Banner Ad on Myspace Serves Adware to 1 Million

An anonymous reader writes "Washingtonpost.com's Security Fix blog reports that a banner ad running on MySpace.com and other Web sites used a Windows security flaw to push adware and spyware out to more than one million computer users this week. The attack leveraged the Windows Metafile (WMF) exploit to install programs in the PurityScan/ClickSpring family of adware, which bombards the user with pop-up ads and tracks their Web usage."

Excellent.

Darwinism works!

Re:Excellent.

[jZnat]

Well, it surely wasn't Intelligent Design that did it...

Re:Excellent.

...Which is pathetically ironic given that people here don't get laid.

Re:Excellent.

[ultranova]

...Which is pathetically ironic given that people here don't get laid.

Hah! A real master nerd is never unprepared. I'll watch the whole run of Nuku-Nuku for inspiration and build myself a catgirl android lover, and we'll make dozens of cyborg kittens together.

Take that, natural selection!

Prosecute virus creating companies.

[Facekhan]

And they wonder why consumers want to block all ads. Its because of illegal virus ads like this. If they prosecuted spyware companies the way they do with other virus creators we would not have as much of a problem with people setting up shop as if this is a legitimate business and then hijacking people's computers for profit and waiting for enough complaints to pile up that maybe the state attempts an enforcement action which at worst closes the company and more likely a few small fines and promises to behave in the future. Either way the owners of these companies never serve a day in prison for releasing their viruses.

Re:Prosecute virus creating companies.

[CRCulver]

And they wonder why consumers want to block all ads. Its because of illegal virus ads like this.

Not at all. I imagine that most of us around here who install AdBlock and FlashBlock do so because of the bandwidth and processor power that ad-laden pages take. People on non-Windows platforms hardly have to fear WMF exploits.

Re:Prosecute virus creating companies.

[Ethan+Allison]

People on non-Windows platforms are generally not the targets of ads, as indicated by XP-styled "message box" banners.

Re:Prosecute virus creating companies.

[Tim+C]

I imagine that most of us around here who install AdBlock and FlashBlock do so because of the bandwidth and processor power that ad-laden pages take.

Speaking personally, I generally block ads that are misleading, flashy and/or distracting. I've lost count of the number of times an otherwise perfectly good webpage has been ruined (aesthetically) by an in your face ad.

Anything that attempts to look like a system dialogue, or to convince me that my PC is running slowly and needs to be fixed, etc, gets the entire advertiser's domain and sub-domains blocked. I hate that shit.

Re:Prosecute virus creating companies.

[suffe]

I must confess, I've never been able to quite understand how companies are willing to show those adds on their space. Seemingly serious sites can be littered with them and in regard to professionalism it just seems like scraping the bottom of the barrel. Who can take a company/site serious when they are (through their ads) trying to outright scam their customers?

Re:Prosecute virus creating companies.

[panaceaa]

OMG WTF I THOUGHT THOSE WERE POP-UPS BY HACKERS!!! when i pressed the "X" it still went to there page!!!!! those are the ppl we should really be suing$@!one!!

Re:Prosecute virus creating companies.

[tehshen]

Who can take a company/site serious when they are (through their ads) trying to outright scam their customers?

This works for the same reason that spam works - it's cheap to do, and only a few stupid people need to click on the ads for them to be making money again.

Re:Prosecute virus creating companies.

[Bogtha]

I have to disagree with both of you. People block ads not because of risk, not because they take up too much bandwidth and processor power, but because they take up too much attention. People want to pay attention to the real content, not wade through fake distracting crap that wants to sell them something.

Re:Prosecute virus creating companies.

[bcmm]

The creation of this basically malicious content was wrong and should be punished by the Law, but please don't join the media and the less educated parts of our governments in refering to all computer security exploits as "viruses".

This attack is not a virus because it cannot spread to new hosts from infected machines. It is, more accuratly, a trojan, in that it is "executed" under the false pretence of being non-malicious code (I put "executed" in inverted commas because there is the additional issue of how it ended up actually executing native code on the infected machines).

Also, the people who recieve harsh sentances are normally writers of worms, rather than viruses. This is because the extremely rapid way in which some worms infect new machines can cause serious overload of the networks over which they spread, which tends to cause more $s of damage than the damage to the actual machines. Although these ads are wrong, they have not had that sort of global impact on networks.

