HTTP Trojan Mebroot Request served through AdSense?
my users are complaining about a trojan
4:13 pm on Apr 26, 2010 (gmt 0)
Is anybody else seeing this?
A bunch of users on my forum say they are getting warnings from their antivirus programs. Is it a false positive or is some advertiser trying to spread infected flash ads?
5:17 pm on Apr 26, 2010 (gmt 0)
We had this happen a few months back. Turns out it was a problem with our banner ad network (TribalFusion). They told us one of their IP addresses got on the virus list by mistake. They told us it would be fixed in the next update of the user's anti-virus software.
We said that was not acceptable. We suggested they swap that IP out. They offered no other solution and just kept telling us to re-install their code. We dropped them. It was making us look pretty bad, like we had a virus on our site.
Turns out we make more by running an Adsense image banner there than we did with their ads, so it was a net gain for us, and a big net loss for Tribal... ;-)
5:32 pm on Apr 26, 2010 (gmt 0)
After searching a bit, I saw some references to the "Real Media" network.
It looks like one of Google's ad partners.
If there is a way to confirm this, then we could simply block that network in the AdSense settings.
5:32 pm on Apr 26, 2010 (gmt 0)
maximillianos, I agree. This makes my site look really bad. People think that we are somehow spreading the trojan or that the forum is infected.
6:00 pm on Apr 26, 2010 (gmt 0)
YES! I've been getting the same reports from my visitors since Friday 4/23. I have seen very little about this, so it appears Google isn't aware of the issue. So I have blocked all 3rd party networds on Adsense for now (102 of them!). I don't know yet if this will temporarily solve the issue.
I'd sure like to hear directly from Google on what they're doing about this, and an ETA when it will be fixed.
6:51 pm on Apr 26, 2010 (gmt 0)
I just blocked all networks. Wonder how much time it takes to go into effect.
On a side note, I was wondering what it would do to my ecpm. I wanted to try blocking them all and run this test for a while. I guess now is a good opportunity to try it.
7:13 pm on Apr 26, 2010 (gmt 0)
I'll take the temporary hit in ecpm. I can't afford to have visitors think MY site is delivering viruses!
7:58 pm on Apr 26, 2010 (gmt 0)
Every time I've seen this happen before it's turned out to be some weird thing with the AV program. I used to see it from time to time with Trend Micro. Then they'd issue another update, and it would go away.
8:03 pm on Apr 26, 2010 (gmt 0)
I initially thought that too, unfortunately this is coming from visitors with different AV programs (Avast, Norton, McCafee, etc)...all at the same time. It's extremely unlikely all the AV programs have the same problem at the same time.
9:55 pm on Apr 26, 2010 (gmt 0)
Same here. Different AV vendors. So either they pull signature databases from each other or there really is an infected ad somewhere on the ad network.
9:02 pm on Apr 27, 2010 (gmt 0)
It's been 24hrs and I've seen no drop in my ecpm. In fact, I noticed an increase. Go figure!
Still no word on the viruses, but I have found more threads elsewhere reporting various viruses being spread via adsense.
I've had no reports of viruses since removing those networks.
11:46 pm on Apr 27, 2010 (gmt 0)
Same here. I see a lot fewer flash ads. So most of them probably came from other networks. ECPM is the same so far, but it's too early to tell.
And yes, no more reports of a virus from the users.
I might actually keep the settings this way.
3:26 pm on May 29, 2010 (gmt 0)
Well, I'm getting reports from users again.
7:03 pm on May 31, 2010 (gmt 0)
Not me (so far), but I am concerned about the effect this could have on the Adsense program. Have you reported it to Google? There is an Adwords feedback form at [adwords.google.com...] but it seems to be mainly for reporting offensive ads, not ads with malware.