A US Senator trying to eradicate the Internet scourge known as malvertising is proposing that all federal agencies block ads delivered to worker computers unless advertisers can ensure their networks are free of content that contains malicious code.

In a letter sent today, Oregon Senator Ron Wyden asked White House Cybersecurity Coordinator Rob Joyce to begin discussions with advertising industry officials to ensure ads displayed on websites can't be used to infect US government computers. If, after 180 days, Joyce isn't "completely confident" the industry has curbed the problem, Wyden asked that Joyce direct the US Department of Homeland Security to issue a directive "requiring federal agencies to block the delivery to employees' computers of all Internet ads containing executable code."

"Malware is increasingly delivered through code embedded in seemingly innocuous advertisements online," Wyden wrote. "Individuals do not even need to click on ads to get infected: this malicious software, including ransomware, is delivered without any interaction by the user."

Sen. Wyden continued:

"While the online advertising industry plays a vital role in the economics of the Internet ecosystem, the threat posed by ad-delivered malware cannot be ignored. Indeed, several federal agencies have already recognized the serious nature of this cyber threat and, as a result, instituted network-based ad blocking."

Over the past decade, ads displayed on legitimate and often popular websites have emerged as a key way criminals infect the computers of unsuspecting computer users. In some cases, the ads contain malicious code that exploits unpatched vulnerabilities in browsers or browser plug-ins, such as Adobe's Flash Player. Such ads have the ability to install ransomware, keyloggers, and other types of malware when users do nothing more than visit a site hosting the malicious link. Other types of malware meticulously disguise themselves as legitimate operating system or application updates in an attempt to trick visitors into clicking on links that will install the malicious wares.

In March 2016, researchers from multiple security companies documented a malvertising campaign that attempted to install ransomware on computers visiting mainstream sites, including The New York Times, the BBC, MSN, and AOL. One of the ads analyzed contained more than 12,000 lines of heavily obfuscated code that listed security products and tools the malware avoided in an attempt to remain undetected. Nine months later, researchers documented a similar campaign that exposed millions of people to a novel form of malicious ad that embedded attack code in individual pixels of the banners.

Wyden's letter didn't say how he wanted federal agencies to block ads in the event advertising industry officials are unable to ensure their content is free of malicious code. One way would be to include ad blockers in browsers. A more efficient method would probably involve the agencies blocking ads at the network level.

Wyden's letter didn't identify the agencies that are already doing network-based ad blocking, and a spokesman declined to name them. A spokeswoman with the Department of Homeland Security said that, for the last five years, the agency has blocked ads based on "the vendor categorization type of 'Web ads/analytics' for urls that are in certain categories." Wyden's language singling out ads containing executable code suggests text-only ads might still be permissible, but anything containing the nearly ubiquitous JavaScript coding found in most ads today presumably would be covered.