Introducing MAD Monday, the day of the week where I will post details about a questionable ad that has surfaced during my testing/research.
Enter the first post, an ad on the New York Times' Web site leading to a Landing Page offering a binary which has infected my computer. For the sake of clarity, and because I'm prone to using a lot of the nomenclature adopted by the advertising community, I am quickly going to clarify some of the entities involved in delivering ads on the Web of today:
The Advertiser: responsible for configuring creative (an ad) which leads to a Landing Page (a Web site — typically their own) when clicked by a consumer. The creative is registered with an Ad Network.
The Ad Network: responsible for helping the advertiser get their message out there. The ad network has a list of properties (Web sites) that have agreed to publish their ads.
The Publisher: the owner of a Web site or property, a publisher registers with an ad network in a bid to publish/display the ads of the ad network’s advertisers.
The Consumer: typically visitors to the properties belonging to a publisher, these are somewhat anonymous entities that are the targets of advertisers and ad networks.
In the MAD Monday instance that follows, it is imperative to understand which entities are involved and who they are:
|The Ad Network:| |
|The Publisher:|The New York Times|
So how does one get infected from an ad when visiting the New York Times?
- Using your favourite browser, load up nytimes.com. The ads you see sprinkled on the front page, usually the ones with flashy animations or big friendly images, are referred to as Display Ads. These are a little different to the type of ad we will concentrate on today: contextual ads.
- In the search bar, do a search for: 7-zip
- In the screenshot below, we see the result of the search. All of the contextual ads are highlighted in red. The scenario thus far captures a consumer that has visited the property of a publisher and has been shown ads which, when clicked, lead to the landing page of an advertiser.
- The ad we are interested in is this one:
- When you click on this ad, the URL is configured to redirect your browser to the ad network that delivered it. This makes sense because the ad network can then register that a user has clicked on the ad. After they’ve done this they redirect your browser to the landing page of the advertiser. For auditing purposes (not intended for you to click on), the URL provided for the ad in question is here. The landing page of the advertiser is http://wisedownloads.com/go/7zip/
- The screenshot below shows the landing page of WiseDownloads. They are offering a free download of the popular 7-zip program. Please note that 7-zip is available for download (without a virus and also for free) here. I tried to find a link from WiseDownloads to the official 7-zip site, but I couldn’t find one on this page.
This is the point in our scenario where things start to get interesting. When you download 7-zip from WiseDownloads you may be getting it, but you will also be getting whatever else WiseDownloads or any of its affiliates has in store for you. This could be a number of things. What’s essential to point out is that none of them are listed on the page in question and it still just looks like a site (possibly the official site) for downloading 7-zip.
One of the binaries you may get from WiseDownloads is this one. The virus report from VirusTotal is available for this binary here; keep in mind that 8 virus scanners have a problem with this binary. I say "may get" in the previous sentence because WiseDownloads seems to be deploying a different binary every time a user clicks on download. I know this because I generated a SHA256 hash of the contents of the binary downloaded every time. A SHA256 hash is a fingerprint derived from the binary's contents; two binaries with different contents will not share the same hash, so a changed hash means the bytes changed. So whilst each binary downloaded came from the same site and was of the same size every time, strangely enough it had a different hash.
In the table below, I list each of the binaries downloaded, their SHA256 hash as well as a link to the applicable VirusTotal report:
Note that in the VirusTotal report of the fourth binary, one scanner didn’t pick up what it did in other scans. As a result of this, I think what may be happening here is that WiseDownloads is using a form of encryption to hide what the eventual payload of their binary may be. This is referred to as polymorphic code:
Putting this aside though, I decided to install whatever it is that WiseDownloads had in store for me. I then zipped up the contents of the new directories added to the "Program Files" folder as a result of this install (more than just 7-zip was deployed) and sent this off to VirusTotal for a scan. The report:
The attentive reader has noticed not just one issue here, but two:
- The report generated as a result of executing and installing the binary is very different to that of just the binary downloaded. Perhaps the authors of this binary do have something to hide?
- The link above to the content of the directories added is named iBryte.zip. Who is this new entity that has just been introduced?
The authors of this binary are employing a technology known as a digital signature:
A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit.
Basically, digital signatures in this context allow the author to connect an identity to every binary that they create and sign. Using Windows, right click on any of the binaries downloaded from WiseDownloads, click Properties and then Digital Signatures:
Each of the binaries has been signed by iBryte. A quick search for them on the Web, leads you to ibryte.com. I downloaded one of the binaries there, it too had the same digital signature as each of the previous binaries downloaded. Not surprisingly, the hash of each binary downloaded changed for every download (despite it being the result of clicking on the same link each time). A report for the lotto genie binary downloaded from here is available from VirusTotal here.
Once again, this is where things get interesting. Who are the people behind iBryte? I looked up who registered the iBryte.com domain:
Registrant:
    Director TechOps
    4600 Madison
    Kansas City, MO 64151
    United States
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: IBRYTE.COM
Created on: 09-Mar-08
Expires on: 09-Mar-16
Last Updated on: 03-Feb-11
Administrative Contact:
    TechOps, Director email@example.com
    4600 Madison
    Kansas City, MO 64151
    United States
    +1.8169311771
Technical Contact:
    TechOps, Director firstname.lastname@example.org
    4600 Madison
    Kansas City, MO 64151
    United States
    +1.8169311771
Domain servers in listed order:
    NS1.AK-NETWORKS.COM
    NS2.AK-NETWORKS.COM
Registry Status: clientDeleteProhibited
Registry Status: clientRenewProhibited
Registry Status: clientTransferProhibited
Registry Status: clientUpdateProhibited
Some quick searches on ak-networks lead me to an article on techcrunch, and eventually the homepage of AdKeeper (*updated 9/27/2011* – the connection between ak-networks and AdKeeper is incorrect, see end of post for details):
The red scribble in the screenshot is me. I did this because I want to emphasize that I clicked on an ad on The New York Times which infected my computer (where our story started). The entity at the end of MAD Monday's paper trail was featured on The New York Times, not as an ad, but as an article here. One quote which stood out for me was from Thad McIlroy who declared AdKeeper:
The Dumbest Publishing Startup of 2010
Regardless of whether or not AdKeeper is the dumbest startup though, the facts are:
- I clicked on an ad on NYTimes that led to wisedownloads.com
- There were no references to the official 7-zip binary on this page. My intent was to install 7-zip, and the landing page originally presented to me promised this
- Whilst this is completely subjective, I understood from the advertiser’s page in question that I was downloading the 7-zip binary for free
- The download itself lit up on virus scanners
- The packages deployed after executing the download (which have nothing to do with 7-zip) lit up on virus scanners
- The binaries were signed using digital signatures
The last point is the most important, for the ad network could have a simple mechanism in place to protect the consumer from advertisers and binaries of this nature. It doesn't matter if the binaries keep changing; the bottom line is that they are consistently being signed by the same entity (whose other binaries, signed and served from other sites, also light up virus scanners). If the ad network in question did have the consumer's interests as their highest priority, i.e., if they were monitoring the landing pages of the advertisers that they are steering the users of their publishers to, then we wouldn't have MAD Monday and I wouldn't be infected as a result of clicking ads displayed on The New York Times.
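The two observations above (the hash changes on every download, the signer does not) can be turned into a defender-side check. The following PowerShell is an added example, not code from the original post or from any of the parties it names; it assumes the downloaded binaries sit in a folder (the `$DownloadDir` path and the `$BlockedSigners` pattern are constructed placeholders to adjust), hashes each one, reads its Authenticode signer, and reports by signer rather than by hash.

```powershell
# Added example (not from the original post): triage a folder of downloads by
# content hash and by Authenticode signer. The directory and the blocked-signer
# pattern below are constructed placeholders; change them for your environment.
param(
    [string]$DownloadDir = "$env:USERPROFILE\Downloads\madmonday-samples",
    # Match on the certificate subject, not on a file hash that changes per download.
    [string[]]$BlockedSigners = @('CN=iBryte*')
)

$rows = foreach ($file in Get-ChildItem -Path $DownloadDir -Filter *.exe -File) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    [pscustomobject]@{
        Name    = $file.Name
        Bytes   = $file.Length
        SHA256  = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        Status  = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer  = $signer
        Thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        Blocked = [bool]($BlockedSigners | Where-Object { $signer -like $_ })
    }
}

# 1. Per-file view: same size, different SHA256, same signer is the pattern the post describes.
$rows | Format-Table Name, Bytes, Status, Signer, Blocked, SHA256 -AutoSize

# 2. Per-signer view: the hash is per download, the signer is the stable handle to act on.
$rows | Group-Object Signer | Select-Object @{n='Signer';e={$_.Name}}, Count,
    @{n='DistinctHashes';e={ ($_.Group.SHA256 | Sort-Object -Unique).Count }} |
    Format-Table -AutoSize

# 3. Non-zero exit when any file matched the blocked-signer list, for use in a scheduled check.
if ($rows | Where-Object Blocked) { exit 1 }
```

Note that a signature whose Status is NotTrusted or HashMismatch still carries a SignerCertificate, so the signer-based grouping works even when Windows would not trust the binary.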
updated 9/27/2011 – My sincere apologies to the folks at AdKeeper, I affiliated them with ak-networks and iBryte based solely upon an article on techcrunch and I was wrong. They reached out to me and insisted that they are in no way affiliated with these entities. Due diligence on my side should have pushed me to do just a little bit more digging. Note that a whois on ak-networks doesn't mention adkeeper at all. Furthermore, neither iBryte nor ak-networks.com comes up in the list of partners on AdKeeper's Web site here (thanks Victoria).