Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

How can web sites avoid malicious banner advertisements?

March 24th 2008

Boyd Anderson posted this comment tonight: “What can Classmates do about xponlinescanner.com/2008/1/freescan.php?aid=77011807?” This was my response: @BoydAnderson, What can classmates.com do? First, source reliable instructions and advice on how to get rid of xponlinescanner from any reputable anti-spyware advisory forum, and get that information out to their clients. Second, conduct more comprehensive checks into the […]

I received an email from classmates.com today… and it contains some misinformation

March 24th 2008

The email said (my comments are in bold): “Thank you for contacting Classmates. I can understand your frustration and will do my best to address your concerns. Thank you for letting us know that your experience on Classmates.com was interrupted. We always want to know if someone abuses the trust you have in Classmates so […]

The bad guys have been busy… lots of malvertisement reports…

March 24th 2008

The site referrer report for this blog has revealed reports of malicious banner advertisements appearing on not only classmates.com, but also the StarTribune National News site, cincinnati.com, news.enquirer.com, NYPost and cincymoms.com (and who knows how many more). I’m seeing a common theme in many recent outbreaks – far too often victim web sites are managing […]

Alert: Adobe Shockwave used in a malicious redirect

March 24th 2008

Cite: http://www.theregister.co.uk/2008/03/18/ebay_scripting_malfeasance/ Interesting – this is the first time that I have heard about Shockwave being used to redirect victims to a malicious site.

More problems for United Information, aka classmates.com

March 23rd 2008

Kimberley has all the information – she has found some malicious advertisements hosted by United Information that have been around for a very long time: Cite: http://www.bluetack.co.uk/forums/index.php?s=bd3898f29d64c0cfe467d034f2cd6129&showtopic=18064&st=0&p=86509&#entry86509 The creatives nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/MWS_Getfreecar_LBLINT_2_8671/gfc_728x90.swf and nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/MWS_GetFreeCar_LBLINT_6_8671/getfreecar728x90_REVISED_07052006.swf are different in format to those I wrote about yesterday. The SWFs are protected (although that is easy enough to remove), they are encrypted, […]

And another one…. classmates.com has a problem….

March 23rd 2008

Edited on 21 August 2008 to replace deleted graphic… surprisingly, the SWF is still accessible via the original URL, even after all this time. This time the URL is: http://nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/CM_GeminiIntera_FPWS_5_10179/160×600.swf Same malicious SWF: iexplorer-security.org/?id=624400105 Same redirect, same end result… Something occurs to me – let’s look closely at the URL – it refers […]

Another malicious SWF at www.classmates.com

March 23rd 2008

Here it is – another myjewelrybox.com malicious creative, visually identical to the one previously discovered at lyricsmania.com and reported on here: Malicious advertisement at lyricsmania.com. URL of the malicious SWF at classmates.com: http://nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/CM_GeminiIntera_LB_1_10179/728×90.swf An analysis of the SWF reveals the URL iexplorer-security.org/?id=624400105. The campaign ID is identical to the ID for the other malicious SWF discovered on classmates.com, being: http://nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/CM_GeminiIntera_FPR_4_10179/300×250.swf? The […]

Malicious advertisement detected at www.classmates.com

March 22nd 2008

Thanks to Susan Bradley for the heads up that there is a problem at www.classmates.com. The malicious creative can be seen at this URL: http://nztv.prod.untd.com/RealMedia/ads/Creatives/ISP/CM_GeminiIntera_FPR_4_10179/300×250.swf?clickTAG=http://cyclops.prod.untd.com/RealMedia/ads/click_lx.ads/www.classmates.com/School_List/L18/968920812/TopLeft/ISP/CM_GeminiIntera_FPR_4_10179/300x250_GeminiInter_Mar08.html.html/4f7148557555666c32626f41444a314d?http%3A//www.myjewelrybox.com/%3Fids%3D46ps Here is a screenshot of the malicious advertisement: An analysis of the SWF reveals a URL pointing to a known malware domain: iexplorer-security.org/?id=624400105 The iexplorer-security.org URL is […]

I have two words for Apple – “*** you”

March 22nd 2008

If users on my network have QuickTime installed (which, unfortunately, is required by some law courts that use QuickTime for recording official proceedings) then I CANNOT let them update QuickTime at their own behest. Why? Because Apple insists on trying to shove iTunes down our throats every time we try to update QuickTime, and I […]

Success – Malicious advertising campaigns shut down…

March 21st 2008

The following malicious SWFs were removed from circulation approximately 7 1/2 hours ago:

medias.voyages-sncf.com/0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf
realmedia.pap.fr/0/VSC/yourmusic-bmgdirect-mar08-ban/yourmusic_468x60.swf
stream.expedia.fr/0/VSC/yourmusic-bmgdirect-mar08-ban//yourmusic_468x60.swf

This is excellent news. Both Expedia.fr and pap.fr have *massive* readerships. Potentially millions of people have been placed out of the reach of those behind the malvertisements, if only for a while.