Aggressive Malware Attack Threatened 150 Publishers.

Last week, in the early-morning hours, the Rubicon Project’s brand protection technology flagged an anomaly among a handful of the tens of thousands of ad tags we manage. After blocking those suspect tags to make sure they wouldn’t be permitted to serve on any sites, our analysis showed that they contained unusual code and would, under the right conditions, attempt to download Windows executable files — that is, not just images or animations or videos, but actual software programs.

Why would a display ad try to download a software program? Because it was being used as a vehicle for malicious advertising, or “malvertising,” which distributes dangerous software known as malware via an otherwise standard-looking ad banner. But before the malicious ads could achieve their goal, REVV’s SiteScout malware protection technology prevented this malvertising attack from serving hundreds of thousands of impressions across more than 150 websites while we got to the root of the issue.

How did we keep 150 publishers safe from a single, extremely prolific malware threat? SiteScout performs dynamic, behavioral scans of creatives as they appear “in the wild” (on real websites, in real time). That means SiteScout actually renders ads in a browser, lets JavaScript and Flash execute, and generally behaves as a website visitor would, so that it is exposed to the same threats a user would be. This is proprietary technology that the Brand Protection & Security team at Rubicon manages and continually refines; we’re not relying on third-party security software, which may not be able to protect against the most dangerous kinds of threats, the so-called “zero-day” exploits that aren’t yet known to the anti-malware community.

Back to the story at hand: over the following days, SiteScout kept the affected ad tags — and indeed all ad tags from the affected ad network — in a quarantined state and continued its monitoring as more than three dozen of the tags began showing signs of infection. Some malvertising makes its presence obvious by popping up scary announcements proclaiming “Your computer is infected!” and demanding money for bogus “security” software. But this malware was invisible. Still, in our controlled malware-analysis environments, we could see it quietly worming its way onto machines. An ad would reach out to a server on a domain in India, download software that would superficially masquerade as an update to an Adobe product, and entrench itself on a target system.

So why do malware authors do this nasty stuff? Because if they can sneak a bit of unwanted code onto a computer, they can turn that computer into a virtual cash machine. In effect, the malware authors plant moles in PCs around the world. Their code can then do their bidding, whatever that may be on a given day, and users might never even be aware it’s there. Maybe the malware authors intend to enlist the computers in a botnet that they can rent out to send spam or attack websites and extort ransom money to stop. Maybe their mothers didn’t give them enough positive reinforcement. Who knows — the possibilities are endless.

Here’s where it gets really scary. Neither the ad network nor the advertiser itself was acting maliciously. Instead, the ad network’s own servers had been hacked; the advertiser had no idea their otherwise high-quality ad creative had been hijacked. The malware authors managed to insert their unwanted code into ad tags, doubtless expecting that those tags would then serve on a wide swath of high-traffic Web sites. Except that SiteScout disabled the tags to prevent them from appearing on sites that rely on the REVV for publishers platform. Evildoers, foiled again.

How does an ad ops staff proactively monitor tens of thousands of tags running worldwide on a 24-by-7 basis for signs of invisible malware infections? They can’t. But with REVV, the first line of defense comes not from people but from our industrial-scale automated brand protection technology. It wasn’t people but technology that found those attacks in the middle of the night, because REVV has hundreds of machines continuously assessing tens of thousands of ad tags. Our platform performs upward of a million scans daily from dozens of geographic locations, and our technology carefully sifts the resulting data to identify any anomalous behavior — which in this case we observed from six locations in three countries (via our proxy system, which monitors traffic around the globe). When the automated system finds a suspect tag, it immediately shuts it off and shifts traffic to other tags, making sure that publishers continue to generate maximum revenue while remaining protected from threats. And when an incident occurs, REVV continues to monitor those disabled tags and our team works with affected ad networks to ensure that the problem gets corrected.
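To make the two mechanisms described above concrete (the behavioral scan that watches what a rendered creative actually fetches, and the multi-location aggregation that quarantines a tag and shifts traffic away from it), here is an added Python illustration. It is not SiteScout or any other Rubicon Project code, whose internals the post does not describe. Each scan record is what a sandbox proxy would log while rendering one tag from one location; the tag ids, locations, domains and the “adobe_update.exe” payload name are constructed for the example. The key design point is that the verdict does not trust the server’s Content-Type header alone: the URL path and the first bytes of the response (the “MZ” header every Windows PE file begins with) are checked independently, because an attacker controls the header and can label an executable as an image.

```python
"""Behavioral ad-tag scan triage: flag creatives that try to fetch Windows
executables, quarantine them across all scan locations, and fail traffic over
to clean tags. Added illustration with constructed data; not Rubicon code."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Content types a legitimate display creative should never pull.
EXECUTABLE_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
    "application/x-msi",
}
EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".scr", ".dll")
PE_MAGIC = b"MZ"  # DOS header that every Windows PE file starts with


@dataclass
class Request:
    """One HTTP fetch observed while the creative rendered in the sandbox."""
    url: str
    content_type: str
    first_bytes: bytes = b""


@dataclass
class Scan:
    """One render of one tag from one scanning location (hypothetical schema)."""
    tag_id: str
    location: str
    requests: list = field(default_factory=list)


def executable_reasons(req: Request) -> list:
    """Return every independent reason this request looks like an executable
    download. Header, URL and payload bytes are checked separately because the
    attacker controls the first two; the MZ magic is the strongest signal."""
    reasons = []
    ctype = req.content_type.split(";")[0].strip().lower()
    if ctype in EXECUTABLE_CONTENT_TYPES:
        reasons.append(f"content-type {ctype}")
    path = urlparse(req.url).path.lower()
    if path.endswith(EXECUTABLE_EXTENSIONS):
        reasons.append(f"url path {path}")
    if req.first_bytes.startswith(PE_MAGIC):
        reasons.append("PE magic bytes")
    return reasons


def triage(scans: list) -> dict:
    """Aggregate scans per tag. A tag is quarantined if ANY location saw it
    fetch an executable, since malvertising often fires only for some
    geographies. Returns tag_id -> {"quarantine": bool, "evidence": [...]}."""
    verdicts = {}
    for scan in scans:
        entry = verdicts.setdefault(scan.tag_id, {"quarantine": False, "evidence": []})
        for req in scan.requests:
            reasons = executable_reasons(req)
            if reasons:
                entry["quarantine"] = True
                entry["evidence"].append((scan.location, req.url, reasons))
    return verdicts


def route_traffic(verdicts: dict, candidate_tags: list) -> list:
    """Keep serving only tags that are not quarantined (shut the suspect tag
    off and shift impressions to the others)."""
    return [t for t in candidate_tags if not verdicts.get(t, {}).get("quarantine")]


# Constructed sample scans: not real tags, domains or observations.
SAMPLE_SCANS = [
    Scan("tag-1001", "us-east", [
        Request("https://cdn.example.test/creative/banner.swf", "application/x-shockwave-flash", b"CWS"),
        Request("https://cdn.example.test/creative/banner.gif", "image/gif", b"GIF89a"),
    ]),
    Scan("tag-1001", "eu-west", [
        Request("https://cdn.example.test/creative/banner.swf", "application/x-shockwave-flash", b"CWS"),
    ]),
    # Infected tag: only the eu-west render triggered the payload, which is
    # served with a misleading content type but carries a PE header.
    Scan("tag-2002", "us-east", [
        Request("https://cdn.example.test/creative/banner2.swf", "application/x-shockwave-flash", b"CWS"),
    ]),
    Scan("tag-2002", "eu-west", [
        Request("https://cdn.example.test/creative/banner2.swf", "application/x-shockwave-flash", b"CWS"),
        Request("https://update.example.invalid/adobe_update.exe", "image/gif", b"MZ\x90\x00"),
    ]),
    Scan("tag-3003", "ap-south", [
        Request("https://cdn.example.test/creative/banner3.gif", "image/gif", b"GIF89a"),
    ]),
]

if __name__ == "__main__":
    verdicts = triage(SAMPLE_SCANS)
    for tag, info in sorted(verdicts.items()):
        print(tag, "QUARANTINE" if info["quarantine"] else "ok", info["evidence"])
    print("serving:", route_traffic(verdicts, ["tag-1001", "tag-2002", "tag-3003"]))
```

Run as a script, it quarantines only tag-2002, citing the eu-west render, and leaves tag-1001 and tag-3003 in rotation. In a real pipeline the same per-tag verdict would feed the quarantine state and the ongoing re-scans the post describes, so that a tag is only reinstated once every location reports it clean.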

Although this incident was about malvertising, malicious ads are just one of the ad quality issues that our brand protection systems watch for on a continuous, automated basis. The systems also detect undesired behaviors like auto-play audio and unauthorized pop-ups — far more common than actual malvertising outbreaks, but still something that many publishers understandably object to and have set controls to prevent. And our creative harvesting systems, helix & VANTAGE, feed our crowd-sourced ad-classification engine, AdCheq, which identifies issues like potential channel conflicts and ad-quality guideline violations. We’re continually improving all these capabilities so REVV delivers a comprehensive, multi-layered approach to protecting publishers’ reputations, direct sales channels and the user experiences on their sites. I welcome feedback on what we can do to make them even better.