Worm Exploit Distributed by Advertising Network

Zocalo writes "Given that a lot of Slashdot readers also check The Register, it's important to note that their Internet advertising provider, Falk AG, was compromised by the BOFRA exploit yesterday. The Falk AG service has been suspended by The Register and a statement from Falk AG is due on Monday. The upshot is that if you visited the Register yesterday morning and use IE as your browser, then you probably need to run a full virus scan with up to date data files. Of course, those of us running other browsers and something like AdBlock have nothing to worry about. Again." You're OK for now if you're running SP2. There's also a good security writeup about the problem.

Wow

[metlin]

This is a really big problem. Okay, so its Register and they realized this and stopped it. But we visit so many other websites - how are we to know which one of those ad providers are infected and which are not?

Sheesh, where is accountability? Blame the sysadmins, blame the software, pity the customer. Lather, rinse repeat.

Re:Wow

[skids]

"Blame the sysadmins, blame the software, pity the customer."

You left someone out: web developers as a whole, who have insisted on more and more complicated HTML extensions instead of just working with the rather powerful stuff they had at their disposal in the first place. These are the folks that make the "core functionality set" of any competitive browser so large that the software to support it is incredibly complex. That guarantees us a steady flow of bugs and exploits.

Re:Wow

[KonijnenBunny]

Dutch news-site (with a fairly large, non-techie audience) nu.nl was affected as well, a large warning was put up Saturday.
The warning (sorry, dutch only) mentioned that until Sunday afternoon, they received 1300 requests for help from possibly-affected visitors.

As far as accountability goes, it was nice to see the publisher, Ilse Media, put up a clear FAQ and even a special-purpose contact-form to accomodate for their not-web-savvy users.
They also mentioned further statements from Falk AG were forthcoming Monday 22nd.

Using an alternative browser, with AdBlock installed, I wasn't affected myself...

Re:Wow

[Frymaster]

Hopefully the Register, being an excellent IT news service, will provide an answer to that question

yes. but will they be able to implement when they have these guys running their servers?

Re:Wow

[Bob+Ince]

> how are we to know which one of those ad providers are infected and which are not?

As a rule of thumb: they all are.

Seriously. Most of the major ad networks have distributed ActiveX drive-by-downloads and *many* have distributed exploits. Almost everyone in the online ad market has dirty hands.

Falk are known to have served exploits for some time, but I guess this is the first time they've hit the Reg.

The exploits are going absolutely crazy right now - they're *everywhere*. See also this incident:

http://www.dslreports.com/forum/remark,11904374~mo de=flat

It used to be that IE users could just avoid browsing untrusted sites to stay safe. Not any more. Anyone browsing with IE pre-SP2 and no extra precautions is going to get hit sooner or later, and most likely it'll be with enough chain-loading parasites to render the machine barely usable.

(SP2 of course is not safe either, having publically known exploits; but they don't seem to be targeted by the large exploit nets... yet.)

Re:Wow

[mrseth]

"Oh, and the same blocking could be done with a Windows web-proxy server. You don't need Linux, unless you aren't smart enough to figure out how to work Windows."

I do believe you have this precisely backwards. By the way, please note that if people used Linux or OS-X, we would not *need* to block all this shit in the first place.

"They don't need to. You click a button, and it keeps you up to date. Someone with automatic update wouldn't even need to know what SP2 is, but they would be up to date.

Can you point me to the patch for Win2k then? Thanks.

And they wouldn't have to spend hours trying to figure out how to upgrade their OS like they do with Linux."

Never heard of apt, yum, urpmi, or up2date? And as a bonus for Linux users, we do not have to reboot either, save for a kernel update.

Windows is for those with more money than sense.

Re:Wow

[MillionthMonkey]

Oh, and the same blocking could be done with a Windows web-proxy server.

True, but the Linux proxy is obviously uninfectable by anything that could infect the end-user systems being protected. This isn't as obvious with a Windows proxy- you need to know a little more about how the proxy works, how it does its filtering, what vulnerabilities it has, etc. The person making purchasing decisions may not be comfortable with his ability to judge the vulnerability of a Windows proxy. You also need to do a more thorough lockdown because of all the damn features crammed into Windows' every orifice. And keep in mind it can be infected from the inside as well.

In general the best networking strategies involve as diverse a set of operating systems as possible, so that no one agent can infect them all. I would go for a BSD proxy. Since it's always "dying", it offers bulletproof security.

