Malvertising Quick Look: Adcash.com
The next in our periodic looks at malvertising on popular sites is a different animal. This one looks like a case of a legitimate ad provider who simply made a bad choice about which clients to accept ads from...
Adcash.com is a European ad network that just debuted on Tim's Popular Site Monitor yesterday morning, as #10 on our list of the biggest referrers to malware among the Web's popular sites. (104 referrals to malware in the previous 24-hour period.) It stayed on the list until this morning, when its traffic dropped to just 82 malware links in the preceding 24 hours.
Adcash.com has simply been rated as "Web Advertisements" in our database since it was created a little over two years ago; it provides ads to hundreds of different clients, as shown in our logs; and the vast majority of its ads do not raise alerts there. However, among the ads that it is now serving are ads that lead to a site named dleasy.net -- and this is where the trouble began.
Dleasy.net was automatically added to our database of bad sites well over a year ago, in the fall of 2011, when it appeared as part of a malicious network. It was confirmed to be shady by one of our analysts when we were asked about it a couple of months later (still in 2011), and again on a re-check by another analyst this summer. We were asked about it again just last month, and a third analyst confirmed the rating, and included a VirusTotal link showing 13 of the engines there flagging the sample download as evil. (I just re-checked, and the count on VirusTotal is now up to 21 hits for that binary. So four out of four Blue Coat analysts agree: don't download that software, kids!)
Conclusion: We are treating adcash.com as innocent, but we will of course continue to block individual ads to malicious sites.
[Update: Thanks to @StopMalvertisin for some quick feedback on adcash.com. Kimberly points out that I let Adcash off the hook too easily; they have a bit of a track record when it comes to running ads from shady sites: examples here (from her) and here, from Malekal, who has encountered them quite a few times...]
[Update #2: I got an e-mail this morning from Arnaud Granal, CTO of Adcash.com, who informed me that they check two blacklists before running ads for a site, and that dleasy.net was not on either one, but that they have removed its ads based on our blog post.]