So, while I agree that these people should be prosecuted and severely punished, I believe that it is misguided to say that they should be prosecuted under the same laws as virus and worm authors, as this would just muddy the water and add to the current situation where all computer users have to be worried about which laws they might be breaking.

Re:Prosecute virus creating companies.

[suffe]

If anything, I might overestimate the value of a returning customer. Or they might underestimate it. Who knows.

I love how the submission links the comments

[Neoncow]

This way we don't even have to read the article if we want to! We can just comment about the comments of the article. =D

This comes right after a Flash hack

[ben+there...]

Tom (the site's...er, spokesperson) left this message in everyone's Inbox on the 17th:

Latest Update: 05:15PM PST, Monday, July 17th.
hey folks - we are moving myspace music players and video players to flash 9.0. flash 9 has security fixes so that people can't mess with you on myspace. if your 'about me' got screwed up this weekend, you could have been safe if you had flash 9 installed. here's an easy way to install it, go watch this dashboard video i posted last week. if you don't like dashboard, just watch any video in our video section, and you'll be prompted to install flash 9.

His solution to the hack that destroys a section of your profile is not that he will fix the site, but that you should install Flash 9.

Re:This comes right after a Flash hack

[ozbird]

His solution to the hack that destroys a section of your profile is not that he will fix the site, but that you should install Flash 9.

So if you're not a Windows or Mac OS X (PowerPC) user, you're SOL.

Re:This comes right after a Flash hack

[Slow2Show]

Its because it is a bug in flash's understanding of DOM security. Not myspace's, so hence your attempt at insinuating that they don't know what they're doing is incorrect.

Sorry try again after you RTFM RE: security issues.

Heh, on Facebook too.

[betterthanducttape]

Heh, I posted about this having been on Facebook earlier today in the Slashback article. I'm rather amazed that these things could have been active for days without getting caught and pulled by the websites. I'd ban the advertising company from my site after a stunt like this, no matter how much money they bring in. They just exposed hundreds of thousands of high school and college students to a virus for a quick buck.

Re:Heh, on Facebook too.

[rhizome]

I'd ban the advertising company from my site after a stunt like this, no matter how much money they bring in.

Let me guess, you generally don't receive advertising money.

Re:First time?

[hendridm]

Makes me question myspace, you'd think they have people watching for these sorts of attacks.

Hah, that's like finding a loaded diaper in a garbage dump and then complaining about the level of sanitation.

All your Myspace are belong to us?

[davidwr]

"It's called My Space not Your space for a reason."
    -MySpace Vice President In Charge Of Revenue Generation

Just update

[bigtimepie]

From the article:

Microsoft released a patch in January to fix a serious security flaw in the way Windows renders WMF
What is clear from this attack is that there are plenty of people who still haven't installed this security update from Microsoft.

If your OS puts out a security fix, it's probably for a reason. This could have been avoided for everyone just by keeping up-to-date.

Re:Just update

[0racle]

Lots of exploits that have been released have been fixed before the exploit made the rounds. Its just that the type of moron MySpace caters to are also the type of moron that won't ever learn how to do things right.

MySpace knows its users are idiots, and that they aren't going anywhere until their 15 minutes of fame are up. What do they care that ads they carry also target those same idiots.

Re:Just update

[Zindagi]

There might be other reasons why your computer is not up to date. For instance, now that Microsoft insists I install WGA before I can get the updates -- I havent been getting the updates. So Lord knows what all critical fixes my computer is missing. Not that that excuses anybody for using IE :)

Re:Just update

[smash]

Upgrade from XP to 2000, which doesn't insist on installing WGA before you can install updates, runs faster, and generally pisses you off less by trying to do stuff behind your back.

Less security problems as well :D

Tips

1. Use Mozilla Firefox.
2. Uninstall Flash, you don't need that proprietary junk, 99% of all flash animations are ads/banners anyways.
3. Maybe you want to "block loading of images from third-party sites".
4. Use the Adblock extension for Firefox, you can get it at http://adblock.mozdev.org/ and get some rules for it.
5. Use a more secure operating system.

I hate Myspace, it is a website that caters to retards, it is so dumb.

Re:Tips

[inject_hotmail.com]

1. Use Mozilla Firefox.
2. Uninstall Flash, you don't need that proprietary junk, 99% of all flash animations are ads/banners anyways.
3. Maybe you want to "block loading of images from third-party sites".
4. Use the Adblock extension for Firefox, you can get it at http://adblock.mozdev.org/ and get some rules for it.
5. Use a more secure operating system

Another great way to block most (99% ??) ad sites is to go here and download this. It's a hosts file that directs your PC to essentially IGNORE ALL known ad servers.

