Exploits and malware – sometimes even highly advanced ones – are distributed via ad networks and hacked websites. And while you can’t control the latter even if you have a whitelist policy on your web proxy, you can control which ads are seen in your network.
The term means serving malware via ad networks. Recent news reports have proof of malware being served even on Youtube via AdSense (Google). If even Google can’t control what its ad network is showing to your employees, isn’t it time to do something about it yourself?
From my experience at least 30% of all malware incidents in a company are generated from malicious ads. If you can decrease the malicious incidents at your company by 30% just via blocking ad networks you should.
Not to mention an added benefit: better browsing experience, less tracking for your users, better privacy and last but not least – less bandwidth utilization, by as much as 5-10%!
Blocking ads via browser extensions
Browsers cannot block ads on their own as they can’t distinguish advertising from non-advertising elements and in order to block ads in your browser you will need an extension (which should also be easy to distribute in corporate environments, just follow your browsers manual).
Many are already using ad blocking extensions on personal devices – it is time to convince management and IT to start adopting it across the board.
https://adblockplus.org is readily available for most browsers out there. So far it has been the most widely adopted and the most effective measure against ads and malvertising. AdBlock, however, has a little ‘issue’ – some people say it has signed contracts with major advertising networks in order to ‘whitelist’ their ads for a certain payment… They don’t advertise this fact on their project’s website, but for me personally that means a red sign. Even though AdBlock is effective, I would use uBlock.
As an alternative (some say it is much better) – you could try out https://github.com/gorhill/uBlock/wiki/%C2%B5Block-vs.-ABP:-efficiency-compared
uBlock for Firefox can be found here: https://addons.mozilla.org/firefox/addon/ublock-origin/
uBlock for Chrome can be found here: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm
An un-official port for the Safari browser can be found here: https://chrismatic.io/ublock/
Advertising networks are getting smarter, just as malware writers got smarter with time – and the blacklist approach really starts to lag behind, but we should continue doing our best. Even though AV detection rates are diminishing we must use antiviruses at work. The same applies to blocking ads – even though there might be new and unknown delivery hosts every day, we should and must use ad blocking techniques all the time to prevent at least the most widely used ad distribution networks and prevent malicious code distribution in this way.
Blocking ads via a HOSTS file
On Linux and Windows (as well as FeeBSD, Mac OS and other operating systems) you can block ads by redirecting ad network domains to localhost.
You can read more about this extremely effective technique at https://github.com/StevenBlack/hosts
Use a different browser?
Many of you have not heard of it, because it is produced by a Chinese company – the 360 Safe Browser. It has ad blocking built-in, besides having 3 browsing engines inside and full compatibility with Chrome extensions. One added benefit is the usage of their intelligence network and blocking known phishing / malicious websites. With 500+ million hosts as their client base the detection rate is not bad.
Often malicious scripts redirect the user from a legitimate website (hacked or not) to malicious websites using 302 redirects. This type of a redirect is crucial to the operation of the Web, but since it is not always critical to your users, I would say go ahead and disable them.
I have not yet found a way to block redirects in the Chrome browser, but on my Firefox browser I use the following extension: https://addons.mozilla.org/en-US/firefox/addon/noredirect/
It works well, I am happy with it and recommend it.
If you must deploy a solution for this across the enterprise, just block 302 redirects on your web proxy appliance, as that would take care of the problem company-wide.
Talk to your corporate proxy administrator
Your web proxy appliance (or your handy proxy admin) can should be able to block ad networks without you having to modify yours or every computer on the network. This has the added benefit of centralized management and easy troubleshooting, in case some domain needs to be unblocked.
Block ads at the gateway level
There is a really nice tutorial on http://www.bsdnow.tv/tutorials/dnsmasq on blocking ads using DNSMasq & Pixelserv. The setup takes less than 30 minutes and can be performed on any gateway provided they run an OS capable of running these packages. Pixelserv is used to serve 1×1 gif pixels to prevent 404 errors from the blocked ads and to enhance the user experience – otherwise you will see all kinds of nasty rendering bugs on your web pages. Note: this method does not block text ads and it is still recommended that you use some of the browser add-ons mentioned above.
Besides blocking malware there are other benefits to blocking ads – less traffic and faster, safer browsing experience. After all, why would you want to load a 10 second clip of someone selling you stuff you don’t want, thousands of times per day for every single employee of your company?