Malware Installed by LiveJournal Ad

Jamesday writes "LiveJournal recently introduced an ad-supported level. Over the last few days an advertiser used an ad to install the ErrorSafe malware that tried to trick people into believing they had a fault on the computer that needs them to purchase a fix. The ad used a server-side setting and targetted only those outside the US, to prevent LiveJournal's own checks from noticing it. LiveJournal has apologized for the ad and slow response." Even our readers have had to endure more than one browser-crashing ad campaign from time to time. Thanks for sticking around.

Breaking News

This just in: Capitalism and Morals do not necessarily go hand in hand.

Re:Breaking News

http://en.wikipedia.org/wiki/Communism [wikipedia.org] Particularly: "communism as a political goal generally is a conjectured form of future social organization which has never been implemented" IOW, don't confuse the states that purport to be communist with communism. The USSR, China, Cuba, et al are not communist states. They are totalitarian dictatorships claiming to be communist (or that we have dubbed communist regardless of what they claimed to be). A pure communism is moral and not capitalist since there is no self-interest (selfishness) nor any need for it. There's no need to rip anyone off or take advantage of anyone. There is no need for contracts that bind the consumer to the advantage of the vendor. The truth is that communism is probably not achievable by humans, who would want to clean toilets even if you did have the same lifestyle as the head of state. Life on Star Trek starships is communist. Until matter replicators that will freely feed anyone that wants to eat are broadly available on earth communism is impossible but it is moral in ways that capitalism isn't.

Re:Breaking News

People are instinctually selfish, and it will never change.

Exactly, and that's not necessarily a bad thing. It is precisely because of self interest that others are willing to offer us their goods and services. One of my favorite quotes puts it much better than I can:

"It is not from the benevolence of the butcher, the brewer, or the baker that we expect our dinner, but from their regard to their own interest." -- Adam Smith

Re:Breaking News

Because stealing other people's property, censorship, and outright murder is moral.

Don't confuse communism the theory with the dictatorships the claim to be communist. Communism as a theory disclaims most if not all personal property rights, but it has nothing to do with Murder and Censorship, any more than Capitalism has to do with monitoring bank records and tapping phone calls.

Which doesn't mean I'm pro-communism. The problem with communism is motivation, without the acquisition of something as a goal, what motivation do people have? Who assigns people tasks? Who says the community is best served by Jon running the cash register and Joe cleaning septic tanks? Its a system that sounds great in theory but works like crap in practice

At the same time, there's nothing terribly moral about capitalism either. In an ideal capialist society, The sick, old and infirm are left to die. The people in a capitalistic society may be moral and charitable, setting up orphanages to help stranded children, feeding and housing grandma even when she ran out of savings, but thats not Capitalism.

There are very few examples.

Here is one. But because it is based upon Christ's teachings, it would be more of a Theocracy with "communism" as it's economic model.
http://www.hutterites.org/ [hutterites.org]

As for being "moral", as long as they do follow their religious code, they are "moral" by definition.

Now, whether the code they follow would be considered "moral" by someone following a different code, well, that's because "morality" is subjective, not objective.

Re:Breaking News - spin

"This just in: Capitalism and Morals do not necessarily go hand in hand."

Caveat Emptor

Doesn't matter if its politics, economics, religion, software, hardware, or even information.

The fact that there are people running businesses with questionable ethics in no way reflects on the morality of the underlying economic philosophy. History easily shows that people who have questionable morals have no difficulty working within the structure of any social philosophy which gains any significant following whether it be economic, religious, or governmental in nature.

So when someone comes around selling their alternative economic philosophy based on the idea that the current system inherently lacks morality, caveat emptor.

burnin

Are there any humans around?

Newspapers clear ads before printing. Radio stations clear ads before airing them, and so do tv stations. Why should websites be any different?

Re:Are there any humans around?

TFA had to do with LiveJournal, not MySpace...

Xserv

Re:Are there any humans around?

What part of "The ad used a server-side setting and targetted only those outside the US, to prevent LiveJournal's own checks from noticing it. LiveJournal has apologized for the ad and slow response." did you not read?

Re:Are there any humans around?

