One of our readers, Walter, wrote to us today with a request to owners of websites:  please block any third-party advertisements that contain scripts or any form of mobile code.

Why?  Well, consider this scenario:

1) Sleazy vendor (or rogue affiliate) "rents" compromised home computers from a bot-farmer

2) Sleazy vendor submits to an adserver an innocent-looking ad for some legitimate-looking product, totally unrelated to the malware.

3) The innocent-looking ad contains javascript that re-directs the browser to a compromised bot, which in turn re-directs the browser to the final malware page.  Thus, a website blocking any ads linking to systemdoctor.com or winfixer won't help.  The user is re-directed to one of millions of compromised bots, and the bot re-directs to the malware page.

An example of malware-via-adserver is detailed at
http://msmvps.com/blogs/spywaresucks/archive/2007/02/18/591493.aspx

This is not a new problem.  We covered cases like this in the past where an entire ad server gets compromised and the advertisements it is generating contain malware that gets injected via an iframe.  The correct solution is to only accept images from advertisers that are linked to another website, and no mobile code.  You clearly can't control what happens on that web site, but at least no mobile code is injected into your user's browsers just because they visited you.

UPDATE:
One of our readers reminded us that Mozilla has a plug-in that allows Firefox readers to reject ads.  Also, I should have plugged a solution I've been using on my own computers for a few years - modifying your hosts.txt file to point all of the known ad servers at 127.0.0.1.  Details are on MVPS.

Marcus H. Sachs
Director, SANS Internet Storm Center