Notice: This blog is no longer updated. You may find a broken link or two

You can follow my new adventures @mikeonwine

So while reading my blog reader this morning I realized there were quite a large # of posts about malicious ads (aka Errorsafe) coming through. All this new media attention to the problem is good, but saddening that people still see so clueless. Perhaps even worse is the fact that industry folks don’t have a good grasp on the problem yet.

Take this eweek article on malicious ads. Lets look at some of their findings:

There is, in fact, a scourge of so-called “badvertising” infiltrating legitimate sites. Since Sept. 22, the ads have been finding their way into the servers of the advertising industry’s biggest players, such as DoubleClick.

Wow… these guys are really up to date. I created my “Errorsafe” page on March 22nd of 2007, and that’s after many months of frustration with malicious flash banner ads. The first “major” infiltration I know of dates to the summer of 2006 when Myspace served a malicious ad to its users. The tools & technology haven’t changed — the code might be more obfuscated, but it’s still the same type of flash ad executing similar javascript. Oh, and Myspace used DoubleClick for hosting back then.

If only it were so simple. In fact, there is no such anti-spyware that could be built into an ad-serving platform such as DoubleClick. The buyers who are purchasing advertising space on sites and then swapping in malicious ads are far too sophisticated to code their malicious code with something so crude as to be picked up by anti-spyware software.

Of course it’s possible to detect these ads, it just takes a little bit of work. Right Media has such a system. I’m also aware of at least two different companies that are looking to develop similar automated testing tools.

“The big issues that security researchers who deal with Web exploits and downloaders on Web pages struggle with every day are the different ways you can make JavaScript do different things. As long as you accept Flash and it has ActionScript, there’s no way to rule out a repeat of this fiasco.”

Not true. I proposed a fix in this post that should be fairly trivial to implement. Instead of assuming that actionscript is safe, everyone should assume that it’s unsafe. Then, the few ads that require special permissions (such as complex rich media ads) can go through a manual review and receive explicit permission to execute script.

So here’s my proposal — What if the industry giants got together and created one central repository of “safe ads”. This non-profit central body would do a manual audit of all the action-script within all ads and certify them as safe to run. Then, instead of emailing creatives around buyers would send an ID or link to the ad in the central repository. It’s a lot of work, but considering how much money is on the line, I’m sure it’d be fairly easy to get some funding together to do this.

Yahoo, Google, Microsoft — somebody up for setting this up? I’ll help =).

Related Posts:

  • Ben


    I believe that admonsters has an ongoing project to institute something like a Safe creative repository that you have mentioned. You can see it at

    In addition there has been talk in the IAB about such a thing coming from that body

    The key will be to have the agencies and advertisers fully buy in. The publishing communities will be able to reap the benefits of such a system almost immediately, but the workflow for the agencies will have to change and it is diffacult for the publishers to “not” accept creative directly.

    There is also a need for a notification system that notifies all parties when creatives are switched out behind third party tags. Much of the malware conundrum is a result of creative that was changed mid-flight behind a tag.

  • Sandi

    :o ) Do I sense a little frustration in your post? I’ve been saying pretty much the same thing:

    The problem isn’t new, but what is new is the big name sites that have been hit. In the past the problem has been most prevalent on small sites that use cheap advertising.

    In the past couple of weeks I’ve worked on outbreaks that have hit ok-magazine,, the Sensis network (that was a biggy) and tonight I have received word that National Geographic has been hit. Then there are the outbreaks that I haven’t had personal experience with that I heard of that have allegedly hit The Economist, Groups MSN and a couple of other big names.

    It’s getting to the stage where the industry as a whole will have no choice but to make the changes that you suggest – it is that or audit every single advertisement that comes through – it’ll be cheaper and easier to follow your actionscript suggestion.

    Note, I haven’t caught a redirect at National Geographic yet, but it’s only a matter of time.

  • B. Nones

    Strange that you mention this, as we’re about to launch what could very likely be a safe repository of malware-free ads:

    Mike, email me if you get a chance. I’ve not been able to find a way to get in contact with you, and didn’t know how often you checked this blog.

  • Rob Leathern

    I have overseen the review of thousands of ads using Right Media’s system, with daily incremental reviews. The problem is, though, if you’re daisy-chaining with various ad networks and are accepting third-party tags, other creative can be swapped in … and in fact we sometimes found that in the evenings some of the “safe” ads we saw got switched for non-family safe adult ads. Of course, spyware-launchers and other types of ads showed up less frequently after all our precautions, but they were still not 100% eradicated. I agree the industry needs to do more to set some standards here if it display is to continue to grow and improve.

  • Frank

    This problem might me more difficult than the ordinary eye can see. Meaning what prevents these dubious people from tweaking the action scripts to do something else right after it has been certified by this central body?
    For example one can instruct the script to provoke a legitimate action from a 3rd party server(which the central body will ok) and then change that action to something else after the creative has been approved.

  • Mike

    Hi Frank,

    First off — the auditing team would have to extract and analyze the actionscript of every creative. 99% of all flash files have totally innocuous and standard actionscript — easily identified by a normal person with a tiny bit of training. The other 1% would then pass through further inspection — For creatives that rely on third party servers, certain could be “certified” (eg pointroll for rich-media), and all other creatives would be thrown out.

    Because the flash will be hosted by the repository, there will be no way of altering the action-script and if only approved third party servers are allowed then no malicious ads should be able to sneak in.


  • Frank

    I agree with you and Rob! The only way this problem can be fully annihilated is with a system that allows for only a pre-approved set of third party servers.

  • Jeremy


    I am glad you were as upset as I was with that article, the next big thing they are doing is rotating the ads via iframes, so you can’t catch them as easily since they are making the ad decision at the backend and you never see the correct creative until its already hit the sites and you have the complaints.

    Ad Operations is a thankless job and that E-week story implied that we didn’t even know about these things until now.. How lame

  • Infecting the Ad Pool – Tim Howgego

    [...] Malicious Ads getting More Attention — People Still Clueless – Common misunderstandings. Tim Howgego, 12th July 2008. Related topics: Advertising, El, Malvertising, Uncategorized. [...]

  • zip recover

    Very very nice. Great article. Thanks