Because those ads are not necessarily static or even served up by the publication's servers. If the ad consists of a "add_link_to_offsite_advertiser_server_here", anything that was "cleared" could change without notice. It's rather hard to dynamically change printed copy ;)

Re:Are there any humans around?

Heh, sometimes they do - but you'd be amazed at what goes on in the online advertising world.
One advertising company I used to work for once had a request to configure an ad campaign to run each advert for 30seconds then switch the advert the user was viewing to a different one.

Only later did we discover it was to bypass a websites manual safety check, where they check each advert complies with their rules by watching it for 20 seconds.

Re:Are there any humans around?

They did. The ad contains code that skips the malware install if it's running in the US, as for example when it's being screened.

A better question is why displaying an ad can install software on your computer. The LiveJournal posts say it was a Flash ad, so until we get real information it's logical to guess that it exploits one of the vulnerabilities in the Shockwave player.

This isn't too surprising

I use an ad-supported LJ account, and the mentioned advertisement was made in flash. I had to deal with it a couple of days ago. Hoo-ray for security holes. Can't we just sue the ad company for unauthorized usage of our computer's resources?

Re:This isn't too surprising

I don't see any part in the TOS or User-Agreement that states "By viewing this site you agree to have shit you don't want installed on your system by our supporting advertisers."

Re:This isn't too surprising

The tricky thing about authorization is, by definition [google.com], it requires conscience thought. So one can not authorize something "unaware" of it.

Re:This isn't too surprising

Yup, yanno why? I'm constantly adminning my home network. CONSTANTLY. pretty hard to set folder permissions and shares and stuff like that when you're not running as admin.

Sucks to use Windows, doesn't it, not being able to use "su -" and control everything from a command window while logged in as a limited-permissions user?

Also, Livejournal, before these ads, was a pretty safe and secure site. Now they put in advertising, some of it flash based, and suddenly I'm nailed by one of their ads and malware hits my system.

Sucks to use IE, doesn't it? Firefox and Flashblocker would have protected you.

Re:This isn't too surprising

Firefox and Flashblocker [mozilla.org] would have protected you.

ads

Slashdot has ads? :)

Obligatory

I, for one, do not welcome our new malware-installing overlords!

Google

Earlier today I searched on Google Groups and when clicking on a link in the result list I got an ad-page that crashed Seamonkey.

It seems to be commonplace these days...

I know publishers hate ad-blockers...

... but they and the advertisers are the ones driving people to them.

No seriously, is it any wonder people turn to ad-blockers? Try reading an informative bit of text when there's a Flash advertisement of box jumping around and flashing like a student at Mardi Gras. I don't care if you are trying to tell me I'm your millionth visitor. You misspelled congratulations! The box makes me wish I had no peripheral vision! FOAD.

Now I know publishers want to make a buck (I have a few websites [sans-advertising] myself), but if the advertisers are going to use annoying/underhand methods, people will take steps to protect themselves. A lot of these companies would do well to look at the sort of program Google offers: inoffensive, targeted, text ads.

In short: make your advertising better -- advertisers AND publishers -- or lose that which you supposedly value. Eyeballs.

Google AdWords = good

You know, Google ads are the only ads I look at any more. (Hell, I run them on my own site!) They are short, not ugly (because Google cares [google.com] about the viewer's experience), and quite often very pertinent to the content. I have to try really hard not to puke when I log in to something like Yahoo! Mail! and I see flashing banner ads for "Get your Credit Rating" or "Cheap Mortgages" or "Warning: Your system is broadcasting an IP address! Ph33rz0r teh RFC!". They are the most useless ads ever. The only reason I think they might survive is if the ad networks charge per impression, not per click--because almost nobody would click on them!

Just one ad?

I once played this web based role playing game a while ago. It was just a so-so game, but one exceptional thing I did notice was that while playing from a Mac I would get randomly named .exe files downloaded to my desktop. Turns out that ads on this game site were just full of malware. Visiting from a Windows computer, I was getting prompted to install crap. So I went to report it on their forums and find out what was being done about it. They didn't care! The site maintainers claimed there was nothing they could do about it. It was their ad provider's fault. All they could say was "you should be running malware protections.." Needless to say, I was outraged by this irresponsibility. I told them off and never visited their god forsaken site again.

