You may think you're on top of security. You don't click through on pop-up IQ tests. You ignore invitations from svelte Svetlana to look at her .ru site. You don't open .zip or .exe attachments from unknown sources. Your anti-virus software is up to date.
Your computer may still be infected. Even now someone may be trawling your hard drive for passwords, bank account numbers, interesting documents.
The latest threat for internet users is malvertising, the use of ad networks for distributing malicious software.
Russell Fulton, Auckland University's information security officer, says the latest product of the botnet scientists is designed to run on mainstream websites, slipping under the guard of the major ad agencies who place the banner ads and pop-ups.
"We are taking this threat very seriously. The fact is you can go to any website and get attacked simply because it is carrying ads from one of the major agencies," Fulton says.
What's scary is that this new class of malware may require no interaction from the user. Instead it attacks the latest bugs in Adobe or Java, places where even well-run corporate IT departments may not pick up the problem.
The malvertisers are using the good name of the website or ad agency to point browsers at their servers, which load up the malware concealed in PDF, Flash, Java or similar files.
"The banner could include a single pixel iframe [tag] which has a malicious PDF which, if the machine is like most Outlook set-ups, will automatically be opened by Acrobat, and it's all over," Fulton says.
The machine then joins a botnet.
"What we are doing here is watching for these machines when they call home," he says.
The university gets an alarm when one of the 15,000 computers on its network sends out a call to the IP address of a known malicious site, and it can then identify and disinfect that client.
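The call-home check described above can be sketched as follows. This is an added example, not the university's own tooling: the flow-log format, the internal range, the listed addresses (documentation ranges) and the function names are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation-range addresses, not real indicators.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_BAD = [ipaddress.ip_network(n) for n in ("203.0.113.7/32", "198.51.100.0/28")]

# Assumed log format: timestamp, source IP, destination IP, destination port.
SAMPLE_FLOWS = """\
2010-03-01T09:14:02 10.20.3.41 203.0.113.7 80
2010-03-01T09:14:05 10.20.3.77 192.0.2.10 443
2010-03-01T09:44:02 10.20.3.41 203.0.113.7 80
2010-03-01T10:02:11 10.31.8.5 198.51.100.9 8080
garbled line from a truncated export
2010-03-01T10:05:40 192.0.2.10 198.51.100.9 80
"""

def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)

def find_callers(flow_text, internal=INTERNAL_NETS, bad=KNOWN_BAD):
    """Return ({internal client: summary}, skipped_lines) for clients that
    contacted a listed address. Only internal sources are reported, because
    those are the machines that can be located and disinfected."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "dests": set()})
    skipped = 0
    for line in flow_text.splitlines():
        try:
            ts, src, dst, _port = line.split()
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:          # wrong field count or unparsable address
            skipped += 1
            continue
        if in_any(src_ip, internal) and in_any(dst_ip, bad):
            rec = hits[src]
            rec["count"] += 1
            rec["first"] = rec["first"] or ts   # keep the earliest sighting
            rec["last"] = ts
            rec["dests"].add(dst)
    return dict(hits), skipped

if __name__ == "__main__":
    alerts, skipped = find_callers(SAMPLE_FLOWS)
    for client, rec in sorted(alerts.items()):
        print(f"ALERT {client}: {rec['count']} call(s) to {sorted(rec['dests'])}, "
              f"first {rec['first']}, last {rec['last']}")
    print(f"{skipped} unparsable line(s) skipped")
```

Repeated calls from the same client at regular intervals, as with the first client in the sample, are what distinguish a machine checking in from a one-off page load.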
While the malware probably traces back to Russia, the machines sending the message could be anywhere.
The ad-placing algorithms mean New Zealand IP addresses may not get sent many of the maladvertisements, but some are getting through.
Fulton says unless the botnets are used for something overt such as spamming or denial of service attacks, most networks won't pick up the infection.
The PCs can also be loaded up with keyboard loggers to capture passwords and banking credentials which the botnet operators then sell to other criminals, or malware which sends out documents.
Fulton says the malware evades most anti-virus protection.
"If the user has administration rights on the machine, the AV is almost certainly disabled as soon as the malware goes in.
"The software changes by the day, probably by the hour."
Fulton says the best protection is, as always, to patch and patch and patch.
Users should switch to Firefox rather than Internet Explorer, and make use of their preference panels so the browser does not automatically open PDFs.
* * *
Some feedback from Paul Brislen, head of corporate communications for Vodafone NZ, who's keen to correct what he calls "a few inaccuracies" in last week's column on mobile termination rates, starting with the claim: "The result of this lack of competition is that two-thirds of mobile customers pay some of the highest rates in the OECD."
Brislen: Not sure where he [Gifford] got that from but it's quite untrue. NZ retail rates (according to the OECD) are among the best in the world and have been for the past couple of years.
[Gifford] also says in his final paragraph that foreign investors will avoid New Zealand. This is clearly rubbish as there are three networks in New Zealand built by foreign-owned companies (Telecom, Vodafone, 2degrees). If anything, the opposite is true - unwarranted Government regulation drives investors to look elsewhere.
* * *
I stand corrected. Going back to Commerce Commissioner Anita Mazzoleni's dissenting opinion on regulating mobile termination access rates, what she actually wrote was "currently more than two-thirds of New Zealanders pay some of the highest mobile prices in the OECD".
Obviously Vodafone was so pleased commissioner Ross Patterson rolled over to have his belly tickled it didn't read the dissent to letting Vodafone and Telecom maintain closed network pricing for a further five years.
Brislen says Vodafone disputes how Mazzoleni arrives at her calculations, believing she cherrypicks rates then extrapolates.
Such disputes over benchmarking are inevitable given how New Zealand's mobile market has, in the absence of regulation, evolved differently from the rest of the OECD so we are never comparing apples with apples. As for foreign investment, the taxpayers built Telecom's most important network - its copper landline. Vodafone bought its network from BellSouth, and because of Telecom's poor technology choices, has enjoyed a near monopoly in many regional markets, such as Auckland.
2degrees was only able to attract the foreign investment it needed to build its network after the 2006 Telecommunications Act increased the prospects of regulation - prospects the regulator has now turned his back on.
Scary malware sneaks in on advertising