How likely are you to get hit with malware from an ad, even if you don't surf piracy or porn sites? Not very, but still more likely than you might think.
In "The Dark Alleys of Madison Avenue: Understanding Malicious Advertisements," co-author Apostolis Zarras and other researchers from Ruhr-University Bochum, UC Santa Barbara, and University College London examined the degree to which casual Web browsing exposes a user to malware delivered through advertising. As discussed in a blog post by malware detection company Lastline, the team processed more than 670,000 ads using a custom-built system employing the Wepawet Web-based threat analyzer. Of that batch, 1 percent "show[ed] a malicious behavior." (The post has since been removed.)
The research paper also found that malvertising distributors didn't seem to care which kinds of sites were used as a vector. Adult sites, which conventional wisdom associates with malware-infected advertising, were only 10 percent of the total number of sites delivering infected ads, while mainstream news and entertainment sites together constituted 29 percent.
Aside from hackers buying ad impressions outright, some of the problems with malware in advertising networks can be attributed to issues like ad arbitration, wherein slots for ads get resold without the knowledge of the publisher. By the time an ad reaches a user, it might have passed through so many hands that few people would be aware it contained any malicious elements.
Whatever the exact mechanism, plenty of historical precedent shows that malware-delivering ads can sneak in nearly anywhere. Back in January, researchers warned that the ads.yahoo.com domain was serving malware-infected ads that targeted vulnerabilities in Java, a common exploit vector. This September, security researchers at Malwarebytes found DoubleClick and Zedo to be delivering malware as well. Lastline determined that DoubleClick was one of the cleanest ad networks, with a 99.6 percent "benign" rating, although it's easy to see where some of the remaining 0.4 percent came from.
Update: The original article has been amended.