Dismantling Common Internet Services for Ad-Malware Detection
Florian Nettersheim, Stephan Arlt, Michael Rademacher

TL;DR
This study evaluates how different Internet services detect ad-malware, revealing inconsistencies and highlighting the need for a unified definition and improved detection methods for safer online advertising.
Contribution
It provides an empirical analysis of ad-malware detection by comparing responses from DNS providers and VirusTotal, exposing discrepancies and proposing future research directions.
Findings
Up to 0.47% of domains labeled suspicious by DNS providers.
Up to 8.8% of domains labeled suspicious by VirusTotal.
Only 0.7% to 3.2% of suspicious domains are categorized as ad-malware.
Abstract
Online advertising represents a main instrument for publishers to fund content on the World Wide Web. Unfortunately, a significant number of online advertisements accommodate potentially malicious content, such as cryptojacking hidden in web banners - even on reputable websites. In order to protect Internet users from such online threats, the thorough detection of ad-malware campaigns plays a crucial role for a safe Web. Today, common Internet services like VirusTotal can label suspicious content based on feedback from contributors and from the entire Web community. However, it is an open question to what extent ad-malware is actually taken into account and whether the results of these services are consistent. In this pre-study, we evaluate who defines ad-malware on the Internet. In a first step, we crawl a vast set of websites and fetch all HTTP requests (particularly to online…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Digital and Cyber Forensics
