16 March 2016

Of Malware and Adware: Why Forbes Did Not Serve Me Malware

Web-based advertising is always a hot topic for discussion, debate, and outright argument. The Internet we've grown accustomed to relies on ads; after all, Google is an advertising company.

In the recent past we've seen articles on malvertising campaigns using Skype and, more recently, the New York Times and BBC. Soon after, comparisons were made between these attacks and an incident I noted in January regarding Forbes.com. Those comparisons are ongoing, motivating me to write this post.

While Forbes did experience a malvertising event last year, these attacks are nowhere near the same as the event I posted about in January. That people claim they are shows a general lack of understanding, even among security practitioners, of the differences between malware, adware, and PUPs, and between valid threats and nuisances.

Forbes did not serve "malware" and cannot be compared to these incidents.

To explain this in detail, let's discuss how my event came to be.




Earlier this year Forbes.com LLC decided to test blocking browsers with ad-blockers, a move that split the discussion to its core. More and more of our online activity focuses on news articles, blog posts, and other write-ups. Everything I write on this blog takes considerable time and effort, sometimes weeks of development. But, as I have a day job, I do not need to host advertisements. Others, with a greater command of words, try to eke out a salary from the ads that frame their writing. I understand and empathize with this. As a published author I'm used to making no money from royalties while peers torrent the eBook right in front of me.

A mid-December gift of Fallout 4 for the PS4 was something that I greatly appreciated, especially as it was a gift that I bought myself for my birthday. After it sat for a few weeks while I was inundated with work, I opened it at New Year's and looked for articles that would give a quick leg-up at the beginning.

A search for early armor referred me to a Forbes article, One Of The Best Pieces Of Armor In 'Fallout 4' Isn't What You Think. Upon loading this page I received the dreaded message that's gone viral in the past few months:



Your mind freezes. Surprise turns to distrust, then pondering. As security people, we then begin to weigh the options. I don't like ads, and use AdBlock Plus to disable them everywhere I go. However, I also would like to access the information on that website. In response, I disabled my adblock for Forbes.com, continued to the article, and immediately had a pop-under window appear.








Well, that's disconcerting. I chuckle and take a screenshot. I then look over this page in detail. Some basic HTML, some JavaScript, with all notable scripts shared for perusal. Of note:


<script type="text/javascript">
    function doDownload()
    {
        trigger_dl(false, 21, 13526, 'True', 'setup.exe');
    }
</script>
...
function trigger_dl(redirect, lpm_id, rotation_index, rotate, filename)

This was really interesting. So, I grabbed the resulting setup.exe, which saved as jre-8u25-windows-i586.exe. I took an MD5 hash of the file, 2CDD85286C5531557F3F20A7CAFA7291, and compared it to the known good hashes from Oracle. It was clean.
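The verification step described above, as an added example (not the author's or Oracle's code): hash the download in chunks and compare both MD5 and SHA-256 against a vendor-published list. The KNOWN_GOOD table and file name are constructed for illustration, using the digests of the string "abc".

```python
# Added example (not the author's code): verify a downloaded installer against
# vendor-published digests. KNOWN_GOOD below is constructed for illustration.
import hashlib

KNOWN_GOOD = {  # constructed sample table: file name -> published digests
    "sample-installer.exe": {
        "md5": "900150983CD24FB0D6963F7D28E17F72",  # vendors often publish upper-case hex
        "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    },
}


def digest_bytes(data: bytes) -> dict:
    """Lowercase hex MD5 and SHA-256 of an in-memory blob."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks so a large installer need not fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify(name: str, digests: dict, known_good: dict = KNOWN_GOOD) -> str:
    """Return 'known-good', 'mismatch' or 'unknown' for a download.

    Comparison is case-insensitive. Every digest the vendor publishes must
    match; one mismatch means the bytes are not the vendor's file. A match
    proves only identity, not that the version is current or that known
    flaws are patched (the Java build in the post was a year old).
    """
    expected = known_good.get(name)
    if expected is None:
        return "unknown"          # nothing published for this file name
    for algo, ref in expected.items():
        if digests.get(algo, "").lower() != ref.lower():
            return "mismatch"
    return "known-good"


if __name__ == "__main__":
    import os, sys
    print(verify(os.path.basename(sys.argv[1]), digest_file(sys.argv[1])))
```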

It's a bit baffling. It was simply a page serving up a legitimate copy of the Java Runtime, albeit one that was over a year old. Maybe the rotation_index in the JavaScript allowed the site to be "enabled" at certain times and to provide Java at all other times? Maybe they wanted to intentionally install old Java? There's no clear answer here.

I did not feel threatened. This was interesting and mildly funny.

While we have a growing population of researchers who tweet major vulnerabilities in real time, proper threats should be taken up directly with the organization and not be made public. I did not consider this a proper threat, so I posted it to Twitter without a care, which was a mistake.

It was a silly pop-up with a legitimate application. However, in my flippant tweet about the event, due to the space limitation of Twitter, I called it malware. I then followed up within seconds about what that meant, what the file was, and how it was really just a page for 'crapware'. I posted a trace, and had history data from my Chrome cache to review.


Here is what is clear:

1. The advertisement was not malware.
2. Forbes is still whitelisted from my ad-blocker.
3. We have no evidence of what exactly created this pop-up.

The last point was frustrating to every party involved. It has not happened again, in months, on my original system. They were not able to find a trace of it on theirs.

Where the community responded


Forbes almost immediately reached out and we started a dialog. We shared logs, events, and descriptions of the ad. Though I had a valid "Referrer: forbes.com" in the web page, their breakdown of their ad system (which is actually a very complex and well thought out system) showed that it just couldn't exist. I had a page that said it came from Forbes, and Forbes had evidence that no page should have that referrer. We were stuck without any evidence.

In that time, the tweet went viral. I hate viral tweets. People focused on the word "malware" and ignored all of my follow-up clarifications. Suddenly my name and background were being leveraged as fodder for people's own battles. Just one example is below:


Things became heated on Twitter, but in the news it was fairly calm. Forbes published an article that delved into the ad-blocking debate and the metrics it generated: Inside Forbes: Our Ad Block Test Stirs Up Emotions, Then Brings Learnings and New Data.

Where Engadget pushed things downhill


On a Friday morning I had just walked out of a barber and was preparing to meet a coworker for lunch when I received an automated tweet. My Twitter handle was referenced in an Engadget article. I pulled up the article and my mouth dropped.

In an article titled You say advertising, I say block that malware, a writer for Engadget, Violet Blue, jumped to severe conclusions and grouped my incident in with ransomware, drive-bys, and zero-day attacks. This writer worked directly off my single tweet and willfully ignored all of the further details. They also did not reach out to me for comment or clarification. That article became the source for dozens of additional articles, with a current 6,693 shares, all berating Forbes for "serving malware".

My initial response was to go onto the article and create a comment giving the rest of the story. It was immediately downvoted and currently sits at a -4 score. Similar reactions were received on Reddit and Slashdot.

A poorly sourced and poorly written article by Engadget caused a minor issue to become a misunderstood stampede. Even weeks later, some Forbes writers were so outraged by that article that they were considering quitting their jobs. A letter written to Engadget complaining about the article received no response or feedback.

And so that article sits, spewing misinformation, and providing fodder for continued comparisons to actual malvertising attacks.

The incident was overall very frustrating. I audited my extensions and software (it's a work Mac with almost no apps installed). I turned all ad blocking off for two weeks and, again, never saw a pop-up with ad-blocking disabled.

After working with Forbes for a few weeks, and going over the data that they collected, it's been difficult to find where this ad came from. I found no trace of an agent on my system, and they found nothing in their logs. And that's where things ended. I did not claim they were infecting me, or hosting malware, or were negligent in their approach; yet, those words were attributed to me.

Lessons learned:


1. Don't trust the press.
2. What you consider a mild irritation can be misinterpreted as a major incident.
3. If something could be taken the wrong way, try to directly communicate with the organization.
4. No one reads the fine print. They only want the flashy title.
5. Don't trust your peers when they have their own ax to grind.
6. Choose your words wisely, especially when you have to choose shorter synonyms for Twitter.

3 comments:

  1. lesson 0: Lawyer up, delete Twitter, hit the gym.

    Seriously though - thanks for the historical correction.

    Reminds me why some people used to make the errata/corrections the first part of the newspaper they read. Back when people read newspapers.

    Today's corollary is usually the Reddit comments that debunk a sensationalist headline - which makes it extra disappointing that your classifying comments got downloaded to oblivion. "But but muh pitchforks!"

  2. So, help me out here...

    The moment you turned off your ad blocking software and loaded a page from Forbes.com, you were served with a script that tried to install outdated (and vulnerable) "crapware". Your data says it came from Forbes. Forbes says it didn't come from them and showed you data that you state corresponds with their claim - so, essentially, after turning off your ad block, you had an outside attempt to install vulnerable software onto your PC that seems to have come from nowhere...

    ...How is this supposed to make anyone feel better about the idea of browsing the internet without ad blocking software and privacy scripts installed? :/

    1. Levels of grey.

      Yes. The moment the adblocking was turned off, a crapware page appeared. It was unwanted (by both parties) but it was a few distinct levels below "malware".

      Ad blocking is still a thing, and will always remain to be so. Each person has to choose their battles on which site they'll allow ads, based upon their usage. For most sites I'll never turn off ad blocking and, therefore, will just not visit them again. Others I still would like to read and am willing to whitelist. That selection will vary for everyone.