How can you NOT take responsibility for malware spread through your own site? I understand that people contract out ads, but geez, come on. No need to draw from the bottom of the barrel.

-matthew

Re:Just one ad?

Nice story, but if you'd like it to be remotely useful for Slashdotters, could you please tell us the NAME of the game so we can avoid it?

simple fix

My simple fix for the security problems associated with Flash is to not install flash. Let's face it, 99.9% of flash is just obnoxious ads anyway. Who needs it.

It's for this reason that any webmaster who insists on using 100% flash to view their site deserves a swift kick to the nutsack.

Re:simple fix

My simple fix for the security problems associated with Flash is to not install flash. Let's face it, 99.9% of flash is just obnoxious ads anyway. Who needs it.

It's for this reason that any webmaster who insists on using 100% flash to view their site deserves a swift kick to the nutsack.

Google Videos, for one, are all Flash.

Use Firefox and install Flashblock, then you'll have the benefits of both worlds.

Re:simple fix

My simple fix for the security problems associated with Flash is to not install flash. Let's face it, 99.9% of flash is just obnoxious ads anyway

Even better, just disconnect your computer from the internet. Who needs internet? Let's face it, 99.9% of internet is just obnoxious anyway.

Haw!

I gave up on you guys years ago. I'm just here to mock.

Adverts?

Do people still get them? I thought everyone had adblock [mozdev.org] installed.

Re:Adverts?

Heh. On my screen your message is directly below this one.

Re:Haw! (Score:1)
by heinousjay (683506) Alter Relationship on 18:36 24th June, 2006 (#15596823)
I'm only here for the blowjobs. I bet our experiences are similarly disatisfying.

Adverts? (Score:3, Insightful)
by Karellen (104380) Alter Relationship on 17:17 24th June, 2006 (#15596520)
Do people still get them? I thought everyone had adblock [mozdev.org] installed.

Which became even funnier when I saw who the post was from.

Identify the Advertiser

Even our readers have had to endure more than one browser-crashing ad campaign from time to time.

The way to discourage this kind of nonsense is to make sure that the advertisers are identified and given a large public black eye. Probably that's not appropriate if the ad just uncovered a bug in the Flash player, but I think it certainly is in the case where an ad installs spyware.

Did the advertiser know this was going to be done? Quite possibly not, but they are still the ones responsible for the ad: they want the good consequences (more sales), so they have to take the bad ones as well. If their bottom line is hurt, they'll start paying more attention to what their ad agencies and other agents are doing. (This is just an application of Murphy's Golden Rule: the guy who has the gold makes the rules.)

weak effort

While it was good of them to pull the ad from the rotation immediately, they failed in several other ways:

(1) they failed to post a notice or provide links for the removal of the malware. At best in the blog there are references that such removal instructions exist, peppered with a warning that some of them are actually malware themselves. They should have made the fix EASY and FOOLPROOF to obtain after getting their readers infected. It's been how long since they got their subscribers infected and they have done nothing more than to stop more of them from getting infected. They helped to break the computers, they should play an active roll in fixing them.

(2) the impression I got from their posts in their blog was that "oops sorry not our fault, not our advertiser's fault, it's one of the ad companies that subscribed to our advertiser". This is a cop-out. When you provide a service like they do, your advertisement is a bundle that comes with your service, and as such you are responsible for its content. I don't care if it's a 3rd party. You take on the responsibility for the content you deliver, regardless of how you get it. You can have legal arrangements with your content providers that provide YOU with a legal remedy, but the grief passes through you. You get sued, and then you sue the ones upsteam that caused you to get sued. You do not "pass the buck" and point a finger up the chain three levels and say not my problem good luck getting anything out of them, because the consumer has no legal recourse against those people. You as the content provider do have a legal recourse against your advertiser, and they have recourse against their affiliate who caused the problem in the first place. This pass the buck mentality is cheap and lazy, and they should be ashamed for trying to pull it.

FlashBlock

That is why I use FlashBlock [mozilla.org]. Actually, I use Linux first, so that helps, but when I am on Windows, FlashBlock, in addition to Firefox, helps.

I tried to read the apology

But I kept getting problems with my computer while reading the ad filled apology page.

