Google Adsense Serving Up Malware?

May 28th, 2009 by Stephen Cronin

Tonight I was browsing the Internet, when my virus software notified me of a potential threat from openstat.ws. None of the websites open in Firefox had a link to this site in the source. After some investigation, it appears that the potentially malicious site is called by Google Adsense.

Avast Anti-virus Warning Message

I use Avast Antivirus on my computer and tonight it gave the following warning message while I was browsing the Internet:

Sign of "HTML:Iframe-inf" has been found in "http://openstat.ws/top.php\{gzip}" file

The inclusion of a URL made me suspect that one of the sites I was browsing was linking to a dodgy website (i.e. openstat.ws).

The obvious thing to do was to check the source of the sites open in Firefox, to see which one was the culprit. However, openstat.ws did not appear in the source of any of the pages. Not to be put off, I used the Web Developer toolbar to examine the generated source. Still nothing.

Google Says Openstat.ws Is Suspicious

Next stop, a Google search for openstat.ws. The number one result was the Google Safe Browsing diagnostic page for openstat.ws. Because the nature of this page is that it may change often, I’ve grabbed a screenshot of what it’s showing tonight:

[Screenshot: Google Safe Browsing - openstat.ws]

Okay, so Google are saying:

Site is listed as suspicious – visiting this web site may harm your computer.

They say the site was only listed for suspicious activity once in the last 90 days, but they also say:

Of the 6 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent.

I’m not a security expert and I may be reading this wrong (please let me know if I am), but that seems to be indicating that there’s a 50% chance of malicious software being installed from openstat.ws.

Norton Say Openstat.ws Is A Threat

The third result in the Google search was Norton Safe Web’s page on openstat.ws. Let’s see what they say about openstat.ws:

[Screenshot: Norton says openstat.ws is a threat]

Norton are saying that there are two threats found on openstat.ws, one of which is:

Threat Name: Direct link to HTTP Malicious Toolkit Variant Activity

Location: http://openstat.ws/top.htm

The file Avast picked up on my computer is top.php, but top.htm is pretty close. HTTP Malicious Toolkit Variant Activity sounds pretty nasty. Norton say:

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Okay, I’m convinced now that I don’t want openstat.ws being called on my computer. But how can I stop it when I can’t find where it’s being called from?

Looking Under Firefox’s Hood – Sessionstore.js

If openstat.ws wasn’t being called by the websites I was visiting, perhaps it was being called by Firefox itself. I started thinking that Firefox or one of the extensions I run must have been compromised. I started looking through the Firefox files – admittedly without much of an idea of what I was looking for.

I started by looking in the \Documents and Settings\[username]\Application Data\Mozilla\Firefox\Profiles\[profilename] folder. I ordered the files in date order and started going through the most recently modified files.

I soon came to sessionstore.js. It gave me the answer, although it wasn’t the answer I was expecting. Sessionstore.js seems to store the current session, presumably so it can be restored in the case of Firefox crashing. I’m not sure if this is default behaviour or part of the Session Manager extension.

It consists of a series of entries tags, one for each tab that’s open. In examining this, I found the following:

EDIT: Due to Syntax Highlighter performance issues, I’ve moved the sessionstore.js snippet into a text file.

That’s not particularly readable, but it’s saying that I’ve got Ozh’s Handling Plugins Options in WordPress 2.8 with register_setting() post open. Inside that there is a child URL open (http://googleads.g.doubleclick.net/etc) which is a Google Adsense ad. Inside that, there are some further children, down until we come to one for http://openstat.ws/top.php, which is our suspicious site.

At this point we are still inside the Google Adsense child, meaning that the site that Google lists as suspicious is actually being served through Adsense. This is a little worrying to say the least!

Note: There is absolutely nothing wrong with Ozh’s site apart from the fact that he is running Adsense – as do I and hundreds of thousands of other sites.
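
The nesting described above can be walked mechanically rather than read by eye. The following Python script is an added example, not part of the original post: it parses a session file and returns the chain of parent frames leading to a given host. It assumes the file is JSON (optionally wrapped in parentheses) with windows, tabs, entries and children keys, each entry carrying a url; the sample session, including the blog.example, ads.example and news.example URLs, is constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape the post describes:
# window -> tab -> entries -> nested "children" (one per frame).
SAMPLE_SESSION = """({"windows": [{"tabs": [
  {"entries": [{"url": "http://blog.example/post", "children": [
    {"url": "http://googleads.g.doubleclick.net/etc", "children": [
      {"url": "http://ads.example/frame.html", "children": [
        {"url": "http://openstat.ws/top.php"}]}]},
    {"url": "http://blog.example/sidebar.html"}]}]},
  {"entries": [{"url": "http://news.example/"}]}
]}]})"""

def load_session(text):
    """Parse session text, stripping a wrapping pair of parentheses if present (assumption)."""
    text = text.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    return json.loads(text)

def host_matches(url, domain):
    """True if the URL's host is the domain itself or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)

def walk(entry, chain):
    """Yield the URL chain (top-level page first) for an entry and every nested child frame."""
    chain = chain + [entry.get("url", "")]
    yield chain
    for child in entry.get("children", []):
        yield from walk(child, chain)

def find_frame_chains(session, domain):
    """Return (window index, tab index, chain) for each frame whose host matches the domain."""
    hits = []
    for w, window in enumerate(session.get("windows", [])):
        for t, tab in enumerate(window.get("tabs", [])):
            for entry in tab.get("entries", []):
                for chain in walk(entry, []):
                    if host_matches(chain[-1], domain):
                        hits.append((w, t, chain))
    return hits

if __name__ == "__main__":
    for w, t, chain in find_frame_chains(load_session(SAMPLE_SESSION), "openstat.ws"):
        print(f"window {w}, tab {t}:")
        for depth, url in enumerate(chain):
            print("  " * (depth + 1) + url)
```

Each hit lists the top-level page first and the flagged frame last, so the ad frame that pulled it in is visible in between.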

Final Thoughts

As I said, I’m not a security expert, so I’d love some feedback from someone more knowledgeable. I’d also love to hear if anyone else out there has come across this problem.
