Banner Ad on Myspace Serves Adware to 1 Million

An anonymous reader writes "Washingtonpost.com's Security Fix blog reports that a banner ad running on MySpace.com and other Web sites used a Windows security flaw to push adware and spyware out to more than one million computer users this week. The attack leveraged the Windows Metafile (WMF) exploit to install programs in the PurityScan/ClickSpring family of adware, which bombards the user with pop-up ads and tracks their Web usage."

Excellent.

Darwinism works!

Re:Excellent.

[jZnat]

Well, it surely wasn't Intelligent Design that did it...

Re:Excellent.

[ultranova]

...Which is pathetically ironic given that people here don't get laid.

Hah! A real master nerd is never unprepared. I'll watch the whole run of Nuku-Nuku for inspiration and build myself a catgirl android lover, and we'll make dozens of cyborg kittens together.

Take that, natural selection!

Prosecute virus creating companies.

[Facekhan]

And they wonder why consumers want to block all ads. Its because of illegal virus ads like this. If they prosecuted spyware companies the way they do with other virus creators we would not have as much of a problem with people setting up shop as if this is a legitimate business and then hijacking people's computers for profit and waiting for enough complaints to pile up that maybe the state attempts an enforcement action which at worst closes the company and more likely a few small fines and promises to behave in the future. Either way the owners of these companies never serve a day in prison for releasing their viruses.

Re:Prosecute virus creating companies.

[CRCulver]

And they wonder why consumers want to block all ads. Its because of illegal virus ads like this.

Not at all. I imagine that most of us around here who install AdBlock and FlashBlock do so because of the bandwidth and processor power that ad-laden pages take. People on non-Windows platforms hardly have to fear WMF exploits.

Re:Prosecute virus creating companies.

[Ethan+Allison]

People on non-Windows platforms are generally not the targets of ads, as indicated by XP-styled "message box" banners.

Re:Prosecute virus creating companies.

[Tim+C]

I imagine that most of us around here who install AdBlock and FlashBlock do so because of the bandwidth and processor power that ad-laden pages take.

Speaking personally, I generally block ads that are misleading, flashy and/or distracting. I've lost count of the number of times an otherwise perfectly good webpage has been ruined (aesthetically) by an in your face ad.

Anything that attempts to look like a system dialogue, or to convince me that my PC is running slowly and needs to be fixed, etc, gets the entire advertiser's domain and sub-domains blocked. I hate that shit.

Re:Prosecute virus creating companies.

[suffe]

I must confess, I've never been able to quite understand how companies are willing to show those adds on their space. Seemingly serious sites can be littered with them and in regard to professionalism it just seems like scraping the bottom of the barrel. Who can take a company/site serious when they are (through their ads) trying to outright scam their customers?

Re:Prosecute virus creating companies.

[tehshen]

Who can take a company/site serious when they are (through their ads) trying to outright scam their customers?

This works for the same reason that spam works - it's cheap to do, and only a few stupid people need to click on the ads for them to be making money again.

Re:Prosecute virus creating companies.

[Bogtha]

I have to disagree with both of you. People block ads not because of risk, not because they take up too much bandwidth and processor power, but because they take up too much attention. People want to pay attention to the real content, not wade through fake distracting crap that wants to sell them something.

Re:Prosecute virus creating companies.

[bcmm]

The creation of this basically malicious content was wrong and should be punished by the Law, but please don't join the media and the less educated parts of our governments in refering to all computer security exploits as "viruses".

This attack is not a virus because it cannot spread to new hosts from infected machines. It is, more accuratly, a trojan, in that it is "executed" under the false pretence of being non-malicious code (I put "executed" in inverted commas because there is the additional issue of how it ended up actually executing native code on the infected machines).

Also, the people who recieve harsh sentances are normally writers of worms, rather than viruses. This is because the extremely rapid way in which some worms infect new machines can cause serious overload of the networks over which they spread, which tends to cause more $s of damage than the damage to the actual machines. Although these ads are wrong, they have not had that sort of global impact on networks.

So, while I agree that these people should be prosecuted and severely punished, I believe that it is misguided to say that they should be prosecuted under the same laws as virus and worm authors, as this would just muddy the water and add to the current situation where all computer users have to be worried about which laws they might be breaking.

Re:Prosecute virus creating companies.

[suffe]

If anything, I might overestimate the value of a returning customer. Or they might underestimate it. Who knows.

I love how the submission links the comments

[Neoncow]

This way we don't even have to read the article if we want to! We can just comment about the comments of the article. =D

This comes right after a Flash hack

[ben+there...]

