Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Worms Internet Explorer Security The Internet

Worm Exploit Distributed by Advertising Network 478

Zocalo writes "Given that a lot of Slashdot readers also check The Register, it's important to note that their Internet advertising provider, Falk AG, was compromised by the BOFRA exploit yesterday. The Falk AG service has been suspended by The Register and a statement from Falk AG is due on Monday. The upshot is that if you visited the Register yesterday morning and use IE as your browser, then you probably need to run a full virus scan with up to date data files. Of course, those of us running other browsers and something like AdBlock have nothing to worry about. Again." You're OK for now if you're running SP2. There's also a good security writeup about the problem.
This discussion has been archived. No new comments can be posted.

Worm Exploit Distributed by Advertising Network

Comments Filter:
  • Wow (Score:5, Insightful)

    by metlin ( 258108 ) * on Sunday November 21, 2004 @07:25PM (#10883893) Journal
    This is a really big problem. Okay, so its Register and they realized this and stopped it. But we visit so many other websites - how are we to know which one of those ad providers are infected and which are not?

    Sheesh, where is accountability? Blame the sysadmins, blame the software, pity the customer. Lather, rinse repeat.
    • Re:Wow (Score:2, Interesting)

      by rishistar ( 662278 )
      Hopefully the Register, being an excellent IT news service, will provide an answer to that question.
    • Re:Wow (Score:5, Insightful)

      by skids ( 119237 ) on Sunday November 21, 2004 @07:38PM (#10883973) Homepage
      "Blame the sysadmins, blame the software, pity the customer."

      You left someone out: web developers as a whole, who have insisted on more and more complicated HTML extensions instead of just working with the rather powerful stuff they had at their disposal in the first place. These are the folks that make the "core functionality set" of any competitive browser so large that the software to support it is incredibly complex. That guarantees us a steady flow of bugs and exploits.

    • Re:Wow (Score:5, Informative)

      by KonijnenBunny ( 761868 ) on Sunday November 21, 2004 @07:45PM (#10884035)

      Dutch news-site (with a fairly large, non-techie audience) nu.nl [nu.nl] was affected as well, a large warning was put up Saturday.
      The warning [startpagina.nl] (sorry, dutch only) mentioned that until Sunday afternoon, they received 1300 requests for help from possibly-affected visitors.

      As far as accountability goes, it was nice to see the publisher, Ilse Media, put up a clear FAQ and even a special-purpose contact-form to accomodate for their not-web-savvy users.
      They also mentioned further statements from Falk AG were forthcoming Monday 22nd.

      Using an alternative browser [mozilla.org], with AdBlock [texturizer.net] installed, I wasn't affected myself...

    • Re:Wow (Score:2, Insightful)

      by Xerp ( 768138 )
      Indeed.I pity the home user who has no idea. Mom, pop, uncle, grandma and ever lil sis.

      Sure, corporate users can have their IT guy stick in a Linux web-proxy server to help protect the useless Microsoft Windows system from yet another attack. They can rack it next to the Linux box used to filter the spam, the Linux box used to strip all the Microsoft Windows viruses out of e-mail and file shares, and the Linux based firewalls protecting the whole army of Microsoft Windows flawed desktops.

      It is likely that
    • Re:Wow (Score:5, Informative)

      by Bob Ince ( 79199 ) <and@doxdes[ ]om ['k.c' in gap]> on Sunday November 21, 2004 @09:02PM (#10884415) Homepage
      > how are we to know which one of those ad providers are infected and which are not?

      As a rule of thumb: they all are.

      Seriously. Most of the major ad networks have distributed ActiveX drive-by-downloads and *many* have distributed exploits. Almost everyone in the online ad market has dirty hands.

      Falk are known to have served exploits for some time, but I guess this is the first time they've hit the Reg.

      The exploits are going absolutely crazy right now - they're *everywhere*. See also this incident:

      http://www.dslreports.com/forum/remark,11904374~mo de=flat

      It used to be that IE users could just avoid browsing untrusted sites to stay safe. Not any more. Anyone browsing with IE pre-SP2 and no extra precautions is going to get hit sooner or later, and most likely it'll be with enough chain-loading parasites to render the machine barely usable.

