Banner Ad on Myspace Serves Adware to 1 Million
An anonymous reader writes "Washingtonpost.com's Security Fix blog reports that a banner ad running on MySpace.com and other Web sites used a Windows security flaw to push adware and spyware out to more than one million computer users this week. The attack leveraged the Windows Metafile (WMF) exploit to install programs in the PurityScan/ClickSpring family of adware, which bombards the user with pop-up ads and tracks their Web usage."
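The summary names the Windows Metafile (WMF) exploit, patched by MS06-001, as the delivery mechanism. What made that bug exploitable was a META_ESCAPE record with escape function SETABORTPROC, which let a metafile hand the GDI renderer attacker-supplied bytes as an "abort procedure". A practitioner triaging ad creatives or proxy logs wants a quick scanner for that record, so here is one as an added example; it is not code from the article or from any of the parties involved. The record layout follows the published WMF format; the `build_wmf` fixture and the constants are the example's own.

```python
"""Flag WMF files carrying the META_ESCAPE/SETABORTPROC record abused by the
WMF exploit (MS06-001).  Added example, not the article's code.

Layout per the published WMF format: an optional 22-byte placeable header
(magic 0x9AC6CDD7), an 18-byte standard header, then records of
  DWORD RecordSize (in 16-bit words) | WORD RecordFunction | params
A META_ESCAPE record (0x0626) carries WORD EscapeFunction, WORD ByteCount,
then data; EscapeFunction 9 is SETABORTPROC.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7
META_ESCAPE = 0x0626
META_EOF = 0x0000
SETABORTPROC = 0x0009


def scan_wmf(data: bytes) -> list:
    """Walk the record stream; return (offset, escape_function) for every
    META_ESCAPE record found.  Raises ValueError on malformed input."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22  # skip the placeable (Aldus) header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mtype, header_words, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += header_words * 2
    findings = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            # A record is at least size+function (3 words); anything smaller
            # would stall the walk, so treat it as corruption.
            raise ValueError(f"bad record size at offset {off}")
        if func == META_EOF:
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            esc_func = struct.unpack_from("<H", data, off + 6)[0]
            findings.append((off, esc_func))
        off += size_words * 2
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if any escape record asks for SETABORTPROC."""
    return any(esc == SETABORTPROC for _, esc in scan_wmf(data))


def build_wmf(records, placeable: bool = False) -> bytes:
    """Constructed test fixture: wrap (function, params) pairs in a minimal
    WMF.  Not a real-world sample; params must be an even number of bytes."""
    body = b""
    max_rec = 3
    for func, params in records:
        size_words = (6 + len(params)) // 2
        max_rec = max(max_rec, size_words)
        body += struct.pack("<IH", size_words, func) + params
    body += struct.pack("<IH", 3, META_EOF)
    total_words = (18 + len(body)) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_rec, 0)
    if placeable:
        header = struct.pack("<I", PLACEABLE_MAGIC) + b"\x00" * 18 + header
    return header + body


if __name__ == "__main__":
    benign = build_wmf([(0x0102, struct.pack("<H", 1))])  # META_SETBKMODE only
    hostile = build_wmf([(0x0102, struct.pack("<H", 1)),
                         (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])
    print("benign:", is_suspicious(benign))    # False
    print("hostile:", is_suspicious(hostile))  # True
```

The scanner deliberately stops at the first malformed record size rather than skipping it: an ad creative that does not parse as a well-formed metafile is itself worth a look, and a zero-length record would otherwise loop forever.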
Darwinism works!
And they wonder why consumers want to block all ads. It's because of illegal virus ads like this. If they prosecuted spyware companies the way they do other virus creators, we would not have as much of a problem with people setting up shop as if this were a legitimate business and then hijacking people's computers for profit, waiting for enough complaints to pile up that maybe the state attempts an enforcement action, which at worst closes the company and more likely ends in a few small fines and promises to behave in the future. Either way, the owners of these companies never serve a day in prison for releasing their viruses.
This way we don't even have to read the article if we want to! We can just comment about the comments of the article. =D
There is a new variant of the WMF exploit that affects all Mac users running OS X. When a Mac user browses a web page that is displaying a banner ad with the WMF exploit, malicious code is run that silently installs Windows Vista on to the Mac users computer thereby completely replacing OS X with Vista.
Robert Oschler - RobotsRule.com
His solution to the hack that destroys a section of your profile is not that he will fix the site, but that you should install Flash 9.
Heh, I posted about this having been on Facebook earlier today in the Slashback article. I'm rather amazed that these things could have been active for days without getting caught and pulled by the websites. I'd ban the advertising company from my site after a stunt like this, no matter how much money they bring in. They just exposed hundreds of thousands of high school and college students to a virus for a quick buck.
Hah, that's like finding a loaded diaper in a garbage dump and then complaining about the level of sanitation.
"It's called My Space not Your space for a reason."
-MySpace Vice President In Charge Of Revenue Generation
If your OS puts out a security fix, it's probably for a reason. This could have been avoided for everyone just by keeping up-to-date.
1. Use Mozilla Firefox.
2. Uninstall Flash, you don't need that proprietary junk, 99% of all flash animations are ads/banners anyways.
3. Maybe you want to "block loading of images from third-party sites".
4. Use the Adblock extension for Firefox, you can get it at http://adblock.mozdev.org/ and get some rules for it.
5. Use a more secure operating system.
I hate Myspace, it is a website that caters to retards, it is so dumb.
How about Myspace as well? It is easily argued that Myspace controls the banner space and content added to the 'global' site (i.e. every page). This is akin to aiding and abetting.
The sad thing is that a million PCs were infected, and probably 500,000 of them will -stay- infected. And will this even remotely hurt Myspace's market share/traffic? I seriously doubt it.
expect to pick up something special for the ride home.
I'm not trolling, but I can't stand myspace-type blogs.
People need to understand that the net costs money. If you didn't pull out your credit card to pay for the resources you consumed, you'll be pulling in something into your PC...and when the intelligence quotient is double-digit...
I've visited myspace exactly once. By accident. I'd consider it to be a cesspool of the Internet if I saw more than one profile. My sister, too, has been affected by the WMF exploit in a myspace profile. Let me just say that telephone support for Win98 on an ancient laptop is less fun than most things, including elevator rides with those people that feel that the body cleanses itself.
My perspective -- if one goes to myspace, one deserves its effects.
My solution to this problem is to block the domains of the servers that host these ads, such as pagead2.googlesyndication.com, by using a DNS server. This is better than Firefox ad-blocking or most other systems. This system prevents any connection to the advertising server. I have a DNS server for ad-blocking that is publicly available at 68.147.32.114.
Makes me question MySpace; you'd think they have people watching for these sorts of attacks.
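The DNS-based blocking described a couple of comments up works by answering queries for ad-serving domains locally instead of resolving them, so the browser never opens a connection. The following is an added example of that sinkhole, not the commenter's server: it parses the question section, matches the name and every parent domain against a blocklist, returns NXDOMAIN for hits and forwards everything else. The `doubleclick.net` entry and the upstream resolver address are assumptions chosen for illustration; only `pagead2.googlesyndication.com` comes from the comment.

```python
"""DNS sinkhole for ad/malware domains: answer NXDOMAIN for anything on (or
under) a blocklisted domain, forward everything else upstream.  Added
example, not the commenter's server; entries beyond
pagead2.googlesyndication.com and the upstream resolver are assumptions."""
import socket
import struct

BLOCKLIST = {
    "pagead2.googlesyndication.com",  # named in the comment
    "doubleclick.net",                # assumed extra entry for illustration
}


def parse_qname(msg: bytes, off: int):
    """Decode an uncompressed DNS name starting at off; return (name, next_off)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            return ".".join(labels).lower(), off
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """Match the name and every parent, so ad.doubleclick.net hits doubleclick.net."""
    parts = name.rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def sinkhole_response(query: bytes, blocklist=BLOCKLIST):
    """Return an NXDOMAIN reply for a blocked name, or None to mean 'forward'."""
    if len(query) < 12:
        raise ValueError("short DNS message")
    qid, flags, qdcount = struct.unpack_from("!HHH", query, 0)
    if flags & 0x8000 or qdcount != 1:
        return None  # a response, or an unusual query: leave it to upstream
    name, off = parse_qname(query, 12)
    off += 4  # QTYPE, QCLASS
    if off > len(query) or not is_blocked(name, blocklist):
        return None
    # QR=1, AA=1, RD copied from the query, RA=1, RCODE=3 (NXDOMAIN); no answers.
    rflags = 0x8000 | 0x0400 | (flags & 0x0100) | 0x0080 | 0x0003
    return struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0) + query[12:off]


def build_query(name: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """Constructed test input: a standard recursive query for name/qtype/IN."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def serve(bind=("127.0.0.1", 5353), upstream=("8.8.8.8", 53)):
    """Blocking UDP loop: sinkhole or forward each query.  Upstream is an assumption."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        query, client = sock.recvfrom(4096)
        try:
            reply = sinkhole_response(query)
        except (ValueError, IndexError, UnicodeDecodeError):
            continue  # drop malformed packets rather than forwarding them
        if reply is None:
            fwd = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            fwd.settimeout(2)
            try:
                fwd.sendto(query, upstream)
                reply, _ = fwd.recvfrom(4096)
            except socket.timeout:
                continue
            finally:
                fwd.close()
        sock.sendto(reply, client)


if __name__ == "__main__":
    serve()
```

NXDOMAIN is returned for every record type, not just A, so AAAA and CNAME lookups for a blocked name fail the same way and the client never learns an address to connect to. Note the obvious caveat with the commenter's public resolver: pointing your machine at someone else's DNS server hands that party every name you look up.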
.. 'shit happens.'
Yes, and you're 100% right. Since they are syndicating it, showing 'due diligence' in making sure they aren't syndicating harmful code is their responsibility.
The question comes down to, reasonably, what is a good percentage to equate with 'due diligence' in checking what they syndicate. They have a few million pages, videos and photos to police, as well as watching what their advertisers are using their network to display.
So even if they go way above and beyond the 80% catch rate of abuse prior to it leaving their network, stuff like this is still going to happen. I'd imagine they only catch about 70% of illegal use involving their network, and considering its size and attractiveness to bad-doers, that's not bad.
Of course its an age old argument, who is most at fault. The person who shot the gun or the company that provided it?
I am also noting a rather old vulnerability was exploited, and people not updating their systems need to share some of the blame.
So I guess in essence
Exactly - every time you delete a cookie an american flag bursts into flame.
Ads can be a growing security risk in the future. I'd like to ban all ads at work, but I can't do that since IE6 is the only allowed browser here and no extra software is allowed to be installed. Once I surfed to the Dilbert website for comics that I thought would be safe, but Errorsafe malware tried to install itself on my machine (by ActiveX component in an ad). See http://koti.mbnet.fi/jnyman/dilbert.html for a screen capture (the dialogue text is in Finnish, but the bottom line asks "Do you want to install the Errorsafe program on your computer to check your computer for free (recommended)?"). I complained about this to the Dilbert website's webmaster and to Scott Adams and they replied that they were looking at the problem, but after that nothing. Haven't visited the Dilbert website since at work. Hope this is not a growing trend.
> Exactly - every time you delete a cookie an american flag bursts into flame. So what happens when you clear all cookies from you machine?
The shocking part is that there are still people using Windows. I've got a laptop sitting around here with Windows on it that I use as a novelty once in a while, but it's not like it can really do anything useful. The package management system is horribly antiquated, the dependency checking leaves a lot to be desired, and then there are the security holes in the stock applications that come with the OS. Maybe some day it will mature enough to be useful, but for now it's just a novelty that still isn't up to being used in a production environment.
> And they wonder why consumers want to block all ads. It's because of illegal virus ads like this
I thought I followed the field fairly well, but I have never heard of any previous virus ads like this.
... they DO end up with less stench on them at the top of the ride than at the bottom, since convervation of mass means that the stuff suffocating me had to come from somewhere...
While I agree with you about myspace, the exploit is not by any means MySpace specific.
On previous occasions Falk AG has served exploits like this through websites like www.theregister.co.uk. In that case Falk had their ad delivery servers broken into.
This is not the first time, and as time goes on we will see much more of this.
God kills an American kitten.
Please stop APK.. you're only hurting yourself.
Wow... OK, so not to interrupt the Windows hate fest,
but the WMF exploit has been patched since January of this year.
Anyone that got hit by this only has themselves to blame.
actually I am happy to see you, however that is in fact a banana in my pocket.
Anyone know if Windows Defender will catch the spyware component of this exploit? I suppose it's a moot point since people who run IE unpatched aren't going to run Defender anyway.
You mean like the government wants our ISPs to track and monitor our web usage and keep copies of all our IM's, searches and emails? Or how about our libraries revealing what books we check out? Maybe AT&T could provide a log of all your phone calls. How about the banks reveal all your financial transactions?
Oops, I forgot - the Patriot Act, among other obscure laws, already allow this.
Innocent until proven guilty no longer applies in the land of the free - why should it apply to corporate America any different? Oh yea, I forgot, they own the politicians.
Why can't Microsoft patch the holes in its software? Why can't MySpace screen its advertisers? They aren't showing porn site ads, because they 'screened' the ads, correct? So, how come they are serving adware?
If it's OK for the government to be constantly running background checks (illegally, I might add) on its own citizens in a 'FREE' country, then MySpace should also be responsible for spreading viruses and spyware. Of course, they won't ever have to answer for it. News Corp may as well be owned by the GOP...
Only if Myspace knew what was going on (which they almost certainly did not).
I'll make this very simple for you: Is myspace responsible for the content they put on their site, or not?
When you are a website the size of myspace, failing to vet your advertising borders on gross negligence and incompetence.
Furthermore, if you study how 'responsibility' plays out in the business world, particularly with lawsuits- the first party on the food chain is responsible. If that company wants to take action against its employees, suppliers, etc- so be it. But the buck, figuratively, stops at "round one".
Before we go on with all the Myspace and Windows bashing it's important to note who is at fault here.
Myspace isn't at fault and neither is Microsoft
Sure they make shitty products for the below average user, but that isn't the problem. Myspace administrators don't choose exactly which ads are displayed on their pages; they sell their ad space to an ad company with a few constraints on what types of ads are allowed to appear. The company who provides the ads then chooses specifically which ads it wishes to display on each of Myspace's, and for that matter, hundreds of other web sites' web pages. And the users who didn't update their Windows OS aren't any more at fault either. Is it my fault if I leave my window unlocked and I get robbed because of it? No.
Another important note:
Myspace users were not the only one affected by this banner ad
So enough with the flame wars, go fuck the adware companies that are fucking everyone over.
omg. wow. who would've thought that so many nerds would have such hate for a SOCIAL networking website.
...quickly upgrade all flash ads and video to Flash9 this morning. I was just prompted to upgrade to Flash9 (I don't really keep on top of Flash updates) an hour or so ago.
Although I'd like to see MySpace increase its response time, a week response time is fairly fast for corporations. Apple took two weeks to patch the vulnerabilities discovered last February and they were applauded for having a fast response. The shame is that Microsoft's glacier-like response to security vulnerabilities makes two weeks look speedy, and one week look positively instantaneous.
I realize that it will be popular to bash MySpace around here over this but the real culprits are, in order from least to greatest responsibility, the users who hadn't patched their OS with the latest updates, Microsoft for pushing such crappy code in the first place, and greatest of all, the ad agency that didn't catch this little beauty. They should lose their contract at the least over this, IMO. I use a Mac, Safari, and an adblocker style sheet, but I want to see an end to this. Kids shouldn't be used to propagate malwarez and if I was a band over at MySpace I'd be plenty ticked off about this, too.
>>Did you see the picture of the CEO on the front of Wired?
Err - he's Rupert Murdoch. If he wasn't going to "make millions off of that company" he wouldn't have bothered with it.
So that's what's meant by that term?
(You know I've been waiting to say that for weeks now)
The problem is that this was not user-provided content, one of millions of user pages, but advertiser content, something you directly get paid for, and it certainly appears in numbers much smaller than the user pages.
'Due diligence' in schools, for example, may not be assuring no single kid ever smokes crack, but it certainly is making sure the school bus driver doesn't.
Y'know unauthorized modification of a computer system and all that stuff?
Tampering with 1 million computers without permission and AFAIK without good reason. Isn't that a serious criminal offense?
That's what annoys me the most about all those "antihacker" crusades. Don't the same laws apply to spyware, unauthorized adware etc? Even Sony's DRM crap.
But no, the FBI and other authorities round the world seem to prefer trying to jail people who are pretty harmless (like that Brit looking for UFOs).
If directors/owners of companies doing such stuff were sent to jail (or even seriously threatened with jail), you'd see a lot less spyware or nasty adware around.
Instead there's one law for the small stupid amateur and another law for the incorporated pros.
And that is the real reason why there's so much spyware around. Not because users are clueless (even though they are) or click on attachments without thinking.
Most people on MySpace have so much spyware to begin with that no change was noticed in their daily activity.
I liked the fact that the writer avoided linking to the site so they won't get any boost on google from being mentioned on the Washington Post.
Funny, that's the same kind of excuse spammers use. "Oh, I'm not a spammer... I purchased this list of e-mail addresses in good faith, how was I to know they weren't all 100% verified opt in like the seller said?"
It's also the same excuse The Pirate Bay use. "Oh, no, we're not responsible... we just provide a service which other people use to serve up illegal content."
Seems pretty common for MySpace to be serving up spyware ads. Another recent case was reported here of spyware from Starware being advertised with a banner they made by sticking Osama's face on the body of an Asian model in a bikini. Given the background of the founders of MySpace it shouldn't be surprising (they came from the spyware business according to references cited in that spyware report).
> Of course it's an age old argument, who is most at fault. The person who shot the gun or the company that provided it?
More like the age old argument, is it illegal or not. Sadly the facts are that this event is not a criminal event, the police won't be getting involved, and no one really cares. Not the infected users, not myspace, and not the advertisers. This is just more roadkill on the information superhighway. Nothing to see here, please move along.
So if you're not a Windows or Mac OS X (PowerPC) user, you're SOL.
You mean to tell us that a site that is practically a shrine to petty teenage popularity contests, cliquishness, and ad-whoring for the biggest businesses in the world only supports the two OSes used by more than 2% of the market!?
Holy crap! What is the world coming to?
Yup! The virus evolved by itself from random bits and used WMF as a host, and then became active on users' PCs.... ;)