Posts Tagged ‘doubleclick’
On Botnets, Lies and Corporate Bulls#&t
I know, an odd title, isn’t it? But you’ll see why soon.
I must also add a caveat: This post does contain adult language!
Did you see the movie ‘Network’? The one where the news anchor loses it on the air, throws his television out the window, and screams, “I’m mad as hell and I’m not going to take it anymore!” Yeah, THAT movie!
Well, I know how the Anchorman feels.
Yesterday, while researching this continuing Botnet issue, I came across a very interesting press release on DoubleClick’s web site. But before I share that with you, let me digress for a moment.
Remember the big to-do about Google partnering with Yahoo? Remember Microsoft (M$) whining and complaining about the ‘supposed unfair advantage and monopoly’ a partnership between Google and Yahoo would create? Whaa, whaa, whaa! Poor Microsoft!
Then recently, the headlines hit the blogosphere that Google was hours away from being named a monopoly by the U.S. Department of Justice when Google backed off.
Now that I’ve refreshed your memory, fast forward to my noting a press release on DoubleClick’s web site yesterday.
Pop Quiz!
- Who owns DoubleClick?
- Who owns and created Silverlight?
- Who is serving video ads to Silverlight?
Answer Key:
- Who owns DoubleClick? Google
- Who owns and created Silverlight? Microsoft
- Who is serving video ads to Silverlight? Google owned DoubleClick
Now, doesn’t that seem like someone is sleeping with the enemy?
Read it yourself here: http://www.doubleclick.com/about/news_details.aspx?id=1406&linkidentifier=id&itemid=1406
You see folks, what I’ve come to realize is that all this media spin and “woe is me” from Microsoft is nothing more than Microsoft crying wolf. And why? $$$MONEY$$$
What’s that saying? “Money talks, bulls#&t walks?”
It’s okay for Microsoft Silverlight to run Google-owned DoubleClick ads because Microsoft is making money!
It’s NOT okay for Google to partner with Yahoo because Microsoft ISN’T making money!
And why won’t Google, DoubleClick, Yahoo, Right Media, and all the rest of the online advertising companies do something about malware being pushed through their ads? Because they are COLLECTING MONEY from the advertisers! And because to put a procedure in place to screen those ads and protect visitors, would COST them MONEY!
Small companies like ours make nothing on the research we do, and practically nothing on the small amount of ads we do run on our site.
Hell, the top day of our Google adsense at the peak of this botnet issue earned us a whopping 27 cents! Whoo Hoo! I’ll take that to the bank as soon as Google decides it adds up to $100 in any given month – READ: I won’t hold my breath waiting.
The truth of the matter is, my friends, that we are being fed a HUGE plate of Corporate BS with a side of lies.
Microsoft cares less about Google’s unfair competition with Yahoo. It wants Yahoo for the ad generating revenue it can earn under Yahoo’s name. And why? Because Microsoft’s name can’t earn it!
I could find better search results reading the sediment in my septic tank (like tea leaf reading only grosser) than find anything from Live or MSN Search.
Microsoft knows their search is useless! So they want Yahoo’s name to hide behind so they can rake in the advertising dough.
And if I’m right with my prediction about the upcoming botnet from hell, all the advertising companies will make a fortune from it!
Think about it!
They’ll collect revenue from the advertisers wanting to push the malware. (What better way to deliver an Internet Weapon of Mass Destruction (IWMD) than through ads that are on nearly every single web site!)
Then, they’ll collect a fortune off the adwords related to this new malware and the fix being searched for as millions of broken, infected PCs go online to search for help.
And the botnet creators will make a fortune off the information it gets from every single infected computer and compromised corporate network! (And if you have yet to read the report about this underground economy, please pick up the report here: The Online Shadow Economy. My paranoia is based on real facts!)
The only people not getting rich off this whole scam are the poor shmucks at the bottom of this food chain. The small companies, small bloggers, and the average Internet users. The very same ones who have to pay for the damage because Corporate A**holes don’t give a s#&t about us!
It’s days like this that I wonder why the h@ll I even bother!
But then, I get an additional reader, or a new subscriber. Perhaps a few new comments posted, and I have hope again. I have hope that there are others like me still out there that are paying attention. Vigilantly watching to maintain the integrity of the Internet.
And YOU make it all worthwhile!
So, for those of you – like me – who want to prepare for what might be coming, I’m going to teach you over the next several posts how to prepare to protect yourself. I think we might be able to avoid the impending damage if we cover our assets, so to speak.
Tomorrow, we will learn how to block the ad servers. Yes, I know, I’m cutting off my 27 cents in revenue by teaching you how to do this. But you never know. If I’m correct in my line of thinking and research, we just might get a legitimate sponsor for this blog! Or maybe someone will donate or buy something from us! You never know! It could happen!
So tune in tomorrow! We’re going to play Medieval Europe and secure the castles!
It doesn’t matter what OS or what browser you’re using. We’ll cover them all!
Oh! I should note, however, that so far, our research is showing that Ubuntu (Linux) has not been affected by any of this!
Bot Update
Last night I updated my Flash files and I was still getting notices as per my added notice on the post: A Possible Answer to the RUBotted Pop-ups?
However, this morning – upon boot – I’ve yet to receive one. I also went directly to the main file disclosed in the previous post that was serving up the ad and I did not receive the pop-up.
At this point, I can only conclude that the flash was the vulnerability and it is NOT a glitch or bug in RUBotted.
Anthony Valente, my partner from Network Defense Solutions, is working with the Flash file I sent him this morning to find out what it was in the file that might have been doing this. Only by understanding how the malware providers are pushing this crap on us, can we understand how to protect ourselves.
Stay tuned for more disturbing news about the ad servers from hell! You are not going to be happy when you hear what Anthony has uncovered through my initial research with the Antivirus 2009!
In the meantime, go update your flash players PLEASE!
A Possible Answer to the RUBotted Pop-ups?
This situation has been driving me crazy for days now. I had to find an answer.
Well, here goes!
I opened up the code source for about three different web pages that were causing the pop-ups. (View Source and saved as a text file.)
I opened all three in my Textpad editor and started taking out the normal code that doesn’t do anything dangerous. That left me with nothing but Javascript on all three sites!
Okay, I know Javascript is not the culprit because I use it here, and I have visited other sites that use it with no pop-up. So by deduction, javascript itself in a page is not the culprit. BUT! What is inside the Javascripts?
So, the wonderful thing about Textpad is I can highlight a bit of code that has a URL in it, right mouse click and it will give me the option to open the link in the browser. This delivered me every single .js file there was on all the pages.
Remember I said that this was related to ads? Well, I’m correct. But there’s something specific in the ads that are affecting the RUBotted.
In the many, many, many Javascript files I opened this morning and afternoon, there is a common denominator – FLASH.
These ads and the related JavaScript have gotten very complex. There is a javascript reference inside a javascript reference – sometimes going 3 levels deep!
On the Tarot.com page I saved that had given me the pop-up, I found this:
The code points to a source:
SRC="http://ad.doubleclick.net/adj/vsn.tarot/other;tile=10;sz=160x600;ord='+ord+'?"
When I went to the URL, it downloaded a file with no extension – named: other;tile=10;sz=160x600;ord='+ord+' – that I opened in TextPad also. (To access the file yourself: othertitle.zip)
Here’s what was found that’s relevant. There is code inside here that points to the actual flash file and another Javascript file. AND! When I downloaded both, I got the pop-up. Here’s the images and I’ll explain what I don’t like about this.
Now here’s the code inside the file labeled flashwrite1_2.js.
What is this file trying to write to my flash application?
Now the reason I’m calling this into question is that I received a US-CERT Cyber Security Bulletin as I’m typing this up and investigating it.
There is a disclosed vulnerability in Adobe Flash player disclosed on November 17th just 3 days before I started reporting the pop-ups.
http://web.nvd.nist.gov/view/vuln/detail;jsessionid=02544ed65bc300e67b8695238afe?execution=e1s1
I’m going to update my Flash player and revisit these links and see if I still get the RUBotted pop-ups.
Then I need to get to some work that makes me some money since I’ve spent a lot of time on this. However, if you’d like to buy me a cup of coffee for my troubles, you can send me a tip through the tip jar on the right side or PayPal here.
Hopefully, the problem is solved.
Debbie
NOTE ADDED 5:10 PM CDT: The Flash Update didn’t work at fixing the problem! Still getting the pop-up message! But that does not dismiss the fact that these ad codes are trying to write to our Flash application. Anyone know JavaScript and know how or what it’s writing??
I was also going to reverse engineer the flash file mentioned in here but my flash version is too old. (Upgrade costs $199.00) By taking apart the flash file, we might be able to see if there’s something malicious besides the java code?
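The manual tracing described in this post (saving page source, following each script reference to the next file, and looking for the Flash file at the end of the chain) can be automated over saved copies. This is an added example, not code from the original post; the hosts, file names and file contents are constructed samples, and the function name traceScripts is hypothetical.

```javascript
// Added example: walk saved page/script sources and report nested script
// includes, Flash (.swf) references and document.write calls. Sample data is constructed.
const SAVED = {
  "http://site.example/page.html":
    `<html><body><script src="http://ads.example/tag.js"></script></body></html>`,
  "http://ads.example/tag.js":
    `var ord = Math.random();
     document.write('<script src="http://ads.example/adj/zone;sz=160x600;ord=' + ord + '?"></script>');`,
  // Saved under the URL as it appears before the runtime-generated "ord" value.
  "http://ads.example/adj/zone;sz=160x600;ord=":
    `var movie = "http://cdn.example/banner.swf";
     document.write('<script src="http://cdn.example/flashwrite.js"></script>');`,
  "http://cdn.example/flashwrite.js":
    `function writeFlash(m) { document.write('<embed src="' + m + '">'); }`,
};

const SCRIPT_SRC = /<script[^>]*?\ssrc\s*=\s*["']([^"'>]+)(["']\s*\+)?/gi;
const SWF_REF = /["']([^"']+\.swf)\b/gi;
const DOC_WRITE = /document\.write(?:ln)?\s*\(/g;

// Depth-first walk; `seen` stops include loops, `maxDepth` bounds the chain.
function traceScripts(url, saved, maxDepth = 5, depth = 0, seen = new Set(), out = []) {
  if (seen.has(url) || depth > maxDepth) return out;
  seen.add(url);
  const text = saved[url];
  if (text === undefined) {            // referenced but never saved to disk
    out.push({ url, depth, missing: true });
    return out;
  }
  const entry = {
    url, depth, missing: false,
    swf: [...text.matchAll(SWF_REF)].map((m) => m[1]),
    writes: (text.match(DOC_WRITE) || []).length,
    dynamic: [],                       // src values finished at run time ('+ord+')
  };
  out.push(entry);
  for (const m of text.matchAll(SCRIPT_SRC)) {
    if (m[2]) entry.dynamic.push(m[1]);
    traceScripts(m[1], saved, maxDepth, depth + 1, seen, out);
  }
  return out;
}

for (const r of traceScripts("http://site.example/page.html", SAVED)) {
  console.log("  ".repeat(r.depth) + r.url, r.missing ? "(not saved)" : `writes=${r.writes} swf=[${r.swf}]`);
}
```

Run it with Node.js; the indented output shows each include level, so a chain three levels deep that ends in a .swf reference stands out at a glance.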