      (SP2 of course is not safe either, having publically known exploits; but they don't seem to be targeted by the large exploit nets... yet.)
    • Sorry but ... (Score:5, Insightful)

      by Evil Pete ( 73279 ) on Sunday November 21, 2004 @09:08PM (#10884448) Homepage

      ... who in the IT industry is dumb enough to surf using IE? Not being nasty but really we of all people should know better. Others yeah I can sympathise but Register readers ?

    • Re:Wow (Score:4, Informative)

      by BlackHawk-666 ( 560896 ) on Monday November 22, 2004 @04:49AM (#10886462)
      Try adding a nice big hosts file to block all the ad servers. You get far less pop-ups/banners/sidebars, save bandwidth, and get less flashing shit on your screen. Here's a link [accs-net.com] to one with 10000 entries, but there are others out there too.
  • Hosts File (Score:5, Informative)

    by pollock ( 453937 ) on Sunday November 21, 2004 @07:28PM (#10883913) Homepage
    Yet another reason why it makes sense to use a hosts file with lines like:
    127.0.0.1 as1.falkag.de
    127.0.0.1 as2.falkag.de
    127.0.0.1 as3.falkag.de
    127.0.0.1 as4.falkag.de
    ....
    Check out http://someonewhocares.org/hosts [someonewhocares.org] for more.
    • by squidinkcalligraphy ( 558677 ) on Sunday November 21, 2004 @07:32PM (#10883936)
      But why would you want to run an advertising network on your computer?
      • by TheLink ( 130905 ) on Sunday November 21, 2004 @09:45PM (#10884617) Journal
        Erm. Did that for April 1st this year where I worked.

        I set things up so that *.doubleclick.net etc resolved to a webserver in the company, and the webserver served up "localized content".

        So tons of ads were replaced by the company logo :).

        Surprising how few noticed! No I didn't get fired.

        Maybe I should have served up announcements instead of just the company logo. e.g. "The Company Is Your Friend". "Staff Meeting at 2PM". "You There! Stop Surfing!". "Exploit e-Business Initiatives". "Da Boss is In The Building!" ;).

        Anyway this would save bandwidth and be possibly useful - you could also extend it and customize content on a per user/IP basis.
    • Re:Hosts File (Score:4, Informative)

      by jon787 ( 512497 ) on Sunday November 21, 2004 @07:38PM (#10883976) Homepage Journal
      pffft

      One more reason to run your own DNS server:
      zone "falkag.net" { type master; file "/etc/bind/db.empty"; };
    • Re:Hosts File (Score:5, Informative)

      by Izago909 ( 637084 ) * <tauisgod@g m a i l . com> on Sunday November 21, 2004 @07:49PM (#10884055)
      127.0.0.1 is NOT the right address to use. Some scripts will delay loading or displaying a page until certian data has been downloaded. If your computer is waiting for itself to respond to itself, some pages will never be displayed... even after the browser times out. You should use 0.0.0.0 instead.
    • Re:Hosts File (Score:2, Informative)

      by Azh Nazg ( 826118 )
      sed s/127.0.0.1/0.0.0.0/g

      Use that, so that instead of it routing to localhost (and thereby taking a bit longer), it routes to /dev/null *wink* *wink*
    • Re:Hosts File (Score:2, Interesting)

      by HazE_nMe ( 793041 )
      I have found a nifty IPTABLES Bash Script generator that you can use any plaintext blocklist with. Check it out here: http://www.bluetack.co.uk/converter/index.php You can use the blocklist manager from their site and build a blocklist using multiple sources and generate a bash script to import the deny rules to IPTABLES. And of course for the Windows users there is Protowall (Buggy) which is a driver level packet filtering firewall which you can enter a custom blocklist into also.
  • Text-Ads (Score:5, Insightful)

    by fembots ( 753724 ) on Sunday November 21, 2004 @07:28PM (#10883914) Homepage
    Maybe site owners will start moving or demanding text-based ads (like Google's)?
    • Re:Text-Ads (Score:5, Interesting)

      by NoMercy ( 105420 ) on Sunday November 21, 2004 @07:40PM (#10883995)
      Strange comment now google now does picture adverts, admitidly there not very common to spot but they are out there, quite a few google image adverts pop up on a forum I frequent.
    • Re:Text-Ads (Score:3, Insightful)

      by oexeo ( 816786 )
      > Maybe site owners will start moving or demanding text-based ads (like Google's)?

