
There Is No Place Like 127.0.0.1

Are you getting tired of advertising saturating the Internet?  Tired of the flashy, Vegas-esque, slot-machine-inspired web portals of today?  Pop-ups, loud, obnoxious Flash movies everywhere, and over-animated nonsense.  There is more to this annoying evolution than meets the eye, so read on.

While this isn’t a cutting-edge technique to protect machines from malware, it is a very under-utilized method, so I figure it qualifies as blog worthy.

Sites like Yahoo, MSN, Facebook, CNN, local newspapers, etc. all integrate third-party advertising sources into their content.  So a majority of those flashy little ads come from servers outside of the site owners’ control.  Now imagine the exposure of an ad from a huge player like doubleclick.net.  One of their ads could appear on all the sites previously mentioned simultaneously.

Big shocker: the bad guys figured this out pretty quickly, so what did they do?  They attack the ad servers at their source instead of attacking one site at a time, thereby reaching a much larger audience with less effort.  The goal once they gain control is to replace benign content with their malicious content.  Then unsuspecting visitors go to their trusted sites with their vulnerable applications (Flash Player, Internet Explorer, Firefox, Safari, QuickTime, etc.) while the evil guys sit back and take control of one machine after another (millions).

So what is the answer to this annoying threat? 127.0.0.1!

When you type a website address into your browser, the default action of your machine is to check the local hosts file first.  It’s nothing more than a flat text file containing hostnames and IP addresses.  If a hostname appears in the local file, the machine will never do a DNS (Domain Name System) lookup for it.  If the hostname isn’t in the hosts file, the machine queries DNS to resolve the website.  So why not use this functionality to our advantage?  What if we could download a hosts file that contains a list of the most popular advertising sources and points them all to a blackhole?  Good news, we can!

http://www.mvps.org/winhelp2002/hosts.htm

If you replace the hosts file on your machine(s) with the one mvps.org provides, every time your machine attempts to get an image/movie/file from any source contained in the file, it will attempt to get it from 127.0.0.1 (your local host) instead of going out to the Internet to actually retrieve the file.  The file from mvps.org also contains some known malware sites, so it not only helps with ads but will help with security as well.  Woohooo! No more slot machine in my browser!
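Because a hosts entry overrides DNS, a downloaded file is worth auditing before it goes live: every line should point at a blackhole address, never at a routable one. The following is an added example, not code from mvps.org or the original post; the function names, the accepted sinkhole set, and all hostnames and addresses are constructed assumptions.

```python
import ipaddress

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}  # assumption: addresses accepted as a blackhole

def parse_hosts(text):
    """Yield (line_number, address, hostnames) for each non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield lineno, fields[0], [h.lower() for h in fields[1:]]

def audit_blocklist(text):
    """Return (hostnames safe to block, list of (line_number, problem))."""
    blocked, problems = set(), []
    for lineno, addr, names in parse_hosts(text):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append((lineno, f"not an IP address: {addr}"))
            continue
        if not names:
            problems.append((lineno, "address with no hostname"))
        elif addr not in SINKHOLES:
            # A hosts entry overrides DNS, so this line would redirect, not block.
            problems.append((lineno, f"{' '.join(names)} redirected to {addr}"))
        else:
            blocked.update(n for n in names if n != "localhost")
    return sorted(blocked), problems

def merge(local_text, blocked):
    """Keep the machine's own entries; append blocks for names not already defined."""
    defined = {n for _, _, names in parse_hosts(local_text) for n in names}
    extra = [f"127.0.0.1 {name}" for name in blocked if name not in defined]
    return "\n".join([local_text.rstrip("\n"), *extra]) + "\n"

# Constructed sample data (not taken from the mvps.org file).
DOWNLOADED = """\
127.0.0.1  localhost
127.0.0.1  ads.example.net   # ad server
0.0.0.0    tracker.example.org
203.0.113.7  bank.example.com
127.0.0.1  intranet.example.com
"""
LOCAL = "127.0.0.1 localhost\n10.0.0.5 intranet.example.com\n"

if __name__ == "__main__":
    names, issues = audit_blocklist(DOWNLOADED)
    print(issues or merge(LOCAL, names))  # merge only when the audit is clean
```

Merging instead of replacing outright also preserves entries the machine already relies on, such as the constructed intranet mapping above.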

A question for businesses to ask themselves: why would you want your employees to be receiving ads at work?  Why put your organization at more risk from “drive-by” attacks?  Unless you specifically work in the Internet advertising space or marketing space, I would think the answer would be clear.

This isn’t a complete solution, but it is another layer of improvement.  Below are some advantages and disadvantages that come to mind with this technique.

Advantages

  • Free
  • Easy to implement
  • Low overhead (memory/CPU)

Disadvantages

  • User Experience: ads will be replaced with connection reset windows (only a cosmetic problem)
  • Slows down page loading (temporary while DNS cache is replaced with 127.0.0.1)
  • Manageability (can be pushed out via Active Directory)
  • Doesn’t catch everything (but it’s better than nothing)

Illustration of expected user experience