You don't need Linux, unless you aren't smart enough to figure out how to work Windows.

clap clap clap... Post of the week!

Someone with automatic update wouldn't even need to know what SP2 is, but they would be up to date.

And that person would have more balls than I do for leaving that thing on automatic. Every SP2 install I have done so far has turned into a nerve-wracking experience.

Re:Wow

[mrseth]

This is FUD. Linux and OS-X have much better segregation between user space and the OS. If what you say is true, then why are there so many exploits for IIS and not Apache? Even the ones that do exist for Apache do not buy you much, because Apache typically runs as its own user. Most exploits I've seen for IIS buy you SYSTEM access. Not only that, but the user base for Linux and OS-X are far less monolithic in terms of what folks use to read mail, browse the web, etc., and the typical applications seem to have far fewer security issues. E.g., compare the secuity track record for Mozilla versus MSIE.

Re:Wow

[BlackHawk-666]

Try adding a nice big hosts file to block all the ad servers. You get far less pop-ups/banners/sidebars, save bandwidth, and get less flashing shit on your screen. Here's a link to one with 10000 entries, but there are others out there too.

Hosts File

[pollock]

Yet another reason why it makes sense to use a hosts file with lines like:

127.0.0.1 as1.falkag.de
127.0.0.1 as2.falkag.de
127.0.0.1 as3.falkag.de
127.0.0.1 as4.falkag.de
....

Check out http://someonewhocares.org/hosts for more.

Re:Hosts File

[squidinkcalligraphy]

But why would you want to run an advertising network on your computer?

Re:Hosts File

[jon787]

pffft

One more reason to run your own DNS server:
zone "falkag.net" { type master; file "/etc/bind/db.empty"; };

Re:Hosts File

[Izago909]

127.0.0.1 is NOT the right address to use. Some scripts will delay loading or displaying a page until certian data has been downloaded. If your computer is waiting for itself to respond to itself, some pages will never be displayed... even after the browser times out. You should use 0.0.0.0 instead.

Re:Hosts File

[petecarlson]

Hmm, Seing as we can have "laws" which make it illegal to fast forward through a commercial on your device, it seems it would be a trivial matter to make it illegal for you to do this on your DNS server or with your hosts file...

Re:Hosts File

[oexeo]

> If your computer is waiting for itself to respond to itself, some pages will never be displayed

Not in XP! in XP the chances are you already have a trojan-server running on 127.0.0.1:80 so it should respond instantly!

Re:Hosts File

[TheLink]

Erm. Did that for April 1st this year where I worked.

I set things up so that *.doubleclick.net etc resolved to a webserver in the company, and the webserver served up "localized content".

So tons of ads were replaced by the company logo :).

Surprising how few noticed! No I didn't get fired.

Maybe I should have served up announcements instead of just the company logo. e.g. "The Company Is Your Friend". "Staff Meeting at 2PM". "You There! Stop Surfing!". "Exploit e-Business Initiatives". "Da Boss is In The Building!" ;).

Anyway this would save bandwidth and be possibly useful - you could also extend it and customize content on a per user/IP basis.

Text-Ads

[fembots]

Maybe site owners will start moving or demanding text-based ads (like Google's)?

Re:Text-Ads

[NoMercy]

Strange comment now google now does picture adverts, admitidly there not very common to spot but they are out there, quite a few google image adverts pop up on a forum I frequent.

Re:Text-Ads

[oexeo]

> Maybe site owners will start moving or demanding text-based ads (like Google's)?

This won't make a big difference if Google (for instance) was compromised, a virus could replace the innocent text-ads (which are dynamically inserted client side via JavaScript in Google's case) with whatever malicious code it may desire.

Fortunately..

[The+Mgt]

.. falkag.net are the second entry in my ad filter, right after doubleclick

"You're OK for now if you're running SP2."

[mirko]

how many ie users have switched to sp2 ,yet ?

Re:"You're OK for now if you're running SP2."

[Mnemia]

Ok, I can give you specifics.
I think the problem is caused by some incompatibility between SP2 and my wireless LAN card's drivers. It doesn't happen if I don't have the card in there. I need to use the card, so there isn't anything I can do to work around this problem. Unfortunately for me the manufacturer hasn't released any patches to the (buggy I'm sure) drivers. From what I've gathered online they rely on an undocumented interface in Windows that was broken by SP2.
BTW, uninstalling and reinstalling SP2 didn't help. Microsoft's site actually acknowledges the problem with the blue screens and the specific DLL updated by SP2 that causes them, but they don't have any patch available yet.

