Hackers delivering viruses via Web ads

Web ads are becoming a delivery system of choice for hackers seeking to distribute viruses over the Internet. In a development that could threaten the explosive growth of online advertising, hackers have started to exploit security holes to slip viruses into ads. Going to a site that shows such an ad can infect a computer.

In May, a virus in a banner ad on tomshardware.com automatically switched visitors to a Web site that downloaded “malware” — designed to attack a computer — onto the visitor’s computer. ScanSafe Inc., one of the first security firms to discover the virus, estimates the ad was on the site for at least 24 hours and infected 50,000 to 100,000 computers before Tom’s Hardware removed it.

A person familiar with the situation says that Tom’s Hardware was unaware of the threat and that ads on the site were supplied by an outside server and likely appeared on a number of other Web sites as well. Some people noted that their antivirus software had protected their computers and others lamented that a virus had been downloaded.

Clicking on ads that appear in the sponsored-link results section of Web search engines can be very dangerous. Web security firm McAfee Inc. found in May that 6.9 percent of sponsored links led to suspicious sites that might have downloaded malicious software.

“Not being able to offer a safe haven is one of the things that could stand in the way of reputable advertisers and dollars,” said Scott Howe, president of Internet ad network Drive Performance Media, a unit of Seattle-based aQuantive, which Microsoft Corp. recently agreed to buy for $6 billion. “That’s the single biggest fear that many advertisers have. … It has taken them a hundred years to build their brand, and it can be destroyed pretty quickly if they are not careful.”

The Internet has long been plagued with viruses, spyware and other troublesome software. In the past, though, consumers usually had to open a harmful attachment in an e-mail, download free software that contained malicious code or click on a link to another site. Technology underlying virus-filled ads is more insidious. Simply opening a Web page can expose a user to harm.

While the number of infected ads has been small compared to the trillions of ads populating the Internet, Web security experts say the phenomenon is growing, especially on sites that accept ads from advertising networks that lack secure safeguards. Eighty percent of malicious computer code is found in online ads, according to a recent study by computer security firm Finjan Inc.

“The online ad industry’s success is going to be dependent on not letting viruses through the walls. They’ve all got to get better and mobilize,” said Zack Rogers, vice president of revenue operations at CNET Networks Inc., which operates a number of Web sites, including CNET.com and TV.com.

Top-tier online ad companies and Web sites say they are refining their security systems to try to prevent harmful material from leaking onto the Internet. But security experts say the complex structure of business relationships makes it difficult for sites to block virus-laden ads. Sites often work with one group of ad firms to sell space and another group to ensure the ads appear when a Web surfer calls up a page. Yet other companies save the digital information that creates an online ad on a server and then delivers that data to the Web sites.