Well OT

On 09 Apr 2014, "ARW" grunted:

Does this mean that it only infects people who click on the infected advert?

Avast certainly caught it here.

The message is dated 13 Jan, so you'd hope that the bit about Avast being the only one to detect it will be out of date now. It also says: "Infection and consequences for users visiting a malicious website are described in our recent post about malvertising, but today let's look at how to successfully clean, update, and secure your application. Below are the top 5 most visited and infected sites. Is yours on this list?

pub.akinator.com ads.locafilm.com ads.novsport.com ads.svetplus.com

116.66.206.132"

...so this akinator site must have known they've been infected for about 3 months. Brilliant.
Reply to
Lobster

John Rumm wrote in news: snipped-for-privacy@brightview.co.uk:

AVAST - Threat Detected.

Reply to
DerbyBorn

You might like this one if you're into geography.

formatting link

Reply to
harryagain

Over 1000 books in my hard copy library and all of these have been read more than once

57 years of reading..
Reply to
The Natural Philosopher

Quite a small one, then. We have ~ 4000 at last count. Excluding the continuous run of Analog (under various names) since about 1943.

Reply to
Bob Eager

Well, I gave up collecting and started discarding some years back. So many books are read once and chuck.

Reply to
The Natural Philosopher

Avast is a piece of shit.

Reply to
Huge

Oh, we've done that too. Easier to do once we built the catalogue.

Reply to
Bob Eager

On 09 Apr 2014, The Natural Philosopher grunted:

Actually I was on about the time you've spent playing this game... :)

Reply to
Lobster

Malware that compromises ad servers is usually smart enough to only poison a very small number of ads served - so on a typical site it might only hit every 1000th visitor etc. It keeps the detection rate much lower, since there is a very small chance an AV company will sample the site at just the right moment.

Reply to
John Rumm

That doesn't work. There's also a much smaller chance of infecting anyone.

(think about it - say every 1000th hit is the AV company, and they infect 1 in ten. After 500 hits they've infected 50, and been detected. If they went for everyone it would only take 50 hits to infect the 50 people, and be detected)

Slower infection also means there is more chance that the on-server AV will detect it, or that their exploits will be fixed.

Andy

Reply to
Vir Campestris

It's common practice, so some folks obviously think it worthwhile.

Precisely, and that is exactly why they do it. If most people who visit a site get served a "safe" ad, then the site does not acquire a reputation for serving malware, and does not draw attention to itself. However over time, they will still infect large numbers of visitors.

I would anticipate that AV companies will pay more attention to sites that draw lots of reports from users than those that don't.

Remember though that this is a compromised ad server we are talking about - so even if they go for a regular "1 in n" approach to serving malign ads (rather than a more randomised approach), the ads will be distributed over a number of web sites dictated by who is using the ad server. So infection attempts will not necessarily correlate well with visits to a particular site.

(And if the AV company is getting reports of problems from lots of users / honeypots for a particular site then they will obviously increase their scrutiny of that site).

Surprisingly few web servers also run their own AV sadly... However in this case it's not the web server itself that is compromised, it's the ad server they are sourcing ads from.

Reply to
John Rumm
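
The sampling question argued in the posts above, from the scanner's side, as an added example that is not part of any post in the thread: given an ad server that poisons a fraction of the ads it serves, how likely is a scanner or honeypot to see one, and how many fetches does it need? The 1-in-1000 rate is the figure mentioned in the thread; the function names, the 95% target and the assumption that each fetch is an independent draw are this example's own.

```python
import math
import random


def detection_probability(poison_rate, fetches):
    """Chance that at least one of `fetches` independent ad requests
    returns a poisoned ad, when a fraction `poison_rate` is poisoned."""
    return 1.0 - (1.0 - poison_rate) ** fetches


def fetches_needed(poison_rate, confidence=0.95):
    """Smallest number of fetches that gives at least `confidence`
    probability of seeing one poisoned ad."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - poison_rate))


def simulate(poison_rate, fetches, trials=2000, seed=1):
    """Monte Carlo check of detection_probability with a fixed seed:
    each trial is one scanner making `fetches` requests."""
    rng = random.Random(seed)
    detected = 0
    for _ in range(trials):
        if any(rng.random() < poison_rate for _ in range(fetches)):
            detected += 1
    return detected / trials


if __name__ == "__main__":
    rate = 1 / 1000  # "every 1000th visitor", as in the thread
    for n in (1, 100, 1000, 3000):
        print(f"{n:>5} fetches: P(detect) = {detection_probability(rate, n):.3f}")
    print("fetches for 95% confidence:", fetches_needed(rate))
    print("simulated P(detect) at 1000 fetches:", simulate(rate, 1000))
```

A scanner that fetches a page once has a 0.1% chance of seeing the poisoned ad at this rate, which is why repeated sampling and user or honeypot reports matter more than a single crawl.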

You should go to more parties- if you get any invites....:-)

Jim K

Reply to
JimK

Just got "Guessed right one more time - I know who you are thinking of and I believe it's not for children"

Well that's rich considering it guessed my last character correctly ie John Holmes and it now finds out that Duke Nukem is not for children.

Reply to
ARW

It guessed Rachel Riley far too easily.

Reply to
Bob Eager

By coincidence I came across this talk by a former spyware software developer, that touches on some of these things - this is the second part of a three part talk he gave at DEFCON 18:

formatting link

Makes for quite entertaining viewing.

Reply to
John Rumm
