Active Banner Ads

Published: 2007-06-22
Last Updated: 2007-06-23 02:03:21 UTC
by Marcus Sachs (Version: 2)
0 comment(s)

One of our readers, Walter, wrote to us today with a request to owners of websites:  please block any third-party advertisements that contain scripts or any form of mobile code.

Why?  Well, consider this scenario:

1) A sleazy vendor (or rogue affiliate) "rents" compromised home computers from a bot-farmer.

2) The vendor submits to an ad server an innocent-looking ad for some legitimate-looking product, totally unrelated to the malware.

3) The innocent-looking ad contains JavaScript that redirects the browser to a compromised bot, which in turn redirects the browser to the final malware page.  A website that blocks ads linking to systemdoctor.com or winfixer therefore won't help: the user is redirected to one of millions of compromised bots, and the bot redirects to the malware page.

An example of malware-via-adserver is detailed at
http://msmvps.com/blogs/spywaresucks/archive/2007/02/18/591493.aspx

This is not a new problem.  We covered cases like this in the past where an entire ad server gets compromised and the advertisements it generates contain malware that is injected via an iframe.  The correct solution is to only accept images from advertisers, linked to the advertiser's own website, and no mobile code.  You clearly can't control what happens on that web site, but at least no mobile code is injected into your users' browsers just because they visited you.
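One way a publisher can enforce that "image plus link, no mobile code" policy on submitted creatives, as an added example that is not from the diary or from any ad-serving product (the tag and attribute lists are my assumptions about what counts as mobile code, and the sample creatives are constructed):

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anything that can carry mobile code into the reader's browser is refused outright.
FORBIDDEN_TAGS = {"script", "iframe", "frame", "object", "embed", "applet",
                  "link", "meta", "style", "form", "svg", "base"}
ALLOWED_TAGS = {"a", "img"}   # the whole policy: a plain image wrapped in a plain link

class CreativeChecker(HTMLParser):
    """Walks a submitted creative and records every reason it breaks the policy."""
    def __init__(self):
        super().__init__()
        self.problems = []
        self.images = 0

    def handle_starttag(self, tag, attrs):
        if tag in FORBIDDEN_TAGS:
            self.problems.append(f"forbidden tag <{tag}>")
            return
        if tag not in ALLOWED_TAGS:
            self.problems.append(f"unexpected tag <{tag}>")
        for name, value in attrs:          # HTMLParser lower-cases names for us
            if name.startswith("on"):      # onload=, onmouseover=, ... are script too
                self.problems.append(f"event handler {name} on <{tag}>")
            elif name in ("href", "src", "data", "action"):
                scheme = urlparse((value or "").strip()).scheme.lower()
                if scheme not in ("http", "https"):   # rejects javascript:, data:, relative URLs
                    self.problems.append(f"non-http {name} on <{tag}>: {value!r}")
        if tag == "img":
            self.images += 1

def check_creative(html: str) -> list:
    """Return the list of policy violations; an empty list means the creative is acceptable."""
    checker = CreativeChecker()
    checker.feed(html)
    checker.close()
    if checker.images == 0:
        checker.problems.append("no image in creative")
    return checker.problems

# Constructed sample creatives (not from the diary).
CLEAN_AD = ('<a href="https://advertiser.example/offer">'
            '<img src="https://cdn.advertiser.example/banner.gif" alt="offer"></a>')
SCRIPTED_AD = ('<a href="https://advertiser.example/offer">'
               '<img src="https://cdn.advertiser.example/banner.gif" '
               'onmouseover="location=\'http://bot.example/go\'"></a>'
               '<script src="http://bot.example/r.js"></script>')
```

Run `check_creative(SCRIPTED_AD)` to see the two violations (the inline event handler and the script tag) that a creative like the one in the scenario above would trip.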

UPDATE:
One of our readers reminded us that Mozilla has a plug-in that allows Firefox readers to reject ads.  Also, I should have plugged a solution I've been using on my own computers for a few years - modifying your hosts.txt file to point all of the known ad servers at 127.0.0.1.  Details are on MVPS.

Marcus H. Sachs
Director, SANS Internet Storm Center


Hacking Harry

Published: 2007-06-22
Last Updated: 2007-06-22 23:00:40 UTC
by Marcus Sachs (Version: 1)

Well, it was bound to happen.  The "research" chat rooms and mailing lists are all buzzing about the clever hack that somebody claims to have pulled off.  We'll know for sure when the book comes out and we can confirm or deny what's going on.  We're not going to reveal the supposed ending for those who enjoy reading the series about the young wizard, but there are plenty of web sites that are already spoiling the fun.  So if you know somebody who is a Harry Potter fan and doesn't want to be spoiled, warn them about the supposed leak.

If it's true, then the way the bandit pulled off the heist should be noted by anybody responsible for protecting "secrets", whether they are national secrets, homeland security secrets (ahem!), or intellectual property secrets.  According to anonymous posts on a popular mailing list, a "usual milw0rm downloaded exploit" was delivered by targeted email to employees of the publishing company.  One or more employees clicked on the link, a browser opened, and they clicked on an animated icon.  The malware in the animated icon then opened up a reverse shell and it was game over.  Apparently there were plenty of draft copies lying around on the company's hard drives, so downloading a personal copy was easy.  I suppose if you watched The Devil Wears Prada last year you are thinking "yes, that's probably true."

Note to CIOs:  you must recognize targeted attacks as a serious threat to the protection of your organization's intellectual property.  This is no longer just a theory or academic exercise.

Marcus H. Sachs
Director, SANS Internet Storm Center


Fake Adobe Shockwave Player download page

Published: 2007-06-22
Last Updated: 2007-06-22 13:00:25 UTC
by Bojan Zdrnja (Version: 1)

Jason Frisvold wrote to us about a suspicious web page. One of his users visited the web page he submitted and subsequently got infected with a Trojan horse.

When we get reports of web pages like this one, I typically first download the web page with wget (faking the User-Agent field, of course, so the target site thinks I'm using Internet Explorer). Lately, in almost 100% of cases, the bad guys just insert hidden iframes that point to web sites hosting various exploits.

However, the web site submitted by Jason didn't have any such elements, and I actually forgot about it until we heard again from Jason, who had managed to find out what happened here.

In short, it's pure social engineering: the user is actually encouraged to install the malware himself. How does this work, you might ask?

When visited, the web page in question (a game site related to RuneScape) shows a couple of broken icons, and all links point to another web page that conveniently informs the user that his version of Macromedia Flash Player needs to be updated. After this notice, the user is redirected to a web site hosting a complete replica of the Shockwave Player Download Center, as you can see below:

Fake Shockwave Download Center

All the links on this web page lead to Adobe’s web site except for one (I’m pretty sure you can guess which one).

Besides creating a really nice replica of Adobe’s web site, the bad guys also added this little JavaScript to it:

var message = "";
///////////////////////////////////
// IE branch: swallow the context-menu event so the menu never appears.
// "(message)" is a bare expression that does nothing here; in the common
// "no right click" scripts this is the spot where an alert would be shown.
function clickIE() {
  if (document.all) { (message); return false; }
}
// Netscape/Mozilla branch: cancel middle (2) and right (3) button presses.
function clickNS(e) {
  if (document.layers || (document.getElementById && !document.all)) {
    if (e.which == 2 || e.which == 3) { (message); return false; }
  }
}
if (document.layers) {
  document.captureEvents(Event.MOUSEDOWN);
  document.onmousedown = clickNS;
} else {
  document.onmouseup = clickNS;
  document.oncontextmenu = clickIE;
}

document.oncontextmenu = new Function("return false")

This JavaScript disables right click, so you can't use the context menu for any actions.

The downloaded malware contains a full installer that, when tested on VirusTotal, had very low detection.

Technically this attack wasn't even worth a diary; however, its appearance could probably fool a lot of users. Although it's extremely easy to spot the fake web site (the URL was visible in the address bar), the question is how many users would really check. Would SSL help here? Yes, but again only if users pay attention, and in this case they would first have to be trained to check for it when downloading files, and that's another story.
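The two tells described above (every link goes to the real vendor except the download, and the page blocks the context menu) can be checked automatically over a page fetched with wget. This is an added example, not the diary's or anyone's tooling; the cloned page below is a constructed stand-in and the hostnames in it are made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class PageCollector(HTMLParser):
    """Collects every <a href> and every inline <script> body from a fetched page."""
    def __init__(self):
        super().__init__()
        self.links, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def same_site(host, brand):
    return host == brand or host.endswith("." + brand)

def audit_download_page(html, page_url, brand_domain):
    """Links leaving the brand's domain (relative hrefs resolve to the page's own host),
    which of those fetch installers, and whether the page suppresses the context menu."""
    p = PageCollector()
    p.feed(html)
    p.close()
    resolved = [urljoin(page_url, h) for h in p.links]
    off_site = [u for u in resolved
                if not same_site((urlparse(u).hostname or "").lower(), brand_domain)]
    installers = [u for u in off_site
                  if urlparse(u).path.lower().endswith((".exe", ".msi", ".zip"))]
    ctx_blocked = any(re.search(r"oncontextmenu\s*=", s) for s in p.scripts)
    return {"links": len(resolved), "off_site": off_site,
            "installers": installers, "context_menu_blocked": ctx_blocked}

# Constructed stand-in for the cloned download center (not the real page).
FAKE_PAGE = """
<a href="https://www.adobe.com/">Adobe</a>
<a href="https://www.adobe.com/products/">Products</a>
<a href="/get/Install_Flash_Player.exe">Download Now</a>
<script>document.oncontextmenu=new Function("return false")</script>
"""
```

Calling `audit_download_page(FAKE_PAGE, "http://fake-downloads.example/shockwave/", "adobe.com")` reports the single off-brand link, that it is an installer, and that the context menu is blocked.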