      This won't make a big difference if Google (for instance) was compromised, a virus could replace the innocent text-ads (which are dynamically inserted client side via JavaScript in Google's case) with whatever malicious code it may desire.
  • Fortunately.. (Score:3, Interesting)

    by The Mgt ( 221650 ) on Sunday November 21, 2004 @07:28PM (#10883916)
    .. falkag.net are the second entry in my ad filter, right after doubleclick
  • by mirko ( 198274 ) on Sunday November 21, 2004 @07:30PM (#10883927) Journal
    how many ie users have switched to sp2 ,yet ?
    • I would assume a lot of users have switched over to SP2 since it's a "crictal update" on windows update. However, most of the people I know running XP (yes, it's a biased sample...) use FireFox. I've tried at work to force FireFox as the default browser for reason exactly like this.
  • Interesting. (Score:5, Insightful)

    by xanadu-xtroot.com ( 450073 ) <(moc.tibroni) (ta) (udanax)> on Sunday November 21, 2004 @07:31PM (#10883932) Homepage Journal
    You're OK for now if you're running SP2.

    Ummm... My Win machine is running SP4. Oh, you mean XP SP2. Not on my machines, man... The highest I'll go on my personal machines is 2k.

    Aside, you left out another browser of very worthy note. [konqueror.org] Oh, well, make that two. [apple.com]
  • No one is safe... (Score:5, Interesting)

    by jarich ( 733129 ) on Sunday November 21, 2004 @07:31PM (#10883933) Homepage Journal
    I once stumbled across a spyware installation program (about a year ago) that was launched by a site counter! Some poor person had put the counter into their web site because they wanted a free counter. Everyone who visited got spyware installed... everyone using IE with default security settings, that is.

    Sad thing was the company was based in the Netherlands so it wasn't even worth pursuing legally... but if you are on the net, you aren't safe. MS products are more insecure, but you should always take steps to protect yourself, like keep the OS and applications up to date, etc etc

    • by arminw ( 717974 ) on Sunday November 21, 2004 @07:42PM (#10884007)
      ... but if you are on the net, you aren't safe...

      Unless you are a Mac user that is. Every time there is anything in the news or /. about another piece of malware, there is always the refrain: "Does not affect Mac users". Unless you are running some proprietary vertical app, why still suffer Windows? What computing JOB can be done in Windows that can't be done as well or better by a Mac or Linux?
      • by Izago909 ( 637084 ) * <tauisgod@g m a i l . com> on Sunday November 21, 2004 @07:54PM (#10884087)
        What computing JOB can be done in Windows that can't be done as well or better by a Mac or Linux?
        I've got a couple ideas: Professioal gamer or spyware/virus tester.
        • > I've got a couple ideas: Professioal gamer or spyware/virus tester.

          Man, I know you'r kidding, but I've already been paid to play games (for a quality assurance department). The idea was to test and benchmark the latest hardware, and that included playing games on it, and no, it couldn't be done without Windows.
        • our embedded development tools require windows

          -sob-
      • Re:No one is safe... (Score:5, Interesting)

        by linguae ( 763922 ) on Sunday November 21, 2004 @08:18PM (#10884223)

        I would love to switch every Windows user that I know to Linux, *BSD, or (if they're in the market for a new computer) Mac OS X. However, there are a few reasons why many people are still using Windows, and will stick with it for about another two years or so:

        1. I don't want to learn (insert new OS here)
        2. But I need (insert some proprietary app here)
        3. But would (this exotic piece of hardware) work on (this new OS)
        4. What's an OS? Why's security important? (insert typical questions asked by computer illiterates)

        Even so, things are getting brighter for these alternate OSes every day. The graphical environments for *nix are getting easier to use with every new release of KDE and GNOME. In fact, if I switched my parents and siblings to *nix tomorrow, they might feel comfortable (provided that I set everything up, that is). Many Windows users are now starting to see the benefits of Open Source software (through OSS projects such as Mozilla Firefox and OpenOffice), and they will feel more comfortable once they make the switch. Hardware support for *nix is getting improved by the day, and more manufacturers are starting to take a look at *nix compatibility. On the Mac side of things, more people are getting exposed to Apple products (through the iPod) and are learning about the virtues of having a Mac.

