Music Service Accidentally Displays Malware-Riddled Ads

Oops. European music-streaming service Spotify accidentally sent users malware hidden within banner ads that appear within the free version of its software. Spotify immediately turned off ads as it battled to find the errant banner, as it explained in a series of frantic tweets.

In so-called drive-by attacks, cybercriminals prepare otherwise innocent-looking advertisements that contain malware within their HTML code. They then buy advertising space on the sites (or ad-supported software) in question.

Ad-space vendors rigorously check the ads to ensure that the organization behind the ad is legitimate, but that clearly went wrong here. The cybercriminals were able to inject rogue Java programs onto some users’ computers via a vulnerability in Adobe Acrobat.

According to anti-malware firm Dasient, drive-by downloads are among the most popular methods of malware distribution. Late last year, both Google and Microsoft served malware on their Christmas sites after a similar attack affected advertising giants DoubleClick and MSN. In that case, the cybercriminals claimed to be from a reputable business, but the URL they supplied was one letter away from what it should have been. Many other sites have fallen prey to similar drive-by schemes, including the New York Times, simply because they are unable to individually vet every single ad.

Avoiding falling victim to the majority of attacks is easy. First, ensure your browser, Internet plug-ins, and Adobe software (Flash, Adobe Reader, etc.) are up to date. The attacks usually exploit known weaknesses in such software.

Google Chrome users can type about:plugins in their address bar to see which plug-ins need updating, and users of most browsers can visit Mozilla's Plugin Check for a similar list. Internet Explorer users can also click the settings icon and select Manage Add-Ons.

Second, make sure that your antivirus software is up-to-date. The Spotify attack used known malware that should have been caught by most antivirus programs.

An additional solution will definitely block such attacks but it’s one that’s ethically questionable: Installing ad-blocking software. But bear in mind that sites like PCWorld are paid for by the money that comes in from advertising. It really is as simple as that. Looking at adverts is part of the deal of accessing commercial Web sites.

Spotify is an interesting case because the adverts were contained within its own program window, and not a browser. Therefore they wouldn’t have been affected by most ad blocking plug-ins.

It’s possible to manually edit the hosts file of your computer (located at C:\Windows\System32\drivers\etc\hosts) to map all advertising Web servers to the localhost address (127.0.0.1). This will mean any attempt by software to fetch ads will hit a brick wall.

For example, if ads were coming from http://ads.example.com, you could add a line like this to the bottom of the hosts file.

127.0.0.1 ads.example.com

To see what network connections are being made by a program to ad servers, you can use the TCPView program, offered free from Microsoft. But be warned that editing your hosts file is a pretty hard-core bit of hacking, and you should definitely make backups. Additionally, programs like Spotify serve ads from the same server that supplies their streaming data, or use direct IP addresses, which are hard to block.
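The hosts-file trick above is only as good as the entries in the file, and it never sees a request that addresses a server by raw IP. The following Python script is an added example, not part of the original article: it parses a hosts file in the format shown (comments, blank lines, several aliases per line), then reports which of a list of ad requests the file would actually sink-hole. The hosts-file text and every hostname other than ads.example.com are constructed for the example; 203.0.113.10 is a documentation address standing in for a direct-IP ad server.

```python
"""
Added example (not from the article): a small parser for the hosts-file format
described above, used to check which ad requests a given hosts file would
actually sink-hole to the loopback address and which would slip past it.
"""
import ipaddress
from urllib.parse import urlsplit

# Addresses commonly used to black-hole a hostname in a hosts file.
SINKHOLE_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample hosts file: comments, blank lines, multiple aliases on one
# line, and a trailing inline comment, all of which the real format allows.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost

# ad servers sink-holed to the loopback address
127.0.0.1 ads.example.com   # added by hand
127.0.0.1 banners.example.net adserver.example.net
"""


def parse_hosts(text):
    """Return {hostname (lowercase): ip} from hosts-file text.

    Each non-comment line is '<ip> <name> [<alias> ...]'; '#' starts a comment.
    Resolvers take the first matching line, so the first mapping seen for a
    name is kept and later duplicates are ignored.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: no hostname after the address
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line: first field is not an IP address
        for name in fields[1:]:
            mapping.setdefault(name.lower(), ip)
    return mapping


def is_blocked(url, hosts):
    """True if the URL's host is mapped to a sink-hole address in hosts.

    A request that names the server by literal IP never consults the hosts
    file, which is exactly the gap described above, so it is never blocked.
    """
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return False  # literal IP address: the hosts file is bypassed
    except ValueError:
        pass
    return hosts.get(host.lower()) in SINKHOLE_ADDRS


def audit(urls, hosts_text=SAMPLE_HOSTS):
    """Map each URL to whether the given hosts file would block it."""
    hosts = parse_hosts(hosts_text)
    return {u: is_blocked(u, hosts) for u in urls}


if __name__ == "__main__":
    # Constructed ad requests: blocked by name, blocked via an alias (case
    # differs), bypassing the file via a raw IP, and an unlisted host.
    requests = [
        "http://ads.example.com/banner.html",
        "http://ADServer.example.net/img.gif",
        "http://203.0.113.10/banner.html",
        "http://stream.example.com/track.ogg",
    ]
    for url, blocked in audit(requests).items():
        print(f"{'BLOCKED' if blocked else 'passes '}  {url}")
```

Running it shows the two named ad hosts being blocked while the raw-IP request and the streaming host pass through untouched, which is why a hosts-file block helps against ad networks that use stable hostnames but does nothing for software that fetches ads by IP or from its own streaming server.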

Alternatively, you could use proxy software like Privoxy. This invisibly sits between your Net connection and software, stripping out any objectionable content for any program that accesses the Internet. This includes but is not limited to adverts. However, using any kind of proxy software might cause problems for your firewall, and you might find some programs simply refuse to work correctly with a proxy.

All things considered, the safest and most ethical solution is simply not to use any software supported by adverts. Pay up for the ad-free version if possible, or try to find the same functionality elsewhere. For every Skype, for example, there’s free Voice over IP software that’s ad-free. And if you don’t want to use a music-streaming service like Spotify, then tune into an Internet radio station that relies on traditional (and much safer!) spoken advertisements.
