by   March 01 2011   
Advertisement servers that have distributed viruses should be monitored by the hosts. One of the easier ways to get a virus on your computer is from advertisement servers. This article will talk briefly about Hotmail.com and todays little exploit one of its ads attempted to launch. No visible method of reporting rouge ads on hotmail.com.

Advertisement servers that have distributed viruses should be monitored by the hosts.

One of the easier ways to get a virus on your computer is from advertisement servers. This article will talk briefly about Hotmail.com and todays little exploit one of its ads attempted to launch. No visible method of reporting rouge ads on hotmail.com.

Use this article to post links to known advertisement servers or content servers that your system detected as attempting to install any virus or application without warning.

It is important to understand that Pop ups as they are called are a invasion of your computer. Unless you actually click on a link you should never see any pop ups. Websites that still offer pop up, pop under, overlay etc should be avoided. It would be only a matter of time before one of those rouge viruses are distributed by these type of advertisements.

If you use websites that always pop over or pop up ads then install some type of ad blocker and link scanner to protect yourself. Never allow third party cookies to be saved which removes some of the tracking by third party advertisers.

Technical Notes: If you are here because you were alerted by your link scanner and your link scanner blocked the page http://kaghma.cz.cc/in.php?a=QQkFBg0MAwAFAgYAekcJBQYNADAMCAQQHDQ== or anything from kaghma.cz.cc and cvi3.co.cc you should be safe. But it would be good to run a full scan of your computer. Make sure you have your advanced settings properly configured to scan all files.

Sometime this week I will be using our virus machine to collect more information from the two sites listed above. The kaghma.cz.cc came from a Microsoft Advertisement server which will be investigated later.

The issue is content providers or advertisement server owners do not have a 24/7 reporting system and as we all know "They do their best" to keep viruses out of their ads.

But, when you have a website that hundreds of thousands of visitors browse each day you need to do more than just state in your policy page "We do our best".

Infecting computers, redirecting web browsers or installing applications without the permission of the computer owner is a violation of privacy and should be delt with as a criminal offense.

Out of country servers like to two listed above do not grant the in country (USA) anything other than an email stating "We are very sorry regarding your data loss. We at XYZ do our best to control our third party advertisers and regrettably at times some advertisers do not follow our policies..."

Lines from the corporate office do not pay for virus removal. But, because I have removed my share of these viruses and have reported time and time to website hosting services and website owners how to prevent these issues I've decided to set this as my dedication page to Advertisement Viruses.

Technical Notes: How to help prevent infection and redirects.

1. Set your web browser to "NOT" accept third party cookies.

2. Do not use In Private style browsing with tool bars disabled if you are using Link scanner applications.

3. Set your pop up blocker to block all pop ups.

4. When something slips by copy the URL address http://kaghma.cz.cc open your Internet Options and place that address in your blocked sites list. (I have hundreds which I will share soon.)

Internet Options, Security, Restricted Sites > Click on Sites and add all the sites that slip by your other means of blocking content.

5. Scan your computer daily with your favorite anti-virus. We will be offering a download with a disabled virus. This will be for testing only. The key is to have your AV stop the delivery package before it installs the virus application.

6. Firewalls! I can't say enough about a good firewall. Most times new Trojans can be found by looking in your firewall logs for outbound connection attempts.

7. Running processes: Checking your running processes and using applications like HiJackThis does help but many viruses using _ the underscore as a process hidden from view. You would need to know how to view these running applications to be able to identify a rouge application.

 I will keep the technical tips near the top due to the fact this will be one very long article.

Below in the Experience Story and Notes you'll find specific issues with advertisement viruses that I have experienced first hand.

Experience Story and Notes:

Starting: 2005  DigitalSpy.Com post. (I posted this one to help stop a virus from an infected advertisement server. )

ComputerUser.Com which is a very good place to read about computers also had issues with Advertisement viruses. You can read what I reported about my experience here.

deviantart.com has or had such a problem them offer links to report viruses in advertisements. The draw back is how many people will actually do as they ask and report the ad, page, etc. Here's a short write up about my experience with viruses from this site.

I have other sites but think it's time I say a few words and offer my disclaimer.

