Incident Response, TDR

Malicious “ransomware” banner ads go undetected

Updated Wednesday, Aug. 20 at 2:12 p.m. EST

Security researchers believe a legitimate toolkit used to create Flash animation is also helping cybercriminals fashion malicious banner advertisements that scare users into believing their machines are infected with malware.

Sandi Hardmeier, author of the Spyware Sucks blog, said Sunday that some malicious ads created using Fuse Kit are able to evade detection scans run by websites or third-party ad networks. She said is the latest trusted website to unknowingly host a "malvertizement."

Simply visiting a page on the Newsweek site that contains the ad will cause a warning screen to appear that falsely tells users their machine is overrun by viruses. They are prompted to pay for and install a bogus anti-virus solution.

A Newsweek spokesman told on Tuesday that the affected ads have been taken down.

"They are going to hit every site that they can, as often as they can, for as long as they can," Hardmeier wrote on her blog. "It worries me that I am seeing complaints about malvertizing-like symptoms all over the net implicating not only Newsweek but at other big names like MSNBC, Facebook,, Hotmail, MySpace and Yahoo."

Alex Eckelberry, president of security vendor Sunbelt Software, told on Monday that the free Fuse Kit product is a helpful tool for Flash designers and developers but it is also finding its way into most of these malicious ads.

But Moses Gunesch, Fuse project director, told in an email Monday that Fuse is an open-source utility that contains no networking code and is not responsible for the animation people use it to produce.

"Fuse has nothing to do with the content people produce with it," he said. "It's just a motion tool. That would be like blaming paint for an ugly painting. There is nothing in Fuse Kit that can be exploited for malicious purposes -- all it handles is animation."

Eckelberry said often the rogue ads are built so that, all of a sudden, they begin serving malicious content – much to the surprise of the websites on which they are hosted.

"It's like a time bomb," he said. "It just sits there and then – boom. I think it's a very serious issue. I think the ad networks need to start taking a very close look at who their advertisers are."

Larger websites typically sell ads themselves. Hardmeier said these sites must also vet their clients.

"Websites simply must increase their due diligence checks with any new advertiser," she wrote. "It is going to take time, and it is going to cost money, but what alternative do websites have if they want to protect and keep their readership, and if they want to avoid the inevitable end result of malvertizing, which is that more and more visitors to their sites are going to block all advertising."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.