Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Malicious banner advertisement at National Geographic??

November 22nd 2007 in Uncategorized

Uh oh…

Somebody using the pseudonym MWT has posted a comment warning that he was hit by a banner advertisement redirect when browing a National Geographic article.

Note that he was using Opera at the time (his name is a link to a screenshot of the redirect).

I also have screenshots of such malware redirects affecting Firefox, and Firefox on a MAC, and that is a worry because these advertising campaigns rely as much on social engineering as they do exploits, and its only a small step to change from redirecting to a fake security software site to redirecting to a site that has been compromised by MPACK or equivalent – and remember, MPACK targets exploits that affect IE, Firefox *AND* Opera.

This is absolutely essential that such advertisements are shut down as soon as they are discovered.  I’m off to the National Geographic site now to try and capture evidence of the redirect.

If any of my gentle readers want to help out, you’ll see a link to Fiddlercap, and a link to a Macromedia page that will flush out cached Flash data, in the News pane to left of screen.  If you manage to capture a redirect affecting National Geographic, please contact me using the Contact link at top of screen.

More later if I find anything.


2 comments to...
“Malicious banner advertisement at National Geographic??”

F. Engelmann

I came across the same this morning, with a redirect to scanner.malwarealarm.com served by blessedads.com.

Most interesting is the degree to which the redirect crippled Safari 3.0.4, on OS 10.4.11. The original page shrunk to the top left and could not be resized either by dragging or the widgets, additionally most menu items were disabled and command-Q didn’t work, requiring a force quit.

The page containing the ad triggering the redirect was

After that it was the usual scareware, with plenty of tricks to download an exe. I’ll try Fiddlercap and send additional data if successful.


@F Engelmann

Damn.  I spent several hours last night trying to catch the redirect without luck.

It would be great if you could grab a copy of Fiddlercap and record the redirect for me; Fiddlercap is very safe from a privacy point of view – unlike products like Wireshark or Microsoft network monitor it only captured IE traffic.

Note that you may need to delete all cookies and temporary internet files, and also use the link to left of screen to delete all cached Flash objects as well before the redirect will happen again.


An old trick, but always effective – this was in my inbox this morning.
Remember, your users WILL get complacent and they WILL click on this stuff.

Hello friend!You have just received a postcard from someone who cares about you!
This is a part of the message:”Hy there! It has been a long time since I haven’t heared […]

Previous Entry

This one is interesting to my alter-ego…
Consider the following scenario. In a Microsoft Exchange Server organization, the Exchange Server server has no size restrictions for e-mail attachments and no quota settings on mailboxes. Additionally, size restrictions are set on the firewall.
In this scenario, you may receive non-delivery reports (NDR) when you send e-mail attachments […]

Next Entry