Put yourself in a bad guy’s shoes:
You have a piece of software that logs usernames and passwords to banking sites. It can do a number of other things, like propagate itself to other computers that share drives with the victims and open address books and email itself to every email address it finds - so that it can log usernames and passwords from even more sites!
It just needs to hit one system, really, to propagate. But as the guy or gal trying to get this software out and productively returning good banking credentials, if you had the chance to propagate more and better, why wouldn’t you? How would you easily infiltrate as many computers as possible, and computers used by people who actually might have something in their bank accounts to reliably pilfer? You might want to take a look at something networked, something that gets propagated to a large number of mainstream sites. Because you may be found out quickly, you’re looking for somewhere you might slip in surreptitiously, across a large number of trusted mainstream web sites simultaneously…
Ad networks. It’s a pretty sweet attack vector, really. Massive, instantaneous, worldwide reach. Immediate impact. Solid customer base. Bi-partisan, even! Simultaneously force malware on readers of MSNBC and DrudgeReport and Salon, Washington Post, and CNN and more? Score!
A few weeks ago, the New York Times got hit with such an attack…and it wasn’t stopped for at least 12 hours.
What can you do to protect yourself against drive-by ad attacks like this? Other than not check the news - because I’ll be honest, I am going to read the Drudge Report no matter what, daily. Malware will not keep me away.
First thing: Don’t install anything when prompted unless you yourself prompted the install and you know what you’re installing. A virus scan initiated by a Web site you just hit? Close the window, don’t click OK! And don’t ever enter your password or allow the some unbidden installer elevated privileges!
Second thing: As much as it hurts the newspapers and advertisers right now, you can choose not to have the ads served using a few different methods. We’ll talk about two quick and dirty methods today.
Ad Block Plus plug-in for Firefox
The AdBlock Plus plug-in blocks ads automatically. It blocks and hides ads from view. To install it:
- In Firefox, select Tools > Add-ons.
- Select Get Add-Ons, enter “Adblock” in the search window, and press Enter.
- Select AdBlock Plus and click Add to Firefox.
- Click Install Now and restart Firefox when prompted.
When Firefox restarts, you should see a red Stop sign icon in your Navigation toolbar &mdash you can use this to make modifications to ad blockage.
Modify your hosts files so that all ad-based URLs redirect to your local system and *not* to the ad site!
Dan Pollock @ SomeoneWhoCares.org maintains a hosts file of known ad servers. You can replace the hosts file on your system with his list, so that whenever a web page requests an ad server, it redirects to your own system instead. Note that it doesn’t hide the spots where the ads should be the way AdBlock Plus does — you’ll see either whatever your local web server serves, or a failed to connect error if you aren’t running a local web server. Basically — whatever you see at http://127.0.0.1 is what you’ll see in the ad view boxes.
Copy his list at http://someonewhocares.org/hosts/ (or your own list, if you’ve been keeping score) and paste it into your own system’s host file (note that you need to be root or Administrator to do this). In Linux, add the data from Dan’s list to /etc/hosts. In Windows NT, 2000, XP, and Vista, add it to c:\Windows\system32\drivers\etc\hosts. In Windows 95⁄98 and ME, add it to C:\Windows\hosts.