Slashdot Mirror


Worm Exploit Distributed by Advertising Network

Zocalo writes "Given that a lot of Slashdot readers also check The Register, it's important to note that their Internet advertising provider, Falk AG, was compromised by the BOFRA exploit yesterday. The Falk AG service has been suspended by The Register and a statement from Falk AG is due on Monday. The upshot is that if you visited the Register yesterday morning and use IE as your browser, then you probably need to run a full virus scan with up to date data files. Of course, those of us running other browsers and something like AdBlock have nothing to worry about. Again." You're OK for now if you're running SP2. There's also a good security writeup about the problem.

40 of 478 comments

  1. Wow by metlin · · Score: 4, Insightful

    This is a really big problem. Okay, so it's The Register and they realized this and stopped it. But we visit so many other websites - how are we to know which of those ad providers are infected and which are not?

    Sheesh, where is accountability? Blame the sysadmins, blame the software, pity the customer. Lather, rinse, repeat.

    1. Re:Wow by skids · · Score: 5, Insightful

      "Blame the sysadmins, blame the software, pity the customer."

      You left someone out: web developers as a whole, who have insisted on more and more complicated HTML extensions instead of just working with the rather powerful stuff they had at their disposal in the first place. These are the folks that make the "core functionality set" of any competitive browser so large that the software to support it is incredibly complex. That guarantees us a steady flow of bugs and exploits.

    2. Re:Wow by KonijnenBunny · · Score: 5, Informative

      Dutch news site (with a fairly large, non-techie audience) nu.nl was affected as well; a large warning was put up Saturday.
      The warning (sorry, Dutch only) mentioned that until Sunday afternoon, they received 1300 requests for help from possibly-affected visitors.

      As far as accountability goes, it was nice to see the publisher, Ilse Media, put up a clear FAQ and even a special-purpose contact form to accommodate their not-web-savvy users.
      They also mentioned further statements from Falk AG were forthcoming Monday 22nd.

      Using an alternative browser, with AdBlock installed, I wasn't affected myself...

    3. Re:Wow by Frymaster · · Score: 4, Funny
      Hopefully the Register, being an excellent IT news service, will provide an answer to that question

      yes. but will they be able to implement it when they have these guys running their servers?

    4. Re:Wow by Bob+Ince · · Score: 4, Informative

      > how are we to know which one of those ad providers are infected and which are not?

      As a rule of thumb: they all are.

      Seriously. Most of the major ad networks have distributed ActiveX drive-by-downloads and *many* have distributed exploits. Almost everyone in the online ad market has dirty hands.

      Falk are known to have served exploits for some time, but I guess this is the first time they've hit the Reg.

      The exploits are going absolutely crazy right now - they're *everywhere*. See also this incident:

      http://www.dslreports.com/forum/remark,11904374~mode=flat

      It used to be that IE users could just avoid browsing untrusted sites to stay safe. Not any more. Anyone browsing with IE pre-SP2 and no extra precautions is going to get hit sooner or later, and most likely it'll be with enough chain-loading parasites to render the machine barely usable.

      (SP2 of course is not safe either, having publicly known exploits; but they don't seem to be targeted by the large exploit nets... yet.)

    5. Re:Wow by mrseth · · Score: 5, Insightful

      "Oh, and the same blocking could be done with a Windows web-proxy server. You don't need Linux, unless you aren't smart enough to figure out how to work Windows."

      I do believe you have this precisely backwards. By the way, please note that if people used Linux or OS-X, we would not *need* to block all this shit in the first place.

      "They don't need to. You click a button, and it keeps you up to date. Someone with automatic update wouldn't even need to know what SP2 is, but they would be up to date."

      Can you point me to the patch for Win2k then? Thanks.

      "And they wouldn't have to spend hours trying to figure out how to upgrade their OS like they do with Linux."

      Never heard of apt, yum, urpmi, or up2date? And as a bonus for Linux users, we do not have to reboot either, save for a kernel update.

      Windows is for those with more money than sense.

    6. Re:Wow by MillionthMonkey · · Score: 4, Informative

      Oh, and the same blocking could be done with a Windows web-proxy server.

      True, but the Linux proxy is obviously uninfectable by anything that could infect the end-user systems being protected. This isn't as obvious with a Windows proxy: you need to know a little more about how the proxy works, how it does its filtering, what vulnerabilities it has, etc. The person making purchasing decisions may not be comfortable with his ability to judge the vulnerability of a Windows proxy. You also need to do a more thorough lockdown because of all the damn features crammed into Windows' every orifice. And keep in mind it can be infected from the inside as well.

      In general the best networking strategies involve as diverse a set of operating systems as possible, so that no one agent can infect them all. I would go for a BSD proxy. Since it's always "dying", it offers bulletproof security.

      You don't need Linux, unless you aren't smart enough to figure out how to work Windows.

      clap clap clap... Post of the week!

      Someone with automatic update wouldn't even need to know what SP2 is, but they would be up to date.

      And that person would have more balls than I do for leaving that thing on automatic. Every SP2 install I have done so far has turned into a nerve-wracking experience.

  2. Hosts File by pollock · · Score: 5, Informative
    Yet another reason why it makes sense to use a hosts file with lines like:
    127.0.0.1 as1.falkag.de
    127.0.0.1 as2.falkag.de
    127.0.0.1 as3.falkag.de
    127.0.0.1 as4.falkag.de
    ....
    Check out http://someonewhocares.org/hosts for more.
    1. Re:Hosts File by squidinkcalligraphy · · Score: 4, Funny

      But why would you want to run an advertising network on your computer?

      --
      "I think it would be a good idea" Gandhi, on Western Civilisation
    2. Re:Hosts File by Izago909 · · Score: 5, Informative

      127.0.0.1 is NOT the right address to use. Some scripts will delay loading or displaying a page until certain data has been downloaded. If your computer is waiting for itself to respond to itself, some pages will never be displayed... even after the browser times out. You should use 0.0.0.0 instead.
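
      An added example, not code from this thread or from the someonewhocares.org list: a small Python script that audits a hosts-file blocklist of the kind quoted above, reports every entry that blackholes a name via 127.0.0.1, and rewrites those entries to 0.0.0.0 while leaving the genuine loopback names (localhost and friends) untouched. The falkag.de names are the ones named in the thread; the .invalid names and the sample file itself are constructed for the example.

```python
"""Audit a hosts-file blocklist: find entries that blackhole ad hosts via
127.0.0.1 and rewrite them to 0.0.0.0, leaving real loopback names alone.
Added example; not the someonewhocares.org list or anyone's tool from the thread."""
import ipaddress

# Constructed sample in the shape of the list quoted above. The falkag.de
# names are the ones mentioned in the thread; the .invalid names are
# placeholders made up for this example.
SAMPLE_HOSTS = """\
# comment lines are passed through untouched
127.0.0.1 localhost
::1 localhost
127.0.0.1 as1.falkag.de
127.0.0.1   as2.falkag.de as3.falkag.de   # trailing comment survives
0.0.0.0 ads.example-blocklist.invalid
192.0.2.10 intranet.example.invalid
"""

# Names that legitimately belong on 127.0.0.1 and must never be moved.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (address, names, comment, raw) per line; address is None for blank/comment lines."""
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if not fields:
            yield None, [], comment, raw
            continue
        yield fields[0], fields[1:], comment, raw


def is_valid_address(addr):
    """Accept only syntactically valid IPv4/IPv6 literals in the address column."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def is_loopback_blackhole(addr, names):
    """True when 127.0.0.1 is being used to block a name that is not a real loopback alias."""
    return addr == "127.0.0.1" and any(n not in LOOPBACK_NAMES for n in names)


def rewrite_hosts(text):
    """Return (new_text, moved_names). 127.0.0.1 blackhole entries become 0.0.0.0;
    a line mixing loopback aliases and blocked names is split into two lines."""
    out, moved = [], []
    for addr, names, comment, raw in parse_hosts(text):
        if addr is None or not is_valid_address(addr) or not is_loopback_blackhole(addr, names):
            out.append(raw)          # pass through unchanged
            continue
        keep = [n for n in names if n in LOOPBACK_NAMES]
        block = [n for n in names if n not in LOOPBACK_NAMES]
        suffix = f" #{comment}" if comment else ""
        if keep:
            out.append(f"127.0.0.1 {' '.join(keep)}")
        out.append(f"0.0.0.0 {' '.join(block)}{suffix}")
        moved.extend(block)
    return "\n".join(out) + "\n", moved


if __name__ == "__main__":
    new_text, moved = rewrite_hosts(SAMPLE_HOSTS)
    print(new_text)
    print("moved to 0.0.0.0:", ", ".join(moved))
```

      Run it against a real hosts file by reading the file into rewrite_hosts and writing the returned text back; the script deliberately leaves comments, IPv6 lines, and anything it cannot parse untouched, so a malformed line is never silently dropped.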

    3. Re:Hosts File by petecarlson · · Score: 4, Insightful

      Hmm, Seeing as we can have "laws" which make it illegal to fast forward through a commercial on your device, it seems it would be a trivial matter to make it illegal for you to do this on your DNS server or with your hosts file...

    4. Re:Hosts File by oexeo · · Score: 5, Funny

      > If your computer is waiting for itself to respond to itself, some pages will never be displayed

      Not in XP! in XP the chances are you already have a trojan-server running on 127.0.0.1:80 so it should respond instantly!

    5. Re:Hosts File by TheLink · · Score: 4, Funny

      Erm. Did that for April 1st this year where I worked.

      I set things up so that *.doubleclick.net etc resolved to a webserver in the company, and the webserver served up "localized content".

      So tons of ads were replaced by the company logo :).

      Surprising how few noticed! No I didn't get fired.

      Maybe I should have served up announcements instead of just the company logo. e.g. "The Company Is Your Friend". "Staff Meeting at 2PM". "You There! Stop Surfing!". "Exploit e-Business Initiatives". "Da Boss is In The Building!" ;).

      Anyway this would save bandwidth and be possibly useful - you could also extend it and customize content on a per user/IP basis.

      --
  3. Text-Ads by fembots · · Score: 5, Insightful

    Maybe site owners will start moving or demanding text-based ads (like Google's)?

    1. Re:Text-Ads by NoMercy · · Score: 4, Interesting

      Strange comment, now that Google does picture adverts; admittedly they're not very common to spot, but they are out there. Quite a few Google image adverts pop up on a forum I frequent.

  4. Interesting. by xanadu-xtroot.com · · Score: 4, Insightful

    You're OK for now if you're running SP2.

    Ummm... My Win machine is running SP4. Oh, you mean XP SP2. Not on my machines, man... The highest I'll go on my personal machines is 2k.

    Aside, you left out another browser of very worthy note. Oh, well, make that two.

    --
    I'm not a prophet or a stone-age man,
    I'm just a mortal with potential of a super man.
  5. No one is safe... by jarich · · Score: 4, Interesting
    I once stumbled across a spyware installation program (about a year ago) that was launched by a site counter! Some poor person had put the counter into their web site because they wanted a free counter. Everyone who visited got spyware installed... everyone using IE with default security settings, that is.

    Sad thing was the company was based in the Netherlands so it wasn't even worth pursuing legally... but if you are on the net, you aren't safe. MS products are more insecure, but you should always take steps to protect yourself, like keep the OS and applications up to date, etc etc

    1. Re:No one is safe... by arminw · · Score: 5, Insightful

      ... but if you are on the net, you aren't safe...

      Unless you are a Mac user that is. Every time there is anything in the news or /. about another piece of malware, there is always the refrain: "Does not affect Mac users". Unless you are running some proprietary vertical app, why still suffer Windows? What computing JOB can be done in Windows that can't be done as well or better by a Mac or Linux?

      --
      All theory is gray
    2. Re:No one is safe... by Izago909 · · Score: 5, Funny
      What computing JOB can be done in Windows that can't be done as well or better by a Mac or Linux?
      I've got a couple ideas: Professional gamer or spyware/virus tester.
    3. Re:No one is safe... by linguae · · Score: 4, Interesting

      I would love to switch every Windows user that I know to Linux, *BSD, or (if they're in the market for a new computer) Mac OS X. However, there are a few reasons why many people are still using Windows, and will stick with it for about another two years or so:

      1. I don't want to learn (insert new OS here)
      2. But I need (insert some proprietary app here)
      3. But would (this exotic piece of hardware) work on (this new OS)
      4. What's an OS? Why's security important? (insert typical questions asked by computer illiterates)

      Even so, things are getting brighter for these alternate OSes every day. The graphical environments for *nix are getting easier to use with every new release of KDE and GNOME. In fact, if I switched my parents and siblings to *nix tomorrow, they might feel comfortable (provided that I set everything up, that is). Many Windows users are now starting to see the benefits of Open Source software (through OSS projects such as Mozilla Firefox and OpenOffice), and they will feel more comfortable once they make the switch. Hardware support for *nix is getting improved by the day, and more manufacturers are starting to take a look at *nix compatibility. On the Mac side of things, more people are getting exposed to Apple products (through the iPod) and are learning about the virtues of having a Mac.

      Finally, security is starting to become much more important to computer users, even the Joe Average type, these days. It used to be that the Internet was a reasonably nice place to go to find information and to communicate. Now, it is infested with commercial advertising, popups, insecure "portals" to the Internet (*cough Internet Exploiter* cough), and malware. Stuff that we never would have guessed would happen about a decade (or even five years) ago, such as phishing and worms activated by just browsing a web page, is happening now. More people are becoming aware of the dangers of viruses, worms, spyware, adware, and the other crap that happens on the Windows platform daily. More people are starting to learn about alternate browsers such as Firefox and Opera. Some people are now finally setting up firewalls and anti-malware applications so that they would be safer from the dangers of the Internet. Some are even planning the switch to a Mac, *nix, or another alternative.

      I believe with the current landscape of computing, the Windows hegemony will last another two to three years. I feel with all of the improvements that *nix and OS X are making each and every day, the computing environment will be pretty interesting in the years to come....

  6. Re:AdBlock is unethical by Anonymous Coward · · Score: 5, Interesting

    I guess I should stop using Lynx then! It's unethical since I don't see images.

  7. Article's Shameless attack at IE by clinko · · Score: 4, Funny

    So if your XP machine is up to date you're ok?

    That's kool, because all I do is download new browsers for security and never run windows update. That would make too much sense...

  8. Re:AdBlock is unethical by flossie · · Score: 5, Insightful
    Even if AdBlock were responsible for preventing a user from getting a virus this time, that's hardly enough to make up for the theft of services and fraud that people who use it commit every day.

    Utter drivel. I suppose you think that it is "theft" to change the channel on the TV when adverts come on, as well. Is it also "theft" to turn the page of a magazine without looking at the adverts on it? As far as I am concerned, advertising is a form of pollution. It reduces the visual beauty of the environment and I don't want to see it.

  9. Re:AdBlock is unethical by Famatra · · Score: 5, Insightful

    "Extensions and programs like AdBlock are tantamount to theft; you are acquiring the content but not "paying" for it by loading the advertisements."

    Um, it is clearly *your* problem if your website's cash flow relies on wasting my bandwidth with advertisements.

    Your supposed 'right' to profit does not extend to the point where I have to bend my life around your profit model. Thanks.

  10. Re:AdBlock is unethical by flossie · · Score: 4, Funny
    If there were a beggar on your way to work, and you surrounded him with some walls so no one would see him, that would be unethical.

    Are you saying that it is wrong to house the homeless?!

  11. Viral Marketing by Valen0 · · Score: 5, Funny

    This worm gives new meaning to the term "viral marketing"...

    --
    -Valen
  12. It's not the first time.. by Dynamoo · · Score: 4, Interesting

    It's not the first time this has happened either, see this article relating to an incident that happened back in September with Falk AG.

    --
    Never email donotemail@WeAreSpammers.com
  13. RSS Readers too by simetra · · Score: 4, Informative
    Also... if you use an RSS reader on Windows, chances are good that it uses Internet Exploder for its web previewing. So, take that into account too.

    --

    "Would it kill you to put down the toilet seat?" -- Maya Angelou
  14. 0.0.0.0 Hosts File by pollock · · Score: 5, Informative

    In that case, feel free to use this version that uses "0.0.0.0" instead.

  15. Re:AdBlock is unethical by BenjyD · · Score: 4, Interesting

    It's not quite so clear cut as that, though. As I see it:

    For adverts:
    - Running a web site costs money. The guys running it might even want to make a living
    - hiring good writers is expensive
    - Advertising money is a proven revenue source for media outlets
    - subscription sites don't seem to be a popular option

    but, against that:
    - The adverts many sites run are overly intrusive and bandwidth-intensive
    - people who block adverts probably aren't the kind of people who are going to take notice of them anyway
    - just cramming more and more adverts down the throats of consumers is not a sustainable policy: eventually, everybody will block them because it's impossible to read anything on the web otherwise.

    But, sites have to be paid for somehow. Do you have any suggestions of alternative profit models for web sites?

    Penny-arcade seems to get by well enough on its merchandise, advertising, freelance art work etc revenue, for example. I'm not sure how well that scales to smaller sites, though.

  16. Not just "The Register" by prandal · · Score: 4, Informative

    The ISC has more details here and here.

  17. Re:LOL by prandal · · Score: 5, Informative

    The latest version for many users is IE 6 SP1, which is vulnerable. Not everybody has XP, and even a lot of XP users still don't have SP2 (you try downloading it over a dialup line sometime).

  18. Re:AdBlock is unethical by PalmerEldritch42 · · Score: 4, Insightful
    No, No, and No. I fail to see your argument. It is not unethical to block or otherwise not look at ads on a free site. The site is free. There is no EULA stating that in order to view the free content, my eyeballs have to focus on an ad. The ads do pay, and quite possibly, without that income, the site might go down. That is the problem of the admins. Here on Slashdot, we hear quite a lot of noise about how failing business models need to be updated. If a site can not sustain itself from ad revenue, then perhaps it needs a different model.

    There was never any agreement between me and the website admins that I had a limited license to view the content predicated by my looking at ads. Websites that are on the internet are free to the consumer, unless explicitly stated otherwise.

    --
    Ceci n'est pas une sig.

    :wq!

  19. Pity the write up is incorrect. by MattInFinland · · Score: 5, Informative

    The write up for the attack is incorrect. The correct sequence of events is at http://www.finlandforum.org/bb/viewtopic.php?t=7685. I know because I noticed it at The Register first and contacted Falk AG. Thanks for the acknowledgement too Slashdot, NOT.

  20. Re:AdBlock is unethical by Realistic_Dragon · · Score: 4, Insightful

    I still see the ads on penny arcade because they are small enough it's not worth my effort to block them, and occasionally something interesting comes up.

    I see no ads here because they are huge flash obscenities for Microsoft FUD campaigns.

    You want clickthroughs? Rethink your ad placement policies. (If I could select as a pref nothing but text ads for Linux/Unix/Hardware with _informational_ content - I might well see ads on Slashdot. And you might get paid more than the 0 you get for me at present.)

    The thing that pisses me off most of course is that the ultra lightweight version still has the heavy and bloated flash/animated adverts :\

    --
    Beep beep.
  21. Buffer overflow protections? by Deorus · · Score: 4, Interesting

    Last time I read about Microsoft's buffer overflow protection implementation in Windows XP Service Pack 2, they were talking about the NX bit present in page entries when the PAE mode was active in AMD x86-64 processors. Even though that protection exists in the new AMD x86-64 processors' MMUs, Intel P4 as well as older AMD processors do not yet support that bit, which means that processes running over them do not get any page-based protection against code execution, even while running SP2.

    However I see many people trusting their lives on SP2's protection even without processor support, and I don't see Microsoft willing to clarify this issue either, so I'm starting to believe that probably there is something else that I am not aware of in SP2 which simulates the same kind of protection on processors without hardware support.

    Is SP2 really protecting against stack smashing (for example) on processors without hardware support for non-executable pages? Or is it just general ignorance that Microsoft exploits for their own profit?

    1. Re:Buffer overflow protections? by btg · · Score: 4, Informative

      This particular problem is a heap overrun, not a stack overflow. XPSP2 introduced major changes to the way heap memory is laid out.

      The improvements included safe unlinking, randomising the base address of the PEB (makes it harder to overwrite the UEF for example), and a heap version of a stack canary called a security cookie.

      There are also improvements to the stack security by using a stack canary a la StackGuard compiled in by default for all MS apps.

      Basically SP2 does contain a bunch of actual, measurable improvements to the way writeable memory is dealt with. It's not bulletproof but it will screw most 'stock' exploits.

      By the way, something that nobody will tell you about BOFRA is that there _is_ a workaround - you can disable active scripting. The exploit uses javascript to allocate masses of heap memory to 'seed' the heap ready for the exploit. This is NOT a fix for all possible ways to attack this bug, just a fix for this particular attack.
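
      An added example, not from btg's post and not Microsoft's heap code: a pure-Python model of two of the SP2 heap measures named above, safe unlinking of free-list entries and a per-chunk security cookie. The free list, the chunk headers, the cookie and the overrun scenario are all constructed for the model; it touches no real memory. It shows why the checks matter: a free-list entry whose links have been overwritten is silently wired into the list by the old unchecked unlink, while the checked unlink refuses it on either the cookie or the back-pointer test.

```python
"""Pure-Python model of two of the XP SP2 heap hardening measures described
above: safe unlinking of free-list entries and a per-chunk security cookie.
Added example: a simulation of the checks, not Windows' heap implementation."""
import os


class HeapCorruption(Exception):
    """Raised when a free-list entry fails a consistency check."""


class Chunk:
    """A free chunk's header as the model sees it: a cookie plus two links."""
    def __init__(self, name, cookie):
        self.name = name
        self.cookie = cookie
        self.flink = self.blink = self     # a fresh chunk links to itself


class FreeList:
    """Circular doubly-linked free list with a sentinel head."""
    def __init__(self):
        self.cookie = os.urandom(4)        # per-heap secret chosen at creation (model only)
        self.head = Chunk("head", self.cookie)

    def insert(self, name):
        c = Chunk(name, self.cookie)
        c.flink, c.blink = self.head.flink, self.head
        self.head.flink.blink = c
        self.head.flink = c
        return c

    def unlink_unchecked(self, c):
        """Pre-SP2 style unlink: trusts both link fields exactly as found in the header."""
        c.blink.flink = c.flink
        c.flink.blink = c.blink

    def unlink_safe(self, c):
        """SP2 style: the cookie must match and both neighbours must point back at c."""
        if c.cookie != self.cookie:
            raise HeapCorruption(f"{c.name}: security cookie mismatch")
        if c.flink.blink is not c or c.blink.flink is not c:
            raise HeapCorruption(f"{c.name}: free-list links do not point back")
        c.blink.flink = c.flink
        c.flink.blink = c.blink

    def names(self):
        """Walk the list from the head and return the chunk names in order."""
        out, n = [], self.head.flink
        while n is not self.head:
            out.append(n.name)
            n = n.flink
        return out


def normal_free():
    """Sanity case: a clean checked unlink of the middle chunk."""
    fl = FreeList()
    fl.insert("c"); b = fl.insert("b"); fl.insert("a")   # list order: a, b, c
    fl.unlink_safe(b)
    return fl.names()


def simulate_overrun(safe, keep_cookie=False):
    """Constructed scenario: an overrun out of chunk 'a' has rewritten the header of the
    next chunk 'b', replacing its forward link with a rogue node and (unless keep_cookie)
    clobbering its cookie on the way. Returns the list contents after freeing 'b', or
    'detected' when the checked unlink refuses to proceed."""
    fl = FreeList()
    c = fl.insert("c"); b = fl.insert("b"); fl.insert("a")
    rogue = Chunk("rogue", cookie=b"\x00" * 4)
    rogue.flink = c
    b.flink = rogue                        # corrupted forward link
    if not keep_cookie:
        b.cookie = b"\x00" * 4             # cookie destroyed by the same overrun
    try:
        (fl.unlink_safe if safe else fl.unlink_unchecked)(b)
    except HeapCorruption:
        return "detected"
    return fl.names()


if __name__ == "__main__":
    print("clean free:", normal_free())
    print("unchecked unlink after overrun:", simulate_overrun(safe=False))
    print("checked unlink after overrun:", simulate_overrun(safe=True))
```

      The keep_cookie flag exercises the second check on its own: with the cookie intact, the corrupted entry is still refused because the rogue node does not point back at it. That is the point btg makes about "stock" exploits: both checks are cheap, and an entry that fails either one is never written through.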

  22. Sorry but ... by Evil+Pete · · Score: 4, Insightful

    ... who in the IT industry is dumb enough to surf using IE? Not being nasty but really we of all people should know better. Others yeah I can sympathise but Register readers ?

    --
    Bitter and proud of it.
  23. Re:LOL by roca · · Score: 4, Insightful

    Put it this way: Firefox offers pre-WinXP users a *free* path to being secure. Microsoft forces them to spend a significant amount of money.

  24. Re:LOL by toddestan · · Score: 4, Insightful

    No, the latest version for EVERYONE is IE6 SP2. If they're still using an older OS, that's tough shit for them. You can't say "Well the latest version of Windows is XP, but some people decided not to upgrade so the latest version for them is 2000." It just makes no sense.

    Yet another disadvantage of tying the web browser to the OS. At least the latest versions of Opera and Firefox run on Windows 95 just fine.

    Besides, I don't think IE6SP2 runs on Windows 2003 Server. What do you have to say to users of that OS?