Active Banner Ads

Published: 2007-06-22
Last Updated: 2007-06-23 02:03:21 UTC
by Marcus Sachs (Version: 2)
0 comment(s)

One of our readers, Walter, wrote to us today with a request to owners of websites:  please block any third-party advertisements that contain scripts or any form of mobile code.

Why?  Well, consider this scenario:

1) Sleazy vendor (or rogue affiliate) "rents" compromised home computers from a bot-farmer

2) Sleazy vendor submits to an adserver an innocent-looking ad for some legitimate-looking product, totally unrelated to the malware.

3) The innocent-looking ad contains javascript that re-directs the browser to a compromised bot, which in turn re-directs the browser to the final malware page.  Thus, a website blocking any ads linking to or winfixer won't help.  The user is re-directed to one of millions of compromised bots, and the bot re-directs to the malware page.

An example of malware-via-adserver is detailed at

This is not a new problem.  We covered cases like this in the past where an entire ad server gets compromised and the advertisements it is generating contain malware that gets injected via an iframe.  The correct solution is to only accept images from advertisers that are linked to another website, and no mobile code.  You clearly can't control what happens on that web site, but at least no mobile code is injected into your user's browsers just because they visited you.

One of our readers reminded us that Mozilla has a plug-in that allows Firefox readers to reject ads.  Also, I should have plugged a solution I've been using on my own computers for a few years - modifying your hosts.txt file to point all of the known ad servers at  Details are on MVPS.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 comment(s)

Hacking Harry

Published: 2007-06-22
Last Updated: 2007-06-22 23:00:40 UTC
by Marcus Sachs (Version: 1)
0 comment(s)

Well, it was bound to happen.  The "research" chat rooms and mailing lists are all buzzing about the clever hack that somebody claims to have pulled off.  We'll know for sure when the book comes out and we confirm or deny what's going on.  We're not going to reveal the supposed ending for those who enjoy reading the series about the young wizard but there's plenty of web sites that are already spoiling the fun.  So if you know somebody who is a Harry Potter fan and doesn't want to be spoiled, warn them about the supposed leak.

If it's true, then the way the bandit pulled of the heist should be noted by anybody responsible for protecting "secrets" whether they are national secrets, homeland security secrets (ahem!), or intellectual property secrets.  According to anonymous posts on a popular mailing list, a "usual milw0rm downloaded exploit" was delivered by targeting email to employees of the publishing company.  One or more employees clicked on the link, a browser opened, and they clicked on an animated icon.  The malware in the animated icon then opened up a reverse shell and it was game over.  Apparently there were plenty of draft copies laying around inside the company's harddrives so downloading a personal copy was easy.  I suppose if you watched The Devil Wears Prada last year you are thinking "yes, that's probably true." 

Note to CIOs:  you must recognize targeted attacks as a serious threat to the protection of your organization's intellectual property.  This is no longer just a theory or academic exercise.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 comment(s)

Fake Adobe Shockwave Player download page

Published: 2007-06-22
Last Updated: 2007-06-22 13:00:25 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)

Jason Frisvold wrote to us about a suspicious web page. One of his users visited the web page he submitted and subsequently got infected with a Trojan horse.

When we get reports of web pages like this one, I typically first download the web page with wget (faking the User Agent field, of course, so the target site thinks I’m using Internet Explorer). In almost 100% of cases the bad guys lately just insert hidden iframe links which point to web sites hosting various exploits.

However, the web site submitted by Jason didn’t have any such elements and I actually forgot about it until we heard again from Jason who managed to find out what happened here.

Shortly, it’s pure social engineering – the user is actually encouraged to install the malware himself. How does this work you might think?

When visited, the web page in question (a game site related to RuneScape) shows couple of broken icons and all links just point to another web page that conveniently inform the user that his version of Macromedia Flash Player needs to be updated. After this notice, the user is redirected to a web site hosting a complete replica of the Shockwave Player Download Center, as you can see below:

Fake Shockwave Download Center

All the links on this web page lead to Adobe’s web site except for one (I’m pretty sure you can guess which one).

Besides creating a really nice replica of Adobe’s web site, the bad guys also added this little JavaScript to it:

var message="";
function clickIE() {if (document.all) {(message);return false;}}
function clickNS(e) {if
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)

document.oncontextmenu=new Function("return false")

This JavaScript disables right click so you can’t use this context menu for any actions.

The downloaded malware contains a full installer that, when tested on VirusTotal, had very low detection.

Technically this attack wasn’t even worth the diary, however, the appearance could probably fool a lot of users. Although it’s extremely easy to see the fake web site (the URL was visible in the Address bar), the question is how many users would really do this. Would SSL help here? Yes, but again only if users pay attention and in this case they would first have to be trained to check for it when downloading files, and that’s another story.

0 comment(s)
Diary Archives