I've recently noticed a disturbing and growing trend in malware distribution. Rogue antispyware (malicious programs masquerading as antispyware) is coming to you via ads you haven't even clicked.
I first encountered this on an Israeli newspaper's English-language Web site, Ynetnews.com. Intermittently, after a few seconds of browsing Ynet's home page, my browser would be redirected to another site, its window shrunk to resemble a dialog box (shown) with a typical rogue pop-up message implying that my system was infected. An obvious lure, and only a momentary distraction in a pop-up. But after being redirected, I found there was little I could do but use Windows Task Manager to close the browser. This is really your only recourse, too, should you get caught in the same situation.
In the interest of virus research, I let the site "scan" (ha!) my system and download a program, which Kaspersky Antivirus identified as "not-virus.HoaxWin32.Renos.kd."
Rogue antispyware vendors are annoying and malicious, but not terribly interesting anymore. What interested me was the redirect. Did Ynet really do that? I doubted it, so I took a look at the home page's source code. And there's the problem: that code is ugly and complicated, practically begging for trouble. It contains ten iframes, several of them on other domains. (An iframe embeds another page inside the current one; the browser fetches that page, often from a different site, and runs its HTML and scripts just as if the user had visited it directly. Whoever controls the framed page effectively controls that part of the browsing session.)
I found the compromise in one of the ad sections. A page on the adtraffcom domain is loaded and executed. The page contains an invocation of a Flash movie; the movie is the key to the browser redirection. Several pages are involved, but the main redirection happens on the blessedads.com domain, and it sends users to a variety of rogue security application sites. These guys are not news; the ad networks know they're there and are trying to do something about them. But we all know closing a security hole isn't simple, especially when profit is involved.
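As an added example (not code from the column, and not from Ynet, the ad networks, or the analysts named here), the following Node.js script performs the first step of the triage described above: it takes a saved copy of a page's source, lists every iframe, resolves each src against the page URL, and flags the frames served from another site, which is where a page like the one on the adtraffcom domain would show up. The sample HTML and all hostnames in it are constructed for illustration; none are the real site or ad domains. The "same site" test is a deliberate simplification (last two hostname labels) and is marked as such in the code.

```javascript
// Added example: audit <iframe> origins in saved page source (Node.js 14+).
// No DOM library is needed; the WHATWG URL class handles URL resolution.

// Constructed sample of a news front page with several embedded frames.
// Every hostname here is invented for the example.
const SAMPLE_HTML = `
<html><body>
<h1>Front page</h1>
<iframe src="/widgets/weather.html" width="300" height="100"></iframe>
<iframe src="https://static.news-site.example/ticker.html"></iframe>
<iframe SRC='http://ads.adnetwork-one.example/serve?slot=top' frameborder="0"></iframe>
<iframe src="//cdn.adnetwork-two.example/banner.html"></iframe>
<iframe src="https://news-site.example/comments"></iframe>
<iframe id="noSrc"></iframe>
</body></html>`;

// Registrable-domain approximation: the last two labels of the hostname.
// Simplification for the example; a real tool should consult the Public Suffix List
// so that names like foo.co.uk are grouped correctly.
function siteOf(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Pull the src attribute out of every <iframe> tag, tolerating attribute
// order, attribute-name case, and single, double or missing quotes.
function extractIframeSrcs(html) {
  const tagRe = /<iframe\b([^>]*)>/gi;
  const srcRe = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  const srcs = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attr = srcRe.exec(m[1]);
    // An iframe with no src is usually filled in later by script: worth noting, not resolvable here.
    srcs.push(attr ? (attr[1] ?? attr[2] ?? attr[3]) : null);
  }
  return srcs;
}

// Classify each frame relative to the page it was loaded from.
function auditIframes(html, pageUrl) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  return extractIframeSrcs(html).map((src) => {
    if (src === null) return { src: null, host: null, thirdParty: null };
    const u = new URL(src, pageUrl); // resolves relative and protocol-relative srcs
    return { src, host: u.hostname, thirdParty: siteOf(u.hostname) !== pageSite };
  });
}

// Convenience view: just the foreign hosts, in document order.
function thirdPartyHosts(html, pageUrl) {
  return auditIframes(html, pageUrl)
    .filter((r) => r.thirdParty)
    .map((r) => r.host);
}

// Usage: run against the constructed sample as if it were www.news-site.example.
const PAGE = 'https://www.news-site.example/';
console.table(auditIframes(SAMPLE_HTML, PAGE));
console.log('Third-party frames:', thirdPartyHosts(SAMPLE_HTML, PAGE));
```

On the sample, the two ad-network frames are reported as third party, the protocol-relative `//cdn...` src is resolved to https because the page is https, and the src-less frame is listed with `thirdParty: null` so it is not silently dropped. Against a real saved page you would feed the file contents in place of `SAMPLE_HTML`; the foreign hosts are the ones to look at first, since anything they serve (including a Flash movie) runs with the ability to redirect the top-level window.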
A large site like Ynet should be more careful. And now this particular attack is showing up elsewhere, at sites including The Wall Street Journal and the Boston Herald, as well as non-news sites and some prominent advertising networks. There's a very interesting example described at (please pay careful attention to the warnings and don't click on the URLs!). Just as I was finishing up this column, I found another one on an even more significant site: MLB.com, the site of Major League Baseball.
My thanks to independent security analyst Thor Larholm, who identified the Ynet redirect, and Adam Thomas of Sunbelt Software, who analyzed the Flash movie.