Two Viruses, Ten Creatives, and an Automated Creative Tester

By Michiel Nolet
August 2nd, 2006

On Wednesday July 26th there were two different viruses that hit ad networks around the world. I was the one lucky enough here at Right Media to be responsible for ensuring the safety of our marketplace and tracking down the responsible parties. Here’s a transcript of my day.

9:00 AM CT email alert: Virus detected on two different creatives
9:05 AM A little digging shows that two distinct Yield Manager network clients are working with an external network called Exit Exchange.
9:10 AM Further investigation reveals redirects to software.adgate.info and sports.adgate.info which in turn redirects to a Trojan - adgate.info/pre.exe (DO NOT CLICK THAT LINK!).
9:15 AM Deactivate both creatives to prevent the virus from running on the Right Media Exchange. Inform account managers so they can communicate this to their clients.
9:30 AM CT email alert: Second virus detected. Time to get some coffee as clearly this is going to be a long day.
9:40 AM This time it’s a Windows Media Player exploit (See Microsoft’s Security bulletin). The offending virus was found at http://proffy209.com/adv/096/xpl.wmf (DO NOT CLICK THAT LINK!).
9:45 AM Deactivate all offending creatives and contact account managers.
10:00 AM Two emails and one phone call later, I still don’t have any information about adgate.info from their domain registrar Moniker.
10:10 AM Reach out to my contacts to find a person I can reach at Exit Exchange.
10:15 AM Investigation into proffy209.com shows that redirect is coming from Seed Corn Media, yet another ad broker.
10:20 AM CT email alert: Third instance of Proffy209 detected.
10:35 AM Since all the Seed Corn Media ads are running through Zedo tags, I call the main line to explain the situation. I am given the email address for the VP of Engineering.
10:40 AM Sent email detailing the situation to the VP of Engineering at Zedo. For good measure, I give Moniker another call asking why I haven’t received any response from them.
10:45 AM Tell CT team to add both adgate.info and proffy209.com as text flags. This means for all subsequent automated tests any creative that redirects through either of those domains, whether or not they load a virus, will be flagged for further human inspection.
11:00 AM Time for some meetings, I put the hunt for viruses aside for now. Since all the affected creatives in the exchange have been deactivated, the immediate threat is neutralized.
12:30 PM Someone over on Business Development forwards me to this blog posting. It seems the blogosphere has picked up on the Trojan from proffy209.com.
1:30 PM Finally get in touch with Exit Exchange and warn them of the adgate.info virus that they are spreading. They were not aware of the situation and immediately shut down any campaigns that they had running for that domain name. When I probed for information on which party was responsible they said it was placed through an individual who had paid them via Paypal. He offered the contact info but I declined.
2:30 PM Right Media COO, Christine Hunsicker, comes running to declare a state of emergency - viruses are being distributed throughout the internet via networks. I assure her that all instances of offending creatives throughout the exchange were shut down in the morning and that I’m tracking down the responsible parties.
2:45 PM CT email alert: Another Seed Corn creative with the WMP exploit.
2:50 PM Haven’t heard from Seed Corn Media or Zedo yet so I put out some feelers in the office. Brian, Right Media’s CTO, gets me the number of someone who gets me the number of someone at Zedo.
3:00 PM In a matter of minutes I’m on the phone with someone at Zedo. I inform him of the situation and within 15 minutes all offending creatives are shut down.
3:15 PM Check CT tests. This confirms that both the Seed Corn and Exit Exchange creatives stop testing positive for viruses. Two disasters averted.
4:00 PM Get a call from Andrew Stern, CEO of Seed Corn Media. He immediately claims innocence and promises to solve the issue. Andrew also immediately puts the blame on a company called Terp-517, yet another broker in the online advertising industry. He passes along the contact information of Robert Ser, the owner of Terp-517.

At this point, I decide that the threats have been neutralized and that there is not much more that I can do. As mentioned in the blog article, the domain name from the proffy209 virus was registered in Russia and, even after repeated attempts, Moniker was less than helpful and seemed fixated on protecting their customers, even if they are spreading viruses around the Internet.

And while this isn’t a typical day by any means, we did win the fight against two individual viruses. Sadly, nothing has been solved to address the real problem. There are so many different ad brokers out there that a single creative might enter the Right Media Exchange through 10 different networks. Therein lies the first problem. This means that to truly shut off a bad ad, we really have to go to the source. This leads to the second problem: there is no reliable way to hold the parties that distribute malicious content accountable.

So what are publishers and networks to do? Right Media has developed Creative Tester, an automated creative auditing solution, specifically to help us prevent malicious creatives from running through the exchange. Production capacity will allow us to test all third party tags in our system several times an hour. Although this doesn’t prevent people from distributing viruses on the Internet, it does prevent them from running on the Right Media Exchange.
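The "text flag" rule added at 10:45 AM (flag any creative whose redirect chain passes through a listed domain, virus payload or not) is the kind of check an automated creative tester runs on every pass. The following is an added illustration, not Right Media's Creative Tester code: it works from a constructed log of redirect hops recorded when each tag was fetched in an isolated test client, matches hosts against the flagged domains (subdomain-aware, so software.adgate.info trips the adgate.info flag while notadgate.info does not), and stops on redirect loops. All creative URLs and the REDIRECT_LOG mapping are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample: tag URL -> next hop, as an isolated test client would record it.
# The adgate.info and proffy209.com hops mirror the domains named in the post.
REDIRECT_LOG = {
    "http://creative-a.example/tag.js": "http://software.adgate.info/go",
    "http://software.adgate.info/go": "http://adgate.info/pre.exe",
    "http://creative-b.example/tag.js": "http://proffy209.com/adv/096/xpl.wmf",
    "http://creative-c.example/tag.js": "http://cdn.example/banner.gif",
    "http://creative-d.example/tag.js": "http://notadgate.info/x",   # must not match
    "http://creative-e.example/tag.js": "http://loop.example/1",     # redirect loop
    "http://loop.example/1": "http://loop.example/2",
    "http://loop.example/2": "http://loop.example/1",
}

# Domains flagged for human inspection whenever they appear anywhere in a chain.
TEXT_FLAGS = ("adgate.info", "proffy209.com")


def host_matches(host, flagged):
    """True if host is the flagged domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == flagged or host.endswith("." + flagged)


def follow_chain(start, redirects, max_hops=10):
    """Walk recorded hops from a tag URL; stop on a loop or after max_hops."""
    chain, seen = [start], {start}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        chain.append(nxt)
        if nxt in seen:
            break  # loop detected: the repeated hop is kept so the audit can see it
        seen.add(nxt)
    return chain


def audit_creative(tag_url, redirects, flags=TEXT_FLAGS):
    """Return (hop_url, flagged_domain) for every hop that lands on a flagged domain."""
    hits = []
    for url in follow_chain(tag_url, redirects):
        host = urlsplit(url).hostname or ""
        hits.extend((url, f) for f in flags if host_matches(host, f))
    return hits


if __name__ == "__main__":
    for tag in sorted(u for u in REDIRECT_LOG if "/tag.js" in u):
        print(tag, "->", audit_creative(tag, REDIRECT_LOG) or "clean")
```

An empty result means the creative is clean for this rule only; the tester's virus signatures still run separately, which is why the post treats a text flag as a trigger for human review rather than an automatic verdict.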
