MAD Monday

Posted by on Sep 26, 2011 in Mad Monday

Introducing MAD Monday, the day of the week where I will post details about a questionable ad that has surfaced during my testing/research.

Infected from an Ad on nytimes.com

Enter the first post: an ad on the New York Times' Web site leading to a Landing Page offering a binary which has infected my computer. For the sake of clarity, and because I'm prone to using a lot of the nomenclature adopted by the advertising community, I am quickly going to clarify some of the entities involved in delivering ads on the Web of today:

The Advertiser: responsible for configuring creative (an ad) which leads to a Landing Page (a Web site — typically their own) when clicked by a consumer. The creative is registered with an Ad Network.

The Ad Network: responsible for helping the advertiser get their message out there. The ad network has a list of properties (Web sites) that have agreed to publish their ads.

The Publisher: the owner of a Web site or property, a publisher registers with an ad network in a bid to publish/display the ads of the ad network’s advertisers.

The Consumer: typically visitors to the properties belonging to a publisher, these are somewhat anonymous entities that are the targets of advertisers and ad networks.

In the MAD Monday instance that follows, it is imperative to understand which entities are involved and who they are:

The Advertiser: WiseDownloads
The Ad Network: Google
The Publisher: The New York Times
The Consumer: You

So how does one get infected from an ad when visiting the New York Times?

  • Using your favourite browser, load up nytimes.com. The ads you see sprinkled on the front page, usually the ones with flashy animations or big friendly images, are referred to as Display Ads. These are a little different to the type of ad we will concentrate on today: contextual ads
  • In the search bar, do a search for: 7-zip
  • In the screenshot below, we see the result of the search. All of the contextual ads are highlighted in red. The scenario thus far captures a consumer that has visited the property of a publisher and has been shown ads which when clicked lead to the landing page of an advertiser

  • The ad we are interested in is this one:
  • When you click on this ad, the URL is configured to redirect your browser to the ad network that delivered it. This makes sense because the ad network can then register that a user has clicked on the ad. After they’ve done this they redirect your browser to the landing page of the advertiser. For auditing purposes (not intended for you to click on), the URL provided for the ad in question is here. The landing page of the advertiser is http://wisedownloads.com/go/7zip/
  • The screenshot below shows the landing page of WiseDownloads. They are offering a free download of the popular 7-zip program. Please note that 7-zip is available for download (without a virus and also for free) here. I tried to find a link from WiseDownloads to the official 7-zip site, but I couldn’t find one on this page.

This is the point in our scenario where things start to get interesting. When you download 7-zip from WiseDownloads you may be getting it, but you will also be getting whatever else WiseDownloads or any of its affiliates has in store for you. This could be a number of things. What’s essential to point out is that none of them are listed on the page in question and it still just looks like a site (possibly the official site) for downloading 7-zip.

One of the binaries you may get from WiseDownloads is this one. The virus report from VirusTotal is available for this binary here; keep in mind that 8 virus scanners have a problem with this binary. I say "may get" in the previous sentence because WiseDownloads seems to be deploying a different binary every time a user clicks on download. I know this because I generated a SHA256 hash of the contents of the binary downloaded every time. A SHA256 hash is a fixed-length digest of the file's contents: any change to the bytes, however small, produces a different hash, and finding two different binaries with the same hash is computationally infeasible. So whilst each binary downloaded came from the same site and was of the same size every time, strangely enough it had a different hash.

In the table below, I list each of the binaries downloaded, their SHA256 hash as well as a link to the applicable VirusTotal report:

Binary       Report              SHA256
7Zip_Setup   VirusTotal Report   8802725e1955ae7ee6852b01a7f5f6232a7f99e7b1b6865cfef8620af5b12952
7Zip_Setup   VirusTotal Report   def18ffe10c8d52f277ccc35f30ca0059087b8454e4551d8633281d7bcd0723c
7Zip_Setup   VirusTotal Report   266241e08a4e26b3fd6ce42d81b559007d51200de8a3b47827c6dcaad2559a20
7Zip_Setup   VirusTotal Report   b2f50e45b0e375af64da13975d39756f6161951de96df511e49ca2292fb7cc42
7Zip_Setup   VirusTotal Report   8b39a2e370b36a6281db014b9e121fb6fe0795a9ff035a28039ef95ec4aac977
7Zip_Setup   VirusTotal Report   3d5e56c22c25ea83537e3b478675debde58a04a841572442cdb4c59cb5d65235

Note that in the VirusTotal report of the fourth binary, one scanner didn't flag what it had flagged in the other scans. As a result of this, I think what may be happening here is that WiseDownloads is encrypting or repacking the eventual payload so that every download differs in its bytes while behaving the same. This is referred to as polymorphic code:

This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence

Putting this aside though, I decided to install whatever it is that WiseDownloads had in store for me. I then zipped up the contents of the new directories added to the "Program Files" folder as a result of this install (more than just 7-zip was deployed) and sent this off to VirusTotal for a scan. The report:

The attentive reader has noticed not just one issue here, but two:

  1. The report generated as a result of executing and installing the binary is very different to that of just the binary downloaded. Perhaps the authors of this binary do have something to hide?
  2. The link above to the content of the directories added is named iBryte.zip. Who is this new entity that has just been introduced?

The authors of this binary are employing a technology known as a digital signature:

A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit

Basically, digital signatures in this context allow the author to connect an identity to every binary that they create and sign. Using Windows, right click on any of the binaries downloaded from WiseDownloads, click Properties and then Digital Signatures:

Each of the binaries has been signed by iBryte. A quick search for them on the Web leads you to ibryte.com. I downloaded one of the binaries there; it too had the same digital signature as each of the previous binaries downloaded. Not surprisingly, the hash of each binary downloaded changed for every download (despite it being the result of clicking on the same link each time). A report for the lotto genie binary downloaded from here is available from VirusTotal here.
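The two checks above (hashing every download, then reading the signer from the Digital Signatures tab) can be done in one pass on Windows. The script below is an added example, not code from the post or from any of the companies named in it: it walks a folder of downloaded installers, records size, SHA256 and Authenticode signer for each, and then groups by signer so that a hash that changes on every download does not hide a publisher that stays the same. The folder path and the blocked signer name are assumptions for illustration; replace them with a real download location and the subject you actually decide to block.

```powershell
# Added example (not part of the original post): profile downloaded installers by
# size, SHA256 and Authenticode signer, then flag on signer rather than on hash.
param(
    # Assumed location of the downloads being audited.
    [string]$DownloadDir = "$env:USERPROFILE\Downloads\mad-monday",
    # Placeholder subject fragment, not a real certificate subject.
    [string[]]$BlockedSigners = @('CN=EXAMPLE-BLOCKED-SIGNER')
)

function Get-DownloadProfile {
    param([string]$Path)
    Get-ChildItem -Path $Path -Filter *.exe -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Name       = $_.Name
            Size       = $_.Length
            SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            SigStatus  = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        }
    }
}

$profiles = @(Get-DownloadProfile -Path $DownloadDir)

# 1. The post's observation: one size, many hashes.
$sizes  = @($profiles.Size   | Sort-Object -Unique)
$hashes = @($profiles.SHA256 | Sort-Object -Unique)
Write-Host ("{0} file(s): {1} distinct size(s), {2} distinct SHA256 hash(es)" -f $profiles.Count, $sizes.Count, $hashes.Count)

# 2. Group by signer subject: the identifier that stayed constant across downloads.
$profiles | Group-Object Signer | ForEach-Object {
    Write-Host ("{0,3} file(s) signed by {1}" -f $_.Count, $_.Name)
}

# 3. A hash-independent policy: flag any file whose signer matches the block list,
#    plus any file whose signature does not verify (unsigned or tampered).
$flagged = $profiles | Where-Object {
    $signer = $_.Signer
    $blocked = @($BlockedSigners | Where-Object { $signer -like "*$_*" }).Count -gt 0
    $blocked -or ($_.SigStatus -ne 'Valid')
}
$flagged | Format-Table Name, Size, SigStatus, Signer, SHA256 -AutoSize
```

Grouping by the signer's certificate subject (or its thumbprint, which is also recorded) is what makes the check robust to the repacking described above: the six hashes in the table differ, but every one of those files would land in the same signer bucket. Keying a block list on the thumbprint is stricter than matching the subject string, since a subject name can be reused in a different certificate.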

Once again, this is where things get interesting. Who are the people behind iBryte? I looked up who registered the iBryte.com domain:

Registrant:
Director TechOps
4600 Madison
Kansas City, MO 64151
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: IBRYTE.COM
Created on: 09-Mar-08
Expires on: 09-Mar-16
Last Updated on: 03-Feb-11

Administrative Contact:
TechOps, Director sysadmin@ak-networks.com
4600 Madison
Kansas City, MO 64151
United States
+1.8169311771

Technical Contact:
TechOps, Director sysadmin@ak-networks.com
4600 Madison
Kansas City, MO 64151
United States
+1.8169311771

Domain servers in listed order:
NS1.AK-NETWORKS.COM
NS2.AK-NETWORKS.COM

Registry Status: clientDeleteProhibited
Registry Status: clientRenewProhibited
Registry Status: clientTransferProhibited
Registry Status: clientUpdateProhibited

Some quick searches on ak-networks lead me to an article on techcrunch, and eventually the homepage of AdKeeper (*updated 9/27/2011* – the connection between ak-networks and AdKeeper is incorrect, see end of post for details):

The red scribble in the screenshot is me. I did this because I want to emphasize that I clicked on an ad on The New York Times which infected my computer (where our story started). The entity at the end of Mad Monday’s paper trail was featured on The New York Times, not as an ad, but as an article here. One quote which stood out for me was from Thad McIlroy who declared AdKeeper:

The Dumbest Publishing Startup of 2010

Regardless of whether or not AdKeeper is the dumbest startup though, the facts are:

  • I clicked on an ad on NYTimes that led to wisedownloads.com
  • There were no references to the official 7-zip binary on this page. My intent was to install 7-zip, the landing page originally presented to me promised this
  • Whilst this is completely subjective, I understood from the advertiser’s page in question that I was downloading the 7-zip binary for free
  • The download itself lit up on virus scanners
  • The packages deployed (which have nothing to do with 7-zip) after executing the download lit up on virus scanners
  • The binaries were signed using digital signatures

The last point is the most important, for the ad network could have a simple mechanism in place to protect the consumer from advertisers and binaries of this nature. It doesn't matter if the binaries keep changing; the bottom line is that they are consistently being signed by the same entity, whose other binaries, downloaded from other sites, light up virus scanners too. If the ad network in question did have the consumer's interests as their highest priority, i.e., if they were monitoring the landing pages of the advertisers that they are steering the users of their publishers to, then we wouldn't have MAD Monday and I wouldn't be infected as a result of clicking ads displayed on The New York Times.

updated 9/27/2011 – My sincere apologies to the folks at AdKeeper, I affiliated them with ak-networks and iBryte based solely upon an article on techcrunch and I was wrong. They reached out to me and insisted that they are in no way affiliated with these entities. Due diligence on my side should have pushed me to do just a little bit more digging. Note that a whois on ak-networks doesn’t mention adkeeper at all. Furthermore, neither iBryte nor ak-networks.com comes up in the list of partners on AdKeeper’s web site here (thanks Victoria)


4 Comments

  1. Thad McIlroy
    September 26, 2011

    Very thorough investigative work. Have you notified The New York Times, Google, WiseDownloads, and AdKeeper?

    Their responses would be very interesting: who has the liability here? Who has the RESPONSIBILITY in a distributed advertising network?

  2. wesleyb
    September 26, 2011

    Thanks Thad. I have not contacted WiseDownloads and AdKeeper. I notified Google last week but received no response. Obviously the advertiser in question was not taken down. New York Times has just been notified, hopefully they can convince Google not to deliver this ad on their Web site. Regarding who has the responsibility in a distributed network of this nature, this is a very good question. Please keep in mind that this is not third party advertising, i.e., the ad network has a direct relationship with the advertiser in question. In review, the chain of events is as follows:

    – NYTimes gets a visitor
    – The visitor’s browser loads their page
    – The page includes an ad tag (script) that links to an ad network
    – The browser makes a call to the ad network
    – The ad network pulls from its local inventory and serves the ad

    There is no fallback to a third party. At least, if there is it is happening inside Google’s network, and not on the visitor’s browser (this is very rare — I’ve yet to see it). Since it’s not a third party scenario and the ad network has a relationship with the advertiser, they are in a position to monitor the landing page of the advertiser, regardless of how good their relationship may be. So who has the responsibility? I believe it is the responsibility of the network to monitor the landing pages of their advertisers, always. To quote Ronald Reagan: “Trust, but verify”

  3. Victoria Bianchini
    September 27, 2011

    Hi, Wesley

    First let me say that I work at AdKeeper and I have verified that we do not own the domain ak-networks.com, nor does AdKeeper have any affiliation with this domain. Moreover, AdKeeper is all about user first and their ability to use and control their advertising experience. Those who would deploy malicious code via advertising or any means damage the entire Internet ecosystem from users to ISPs, including advertisers as well.

    It would be wonderful if you would correct your mistake. I’m available at your convenience to discuss this further.

    Thank you!
    Victoria

  4. wesleyb
    September 27, 2011

    Fixed. My apologies to the folks at AdKeeper, I should have done more homework on making the connection between ak-networks and adkeeper.