Tom (the site's...er, spokesperson) left this message in everyone's Inbox on the 17th:

Latest Update: 05:15PM PST, Monday, July 17th.
hey folks - we are moving myspace music players and video players to flash 9.0. flash 9 has security fixes so that people can't mess with you on myspace. if your 'about me' got screwed up this weekend, you could have been safe if you had flash 9 installed. here's an easy way to install it, go watch this dashboard video i posted last week. if you don't like dashboard, just watch any video in our video section, and you'll be prompted to install flash 9.

His solution to the hack that destroys a section of your profile is not that he will fix the site, but that you should install Flash 9.

Re:First time?

[hendridm]

Makes me question myspace, you'd think they have people watching for these sorts of attacks.

Hah, that's like finding a loaded diaper in a garbage dump and then complaining about the level of sanitation.

All your Myspace are belong to us?

[davidwr]

"It's called My Space not Your space for a reason."
    -MySpace Vice President In Charge Of Revenue Generation

Just update

[bigtimepie]

From the article:

Microsoft released a patch in January to fix a serious security flaw in the way Windows renders WMF
What is clear from this attack is that there are plenty of people who still haven't installed this security update from Microsoft.

If your OS puts out a security fix, it's probably for a reason. This could have been avoided for everyone just by keeping up-to-date.

Re:Just update

[0racle]

Lots of exploits that have been released have been fixed before the exploit made the rounds. Its just that the type of moron MySpace caters to are also the type of moron that won't ever learn how to do things right.

MySpace knows its users are idiots, and that they aren't going anywhere until their 15 minutes of fame are up. What do they care that ads they carry also target those same idiots.

Re:Just update

[Zindagi]

There might be other reasons why your computer is not up to date. For instance, now that Microsoft insists I install WGA before I can get the updates -- I havent been getting the updates. So Lord knows what all critical fixes my computer is missing. Not that that excuses anybody for using IE :)

Tips

1. Use Mozilla Firefox.
2. Uninstall Flash, you don't need that proprietary junk, 99% of all flash animations are ads/banners anyways.
3. Maybe you want to "block loading of images from third-party sites".
4. Use the Adblock extension for Firefox, you can get it at http://adblock.mozdev.org/ and get some rules for it.
5. Use a more secure operating system.

I hate Myspace, it is a website that caters to retards, it is so dumb.

Prosecute the "sellers" too

[SuperBanana]

Prosecute virus creating companies.

How about Myspace as well? It is easily argued that Myspace controls the banner space and content added to the 'global' site (ie every page). This is akin to aiding and abetting.

The sad thing is that a million PCs were infected, and probably 500,000 of them will -stay- infected. And will this even remotely hurt Myspace's market share/traffic? I seriously doubt it.

Re:Prosecute the "sellers" too

[arkhan_jg]

I agree with your examples, but not with your linking of them with the original problem. A bank or computer maker or hotel's CUSTOMERS are committing the illegal act. You're right, the business should not be held liable for what their clients do, i.e. myspace shouldn't be held liable for what their users hosting pages put on them.

This is different. This is the business putting up an advertising hoarding that is dangerous to visitors. The business already vets its adverts (so no porn), so it has the duty and capability to vet its adboards for viruses, just as if it was hosting auto-install viruses on the front page in their own webspace.

Just because it subcontracts the advertising out to a third party doesn't get myspace off the hook, any more than a bank with a beartrap inside the front door wouldn't be liable because their builders put it there.

DNS Ad-blocking

[computergeek1200]

My solution to solve this problem is to block the domains of the servers that host these ads such as (pagead2.googlesyndication.com) by using a dns server. This is better than firefox ad-blocking or most other systems. This system prevents any connection to the advertising server. I have a dns server for ad-blocking that is publicly avaiable at 68.147.32.114.

Click here to see if you configured your dns properly.

Re:DNS Ad-blocking

Using a public DNS server requires a fair amount of trust. I'd rather have just a list of hosts to block, which are widely available and much less of a security risk.

Re:First time?

[tinkertim]

>> Makes me question myspace, you'd think they have people watching for these sorts of attacks.

Yes, and you're 100% right. Since they are syndicating it, showing 'due diligence' in making sure they aren't syndicating harmful code is their responsibility.

The question comes down to , reasonably, what is a good percentage to equate with 'due diligence' in checking what they syndicate. They have a few million pages, videos and photos to police, as well as watching what their advertisers are using their network to display.

So even if they go way above and beyond the 80% catch rate of abuse prior to it leaving their network, stuff like this is still going to happen. I'd imagine they only catch about 70% of illegal use involving their network, and considering its size and attractiveness to bad-doers, that's not bad.

Of course its an age old argument, who is most at fault. The person who shot the gun or the company that provided it?

I am also noting a rather old vulnerability was exploited, and people not updating their systems need to share some of the blame.

So I guess in essence .. 'shit happens.'

Re:why?

[kjart]

Anyone who protests tracking of their web usage obviously hates america.

Exactly - every time you delete a cookie an american flag bursts into flame.