Why forge a battle on your computer between your browser and an ad server, when one can ignore the war?

Prosecute the "sellers" too

[SuperBanana]

Prosecute virus creating companies.

How about Myspace as well? It is easily argued that Myspace controls the banner space and content added to the 'global' site (ie every page). This is akin to aiding and abetting.

The sad thing is that a million PCs were infected, and probably 500,000 of them will -stay- infected. And will this even remotely hurt Myspace's market share/traffic? I seriously doubt it.

Re:Prosecute the "sellers" too

[nwbvt]

"How about Myspace as well? It is easily argued that Myspace controls the banner space and content added to the 'global' site (ie every page). This is akin to aiding and abetting. "

Only if Myspace knew what was going on (which they almost certainly did not). Or do you think any business transaction with criminals is 'akin to aiding and abetting'? In which case, shouldn't you also prosecute

• banks, if one or more of their clients deposit money they got illegally?
• hotels, in whose rooms illegal transactions (prostitution, drug dealing, whatever) take place?
• computer manufacturers, whose customers use their computers to steal identities?
• camera manufacturers, whose products may be used to stalk people and invade their privacy?
• etc.

Ask yourself this, do you really want to go down that road? Do you really want companies to run extended background checks on you before they sell you anything to make sure you may not use it in some obscure way to harm others? Is such a police state really what you want? Or do you just not like Myspace (either because it is used by the same teenage girls who wouldn't date you in high school, or because it is owned by NewsCorp)?

Re:Prosecute the "sellers" too

[arkhan_jg]

I agree with your examples, but not with your linking of them with the original problem. A bank or computer maker or hotel's CUSTOMERS are committing the illegal act. You're right, the business should not be held liable for what their clients do, i.e. myspace shouldn't be held liable for what their users hosting pages put on them.

This is different. This is the business putting up an advertising hoarding that is dangerous to visitors. The business already vets its adverts (so no porn), so it has the duty and capability to vet its adboards for viruses, just as if it was hosting auto-install viruses on the front page in their own webspace.

Just because it subcontracts the advertising out to a third party doesn't get myspace off the hook, any more than a bank with a beartrap inside the front door wouldn't be liable because their builders put it there.

When you go to the community pool...

[inject_hotmail.com]

expect to pick up something special for the ride home.

I'm not trolling, but I can't stand myspace-type blogs.

People need to understand that the net costs money. If you didn't pull out your credit card to pay for the resources you consumed, you'll be pulling in something into your PC...and when the intelligence quotient is double-digit...

I've visited myspace exactly once. By accident. I'd consider it to be a sesspool of the Internet if I saw more than one profile. My sister, too, has been affected by the WMF exploit in a myspace profile. Let me just say that telephone support for Win98 on an ancient laptop is less fun than most things, including elevator rides with those people that feel that the body cleanses itself.

My perspective -- if one goes to myspace, one deserves its effects.

DNS Ad-blocking

[computergeek1200]

My solution to solve this problem is to block the domains of the servers that host these ads such as (pagead2.googlesyndication.com) by using a dns server. This is better than firefox ad-blocking or most other systems. This system prevents any connection to the advertising server. I have a dns server for ad-blocking that is publicly avaiable at 68.147.32.114.

Click here to see if you configured your dns properly.

Re:DNS Ad-blocking

Using a public DNS server requires a fair amount of trust. I'd rather have just a list of hosts to block, which are widely available and much less of a security risk.

Re:First time?

[tinkertim]

>> Makes me question myspace, you'd think they have people watching for these sorts of attacks.

Yes, and you're 100% right. Since they are syndicating it, showing 'due diligence' in making sure they aren't syndicating harmful code is their responsibility.

The question comes down to , reasonably, what is a good percentage to equate with 'due diligence' in checking what they syndicate. They have a few million pages, videos and photos to police, as well as watching what their advertisers are using their network to display.

So even if they go way above and beyond the 80% catch rate of abuse prior to it leaving their network, stuff like this is still going to happen. I'd imagine they only catch about 70% of illegal use involving their network, and considering its size and attractiveness to bad-doers, that's not bad.

Of course its an age old argument, who is most at fault. The person who shot the gun or the company that provided it?

