Blue Coat Labs

Labs Blog

Malnets and Malvertising

Malnets and Malvertising

Chris Larsen

Modern malvertising is nasty stuff, for several reasons:

  • The attacks typically involve no user interaction; you don't need to click on a malicious ad. (There may not even be a visible ad in association with the malicious reference.)
  • Most ad URLs these days are not simple "banner ad" images, but instead deliver javascript chunks (that eventually result in some sort of banner being displayed).
  • Those chunks are often encoded or obfuscated in some way, to protect the ad server's methodology and help control ad fraud. (They also enable sophisticated user tracking.)
  • Those chunks typically run in the "context" of the main (host) site, so if malware "shows up" as a result of an ad request, it appears to the world that the host page, or one of its frames/iframes, made the request.
  • Ad networks are complex webs of affiliate, partner, and subordinate providers.

On the positive side, malvertising attacks typically require significant planning and infrastructure to carry out, which means that malnets are the leading culprits, and we can track those....


One of the tools that Tim has built recently is a "Popular Site Monitor". This tool uses a list of the top thousand or so of the Web's most popular (high-traffic) sites, and counts the number of "references to malware" we see coming from each one. (In other words, somebody is headed to a malicious site -- in a malnet or otherwise -- when we stop the request, and look to see what site they're coming from.)

This list comes out several times a day for the Research Team to look at, and the Top Ten usually looks something like this one from yesterday afternoon:

  1. [a large porn site]
  3. [a large porn site]
  4. [a large porn site]
  6. (a big Chinese entertainment portal site)
  7. [a large porn site]
  8. (a big file host)
  9. [a large porn site]
  10. [a large porn site]

Besides being yet another piece of evidence for why we advise customers to block the Porn category as a standard defense against malware, this list also serves as a way to spot new malvertising attacks, for a couple of reasons:

- Generally, the sites that show up here have not been hacked, as typical "big site gets hacked" attacks include an iFrame or other injected link to a relay site, which then forwards the user on to the malware site. (And that extra layer of indirection would keep the big site off of this list, as this tool only monitors back one level, for simplicity. Unlike the SEP tool, for example, which traces back through multiple levels to find the original search engine site where an attack began.)

- Also, the nature of some sites on the list (e.g., may not indicate a malvertising attack because the site includes a lot of user-generated content that can include links to malware.


Although their order may change from day to day, the main members of the list are pretty constant. This means that any new site that suddenly appears is a good candidate to investigate for a breaking malvertising attack, and my intent is to do a few "quick looks" at such sites over the next month or so. These will be shorter blog posts, which can refer back to this post for general background, and concentrate on the specific ad networks being used in the attacks.