Interesting.

[xanadu-xtroot.com]

You're OK for now if you're running SP2.

Ummm... My Win machine is running SP4. Oh, you mean XP SP2. Not on my machines, man... The highest I'll go on my personal machines is 2k.

Aside, you left out another browser of very worthy note. Oh, well, make that two.

No one is safe...

[jarich]

I once stumbled across a spyware installation program (about a year ago) that was launched by a site counter! Some poor person had put the counter into their web site because they wanted a free counter. Everyone who visited got spyware installed... everyone using IE with default security settings, that is.

Sad thing was the company was based in the Netherlands so it wasn't even worth pursuing legally... but if you are on the net, you aren't safe. MS products are more insecure, but you should always take steps to protect yourself, like keep the OS and applications up to date, etc etc

Re:No one is safe...

[arminw]

... but if you are on the net, you aren't safe...

Unless you are a Mac user that is. Every time there is anything in the news or /. about another piece of malware, there is always the refrain: "Does not affect Mac users". Unless you are running some proprietary vertical app, why still suffer Windows? What computing JOB can be done in Windows that can't be done as well or better by a Mac or Linux?

Re:No one is safe...

[Izago909]

What computing JOB can be done in Windows that can't be done as well or better by a Mac or Linux?

I've got a couple ideas: Professioal gamer or spyware/virus tester.

Re:No one is safe...

[linguae]

I would love to switch every Windows user that I know to Linux, *BSD, or (if they're in the market for a new computer) Mac OS X. However, there are a few reasons why many people are still using Windows, and will stick with it for about another two years or so:

1. I don't want to learn (insert new OS here)
2. But I need (insert some proprietary app here)
3. But would (this exotic piece of hardware) work on (this new OS)
4. What's an OS? Why's security important? (insert typical questions asked by computer illiterates)

Even so, things are getting brighter for these alternate OSes every day. The graphical environments for *nix are getting easier to use with every new release of KDE and GNOME. In fact, if I switched my parents and siblings to *nix tomorrow, they might feel comfortable (provided that I set everything up, that is). Many Windows users are now starting to see the benefits of Open Source software (through OSS projects such as Mozilla Firefox and OpenOffice), and they will feel more comfortable once they make the switch. Hardware support for *nix is getting improved by the day, and more manufacturers are starting to take a look at *nix compatibility. On the Mac side of things, more people are getting exposed to Apple products (through the iPod) and are learning about the virtues of having a Mac.

Finally, security is starting to become much more important to comptuer users, even the Joe Average type, these days. It used to be that the Internet was a reasonably nice place to go to to find information and to communicate. Now, it is infested with commerical advertising, popups, insecure "portals" to the Internet (*cough Internet Exploiter* cough), and malware. Stuff that we never would have guessed that would happen about a decade (or even five years) ago, such as phishing and worms activated by just browsing a web page, are happening now. More people are becoming aware about the dangers of viruses, worms, spyware, adware, and the other crap that happens on the Windows platform daily. More people are starting to learn about alternate browsers such as Firefox and Opera. Some people are now finally setting up firewalls and anti-malware applications so that way they would be safer from the dangers of the Internet. Some are even planning the switch to a Mac, *nix, or another alternative.

I believe with the current landscape of computing, the Windows hegemony will last another two to three years. I feel with all of the improvements that *nix and OS X are making each and every day, the computing environment will be pretty interesting in the years to come....

Re:AdBlock is unethical

I guess I should stop using Lynx then! It's unethical since I don't see images.

Article's Shameless attack at IE

[clinko]

So if your XP machine is up to date you're ok?

That's kool, because all I do is download new browsers for security and never run windows update. That would make too much sense...

Re:AdBlock is unethical

[flossie]

Even if AdBlock were responsible for preventing a user from getting a virus this time, that's hardly enough to make up for the theft of services and fraud that people who use it commit every day.

Utter drivel. I suppose you think that it is "theft" to change the channel on the TV when adverts come on, as well. Is it also "theft" to turn the page of a magazine without looking at the adverts on it? As far as I am concerned, advertising is a form of pollution. It reduces the visual beauty of the environment and I don't want to see it.

Re:AdBlock is unethical

[Famatra]

"Extensions and programs like AdBlock are tantamount to theft; you are acquiring the content but not "paying" for it by loading the advertisements."