        Finally, security is starting to become much more important to comptuer users, even the Joe Average type, these days. It used to be that the Internet was a reasonably nice place to go to to find information and to communicate. Now, it is infested with commerical advertising, popups, insecure "portals" to the Internet (*cough Internet Exploiter* cough), and malware. Stuff that we never would have guessed that would happen about a decade (or even five years) ago, such as phishing and worms activated by just browsing a web page, are happening now. More people are becoming aware about the dangers of viruses, worms, spyware, adware, and the other crap that happens on the Windows platform daily. More people are starting to learn about alternate browsers such as Firefox and Opera. Some people are now finally setting up firewalls and anti-malware applications so that way they would be safer from the dangers of the Internet. Some are even planning the switch to a Mac, *nix, or another alternative.

        I believe with the current landscape of computing, the Windows hegemony will last another two to three years. I feel with all of the improvements that *nix and OS X are making each and every day, the computing environment will be pretty interesting in the years to come....

  • I don't get it... (Score:2, Insightful)

    by sH4RD ( 749216 )
    What's with all this "Microsoft should patch this", "Microsoft should patch that". I am NOT a pro Microsoft person, but they made SP2 for a reason. If SP2 fixes it, why in the hell should they go back and patch an older version? If you don't like SP2 that's your problem, but if you want to actually get the latest updates, use it. Don't complain if sticking with SP1 (or no SP) is going to stop you from getting any security fixes.
    • Re: (Score:2, Insightful)

      Comment removed based on user account deletion
      • Then complain about that, not about not getting updates. That's just a side effect of someone not using SP2. Microsoft's not going to listen to you if you complain about something they claim is "fixable" with an upgrade to SP2. So tell them SP2 doesn't work instead.
    • What's with all this "Microsoft should patch this", "Microsoft should patch that". I am NOT a pro Microsoft person, but they made SP2 for a reason. If SP2 fixes it, why in the hell should they go back and patch an older version? If you don't like SP2 that's your problem, but if you want to actually get the latest updates, use it. Don't complain if sticking with SP1 (or no SP) is going to stop you from getting any security fixes.

      There's an OS besides XP, sweetie. As long as people like Dell sell machines
    • I agree with you. If I had some mod points, I'd mod you up. MS shouldn't have to give security patches to every single version of Windows that it currently supports; same goes for other software (you wouldn't expect the Mozilla Foundation to release bug fixes for Firefox 0.9.3, even though Firefox 1.0 is the latest version). Unfortunately, there are still lots of Windows machines out there still running Windows 95, 98, NT, ME, and 2000. Some of these people can't afford Windows XP, never mind the fact t

      • ...Mozilla need not support firefox 0.9.3 for two very good reasons. First, it is a pre-release piece of software (or preview if you prefer), second the cost of "entry" to obtain Firefox 1.0 is merely a 4-7 MB download.

        If Microsoft say they will support older operating systems (i.e. Windows 2000) then they need to support it 100% (not 90%, for the extra 10% upgrade to XP that they are now). Lots of people paid good money for Windows 2000 and were led to expect full support, including security updates, f
  • by clinko ( 232501 ) on Sunday November 21, 2004 @07:39PM (#10883984) Journal
    So if your XP machine is up to date you're ok?

    That's kool, because all I do is download new browsers for security and never run windows update. That would make too much sense...

  • by Antony-Kyre ( 807195 ) on Sunday November 21, 2004 @07:42PM (#10884010)
    If you may have visited The Register between 6am and 12.30pm GMT on Saturday, Nov 20 using any Windows platform bar XP SP2 we strongly advise you to check your machine with up to date anti-virus software, to install SP2 if you are running Windows XP, and to strongly consider running an alternative browser, at least until Microsoft deals with the issue. [theregister.co.uk]

    I just wanted to make this comment. One of the SP2 versions trashed my computer so bad when I ran it. And I'm still suffering from the effects. Such effects include freezing on websites for minutes at a time. Installing it also took my computer like 10 minutes to boot if I remember correctly.

