A big batch of malware-infected ads is circulating on a slew of popular sites, including MLB.com, NHL.com and the Australian site www.whitepages.com.au.

The ads were apparently bought and paid for by rogue antivirus software sellers, who posed as legitimate advertisers. They typically paid for the ad space with wire transfers or credit cards, according to Alex Eckelberry of Sunbelt Software.

The likely distributor of the malware, Eckelberry suspects, is AdTraff, a shady "online marketing" outfit that is believed to have ties to the Russian Business Network, a notorious, ethically challenged Internet service provider.

Eckelberry adds that although the malware is indeed malicious – it will hijack your computer and bully you until you pony up the $40 to buy the antivirus software – it's not "going to steal your data or kill your dog. It's extortion. You have to imagine that you're dealing with people who have absolutely no morals. We've even seen these guys make up their own viruses," Eckelberry says.

DoubleClick unwittingly distributed the ads through its DART program. (DART is an online ad platform used by publishers to manage and track ads.) In the meantime, DoubleClick has implemented a new security monitoring system that has thus far captured and disabled 100 ads. Says Sean Harvey, senior product manager at DoubleClick DART:

This is an industry-wide challenge; unfortunately, there are bad actors who misrepresent themselves and purchase advertising as an avenue to distribute malware. This has the potential to affect all businesses and consumers in the online environment.

If you've seen any of the ads, you may have experienced something like this: You're on a regular web site that you may have visited many times before. Your browser window closes down. A new browser window comes up, redirecting you to an antivirus site, and a dialog box appears that suggests your computer has been infected and your hard drive is being scanned. The malware tries to download software to your computer and scans your hard drive again. (See the demonstration below on YouTube.)

The malware is apparently being disguised as a Flash file that has a redirect function encrypted in the file, so that when publishers upload the ad file the malware is not detectable. Once deployed on a site, the Flash file launches the malicious redirects, perhaps triggered at certain times or in certain locations.

www.youtube.com/watch?v=&rel=1

Photo: Flickr/Bruno Biagioni