I am also noting a rather old vulnerability was exploited, and people not updating their systems need to share some of the blame.

So I guess in essence .. 'shit happens.'

Re:why?

[kjart]

Anyone who protests tracking of their web usage obviously hates america.

Exactly - every time you delete a cookie an american flag bursts into flame.

Virus/adware-spreading ads

[john_prog]

Ads can be a growing security risk in the future. I'd like to ban all ads at work, but I can't do that since IE6 is the only allowed browser here and no extra software is allowed to be installed. Once I surfed to Dilbert website for comics that I thought would be safe, but Errorsafe malware tried to install itself to my machine (by ActiveX component in an ad). See http://koti.mbnet.fi/jnyman/dilbert.html screen capture here (the dialogue text is in Finnish, but the bottom line asks "Do you want to install Errorsafe program to your computer to check your computer for free (recommended)?". I complained about this to Dilbert website's webmaster and to Scott Adams and they replied that they're looking at the problem, but after that nothing. Haven't visited Dilbert website since at work. Hope this is not a growing trend.

Re:Virus/adware-spreading ads

[SCPRedMage]

In your case, the problem wasn't with the Dilbert website, and in the parent article, it wasn't a problem with myspace, either.

The problem is with the ad-serving companies that these websites use. Either they're less-than-trustworthy, and are directly responsible for the exploits being used, or they sub-contract out, and don't care enough to keep an eye on their "partners". Usually, notifying the webmaster of the offending site is enough to get them to have a "talk" with their advertisers to resolve the situation.

Of course, you probably already know this, but it bears repeating as it's something that can be missed by people not familar with the subject.

Please, won't someone think of the n00bs?

Re:Virus/adware-spreading ads

I had dilbert.com as my home-page for years, but recently gave up on it in disgust. 9 times out of 10 Firefox would block anything upto 3 popups, and then they started to carry an extremly obnoxious popup that even Firefox couldn't block. I figure anyone being that anti-social doesn't want me around, so I left. If I were Scott Adams I'd be outraged by United Medias total dimwitedness, but I guess his Clue departed many years ago.

Re:Virus/adware-spreading ads

[FlyingCheese]

The Government is spying on you and killing off people who speak bad about the government. The whole "Freedom" thing is a public face, the original writers of the Constitution are a mysterious and well hidden group that has links to The Masons and Illuminati.

Can I substantiate this? Yes. Will I substantiate it? No.

I don't care if anyone believes me. Just remember, you heard it here first.


Oh and pass the bong, dude. Thanks.

Re:why?

[GodOfCode]

> Exactly - every time you delete a cookie an american flag bursts into flame. So what happens when you clear all cookies from you machine?

The shocking part is....

[Rapier]

The shocking part is that there are still people using Windows. I've got a laptop sitting around here with Windows on it that I use as a novelty once in a while, but it's not like it can really do anything useful. The package management system is horribly antiquainted, the dependancy checking leaves a lot to be desired, and then there are the security holes in the stock applications that come with the OS. Maybe some day it will mature enough to be useful, but for now it's just a novelty that still isn't up to being used in a production environment.

Re:why?

[Stormwatch]

Exactly - every time you delete a cookie an american flag bursts into flame.

So what happens when you clear all cookies from you machine?

The USA will become an islamic republic.

Re:Really??

[babbling]

It happens all the time. It happened on LiveJournal only a month or two ago.

Re:The rise and fall of myspace

[arivanov]

While I agree with you about myspace, the exploit is not by any means MySpace specific.

On previous occasions Falk AG has served exploits like this through websites like www.theregister.co.uk. In that case Falk had their ad delivery servers broken into.

This is not the first time and as the time goes we will see much more of this.

Re:why?

[max99ted]

Exactly - every time you delete a cookie an american flag bursts into flame. So what happens when you clear all cookies from you machine?

God kills an American kitten.

umm there has been a patch since jan

[atarione]

wow... ok so not to interupt and windows hate fest.

but the WMF exploit has been patched since jan of this year

anyone that got hit by this only has themselve to blame.

Does Windows Defender Catch This?

[fragMasterFlash]

Anyone know if Windows Defender will catch the spyware component of this exploit? I suppose its a moot point since people who run IE unpatched aren't going to run Defender anyway.

Prosecute MySpace

[Yez70]

Do you really want companies to run extended background checks on you before they sell you anything to make sure you may not use it in some obscure way to harm others?
 

