Slashdot Mirror


Malware Delivered By Yahoo, Fox, Google Ads

WrongSizeGlass writes "CNET is reporting that Avast has tracked over 2.6 million instances of malware that have been served up to unsuspecting web surfers since last December by ad services such as Yahoo's Yield Manager, Fox Audience Network's Fimserve.com and even some from Google's DoubleClick. Some high-profile sites include The New York Times, Drudge Report.com, TechCrunch and WhitePages.com. The practice has been dubbed 'malvertising.' I usually suspect the users of 'careless web activity' when I delouse a PC, but now I'm going to have to give some the benefit of the doubt."

319 comments

  1. Yup....seen it. by Em+Emalb · · Score: 5, Interesting

    At my work, we allow unrestricted access to the net, but log everything. We had a recent spate of vundo variants come through, and when we went through the logs, almost all of them were via the NYTimes or Wa Post. Frustrating, when large companies like this make work for you. For the most part, the allow-everything-and-log-it approach, combined with IDPS on the front-end(s), has helped quite a bit.

    --
    Sent from your iPad.
    1. Re:Yup....seen it. by tivoKlr · · Score: 5, Insightful

      I was an IT admin in my former life and operated in a similar fashion to you, allowing unfettered access to the internet for our employees (it was a Fire Department, and the staff was there for 48 hrs straight, so allowing them some creature comforts such as facebook and youtube was appreciated). Having solid, centrally managed AV on each client machine, along with limited local user rights, seemed to be effective.

      I wish more facilities would take this tact instead of letting some firewall with a blacklist subscription slowly narrow the available internet to static sites that are considered "safe." True irony that advertising from some of these safe sites is now delivering payloads. Ironically, where I work now (not in IT), plenty of popup ads from news sites make it through, so I would assume we're vulnerable through this vector.

      --
      Ocean is land, covered with water.
    2. Re:Yup....seen it. by Nos. · · Score: 2, Informative

      I work in the security group and we had a few machines on our help desk get infected with the Antivirus Live malware. After some research, we determined that it came through a legitimate site (help desk site that emulates various OS... can't think of the name), or more specifically the ads on the site.

      We do run WebSense, but this was a legitimate site that our help desk uses quite frequently. All machines were up to date with McAfee, but it was a new variation. We ran it through VirusTotal.com within hours of the infection and I believe there were only two on the list that picked it up at that time.

      So it wasn't the fault of the user and it can't be blamed on our choice of AV vendor. Obviously we need a better way of detecting malware. McAfee does have Artemis, but it failed on VirusTotal as well.

    3. Re:Yup....seen it. by Em+Emalb · · Score: 4, Insightful

      Obviously, the biggest hurdle we're having to deal with is user education. I've got a select few folks in various departments learning to work with ad-block and no script, but for the average person, it's hard to figure out what they need to unblock and what they can block with no ill effects. It's frustrating to them, and by extension, our helpdesk guys who end up fielding calls from the same people (over and over) with the same questions. Of course, the other issue we have is vendor lock in, with their stupid sites working correctly ONLY in IE. I hate that, but in my case (financial industry) it's so rampant there's nothing we can do about it except lock stuff down as best we can.

      That said...these large companies that aren't paying attention to the ads their serving are just as at fault as any un-educated (or even educated) user is.

      --
      Sent from your iPad.
    4. Re:Yup....seen it. by Em+Emalb · · Score: 4, Informative

      aren't paying attention to the ads their serving are just as at fault as any un-educated (or even educated) user is.

      Aw man. They're. Not their. And I make that gaffe while writing about un-educated and educated. Fail, thy name is Em.

      --
      Sent from your iPad.
    5. Re:Yup....seen it. by Anonymous Coward · · Score: 0

      vundo's nothing. try virut

    6. Re:Yup....seen it. by commodore64_love · · Score: 2, Interesting

      I run a program called "TeaTimer" that automatically blocks changes to your computer or registry. I'm not sure how well it works in a work setting, but for my home PC it's caught numerous browser-based programs from doing damage.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    7. Re:Yup....seen it. by ShadowRangerRIT · · Score: 2, Insightful

      Ouch. The two news sites I browse most often. Good thing I run AdBlock and NoScript, and I wrote myself a Greasemonkey script to rewrite all the internal links to point to the print-friendly (read: ad-free) versions of the articles.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    8. Re:Yup....seen it. by Hadlock · · Score: 1

      Hell, just last week (last Friday!) a flash ad on TechCrunch (linked to from Google News, no less!) opened a new tab in Google Chrome and downloaded a PDF to my desktop under XP SP3. That was an eye opening experience....

      --
      moox. for a new generation.
    9. Re:Yup....seen it. by Talderas · · Score: 2, Interesting

      As I write this message, I am running a scan to make sure I just finished cleaning this virus off one of my user's machines. This user has TeaTimer installed, yet still got infected. It's rather odd, seeing as the infection piggybacks on some registry values. So either the user is mindless hitting Allow on TeaTimer, or the virus is circumventing it.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    10. Re:Yup....seen it. by Victor_0x53h · · Score: 3, Insightful

      I believe using TeaTimer would teach the average user to constantly click "Yes" without thought. As mentioned before this kind of security has a huge education barrier. I haven't run with TeaTimer since it was first introduced with Spybot, but my experience was pretty awful being prompted anytime anything was run.

      Also if TeaTimer prevents changes to the registry prompted by some piece of crapware, said crapware has already been executed. What else has it done; how much protection does blocking changes to the registry really provide?

    11. Re:Yup....seen it. by Anonymous Coward · · Score: 0

      Frustrating, when large companies like this make work for you.

      I remember when Yahoo mail (even Yahoo Mail Classic) was usable without Javashit activated.

      About a year or two ago, about the time they integrated some sort of "chat" functionality into their webmail services, they broke the old webmail service. Today, if you try to check your inbox with Javashit disabled (even if you've opted for the "classic" mail, and even if you've deactivated the "chat" bullshit), the screen auto-refreshes rapidly, and after a few moments, the Y! servers protect themselves against a perceived DOS, and lock the user out with a "999 error".

      It's not just Yahoo's negligence in policing their ad networks, it's Yahoo's active maliciousness in turning even "old" or "classic" services that worked perfectly fine without Javashit, into ones that won't work unless the user compromises their own client's security.

    12. Re:Yup....seen it. by commodore64_love · · Score: 1

      >>>the user is mindless hitting Allow on TeaTimer

      Yes. TeaTimer won't allow the registry to change unless you first click "ok". As for the annoyance I've not noticed any problems. A lot of times I forget TeaTimer is even running. It's certainly less troublesome than NoScript's constant nagging.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    13. Re:Yup....seen it. by Anonymous Coward · · Score: 1, Informative

      One little hint to avoid/recover from virut.

      Don't store passwords in your browser or in any text file, registry, or any plain un-encrypted space. Your passwords are going to be the ONLY VALUABLE DATA you have left, and you'll have a small window of time to get them all changed. While if you have no backup, your initial time is going to be wasted reloading an OS. If you have a clone, you're up in minutes replacing passwords.

      INSTALL A FUCKING HARDWARE FIREWALL
      Firewall / router
      IPCop + Adv Proxy + URL filter

      ADD a URL filter rule

      Blacklist "iframe"

      looks like on single line

      iframe

      Some others I like


      About the iframe block
      (sorry, no more blogspot.com posting without a little work) Most iframe sites are shit anyway, but you can make an EXCEPTION for your favorite crappy coded iframe website. (While you might be able to pull this off with firefox plugins, there are other browsers eh... which is why we block this shit at the input, er well um in squid)

      Clone Backup of OS. e.g. 750G drive to 750G drive.
      (Clonezilla, Acronis)
      You get hit, You roll back. Less than 20 Min.

      Password Manager
      (Cross Platform on USB - keepassx.org), you get hit, you replace your bank passwords first, your servers second, your blogs like /. third. Bla bla bla, all organized, now you are god.

      Virtual Machines.
      I always liked vmware, then I found SunVM, and then I heard about win7's vm exploit. So I am sticking with SUNVM. That said, create OS iso's for...

      VM OS for dangerous browsing, let er rip, cause when we reboot it's new again, so lets see what happens. Let's learn.

      VM OS for shopping.

      VM OS for banking.

      OTHER PROTECTION.
      Obviously all the other security shit, Kaspersky (KIS), pop3 mail only, no webmail, no HTML mail, NoScript, ABP, TOR, ztree, HJT, spybot, process hacker, etc.

      OF NOTABLE MENTION: Secunia's PSI http://secunia.com

    14. Re:Yup....seen it. by Anonymous Coward · · Score: 1, Informative

      I wish more facilities would take this tact

      <nazi mode="semantics">You mean tack , "the direction of a ship with respect to the trim of her sails" or, metaphorically, "a course or method of action". Tact means "sensitive mental or aesthetic perception" or "a keen sense of what to do or say in order to maintain good relations with others or avoid offense" and is not short for, nor in any way related to, the word tactic.</nazi>

    15. Re:Yup....seen it. by mzs · · Score: 1

      I use yahoo mail classic with noscript and adblock plus in Firefox. I see no such problems. I also use RequestPolicy and CookieMonster, but for that site they happen to do nothing special. You should try again.

    16. Re:Yup....seen it. by Anonymous Coward · · Score: 0

      I never fucking understood, why someone who is correcting THEMSELF gets modded off topic. FUCK YOU MODS

    17. Re:Yup....seen it. by tunapez · · Score: 2, Interesting

      What I've found to work is, again, unfettered access combined with some sagely advice on where to find safe smut (redtube, youporn, mega...), and setting up a sandboxie icon that looks just like a regular Firefox button. Whether it be masking the icon for sandboxing or to give them a blue E to start FF/Opera/Safari, I find giving less insight into what I'm doing and just making things seem like nothing has changed is the best policy.

      Do muni FDs allow internet access outside of email and work site nowadays? I've set up privately contracted, shared wireless hubs (VZ USB w/ old laptop & wireless router) @ a couple stations in the past b/c all they got was work related net. Brother on the right coast concurs, his FD does not supply even 1 station/signal to access their department mail accounts. I was told, Internet has too many expenses and liability for the org to shoulder the costs of everyday surfing. Add to that it's part of a critical system with lives depending on instant/unrestricted communication, it's paid for with taxpayer money (thus every log & email is available via a public records request) and the chit really gets deep when that Fck-A-FF MySpace page makes the 6 o'clock news.

      --
      Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
    18. Re:Yup....seen it. by Anonymous Coward · · Score: 0

      If you want to build a botnet do you go for the 35 people who like hirsute midget and bald donkey porn, or do you go for the couple million people who casually visit FoxNews and the NYT?

    19. Re:Yup....seen it. by Schadrach · · Score: 1

      Couple this with setting the permissions on certain registry keys so that "Everyone" is denied the ability to do anything with the key except view it and change permissions, and only "Administrator" can set permissions. A favorite of mine to give that treatment is the file association for executables, as a lot of malware of the "fake AV" type nowadays is changing the association of executables to run itself when you run any other program.
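
A defender-side check for the hijack Schadrach describes, as an added Python example that is not from the post: it parses a .reg export (the excerpt below is constructed, not from a real machine) and flags an executable file association whose open command is anything other than the stock "%1" %*. The function names and the placeholder path are mine; the optional live read uses the standard winreg module and simply returns None off Windows.

```python
import re

# The stock (Default) value of ...\exefile\shell\open\command. Anything else
# means every program launch is routed through something else first, which is
# the "fake AV" trick the post above describes.
EXPECTED_EXE_COMMAND = '"%1" %*'

# HKCR is a merged view of the per-machine and per-user Classes keys, so a
# .reg export may show the association under any of these paths.
EXE_COMMAND_KEYS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
    r"HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command",
}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# @="..." is the key's (Default) value; inside the quotes, \" and \\ are escapes.
_DEFAULT_RE = re.compile(r'^@="(?P<val>(?:[^"\\]|\\.)*)"\s*$')


def _unescape_reg_string(s):
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text):
    """Map each key path to its (Default) string value, for keys that set one."""
    defaults = {}
    current = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            continue
        m = _DEFAULT_RE.match(line)
        if m and current is not None:
            defaults[current] = _unescape_reg_string(m.group("val"))
    return defaults


def find_exe_association_hijacks(text):
    """Return (key, command) pairs whose exe open command is not the stock one."""
    return [
        (key, value)
        for key, value in parse_reg_export(text).items()
        if key in EXE_COMMAND_KEYS and value != EXPECTED_EXE_COMMAND
    ]


def read_live_exe_command():
    """On Windows, read the live HKCR value; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as k:
        return winreg.QueryValueEx(k, "")[0]


# Constructed .reg excerpt (not from a real machine): the HKCR entry has been
# hijacked to run a placeholder binary in front of every executable, while the
# HKLM entry still holds the stock value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\PLACEHOLDER\\fakeav.exe\" /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, cmd in find_exe_association_hijacks(SAMPLE_REG):
        print(f"HIJACKED {key}: {cmd}")
```

Run the same check against `reg export HKCR\exefile out.reg` from a suspect machine; a clean association produces an empty list.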

    20. Re:Yup....seen it. by LordLimecat · · Score: 1

      From my experience, simply removing adobe reader and installing foxit (including browser plugins) solves the issue, since it's through infected PDF autoloading that I've seen most of my client's infections.

    21. Re:Yup....seen it. by BrokenHalo · · Score: 1

      If you want to build a botnet do you go for the 35 people who like hirsute midget and bald donkey porn, or do you go for the couple million people who casually visit FoxNews and the NYT?

      Hey! What about those of us who are into albino ostrich porn? (Currently zero Google hits: obviously I'll have to invent it...)

    22. Re:Yup....seen it. by Anonymous Coward · · Score: 0

      It's tack, not tact.

      You're welcome.

    23. Re:Yup....seen it. by E-Rock · · Score: 2, Informative

      Because of this we have enabled inPrivate filtering for IE8 via group policy (not the same as inPrivate browsing). It's an effective ad blocking tool. I hate that we have to block the revenue sources of the pages we visit, but when they're being used to deliver malware, I don't see an alternative.

    24. Re:Yup....seen it. by Anonymous Coward · · Score: 2, Interesting

      Thank you. I saw it but let it slide. I fought my last battle trying to explain that "downfall" was not a synonym for "drawback". They're words, which have meaning.

      I don't object to people not knowing words, but I have a real problem with them using words of which they do not know the definitions. Ignorance is not a sin unless your arrogance prevents learning.

    25. Re:Yup....seen it. by Anonymous Coward · · Score: 0

      Kudos for owning up to the mistake :)

    26. Re:Yup....seen it. by Anonymous Coward · · Score: 0

      I use yahoo mail classic with noscript and adblock plus in Firefox. I see no such problems. I also use RequestPolicy and CookieMonster, but for that site they happen to do nothing special. You should try again.

      Firefox 3.5.2 and 3.6 confirmed. What's your environment like, and/or what Yahoo URLs are you actually ending up at when you attempt to use Yahoo mail?

      Here, in about:config, javascript.enabled is false. network.cookie.cookieBehavior 0, network.cookie.alwaysAcceptSessionCookies false. network.cookie.lifetimePolicy 2. privacy.item.cookies is true.

      mail.yahoo.com takes me to http://us.mc316.mail.yahoo.com/mc/welcome?.gx=1&.tm=(a timestamp)&.rand=(some random numbers). There's a brief flash about screen readers and a suggestion to go to http://us.mc316.mail.yahoo.com/mc/welcome?noajax, but it also loops incessantly.

    27. Re:Yup....seen it. by jafiwam · · Score: 3, Informative

      It's not the sites, it's the ad networks.

      Go get a HOSTS file that blocks ads and keep it updated and pushed out on your network.

      I see ZERO ads most days. When some new ad network annoys me, I go add it to my HOSTS file. The same thing can be done with the network DNS server without needing to modify machines.

      Believe me, most people don't bitch (very much) about not seeing ads on the internet all of a sudden. They might be curious about it, but usually that's it.

    28. Re:Yup....seen it. by jafiwam · · Score: 1

      This is completely unintelligible. iFrame is a legit and useful web design tool. Go back under your rock in your basement dude, there's some FORTRAN waiting for you there.

    29. Re:Yup....seen it. by NeoSkandranon · · Score: 1

      Teatimer's nice, and I've used it to good effect on various machines, but it seems to kill startup performance and eat a ton of memory. Have you seen similar?

      --
      If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
    30. Re:Yup....seen it. by Xtifr · · Score: 1

      I don't object to people not knowing words, but I have a real problem with them using words of which they do not know the definitions.

      You obviously don't have any kids. Language acquisition is a fascinating process, and bears little resemblance to what I expected, even though I did it myself once upon a time.

      Bottom line: if we tried to follow your rule, kids wouldn't be able to speak until they'd learned to read. Which might have some advantages, I admit, but seems unlikely to be practical. :)

    31. Re:Yup....seen it. by Trarman · · Score: 1

      That is a good solution, except, my hosts file got so huge it slowed down all internet access like I was dialup again.

    32. Re:Yup....seen it. by Skratchez · · Score: 2, Informative

      I thought we were the mods. :ohdear: But yeah, follow Taco's law, rate down if it's irrelevant or interesting, not because you are the legendary grammar Nazi or if you disagree with a valid point.

    33. Re:Yup....seen it. by Anonymous Coward · · Score: 0

      Well, that is where I see NoScript as being an improvement over AdBlock. The stuff still gets downloaded, it just doesn't get executed. So you're still hitting the ad server, you just don't let them execute random crap. If it's actually interesting, then you can temporarily enable scripting for that site and click through. If the ad is so broken that it requires scripting, too bad, so sad.

    34. Re:Yup....seen it. by ppanon · · Score: 1

      While there probably are children still learning the use of language using slashdot, it seems to be a reasonable expectation that most posters would be adults with a reasonable command of language who can be held to a higher standard. That said, due to its international nature, this type of problem on slashdot is more likely to be ESL-related.

      --
      Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
    35. Re:Yup....seen it. by mzs · · Score: 1

      I have this setup at work. It is firefox 3.0.x on FreeBSD 6.2. I also see that brief screen about the screen reader and then it quickly goes to the familiar classic page. It does not loop endlessly like it does for you. I have had trouble like this before with my banking site where I had a cookie that would trip it up. The easiest thing to do to check if it is something of that sort is to create a new blank firefox profile and try it in that to see if it is such a problem. Then if it works, you can use the cookie manager to remove cookies until you have nuked the troublesome one. For that one I allow session cookies, but on exit/start I clean them all anyway. Maybe you need to be more permissive? Again I use CookieMonster, so I do not believe that the about:config settings are really used. Good luck.

    36. Re:Yup....seen it. by GameboyRMH · · Score: 1

      Yeah Foxit (I'd say without browser plugins, I mean does it HAVE to open in a browser window? That's one less component to exploit) + Flashblock will go a long way to keeping these things out. Browsers are really falling behind on security and privacy these days, none of them even have built-in flash cookie management.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    37. Re:Yup....seen it. by mzs · · Score: 1

      My url matches this glob (all concatenated together, ignore white space)

      http ://
      us.mc[1-9][0-9][0-9] .mail.yahoo.com/mc/showFolder?fid=Inbox&order=down
      &tt=[1-9][0-9]
      &pSize=[1-9][0-9]
      &.rand=[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]

    38. Re:Yup....seen it. by mzs · · Score: 1

      In the preview I did not catch that the backslash escape was lost on the question mark, you get the idea though.

    39. Re:Yup....seen it. by cffrost · · Score: 1

      I hate that we have to block the revenue sources of the pages we visit [...]

      Maybe you could ask them to sign you up for some kinda junk mail promo or spam list or something...?

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
  2. One lesson to learn by courteaudotbiz · · Score: 1

    Never ever click an ad!

    1. Re:One lesson to learn by Anonymous Coward · · Score: 0

      That won't save you.

      You need to block the 3rd party ads, and their scripts cookies or flash.

    2. Re:One lesson to learn by Anonymusing · · Score: 4, Informative

      FTA: "Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser."

      --
      Liberal? Conservative? Compare perspectives at Left-Right
    3. Re:One lesson to learn by julesh · · Score: 5, Informative

      Never ever click an ad!

      Clicking not necessary. I was infected with malware earlier this month without any interaction after visiting the Pirate Bay. An advert used javascript to redirect me to an obscure URL ( http://uqwaaa.in/cgi-bin/gjj ), which proceeded to use a Firefox flaw of some kind to infect me. 3.6 doesn't seem to be susceptible, but 3.5.7 which I was running at the time *was*. The exploit installed a Firefox extension that randomly redirects links from google, yahoo and bing to advertising pages.

    4. Re:One lesson to learn by Anonymous Coward · · Score: 0

      From the article:

      Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser, Avast said.

    5. Re:One lesson to learn by ygthb · · Score: 1

      So who says they clicked, it could be auto delivered. I have seen many arenas where they mandate anti-virus (usually crap) and do nothing about malware.

      Not many know about locking down hosts files, using ad-aware, spybot s&d, or the like. I still use javacools stuff.

      --
      Create like a god, command like a king, work like a slave. -Guy Kawasaki
    6. Re:One lesson to learn by oldspewey · · Score: 5, Funny

      Indeed, and for people browsing Fox News, you don't even need a computer to be infected.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    7. Re:One lesson to learn by L4t3r4lu5 · · Score: 1

      I guess I'll start whitelisting advertising when they can stop drive-by malware infecting my computer.

      AdBlock can stay enabled for the time being. Sorry, Ars.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    8. Re:One lesson to learn by Anonymous Coward · · Score: 1, Insightful

      Two pieces:

      Ad blocking hosts file

      Flashblock

      Web browsing just got a whole lot faster.

    9. Re:One lesson to learn by Anonymous Coward · · Score: 0

      At least when using Windows.

      I guarantee 100% of the malware being delivered is Windows only.

    10. Re:One lesson to learn by ShadowRangerRIT · · Score: 1

      Last I checked, Flashblock isn't a security feature, it's a convenience feature. The Flash loads, but is quickly suspended and replaced in the DOM by the button. But it still has a brief window in which to do something malicious. If you want security, you need Adblock and/or NoScript (for blacklisting and whitelisting respectively). I personally run all three; untrusted sites are locked down by NoScript, and trusted sites are unlocked by NoScript, but have the Flash blocked for convenience/performance.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    11. Re:One lesson to learn by alexhs · · Score: 1

      FTA: "Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser."

      Which probably actually means :

      Users don't need to click on anything to get infected; a Microsoft Windows OS becomes infected after the ad is loaded by Microsoft Internet Explorer.

      --
      I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
    12. Re:One lesson to learn by TheThiefMaster · · Score: 1

      Don't block using a hosts file, it's not for that. If you do, at least redirect to 0.0.0.0 (guaranteed invalid address) not 127.0.0.1 or 255.255.255.255.

      For browsing adblock is better, for general blocks (like what a hosts file would give) use a damn firewall.

    13. Re:One lesson to learn by stony3k · · Score: 1

      Use Noscript - it warns you when a URL hijack attempt occurs

      --
      Freedom is not worth having if it does not include the freedom to make mistakes. - Mahatma Gandhi
    14. Re:One lesson to learn by commodore64_love · · Score: 3, Insightful

      Yes because it is an established fact that Fox has no bias

      STRAWMAN ARGUMENT. I never said that. What I said was that CNN, MSNBC, ABC, CBS, et cetera have a pro-government and anti-individual-liberty bias.

      Point - They are ALL biased, therefore if you're going to attack FOX for bias, then you should be attacking all the TV media outlets for the same reason.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    15. Re:One lesson to learn by Talderas · · Score: 1

      Nope, I've had users get infected with this that solely use Firefox for web browsing. This is not a virus that exploits Windows, it's really targeted at exploiting Adobe vulnerabilities plus a few others.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    16. Re:One lesson to learn by commodore64_love · · Score: 1

      P.S.

      Outside news sources? Like BBC? Also biased in a pro-government and pro-EU manner. There really is no such thing as an unbiased source, although I do enjoy watching Russia Today for its unique perspective.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    17. Re:One lesson to learn by oldspewey · · Score: 0, Flamebait

      CNN, MSNBC, ABC, CBS, et cetera have a pro-government and anti-individual-liberty bias

      Fox zombie detected in commodore64_love

      [E]rase, [D]isinfect, [M]ove to Vault, [I]gnore?

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    18. Re:One lesson to learn by somersault · · Score: 2, Interesting

      Does anyone know of an equivalent to having a hosts file that you can use in conjunction with a Windows or Linux DNS server so that you can just block sites at the actual DNS server rather than having to keep updating the hosts file blacklist on all clients?

      --
      which is totally what she said
    19. Re:One lesson to learn by L0rdJedi · · Score: 1

      It might be Windows only, but it certainly is not limited to Internet Explorer. I use FireFox at home exclusively and ran into one of these. It threw up a screen that looks just like the Windows security center telling me I might be infected. Before seeing this, I always thought people were just being careless. After seeing it, I was pissed that a site like the NY Times would allow such an ad on their site. Suddenly, the "safe sites" aren't so safe anymore.

    20. Re:One lesson to learn by L0rdJedi · · Score: 1

      Which is great for someone technical, but ends up involving a lot more calls to the help desk if you put it on a regular user's machine. "Hey, I got this message about a warning of some kind?". You'll get about 5 of those in a row before deciding to turn it off and find another solution.

      Any time something pops up on a user's computer that they aren't used to seeing, they're going to do one of two things. They're either going to call you up about it (not a bad thing if it doesn't happen too often) or they're going to try to "fix it" themselves. That usually ends up making the problem worse. I don't know what it is, but most people are simply incapable of just reading a screen and making a decision. I guess it's the same thing as the oil light on a car. People see it, don't know exactly what it means, but since the car keeps going, they don't worry about it.

    21. Re:One lesson to learn by Anonymous Coward · · Score: 0

      Easy bud, this is not a spot for that hate

    22. Re:One lesson to learn by commodore64_love · · Score: 0, Flamebait

      "Easily duped by politicians" citizen detected.
      Would probably have fit in 1930s Germany with ease.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    23. Re:One lesson to learn by Anonymous Coward · · Score: 0

      I disagree 1000%

      My 40,000 line hosts file makes the net a very nice place.

      I haven't even had to add new hosts in quite a while since i hunted down all the major ad servers and added them awhile ago.

      Of course it does break a few sites that rely on ads loading. But then again. I doubt i want to use those sites anyway.

      Between the hosts file and having scripting and java disabled. I rarely get annoyed at any sites anymore.

      Of course on windows you will need to disable the dns service. Or such a large hosts file will make your boot times into minutes instead of seconds.

    24. Re:One lesson to learn by Anonymous Coward · · Score: 0

      Or you could just use the hosts file, which works just as well as the firewall but doesn't require you to configure as exceptions every single executable of your computer.

    25. Re:One lesson to learn by Anonymous Coward · · Score: 0

      Running on Windows.

      Why can't the idiots that have to clean up this mess NOTICE THIS?

    26. Re:One lesson to learn by Anonymous Coward · · Score: 0

      :) some of these comments about Fox News make me wonder if they've ever watched Fox, and if they are at all capable of thinking critically. Yes watching Chris Mathews after mass consumption of alcohol may be entertaining (in fact it's the only way I can stand him), but it's not necessarily informative or unbiased. Had to laugh at the Commune News Network, I had always heard it as the Clinton News Network.

    27. Re:One lesson to learn by Vancorps · · Score: 1

      You sound like Glenn Beck, using scare tactics to shame the citizenry into bending to your will, ironically much like the fascists to which you referred.

      The reason other networks don't need to be acknowledged for their bias is that they are up front about it. For instance Rachel Maddow and Keith Olberman are both unapologetic and don't present their opinions as fact, in stark contrast to O'Reilly, Beck, Hannity, and all the other talking heads on Fox.

      CNN lacks content to have a bias and when they do have content and present news it is presented as news. Their editorial shows are like MSNBC where biases are spelled out from the beginning so again, no need to lump Fox in with them as they are definitely a unique animal. If they didn't present their content as news no one would have a problem with them.

    28. Re:One lesson to learn by Vancorps · · Score: 1

      A lot of DNS servers support blacklisting. If you have Windows server 2008 or most versions of Bind on the Linux side you can use blacklists like you'd expect. In short, it depends on which DNS server you use. There are other DNS servers for Linux that also support blacklisting.

    29. Re:One lesson to learn by Anonymous Coward · · Score: 0

      What? They are anti-individual liberty? Do you mean against gay marriage? Or against immigration reform? Equality? What the hell are you talking about then? Fighting for liberty does not mean fighting for things that benefit YOU, it means fighting for things that benefit EVERYONE. And frankly only the most LIBERAL organizations I know seem to be fighting for individual liberty. (ACLU, EFF, etc)

      Frankly I will give Fox a fair shake when it is no longer a thinly veiled PR arm. If it got more facts right than the average uninformed voter. Or if it actually did not confuse news and "pushing agendas" maybe I would not get so worked up.

      I read news from many sources in many countries. I find the concept of a worldwide liberal agenda humorous.

      Fox was created to be a conservative mouthpiece and that is all it is. But what makes it scary is that it has convinced many people to take uninformed emotion driven positions on issues it does nothing to present data on. It does little to educate on the issues and this is terrifying to people who wish for an educated and informed voter base. I see Fox doing much to undermine democracy. I see all PR firms as a threat to democracy.

    30. Re:One lesson to learn by Anonymous Coward · · Score: 0

      I'm currently using Privoxy, which allows domain and URL-based wildcard blocking. It can even rewrite the content of pages on the fly, spoof the user-agent, and remove the "referrer" header. It runs on windows or nix, you can have your DHCP server assign it as the proxy, or you can transparent proxy if you want.

      I had used Squid previously, it did the job, but was overkill for the simple blacklisting capabilities I needed.
      Before Squid, I had a Windows DNS server, and would add SOA records for bad domains (this was fairly simple through the DNS admin interfaces), I tried doing it on Linux, but it seemed to be more pain than it was worth.
      One issue I discovered in the windows solution, was the damn thing was flooding the root DNS servers trying to update the records for the blocked domains (there was a setting to disable this, I don't remember it).

    31. Re:One lesson to learn by bipbop · · Score: 2, Interesting

      Guaranteed invalid? No.

      ~$ telnet 0.0.0.0 22
      Trying 0.0.0.0...
      Connected to 0.0.0.0.
      Escape character is '^]'.
      SSH-1.99-OpenSSH_5.0 NetBSD_Secure_Shell-20080403-hpn13v1
      ^]cl

      telnet> cl
      Connection closed.

    32. Re:One lesson to learn by theaveng · · Score: 1, Offtopic

      Beck, O'reilly and Hannity have said multiple times that they are biased conservatives or libertarians.

      That you did not know that indicates you know nothing about FOX because you apparently don't watch it. How do you judge something as "junk" if you don't watch it? Hmmm. Must be magic.

      --
      FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
    33. Re:One lesson to learn by theaveng · · Score: 0, Offtopic

      SLASHDOT FAQ:

      "Concentrate more on promoting (adding points) rather than on demoting (subtracting points). The real goal here is to find the juicy good stuff and let others read it. Do not promote personal agendas. Do not let your opinions factor in. Try to be impartial about this.

      "Simply disagreeing with a comment is not a valid reason to mark it down. Likewise, agreeing with a comment is not a valid reason to mark it up. The goal here is to share ideas. To sift through the haystack and find needles. And to keep the children who like to spam Slashdot in check."

      --
      FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
    34. Re:One lesson to learn by Vancorps · · Score: 1

      None of them advertise themselves as being libertarians. O'Reilly and Hannity are staunch republicans, conservative or liberal is not a bias, republican or democrat is. Much like the fact that there are conservative democrats and liberal republicans.

      Despite the conclusion you have leapt to I have in fact watched plenty of Fox news as I work at locations that are Fox strangleholds. Additionally much of my family identifies with Fox so going home results in more of the same.

      I'll also notice that you didn't comment on what I actually wrote in regards to how content is presented. They present opinions as facts and that is where my complaint was with them. Of course that's in addition to the outright lies they have spread and getting facts wrong often enough that they are either incompetent or screwing up on purpose to further their agenda.

    35. Re:One lesson to learn by Dragonslicer · · Score: 1, Interesting

      CNN lacks content to have a bias

      This is why I always laugh at people that claim CNN is biased. CNN doesn't have a "left" or "right", "liberal" or "conservative", or "Democrat" or "Republican" bias. CNN's only bias is towards repeating whatever people with no lives send them via Twitter.

    36. Re:One lesson to learn by mundanetechnomancer · · Score: 1

      Having a long hosts file can cause long delays on laptops when connecting to wireless networks, since the DNS cache service has to check with the file. This is especially noticeable on netbooks.

    37. Re:One lesson to learn by citizenr · · Score: 0

      FTA: "Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser."

      Noo, it's like "Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by Internet Explorer."

      --
      Who logs in to gdm? Not I, said the duck.
    38. Re:One lesson to learn by theaveng · · Score: 1, Offtopic

      FOX presents opinions as facts

      Ditto ABC, CBS, NBC, and CNN. When you hear someone like Katie Couric say something like, "Colon exams should be free," she is presenting an opinion as fact. All of these TV outlets do it.

      --
      FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
    39. Re:One lesson to learn by TheThiefMaster · · Score: 1

      That's a bad implementation then, the IP RFC says that 0.0.0.0 is only valid as a source address (meaning "this machine") not a destination address.

      Even if your implementation treats it like localhost, you're no worse off than 127.0.0.1. Amusingly 255.255.255.255 is a broadcast address, so really stupid to use, despite having seen it recommended.

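      Several comments in this subthread argue about hosts-file blocklists: the sink address to use (0.0.0.0 vs 127.0.0.1, and why 255.255.255.255 is a bad idea), file size, and the fact that an entry only matches an exact name. The following validator is an added example, not code from any commenter; the SAMPLE_HOSTS text and the .example names in it are constructed for the demonstration.

```python
"""Validate a hosts(5)-style ad blocklist (added example, not from the thread).

Parses hosts-file lines, keeps entries that sink a hostname to a loopback or
unspecified address, and flags entries a defender should review:
  - 255.255.255.255 is the limited-broadcast address, a poor sink;
  - a routable address means the line redirects the name instead of blocking it;
  - the same name listed with two different sinks is a maintenance error.
"""
import ipaddress
import re

# Addresses that never reach an advertiser: unspecified or loopback (v4 and v6).
SAFE_SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Names normally present in a stock hosts file; they are not blocklist entries.
SYSTEM_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
                "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# RFC 1123 style hostname: labels of 1-63 chars, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

# Constructed sample input; none of these hosts are real blocklist entries.
SAMPLE_HOSTS = """\
# constructed sample, not a real blocklist
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
0.0.0.0     ads.example adserver.example   # sunk entries
127.0.0.1   tracker.example
255.255.255.255 beacon.example            # broadcast: bad sink
192.0.2.10  cdn.example                   # routable: a redirect, not a block
0.0.0.0     ads.example                   # duplicate with the same sink: harmless
127.0.0.1   ads.example                   # duplicate with a conflicting sink
0.0.0.0     bad_host.example              # underscore: not a valid hostname
"""


def parse_hosts(text):
    """Return (blocked, warnings).

    blocked:  dict of lowercase hostname -> sink address for valid block entries
    warnings: list of (line_no, message) for lines that need a human look
    """
    blocked = {}
    warnings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            warnings.append((line_no, "no hostname on line"))
            continue
        addr, names = fields[0], fields[1:]
        try:
            ip = str(ipaddress.ip_address(addr))  # canonical form, e.g. "::1"
        except ValueError:
            warnings.append((line_no, f"not an IP address: {addr}"))
            continue
        for name in names:
            name_l = name.lower().rstrip(".")
            if name_l in SYSTEM_NAMES:
                continue
            if not HOSTNAME_RE.match(name_l):
                warnings.append((line_no, f"malformed hostname: {name}"))
                continue
            if ip == "255.255.255.255":
                warnings.append((line_no, f"{name_l} sunk to broadcast address"))
                continue
            if ip not in SAFE_SINKS:
                warnings.append((line_no, f"{name_l} -> {ip} is a redirect, not a block"))
                continue
            if name_l in blocked and blocked[name_l] != ip:
                warnings.append((line_no, f"{name_l} already listed with {blocked[name_l]}"))
                continue
            blocked[name_l] = ip
    return blocked, warnings


def is_blocked(blocked, hostname):
    """True if the name is sunk. Hosts-file matching is exact, not wildcard:
    x.ads.example is NOT covered by an entry for ads.example."""
    return hostname.lower().rstrip(".") in blocked


if __name__ == "__main__":
    blocked, warnings = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked)} names sunk")
    for line_no, msg in warnings:
        print(f"line {line_no}: {msg}")
```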
    40. Re:One lesson to learn by oldspewey · · Score: 1

      Would probably have fit in 1930s Germany with ease.

      What an utterly foolish retort. I suggest you take a good, long look at the fascist leadership of 1930's Germany and the propaganda efforts there. Then, take a good, long look at the kinds of policies and positions broadcast by Fox News. Your attempts to paint people who distrust Fox News with a Nazi brush are, at the very least, ironic.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    41. Re:One lesson to learn by Vancorps · · Score: 1

      And that doesn't make it okay for Fox to do. That's besides the point that your example is her clearly stating an opinion without any context as to presenting it as a fact. Like the original reports on Fox about Obama's birth certificate and misrepresenting the numbers of people involved in rallies that were actively supported by Fox News making it seem like the public has a growing problem with current events when the events at hand actually point in the other direction. It's much like the reporting that everyone hates the healthcare bill except when they are polled on the contents of the bill where they actually rate very highly.

      Fox does this at a rate no other organisation can match. The closest bet is MSNBC and even they don't often present opinion as fact.

    42. Re:One lesson to learn by brkello · · Score: 1

      If you want to say all news networks are biased you are just being lazy. There are different degrees and by far Fox News is the worst offender. If you are unable to recognize this difference, you aren't trying very hard.

      --
      Support a great indie game: http://www.abaddon360.com
    43. Re:One lesson to learn by brkello · · Score: 1

      People take their words as fact. They hide behind the "Oh, I am just an opinion show" when people try to hold them accountable. Then whatever misinformation they say is reported in their actual news segments as "some people are saying this..." repeating the Beck and friends garbage. More of Fox is opinion than news...shouldn't they be called Fox Opinion?

      --
      Support a great indie game: http://www.abaddon360.com
    44. Re:One lesson to learn by brkello · · Score: 1

      Except "Colon exams should be free" isn't a fact. There is no way to present that as a fact. A fact would be "Most colon diseases can be detected early and prevented". Fox News says things like "Health care bill has death panels". They present something as a fact that isn't one.

      --
      Support a great indie game: http://www.abaddon360.com
    45. Re:One lesson to learn by Anonymous Coward · · Score: 0

      Indeed, and for people browsing Fox News, you don't even need a computer to be infected.

      ... Infected by a dose of common sense.

      Oooohhh.

      Anonymous Coward for obvious reasons, the Slashdot crowd being what it is.

    46. Re:One lesson to learn by commodore64_love · · Score: 1

      I think the first amendment (liberated press) allows them to say whatever they want, even if it's not true. It's called freedom. If you don't want to watch FOX, fine, but then you ought to just drop the subject. Not keep pounding "FOX sucks" into the sand like a troll day-after-day-after-day. It gets tiresome.

      And don't try to pretend as if the DNC-NBC is unbiased either.

      Remember it was MSNBC that did a story about "gun toting protestors" at an Obama speaking event who "appear to be prejudiced or even racist against a sitting black president." And then it was discovered that MSNBC LIED in the report. The gun toters were actually black themselves (i.e. not racist), but by using careful editing of the video (not showing faces) MSNBC conveniently hid that fact and portrayed the black gun owners as white racists.

      BOTTOM LINE: The MSNBC channel is no better. While FOX is biased towards the R's, MSNBC is biased towards the D's. So by slamming FOX, and pretending MSNBC is flawless, all you do is demonstrate your own bias and hate.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    47. Re:One lesson to learn by commodore64_love · · Score: 1

      CNN is very clearly pro-Democrat or pro-big government. You probably don't notice it because you, yourself, are pro-D or pro-government but the bias is definitely there. I see it every time I turn on the channel.

      For example when a CNN reporter gives a report which assumes government should be providing healthcare for free, and different methods of paying for it. The reporter never once offers the other option: Keeping government out of healthcare.

      Another example was the CNN Sunday coverage of the vote. The reporters were so happy with the results, I thought they were going to pull out their Barack Obama posters and throw a party. That's pro-D and/or pro-big-government bias.

      Me, being Jeffersonian and anti-monopoly, would prefer the government was so small as to be almost invisible so I could make my own choices. But CNN never, never, never discusses that option.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    48. Re:One lesson to learn by commodore64_love · · Score: 1

      >>>take a good, long look at the kinds of policies and positions broadcast by Fox News.

      Well... I disagree. While FOX has a bias, its bias is generally in favor of LESS government, while the 1930s German propaganda was in favor of More government. Like taking over the car industry (folks' wagon). And taking over the healthcare industry (guaranteed for everyone). And fining people who don't comply..... hmmmm.

      The German people ate it up, without realizing they were losing freedom with each new program passed.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    49. Re:One lesson to learn by Anonymous Coward · · Score: 0

      "...Fox strangleholds"

      BWAHAHAHHAHAA...

      The only thing NOT funny about this post is that you are a voter - and most probably one of the loser dorks who voted our current President into office. This is a sad thing also; because you probably honestly believed in his "Hope & Change" message, his platitudes, and his lies back then, and even now, when we see demonstrated more all the time that we misunderstood the message, that what was really being stated was "Hoax and Chains".

      People, we needn't wonder why our Nation is gone to shit, not when we have examples like this one right here.

      "...strangleholds". LOL

    50. Re:One lesson to learn by flimflammer · · Score: 1

      I have to wonder how you get the idea that "Colon exams should be free" is a statement being asserted as a fact, when it is clearly an opinion based on the fact that colon exams are not free.

    51. Re:One lesson to learn by An+anonymous+Frank · · Score: 1

      You could put that hosts file on your proxy host.

  3. Surprise! Oh, wait... by bhamlin · · Score: 2, Insightful

    Really, who is surprised by this? What's the cost of an ad and fake credentials compared to getting a chance to infect millions of computers?

  4. Say No To Flash by Anonymous Coward · · Score: 1, Interesting

    The number one reason to avoid Flash is the advertisements. The numerous exploits means that it is just a matter of displaying the ad, and voila, you have most injected visitors.

    JavaScript based ads are not much better, but they're at least not as easy to exploit as Flash based ads.

    1. Re:Say No To Flash by somersault · · Score: 4, Insightful

      Say no to unsolicited content altogether! Adblockers ftw.

      --
      which is totally what she said
    2. Re:Say No To Flash by Anonymous Coward · · Score: 0

      But..but...but...Flash Video Porn!

      Stop ...sp....looking to porn?

      I thought it was the safe way instead of MP3s?!?

    3. Re:Say No To Flash by jimicus · · Score: 1

      Doesn't really help in a business environment - few adblockers allow you to deploy and manage them centrally. Frankly, it would make more sense to block ads at the firewall.

      Actually, now I think of it, that's a damn good idea. It'd mess up the page layout for a lot of things but if you served up a blank JPEG of the relevant size that shouldn't matter too much...

    4. Re:Say No To Flash by L4t3r4lu5 · · Score: 1

      I just re-enabled AdBlock. I disabled it after the Ars Technica article regarding advertisement supported websites.

      I'm happy to have unobtrusive text advertising, even images. Moving images and flash irritate me, but drive-by malware?

      AdBlock stays on.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    5. Re:Say No To Flash by somersault · · Score: 1

      We do actually have that option in the content filter on our firewall. When I enabled it before I got complaints from one of the directors because they actually click on ads -.-

      --
      which is totally what she said
    6. Re:Say No To Flash by commodore64_love · · Score: 1

      That's one of the things I like about Opera Turbo - it blocks flash ads by default and displays a giant |> play button. More browsers should do that.

      What I don't like about Opera is how many websites refuse to serve it with javascript, and instead serve a broken nonfunctional page. I get a little frustrated with constantly right-clicking and choosing "mask as firefox" or "mask as explorer" to get a page to load properly. That isn't Opera's fault of course but it would be a lot easier if they had a global "mask" setting, so I wouldn't have to do one page at a time.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    7. Re:Say No To Flash by commodore64_love · · Score: 1

      Or how about GIFs and PNGs? Back in the 90s and early 2000s that's what ads were, and it worked just fine. There's no need to waste bandwidth on a 1000 kilobyte or more Flash ad when a ~100 kilobyte animated GIF can do the same job.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    8. Re:Say No To Flash by Anonymous Coward · · Score: 0

      BUURRRRRRRPPPPPP!!!!

      Use Squid / URL Filter

      http://tech.slashdot.org/comments.pl?sid=1592276&cid=31584052

    9. Re:Say No To Flash by John+Hasler · · Score: 1

      > I just re-enabled AdBlock. I disabled it after the Ars Technica article
      > regarding advertisement supported websites.

      Whining. If they don't want to send you their page they are free to ignore your GET requests.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    10. Re:Say No To Flash by L0rdJedi · · Score: 1

      I tried this too. It turned out that our marketing department wanted to see the ads they were buying (or at least wanted to make sure they were showing up correctly), so I had to remove some of the blocks.

    11. Re:Say No To Flash by TheRaven64 · · Score: 1

      Or how about GIFs and PNGs? Back in the 90s and early 2000s that's what ads were, and it worked just fine

      And back then we had libpng and zlib bugs that gave you arbitrary code execution when the browser tried to load a malformed GIF or PNG. The more things change, the more they stay the same.

      --
      I am TheRaven on Soylent News
  5. Re:Surprise! Oh, wait... by HungryHobo · · Score: 1

    As far as I know the margins on selling infections aren't that fantastic.
    It depends on who you're infecting though.

  6. Good thing by Jaysyn · · Score: 1

    Good thing the combo of AdBlock, NoScript & FlashBlock will basically prevent these kinds of attacks.

    --
    There is a war going on for your mind.
    1. Re:Good thing by bunratty · · Score: 2, Informative

      In addition, you can also use the Plugin Check to make sure you have the most recent versions of plugins to decrease the risk of attack. And don't forget to turn on DEP for all programs and services on Windows.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    2. Re:Good thing by Bearhouse · · Score: 1

      Mod up, mod up...
      How many times do we have to repeat this?
      For those without Firefox and those extensions you point out, do your 'hosts' file:
      http://en.wikipedia.org/wiki/Hosts_file
      Good for Chrome lovers and, of course, non-Windows platforms.
      Yes - Apple and *Nix users are vulnerable too...especially if in a mixed network with Windows boxen.

      Peerblock is worth a look too...
      http://www.peerblock.com/releases

    3. Re:Good thing by 0ld_d0g · · Score: 1

      Unfortunately, that makes the web unusable for many people. Most people commenting here aren't the kind who get infected by malware.

    4. Re:Good thing by gzipped_tar · · Score: 1

      Using the hosts file to re-route malicious domains is an ugly hack and should never be used. There are more efficient and maintainable firewalling tools. The hosts file should tell facts instead of lies.

      --
      Colorless green Cthulhu waits dreaming furiously.
    5. Re:Good thing by NatasRevol · · Score: 1

      How exactly are Mac and *nix users vulnerable?

      All of the malware being delivered only runs on Windows.

      --
      There are two types of people in the world: Those who crave closure
    6. Re:Good thing by ShadowRangerRIT · · Score: 1

      Well, AdBlock and Flashblock don't cause a problem for most people in my experience. NoScript drives them crazy though. And given that Flashblock (last I checked) doesn't provide real security (the Flash is loaded briefly before being replaced in the DOM, so the window of vulnerability remains), you're stuck with hoping the AdBlock filters are up to date. It's better than letting them browse on unprotected IE6, but without NoScript you're still vulnerable to exploits served from very new hosts (too new to show up in the AdBlock filters).

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    7. Re:Good thing by Anonymous Coward · · Score: 0

      So will running any OS but Windows. This malware only runs on Windows.

    8. Re:Good thing by Jaysyn · · Score: 1

      When I "fix" a Windows PC I always make sure to explain to the owner exactly what NoScript does & how to use it. I also stress to them how important it is that they actually use it & don't just "enable all" scripts. I generally don't charge my friends or co-workers for the 1st time I clean a PC, but on the two occasions I did get a PC back that had the floodgates opened so to speak, I charged the owner about $10 less than what Best Buy does for cleaning a PC. You can't fix stupid, but you can make them pay for it.

      --
      There is a war going on for your mind.
    9. Re:Good thing by Anonymous Coward · · Score: 0

      Using the hosts file to re-route malicious domains is an ugly hack and should never be used. There are more efficient and maintainable firewalling tools. The hosts file should tell facts instead of lies.

      The HOSTS file not only tells fact, it defines fact.

      The HOSTS file doesn't care if you're a web browser or /usr/bin/ping. It doesn't care if the machine is behind a firewall or on the free WiFi at Starbucks.

      When I modify the HOSTS file, I reject the advertisers' reality and substitute one of my own.

    10. Re:Good thing by gzipped_tar · · Score: 1

      Srsly, is learning Networking 101 so much more difficult, arduous and benefiting than flirting with weasel words like "my own reality"?

      --
      Colorless green Cthulhu waits dreaming furiously.
    11. Re:Good thing by Anonymous Coward · · Score: 1, Funny

      Basically as more Windows machines become infected, the levels of smug exuded by Mac users can reach dangerous levels. In such an emergency oxygen masks will lower, help yourselves, then the children.

    12. Re:Good thing by Anonymous Coward · · Score: 0

      It's a quote from Mythbusters. Least, that's where I'm going to hope he picked it up from.

    13. Re:Good thing by NatasRevol · · Score: 1

      That's good right?

      Since your Windows PC will be in flames from all the malware running on it.

      --
      There are two types of people in the world: Those who crave closure
    14. Re:Good thing by TheRaven64 · · Score: 1

      Maybe it also runs under WINE? After I installed VirtualPC on my old PowerPC Mac, all of the viruses I was sent via email got a nice Windows icon on them, maybe you can do something similar with WINE on *NIX now?

      --
      I am TheRaven on Soylent News
    15. Re:Good thing by mzs · · Score: 1

      I concur with ShadowRangerRIT, for most people noscript is much too difficult to use. There are two big problems.

      In many situations there is some site they go to for the first time and it does not work. Then the ones that are trying go and click on the noscript icon or message and are promptly presented with a list of ten or so sites with blocked scripts. They pick one essentially arbitrarily (hopefully the same domain) and then let the page reload. But 7 out of ten times it is some cross domain script that needs to be allowed. So it still does not work. At this point they may try one more by guessing or simply give-up on noscript.

      The other big problem is when it does not work but now the page is missing any indication of flash content. There they may go through the steps above or they may just decide right then and there that this noscript extension is breaking this website, and that is the last that they ever use it.

    16. Re:Good thing by BlackSnake112 · · Score: 1

      We have had mac machines running things that attacked the windows machines at work. The mac user did allow the software to be installed. They were prompted for their password to install it. It's OSX, it's apple, they are safe. Wrong. The software was trying to gain access by guessing the account and password and sending them to a machine in China. Well, CA and the owner of the site is in China. It actually sent the failed ones as well. It could have been doing more, but that is what we found first.

      This person got this by visiting a dating site. He was prompted for his apple password when the site loaded. No he was not looking to date Chinese girls. We did a few tests (with test machines). On windows logged in with guest access, errors on page load. Windows with regular user or admin, page loaded fine. Machine appeared fine. It wasn't. On linux, a bunch of error messages (can't find C:\windows, missing file, etc.). Yes the faculty did have to explain to his director why he was looking at dating sites while at work on university machines. I was not there for that meeting. I so wanted to be.

    17. Re:Good thing by NatasRevol · · Score: 1

      Why the fuck do you have people using ANY computer that know the admin password?
      And why the fuck do you have people ENTERING the admin password when they visit a website?

      Change the admin credentials, problem solved right there. At least on a Mac.

      --
      There are two types of people in the world: Those who crave closure
    18. Re:Good thing by Anonymous Coward · · Score: 0

      Well, if you encounter a site running 1800banners ads, and if you're using Google Chrome so you don't have detailed JS controls, then you won't get infected but you'll find your browser wandering off to other sites and performing irritating Flash tricks. So your *nix machine won't get infected, but you'll have browsing awkwardness.

    19. Re:Good thing by daeley · · Score: 1

      The blockers aren't the ones responsible for making the Web unusable. It's the people trying to turn the Internet into television.

      --
      I watched C-beams glitter in the dark near the Tannhauser gate.
    20. Re:Good thing by troll8901 · · Score: 1

      I guess it's not safe to reveal in Slashdot that you allow your users to have local admin access to their own PCs. You'll get flamed to a crisp.

      I particularly enjoy reading honest anecdotes written by other people. But I guess with such negative feedback that these anecdotes attract, they'd simply get fewer.

    21. Re:Good thing by metamatic · · Score: 1

      Yes, but NoScript functionality really needs to be part of the core Firefox product. Security shouldn't be something that you have to download plugins to get.

      (Meanwhile, Mozilla devs are working on adding address books to the browser. Yeah, nice sense of priorities there.)

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  7. Adblockers anyone by Galestar · · Score: 4, Insightful

    Yet another reason to use ad blockers. I'm starting to think Firefox should come with it out of the box.

    --
    AccountKiller
    1. Re:Adblockers anyone by Anonymous Coward · · Score: 0

      I don't think that's going to happen. Firefox has gained too big a marketshare to be able to do this without getting massive pressure from various sides.

    2. Re:Adblockers anyone by Monkeedude1212 · · Score: 3, Insightful

      The problem is that a large amount of money on the internet is made through advertisements. If Firefox gains marketshare, and starts with adblocking, that's tons of revenue stream being cut off. Google makes a lot of money through advertising, and they seem to be the only ones pushing for progress right now. I don't know if I'd want to go and reduce their income.

      In Alberta - it's illegal to have a billboard on a Highway. Based solely on the idea that it causes more accidents because billboards are distracting. This isn't a direct attack on the speed limit, a major factor, or alcohol, another major factor. Because attempting to control those other 2 factors would cause a huge upset.

      Same with internet advertising, you can't just stop it all and make the world a better place.

    3. Re:Adblockers anyone by rtaylor · · Score: 1

      You might want to double check FireFox's revenue streams before suggesting they implement adblocking by default.

      --
      Rod Taylor
    4. Re:Adblockers anyone by delinear · · Score: 1

      You could conceivably stop all flash and scripted ads though. Sure there have been cases in the past of people exploiting image formats but they're all pretty well locked down now, if you can't get your message across with images and text then you can't expect your audience to be too sympathetic when your flashy advert allows the bad men to infect their PCs.

    5. Re:Adblockers anyone by Monkeedude1212 · · Score: 1

      The problem is that you need a script of some form to track redirects. Otherwise you don't know how effective ads are on what sites, so you don't know how much to pay to who.

      Because of this - it will always be present that people will find some way to sneak malware into whatever script you run.

    6. Re:Adblockers anyone by kent_eh · · Score: 1

      The problem is that a large amount of money on the internet is made through advertisements.

      Then it's in the financial best interest of the ad networks to stomp this out. Hard and fast.
      When they were merely annoying only some people blocked their content.
      Once it becomes well known that they are an actual threat, then a much larger group will be blocking their stuff, and their entire business sector is in serious financial jeopardy.

      --

      ---
      "I can't complain, but sometimes still do..." Joe Walsh
    7. Re:Adblockers anyone by Mandrel · · Score: 1

      The problem is that a large amount of money on the internet is made through advertisements. If Firefox gains marketshare, and starts with adblocking, that's tons of revenue stream being cut off. Google makes a lot of money through advertising, and they seem to be the only ones pushing for progress right now. I don't know if I'd want to go and reduce their income.

      Particularly as Firefox is funded by a Google product placement deal.

    8. Re:Adblockers anyone by cbreak · · Score: 1

      They could just parse referrers and relay all links (clicks) on the banner over their own server. That way they have tracked both banner shows and clicks.

    9. Re:Adblockers anyone by Anonymous Coward · · Score: 0

      Ad-blocking in Opera by default, and I'm pretty sure the desktop editions of their browser are subsidized through a default-search-engine deal with Google. ... Which AFAIK is the same deal for Firefox.

    10. Re:Adblockers anyone by Anonymous Coward · · Score: 0

      Do you live in Alberta? Because I do, and I have seen billboards on highways all over the place. In fact, there's one on Hwy 14 as it crosses the Sherwood Park Freeway, and I drive by it every day. Not only is it a billboard, but it's a whole computer screen, constantly rolling ads, animated ones no less. They set it up about a month ago, and for the first week I had to watch it flip between default Windows XP backgrounds. I thought... what a shame, such a huge screen and they slap XP on it.

    11. Re:Adblockers anyone by Anonymous Coward · · Score: 0

      One might want to also consider walling the browser with some form of sandbox, such as sandboxie.

    12. Re:Adblockers anyone by PhxBlue · · Score: 1

      The problem is that a large amount of money on the internet is made through advertisements.

      And whose problem is that, exactly? When I first got started on the Internet (1995), there was almost no advertising whatsoever. I didn't miss them then, and (thanks to AdBlock) I don't miss them now. Advertising can still work as a model, but advertisers need to get smart about it, a la Google ads. Plain text, non-obtrusive ads are the only safe method of Internet advertising -- even JPGs can be compromised.

      --
      !#@%*)anks for hanging up the phone, dear.
    13. Re:Adblockers anyone by JesseMcDonald · · Score: 1

      You can't trust the referrer. It's completely voluntary. For example, no matter what link I just followed your server will see its own address in the referrer header, not the address of the previous page.

      A better scheme is to include the original site's ID in the URL.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    14. Re:Adblockers anyone by Anonymous Coward · · Score: 0

      Based solely on the idea that it causes more accidents because billboards are distracting.

      Doubt it. Safety is usually part of the package of reasons promoting the legislation, but the primary thrust of billboard bans is tourism dollars; they spoil the view. Provinces and States are in serious competition for getting people to visit and drive around. Getting rid of highway billboards was a big push by the departments responsible for maximizing that revenue. Safety was already adequately addressed by prior legislation on setbacks, and restrictions on things like flashing lights and animation.

      I can't recall -- are there highway billboards in Alberta on Indian land? That'd be another clue the safety portion of the argument didn't have much traction. I've noticed that across the border from you in BC. You'll be driving along and hit a stretch of billboards, and know you're crossing a Reserve. The old setback restrictions and limits on lights are clearly in force on these, just not the restriction on marring the view.

    15. Re:Adblockers anyone by metamatic · · Score: 1

      Yeah, I think advertisers are the real reason why the Mozilla devs are adamantly against making NoScript functionality a core part of Firefox.

      However, Google's added the functionality to the recent nightly builds of Chrome, so as soon as it stabilizes I'm just going to switch. Mozilla can pull their heads out of their asses and start serving users rather than advertisers, or lose their market share.

      [Opinions mine, not my employer's.]

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    16. Re:Adblockers anyone by cbreak · · Score: 1

      Executing JavaScript is also voluntary. You have to trust the client to give you the correct data, otherwise you can give up on it and just store on the server side which ad you send to which web page.
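
The scheme the sub-thread converges on (don't trust the Referer; carry the publisher's ID in the click URL; record server-side which ad went to which page) is easy to get subtly wrong, so here is an added example of one way to do it. This is not code from any ad network; the tracker hostname, `TRACKER_SECRET`, `AD_CATALOG` and the parameter names are assumptions. The site and ad IDs are HMAC-signed so a publisher cannot forge clicks for another site by editing the URL, and the redirect target is looked up from the ad ID rather than read from the request, so the tracker cannot be abused as an open redirector.

```python
"""Click-tracking redirect that carries site and ad IDs in the URL itself
instead of trusting the Referer header, and signs them so a publisher
cannot forge impressions or clicks for another site.

Added example; TRACKER_SECRET, AD_CATALOG and the URL layout are
assumptions, not any real ad network's scheme.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Server-side secret (assumed); never sent to the publisher or the browser.
TRACKER_SECRET = b"example-secret-change-me"

# Constructed catalogue mapping ad IDs to the advertiser landing page.
# The redirect target is looked up here, never taken from the request,
# so the tracker cannot be used as an open redirector.
AD_CATALOG = {
    "ad-7781": "https://advertiser.example/landing?campaign=spring",
}


def _sign(site_id, ad_id, key=TRACKER_SECRET):
    msg = f"{site_id}|{ad_id}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def make_click_url(site_id, ad_id, key=TRACKER_SECRET):
    """Build the URL the banner links to. site_id identifies the publisher
    page the banner was served on, which is what the Referer header would
    have told us if it could be trusted."""
    q = urlencode({"s": site_id, "a": ad_id, "sig": _sign(site_id, ad_id, key)})
    return f"https://tracker.example/click?{q}"


def handle_click(url, key=TRACKER_SECRET):
    """Validate a click URL and return (site_id, ad_id, redirect_target).
    Raises ValueError for tampered parameters or unknown ads."""
    qs = parse_qs(urlsplit(url).query)
    try:
        site_id, ad_id, sig = qs["s"][0], qs["a"][0], qs["sig"][0]
    except (KeyError, IndexError):
        raise ValueError("missing tracking parameters")
    # Constant-time comparison so the signature cannot be recovered
    # byte by byte from response timing.
    if not hmac.compare_digest(sig, _sign(site_id, ad_id, key)):
        raise ValueError("bad signature: site or ad id was altered")
    if ad_id not in AD_CATALOG:
        raise ValueError(f"unknown ad id {ad_id!r}")
    # This is where the click would be logged: (site_id, ad_id) tells
    # the network which publisher to pay for this click.
    return site_id, ad_id, AD_CATALOG[ad_id]


if __name__ == "__main__":
    link = make_click_url("nytimes-frontpage", "ad-7781")
    print(link)
    print(handle_click(link))
```

Impressions are counted the same way: the server already knows which ad it handed to which page when it serves the tag, so nothing about the count depends on client-side script, as cbreak says. The signature only has to protect attribution (who gets paid), not the destination, which is why the catalogue lookup does the latter.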

  8. Much more profitable than click-throughs... by Anonymous Coward · · Score: 1, Interesting

    1) Flash-based Banner Ad
    2) JRE Exploit (CVE-2008-5353)
    3) Adobe Reader Exploit
    4) Profit?

    1. Re:Much more profitable than click-throughs... by julesh · · Score: 2, Insightful

      1) Flash-based Banner Ad
      2) JRE Exploit (CVE-2008-5353)
      3) Adobe Reader Exploit
      4) Profit?

      From what I saw when this happened to me:

      1) Javascript-based banner ad
      2) MFSA2010-01 (or something similar that was present in Firefox 3.5.7)
      3) Mozilla extension to redirect links from google, yahoo and bing to a site of your choice
      4) Site that serves large numbers of per-impression banners for dubious porn sites
      5) Profit.

  9. Adblocker by wisnoskij · · Score: 4, Insightful

    I would like to support sites by viewing their ads but if it leaves you more open to viruses even on high-profile sites then it is not worth the risk.

    --
    Troll is not a replacement for I disagree.
    1. Re:Adblocker by jedidiah · · Score: 2, Interesting

      Yes. This goes way beyond being "merely annoyed". If it becomes a security issue then ads need to go in general.

      This is another example of how "outsourcing" leads to loss of quality and control. If you are going to spam someone then you need to be in control of the relevant content. You need to take responsibility for it. That seems to be the real problem here. You end up needing to whitelist 10 or 20 scripting hosts for the average "legitimate" website.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    2. Re:Adblocker by ajs · · Score: 1

      You could always whitelist ads on sites that you want to support while turning off JavaScript (e.g. using noscript). Most ads will still display (unless they're flash, and then it really was their choice, wasn't it?)

      That's what I do. I even leave Slashdot's ad opt-out checkbox unchecked.

    3. Re:Adblocker by daveime · · Score: 1

      I think you'll find very few malware writers outsource to India. They prefer their malware to actually work!

    4. Re:Adblocker by Tlosk · · Score: 1

      I think your point is spot on, this is why big reputable sites need to take charge of their own advertising instead of farming everything out to 3rd parties that are getting it wrong a lot lately.

      You may save some money in the short term by not having to deal with the overhead yourself, but unless all the content that is getting shoveled your way is reputable you just force your readers to block everything to keep their systems safe.

      But realistically what this means is using ads that don't rely on delivery mechanisms with a huge attack surface like flash and active scripting.

    5. Re:Adblocker by jedidiah · · Score: 1

      I was speaking of all of the ad images getting owned and infecting the readers of the Post and such.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    6. Re:Adblocker by Anonymous Coward · · Score: 0

      I just blocked a flash ad on slashdot because it was moving around so much that I couldn't concentrate on the text to the left of it.

      So it's not just malware that makes me want to block the f'ing ads.

    7. Re:Adblocker by Anonymous Coward · · Score: 0

      I would like to support sites by viewing their ads but if it leaves you more open to viruses even on high-profile sites then it is not worth the risk.

      Supporting the technical sites that assist you is really important.
      Many sites even a few of mine would close due to costs if it wasn't for advertising revenue.
      It's best to offer Text advertisement for now until this issue that for me dates back to May 2005 at DigitalSpy.co.uk.

      Keep the ads coming because if you offer good content I'll click on them.
      Heck I even found things I needed via advertisements.

  10. So at what point does Adobe become liable? by Anonymous Coward · · Score: 0

    Since the attack vector isn't Flash itself, but the implementation that 99.9999999% of people have installed.

    1. Re:So at what point does Adobe become liable? by Anonymous Coward · · Score: 0

      I think they're at least second in line to Microsoft, no?

    2. Re:So at what point does Adobe become liable? by ShadowRangerRIT · · Score: 1

      That's what EULAs are for. Software is much harder to do right than hardware, so people accept a certain amount of misbehavior in exchange for more powerful software that doesn't cost an arm and a leg. We could do bug free software, but it drastically limits the scope of the software and drastically increases the cost. The software used for aircraft control is usually subject to this level of testing, along with that used in a lot of embedded systems. But for a general purpose computer, you need to do things like conditional code, interacting processes, etc., that make it nearly impossible to do 100% thorough tests. Yeah, Adobe is doing worse than it should, but the only solution to that is to stop using it. And until everyone does, Adobe will continue to get away with it.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    3. Re:So at what point does Adobe become liable? by ShadowRangerRIT · · Score: 1

      That said, even in these theoretically 100% testable scenarios things sometimes go wrong. Assuming Toyota's issues aren't purely mechanical, it will be an object lesson in how even extremely limited functionality software can have critical failures in edge conditions.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  11. The real defense line by geegel · · Score: 4, Interesting

    The way I see it, no browser should be designed to require admin rights. All that it needs is a sandboxed environment for temporary files. When this mantra gets in the developers' heads, such exploits will no longer be possible. Of course, by that time, other type of exploits will be invented, but we'll cross that bridge when we reach it.

    --
    right...
    1. Re:The real defense line by FlyingBishop · · Score: 1

      Designing a browser not to require admin rights will never prevent users from running it as admin.

    2. Re:The real defense line by Neil+Watson · · Score: 2, Interesting

      In UNIX one might try running the browser as another user via 'su'. That user could be isolated with no useful data or access. Probably some X permissions will have to change to allow the browser to display on an X server owned by another user.

      Could this be accomplished with Windows?

    3. Re:The real defense line by Culture20 · · Score: 1

      The way I see it, no browser should be designed to require admin rights. All that it needs is a sandboxed environment for temporary files. When this mantra gets in the developers' heads, such exploits will no longer be possible. Of course, by that time, other type of exploits will be invented, but we'll cross that bridge when we reach it.

      The way I see it, no browser updates should be designed to require admin rights. Back in the day, FF installers for windows didn't require admin rights; anywhere a user could install was fair game. I don't know if that's still true. But, what if the core executables were owned by root, but updates could be owned by various users? i.e. on opening, browser checks web for updates, if it finds some, it downloads the updated exe or dll to local user dir, and then restarts itself using the new version. If no updates are found on the web, it checks local user dir to see if there were updates previously downloaded, and restarts using the latest downloaded update. Then every user can update their browser.

      Even better: Make the command line browser updater work _only_ on the command line so that sysadmins can update hundreds of machines at a time. Why do command line browser updaters need to open a GUI for a progress bar?

    4. Re:The real defense line by geegel · · Score: 1

      Most users follow the path of minimal resistance (i.e. they will most likely go with default settings). If these settings mean security by design, most of these problems would disappear.

      --
      right...
    5. Re:The real defense line by Anonymous Coward · · Score: 0

      Even without admin rights malware can still cause you tremendous grief. The real problem is twofold:

      1. Automatic download and execution without the user's knowledge or consent.
      2. User education / trust

      Fix the first issue and you solve a big chunk of the problem; Microsoft is getting better at it, but it still happens.
      The second issue is harder. Even today we STILL read about people who siphon all their life savings off to some Nigerian scumbag. You think these same people wouldn't click through some dialogs to download and run "Fuck.Up.My.Pc.exe"? I think most people just don't understand enough about how computers work to know any better.

    6. Re:The real defense line by geegel · · Score: 1

      Basically yes. What's to stop a developer to code a browser with an emulator type architecture? You load the environment and in that environment you load the browser, while restricting its rights to the bare minimum.

      --
      right...
    7. Re:The real defense line by The+MAZZTer · · Score: 1

      Huh? AFAIK none of the major players require admin rights. In addition Chrome (on XP/Vista/7) and IE8 (on Vista/7, not XP) both sandbox themselves and have been doing so for over a year now...

    8. Re:The real defense line by geegel · · Score: 1

      Well, most Windows users log into their OS with admin rights and when they launch the browser they automatically assign these rights. Basically, a browser should start with minimum rights regardless of what type of user launches it. Thank you for helping me clarify my point.

      Chrome and IE8 have a combined market share of about 30% according to statcounter. This is indeed the right approach, but until ALL the major players and their most important versions take the route of sandboxing, malvertising will continue to be a reality.

      --
      right...
    9. Re:The real defense line by ShadowRangerRIT · · Score: 2, Insightful

      Well, the browser can lower its own privileges just fine. IE8 (and IE7 IIRC) run with lower privileges than a normal user for that reason. Even if you tell it to execute as admin, it programmatically lowers its privileges at runtime.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    10. Re:The real defense line by wiredlogic · · Score: 1

      Back in the day, FF installers for windows didn't require admin rights; anywhere a user could install was fair game. I don't know if that's still true.

      It isn't. You have to be admin now. This gets annoying when I get update notices on a regular account and don't want to shut down and switch over to admin to update.

      --
      I am becoming gerund, destroyer of verbs.
    11. Re:The real defense line by Rysc · · Score: 1

      Better be careful with permissions and umask settings or your downloaded files won't be readable/writable by your regular user. Some kind of auto(or easy)-chown would really be ideal here.

      --
      I want my Cowboyneal
    12. Re:The real defense line by Rysc · · Score: 1

      I've been predicting for a couple of years now that most software will go this way, sooner or later. On the server side per-daemon jails are not unheard of and switching to per-daemon VMs seems like a logical isolation maneuver. Doing it for user apps presents considerably more challenge, but I expect it to happen. It will probably be Apple who does it first, since they have already embraced isolating all app resources (.app bundles) even if it's not yet a 100% solution.

      Mark my words: Within 10 years double-clicking an icon to launch an app in its own VM will be normal. The system will eventually make it so seamless that your average user doesn't know that's what's going on; he'll just see a window as usual.

      --
      I want my Cowboyneal
    13. Re:The real defense line by TheRaven64 · · Score: 2, Interesting

      The problem with this approach is that the browser itself contains useful data - things like access to your Internet banking site, for example. Ideally the browser would create a new process when you navigate to a new site and chroot() that instance so that it can't get any access to the filesystem beyond that. That way, a compromised browser would only ever gain access to caches and passwords for the site that performed the attack. The wrapper would reparent each of these processes' windows into something that would give the appearance of a single application.

      --
      I am TheRaven on Soylent News
    14. Re:The real defense line by FlashBIOS · · Score: 2, Informative

      Until that happens, check out Sandboxie. Sandboxie is a fantastic piece of software that I've been using for years on my browser (and more importantly at home, my wife's and son's). It is largely transparent, and regularly updated. And, it works with any software, not just the browser.

      http://sandboxie.com/

    15. Re:The real defense line by Culture20 · · Score: 1

      Back in the day, FF installers for windows didn't require admin rights; anywhere a user could install was fair game. I don't know if that's still true.

      It isn't. You have to be admin now. This gets annoying when I get update notices on a regular account and don't want to shut down and switch over to admin to update.

      But did you install into c:\Program Files\ or into your own user dir? I haven't installed it as a non-admin for a long time.

    16. Re:The real defense line by Anonymous Coward · · Score: 0

      Sigh.

      You think that because your browser runs locally you're safe? Listen up... and repeat after me. The fact that a local user can't infect that entire computer doesn't mean *your account* can't be infected as a local user.

      You run firefox as something not root. Big deal. Local access is enough for me to spawn a netcat reverse tunnel bound to your bash shell and hunt around for a local exploit. And you know you have them. If you don't know you have them--you either don't know enough about your system, or you're on something so hardened you haven't had any non-security updates in over three years, and you're probably running at most firefox 2.x.

      If your system gets jacked, hacking firefox is as simple as copying the relevant binary, somewhere hidden deeeep in your /home/.someapplicationstuff and injecting whatever the hell I feel like into it after modifying your little firefox icon and user path to launch mine. But that's a stupid hack--why even bother--it'd be easier to just install a local application that binds into your bashrc or registry equivalent and browse around as you at my convenience. After getting an exploit to run on firefox I can do anything you could anyway.

      If I don't have root access I can't use an lkmod rootkit...I can still do 95% of what's interesting as a local user, can *probably* find a local exploit, and even if I can't, 95% of the world will NEVER NOTICE anyway.

      Getting rid of root gets rid of trivial remote installation of rootkits. At that point you'll just see people go back to the drop, stage, and infect pattern.
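
The persistence trick described above (a copy of the browser launcher planted somewhere under the home directory, with PATH or an alias in the rc file pointing at it) is exactly what a non-root compromise looks like, and it is also what a practitioner would check for when a user-level infection is suspected. Here is an added example of that check; it is not the poster's code. `build_demo_tree()` constructs a throwaway layout under a temp directory so the script runs offline, and `CONSTRUCTED_BASHRC` is a made-up rc file; on a real account you would pass `os.environ["PATH"].split(":")` and read `~/.bashrc` instead. POSIX only.

```python
"""Look for the launcher hijack described above: a user-writable directory
planted early in PATH that carries an executable named like a system
binary, plus the rc-file lines that put it there.

Added example, not the poster's code. build_demo_tree() constructs a
throwaway layout under a temp dir so the check runs offline; on a real
account you would pass os.environ["PATH"].split(":") instead.
"""
import os
import re
import tempfile

SYSTEM_DIRS = ("/usr/local/bin", "/usr/bin", "/bin")


def _is_executable_file(path):
    return os.path.isfile(path) and os.access(path, os.X_OK)


def find_shadowed(path_entries, system_dirs=SYSTEM_DIRS):
    """Report every executable in a user-writable PATH entry that has a
    namesake in a system directory later in PATH. The earlier entry wins,
    so typing `firefox` runs the user-owned copy, not /usr/bin/firefox."""
    findings = []
    for i, d in enumerate(path_entries):
        if d in system_dirs or not os.path.isdir(d) or not os.access(d, os.W_OK):
            continue
        for name in sorted(os.listdir(d)):
            if not _is_executable_file(os.path.join(d, name)):
                continue
            for later in path_entries[i + 1:]:
                if later in system_dirs and _is_executable_file(os.path.join(later, name)):
                    findings.append({
                        "name": name,
                        "hijacker": os.path.join(d, name),
                        "shadows": os.path.join(later, name),
                    })
                    break
    return findings


# rc-file lines that prepend a home-relative directory to PATH, or alias
# a browser to something else; either is how the planted copy gets run.
RC_PATTERNS = (
    re.compile(r"""^\s*(export\s+)?PATH=["']?(\$HOME|~|/home/)[^:]*:\$PATH"""),
    re.compile(r"""^\s*alias\s+(firefox|chromium|chrome|google-chrome)="""),
)


def suspicious_rc_lines(text):
    return [ln for ln in text.splitlines() if any(p.search(ln) for p in RC_PATTERNS)]


def build_demo_tree():
    """Constructed layout: a hidden bin dir under the home directory holding
    a fake firefox, ahead of a stand-in for /usr/bin.
    Returns (path_entries, system_dirs)."""
    root = tempfile.mkdtemp(prefix="pathdemo-")
    hidden = os.path.join(root, "home", "user", ".cache", ".x", "bin")
    sysbin = os.path.join(root, "usr", "bin")
    os.makedirs(hidden)
    os.makedirs(sysbin)
    for path in (os.path.join(hidden, "firefox"), os.path.join(sysbin, "firefox"),
                 os.path.join(hidden, "mytool")):  # mytool has no system namesake
        with open(path, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, 0o755)
    return [hidden, sysbin], (sysbin,)


CONSTRUCTED_BASHRC = """# ~/.bashrc (constructed sample)
export EDITOR=vim
export PATH="$HOME/.cache/.x/bin:$PATH"
alias ll='ls -l'
alias firefox='$HOME/.cache/.x/bin/firefox'
"""

if __name__ == "__main__":
    entries, sysdirs = build_demo_tree()
    for hit in find_shadowed(entries, sysdirs):
        print(f"{hit['name']}: {hit['hijacker']} shadows {hit['shadows']}")
    for ln in suspicious_rc_lines(CONSTRUCTED_BASHRC):
        print("rc:", ln)
```

A clean PATH prepend of something like `~/bin` is common and not evidence of anything on its own; what matters is the combination of a writable early entry and a system binary name inside it, which is why `find_shadowed` only reports names that also exist in a system directory.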

    17. Re:The real defense line by Anonymous Coward · · Score: 0

      But most users will just click on the browser icon to start it up, and not bother using 'sudo'.
      Or did you mean on MS Windows?

  12. Ars Technica by Anonymous Coward · · Score: 5, Insightful

    And Ars Technica says I shouldn't block ads.

    I repeatedly told their staff that I don't block Ars Technica, but I do block ad servers. If they want to send me ads let them serve them from their own domain.

    Sites responsible for ad-vectored infections should be hit with hundreds of small claims court lawsuits to recoup the costs to clean up the infections.

    Maybe then they'll learn.

    1. Re:Ars Technica by shadowbearer · · Score: 1

      I will definitely second that, I am cleaning up a computer right now that got hit with a drive-by infection; ended up with a TDSS variant and enough other crap on it to make the machine nearly unusable. The user swears up and down that he didn't click on any ads, and his browsing history reflects that. I've been seeing a lot more infections like this lately, even on machines whose users know better than to click ads (old customers). Took some time to track down where these were coming from; this news comes as no surprise to me. Back about two months ago one of my home machines here got infected that way - and not only is it thoroughly locked down with up to date antivirus and antispyware, I was using it at the time, and I KNOW I didn't cause the infection myself. Tracked it to an advertisement loaded at the same time I was viewing a NYT article. I knew for certain that I hadn't clicked on any ads; this just confirms my hypothesis at the time. I spend nearly all my time fixing computers just removing infections. If this is going to continue, it is going to make it nearly impossible for even the most careful users to keep their machines clean. I agree that the main hosts need to start being careful who they host their ads from, it is ultimately their responsibility to ensure they don't host malware drive-by advertising. SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
  13. 'careless web activity' by John+Hasler · · Score: 3, Insightful

    > I usually suspect the users of 'careless web activity' when I delouse a PC...

    They are guilty of 'careless web activity': not blocking ads.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    1. Re:'careless web activity' by FlyingBishop · · Score: 2, Informative

      Don't block ads. Use NoScript. Blacklists are easily compromised. Whitelists are much more difficult.

    2. Re:'careless web activity' by John+Hasler · · Score: 1

      > Don't block ads. Use NoScript.

      I use NoScript to block scripts. I use Privoxy to block ads.

      > Blacklists are easily compromised. Whitelists are much more difficult.

      Nothing gets through and I can selectively allow scripts.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    3. Re:'careless web activity' by delinear · · Score: 1

      I'm more than happy to tolerate ads if it supports my continued free access to some great web content and services. To be honest, I pretty much never notice them anyway so if the site owner benefits from them being there and I don't suffer any detriment, that's a true win-win situation (I've never blocked /. ads for the same reason, even though they kindly give me the option to disable them, I'm happy enough with the service they provide). If, however, I was similarly infected by visiting a reputable site I'd seriously rethink that policy. Google got so big on the back of offering very basic, minimal intrusion advertising so why do we need yet more dancing monkeys when they're a possible threat to my security?

  14. Scary by Anonymous Coward · · Score: 0

    I recently loaded the website of a local paintball facility in Firefox 3.5.7 with NoScript and the site somehow added itself to the NoScript allowed sites and attempted to install one of the Antivirus XP 2010 type pieces of crapware. This was on Vista and the installation went nowhere; testing on an XP machine yielded full and complete installation with no user interaction beyond opening the original web site. Pretty scary.

  15. ORLY? by SpicyBrownMustard · · Score: 2, Interesting

    Let's see here... an anti-malvertising/malware firm reporting lots and lots of malicious "bad things" being served up by those terrible pesky Internet ads... no agenda here. The report failed to follow-through and dig into the real problem with malicious payloads associated with online ads, the ad network daisy-chain. If network-A has no impression for you, you're handed off to network-B, which may have no impression and then gives you to network-C... and so on. As your impression traverses the daisy chain, the likelihood of hitting a low-tier ad network that allows any wanker with a (stolen) credit card to order millions of impressions increases... where the malware begins. We scan our ad tags daily, using two methods -- a dozens-of-times-an-hour service, and our own script on a minimally-protected PC. We've never seen malware from advertising assets delivered by a top-tier ad network... when we see malware, it's ALWAYS from a provider down the daisy-chain.
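
The daisy-chain the post describes is what a tag scanner has to walk: each network that cannot fill the impression hands it to the next, and the creative that finally loads may come from somewhere the publisher never contracted with. Here is an added example of the core of such a tracer; it is not the poster's scanner. `CONSTRUCTED_CHAIN` is a made-up table standing in for the HTTP redirects and script includes a real scan would follow (a live tracer would replace `chain.get()` with a fetch), and the network names are invented. Besides the hops, it reports which contracted network did the hand-off to the first outside host, since that is the party that got paid for the impression.

```python
"""Follow an ad tag through the network-to-network hand-off ("daisy chain")
and report the first hop that falls outside the networks the publisher
actually contracted with, together with the contracted network that did
the hand-off.

Added example, not the poster's scanner. CONSTRUCTED_CHAIN is a made-up
table standing in for the HTTP redirects and script includes a real scan
would follow; a live tracer would replace chain.get() with a fetch.
"""
from urllib.parse import urlsplit

# Constructed: each tag URL maps to the URL it hands off to when it has no
# impression to fill; None marks the creative that is actually served.
CONSTRUCTED_CHAIN = {
    "https://ads.tier1.example/tag?slot=top": "https://fill.tier2.example/rtb",
    "https://fill.tier2.example/rtb": "https://cheap-impressions.example/serve",
    "https://cheap-impressions.example/serve": "https://payload.example/x.js",
    "https://payload.example/x.js": None,
}

# Networks the publisher has a contract with (assumed).
CONTRACTED_NETWORKS = {"ads.tier1.example", "fill.tier2.example"}

MAX_HOPS = 10  # cap so a looping or endless chain cannot hang the scanner


def trace_chain(start, chain, contracted, max_hops=MAX_HOPS):
    """Follow hand-offs from `start`. Returns the ordered hops, the first
    host outside `contracted` (or None if the whole chain stayed inside),
    and the contracted host that handed off to it."""
    hops = [start]
    current = start
    first_outside = None
    handed_off_by = None
    for _ in range(max_hops):
        host = urlsplit(current).hostname or ""
        if first_outside is None and host not in contracted:
            first_outside = host
            if len(hops) > 1:
                handed_off_by = urlsplit(hops[-2]).hostname
        nxt = chain.get(current)
        if nxt is None:
            break  # creative served (or chain ends at an unknown tag)
        if nxt in hops:
            raise RuntimeError(f"loop in ad chain at {nxt}")
        hops.append(nxt)
        current = nxt
    else:
        raise RuntimeError(f"chain exceeded {max_hops} hops without serving a creative")
    return {
        "hops": hops,
        "first_outside": first_outside,
        "handed_off_by": handed_off_by,
    }


if __name__ == "__main__":
    result = trace_chain("https://ads.tier1.example/tag?slot=top",
                         CONSTRUCTED_CHAIN, CONTRACTED_NETWORKS)
    for i, hop in enumerate(result["hops"]):
        print(f"hop {i}: {hop}")
    print("first outside contracted networks:", result["first_outside"])
    print("handed off by:", result["handed_off_by"])
```

Run daily against every tag on the page, as the post says it does, the `first_outside` and `handed_off_by` fields are the two things worth keeping in the log: the first tells you where the exposure starts, the second tells you who to take it up with.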

    1. Re:ORLY? by John+Hasler · · Score: 2, Insightful

      Why don't you think that the top tier services should be held responsible for the results of their daisy-chaining? They got paid for handing you off.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:ORLY? by shoehornjob · · Score: 1

      Every major av vendor I know of (Symantec, Mcafee, Panda, Trend Micro, Kaspersky etc) do something like this so I disagree that there is a hidden agenda here. We saw the NY Times exploit on Slashdot a while back so they're not spreading FUD. As far as digging into the real problem, I guess it depends on the audience.

      --
      "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
    3. Re:ORLY? by SpicyBrownMustard · · Score: 1

      I do think they should be responsible, but the nature of the report -- specifying top-tier domains as a *SOURCE* of malware -- is deceptive and inaccurate.
      The daisy-chain is the problem in both this and privacy concerns.

    4. Re:ORLY? by SpicyBrownMustard · · Score: 1

      And every major AV vendor obfuscates and over-states the threat associated with cookies.
      nope - no agenda

  16. Disable JavaScript by Anonymous Coward · · Score: 0

    Disable JavaScript and 3rd party cookies.
    Obviously, don't use IE and configure it at the highest possible internet security options to stop accidental use by users or other programs hard coded to use it.

  17. Not just that... by naplam33 · · Score: 0

    And not just malware, scam shops and all kinds of shady stuff. You want to know what's the best part? Google, Yahoo, and so on don't give a f*ck about it, I've reported such ads several times and I've never seen any action taken. As long as the criminals pay for the ads, nobody cares.

  18. Who Pays for These Ads? by Anonymous Coward · · Score: 0

    Seems like it should be easy to track and either immediately shut down the compromised accounts used or decapitate the morons responsible. If it's not easy then the payment systems need to be completely re-engineered such that it is. There's no excuse in this privacy-impaired online global society for not being able to track down where the money comes from. Heck, just ask the fraking RIAA for help if you can't figure out it's really a 70 year old grandmother without a computer who is placing these ads.

  19. OK, if the ad networks won't police this by WCMI92 · · Score: 2, Interesting

    Then we should start blocking the ad networks from our networks.

    If lots of people started doing that, I wonder how quick Google, Yahoo, et al. would start screening advertisers for malware?

    --
    Corporatism != Free Market
  20. google ads? by pikine · · Score: 1

    I thought the text-only ads from Google will not allow an advertiser to embed Javascript. Not sure about their newer Flash ads which can embed ActionScript, but one would think Google will be more careful with that. Maybe it is possible that Google still unknowingly redirects you to a malware page after you click on an ad, but the pie chart in TFA does not show Google DoubleClick (probably an insignificant amount under Others). In addition, Google may use the automated method behind stopbadware.org to determine whether an ad is clean or not. I'd be surprised if they're not already doing that.

    What is interesting is, although the chart does not show Google, the article still lumps Google Ads to their headline. Why? It's more catchy to sling mud on Google? What kind of irresponsible journalism is that?

    --
    I once had a signature.
  21. Make the Ads Safe by The+Angry+Mick · · Score: 4, Insightful

    I would like to support sites by viewing their ads but if it leaves you more open to viruses even on high-profile sites then it is not worth the risk.

    Very good point, especially in light of Ars Technica's recent plea to users to stop blocking ads.

    I, too, would be more than willing to disable the protective measures I've got in place, but as long as these sites rely on third party advertisers that are more concerned with eyeball collection than system security, we have a stalemate. If sites want me to see their ads, they have the burden of making sure the ads are safe (less annoying, would also be good). If I lower my guard out of "friendship" for a site, only to get a drive by download as a reward, I'm going to take it as a major breech of trust.

    --

    I'm not tense. I'm just terribly, terribly, alert.

    1. Re:Make the Ads Safe by IICV · · Score: 1

      Are the Breeches of Trust related in any way to the Trousers of Time?

      On a more serious note, this is exactly why Ars Technica's plea was in vain - they want users to stop blocking ads, because that will bring them more money from the people who buy ads on their site. However, the people who buy ads on their site aren't making enough revenue from the ads as it is, and so resort to these intrusive, virus-laden pieces of shit in a weird attempt to generate more revenue.

      This is why I don't feel bad about blocking those big complex ads, even after reading Ars's article. The people who buy them will eventually go out of business, because their business model is unsupportable. They are simply not the future of the Internet - or at least, not the future of my Internet.

    2. Re:Make the Ads Safe by The+Angry+Mick · · Score: 1

      Heh heh. That's what I get for not proofreading. I blame the Lederhosen of Lethargy.

      --

      I'm not tense. I'm just terribly, terribly, alert.

    3. Re:Make the Ads Safe by hoggoth · · Score: 1

      Your posts have inspired me to put on my Culottes of Confusion.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    4. Re:Make the Ads Safe by unixpgmr · · Score: 1

      I agree entirely with that statement. As long as third party scripting is done, I am very wary. Once a breach of trust is made, it will be very hard for the site to win back my trust.

    5. Re:Make the Ads Safe by Anonymous Coward · · Score: 0

      FWIW, I consider any ad that automatically begins playing sound another kind of breach of trust.

      It's one thing to show an ad, even if it's epilepsy-inducing, but one which unexpectedly blares sound and voices over my speakers from somewhere in my stack of tabs is a transgression demanding harsh retribution.

    6. Re:Make the Ads Safe by psydeshow · · Score: 1

      as long as these sites rely on third party advertisers that are more concerned with eyeball collection than system security, we have a stalemate. If sites want me to see their ads, they have the burden of making sure the ads are safe (less annoying, would also be good). If I lower my guard out of "friendship" for a site, only to get a drive by download as a reward, I'm going to take it as a major breech of trust.

      Bingo. If your site relies on ad revenue to survive, maybe you should be the one serving the ads so that you have control over what's appearing next to your precious content.

      Because here's the thing: ad blockers do not block server-included ads. Right? They block 3rd-party ads that are placed using client-side includes.

      If you (as a content provider) trust your advertisers enough to serve the ads from your own site (and take responsibility for redistributing any malware they hand you, yes?) then I won't try to block your ads. It would be like blocking the photos embedded in your stories, or the graphics of your ui. It just wouldn't make sense.

      The problem is that most sites are apparently so desperate for money that they will allow *anyone* to put *anything* on their pages. They may not intend for that to be the case, but that's the nature of client-side includes. When you use them, you have no control over what some other site is going to decide to do.

    7. Re:Make the Ads Safe by NeoSkandranon · · Score: 1

      I guess I have the panties of perplexity.

      _>

      --
      If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
    8. Re:Make the Ads Safe by bughunter · · Score: 1

      the panties of perplexity

      Which are only slightly worse than the Skivvies of Skepticism.

      --
      I can see the fnords!
    9. Re:Make the Ads Safe by Anonymous Coward · · Score: 0

      Which are nowhere near as bad as the Cursed Codpiece of Cowardice.

  22. Makes it hard to meet them halfway by MikeRT · · Score: 3, Insightful

    They complain about advertising revenues while they are serving up ads that contain malware. To someone who hates ads to begin with, that's like saying "we know you don't enjoy crawling over broken glass, so how about crawling over glass mixed with AIDS-infected blood and barbed wire?"

  23. malvertising? by Anonymous Coward · · Score: 3, Funny

    how about badvertising?

  24. Say NO to active content. by Anonymous Coward · · Score: 4, Interesting

    That's why I am so pissed at site designers who go "lalala I can't hear you" whenever I request they make their site accessible without "active content" (i.e. Javascript, Flash, Java or even worse things).

    It's nifty and all, but nowadays it's the main malware distribution mechanism. And you can't tell users "just switch off Javascript", because suddenly, half of the Web won't work (I do switch off Javascript: no, not NoScript. Just The Real Thing -- and for most, I'm even glad *this* half of the Web doesn't work -- but I can't tell a regular user to do the same). Heck, those $@#%! web designers even do regular links with javascript snippets for reasons inscrutable to me. Disgusting.

    Advertisers? Do you hear me? I'll look at pngs, jpegs and gifs, even animated. I'll read text. But I won't even see your Javascript/Flash/whatever stuff.

    There. Had to be said.

  25. On the contrary! by Errol+backfiring · · Score: 1

    Watch an ad and you're f*cked automatically!

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  26. Ban Javascript! by tedhiltonhead · · Score: 1

    Ad networks should not enable their clients to include Javascript, Flash, Java, or other active content in the first place. If they have a compelling business case for doing so, all code should be "whitelist" filtered before being distributed. The ad network's reputation is on the line every time they serve an impression.
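The whitelist filter that this comment and the "Say NO to active content" post above are asking for, written out as an added example (not any ad network's code, and not the commenters' own): a creative enters rotation only if its bytes begin with a PNG, JPEG or GIF signature and agree with the declared MIME type; anything whose bytes identify it as SWF, PDF, JAR or an executable is refused, as is markup smuggled into the head of an otherwise valid image. The function names, the size cap and the sample creatives are assumptions for this example.

```python
"""Image-only whitelist filter for ad creatives.

Added example for this discussion, not code from any ad network or from
the commenters.  Assumed setup: the ad server has the raw bytes of a
submitted creative and the MIME type the advertiser declared for it.
Names, the size cap and the sample creatives below are made up.
"""
from typing import Optional, Tuple

# Leading bytes of the only formats an image-only policy lets into rotation.
ALLOWED_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Leading bytes of active content that must never be served as an "ad".
REJECTED_SIGNATURES = {
    b"FWS": "Flash (uncompressed SWF)",
    b"CWS": "Flash (zlib-compressed SWF)",
    b"ZWS": "Flash (LZMA-compressed SWF)",
    b"%PDF": "PDF",
    b"PK\x03\x04": "ZIP/JAR (Java applet)",
    b"MZ": "Windows executable",
}

# Markup that has no business inside an image; checked case-insensitively
# in the head of the file so a GIF/HTML polyglot does not slip through.
MARKUP_MARKERS = (b"<script", b"<object", b"<embed", b"<iframe", b"<html", b"javascript:")

MAX_CREATIVE_BYTES = 150 * 1024  # assumed cap; a banner does not need more


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file signature, or None."""
    for signature, mime in ALLOWED_SIGNATURES.items():
        if data.startswith(signature):
            return mime
    return None


def detect_active_content(data: bytes) -> Optional[str]:
    """Name the active-content format found in the bytes, or None."""
    for signature, label in REJECTED_SIGNATURES.items():
        if data.startswith(signature):
            return label
    head = data[:4096].lower()
    for marker in MARKUP_MARKERS:
        if marker in head:
            return "HTML/script markup"
    return None


def vet_creative(data: bytes, declared_mime: str) -> Tuple[bool, str]:
    """Decide whether a submitted creative may enter rotation.

    Returns (accepted, reason).  The declared MIME type is never trusted on
    its own: the bytes have to agree with it.
    """
    if len(data) > MAX_CREATIVE_BYTES:
        return False, "rejected: creative exceeds size cap"
    active = detect_active_content(data)
    if active is not None:
        return False, "rejected: active content (%s)" % active
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "rejected: not a recognised static image"
    if sniffed != declared_mime.strip().lower():
        return False, "rejected: declared %s but bytes are %s" % (declared_mime, sniffed)
    return True, "accepted as %s" % sniffed


# Constructed sample submissions; truncated headers are enough for the check.
SAMPLE_CREATIVES = {
    "banner.png": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 32, "image/png"),
    "rich-media.swf": (b"CWS\x0a" + b"\x00" * 32, "image/gif"),    # SWF declared as a GIF
    "whitepaper.pdf": (b"%PDF-1.4\n" + b"\x00" * 32, "application/pdf"),
    "polyglot.gif": (b"GIF89a" + b"<script>alert(1)</script>", "image/gif"),
    "mislabelled.jpg": (b"\xff\xd8\xff\xe0" + b"\x00" * 32, "image/png"),
}


def vet_all(creatives=SAMPLE_CREATIVES):
    """Run every sample through the filter; returns {name: (accepted, reason)}."""
    return {name: vet_creative(data, mime) for name, (data, mime) in creatives.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in vet_all().items():
        print("%-16s %s" % (name, reason))
```

Signature sniffing removes the scripting vectors the thread is about (Flash, PDF, Java, raw HTML), which is the point of an image-only policy; it does nothing about a bug in the browser's image decoder, and a production filter would additionally re-encode the image with an imaging library so only pixels survive.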

  27. Ars Says by JackSpratts · · Score: 1

    It's a small price to pay for not using AdBlock. So remember: don't use it.

  28. Are you kidding me? by malp · · Score: 1

    The simple act of browsing the web should never under any circumstances infect your computer. The web browser is simply a viewer. It should only have permission to save bookmarks, cookies, and maybe a few other things to disk. If your operating system allows the web browser to infect your computer or to modify itself without prompting you first, someone seriously dropped the ball when designing your OS. Relying on anti-virus protection or only visiting reputable web-sites is like piling sandbags in front of your house when you shouldn't have built in a flood plain in the first place.

    1. Re:Are you kidding me? by Anonymous Coward · · Score: 0

      the interweb is a flood plain, genius

            it's the absence of rule of law and of course the downside is, this policing is going to limit, reduce, invade...activity, freedom and privacy

            But the internet will soon become no different from the nation itself, increasingly subject to more regulation, law and prosecution and why, because some fuckfaces cannot control themselves and are the scum of the earth, too lazy to actually make something worthwhile so they make trouble

            the long sentence recently doled out to that ahole hacker, it's just the beginning so get ready and no one will be able to blame bush

    2. Re:Are you kidding me? by kalirion · · Score: 1

      A browser is an application, like any other. Should an OS have a list of all web browsers and treat them differently from every other program?

  29. What? Me Worry? by Anonymous Coward · · Score: 0

    For the past 10+ years I've had no worries about clicking on any ad or link I see. Never picked up anything from doing so, despite being warned for the past decade that my days of worry-free browsing will soon come to an end. It's been over 10 years now and I'm still waiting. I run no A/V, never have, and my firewall is gathering dust. (I assume it works but I've never turned it on.) Mod this post into oblivion all you want, but I'm just here to tell ya, there really is a better way.

    I don't need to tell you what OS I'm using. That should be obvious.

  30. Re:i'd rather have a malware infested web with ads by Anonymous Coward · · Score: 0

    ONE small claims court victory for PC cleanup costs a month would put a serious hurt on any site's revenue.

    Serve the ads yourself and take responsibility for them, every other media format does.

  31. Privoxy by John+Hasler · · Score: 3, Informative

    > Doesn't really help in a business environment - few adblockers allow you to
    > deploy and manage them centrally. Frankly, it would make more sense to block
    > ads at the firewall.

    Privoxy does exactly that.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  32. Adblock and Noscript by erroneus · · Score: 1

    Once again, we cannot trust advertising that does not come directly from the web site being contacted. No surprise there. Further, there are times when we cannot trust advertising that DOES come from the site being contacted.

    The only safe content, so far, is based on simple text and pictures.

    Are you listening advertisers? TRUST the people you are advertising through to host and deliver your ads appropriately. RESPECT your audience enough to avoid using flash and other nonsense. Do this and people will not block your ads so much. People block not only because it is annoying, it is a risk to do otherwise.

  33. i hope the folks at Ars see this by fightinfilipino · · Score: 1

    i understand their position, but they've got to realize ours. hours wasted cleaning out malware/spyware does not make for a good browsing experience, period.

  34. You can't tell the enemy from your friends... by rickb928 · · Score: 4, Interesting

    I have a running dialogue with a webmaster of a celebrity paps site (ok, sue me) about the various bits of malware that are being served up by her various advertisers. This began a few months ago, and it took a while before I figured out they could not be expected to know this was happening. She has tracked down the source of these adverts to an agency that offered her triple the usual rate. Now she knows, among other things, that if it's too good to be true, there is a reason why.

    But, she and I have synched clocks so she can know to the few seconds what I got. She has to report back precise details to get her advertisers to figure out what happened, cause most of her direct advertisers are contracting out ads to other agencies, and they sell other ads, and the chain gets long and obscure in no time at all.

    So far, she is helpful, but last week I sent her a screenshot of a nasty one installing that 2010 antivirus onto one of my virtual machines, and it turned out to be her oldest and most loyal sponsor, and an entirely legitimate ad that had gotten hijacked on the way to her server. Yup, her server is compromised, and some ads are being re-written on the fly from other sources. Makes sense to me, just another vector. This is not good - even honest webmasters are vulnerable, though she called in a team/favor to fix up her server, which is supposed to be monitored for this stuff. Oh well.

    Is there any defense? I'm using VPC2007 to run browsers just to be able to look at the nasty stuff being inflicted on me (not the celebs, thank you) and I can't imagine the fun of doing this from my desktop. Ewww.

    When the NYT is being used, we are past blaming the source.

    Not to mention the waiting time I see for ad servers. I want the damned content I asked for, thank you, perhaps webmasters need to find a way to ditch slow ads and let us see what we wanted to in the first place, ok? Thanks!

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:You can't tell the enemy from your friends... by bjohnson · · Score: 1

      Of course there's a defense.

      Stop
      Using
      Windows

      There, it's easy.

    2. Re:You can't tell the enemy from your friends... by rickb928 · · Score: 1

      No, you're just changing the venue. Or the rules, depending on your chosen metaphor.

      Nothing is secure. Some are more or less secure, but nothing is absolutely secure.

      Now, as an interesting defense, I've taken to opening some sites on my phone. A few behave very, very badly, begging me to visit them with a 'supported' browser. Ha!

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  35. Twice from Slashdot by Alistair+Hutton · · Score: 1

    I've been hit twice in two weeks with attempted installs of trojans/fake anti-spyware just from visiting pages linked to from Slashdot stories. Not amusing.

    --
    Puzzle Daze is now my job
  36. I sure am glad... by NewbieProgrammerMan · · Score: 1

    ...that I never removed DoubleClick from the list of sites that aren't allowed to deliver content to my browser.

    --
    [b.belong('us') for b in bases if b.owner() == 'you']
  37. Sites complain about adblockers then serve viri by Anonymous Coward · · Score: 0

    I read a couple posts last week about how ad blockers are destroying ad revenue for sites and how ad blockers will destroy the sites you love...but if ads are serving that many viruses then how can you justify not using an ad blocker.

  38. AdBlockPlus and Ghostery by XB-70 · · Score: 1

    I install Firefox on every machine I set up and then add AdBlockPlus and Ghostery. It's amazing what these two block. Mind you, they are not perfect and sometimes you have to allow some code to get through with Ghostery or the site does not work. Lastly, of course, you should use Linux. That helps a lot...

    --
    *** Don't be dull.***
    1. Re:AdBlockPlus and Ghostery by NorQue · · Score: 1

      Ghostery seems to be fishy, being owned by an advertising company. The EasyPrivacy filter for Adblock Plus might be a better solution.

  39. Follow the money.. by js_sebastian · · Score: 1

    We do actually have that option in the content filter on our firewall. When I enabled it before I got complaints from one of the directors because they actually click on ads -.-

    Wow... so these are the guys that actually pay for all of our free internet services? By all means do not ad-block them or the internet will collapse!

  40. nobody has to suport your idiot business model by Thud457 · · Score: 1

    Advertising shitheads that want to run ad servers and serve up ads to hapless intarweb users should vet the content their customers are asking them to serve up. And not allow their customers to upload new content without being vetted. They should report any customers that misbehave. And they should be forced to do all this, on pain of literally having some guy named bubba come and break a finger for each offense.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  41. Or by Anonymous Coward · · Score: 0

    not. Wow, you can't even post useless crap correctly. You sure suck at life.

  42. Yeah, this does not square with Googles analysis.. by Tran · · Score: 1

    The other day someone posted a nice link to Google's facebook analysis, so I tried some of the pages mentioned above.
    For example:
    http://google.com/safebrowsing/diagnostic?site=drudgereport.com/

    Seems that Google has a different opinion on this information.

  43. Why I don't run ads by KingSkippus · · Score: 5, Interesting

    Yup, I've seen it, too. I run a gaming web site that gets around 2 million page loads a month. A long time ago, I made a deliberate decision not to run ads. My rationale at the time was that I didn't mind paying the hosting cost because it's my hobby. Some people pay a lot on woodworking, some people pay a fortune on golf. My hobbyist indulgence is paying the monthly fee for a VPS to host the site.

    A while back, when I needed more power for the site and the hosting costs went up, I made a deal to move the site (which was a MediaWiki-based wiki) to Wikia. They promised me that there would only be one ad on the site, that it would never be injected in the content, that it wouldn't be obtrusive, and other such things. After the site was moved, they proceeded to go back on these promises, and several more.

    After less than a year, the other administrators and I decided to re-host the site ourselves, and ask for donations. Again, we don't run ads, and thanks to donations, I'm almost breaking even on the hosting costs.

    Recently, someone pointed me back to Wikia's site. It is a tragedy. Aside from being woefully out of date, there were six or eight ads, including javascript and Flash ads that obscure parts of the screen and injected into the articles. Worst of all, some of the "malvertising" discussed in this article.

    Here's what's kind of bad. Because Wikia uses SEO crappy games, their site still comes up on top of the search results in Google. (You should see the page titles, they're 10 or 15 words long.) I recently posted a message on the game's official forums warning people of the malevolent advertising, because I wanted to make sure people used the right URL for our wiki, and it was a good chance to reiterate how important it is to us to keep the site ad-free.

    A week or so ago, one of the guys at Ars Technica ranted in an article about how people who use ad blocking are stealing content. I've seen higher profile people (Rupert Murdoch, I'm looking at you...) make the same claim. I said then, and I still maintain, that using ad blocking and Flash blocking is not just a matter of convenience, but a matter of maintaining the security of my system.

    Fortunately, I like sites like Ars Technica, because they provide an alternate means of reading their content without "stealing" it, and I have a paid subscription to the site. However, as long as a site's only business model is advertising, I don't feel one iota of guilt in protecting my system. If they block content if ad blockers are being used, more power to them, I'll find another site to read.

    But stories like this, stories I've actually felt first-hand, are why I support sites without advertising, I do what I can to opt out of advertising, and I don't force advertising on visitors to sites I run myself.

    1. Re:Why I don't run ads by Seedy2 · · Score: 3, Insightful

      I saw the word "malvertising" and thought it was redundant. I have always considered ALL advertising to be malware. Including print and TV advertising. They are all an attempt to force me to view their message, which I neither want nor asked for, and block or delay me viewing what I want to see.

      --
      Nothing to say here... move along
    2. Re:Why I don't run ads by psithurism · · Score: 1

      week or so ago, one of the guys at Ars Technica ranted in an article about how people who use ad blocking are stealing content... I said then, and I still maintain, that using ad blocking and Flash blocking is not just a matter of convenience, but a matter of maintaining the security of my system.

      Well if his business model is trading content for malware, then it's just plain unfair that you get content but he doesn't get to give you malware. In fact now he has to use twice as much malware on the honest customers who don't adblock him.

    3. Re:Why I don't run ads by bzipitidoo · · Score: 1

      I don't allow ads because some of my hardware is very old and slow. Firefox 3.6 takes 30 seconds to come up on a 133 MHz Pentium system. Flash is so slow I seldom install it. Ok, ok, hardware that old ought to be thrown out. Not worth even the electricity it takes to power them, let alone the time it takes me to install the latest OSes. But I like to keep them around. I sometimes find such machines useful for performance testing. Gives you an appreciation for how bloated KDE, Gnome, and even XFCE are. If I'm scratching around looking for every little performance boost, I'm sure not overlooking ads. I'm not keeping ads if I'm giving up compositing and anti-aliasing.

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
    4. Re:Why I don't run ads by vux984 · · Score: 1

      Well if his business model is trading content for malware, then it's just plain unfair that you get content but he doesn't get to give you malware

      If his business model can be trivially rendered non-viable, it's up to him to change it, not us to suffer with it.

    5. Re:Why I don't run ads by kalirion · · Score: 3, Interesting

      Sure, just like highway billboards and road-side bombs are really similar, when you think about it.

    6. Re:Why I don't run ads by psithurism · · Score: 1

      If his business model can be trivially rendered non-viable, it's up to him to change it, not us to suffer with it.

      Agreed. I avoid the checkout counter at the local supermarket as I exit with groceries, it trivially renders their business model non-viable, but really, it's up to them to change it, not me to suffer with it.

    7. Re:Why I don't run ads by ekhben · · Score: 1

      I look forward to a future where it is a crime to ignore or outright avoid advertisements.

    8. Re:Why I don't run ads by psithurism · · Score: 1

      Well if his business model is trading content for malware, then it's just plain unfair that you get content but he doesn't get to give you malware

      If his business model can be trivially rendered non-viable, it's up to him to change it, not us to suffer with it.

      Actually I figured out how to improve his business model: the malware serves you the content, now he can be sure that you're infected and maximizing his profits before you get to access his content.

    9. Re:Why I don't run ads by vux984 · · Score: 1

      I avoid the checkout counter at the local supermarket as I exit with groceries, it trivially renders their business model non-viable, but really, it's up to them to change it, not me to suffer with it.

      What? You've never seen a supermarket with a security guard? Or where they check receipts as you leave? Or where they've renovated the store to make avoiding the checkout much harder, added turnstiles at the entrance to make going "out" the "in" harder, etc, etc. Of course a certain level of theft is inevitable... but I'm sure you're aware the price of goods on the shelves already covers a certain level of anticipated theft.

      So far they've adapted just fine to people 'avoiding the checkout counter'. That's why they're still in business. If avoiding the checkout counter became so epidemic that all these measures didn't work, rest assured they'd adapt.

    10. Re:Why I don't run ads by vux984 · · Score: 1

      Actually I figured out how to improve his business model: the malware serves you the content, now he can be sure that you're infected and maximizing his profits before you get to access his content.

      Exactly. Like DRM music. ;)

      Of course my response to that was to stop consuming content. And now drm free music is readily available again.

  44. I'm a professional Malware removal guy. Literally. by _KiTA_ · · Score: 4, Informative

    I work at a pinch hitter Tier 2 Pay to Play tech support company that is outsourced to by several major ISPs.

    I see these damned things all the time. Usually they come with names like XP Antivirus 2010 or "Vista Security Center" or somesuch crap. They almost exclusively look the same, and there are new names that appear every so often -- XP Antivirus 2010 was "Internet Security 2010" not too long ago, for example. I suspect there is a kit that these companies are using to make their products.

    They are almost exclusively coming in from banner ads. Specifically they use a Flash ad that, after a few minutes, or upon webpage close, or mouseover, opens an infected PDF file on a random infected server. Google Chrome occasionally catches these domain names, usually they are IP addresses or something similar.

    Flashblock is NOT foolproof (although it does help), as occasionally they just have the ad banner on an infected server that auto-redirects you to a PDF file immediately.

    They are occasionally Java files instead, but almost exclusively they are PDF files.

    They're actually getting very creative in their infections. XP AV 2010, for example, sets itself up as the handler for EXE files -- in order to remove it, you have to install Malwarebytes and rename the mbam.exe file as 1.com or something similar. You can also dive into the registry to fix the EXE thing, except if the program is running it will just break it again immediately. Either Windows does not have support for hijacking the .COM support in Windows XP/Vista/7, or these viruses just aren't thinking to try yet. Once they do, then our options drop to "OS Reinstall", as you can literally not run anything.

    Some of these programs install themselves in such a way that if you attempt to load Safe Mode, your OS will intentionally BSOD. Or, in at least one infection, the screen filled with ASCII smiley faces and didn't continue.

    Combofix will also remove most of these, and usually with "Security Center" or "XP AV 2010" we give up and run Combofix immediately.

    The solution to prevent future infections isn't to move to Firefox or Chrome -- these infect those just as easily, although Chrome seems to just crash its Flash plugin instead. In order to fix these, you have to update Adobe Flash, Adobe PDF, and Sun Java to the latest versions. PDF is the most important, but not the only one. Better browsers won't work. Antimalware programs won't work. The only way to fix it is to patch the holes.
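The delivery chain this comment describes (a Flash banner that, on a timer or a mouseover, pulls an exploit PDF or JAR from a throwaway host, often a bare IP address) is something a proxy log can be searched for. The following is an added example of that hunt, not the commenter's tooling or any vendor's product. The log layout is constructed for the example (tab-separated: time, client, method, URL, status, content type, referer, with "-" for no referer); the ad-network list contains only the domains the story names, and the sample lines and addresses are made up.

```python
"""Hunting the Flash-ad-to-PDF chain in web proxy logs.

Added example, not the commenter's own tooling or any vendor product.
The log layout is constructed for this example: one request per line,
tab-separated as time, client, method, url, status, content-type,
referer ("-" when absent).  AD_DOMAINS holds only domains the story
itself names; extend it for your own environment.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlparse

AD_DOMAINS = {"doubleclick.net", "yieldmanager.com", "fimserve.com"}

# Payloads the comment describes: PDFs mostly, the occasional JAR.
PAYLOAD_CONTENT_TYPES = {"application/pdf", "application/java-archive",
                         "application/x-java-archive"}
PAYLOAD_PATH = re.compile(r"\.(pdf|jar)$", re.IGNORECASE)
FLASH_PATH = re.compile(r"\.swf$", re.IGNORECASE)

FIELDS = ("time", "client", "method", "url", "status", "ctype", "referer")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into fields; None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None  # skip rather than guess at a broken line
    return dict(zip(FIELDS, parts))


def hostname(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_domains(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def is_payload(rec: Dict[str, str]) -> bool:
    """PDF/JAR by content type or by URL path (type headers get lied about)."""
    ctype = rec["ctype"].split(";")[0].strip().lower()
    return ctype in PAYLOAD_CONTENT_TYPES or bool(PAYLOAD_PATH.search(urlparse(rec["url"]).path))


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return why this fetch looks like the malvertising chain, or None."""
    if rec["status"] != "200" or not is_payload(rec):
        return None
    reasons = []
    referer = rec["referer"]
    if referer != "-":
        if FLASH_PATH.search(urlparse(referer).path):
            reasons.append("referred by a Flash object")
        if in_domains(hostname(referer), AD_DOMAINS):
            reasons.append("referred by an ad network")
    if is_bare_ip(hostname(rec["url"])):
        reasons.append("served from a bare IP address")
    return "; ".join(reasons) or None


def hunt(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan log lines and return one alert per suspicious payload fetch."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            alerts.append({"time": rec["time"], "client": rec["client"],
                           "url": rec["url"], "reason": reason})
    return alerts


# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = [
    "2010-03-22T09:14:01\t10.0.0.21\tGET\thttp://intranet.example/forms/expenses.pdf\t200\tapplication/pdf\thttp://intranet.example/forms/",
    "2010-03-22T09:15:12\t10.0.0.21\tGET\thttp://ad.doubleclick.net/ad/banner.gif\t200\timage/gif\thttp://www.example-news.invalid/",
    "2010-03-22T09:15:13\t10.0.0.21\tGET\thttp://203.0.113.45/cgi/x.php?id=7\t200\tapplication/pdf\thttp://ads.example-adnet.invalid/creative/banner.swf",
    "2010-03-22T09:20:44\t10.0.0.37\tGET\thttp://198.51.100.7/load/run.jar\t200\tapplication/java-archive\t-",
    "2010-03-22T09:22:09\t10.0.0.37\tGET\thttp://downloads.example-vendor.invalid/brochure.pdf\t200\tapplication/pdf\thttp://ad.yieldmanager.com/imp?z=1",
    "garbage line that does not parse",
]


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print("%(time)s %(client)s %(url)s  [%(reason)s]" % alert)
```

Treat the output as a triage queue rather than a verdict: a PDF whitepaper legitimately advertised through an ad network trips the "referred by an ad network" rule, and the referer is often stripped outright, which is why the bare-IP rule is there as a fallback. Attackers also use throwaway domain names instead of raw addresses, so a hit on the infected client's later traffic (the rogue AV's own call-outs) is what confirms the chain.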

  45. Ad CDNs have been a nightmare by Coopjust · · Score: 3, Insightful

    Two weeks ago, someone asked me to reinstall Windows XP for them. Their disk was XP SP3.

    I reinstall, and open IE to visit Windows Update

    Instantly, I get a Vundo variant from a malicious ad attacking the out-of-date Flash Player that came with XP that installs without any user intervention whatsoever.

    This only served to reinforce that I was right and not a webmaster/free content hating jerk when I block ads online.

    1. Re:Ad CDNs have been a nightmare by Coopjust · · Score: 1

      To be clear: It was an ad on the MSN homepage.

      Common sense for me will be going to the control panel and changing the homepage to Windows Update first now.

    2. Re:Ad CDNs have been a nightmare by PhxBlue · · Score: 1

      This only served to reinforce that I was right and not a webmaster/free content hating jerk when I block ads online.

      I hate that webmasters seem to think we're responsible for their prosperity. Webmasters: If your advertising model works, great. If not, find another model or get off the Internet.

      --
      !#@%*)anks for hanging up the phone, dear.
    3. Re:Ad CDNs have been a nightmare by mholda · · Score: 1

      Why not just go Start -> Run -> Windows Update?

    4. Re:Ad CDNs have been a nightmare by Coopjust · · Score: 1

      To be honest, I forgot the shortcut was even there.

      On XP, I slipstream now. On Vista & 7, it's all in the control panel anyways.

    5. Re:Ad CDNs have been a nightmare by shadowbearer · · Score: 1

      Doesn't help users with new computers that were built without opening IE first, nor those who use MSNBC as a homepage. If MSNBC's homepage had one malware ad on it, you can bet there are or will be more. Sigh :( SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
    6. Re:Ad CDNs have been a nightmare by Anonymous Coward · · Score: 0

      I call FUD: Flash doesn't come with Windows. Either you installed from a copy bundled with Flash (i.e., not Windows XP), or you installed Flash before you updated. Thus, it's your fault.

      QED

    7. Re:Ad CDNs have been a nightmare by Coopjust · · Score: 1
      http://www.microsoft.com/technet/security/advisory/979267.mspx

      Microsoft is aware of reports of vulnerabilities in Adobe Flash Player 6 provided in Windows XP.
      The Adobe Flash Player 6 was provided with Windows XP and contains multiple vulnerabilities that could allow remote code execution if a user views a specially crafted Web page.

      You were saying?

  46. Angry mods by Anonymous Coward · · Score: 0

    There are some angry mods this am, I don't think correcting your own grammatical error is as offtopic as it is insightful...

  47. Re:CUSTOM HOSTS FILES ARE THE SUPERIOR ANSWER by geekboy642 · · Score: 3, Informative

    1 is flat-out false.
    2 is technically correct.
    3 is true.
    4, while true, is pointless. A far better (and simpler, easier) job of this can be done with a local caching DNS server.
    5 is the same as 4.
    6 is stupid and wrong. Text editors that can easily handle 30MB of text are rare under Windows, and nobody should ever do that anyways.
    7 is completely stupid. There might be bugs in Window's HOSTS implementation. If there are, they will never be corrected. An AdBlock bug, or a DNS server bug, will be corrected within hours at the longest.
    8 is vacuously true.
    9 is completely false. Any malware that doesn't have admin access can get it trivially, under any Windows platform. It is impossible to lock down the HOSTS file to the point that an admin-level malware cannot interfere with it.
    10 is entirely wrong. See 6), and inspect any modern ad blocker. They've had 3-click-to-block for years now.
    11 is flat-out wrong. See 9).

    It takes you over an hour to process one million db entries? That's shameful. What are you doing that takes 4ms per entry? And why wouldn't "cat HOSTS | sed -E -e 's/[\t ]+/ /g' -e 's/[ ]+$//g' | sort -dfu" be faster and easier than processing text in assembler?

    --
    Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
  48. Careless web activity SHOULD NOT be a problem by Anonymous Coward · · Score: 1

    There's no such thing. I don't buy the "web user stupidity" argument from all the paid M$ astroturfers that dodge the fundamental underlying issue.

    Unless a user purposely downloads and installs something and enters the admin password, he's not being careless. The OS is. And that is an entirely different topic.

    How on earth is it possible that by simply surfing the Web from your browser your PC can become part of a botnet?

    The answer is simple: sloppy security, from the browser up to the OS.

    A carefully conceived OS doesn't "get rooted" by surfing the Web. A carefully conceived browser does NOT let anything escape its sandbox.

    Truth is: most browsers are abysmal pieces of ***t developed by security-clueless programmers and regarding Windows, my views are not printable, not even as an AC.

  49. Re:I'm a professional Malware removal guy. Literal by mr.bri · · Score: 5, Interesting

    Yep. You don't have to click on anything to get infected. We've had a couple of our systems infected over the past couple of months. What scares me is:

    1. We were running the latest version of Firefox
    2. Acrobat Reader was fully patched (version 8, not 9. But, we have to leave the JS enabled)
    3. Adobe Flash was up-to-date
    4. Windows was fully patched
    5. We have web filters
    6. They got past 2 layers of IDS/IPS and 3 layers of antivirus scanners (different engines)
    7. Users are NOT admins!!!

    Since then, we have switched to a few new products and attempted to tighten things up even more, but these things have gotten incredibly complex. In one case, it was a triple attack. The Flash ad (0-day exploit) loaded an exploited PDF (0-day exploit) that took advantage of a 0-day IE exploit (keep in mind we use Firefox), which compromised the system. We have a nuke-from-orbit policy on any system we suspect has been infected, but what a waste of time!

    It was hosted from a site in India. The user was on Yahoo's website (we've had 4 infections through Yahoo's ads). They did NOT click on anything!

    Be very afraid!

  50. Difficult change in habits by LoudMusic · · Score: 1

    I usually suspect the users of 'careless web activity' when I delouse a PC, but now I'm going to have to give some the benefit of the doubt."

    I too have found myself in this situation and it is really difficult for me to not immediately jump to conclusions. To this day the only malware detected on my computers were put there by software I should have known better than to install. When I stopped installing that software I stopped having problems. But I know a lot of people who get viruses regularly and never use any warez and claim to be very careful about what they open from emails and where they browse on the web and which browsers they use.

    --
    No sig for you. YOU GET NO SIG!
    1. Re:Difficult change in habits by bipbop · · Score: 1

      I had a Windows box compromised, because I foolishly had Adobe's PDF reader installed, which was up-to-date but had Javascript enabled. (At the time, I had no idea PDFs even had Javascript support. Blecch.) A website served an ad containing a PDF, which popped up Adobe's application. The window closed itself a fraction of a second later, but I saw it, and figured out what happened.

      I'd put "uses Adobe Reader" on the list of high-risk activities, to be avoided when at all possible.

  51. This is NEWs? by SpacePunk · · Score: 1

    Anybody that's been dealing with this stuff already knew that it was being served up by ad servers. The people running the ad servers evidently do not check scripts for malware before they are put into rotation, and they'll sell ad rotation to anybody that has the money with no questions asked.

    This is not new news, I am not shocked by this, nobody should be.

  52. Re:I'm a professional Malware removal guy. Literal by Archon-X · · Score: 1

    Things have indeed changed: posting with the attitude that sloppy practices are the only vector for attacks is dated.
    I recently had my laptop (OEM fresh, everything updated, running chrome) owned by something nasty. MalwareBytes, WebRoot, etc etc - all turn up blank.

    How it got on remains a mystery - and the only fix seems to be the mentioned nuke-from-orbit.

  53. Doubleclick too... by Tteddo · · Score: 3, Informative

    I fix PCs for a living and I have been seeing this too. Some people, all they do is Facebook, and they are getting "XP Antivirus" or its variants, and I know there is no way they are doing anything. They all use Firefox, etc. The last 2 weeks I have been putting on Ad Block Plus and explaining to them what it does, because I was having people get infected again in a matter of weeks after I cleaned it up the first time. I know that kinda sucks for website revenue, but what else is there to do? One guy got infected from Photobucket, and it was repeatable.

  54. Re:I'm a professional Malware removal guy. Literal by Anonymous Coward · · Score: 0

    Why use Adobe Reader in the first place? There are alternatives out there which are less embarrassingly insecure. You should be telling your customers to switch from Adobe Reader, if possible.

  55. Re:I'm a professional Malware removal guy. Literal by herksc · · Score: 1

    FYI: If you can kill the malware process and then delete it, you can manually re-associate EXEs to run as applications in the File Types menu. Just did this for a machine on my network last week. Of course I also ran Malware Bytes...

    I just dealt with a truly nasty version yesterday though that not only sets itself up as the handler for EXE files, but also closes the task manager immediately when you try to open it. In order to remove it I had to boot the machine using a Linux live CD, and then remove the offending files.

  56. So whats going to be done about it? by Stan92057 · · Score: 0

    So what's going to be done about it? I see a lot of "use ad block and such", but that's not going to put away the criminals who are stealing resources to spread their malware. If they get caught it should be high-profile news and the punishment very painful, as in length of prison time, not insert-blunt-object-in-rectum kinda pain, lol. Anyway, I always see a lot of talk but not any action against the criminals; this anti-virus scam has been going on for years. Don't ya think it's time to stop them?

    --
    Jack of all trades,master of none
    1. Re:So whats going to be done about it? by compro01 · · Score: 1

      You can bet your ass these people aren't operating out of the US and you're going to have to trace through layers upon layers of contracting and shell corporations to track down the people actually behind this crap.

      --
      upon the advice of my lawyer, i have no sig at this time
  57. ad servers really shot themselves in the foot here by Vorpix · · Score: 2, Interesting

    The biggest change this has for me is that it has moved installing ad-blocking software from just "something I do for my personal computers" to "something I do on any computer I touch, even professionally".

    It was the ad server's responsibility to regulate what they distribute. Instead, they have just become an avenue for zero-day attacks that can spread across the web in no time at all. Since they did NOT act responsibly in preventing this type of attack (really, is there NO review process at all on what they serve out to millions of people?), it falls on us, the users, to protect ourselves. When companies complain about lost revenue due to ad-blocking software, this is your justification.

    --
    frog blast the vent core
  58. Re:I'm a professional Malware removal guy. Literal by mzs · · Score: 1

    I second this. I see exactly this with PDF files routinely. I have simply uninstalled Acrobat (aka Adobe Reader) on all of the Windows machines at this point and use SumatraPDF instead. It is only a matter of time until they start using zero-day exploits.

  59. Re:CUSTOM HOSTS FILES ARE THE SUPERIOR ANSWER by Vancorps · · Score: 1, Informative

    Notepad can easily handle 30 MB text files or even 2 GB text files. When your list is that long it makes sense to go the server route, but in my experience you only need a couple of megs to block the majority of sites, and performance is not noticeably impacted then.

  60. Nice Solution by bizitch · · Score: 1

    Try Ghostery - the ad script killing plugin for Firefox - nukes everything - awesome

    --
    ---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
  61. Re:I'm a professional Malware removal guy. Literal by beavioso · · Score: 1

    I had to clean up a Vundo and Antivirus 2009 on a few of my relatives' computers. The best thing I've found is the Ultimate Boot CD for Windows (UBCD for Windows). You need a legitimate copy of a Windows OS disc and then it creates a boot CD of a clean, fresh, new OS with a whole host of tools.

    It's a great way to attack the virus from a fresh OS install running off a RAM disk.

  62. Re:I'm a professional Malware removal guy. Literal by E-Sabbath · · Score: 2, Informative

    Same experience, except: my sneaky trick is to install MBAM on the infected computer, then run the same version of it off a flash drive. Surprisingly, it works.

    Also, do you think using Foxit instead of Adobe might help? For that matter, setting PDFs to not auto-open?

  63. So what do I do to protect the family network? by techie42 · · Score: 1

    This new form of attack makes me sad, as I recently chewed out my kid for infecting two different computers at home. But last night I got hit by a side-panel ad that set off my AV alert. I have also seen some unusual firewall alerts, so there is still something there under the hood. The last time I got hit I accidentally clicked on a questionable ad while attempting to scroll down the page. But at least I knew that I had clicked. What to do about this? Do I run web browsing and email in Sandboxie? Do I set up VMplayer copies of Windows to browse and email? Are there other (better) solutions? Tea-Timer and the rest seem to drive my wife and teenage daughter nuts with prompts (and they are never sure what is okay anyway).

  64. Re:i'd rather have a malware infested web with ads by sourcerror · · Score: 1

    Google does fine with their text-ads, most ad-blockers leave it alone as well.

  65. Remind me by sjames · · Score: 3, Insightful

    Why is it somehow un-ethical to block ads again?

    Perhaps it's a good idea for big sites with a reputation to maintain to borrow just a bit from the old model where they sell ad space with an approval process directly to advertisers and serve the images from their own servers.

  66. Sue DoubleClick by Animats · · Score: 5, Interesting

    A big class action against DoubleClick, etc. would be appropriate. They "exceeded authorized access", as defined in the Computer Crime and Abuse Act. That they got the attack from someone else isn't an absolute defense. The ad network obtained "something of value" for the attack. If they sent out one attack after they'd been informed, they were doing so "knowingly".

    The ad network has the right to find and sue the source of the ad, but that's their problem, not the end user's problem. This is well-established law. In general, you can sue the party you dealt with, and they can sue the next party up the chain.

  67. Re:I'm a professional Malware removal guy. Literal by _KiTA_ · · Score: 2, Interesting

    No, just run Combofix. Then MBAM. It'll fix it. It's a rootkit, which is blocking MBAM and Webroot from seeing it.

    That's the most terrifying thing about these things -- they literally install as rootkits, without admin privileges, even on a fully up to date WinVista or Win7 box. UAC, Security Policies, etc do nothing.

    It's no wonder Google got hacked by China.

  68. Re:I'm a professional Malware removal guy. Literal by darkain · · Score: 1

    No need for an OS reinstall yet. Actually, it isn't too bad...

    I used a clean machine to export the registry keys for the EXE file association to a .REG file. Reboot the infected machine into safe mode, import the .REG file, and then use a program such as System Explorer or Security Task Manager to help clean up any bad processes.

    Next, locate the exact filename of the virus (av.exe as one example). Rename/remove the virus EXE file. Then create a DIRECTORY with the same name in the same path (so a directory named "av.exe"). While the virus creators have been finding craftier and craftier ways to get it to execute itself on systems, this is an absolutely stupid-simple way to prevent it from even being writable (until they change the filename or path for where it saves itself).

    Oh, and there is always PeerBlock with a daily updated list, which is great at blocking 3rd party malware servers entirely (this has worked much MUCH better at being up-to-date with Malware lists than any AV application as of recent) - http://www.peerblock.com/
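
Both #55 (re-associating EXEs) and #68 above depend on having a known-good copy of the EXE file association to import. As an added example that is not from either poster, the fragment below is what that export looks like for a stock 32-bit XP, Vista or 7 machine, covering HKEY_CLASSES_ROOT\.exe and HKEY_CLASSES_ROOT\exefile. It also deletes any per-user override under HKEY_CURRENT_USER\Software\Classes: those keys need no admin rights to write and take precedence over HKEY_CLASSES_ROOT, which is why a rogue running as a limited user can still hijack .exe. Compare it against an export from a clean machine before trusting it, then import it from a safe-mode command prompt with `reg import fix-exe.reg` (the file name is an assumption) rather than by double-clicking, in case the .reg association is hijacked too.

```reg
Windows Registry Editor Version 5.00

; Added example: restore the stock .exe / exefile association.
; Per-user overrides win over HKEY_CLASSES_ROOT, so remove them first.
; A leading "-" deletes the key; harmless if it does not exist.
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\exefile]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

; This is the value the rogue AVs rewrite to "rogue.exe ... %1" so that
; every program launch goes through them.
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
```

Importing this only fixes the association; the rogue binary is still on disk and still in its Run keys, so follow up with the rename-and-block-directory step or a scan from a boot CD as described in the posts above.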

  69. life safety !== internet by tivoKlr · · Score: 1

    Your brother is likely working somewhere where they don't want to provide internet access bureaucratically. FDs are notorious for micromanagement, and internet access is so easy and tasty a target when it comes to exerting control over your minions.

    As for the critical systems part, at least in our installation, there were no critical life safety systems running on our internal network, just our incident report database system, the personnel scheduling system, exchange and SMB. Last time I checked the rig rolled out the door regardless of the internet. Dispatching is handled over the airwaves, no internet required. In fact, I'd be hard pressed to trust any life safety item that REQUIRES the internet, seems like an oxymoron to me...just like the fact that the ultrasound machine (GE) I use at work runs XP, but then again, it's not life safety.

    Remember, it's all about control when you're in IT (or in management at a FD). You can either be a dick or a doormat, but the best people fall somewhere in between, albeit a modicum of paranoia helps one keep the generosity in check.

    --
    Ocean is land, covered with water.
  70. Are All These Comments From Windows Users? by Anonymous Coward · · Score: 0

    Are all these comments regarding being infected coming from Windows users? Or are some of these infections on Linux machines too, say for instance via Flash/Firefox? This is an honest question.

    I really would like to know, because from what I read, there is no easy way to tell if a Linux machine is infected, besides digging through network traffic, guessing that some processes might be a bad one, etc. There is no antivirus signature checking and REMOVAL software for Linux right?

    I always thought when reading about Linux security that it's great that it is so secure compared to other OSes, but when people post to message boards that they think that they are infected, the responders post back that there is no way to really know for sure and no way to remove Trojans from an infected Linux machine with any sense of certainty. Not to prop up Windows, but as I read it, with Windows antivirus software one can remove viruses from an infected machine with some realm of certainty that it is gone, without the need to reinstall the whole OS.

    Thanks, Please comment.

  71. OT: no such law exists by freeweed · · Score: 1

    In Alberta it's illegal to have a billboard on a highway. Based solely on the idea that it causes more accidents because billboards are distracting. This isn't a direct attack on the speed limit, a major factor, or alcohol, another major factor. Because attempting to control those other 2 factors would cause a huge upset.

    Every once in a while people post things that are 100% incorrect.

    Alberta highways are full of billboards. No such law exists. From advertising the local ski resorts (of which we have many), to "keep Ottawa out of Alberta" (ie: Alberta separatists), we have plenty of billboards.

    And those are only 2 examples out of the hundreds I saw last time I went on the road.

    There are rules to limit them, but they are most certainly not illegal. If they are, it's certainly a law that's not being enforced very well.

    There are guidelines, but no ban.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    1. Re:OT: no such law exists by Monkeedude1212 · · Score: 1

      The ones you see are on Native People's soil. I cannot buy land from the government and put up a billboard.

  72. Re:CUSTOM HOSTS FILES ARE THE SUPERIOR ANSWER by Schadrach · · Score: 1

    1 is only semi-false. Using a HOSTS file doesn't use significant CPU that you aren't already using, because your request is already going to hit your HOSTS file anyway. I suppose technically having a very large HOSTS file would consume more parsing it than a small one, but in comparison to alternatives, it's CPU-light at the least.

  73. Who modded this guy up? He's been shot down badly by Anonymous Coward · · Score: 0

    See subject. All he had in reply was modding down the initial poster as well. Poor showing on technical issues and yet he was modded up? Please. What has this place come to?

  74. Re:I'm a professional Malware removal guy. Literal by Anonymous Coward · · Score: 0

    How about not running any plug-ins at all?
    I got this nice checkbox "activate plugins" in Opera. It is always unchecked unless I need to see a video.

  75. Re:Who modded this guy up? He's been shot down bad by Anonymous Coward · · Score: 0

    I'm sorry, are you trying to claim somebody posted and moderated in the same discussion? Get the fuck out of here, you illiterate halfwit.

  76. Re:Time to blow you AWAY "geek wannabe" by geekboy642 · · Score: 2

    1) Tell me: Does performing a lookup into a one-million-entry list require more or less CPU than performing a lookup into an empty list? The page will be parsed no matter what you do.
    4) Dan Kaminsky's work is important. But the flaw he found is non-trivial to exploit, has never been discovered in the wild, and on a private DNS server is trivial to protect against. (Like, oh, say, using Source Port Randomization)
    6) Okay, my mistake. Let's try that, open notepad, open some 30MB file. Oh, look at that. It's locked up. Two minutes later, it's loaded the file. That's certainly easier than the three clicks required to block an entire adserver with AdBlock.
    7) What profanity? Is WebSense blocking me? Untwist your panties, grandpa. And again, Dan Kaminsky. One flaw renders the entirety of DNS unusable? I suppose you throw your car away when it runs out of gas, too.

    As for your PS, I don't care what you call it. A file containing a series of organized entries in a regular structure is a database. The fact that it's not SQL matters not in the slightest. The fact that it takes you an hour to process this "not a database" with only a million entries is shameful, and the shell script I provided you would likely perform the same task in under a minute. Why so defensive?

    --
    Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
  77. Re:I'm a professional Malware removal guy. Literal by Statecraftsman · · Score: 1

    SumatraPDF ftw.

  78. Re:I'm a professional Malware removal guy. Literal by shadowbearer · · Score: 1

    Yes, using Foxit does seem to help, but unfortunately it doesn't seem to be 100% compatible with all pdf files. Anyone know any more about that? SB

    --
    It's old. The more humans I meet, the more I like my cats. At least they are honest.
  79. Re:I'm a professional Malware removal guy. Literal by DMUTPeregrine · · Score: 1

    I, too, clean many malware infested machines. I've never had a problem with .exe handling being rewritten, because I do all my cleaning from a boot CD. Why you'd ever try to clean a machine from an infected install is beyond me. OS reinstall is pretty much never necessary, though it can be cheaper (when the time needed to backup data, install OS, install apps, & restore data is smaller than the time needed to clean the infection.)

    --
    Not a sentence!
  80. Re:I'm a professional Malware removal guy. Literal by kalirion · · Score: 1

    Combofix will also remove most of these, and usually with "Security Center" or "XP AV 2010" we give up and run Combofix immediately.

    I hadn't heard of combofix before, so I googled it.

    From combofix.net:

    Known issues
            * ComboFix is made to only run on 32-bit versions of Microsoft Windows 2000, Windows XP and Windows Vista.

            * Some antivirus software may detect ComboFix as malicious; for example it uses NirCmd, which is considered as a backdoor by many antivirus software.

            * ComboFix may disrupt internet connectivity. The majority of times only a simple fix is required.

            * ComboFix may attempt deletion of all files from the system drive on systems infected with a rootkit.

    That last one might give me pause....

  81. Re:Yeah, this does not square with Googles analysi by SpicyBrownMustard · · Score: 1

    Because the "bad stuff" didn't come from the domain you're testing.

  82. Re:I'm a professional Malware removal guy. Literal by Anonymous Coward · · Score: 0

    I've had users hit with these things several times over the last few months. Some of them do prevent you from doing ANYTHING to the running system. The one thing they can't stop though, is the 'hook the drive up as a secondary in another pc to clean it' method. I've even seen a couple of them installing stuff in the boot sectors.

  83. Re:I'm a professional Malware removal guy. Literal by _KiTA_ · · Score: 1

    That last one might give me pause....

    The guy who writes it has English as a second language. Basically it's asking for permission to delete rootkits it finds, and warning you that rootkit removal is an art, not a science, and some OS loss may occur.

    Besides, this is the real Combofix site, not that one:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  84. Re:Yeah, this does not square with Googles analysi by Tran · · Score: 1

    Right. but if you put in facebook.com, you see that they are an intermediary for an infection. Is what Google describes for facebook.com different than what you describe? And is it different what the summary claims ( yeah i did not rtfa this time either)?

  85. revenue stream cut off?? TOUGH SHIT! by Anonymous Coward · · Score: 0

    You don't know if you'd want to reduce their income??? So because a lot of people make money with advertising online, then we should all just ignore the fact that seemingly every major ad purveyor is also purveying malware with their ads? Sorry pal, but fuck advertising, fuck you, and fuck your concern for advertisers' revenue streams.

  86. Thanks! I was wondering what happened to me... by WoTG · · Score: 1

    For the first time in years (i.e. since I was a teenager pirating computer games from 3.5 inch floppy disks), I got malware on my PC last week. PC Total Defender 2010, I think it called itself.

    I couldn't figure out how I got caught. I have the standard firewall and antivirus installed, plus SpyBot's TeaTimer tool. And I tend to browse safe sites, anything questionable is done in a virtual machine.

    Anyway, it turns out that my Adobe Reader was somewhat out of date, and I had half a dozen versions of JVM installed. I suspected one of these was at fault.

    Crazy. How am I supposed to blame my users now?

  87. Now, to COMPLETELY blow you away... apk by Anonymous Coward · · Score: 0

    "6) Okay, my mistake. Let's try that, open notepad, open some 30MB file. Oh, look at that. It's locked up. Two minutes later, it's loaded the file. That's certainly easier than the three clicks required to block an entire adserver with AdBlock." - by geekboy642 (799087) on Tuesday March 23, @04:15PM (#31588660)

    You did make a mistake, pretty big one too... & hosts reads? They occur @ the IP stack level, FAR FASTER in RPL0/Ring 0 driver code than it takes place in user mode. E.G.-> Ever create a program in GUI, & then redo it in tty/console mode/DOS prompt/character mode code?? You get a 10-fold increase in speed usually (less message passing & other overheads)... now, think it "slows down more" when you step down to a higher privilege level like drivers & the kernel run in??? Guess again.

    ----

    "1) Tell me: Does performing a lookup into a one-million-entry list require more or less CPU than performing a lookup into an empty list? The page will be parsed no matter what you do." - by geekboy642 (799087) on Tuesday March 23, @04:15PM (#31588660)

    You're doing ADDITIONAL PARSING using browser addons, for each page. That doesn't occur using a HOSTS file (it merely filters out the ability to load data from various sites, albeit, @ the IP Stack level).

    ----

    "4) Dan Kaminsky's work is important. But the flaw he found is non-trivial to exploit, has never been discovered in the wild, and on a private DNS server is trivial to protect against. (Like, oh, say, using Source Port Randomization)" - by geekboy642 (799087) on Tuesday March 23, @04:15PM (#31588660)

    He still illustrates flaws, & THEY ARE EASILY EXPLOITED too - how so? Ok - say I know you are about to query your DNS, & that you are querying a site (a particular one, say GOOGLE) - IF the DNS server doesn't KNOW the answer, it begins calling out to other DNS servers, & guess what?? If I flood your DNS server with incorrect responses, BEFORE others legit DNS servers can get a legit answer?? Guess what - I have just misdirected you to a (probably) BOGUS site (to exploit your system). Get it??

    D.K. has successfully done this, literally, in SECONDS FLAT no less... it is NOT that tough to do actually, & because of how DNS servers work (especially those set into recursive mode).

    ----

    "7) What profanity? Is WebSense blocking me? Untwist your panties, grandpa. And again, Dan Kaminsky. One flaw renders the entirety of DNS unusable? I suppose you throw your car away when it runs out of gas, too." - by geekboy642 (799087) on Tuesday March 23, @04:15PM (#31588660)

    Listen "LITTLE BOY" - it's not that it's unusable: It's just quite easily exploitable by its OWN NATURE is all & design... get it?? On the "grandpa" thing, too??? Hey - the day you have done all this (which I did whilst you were in diapers in this life no doubt)???

    "My Name is Ozymandias: King of Kings - Look upon my works, ye mighty, & DESPAIR..."

    ----

    Windows NT Magazine (now Windows IT Pro) April 1997 "BACK OFFICE PERFORMANCE" issue, page 61

    (&, for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program increasing its performance by up to 40% via my work) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row 2000-2002, in its HARDEST CATEGORY: SQLServer Performance Enhancement).

    WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)

    PC-WELT FEB 1998 - page 84, again, my work is featured there

    WINDOWS MAGAZINE, WINTER 1998 - page 92, insert section, MUST HAVE WARES, my work is again, there

    PC-WELT FEB 1999 - page 83, again, my work is featured there

    CHIP Magazine 7/99 - page 100, my work is there

    1. Re:Now, to COMPLETELY blow you away... apk by geekboy642 · · Score: 1

      Go lookup "database" in any mainstream dictionary. No, wait. I'll do it for you. Here's what Princeton's wordnet thinks a database is:

      Noun

      S: (n) database (an organized body of related information)

      Note a lack of references to indexes, attributes, varchars, or any other SQL-specific artifact.
      Here's what my deadtree edition Webster's unabridged dictionary thinks a database is:

      data base, data bank, a large collection of data in a computer, organized so it can be expanded, updated, and retrieved rapidly for various uses: also written database, databank.

      Again note a lack of 'attributes', and a few moments of careful thought will prove that a structured text file matches the definition of database precisely. You, sir, are the one inventing your own definitions.

      By the way: When YOU can write such a program, YOURSELF MIND YOU (& make it do ALL THAT I NOTE ABOVE) & not just "use others' tools" as I suspect you are only capable of, & faster than mine? Well, then?? Then, you can talk... otherwise, you're a windbag b.s. artist, period. A talker/wannabe...

      Let's consider specifications:
      * Remove trailing blanks
      * Translate 127.0.0.1, 0.0.0.0, and 0 entries to a specific value (for argument's sake, say '0').
      * Remove duplicate entries
      * Sort alphabetically

      If this is correct, then I can write, and have written, a piece of shellscript that accomplishes all these tasks which runs in under a minute. What possible reason could there be to re-implement the wheel in this case? Surely if you are as established a programmer as that collection of unverifiable citations and forum posts would be intended to support, then you understand the value of relying on code re-use. And it takes no thought at all to consider a <1min script as vastly superior to the >1hr (but entirely hand-written and optimized!) code. I could give you my credentials as a programmer, but you wouldn't believe them, and my past employers certainly wouldn't be willing to divulge sensitive information to a wild-eyed forum troll. So I'm sure you understand why I'd rather just let you think whatever you like about my abilities and education, rather than open up another line of pointless flamewar.

      But that's gone rather far afield. The argument, which you seem to've forgotten, is that a HOSTS database is an unsupported and poorly-chosen kludge that a simple AdBlocking extension makes a far superior replacement for, and that if DNS security is your concern, that a local DNS server can be run with heightened security and rendered nigh impervious to Dan Kaminsky's attack. Your religious mania, your ersatz multiple degrees, your claimed work history, they are no more than argumentum ad verecundiam, and mean nothing. Please stay on topic, flamewars are so much more fun that way.

      Oh, and:

      I met a traveller from an antique land
      Who said: Two vast and trunkless legs of stone
      Stand in the desert. Near them, on the sand,
      Half sunk, a shattered visage lies, whose frown
      And wrinkled lip, and sneer of cold command
      Tell that its sculptor well those passions read
      Which yet survive, stamped on these lifeless things,
      The hand that mocked them and the heart that fed.
      And on the pedestal these words appear:
      "My name is Ozymandias, king of kings:
      Look on my works, ye Mighty, and despair!"
      Nothing beside remains. Round the decay
      Of that colossal wreck, boundless and bare
      The lone and level sands stretch far away

      You would do well to avoid aggrandizing yourself with that particular reference. Unless you mean to imply you are a washed-up and useless wreck.

      --
      Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
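
The specification geekboy642 lays out above (strip trailing blanks, map 127.0.0.1 / 0.0.0.0 / 0 to one address, drop duplicates, sort) is the whole of the HOSTS-list normalizer argued over in #59, #72, #76 and this sub-thread. The script below is an added example, neither geekboy642's shell script nor APK's Delphi program: a POSIX sh, awk and sort implementation of that spec, with a constructed sample input so it runs stand-alone. The choice of 0.0.0.0 as the sink address is the editor's; connections to it fail immediately, whereas 127.0.0.1 makes the browser connect to whatever happens to listen on the local machine.

```shell
#!/bin/sh
# Added example (not from the thread): normalize a blocklist-style HOSTS file.
# Spec from the thread: strip trailing blanks, map 127.0.0.1 / 0.0.0.0 / 0 to a
# single address, drop duplicates, sort. Assumes POSIX sh, awk, sort.
# 0.0.0.0 is used as the sink: connections to it fail at once, whereas
# 127.0.0.1 makes the browser talk to whatever listens locally.

normalize_hosts() {
    # $1 = input HOSTS file; normalized "0.0.0.0 hostname" lines on stdout.
    # Entries pointing anywhere other than a sink address are dropped.
    LC_ALL=C awk '
        { sub(/#.*/, "") }                # strip comments
        { sub(/[ \t]+$/, "") }            # strip trailing blanks
        NF < 2 { next }                   # need an address and a hostname
        $1 == "127.0.0.1" || $1 == "0.0.0.0" || $1 == "0" {
            for (i = 2; i <= NF; i++) {   # one hostname per output line
                h = tolower($i)           # hostnames are case-insensitive
                if (h == "localhost") continue   # never sink localhost
                print "0.0.0.0 " h
            }
        }
    ' "$1" | LC_ALL=C sort -u             # byte-order sort, drop duplicates
}

make_sample_hosts() {
    # Constructed sample input, written to the path given in $1
    printf '%s\n' \
        '127.0.0.1 localhost' \
        '127.0.0.1 ads.example.net   ' \
        '0.0.0.0 ads.example.net' \
        '0 Tracker.Example.org  # trailing comment' \
        '0.0.0.0 adserver.example.com' \
        '# whole-line comment' \
        '192.0.2.1 notablock.example' \
        > "$1"
}

sample=$(mktemp)
make_sample_hosts "$sample"
normalize_hosts "$sample"
rm -f "$sample"
```

LC_ALL=C makes sort compare bytes, so the output is identical on every machine instead of depending on the locale's collation rules, which matters when you diff two runs. The awk pass is a single sweep and sort -u is O(n log n), so a million-line list finishes in seconds. Because non-sink entries are discarded, keep any real name mappings in a separate file and concatenate it with the normalized list when you write %SystemRoot%\System32\drivers\etc\hosts.
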
  88. GO FUCK YOURSELF DOUCHEBAG by Anonymous Coward · · Score: 0

    See the subject line.

    1. Re:GO FUCK YOURSELF DOUCHEBAG by Anonymous Coward · · Score: 0

      Aww, so cute. You're having an argument with yourself. Can I join in, you knob-gobbling empty-headed meringue pie?

    2. Re:GO FUCK YOURSELF DOUCHEBAG by Anonymous Coward · · Score: 0

      You appear to be arguing with yourself, since both posts are anonymous coward.

    3. Re:GO FUCK YOURSELF DOUCHEBAG by Anonymous Coward · · Score: 0

      Good show, self. That'll make them think we're not the same person having another episode. Wait, shut up! No episode!

  89. Re:I'm a professional Malware removal guy. Literal by Anonymous Coward · · Score: 0

    ....or simply set Firefox to "Save AS" any PDF file, and view off-line, if you really want to see what's in it.

  90. You're a script kiddie, & "never will be" wann by Anonymous Coward · · Score: 0

    "You would do well to avoid aggrandizing yourself with that particular reference. Unless you mean to imply you are a washed-up and useless wreck." - by geekboy642 (799087) on Wednesday March 24, @03:14PM (#31601942)

    Sure, sure, & you're a NOBODY/NOTHING who has never accomplished squat... or is your lack of the same types of things I did while you were in diapers not indicative of that? Typical b.s. from a never will be are replies like that... it's fairly obvious.

    ----

    "If this is correct, then I can write, and have written, a piece of shellscript that accomplishes all these tasks which runs in under a minute" - by geekboy642 (799087) on Wednesday March 24, @03:14PM (#31601942)

    Oh, no no senor: WRITE IT YOURSELF, in a programming language like C, C++, Delphi, VB, etc. (not having a shell script engine do the work for you by calling prewritten commands)...

    Know what they call people like you? SCRIPT KIDDIES, lol!

    YOU ARE NOTHING BUT A "SCRIPT KIDDIE", PERIOD... & your inability to create such engines ON YOUR OWN from scratch only evidences this for me.

    ----

    "Go lookup "database" in any mainstream dictionary. No, wait. I'll do it for you. Here's what Princeton's wordnet thinks a database is:" - by geekboy642 (799087) on Wednesday March 24, @03:14PM (#31601942)

    Is Webster's dictionary, or any other, a database programmer? No. Their "definitions" are VERY "loose".

    APK

  91. Re:CUSTOM HOSTS FILES ARE THE SUPERIOR ANSWER by Anonymous Coward · · Score: 0

    We are watching you, AlecStaar.

  92. Re:You're a script kiddie, & "never will be" w by geekboy642 · · Score: 1

    Oh, now you're being boring. Nothing but banal insults? So jejune. Farewell, grandpa.

    --
    Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
  93. Awwww, "Poor lil' 'Script Kiddie'" ran... lol! by Anonymous Coward · · Score: 0

    See subject-line, & realize you're nothing but that, & a wannabe/never-will-be... lol! You shot your mouth off, but the fact remains you have NEVER done anything noted well by others in publication in this art & science... & YOU KNOW IT (now, so do we all reading).

    "Oh, now you're being boring. Nothing but banal insults? So jejune. Farewell, grandpa." - by geekboy642 (799087) on Wednesday March 24, @03:54PM (#31602554)

    Sure, sure... uhm, didn't you start with the 'grandpa' stuff, & first, "script kiddie" (lmao): Sure you did... what's the matter BOY? You can dish it out, but you can't take it...?? Apparently so.

    APK

    P.S.=> Want to know WHY I wrote it, & by hand in Delphi (an actual REAL programming language, not script kiddie usage of already built commands & engines)?

    Because not everyone has *NIX level string processing commands @ hand, for one thing!

    (E.G.-> Windows for the longest time really didn't @ the DOS command prompt level, @ least NOT AS GOOD (sure, you've got batches with FOR % tools & NOWADAYS @ least) OR recently, PowerShell - but you have to have SOME KIND of skills in those areas to use them both!)

    I.E.-> Batch commands & how to use them in looping OR VB type skills @ least!

    AND, not everyone has Access for instance (which iirc, lacks a VARCHAR field, which would cut off trailing blanks if I did, say, a SELECT DISTINCT command to trim out duplicates of an imported HOSTS file - & then, I'd have to run a script in Access via its VBScript built in to pull off that TRIM)...

    Since that is the case for most folks? I wrote it up, myself, so if they need a tool like it, they can have one that works is all!

    I can rip thru processing removal of duplicated entries in less than a second over a million records from an imported HOSTS file in Access, OR any other SQL compliant DB engine really, & because of its JET ENGINE/RUSHMORE QUERY ENGINE & indexing... but again, not everyone has those tools! apk

  94. Re:I'm a professional Malware removal guy. Literal by _KiTA_ · · Score: 1

    Why use Adobe Reader in the first place? There are alternatives out there which are less embarrassingly insecure. You should be telling your customers to switch from Adobe Reader, if possible.

    Oh, there certainly are alternatives.

    But my average user is not "technically savvy". To the point that getting them to type in the URL of our website, then find the icon for our service, is very difficult.

    It doesn't help that the company I pinch hit for (the stupidity of which inspired the Dilbert comic) has decided to give our service any of 4 different names depending on which website, state, etc you are in, and decided to hide our icon literally off the screen.

    No, literally, you have to scroll down and to the right to find it.

    My typical call entails taking 10-20 minutes to get a customer to type in a simple URL (domain.com/servicename), explaining that the My Web Search bar is not the address bar, explaining that again, explaining that you can't put a space in our URL, explaining that I wanted them to spell out the word minus instead of typing in -, etc etc.

    Oh, and a VERY large number of these people are running IE6. Or are running machines with 128/256 megs of RAM and can't run anything else. Or have tried installing IE8 (it thinks it can run on 64 megs of RAM and will auto-install) on a WinXP machine with 128 megs of RAM and are upset the machine is slow...

    Er, sorry, lost myself for a second. I guess what I'm saying is that these people can't even SPELL "PDF", let alone uninstall Reader and install a different program. And since my metrics -- i.e., the thing keeping me from being fired -- are based on getting customers off the phone as fast as possible...

    (Oh, and our parent phone company does NOT want us giving tech advice or suggesting alternatives to programs like Reader, cause "they're not in the toolkit"...)

  95. The funniest part of all this is his mod up +4 by Anonymous Coward · · Score: 0

    Now after he outright ran, geekboy has to have everyone look at his frontpage highly rated post being blown to smithereens here http://tech.slashdot.org/comments.pl?sid=1592276&cid=31585690 and here http://tech.slashdot.org/comments.pl?sid=1592276&cid=31599184 by an AC no less as well as others here who caught him in mistakes also here http://tech.slashdot.org/comments.pl?sid=1592276&cid=31585518 and here http://tech.slashdot.org/comments.pl?sid=1592276&cid=31587184. Like I said the funniest part of all this is his mod up +4 because it only makes me think that geekboy tried to be clever and use an alternate account he has mod points on to mod his post up with, because his technical mistakes and clear lack of technical prowess demonstrates anything but a posting that deserved an upward mod.

  96. Priceless in reply to your first reply Mr. ac by Anonymous Coward · · Score: 0

  97. Re:I'm a professional Malware removal guy. Literal by LeonPierre · · Score: 1

    I'd like to know which company you work for...

    --
    "If it ain't broke, it doesn't have enough features yet"

  98. Disk caches make up for it (or DNS cache) by Anonymous Coward · · Score: 0

    Bit of clarification for you, my man (& thanks for bolstering my points too):

    "1 is only semi-false. Using a HOSTS file doesn't use significant CPU that you aren't already using because your request is already going to hit your HOSTS file anyways. I suppose technically having a very large HOSTS file would consume more parsing it than a small one, but in comparison to alternatives, it's CPU light at the least." - by Schadrach (1042952) on Tuesday March 23, @02:24PM (#31587184)

    A relatively "smallish" HOSTS file resides in the native DNS client-side caching service on Windows (so it is constantly in memory, inside of what C/C++ folks call a "structure" (either standalone, or part of an object), or what PASCAL "fiends" like myself call a record (or again, object), since PASCAL RECORD = C/C++ STRUCTURE).

    Also - this avoids being "disk-bound slow"... now, if you use a relatively "LARGISH" hosts file? You have to disable your DNS client-side cache service - or, it "breaks down" & you lag, rather horribly (I have pointed this out to Microsoft on their blogs (S. Sinofsky's, head of Windows development iirc) & Foredecker (a senior mgt. figure @ MS too, who posts here no less))... so, what makes up for that? See subject-line... answer = YOUR DISK CACHE!

    HOSTS files, after all, are JUST ANOTHER FILE... & what caches repeatedly used files? Caches do!

    ("&, there ya are")

    APK

    P.S.=> Loads & POSSIBLY reloads (if you stop your connection, OR, change entries in your HOSTS file) of a HOSTS file eat FAR LESS CPU than ADBLOCK'S constant parsing of each web browser page you load in Firefox (the ONLY browser family that ADBLOCK COVERS, mind you, not all others as HOSTS files do, as well as email programs & really ANY WEB-BOUND PROGRAM YOU HAVE)... period!

    The "right idea" here though? Layered security - use BOTH methods of protection! I expound on that in this security guide for Windows 2000/XP/Server 2003/Windows VISTA/Windows 7/Windows Server 2008, here -> http://www.tcmagazine.com/forums/index.php?s=705f48ab441c8cafce3f0657e1309b87&showtopic=2662 & it works! Nearly 300,000 views strong, with testimonials like these as its results:

    Proofs to its efficacy?

    Ok, some quoted testimonials:

    ----

    http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2

    "I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral

    AND

    "APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral

    AND

    http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3

    "It's 2009 - still trouble free! I was told last week by a co-worker who does Active Directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in Windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, it's been to a LAN party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it wor

  99. Anyone with mult. accounts or mult. IP's can do it by Anonymous Coward · · Score: 0

    See subject-line, and realize 1 thing: Anyone here can "mod themselves up", @ any time, by doing what's in my subject-line in fact...

    "I'm sorry, are you trying to claim somebody posted and moderated in the same discussion? Get the fuck out of here, you illiterate halfwit." - by Anonymous Coward on Tuesday March 23, @04:02PM (#31588520)

    My my, such profanity: geekboy, this is doubtless you, because I know that reg'd users can elect to post as AC here, for 1 thing. Now, onto my subject-line's statement... What's in my subject's a PART of why I refuse to "join the 'in crowd'" almighty elitist "registered user" crowd here really (I don't want anyone accusing ME of that much).

    I also don't like how 'trackable for trolling' a reg'd user is here either.

    Of course, I also really don't have the desire for "karma points" b.s. either, that's like welfare man! Freebies for nada, instead of merit, and I don't like how some of the low-digit long-timers here often think they're like "GODS" or something, lol... it's hilarious @ times.

    I am really just here to learn & grow, more than anything (@ least hopefully - there are some "smart cookies" here, & that's NOT sarcasm (especially in the programmer's or network engineering and sciences topics is why, & these are areas I take interest in).

    APK

    P.S.=> Me? I'd rather be part of the "MIB" around here because of the above reasons... & this quote suits that much:

    "From now on you'll have no identifying marks of any kind. You'll not stand out in any way. Your entire image is crafted to leave no lasting memory with anyone you encounter. You're a rumor, recognizable only as deja vu and dismissed just as quickly. You don't exist; you were never even born. Anonymity is your name. Silence your native tongue. You're no longer part of the System. You're above the System. Over it. Beyond it. We're "them." We're "they." We are the Men in Black..."

    I like the "You're above the System. Over it. Beyond it." part, because I know how to beat the "10 posts per 24 hour" limit on AC's, & I'd suppose that "qualifies" me on that in quotes remark, lol... apk