Worm Exploit Distributed by Advertising Network
Zocalo writes "Given that a lot of Slashdot readers also check The Register, it's important to note that their Internet advertising provider, Falk AG, was compromised by the BOFRA exploit yesterday. The Falk AG service has been suspended by The Register and a statement from Falk AG is due on Monday. The upshot is that if you visited the Register yesterday morning and use IE as your browser, then you probably need to run a full virus scan with up to date data files. Of course, those of us running other browsers and something like AdBlock have nothing to worry about. Again." You're OK for now if you're running SP2. There's also a good security writeup about the problem.
LOL. Yet another reason to not use IE!
Firefox user gets first post.
This is a really big problem. Okay, so it's The Register and they realized this and stopped it. But we visit so many other websites - how are we to know which one of those ad providers are infected and which are not?
Sheesh, where is accountability? Blame the sysadmins, blame the software, pity the customer. Lather, rinse repeat.
Is Fist Fuck.
Maybe site owners will start moving or demanding text-based ads (like Google's)?
Rock that crushes, Paper & Scissors that don't matter.
.. falkag.net are the second entry in my ad filter, right after doubleclick
We all know that The Register is as anti-Microsoft as they come.
So they deliberately spread a worm to push the point home.
Big deal.
How many IE users have switched to SP2 yet?
Trolling using another account since 2005.
You're OK for now if you're running SP2.
Ummm... My Win machine is running SP4. Oh, you mean XP SP2. Not on my machines, man... The highest I'll go on my personal machines is 2k.
Aside, you left out another browser of very worthy note. Oh, well, make that two.
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
Sad thing was the company was based in the Netherlands so it wasn't even worth pursuing legally... but if you are on the net, you aren't safe. MS products are more insecure, but you should always take steps to protect yourself, like keep the OS and applications up to date, etc etc
Agile Artisans
Don't you mean no IE users?
Why was it necessary to praise AdBlock in the writeup considering it would not have made a difference if the user had it installed or not? Even if AdBlock were responsible for preventing a user from getting a virus this time, that's hardly enough to make up for the theft of services and fraud that people who use it commit every day.
Web pages like slashdot are available to you on the following basis: load our advertisements which bring us revenue that allow us to pay for bandwidth, salaries, etc., and we will also make available to your our content, free of charge. Extensions and programs like AdBlock are tantamount to theft; you are acquiring the content but not "paying" for it by loading the advertisements.
If you find a site's ads to be so intrusive as to make the page unviewable, don't go back. I doubt anyone forced you to go there in the first place.
audioLibre - freedom of music
What's with all this "Microsoft should patch this", "Microsoft should patch that". I am NOT a pro Microsoft person, but they made SP2 for a reason. If SP2 fixes it, why in the hell should they go back and patch an older version? If you don't like SP2 that's your problem, but if you want to actually get the latest updates, use it. Don't complain if sticking with SP1 (or no SP) is going to stop you from getting any security fixes.
WASTE - The Secure P2P
I wonder what the Fud Factory spin will be on that then?
At least they will have some activists in the neck...
Miles Angaard
So if your XP machine is up to date you're ok?
That's kool, because all I do is download new browsers for security and never run windows update. That would make too much sense...
If you may have visited The Register between 6am and 12.30pm GMT on Saturday, Nov 20 using any Windows platform bar XP SP2 we strongly advise you to check your machine with up to date anti-virus software, to install SP2 if you are running Windows XP, and to strongly consider running an alternative browser, at least until Microsoft deals with the issue.
I just wanted to make this comment. One of the SP2 versions trashed my computer so bad when I ran it. And I'm still suffering from the effects. Such effects include freezing on websites for minutes at a time. Installing it also took my computer like 10 minutes to boot if I remember correctly.
If you can get an anti-virus program, do it. It's better than nothing.
I hate third party ads. www.tvtome.com serves one malicious ad, unless they took care of it already. If I remember correctly, the "ad" kept asking me to do something, in which I had to end up killing the IE6 process to stop it. But I run an ad blocking program most of the time. I really hope websites switch to text ads, like Google does.
The Register is targeted at an audience of IT professionals. Any IT professional who's dumb enough to still be using Internet Explorer in November 2004 deserves whatever he gets.
The subject says it all.
This worm gives new meaning to the term "viral marketing"...
-Valen
Windows update has fixes for more than just holes in IE. Remember the Sasser worm that came out in March? That bastard propagated through a security hole in windoze...it didn't matter whether you had ie or mozilla or whatever. People who got the patch were fine. Those who didn't suffered.
And before anyone starts knocking ms for having such a "crappy os", you try finding every hole in millions of lines of code. I'm impressed that ms gets updates out as fast as they do.
Don't take life so seriously. No one makes it out alive.
It's not the first time this has happened either, see this article relating to an incident that happened back in September with Falk AG.
Never email donotemail@WeAreSpammers.com
"Would it kill you to put down the toilet seat?" -- Maya Angelou
Well, still waiting for that Windows build of Konqueror to get rid of my explorer.exe shell... Hehehe...
And IE worms are the gift that keeps on giving...
What would Groucho do?
Please clarify. Did you mean what you said (i.e., that we need to meet both conditions), or did you mean:
"those of us running other browsers or something like AdBlock"; or
"those of us running other browsers and those of us running something like AdBlock" ?
Some days I really hate the English language.
There are alternates to explorer.exe, you know.
In that case, feel free to use this version that uses "0.0.0.0" instead.
But all I got was ebola.
Interesting... the majority of business desktops are still Windows, so I suspect a majority of business users and admins are still using Windows on some level. And WTF do you get off saying, "he". There are a few female IT professionals.
The ISC has more details here and here.
Interesting. Adblock still shows this blockable item when I visit theregister.co.uk :
s
http://f.as-eu.falkag.net/dat/cjf/00/15/57/05.j
So much for suspending ad service from that company...
If people were reading The Register over the weekend, they were probably doing it from home.
This really helps add credibility to the claim that blocking ads can help aid security, giving ad blocking credibility outside of the "I don't want to look at irritating banners" department.
How long until anti-virus software has built-in pop-up and ad blocking? It's past due.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
I consider this to be a troll in a way but I'd like to see what others think about it just the same:
What if this advertiser wasn't actually exploited? What if this was all just plausible deniability and really an intentional way of getting more spyware and crap out there? We have no way of measuring the ethical standards of these essentially unknown parties but we do know there are people out there willing to make a buck while invading the computer systems of private individuals.
"Oh, we're sorry... we were hacked and now there's all these victims... we're sorry..." Should we really believe it?
The write up for the attack is incorrect. The correct sequence of events is at http://www.finlandforum.org/bb/viewtopic.php?t=7685. I know because I noticed it at The Register first and contacted Falk AG. Thanks for the acknowledgement too Slashdot, NOT.
Last time I read about Microsoft's buffer overflow protection implementation in Windows XP Service Pack 2, they were talking about the NX bit present in page entries when the PAE mode was active in AMD x86-64 processors. Even though that protection exists in the new AMD x86-64 processors' MMUs, Intel P4 as well as older AMD processors do not yet support that bit, which means that processes running over them do not get any page-based protection against code execution, even while running SP2.
However I see many people trusting their lives on SP2's protection even without processor support, and I don't see Microsoft willing to clarify this issue either, so I'm starting to believe that probably there is something else that I am not aware of in SP2 which simulates the same kind of protection on processors without hardware support.
Is SP2 really protecting against stack smashing (for example) on processors without hardware support for non-executable pages? Or is it just general ignorance that Microsoft exploits for their own profit?
Looks like yet another reason for people to be using real operating systems. Such as Linux, BSD, MacOS X. Heck even SCO's UnixWare is probably more secure than the mess of code and goto statements that is Windows.
...Mozilla need not support firefox 0.9.3 for two very good reasons. First, it is a pre-release piece of software (or preview if you prefer), second the cost of "entry" to obtain Firefox 1.0 is merely a 4-7 MB download.
If Microsoft say they will support older operating systems (i.e. Windows 2000) then they need to support it 100% (not 90%, for the extra 10% upgrade to XP that they are now). Lots of people paid good money for Windows 2000 and were led to expect full support, including security updates, for a substantial period. This period has not passed and as such Microsoft is reneging on their side of things.
I am NaN
I definitely read that post as "Not to mention the activation issues that make XP not run at all after installing SP2. Microsoft should have fixed those long before releasing SP2 because they screw over-paying customers."
Upon realizing my mistake, I'm actually not sure which reading is more accurate.
And WTF do you get off saying, "he". There are a few female IT professionals.
Take your faux sensitivity and stow it. It won't help you get any chicks.
I consider Adblock as more of my vote against which ads are appropriate and which are not. Bright flashing image ads, flash ads, etc, will be blocked. However, I will not block a Google ad, because text is not nearly as obnoxious. Heck, I click on text ads to support developers who use unobtrusive advertising.
The upshot is that if you visited the Register yesterday morning and use IE as your browser.
A few years ago I would have laughed at anyone who said something like that and just ignored it as paranoia by someone who didn't really know much about computers and security or who had been watching too many hacker films. Of course you can't get a virus from visiting a web page, that's just stupid, who would allow such insane breaches of security? But Microsoft saw a market: they realised that since most people believed you could get a virus that way, why not match their products with people's expectations? Next slashdot poll should be who uses IE and why...
This comment does not represent the views or opinions of the user.
Bitter and proud of it.
For one, to those people commenting about how some people say that they don't want to use SP2... It isn't their fault that they don't want to. When I installed SP2 on my computer, that was using a legal copy of Windows XP, my computer BSODed and the boot sector was screwed over. This was a mistake on the count of Microsoft that deleted a number of documents that I thought were in a stable, safe place. I now make a backup of all my data to an external hard drive every other day to make sure this doesn't happen. Another comment I would like to make is for the people that are saying that ads are the only sources of revenue that websites have and we should be forced to read them and not block them. Yes, I agree that some websites need ads for money to run the site, but some ads are downright obnoxious. There are, however, sites that live off of things such as Google text only ads. www.neowin.net is an example, where you see at the top of the page only a simple text ad, or once in a while a picture ad. They are a fairly large website, and yet they support themselves by only a text ad. Interesting, isn't it? People rave about how websites absolutely have to have tons of ads to live, and yet Neowin has been living for a good 5 years now on text ads...
What's with the BS concerning "if you had other browsers you're safe" ??!
I have Internet Explorer V6, SP1 with manually installed updates, Ad-Aware and Norton running simultaneously. I also am a reader of the Register.
I also have no problems with any type of virus.
Please, stop the garbage.
PS - a linux-Jedi friend who swears by Mozilla got the worm. Ahem.
I always wonder, when people claim "SP2 shat my machine" if they are installing on a fresh, or fairly clean system. The machines I've seen that have really screwed up SP2 either had spyware/viruses or traces of them or some weird software (usually only one application breaks)
Sometimes it's not fair to claim a service pack broke your gatored and cometcursored box!
and live on government handouts.
After all you have a RIGHT to make a living. Or in the words of Darl McBride:
"We're fighting for the right in the industry to be able to make a living selling software," McBride told the audience. He compared this right to the ability "to send your children to college" and "to buy a second home."
Check the root of your C: for a file named bla.exe.
For Windows NT 4 *ALPHA* SP6a!
Where MS has to donate $10,000,000 to the EFF for every security exploit in IE that gets used in the wild...
You are in a maze of twisty little passages, all alike.
AOL would never let me down.... They would never use spyware like Wildtangent, or let me be jeopardized with nasty unsigned Active-X like Microsoft has...
(But seriously...) Until they dump the Netscape/Mozilla browser build for IE again.
Now to get back to this email about Hopkin Green Frog from Sierra Leone and how he's going to give me 25% of $14 million if I become his next of kin.....
The IE vulnerability exists in IFRAME and other HTML elements. Text-based ads aren't any less vulnerable.
Wow, you paid for all that 3rd party crud to protect yourself when all you had to do was install any other browser to make it a non issue.
Then you imply your Linux using friend got the Windows only worm.
You're not the brightest light on the Christmas tree there, are you?
Please stop your garbage.
I swear on just about EVERY website i visit, i briefly see "contacting host falkag.net" flash by. No, not one website I contact often. Not just a few sites, but EVERY site that finds it necessary to have banners from 20 different websites, and have all the images hosted on a server that has about a tenth of the bandwidth needed to function properly.
What's falkag's ip? 127.0.0.1
I'm New Here
And WTF do you get off saying, "he". There are a few female IT professionals.
It's correct English to speak of a fictional person of unknown gender as "he."
Just making an observation about Slashdot's choice of icon images. :)
Many of the flaws in Windows are architectural. Fixing them will break things. SP2 did as much as possible to minimize breakage of apps that are in many cases frightening garbage internally, while making some big changes.
I'm no MS fan (and am typing this from a Linux box) but geez, give them credit where it's due. Nobody but MS would've gone to the incredible time and effort of including thousands of compatibility hacks and tweaks so braindead, broken apps could keep on working.
Most other OSes would simply break the apps and be done with it.
Freeware nLite removes IE from 2000, 2003, XP before installation
Technical Details on Removing IE from Windows 2000 before installation
I propose to stop using frames and always click the "no frames" option in every website which provides it. If you believe that frames are evil, please read my relevant blog entry and say all over the world that you hate frames. Perhaps we can make a difference and teach webdevelopers that frames are annoying.
Fuck me to tears already, and get this over with, because I can't take it anymore.
Jailmate
http://shit.slashdot.org/article.pl?sid=04/11/21/2247232
I find it somewhat disgusting that there has yet to be one person to post that it might be their own fault for putting themselves in danger of this exploit, when, if they are registered with Slashdot, they should be aware of the dangers of using IE in the first place.
Please, stop blaming others when you have at least a choice of 4 other browsers available to you without the same level of security issues as IE:
Who cares what every one else should be doing when YOU YOURSELF are not willing to every thing YOU can to avoid these dangers?
My CV is not in Word format and I have a job. Yes, I've refused to transcribe it into Word and that's surprised the shit out of several people. I only had to compromise as far as supplying it in PDF.
Maybe your American employment agencies are stupider than the ones we have here in Australia. That would be pretty unlikely though as ours are dumb as bricks.
Friends don't help friends install M$ junk.
Seriously, those colors are hideous.
Oh, you mean like making movies and music? Go Google it and you will see that free software mixed with non-free on Linux dominates the business now and has for years. When your job depends on this and your company wants to be competitive, you will use Linux.
On the personal level, you should read this glowing Mepis review by a long standing Winblows professional who detailed how to do every conceivable multimedia task, including DVD watching and video editing. If you want a computer that will do tomorrow what it does today without getting schmegged by scammers, advertisers and others, you want Linux.
Where do you want to go today? Free software will get you there with less trouble and cost.
Friends don't help friends install M$ junk.
That's true, you would be foolish to trust an automatic software updater from a company with M$ style QC. They have a long record of breaking applications and not caring. That's why companies pay people to evaluate "updates".
The burden is considerably less in the free software world where there's no incentive to spaghetti code and break other people's applications. When code is properly modularized, it has a tendency not to break other code. I can contrast my experience with frequent distribution upgrades of Debian Unstable without problems to single applications frying Winblows.
In any case, the need for upgrading is much less in the free software world. Exploits there remain largely a laboratory exercise, despite volumes of FUD. Exploits in the Winblows world translate to a mean life for networked machines that are much less than the time it takes to use Winblows updater.
Friends don't help friends install M$ junk.
Surely not many regular Register readers?
I've been running Linux since 1999, and I've never been impressed by the major GUI distributions - they always feel quickly-put-together, like they're elaborate constructions of balsa wood. So, I used Debian, which gave me the power to control the system and high-quality packages to build it into what I wanted.
Lately, I've been using Ubuntu on my laptop, and I love it. It's a clean, simple-to-install, simple-to-administer GNOME-based Debian fork where things just work. Give it a look-over if you're ever in the market for a distribution for other family members. (Karma bonus declined because this is not very on topic.)
|/usr/games/fortune
"hacked by chinese"!?
...you want to have an EULA click-through for every site too? As if having one with every program, every forum, every service wasn't enough?
Advertisers rely on some fraction of their users seeing their ad. Not all of them (some are completely oblivious to their presence), not all of the time (you switch channels sometime) but some.
I could live with that if that was all ads do. But I block them, because several have greatly abused their rights to throw me into endless pop-up loops, ads flowing over content (when not using IE, sigh), minimize-on-show pages that you can't close easily and so on.
I'm sorry that some unserious sites destroy it for all the serious ones. But I'm not unblocking ads until browsers can block the abuse, and they don't. Instead they seem to go the ad-block route themselves. That'll only push advertisers to use other ways like flash, css areas and whatever.
Kjella
Live today, because you never know what tomorrow brings
When my anti-virus program went off a few days ago about an .htm file with the IFRAME exploit, I was convinced it came from the ads displayed on AOL IM since the file was in an IE.Cache folder and I only use Firefox. I wasn't even browsing the web at the time, but AIM was running and displaying its little ads. I assumed I might be overreacting by blaming AIM for the problem, but now I guess it really could have come from the ads on AIM. AIM started using popup ads last week too.... Anyway I'm now using GAIM.
Falk AG is not the only advertising provider that has been compromised.
K-otik reported that Realmedia (OpenAdStream, those oas.* hosts) were compromised as well.
.... *big bank**cough*cough*cough* "wisely" institute IE explorer as the official browser to use corporate wide (in spite of the outcry of UNIX people, that keep using anything else under the table anyway).
The tragic thing is that this is to access mostly internally developed sites. The company could be following standards, using safe browsers and making sure that everybody (including Windows SAs :-P ) was using a sane Web browser.
The "developed for IE only" internal policies of some companies is pure insanity, and hopefully some people taking those decisions will be burned, and badly (i.e. unemployment) for their misguided stubbornness.
If you visit the Falk AG website, there is nothing on the exploit. The management clearly doesn't know what to do with the problem - otherwise they would have posted a full explanation by now. Ah well, I guess they need some time to wiggle themselves out of this one.
Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
Tell them that somebody could upload kiddie porn on their hard drives and then tip off the police.
That concentrates minds wonderfully in my experience.
IANAL but write like a drunk one.
MS feels like they own your damn PC.
Applications should have a target that is not moving all the time. A stable OS.
Once that is provided then MS should not be responsible for making apps work, but the application developers.
They have got the working relationship backwards. Don't ask us to praise them for such a braindead approach to software development.
IANAL but write like a drunk one.
The fact that this attack happened
or,
The Register editors sacrificed their sacrosanct weekends to post the warning story.
Any regular reader would see that most of the stories abruptly stop at Beer O'Clock on Friday [4 p.m. roughly, depending on British Sunshine].
Due to the regular lack of stories over the weekend, I think the number of readers exposed would have been much less. If it had happened about this time [Monday morning London time] a lot more people would've been exposed.
http://isc.sans.org/
Important note: Due to a major disk failure, the database is not available right now. At this time, we are waiting for replacement hardware, and it looks like we will be back around Thursday.
The class I'm referring to is the Datacentre Class.
All those hardworking infrastructure people who've managed not to be outsourced to the Cayman Islands.
All those admins who surf to TheRegister from their Win2k3 Advanced Server terminals IN the datacentre via their KVM.
Some SysAdmins don't, granted, but SOME do. When I was doing Unix work at Level3 and Colt, we did it all the time. It's a per company, per employee based decision as to whether it occurs.
These servers are much more likely to have gone unpatched due to availability/stability concerns.
So here you have important computers left on all the time, with ph@t bandwidth exposed. Not just some home win98 pIII over a 56K link.
A bit worrying.
Now of course microsoft has changed their operating system to match the Hollywood expectations, and I have seen it take ~30 seconds to delete a 1K text file...
There's not a single thing flamebait about this. Because MaelstromX said something you didn't like, you modded him down. Censorship at its finest.

Re:AdBlock is unethical (Score:-1, Flamebait) by MaelstromX (739241) on Sunday November 21, @08:02PM (#10884143)

Well you can keep attacking that straw man argument if you want but it has nothing to do with AdBlock. If a commercial web site operator knew that a user had AdBlock installed, they would NOT agree to the terms of that user accessing the website, not only wasting bandwidth but acquiring the content contained on the website (which costs money to produce). Their website, their rules. Nobody is forcing you to go, you can leave at any time -- or you can stay and use unethical methods to make your visit slightly more convenient. And all of you bitching about it being within your rights to view content how you want, blah blah blah, shut up already. I am addressing the ethical wrongness of AdBlock -- you are stealing bandwidth and content without also viewing the means for which the web site creates enough revenue for the web site to sustain itself.

As a side note, observe what happens when you go against slashbot groupthink: Due to excessive bad posting from this IP or Subnet, comment posting has temporarily been disabled. If it's you, consider this a chance to sit in the timeout corner.
Wheel in the sky keeps on turnin'.
The vagueness of the report has me a little confused. It looks to me like the Load Balancer got hacked and someone loaded some malcode on it that took advantage of end users via the IFrame BO exploit, which Bofra also exploits. Did the attacker load Bofra onto the ad server or are they misreporting this as a virus. Also what was the compromised server trying to upload onto victims machines? (This sort of reminds me of the EBay/Kelly Blue Book/MLB web site hack using a cross domain exploit)
News Reporters Make Tasty Polar Bear Treats!
>> Of course, those of us running other browsers and something like AdBlock have nothing to worry about Hey don't forget Konqueror! Or lynx and links! Some of us don't need no fancy graphics....
Stop the Slashdot effect! Don't read the articles!
win98se ie5.5/128 spybot nav2001 hijackthis ad-aware
installed in 99, never reinstalled, used daily
there's jus nuthin like the golden oldies
I wonder why after first posting an explanation The Register would then back out of what was said and change their story?
a statement. It looks a little different to what was said earlier.
The current story can be found on their site. http://www.theregister.co.uk/2004/11/22/falk_bofr
Falk statement on Bofra attack
By Falk eSolutions
Published Monday 22nd November 2004 10:04 GMT
Site notice On Saturday, The Register suspended service by third party ad serving supplier, Falk, following security issues detailed here.
Falk fixed the problem within six hours of notification. Here is its account of what went wrong:
Summary
Incident at delivery level - Between 6:10 AM and 12:30 AM (GMT) on Saturday, 20th November 2004 Falk eSolutions clients using AdSolution Global experienced problems with banner delivery. This started on Saturday morning with a hacker attack on one of our load balancers. This attack made use of a weak point on this specific type of load balancer. The function of a load balancer is to evenly distribute requests to the multiple servers behind it. The system concerned was only used to handle a specific request type to our ad server and has now been investigated. The results are outlined in this document.
Description of the problem
The use of a weak point in one of our load balancers type FLB02/CP led to user requests not being passed to the ad servers. Instead the user requests were answered with a 302 redirect. This happened with approximately every 30th request. Users visiting websites that carry banner advertising delivered by our system were periodically delivered a file from the compromised site. This file tries to execute the IE-Exploit function on the users' computer.
Problem analysis
The weak point occurred due to a memory leak on the load balancer concerned. After the load balancer was taken out of service on Saturday at 11:30 AM (GMT) this was no longer possible. Because of this it was difficult at the beginning to find an error on our side. The servers that deliver the banners were not affected at all. Only afterwards we were able to find the error on the load balancer by analysing its log files.
Results of investigation
By attacking a single load balancer type FLB02/CP it was possible for users to be redirected to 'search.comedycentral.com' which tried to install the exploit type 'Bofra/IFrame-Exploit'. With approximately every 30th request for banner media this redirect occurred.
Further measures
The load balancer concerned has been taken out of service indefinitely and has been replaced with a newer model. An additional monitoring has been instated that supervises the load balancing process and whether this has been interrupted or manipulated. Further, a policing tool that supervises redirects to unknown, erroneous or infected files has been deployed.
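The Falk statement above describes the failure signature a defender would want to catch: roughly one in thirty ad requests answered by the load balancer with a 302 to a host that is not the ad server. The following is an added example, not Falk's or The Register's code, of the kind of redirect audit the "policing tool" mentioned in the last paragraph would perform over a load balancer's access log. The log format (combined log with one extra quoted field carrying the Location header), the allow-listed host names (`ads.example.net`, `cdn.example.net`), the placeholder redirect target `redirect.invalid`, and the sample lines are all constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Hosts the ad delivery tier is expected to redirect to. This set is an
# assumption for the example; a real deployment fills it from its own config.
ALLOWED_REDIRECT_HOSTS = {"ads.example.net", "cdn.example.net"}

# Combined-style access log with one extra quoted field at the end: the
# Location header the load balancer sent back ("-" when there was none).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<location>[^"]*)"$'
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def location_host(location):
    """Hostname of a redirect target; None for absent, relative or malformed targets."""
    if not location or location == "-":
        return None
    host = urlparse(location).hostname
    return host.lower() if host else None


def audit_redirects(lines, allowed_hosts=ALLOWED_REDIRECT_HOSTS, max_redirect_ratio=0.02):
    """Summarise 3xx responses in the log and flag redirects to unexpected hosts.

    Two signals are reported: the overall share of requests that were answered
    with a redirect (a load balancer that should pass requests straight through
    to ad servers normally has a very low rate), and every redirect whose
    Location host is not on the allow-list.
    """
    total = 0
    redirects = 0
    unknown = Counter()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if not rec["status"].startswith("3"):
            continue
        redirects += 1
        host = location_host(rec["location"])
        if host is None or host not in allowed_hosts:
            unknown[host or "<relative-or-malformed>"] += 1
            alerts.append((rec["ts"], rec["ip"], rec["path"], rec["location"]))
    ratio = redirects / total if total else 0.0
    return {
        "total": total,
        "redirects": redirects,
        "redirect_ratio": ratio,
        "ratio_exceeded": ratio > max_redirect_ratio,
        "unknown_hosts": dict(unknown),
        "alerts": alerts,
    }


def build_sample_log(n=90):
    """Constructed sample log: mostly 200s, two legitimate redirects to the CDN,
    and a roughly 1-in-30 pattern of redirects to a host the ad tier never uses."""
    lines = []
    for i in range(n):
        ts = f"20/Nov/2004:08:{i // 60:02d}:{i % 60:02d} +0000"
        if i % 30 == 7:
            status, loc = "302", "http://redirect.invalid/iframe.htm"  # placeholder bad host
        elif i % 45 == 20:
            status, loc = "302", "http://cdn.example.net/ad/banner.js"  # expected redirect
        else:
            status, loc = "200", "-"
        lines.append(
            f'10.0.0.{i % 254 + 1} - - [{ts}] "GET /ad/banner.js HTTP/1.1" {status} 512 "{loc}"'
        )
    return lines


if __name__ == "__main__":
    report = audit_redirects(build_sample_log())
    print(f"{report['redirects']}/{report['total']} requests redirected "
          f"({report['redirect_ratio']:.1%}), threshold exceeded: {report['ratio_exceeded']}")
    print("redirects to non-allow-listed hosts:", report["unknown_hosts"])
    for ts, ip, path, loc in report["alerts"]:
        print(f"  {ts} {ip} {path} -> {loc}")
```

On the constructed sample the audit reports 5 of 90 requests redirected, which trips the 2% threshold, and attributes three of them to `redirect.invalid`. The allow-list check is the more durable of the two signals: an attacker who lowers the redirect rate to stay under a ratio threshold still has to send users somewhere, and a Location host that no ad-server configuration knows about is visible on the very first occurrence.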
We need more people like this guy. Thanks man!
Sad thing was the company was based in the Netherlands
tell us the company, so the Dutch readers can find the company if it ever does this again. We do have an anti spyware community over at the Netherlands.
The green dude in the picture is a larva.
It's all just for fun.
It is never even meant to do real harm. If it were, it wouldn't work.
Remember the "Litigious Bastards" campaign with sco? That worked, and it used the same concept...
A swift Google led me to this site.
...what ads?
There is a real risk that people could start thinking that the people advocating the FireFox browser are the same group of people creating MSIE exploits. That would not be a good thing. Cheer at your own peril.
Final 2006 "Proof of Global Warming" US Hurricane Count -> 0