    If you can get an anti-virus program, do it. It's better than nothing.

    I hate third party ads. www.tvtome.com serves one malicious ad, unless they took care of it already. If I remember correctly, the "ad" kept asking me to do something, in which I had to end up killing the IE6 process to stop it. But I run an ad blocking program most of the time. I really hope websites switch to text ads, like Google does.
  • by Valen0 ( 325388 ) <michael@elvensMONETtar.tv minus painter> on Sunday November 21, 2004 @07:51PM (#10884067)
    This worm gives new meaning to the term "viral marketing"...
  • by Dynamoo ( 527749 ) on Sunday November 21, 2004 @07:55PM (#10884090) Homepage
    It's not the first time this has happened either, see this article [dynamoo.com] relating to an incident that happened back in September with Falk AG.
  • RSS Readers too (Score:5, Informative)

    by simetra ( 155655 ) on Sunday November 21, 2004 @07:55PM (#10884095) Homepage Journal
    Also... if you use an RSS reader on Windows, chances are good that it uses Internet Exploder for it's web previewing. So, take that into account too.

  • by prandal ( 87280 ) on Sunday November 21, 2004 @08:13PM (#10884196)
    The ISC has more details here [sans.org] and here [sans.org].
  • This really helps add credibility to the claim that blocking ads can help aid security, giving ad blocking credibility outside of the "I don't want to look at irritating banners" department.

    How long until anti-virus software has built-in pop-up and ad blocking? It's past due.
  • I consider this to be a troll in a way but I'd like to see what others think about it just the same:

    What if this advertiser wasn't actually exploited? What if this was all just plausible deniability and really an intentional way of getting more spyware and crap out there? We have no way of measuring the ethical standards of these essentially unknown parties but we do know there are people out there willing to make a buck while invading the computer systems of private individuals.

    "Oh, we're sorry... we w
  • by MattInFinland ( 833287 ) on Sunday November 21, 2004 @08:37PM (#10884306) Homepage
    The write up for the attack is incorrect. The correct sequence of events is at http://www.finlandforum.org/bb/viewtopic.php?t=768 5. I know because I noticed it at The Register first and contacted Falk AG. Thanks for the aknowledgement too Slashdot, NOT.
  • by Deorus ( 811828 ) on Sunday November 21, 2004 @08:40PM (#10884319)
    Last time I read about the Microsoft's buffer overflow protection implementation in Windows PX Service Pack 2, they were talking about the NX bit present in page entries when the PAE mode was active in AMD x86-64 processors. Even though that protection exists in the new AMD x86-64 processors' MMUs, Intel P4 as well as older AMD processors do not yet support that bit, which means that processes running over them do not get any page-based protection against code execution, even while running SP2.

    However I see many people trusting their lives on SP2's protection even without processor support, and I don't see Microsoft willing to clarify this issue either, so I'm starting to believe that probably there is something else that I am not aware of in SP2 which simulates the same kind of protection on processors without hardware support.

    Is SP2 really protecting against stack smashing (for example) on processors without hardware support for non-executable pages? Or is it just general ignorance that Microsoft exploits for their own profit?
    • Yes, aside from the AMD64 NX bit, they've added some overflow detection. According to this article [unixwiz.net] they do it by placing a cookie after the end of buffers and then checking this cookie for changes. They call it 'software-enforced DEP(Data Execution Prevention)' and more information can be found at http://support.microsoft.com/kb/875352 [microsoft.com] and codeguru [codeguru.com] has the best description I've found. If you have XP with SP2 you can go to Control Panel, System, Advanced, Performance Settings button and choose the Data Exe
    • by btg ( 99991 ) on Monday November 22, 2004 @03:08AM (#10886165)
      This particular problem is a heap overrun, not a stack overflow. XPSP2 introduced major changes to the way heap memory is laid out.

