Many people use a pop-up blocker to prevent unwanted ads from opening in their Web browser, but most pop-up blockers aren't designed to handle one of the rising trends in malware—malicious ads. And because many pop-ups, banners, and other forms of online advertisements install Flash-based or JavaScript programs (software that generates the animation or sound on an ad), malicious ads have the power to redirect your Web browser to a malicious Web site without you ever clicking the ad. Once your PC is infected with the attacker's malicious code, the intruder may be able to scan your computer's hard drive or spy on information sent over your network, such as any of the usernames and passwords you enter. Another factor that makes banner, pop-up, and pop-under ads especially dangerous is that malicious ads have hit popular Web sites that most people consider trustworthy. For instance, last November, many visitors to the Major League Baseball and National Hockey League Web sites had their Web browsers hijacked by banner ads. The ads sent the sports enthusiasts to a Web site that prompted users to download ineffective antivirus software, which featured its own malicious infections. To help you prevent malicious ads from taking over your PC, we'll cover how to tell if your system is being affected by advertising, show you how to purge your system of the ads, and examine ways you can prevent the poisonous pop-ups.
Exposure Level
(Image caption: Beware of ads that prompt you to download Flash-based, ActiveX, or JavaScript software.)
According to Roger Thompson, chief research officer of AVG Technologies, "New malicious ads seem to pop up every other day, and although malicious ads are not a new method of delivery, it's a malicious attack that's catching on." In the last year, malware-filled ads have been encountered on many popular Web sites, including Expedia, Rhapsody, and National Geographic, among others. We should note that neither the Web site nor the ad network publishing the pop-ups typically knows the ads contain malware. According to Thompson, "Sometimes those who provide the ad use a bait and switch technique, so the ad will be innocent when the network publisher agrees to the ad, and later on, the ad provider substitutes the innocent content with malicious software."
How Malicious Ads Gain Control
Typically, malicious ads work one of two ways: The ads may pop up over a Web site and automatically redirect you to a Web page filled with malicious software, or the ad attempts to entice you to click a link, resulting in the loading of a malicious Web site. Either way, opening a malicious site may leave your computer open to any number of Trojan horses, worms, rootkits, spyware, or additional browser hijackers. Ads that automatically redirect your Web browser often use Flash technology (a common browser plug-in that lets your Web browser produce animations and sound). In most cases, Flash ads are harmless. But when the Flash technology is repurposed with malicious intent, the programs can force malicious content onto your computer. Alternatively, ads that require you to initiate the attack through a mouse click generally use JavaScript or ActiveX software to create a pop-up applet with various clickable options. Interstitials (ads that load in front of the page you've opened and require you to click a link or watch the entire advertisement before it will close) are a popular malicious ad tool, because clicking the ad—even to close it—may allow the attacker to load malicious code and use a vulnerability in your OS (operating system) or Web browser to access data on your PC.
Identify & Stop Attacks
(Image caption: From Internet Explorer's Manage Add-ons screen, you can disable add-ons that may be opening pop-ups on your Web browser.)
You'll know your system is being affected by a malicious ad if your Web browser is automatically redirected to a site that's not the Web page you intended to visit. Additionally, the new Web site will likely prompt you to download an application from the Web site. Although some Flash-based ads have the ability to generate an attack without your intervention, you'll typically need to click a link in the ad to allow the malicious code to install software on your computer. Therefore, one of the best ways to keep malicious ads from infecting your PC is to close the ad by pressing CTRL-W on your keyboard. Clicking a button labeled Close or No Thanks on the ad may actually trigger the installation of the malicious software. If your browser is being hijacked, you can also press CTRL-W to close your Web browser.
Get Rid Of Infiltrators
Because malicious ads use JavaScript and Flash-based applications to infect your PC, the pop-up blocker, firewall, and anti-malware programs on your computer may not be designed to prevent the rogue application from installing additional malicious software on your PC. Therefore, it's essential you use antivirus and antispyware programs to scan your computer for malware. For more information on programs to identify malware and clean out your PC, read our antivirus software overview titled "Big Medicine" on page 63 and our antispyware software overview titled "Avoid Virtual Spies" on page 66. No matter which program you choose, remember that you'll need to keep your antivirus and antispyware software up-to-date for the security applications to be effective. Excessive pop-up ads may also be the result of existing malware on your PC. For example, spyware installed on your computer may keep track of the Web sites you visit, and when you're surfing the Web, the spyware may open pop-ups related to your Web habits, hijack your Web browser, or change your home page settings. If you've scanned your computer with up-to-date anti-malware software and continue to see malicious ads, you may have installed a malicious add-on program in your Web browser. The Internet Explorer Add-on Manager allows you to enable or disable the add-ons you've downloaded. Click the Tools menu, select Manage Add-ons, and choose Enable Or Disable Add-ons. To disable an add-on, select the program you want to stop, and under the Settings area, click the Disable radio button.
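To support the add-on review described above, the following PowerShell sketch is an added example, not part of the original article. It lists Browser Helper Objects, which are only one of the add-on types shown in Manage Add-ons, together with the DLL each one loads and that file's signature status; the function names are made up for this example.

```powershell
# Added example: list Browser Helper Objects (BHOs), one kind of add-on shown in
# Manage Add-ons, with the DLL each one loads and its signature status. Read-only.
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-RegDefault {
    # Return the (default) value of a registry key, or $null if the key is absent.
    param([string]$Key)
    if (Test-Path -LiteralPath $Key) { (Get-ItemProperty -LiteralPath $Key).'(default)' }
}

function Get-BrowserHelperObject {
    foreach ($root in $BhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # 32-bit add-ons on 64-bit Windows are registered under WOW6432Node.
        $classes = if ($root -like '*WOW6432Node*') {
            'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID'
        } else {
            'Registry::HKEY_CLASSES_ROOT\CLSID'
        }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $clsid = $key.PSChildName          # subkey name is the add-on's CLSID
            $dll = Get-RegDefault "$classes\$clsid\InprocServer32"
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            $status = 'DLL not found'
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                # Cast to string so the column sorts consistently.
                $status = [string](Get-AuthenticodeSignature -FilePath $dll).Status
            }
            [pscustomobject]@{
                Name      = Get-RegDefault "$classes\$clsid"
                Clsid     = $clsid
                Dll       = $dll
                Signature = $status
            }
        }
    }
}

Get-BrowserHelperObject | Sort-Object Signature | Format-List
```

A status other than Valid is a reason to look more closely at an add-on you don't recognize, not proof that it is malicious.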
Final Thoughts
If your Web browser is being hijacked, then the simplest solution is to close the browser as quickly as possible. Because the hijacked browser may be programmed to open a number of Web sites, you may need to close several windows. (To learn more about browser hijackers, see "How To Get Rid Of . . . Browser Hijackers" on page 57.) To be safe, we also recommend running a scan with your antivirus and antispyware software to catch any programs that may have found a way inside your computer's defenses.
by Nathan Lake
Prevention Tips
According to Roger Thompson, chief research officer of AVG Technologies, "The best thing you can do is keep your computer up-to-date with the latest security patches, because if your computer isn't patched, the malicious ad can use known exploits in the operating system to enter your PC without your knowledge." Additionally, Windows patches may not cover all of the newest malicious threats, so you may want to invest in security software that features the ability to monitor and block malicious code from Web pages. For instance, LinkScanner Pro ($19.95; www.explabs.com) scans Web sites in real time as they download to your computer, and if the application identifies a known exploit, the malicious code is blocked from opening on your Web browser. It's also possible for you to turn off Flash-based, JavaScript, and ActiveX controls in your Web browser. To disable these exploit routes, open Internet Explorer 7, click the Tools menu, select Internet Options, and choose the Security tab. Select the Internet zone and click the Custom Level button to access the variety of browser security controls. However, doing so will significantly reduce the effectiveness of Web sites with audio and video, so you may not be able to watch videos on YouTube or listen to Internet podcasts. Additionally, disabling JavaScript can degrade the functionality of some Web sites. Therefore, we recommend increasing your Web browser's security, rather than reducing the functionality of your Web browser.
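Before changing anything in the Custom Level dialog, it helps to see what the Internet zone is currently set to. The PowerShell below is an added example, not part of the original article; it reads the current user's Internet zone values for the ActiveX and scripting options without modifying them. The function name and the choice of which options to flag are assumptions of this example.

```powershell
# Added example: read-only audit of the Internet zone settings behind
# Internet Options > Security > Custom Level. Nothing is changed.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL action IDs (registry value names) and the Custom Level option each one backs.
$Actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins (includes Flash)'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting (JavaScript)'
}
# Standard policy values stored for each action.
$Policy = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
# Assumption for this example: these two should never be 'Enable' in the Internet zone.
$NeverEnable = @('1004', '1201')

function Get-InternetZoneReport {
    param([string]$Path = $ZoneKey)
    $props = Get-ItemProperty -LiteralPath $Path -ErrorAction Stop
    foreach ($id in $Actions.Keys) {
        $raw = $props.$id
        if ($null -eq $raw) {
            $setting = 'not set for this user'
        } elseif ($Policy.ContainsKey([int]$raw)) {
            $setting = $Policy[[int]$raw]
        } else {
            $setting = 'other (0x{0:X})' -f $raw
        }
        [pscustomobject]@{
            Action  = $id
            Option  = $Actions[$id]
            Setting = $setting
            Review  = ($NeverEnable -contains $id) -and ($setting -eq 'Enable')
        }
    }
}

Get-InternetZoneReport | Format-Table -AutoSize
```

Settings enforced through Group Policy are stored under a separate Policies key and are not read by this example.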