Apparently, I needed to download some software because my computer was out of date. Thank goodness I visited LiveJournal today, which told me to update with their new UrP0wnd.exe update.

similar attack possible by PointRoll [semi-ot]

These jokers [pointroll.com] tried for hours to convince me to install a fairly innocent looking HTML file on my server.

What it does is circumvent the Javascript protection between an iframe and the page it lives on. It gives full access to your site DOM from inside the iframe. The reason is so that their content can "expand out" of the iframe and cover part of the page content.

They claim they don't read your cookies, but that's as far as their "guarantee" goes. Someone malicious on their side could easily read those cookies or access form data, etc.

So my point is - this problem is only going to get worse as advertisers look for more and more obnoxious ways to stick ads in your face.

Finally, the sales lady realized that the site I work for doesn't run ads that expand out of an iframe and admitted that they have an alternative which doesn't require the awful Javascript hack. So it worked out for me in the end. The scary thing was she listed some huge high-profile sites that *did* install their file.

You can read their justification here [pointroll.com].

Instead of refusing to use Flash...

You might want to try using the FlashBlock [mozilla.org] extension for Firefox.

On Slashdot?

"Even our readers have had to endure more than one browser-crashing ad campaign from time to time. Thanks for sticking around."

Oh? What happened?

Web advertising considered harmful

and this is a great example of why and how at work. As if you needed another reason to get your ISP to run a web proxy running adzapper [sf.net] or switch to one that does.

Cyberterrorists

Companies like this make the Internet a frightening, dangerous place. They literally attempted to crack into people's computers without their consent.

Why don't we sue them into the ground as pursuing cyberterrorism as a business model?

Yawn . . .

OS X [apple.com] and Firefox [getfirefox.com] with AdBlock [mozilla.org] and NoScript [mozilla.org] included for good measure == no worries here.

Still think Windows is [cheaper|easier|better|stronger|faster]?

The solution to this?

Simple. Websites need to stop being lazy and host ads on their own servers. Yes, there would beed to be a way for the advertisers to track hits, but there should be a way to do that while keeping the potentially dangerous content off the advertisers site.

Squarely Microsoft's fault

Just thought I should point that out, since no one else here seems aware of this fact.

For fuck's sake, when are all the individuals and companies who have had to spend countless hours and dollars dealing with Microsoft's shoddy security architecture going to demand their pound of flesh?

Microsoft is directly responsible for the existence of Spyware, Malware, and Adware.

It's not like they couldn't have foreseen this and dealt with it years ago. No doubt they've always had smart geeks on staff who would happily patch these holes in all versions of Windows, but these bright minds have been forever hobbled by working for Microsoft, which is primarily a marketing firm.

Considering that most of us use their OS's to do our work, and every hour of our time is worth something, and we've spent so much of it on preventable headaches, frankly Microsoft owes us thousands of dollars apiece.

Before you go off on your philanthropic vacation Mister Gates, pay up!

dupeware

According to the Symantec article on this:

Transmission

This security risk is manually downloaded and installed.

Still more reason to block ads.

No ad blocker!

This right after they declare that it is against the user agreement to use any type of ad blocking software on your computer. Not when viewing the site, but on your computer.

Do they consider antivirus as an ad blocker now?

Six Apart

Well I hope this guy is prosecuted for every computer user he tricked into his scheme, I use typepad after tangling with my Live Journal account to much, I hated having to handcode everything. I bet this company will only shine in the future with all its loyal members livejournal will soon become the next MySpace, I just wonder what Billionair will buy them out when they get that many millions of users.

Re:Duh

You make sound like someone has been killed..

Re:Duh

Unfortunately, LiveJournal is one of the better ones out there. I've had an account there for three years now, and when I joined, LiveJournal still had the "by invite only" policy. They dropped that policy sometime afterward, then recently implemented the Sponsored+ account option. Although it does mean putting up with ads when reading straight from other people's weblogs, I still have the option not to have them on my own, which means I don't have to put up with them when reading other people's entries from my friends page. Even when I do read from others' pages, the ads aren't generally all that bad, especially compared to the eye-sores that many sites have.

Re:Ho ho!

Tempted to smile along with you, but... those are likely your family and friends that you're smiling at.

Analogy time: It kind of seems like laughing when a bunch of people who don't know how to cook get food poisoning.