Pob’s blog post yesterday got me thinking about online ads, and the problems (or at least complications) they can cause. The recent incidents can be summarised quite simply: choosing to display ads sourced from a third party means implicitly trusting whatever content that third party serves. When the ad source is poisoned or compromised, the sites that embed those ads end up exposing their own users to malicious code [1,2].
There are a number of ways in which adverts may be provided by the third party. Commonly they are served via HTML tags (iframes or scripts) added to the host page. When the browser parses these tags and fetches the ad content, that content can be scanned and, if malicious, blocked. In the case seen this week, the legitimate script tags received from the ad provider had a malicious script appended to them (detected as Mal/ObfJS-BI).
It is not a trivial task to distinguish clean from malicious content coming from an ad provider. The problem is exacerbated by the tricks some providers use to hide their ads from the various plug-ins and blockers that strip ad content. Below I describe one such example, in which several layers of obfuscation are used to hide the ads.
Unescaping the string written to the page, we can see that the purpose of this script is simply to write an iframe to the page. But note the src attribute of the iframe tag: the actual target of the iframe is itself mildly obfuscated:
The iframe loads another page from the same host domain, and that page contains another obfuscated script.
Unescaping again, we can see that this too drops an iframe, again with the target URL mildly obfuscated.
Following this link we finally reach the purpose of this whole mess: the final iframe loads a page containing multiple iframes, which load the advertising content from the third-party marketing company.
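The peel-and-follow procedure above, as an added example that is not code from the original post: the script is never executed, only decoded, which is how a scanner or analyst would want to handle untrusted ad markup. The host site, the three loader pages and the ad-network hostname are constructed for this example (the post's own screenshots are not reproduced), and the particular encodings it handles (percent-encoding consumed by `unescape`, `String.fromCharCode`, and HTML numeric character references hiding the `src` value) are assumptions standing in for whatever "mild obfuscation" the real sample used.

```javascript
// Added example: statically peel a layered document.write/unescape ad loader and
// follow its same-host iframes until only third-party URLs remain. The pages,
// host and ad-network names below are constructed; the encodings handled (unescape
// percent-encoding, String.fromCharCode, HTML numeric entities in src) are assumed.

// Turn String.fromCharCode(n, n, ...) into a quoted literal so it folds into the
// neighbouring string literals without executing the script.
function foldFromCharCode(js) {
  return js.replace(/String\.fromCharCode\(\s*([\d\s,]+?)\s*\)/g, (_, list) =>
    JSON.stringify(String.fromCharCode(...list.split(',').map(n => parseInt(n, 10)))));
}

// Concatenate the string literals in an expression such as 'a' + "b"; anything
// that is not a literal is ignored rather than evaluated. Common JS escapes are decoded.
function joinLiterals(expr) {
  const lit = /'((?:\\.|[^'\\])*)'|"((?:\\.|[^"\\])*)"/g;
  const esc = { n: '\n', t: '\t', r: '\r' };
  let out = '';
  for (let m; (m = lit.exec(expr)) !== null;) out += m[1] !== undefined ? m[1] : m[2];
  return out.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)/g, (_, e) =>
    e.length > 1 ? String.fromCharCode(parseInt(e.slice(1), 16)) : (esc[e] || e));
}

// JavaScript unescape(): %XX and %uXXXX are decoded, everything else is literal.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (_, u, x) =>
    String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

// Numeric character references (&#47; or &#x2f;) hiding an attribute value.
function htmlDecodeNumeric(s) {
  return s.replace(/&#x([0-9a-fA-F]+);|&#(\d+);/gi, (_, hex, dec) =>
    String.fromCharCode(hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10)));
}

// Recover the markup a script would document.write() through unescape(...).
function peelScript(js) {
  const folded = foldFromCharCode(js);
  const call = /unescape\(((?:[^()]|\([^()]*\))*)\)/g;
  let html = '';
  for (let m; (m = call.exec(folded)) !== null;) html += jsUnescape(joinLiterals(m[1]));
  return html;
}

// Every <iframe src=...> in a fragment, with entity-hidden values decoded.
function iframeTargets(html) {
  const re = /<iframe\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  for (let m; (m = re.exec(html)) !== null;) out.push(htmlDecodeNumeric(m[1] ?? m[2] ?? m[3]));
  return out;
}

// Targets of a page: iframes written in the markup plus those hidden in scripts.
function pageTargets(html) {
  const targets = iframeTargets(html);
  const script = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  for (let m; (m = script.exec(html)) !== null;) targets.push(...iframeTargets(peelScript(m[1])));
  return targets;
}

// Constructed stand-in for the host site: root-relative paths mapped to markup.
// Layer 1 hides '/' in the src as &#x2f;, layer 2 as &#47; built partly via fromCharCode.
const pages = {
  '/index.html': `<html><body><p>Story text</p>
<script>document.write(unescape('%3Ciframe%20src%3D%22%26%23x2f%3Bads%26%23x2f%3Bframe1.html%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E'));</script>
</body></html>`,
  '/ads/frame1.html': `<html><body><script>document.write(unescape('%3Cifr'+'ame%20src%3D%22'+String.fromCharCode(38,35,52,55,59)+'ads'+'%26%2347%3Bframe2.html%22%3E%3C%2Fiframe%3E'));</script></body></html>`,
  '/ads/frame2.html': `<html><body>
<iframe src="https://ads.marketing-example.net/serve?slot=top"></iframe>
<iframe src="https://ads.marketing-example.net/serve?slot=side"></iframe>
</body></html>`,
};

// Breadth-first walk: same-host (root-relative) iframes are fetched from `site`
// and peeled in turn; absolute URLs are third-party leaves. Depth is capped so a
// loader that frames itself cannot loop the analyser.
function followChain(site, startPath, maxDepth = 8) {
  const hops = [], external = [], seen = new Set([startPath]);
  let frontier = [startPath];
  for (let depth = 0; frontier.length && depth < maxDepth; depth++) {
    const next = [];
    for (const path of frontier) {
      hops.push(path);
      for (const t of pageTargets(site[path] || '')) {
        if (/^[a-z][a-z0-9+.-]*:\/\//i.test(t)) external.push(t);
        else if (!seen.has(t)) { seen.add(t); next.push(t); }
      }
    }
    frontier = next;
  }
  return { hops, external };
}

console.log(JSON.stringify(followChain(pages, '/index.html'), null, 2));
```

The walk stops at the first absolute URL, which is the one fact a filter actually needs: after three hops on the host domain the chain ends at the marketing company's servers, and the same walk ending at an unknown host is what a malicious injector looks like. Loaders that assemble their payload with variables, `eval` or arithmetic defeat this purely static peel and need a sandboxed interpreter instead.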
This case is a perfect example of how evasion tactics adopted to defeat ad-blockers can blur the line between legitimate and malicious content. From a scanner's point of view, a chain of unescaped document.write calls dropping obfuscated iframes looks the same whether it ends at an ad network or at a malicious payload; only the final destination tells them apart, so obfuscation alone cannot be treated as the deciding signal.