with mutations. So as they say in Wargames, the only way to win is not to play.

However this all brings up a great example of people doing what's easy and convenient to make more money without considering the consequences. Now you can argue the onus is on the end customer to protect themselves from this type of thing but that's no different than the grocer selling e-coli tainted apples from saying it's up to the customers to protect themselves against bacteria. That grocer may have a point, especially if he's not the source of the contamination, but that's not going to help with customer satisfaction. And I'm sure that scenario is a nightmare for any grocer. You see, profits don't come easier by losing customers. So accountability needs to be at every point the money is.