Virus/adware-spreading ads

[john_prog]

Ads can be a growing security risk in the future. I'd like to ban all ads at work, but I can't do that since IE6 is the only allowed browser here and no extra software is allowed to be installed. Once I surfed to Dilbert website for comics that I thought would be safe, but Errorsafe malware tried to install itself to my machine (by ActiveX component in an ad). See http://koti.mbnet.fi/jnyman/dilbert.html screen capture here (the dialogue text is in Finnish, but the bottom line asks "Do you want to install Errorsafe program to your computer to check your computer for free (recommended)?". I complained about this to Dilbert website's webmaster and to Scott Adams and they replied that they're looking at the problem, but after that nothing. Haven't visited Dilbert website since at work. Hope this is not a growing trend.

Re:Virus/adware-spreading ads

[SCPRedMage]

In your case, the problem wasn't with the Dilbert website, and in the parent article, it wasn't a problem with myspace, either.

The problem is with the ad-serving companies that these websites use. Either they're less-than-trustworthy, and are directly responsible for the exploits being used, or they sub-contract out, and don't care enough to keep an eye on their "partners". Usually, notifying the webmaster of the offending site is enough to get them to have a "talk" with their advertisers to resolve the situation.

Of course, you probably already know this, but it bears repeating as it's something that can be missed by people not familar with the subject.

Please, won't someone think of the n00bs?

Re:Virus/adware-spreading ads

I had dilbert.com as my home-page for years, but recently gave up on it in disgust. 9 times out of 10 Firefox would block anything upto 3 popups, and then they started to carry an extremly obnoxious popup that even Firefox couldn't block. I figure anyone being that anti-social doesn't want me around, so I left. If I were Scott Adams I'd be outraged by United Medias total dimwitedness, but I guess his Clue departed many years ago.

Re:Heh, on Facebook too.

[rhizome]

I'd ban the advertising company from my site after a stunt like this, no matter how much money they bring in.

Let me guess, you generally don't receive advertising money.

The shocking part is....

[Rapier]

The shocking part is that there are still people using Windows. I've got a laptop sitting around here with Windows on it that I use as a novelty once in a while, but it's not like it can really do anything useful. The package management system is horribly antiquainted, the dependancy checking leaves a lot to be desired, and then there are the security holes in the stock applications that come with the OS. Maybe some day it will mature enough to be useful, but for now it's just a novelty that still isn't up to being used in a production environment.

Re:The rise and fall of myspace

[arivanov]

While I agree with you about myspace, the exploit is not by any means MySpace specific.

On previous occasions Falk AG has served exploits like this through websites like www.theregister.co.uk. In that case Falk had their ad delivery servers broken into.

This is not the first time and as the time goes we will see much more of this.

Re:why?

[max99ted]

Exactly - every time you delete a cookie an american flag bursts into flame. So what happens when you clear all cookies from you machine?

God kills an American kitten.

Prosecute MySpace

[Yez70]

Do you really want companies to run extended background checks on you before they sell you anything to make sure you may not use it in some obscure way to harm others?
 

You mean like the government wants our ISPs to track and monitor our web usage and keep copies of all our IM's, searches and emails? Or how about our libraries revealing what books we check out? Maybe AT&T could provide a log of all your phone calls. How about the banks reveal all your financial transactions?

Oops, I forgot - the Patriot Act, among other obscure laws, already allow this.

Innocent until proven guilty no longer applies in the land of the free - why should it apply to corporate America any different? Oh yea, I forgot, they own the politicians.

Why can't Microsoft patch the holes in it's software? Why can't MySpace screen it's advertisers? They aren't showing porn site ads, because they 'screened' the ads, correct? So, how come they are serving adware?

If it's ok for the government to be constantly running background checks (illegally I might add) on it's own citizens in a 'FREE' country, then MySpace should also be responsible for spreading viruses and spyware. Of course, they won't ever have to answer for it. News Corp may as well be owned by the GOP...

is myspace responsible for their site or not?

[SuperBanana]

Only if Myspace knew what was going on (which they almost certainly did not).

I'll make this very simple for you: Is myspace responsible for the content they put on their site, or not?

When you are a website the size of myspace, failing to vett your advertising borders on gross negligence and incompetence.

Furthermore, if you study how 'responsibility' plays out in the business world, particularly with lawsuits- the first party on the food chain is responsible. If that company wants to take action against its employees, suppliers, etc- so be it. But the buck, figuratively, stops at "round one".

Same thing on OKCupid...

[Max+Threshold]

I encountered an ad which prompted me to download a file called 'exp.wmf'.

Yes, it's an online dating site. No, I haven't met anyone on there yet. Shut up.

Doesn't matter

[Frightening]

Most people on MySpace have so much spyware to begin with that no change was noticed in their daily activity.