Most malware advertisements come from third party servers which the website owner, domain owner of the site you are visiting have nothing to do with and have zero control over. Many sites earn revenue from advertisements and it's important for many to keep this revenue flowing. If they didn't have advertisements they most likely wouldn't be a free site or be online at all. So we don't want to work on blocking the income of site owners but at the same time we want to protect our systems from rouge viruses.

Taking the DeviantArt.Com support page information as your reading assignment for today will help you better understand how many website owners work to prevent these rouge viruses. I have seen several sites stop all advertisements until the infected advertisement was removed from the ad server.

How Advertisements are submitted to ad servers.

Ads are submitted to ad servers and scanned by a computer to make sure things are setup correctly. One of the first issues was iframes which allow the advertiser the option to display different content once the advertisement was approved. Today most iframe ads like in the DigitalSpy.Com post are or have been removed.

But now, java variables are the normal method of delivering viruses or redirecting web browsers to virus download servers. It's easy to scan for known issues but what about the unknown? You have to either guess or learn from experience. In my case I guess while I'm learning and normally have a solution to a problem within a day. I've already called my business customers to stay off of hotmail.com today until I have the opportunity to investigate this issue.

The following information is paraphrased from deviantART, which by the way is one of the very best and very few websites that offer information on this subject and offer advice on how to report issues. I have emailed them in the past and know they are serious about removing bad advertisements. 

How ad networks function, the advertiser contacts an ad network and submits an advertisement. The ad is approved or declined by an automated system. If approved the advertisement goes live on the ad servers network. From that point it is distributed to websites that you may visit.

I do want to point out a one issue with their instructions: " For non-flash ads, all this takes is right-clicking the ad, selecting "Copy Image Location", and pasting the URL into the email. For Flash ads, this is a little more difficult."

 Non-flash advertisements are typically your non animated ads. If you copy the image location you only see the image location. Most times it's not the same as the popup code or virus code location. This is explained in the DigitalSpy.com post and I offered the 3 locations which 1 was the image, 1 was the code and 1 was the virus. It's better to view the source code and helpful that you know the image name so you can search in the source code for the advertisement placement location. (Getting complicated yet?)

Visit your reading assignment page and then return before you continue. I do not think using firebug is going to help in all cases unless you just happen to want to look for the advertisement in question like I do. Most people in my opinion will just disregard the alert warning and visit another site, which is good practice but reporting is still something we all need to think about when it comes to the internet as a community.

Exploits: Exploits are fragments or pieces of malware that can infect your computer. The industry calls these drive-by, or hidden, download delivery systems. This is very related to this article of advertisement viruses. Most times you will never know you are infected especially if you do not use some type of link scanning application or active anti virus. Just because you see the icon near your clock doesn't mean you are protected. These exploits infiltrate software applications mostly your SYSTEM folders and wreak havoc on your computer. Fact is these are the most common methods of getting a virus and the average virus count for drive-by exploits is about 29 infections according to my virus removal log.


While checking my email at hotmail.com my AVG LinkScanner AKA LinkAdvisor popped up and warned me about a possible redirect exploit.

The issue happened as I deleted my junk mail then clicked on my inbox link. That's when the alerts flash and blocked the page from loading.

Now, like any good technician when a virus attempts to infect one of your own computers you really want to track this down.

http:// kagh ma.cz.cc /in. php?a= QQkFBg0MAwAFA gYAekcJBQYNADAM CAQQHDQ==

That is the blocked link. Seems to run with the same method of another known redirect exploit link.

cvi3. co. cc/index .php?ty= ae6 3b0732f49eaa2 ....

This redirect came directly from the MSN website Hotmail.com. Because Microsoft handles all the advertisement media for Live.com, MSN.com and Hotmail.com I looked to see if I could report to them they had a rouge advertisement.

I didn't find any such link but will take this time to STRONGLY RECOMMEND all media content advertisers offer such a reporting link. It would allow us to offer you support to protect those you are trying to market to.

I've reported on similar issues like this in the past.

Advertisement servers that have distributed viruses should be monitored by the hosts. One of the easier ways to get a virus on your computer is from advertisement servers. This article will talk briefly about Hotmail.com and todays little exploit one of its ads attempted to launch. No visible method of reporting rouge ads on hotmail.com.