      The improvements included safe unlinking, randomising the base address of the PEB (makes it harder to overwrite the UEF for example), and a heap version of a stack canary called a security cookie.

      There are also improvements to the stack security by using a stack canary a la StackGuard compiled in by default for all MS apps.

      Basically SP2 does contain a bunch of actual, measurable improvements to the way writeable memory is dealt with. It's not bulletproof but it will screw most 'stock' exploits.

      By the way, something that nobody will tell you about BOFRA is that there _is_ a workaround - you can disable active scripting. The exploit uses javascript to allocate masses of heap memory to 'seed' the heap ready for the exploit. This is NOT a fix for all possible ways to attack this bug, just a fix for this particular attack.
  • by t_allardyce ( 48447 ) on Sunday November 21, 2004 @09:06PM (#10884438) Journal
    The upshot is that if you visited the Register yesterday morning and use IE as your browser.

    A few years ago I would have laughed at anyone who said something like that and just ignored it as paranoia by someone who didnt really know much about computers and security or who had been watching too many hacker films. Of course you can't get a virus from visiting a web page thats just stupid, who would allow such insane breaches of security? But Microsoft saw a market: they realised that since most people believed you could get a virus that way, why not match their products with peoples expectations? Next slashdot poll should be who uses IE and why...
  • A few things. (Score:3, Informative)

    by flamechocobo ( 792168 ) on Sunday November 21, 2004 @09:09PM (#10884453)
    For one, to those people commenting about how some people say that they don't want to use SP2... It isn't their fault that they don't want to. When I installed SP2 on my computer, that was using a legal copy of Windows XP, my computer BSODed and the boot sector was screwed over. This was a mistake on the count of Microsoft that deleted a number of documents that I thought were in a stable, safe place. I now make a backup of all my data to an external hard drive every other day to make sure this doesn't happen. Another comment I would like to make is for the people that are saying that ads are the only sources of revenue that websites have and we should be forced to read them and not block them. Yes, I agree that some websites need ads for money to run the site, but some ads are downright obnoxious. There are, however, sites that live off of things such as Google text only ads. www.neowin.net is an example, where you see at the top of the page only a simple text ad, or once in a while a picture ad. They are a fairly large website, and yet they support themselves by only a text ad. Interesting, isn't it? People rave about how websites absolutely have to have tons of ads to live, and yet Neowin has been living for a good 5 years now on text ads...
  • Not surprisingly... (Score:3, Interesting)

    by thrill12 ( 711899 ) * on Monday November 22, 2004 @04:02AM (#10886302) Journal
    If you visit the Falk AG [falkag.co.uk] website, there is nothing on the exploit. The management clearly doesn't know what to do with the problem - otherwise they would have posted a full explanation by now. Ah well, I guess they need some time to wiggle themselves out of this one.

  • by tezza ( 539307 ) on Monday November 22, 2004 @04:26AM (#10886383)
    I don't know what is more amazing:

    The fact that this attack happened

    or,

    The Register editors sacrificed their sacrosanct weekends to post the warning story.

    Any regular reader would see that most of the stories abruptly stop at Beer O'Clock on Friday [4 p.m. roughly, depending on British Sunshine].

    Due to the regular lack of stories over the weekend, I think the number of readers exposed would have been much less. If it had happened about this time [Monday morning London time] a lot more people would've been exposed.

  • by tezza ( 539307 ) on Monday November 22, 2004 @04:47AM (#10886455)
    TheRegister attracts a different class of readers.

    The class I'm referring to is the Datacentre Class.

    All those hardworking infrastructure people who've managed not to be outsourced to the Cayman Islands.

    All those admins who surf to TheRegister from their Win2k3 Advanced Server terminals IN the datacentre via their KVM.

    Some SysAdmins don't, granted, but SOME do. When I was doing Unix work at Level3 [level3.com] and Colt [colt.net], we did it all the time. It's a per company, per employee based decision as to whether it occurs.

    These servers are much more likely to have gone unpatched due to availability/stability concerns.

    So here you have important computers left on all the time, with ph@t bandwidth exposed. Not just some home win98 pIII over a 56K link.

    A bit worrying.

news: gotcha

Working...