You mean like the government wants our ISPs to track and monitor our web usage and keep copies of all our IM's, searches and emails? Or how about our libraries revealing what books we check out? Maybe AT&T could provide a log of all your phone calls. How about the banks reveal all your financial transactions?

Oops, I forgot - the Patriot Act, among other obscure laws, already allow this.

Innocent until proven guilty no longer applies in the land of the free - why should it apply to corporate America any different? Oh yea, I forgot, they own the politicians.

Why can't Microsoft patch the holes in it's software? Why can't MySpace screen it's advertisers? They aren't showing porn site ads, because they 'screened' the ads, correct? So, how come they are serving adware?

If it's ok for the government to be constantly running background checks (illegally I might add) on it's own citizens in a 'FREE' country, then MySpace should also be responsible for spreading viruses and spyware. Of course, they won't ever have to answer for it. News Corp may as well be owned by the GOP...

is myspace responsible for their site or not?

[SuperBanana]

Only if Myspace knew what was going on (which they almost certainly did not).

I'll make this very simple for you: Is myspace responsible for the content they put on their site, or not?

When you are a website the size of myspace, failing to vett your advertising borders on gross negligence and incompetence.

Furthermore, if you study how 'responsibility' plays out in the business world, particularly with lawsuits- the first party on the food chain is responsible. If that company wants to take action against its employees, suppliers, etc- so be it. But the buck, figuratively, stops at "round one".

Re:WMF Exploit Now Affects Mac Users!

[MobileTatsu-NJG]

Sources indicate that OSX users only noticed because their computer started to "crash a lot". "I didn't even notice the change to be quite honest," an anonymous user explained. "Only that the buttons moved to the other side of the window."

Users further complained that their productivity shot way down when a number of games mysteriously started working.

MySpace's Response Was To..

[Absentminded-Artist]

...quickly upgrade all flash ads and video to Flash9 this morning. I was just prompted to upgrade to Flash9 (I don't really keep on top of Flash updates) an hour or so ago.

Although I'd like to see MySpace increase its response time, a week response time is fairly fast for corporations. Apple took two weeks to patch the vulnerabilities discovered last February and they were applauded for having a fast response. The shame is that Microsoft's glacier-like response to security vulnerabilities makes two weeks look speedy, and one week look positively instantaneous.

I realize that it will be popular to bash MySpace around here over this but the real culprits are, in order from least to greatest responsibility, the users who hadn't patched their OS with the latest updates, Microsoft for pushing such crappy code in the first place, and greatest of all, the ad agency that didn't catch this little beauty. They should lose their contract at the least over this, IMO. I use a Mac, Safari, and an adblocker style sheet, but I want to see an end to this. Kids shouldn't be used to propagate malwarez and if I was a band over at MySpace I'd be plenty ticked off about this, too.

Re:Firefox with Adblock?

[Library+Spoff]

>>Did you see the picture of the CEO on the front of Wired?

err - he's Rupert Murdoch. If he wasn't going to "make millions off of that company" he wouldn't of bothered with it.

Viral marketing

[Opportunist]

So that's what's meant by that term?

(You know I've been waiting to say that for weeks now)

Same thing on OKCupid...

[Max+Threshold]

I encountered an ad which prompted me to download a file called 'exp.wmf'.

Yes, it's an online dating site. No, I haven't met anyone on there yet. Shut up.

Aren't there antihacking laws that apply?

[TheLink]

Y'know unauthorized modification of a computer system and all that stuff?

Tampering with 1 million computers without permission and AFAIK without good reason. Isn't that a serious criminal offense?

That's what annoys me the most about all those "antihacker" crusades. Don't the same laws apply to spyware, unauthorized adware etc? Even Sony's DRM crap.

But no, the FBI and other authorities round the world seem to prefer trying to jail people who are pretty harmless (like that brit looking for UFOs).

If directors/owners of companies doing such stuff were sent to jail (or even seriously threatened with jail), you'd see a lot less spyware or nasty adware around.

Instead there's one law for the small stupid amateur and another law for the incorporated pros.

And that is the real reason why there's so much spyware around. Not because users are clueless (even though they are) or click on attachments without thinking.

Doesn't matter

[Frightening]

Most people on MySpace have so much spyware to begin with that no change was noticed in their daily activity.

umm....

[1800maxim]

Yup! The virus evolved by itself from random bits and used WMF as a host, and then became active on users' PCs.... ;)