Um, it is clearly *your* problem if your website's cash flow relies on wasting my bandwidth with advertisements.

Your supposed 'right' to profit does not extend to the point where I have to bend my life around your profit model. Thanks.

Re:AdBlock is unethical

[flossie]

If there were a beggar on your way to work, and you surrounded him with some walls so no one would see him, that would be unethical.

Are you saying that it is wrong to house the homeless?!

Re:AdBlock is unethical

[oexeo]

AdBlock is unethical [...] Extensions and programs like AdBlock are tantamount to theft

It's kinda ironic that a lot of the ads on tech sites are advertising anti-spyware/pop-ups/ads/adware/spam tools, isn't it?

Maybe if these companies agree with you that the use of these tools constitute fraud/theft, then they should stop advertising them.

Re:AdBlock is unethical

[hyfe]

Even if AdBlock were responsible for preventing a user from getting a virus this time, that's hardly enough to make up for the theft of services and fraud that people who use it commit every day.

You're a troll, but I'm biting even so.

We are under no obligation to play by whatever crooked-up business model a company cooks up. Unless I sign/click an agreement to view the ads, they don't have a legal leg, nor a moral one for that matter, to stand on.

They offer a web-page because they have something to say. I select how to view it. What more is there to it?

I guess you're ok with printer cartridge prices too? After all, its 'their business model' and not following it would be 'theft of service and fraud'?

Viral Marketing

[Valen0]

This worm gives new meaning to the term "viral marketing"...

It's not the first time..

[Dynamoo]

It's not the first time this has happened either, see this article relating to an incident that happened back in September with Falk AG.

RSS Readers too

[simetra]

Also... if you use an RSS reader on Windows, chances are good that it uses Internet Exploder for it's web previewing. So, take that into account too.

0.0.0.0 Hosts File

[pollock]

In that case, feel free to use this version that uses "0.0.0.0" instead.

Re:AdBlock is unethical

[BenjyD]

It's not quite so clear cut as that, though. As I see it:

For adverts:
- Running a web site costs money. The guys running it might even want to make a living
- hiring good writers is expensive
- Advertising money is a proven revenue source for media outlets
- subscription sites don't seem to be a popular option

but, against that:
- The adverts many sites run are overly intrusive and bandwidth-intensive
- people who block adverts probably aren't the kind of people who are going to take notice of them anyway
- just cramming more and more adverts down the throats of consumers is not a sustainable policy: evevntually, everybody will block them because it's impossible to read anything on the web otherwise.

But, sites have to be paid for somehow. Do you have any suggestions of alternative profit models for web sites?

Penny-arcade seems to get by well enough on its merchandise, advertising, freelance art work etc revenue, for example. I'm not sure how well that scales to smaller sites, though.

Not just "The Register"

[prandal]

The ISC has more details here and here.

Re:LOL

[prandal]

The latest version for many users is IE 6 SP1, which is vulnerable. Not everybody has XP, and even a lot of XP users still don't have SP2 (you try downloading it over a dialup line sometime).

Re:AdBlock is unethical

[PalmerEldritch42]

No, No, and No. I fail to see your argument. It is not unethical to block or otherwise not look at ads on a free site. The site is free. There is no EULA stating that in order to view the free content, my eyeballs have to focus on an ad. The ads do pay, and quite possibly, without that income, the site might go down. That si the problem of the admins. Here on Slashdot, we her quite a lot of noise about how failing business models need to be updated. If a site can not sustain itself from ad revenue, then perhaps it needs a different model.

There was never any agreement between me and the website admins that I had a limited license to view the content predicated by my looking at ads. Websites that are on the internet are free to the consumer, unless explicitly stated otherwise.

Pity the write up is incorrect.

[MattInFinland]

The write up for the attack is incorrect. The correct sequence of events is at http://www.finlandforum.org/bb/viewtopic.php?t=768 5. I know because I noticed it at The Register first and contacted Falk AG. Thanks for the aknowledgement too Slashdot, NOT.

Re:AdBlock is unethical

[Realistic_Dragon]

I still see the adds on penny arcade because they are small enough it's not worth my effort to block them, and occasionally something interesting comes up.

I see no adds here because they are huge flash obscenities for Microsoft FUD campaigns.

You want clickthroughs? Rethink your ad placement policies. (If I could select as a pref nothing but text adds for Linux/Unix/Hardware with _informational_ content - I might well see adds on Slashdot. And you might get paid more that the 0 you get for me at present.)

