DoubleClick and MSN serve up malware

Two of the Internet’s biggest advertising networks – DoubleClick and MSN – were serving malware-laden banner ads to web users last week.

Writing in his blog, insecurity expert Wayne Huang, of Armorize, claimed a group of attackers was able to trick the networks into displaying their ads by impersonating an online advertising provider.

The cunning plan involved registering a domain that was one letter away from that of, an online advertising technology firm.

The attackers then used to dupe the advertising networks into serving their malicious banner ads. The ads did not have to be clicked: simply loading a page that carried one of them was enough to trigger a drive-by download that installed malware on the victim’s PC.
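The weak point here is that an ad network or publisher accepted creatives from a domain that merely looked like a known vendor. One check a practitioner can run over ad-tag markup is to pull out every script host, reduce it to its registered domain and compare that against an allowlist of contracted vendors, flagging anything within one or two edits of an allowlisted name (the typosquat in this story, a doubled letter, is a single insertion). This is an added example, not code from the article, from Huang or from Armorize; the allowlist, the placeholder vendor name `trusted-ads.example` and the sample ad tags are all constructed for illustration.

```python
"""Flag ad-tag script sources whose host is a near-miss of a trusted ad vendor.

Added example, not code from the article or from Armorize. The allowlist and the
sample ad tags below are constructed for illustration; 'trusted-ads.example' is a
placeholder vendor name, not a real company.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist: registered domains of vendors the ad ops team actually contracts with.
TRUSTED_VENDORS = {"trusted-ads.example", "doubleclick.net"}

# Constructed sample of ad-tag markup, as it might be pulled from a page or an exchange feed.
# Two of the five tags point at lookalike domains (one extra letter, one missing letter).
SAMPLE_AD_TAGS = """
<script src="https://cdn.trusted-ads.example/tag.js"></script>
<script src="https://cdn.trusted-aads.example/tag.js"></script>
<script src="http://ad.doubleclick.net/adj/site;sz=728x90"></script>
<script src="https://doubleclik.net/adj/site;sz=728x90"></script>
<script src="https://cdn.unrelated-cdn.example/lib.js"></script>
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Crude 'last two labels' reduction: cdn.trusted-ads.example -> trusted-ads.example.

    A real deployment should use the Public Suffix List (for example via the
    tldextract package) so that co.uk-style suffixes are handled; kept simple
    here to stay dependency-free.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def script_hosts(markup: str) -> list[str]:
    """Return the host of every <script src=...> found in the markup, in order."""
    hosts = []
    for src in re.findall(r'<script[^>]+src=["\']([^"\']+)["\']', markup, re.I):
        host = urlparse(src).hostname
        if host:
            hosts.append(host)
    return hosts


def classify_host(host: str, trusted=TRUSTED_VENDORS, max_distance: int = 2) -> str:
    """'trusted'   : registered domain is on the allowlist
       'lookalike' : within max_distance edits of an allowlisted domain (typosquat suspect)
       'unknown'   : neither, i.e. not contracted but not impersonating anyone either"""
    dom = registered_domain(host)
    if dom in trusted:
        return "trusted"
    if any(levenshtein(dom, t) <= max_distance for t in trusted):
        return "lookalike"
    return "unknown"


def audit_ad_tags(markup: str) -> dict[str, str]:
    """Map each script host in the markup to its classification."""
    return {h: classify_host(h) for h in script_hosts(markup)}


if __name__ == "__main__":
    for host, verdict in audit_ad_tags(SAMPLE_AD_TAGS).items():
        print(f"{verdict:9s} {host}")
```

Run against the constructed sample, the two genuine vendor hosts come back `trusted`, `cdn.trusted-aads.example` and `doubleclik.net` come back `lookalike`, and the unrelated CDN comes back `unknown`. The `lookalike` verdict is the one worth paging on: an unknown host is a procurement question, but a host one edit away from a contracted vendor is almost never an accident.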

It was not long before the ad networks got wise to the hack, but Huang points out that the incident shows how difficult the drive-by download problem can be to fix.

Users visit websites that incorporate banner ads from DoubleClick or; the malicious JavaScript is served from This starts a drive-by download process and, if successful, HDD Plus and other malware are installed onto the victim’s machine.

The victim does not have to be tricked; just visiting the page infects the visitor.

The sites that were affected included those with DoubleClick or banners, including for example,,, and

It is possible that multiple exchanges, besides those listed here, have been serving the fake ADShufffle’s ads, he warned.

The attackers used the Eleonore exploit pack and the Neosploit package to carry out the drive-by downloads. Both kits throw a smorgasbord of browser and plugin exploits at each visitor in the hope that one of them matches an unpatched vulnerability.

While we have seen small-scale drive-by attacks, this is the first time that we have seen the broad reach of the legitimate ad networks being used to carry out the attacks.

Huang said he was impressed by the speed with which DoubleClick dealt with the problem: Armorize warned the company, a meeting was held within a few hours, and DoubleClick fixed it.

Google, which owns DoubleClick, told the IDG News Service that the malicious ads had only been served for a short time. It seems that its own security filters had detected the hack.