I know a lot of y'all here visit MySpace regularly. You need to check this out!
http://blog.washingtonpost.com/securityfix/2006/07/myspace_ad_served_adware_to_mo.html
Hacked Ad Seen on MySpace Served Spyware to a Million
An online banner advertisement that ran on MySpace.com and other sites over the past week used a Windows security flaw to infect more than a million users with spyware when people merely browsed the sites with unpatched versions of Windows, according to data collected by iDefense, a Verisign company.
Michael La Pilla, an iDefense "malcode" analyst, said he first spotted the attack Sunday while browsing MySpace on a Linux-based machine. When he browsed a page headed with an ad for DeckOutYourDeck.com, his browser asked him whether he wanted to open a file called exp.wmf. Microsoft released a patch in January to fix a serious security flaw in the way Windows renders WMF (Windows Metafile) images, and online criminal groups have been using the flaw to install adware, keystroke loggers and all manner of invasive software for the past seven months.
[Image: The Deckoutyourdeck ad launching the WMF exploit. (Courtesy of Michael La Pilla)]
Internet Explorer users who visited a Web page containing this ad and whose IE was not equipped with the WMF patch would not get that warning. Rather, their machines would silently download a Trojan horse program that installs junk software in the PurityScan/ClickSpring family of adware. This stuff bombards the user with pop-up ads and tracks their Web usage. Only a little more than half of the anti-virus programs used at anti-virus testing service AV-Test.org flagged the various programs that the Trojan tried to download as malicious or suspicious.
[Image: Pop-up ads generated by ClickSpring adware. (Courtesy of Michael La Pilla)]
Using software that captures and analyzes Web traffic, La Pilla found that the installation program contacted a Russian-language Web server in Turkey that tracks how many times the program was installed, presumably because most of this adware is installed by third parties who get paid for each installation. The data there indicate that the adware was installed on 1.07 million computers, La Pilla said, adding that all seven of the Internet addresses contacted by the downloader Trojan appear to be inactive at this time.
[Image: The Turkish Web site that counts installations. (Courtesy of Michael La Pilla)]
La Pilla said he also spotted the ad trying to serve up adware on Webshots.com, a popular photo-sharing site. It's not clear when this particular campaign started, he said, but an anonymous user at the invaluable CastleCops security forum posted information about a similar attack spotted on MySpace on July 12. Users at this online gaming forum apparently spotted the same WMF exploit being served via the DeckOutYourDeck ad as early as July 8.
A WHOIS database search for Deckoutyourdeck.com listed a fax machine as a contact phone number, but also contained an e-mail contact at RedTurtleInvestments.com. A WHOIS search on that domain turned up an address at Springfusion.com, which appears to be a fairly new online-affiliate marketing company. Springfusion.com is registered to a guy in Seattle, who -- when I contacted him via e-mail -- replied that he was not connected with any of the sites I looked up.
[Image: Springfusion.com's home page.]
What is clear from this attack is that there are plenty of people who still haven't installed this security update from Microsoft. It's also fairly obvious that scammers and online criminals are targeting high-traffic Web sites. Alexa currently rates MySpace as the sixth most-visited site on the Web (Webshots.com earned a distant 137th most-visited ranking).
I left a message with Webshots and with MySpace's media hotline, and will update this post if I hear anything from either of them.
Update, 2:50 p.m. ET: A Webshots vice president called back to say the company didn't have any information on the attack, but that it was investigating. Also, I changed the text above to reflect a clarification from La Pilla, who said while the counter page was written in Russian, the site itself is hosted in Turkey.