Sunday, 15 November 2015


These days, malware is a business.

20 years ago, when I was in the antivirus business, viruses were written by kids having fun. I even met some of them; some after they were arrested, one at a show (he came up to me and identified himself).

But its all changed. Now, the way that Bad Things are spread, isn't via viruses (self-replicating programs), it's via trojans. The way a trojan works is: bang, gotcha.

So how do trojans arrive on your computer? There's two main routes. One is via email, and I've been discussing this a lot recently. The other is via the web.

We all know that visiting the web site could rapidly lead to big problems; sensible people avoid the less salubrious parts of the internet. But some parts of the internet come to you, whether you want them to or not. I'm talking about advertisements.

The advertising ecology of the web looks like this. You have a blog, which is attracting a thousand times more people than this one (my typical post gets a dozen readers, two dozen if it's lucky). And it occurs to you that you might make some money out of this. By accepting adverts. But you have no idea who might be interested in paying you to show ads, so you go to an internet ad broker.

On the other end, you're a nifty entrepreneur with a great product or service to sell, and you want to advertise it, but you don't want to contact hundreds of web sites to negotiate rates and conditions. So you go to an internet ad broker.

And that's why, when you're viewing some site with interesting content, annoying, intrusive and irrelevant adverts keep popping up, occupying your screen and irritating the hell out of you.

Enter the Bad People. They want you to run something malicious. A good choice would be some javascript, that accesses a remote server and downloads something really nasty that takes over your computer, and now your computer can be rented out by a third party, to fourth parties who want to send out spam, or attack other computers ... and it's your computer that gets the blame. And since a computer is just a machine, it's you that gets the blame.

So they buy an ad from the broker. This ad includes the javascript, which is checked against VirusTotal so that it passes as clean when checked by 55 different scanners, and for the first 100 accesses, or for the first few days, it does nothing, so that anything that's testing it, will pass it as OK. And then it goes live, working it's evil badness. If your computer runs javascript, you're vulnerable - by default, your computer will be running javascript. And if you don't run javascript, you're going to get so many web sites telling you that javascript is needed for their site, that eventually you'll give in and allow javascript.

I use Noscript. This blocks javascript, java, flash amd other plugins, unless I specifically allow it for that site, on that occasion. I consider this to be a security issue. I also use uBlock Origin (I used to use adblock), because until one day in the future all advertising is certified as malware-free, why would I allow it on my systems? And they don't (and probably can't) certify it as malware-free.

I also use a hosts file. What that does, is resolve a long list of sites such as (I kid you not, and I haven't visited the site, so I don't know what it does) to of to which is where really is. You see, means "this computer". So for any domain on the long long list that you can get here, if my computer is told to get something from that domain, it doesn't. As a nice site effect, loading web pages is much faster, because of all the junk that I'm not downloading.

You can set up a hosts file for Linux (you edit /etc/hosts), Windows (look in C:\Windows\System32\drivers\etc) or Android.  If you can do it for iPhone or iPads, I don't know how. I suspect you can't, unless you "jailbreak" it, which many people are unwilling to do.

So you too can avoid malvertising.

No comments:

Post a Comment