The thing that pisses me off most of course is that the ultra lightweight version still has the heavy and blotated flash/animated adverts :\

Buffer overlow protections?

[Deorus]

Last time I read about the Microsoft's buffer overflow protection implementation in Windows PX Service Pack 2, they were talking about the NX bit present in page entries when the PAE mode was active in AMD x86-64 processors. Even though that protection exists in the new AMD x86-64 processors' MMUs, Intel P4 as well as older AMD processors do not yet support that bit, which means that processes running over them do not get any page-based protection against code execution, even while running SP2.

However I see many people trusting their lives on SP2's protection even without processor support, and I don't see Microsoft willing to clarify this issue either, so I'm starting to believe that probably there is something else that I am not aware of in SP2 which simulates the same kind of protection on processors without hardware support.

Is SP2 really protecting against stack smashing (for example) on processors without hardware support for non-executable pages? Or is it just general ignorance that Microsoft exploits for their own profit?

Re:Buffer overlow protections?

[btg]

This particular problem is a heap overrun, not a stack overflow. XPSP2 introduced major changes to the way heap memory is laid out.

The improvements included safe unlinking, randomising the base address of the PEB (makes it harder to overwrite the UEF for example), and a heap version of a stack canary called a security cookie.

There are also improvements to the stack security by using a stack canary a la StackGuard compiled in by default for all MS apps.

Basically SP2 does contain a bunch of actual, measurable improvements to the way writeable memory is dealt with. It's not bulletproof but it will screw most 'stock' exploits.

By the way, something that nobody will tell you about BOFRA is that there _is_ a workaround - you can disable active scripting. The exploit uses javascript to allocate masses of heap memory to 'seed' the heap ready for the exploit. This is NOT a fix for all possible ways to attack this bug, just a fix for this particular attack.

Re:Falkag.net still used by The Register

[MattInFinland]

Yes it's a lie. They haven't suspended the service. When I first contacted the Falk AG support team in Germany they were clueless. It took them several hours before I received a response after I'd sent them an e-mail documenting the attack and where the exploit was on their site. I forwarded the same e-mail to several people at The Register too. Later today the article appeared on their site. I don't think The Register had any idea what was going on until much later. The original infection was in http://f.as-eu.falkag.net/server/asldata.js?rdm=01 684246 which was ad based just below the banner. What's there now is I think just data mining.

Sorry but ...

[Evil+Pete]

... who in the IT industry is dumb enough to surf using IE? Not being nasty but really we of all people should know better. Others yeah I can sympathise but Register readers ?

A few things.

[flamechocobo]

For one, to those people commenting about how some people say that they don't want to use SP2... It isn't their fault that they don't want to. When I installed SP2 on my computer, that was using a legal copy of Windows XP, my computer BSODed and the boot sector was screwed over. This was a mistake on the count of Microsoft that deleted a number of documents that I thought were in a stable, safe place. I now make a backup of all my data to an external hard drive every other day to make sure this doesn't happen. Another comment I would like to make is for the people that are saying that ads are the only sources of revenue that websites have and we should be forced to read them and not block them. Yes, I agree that some websites need ads for money to run the site, but some ads are downright obnoxious. There are, however, sites that live off of things such as Google text only ads. www.neowin.net is an example, where you see at the top of the page only a simple text ad, or once in a while a picture ad. They are a fairly large website, and yet they support themselves by only a text ad. Interesting, isn't it? People rave about how websites absolutely have to have tons of ads to live, and yet Neowin has been living for a good 5 years now on text ads...

Re:LOL

[roca]

Put it this way: Firefox offers pre-WinXP users a *free* path to being secure. Microsoft forces them to spend a significant amount of money.

Re:LOL

[toddestan]

No, the latest version for EVERYONE is IE6 SP2. If they're still using an older OS, that's tough shit for them. You can't say "Well the latest version of Windows is XP, but some people decided not to upgrade so the latest version for them is 2000." It just makes no sense.

Yet another disadvantage of tying the web browser to the OS. Atleast the latest versions of Opera and Firefox run on Windows 95 just fine.

Besides, I don't think IE6SP2 runs on Windows 2003 Server. What do you have to say to users of that OS?

Re:LOL

[johnashby]

Besides, I don't think IE6SP2 runs on Windows 2003 Server. What do you have to say to users of that OS?

Perhaps I would say stop surfing the net from the server, O Master of Secure Computing.