Banner Ad on Myspace Serves Adware to 1 Million 390
An anonymous reader writes "Washingtonpost.com's Security Fix blog reports that a banner ad running on MySpace.com and other Web sites used a Windows security flaw to push adware and spyware out to more than one million computer users this week. The attack leveraged the Windows Metafile (WMF) exploit to install programs in the PurityScan/ClickSpring family of adware, which bombards the user with pop-up ads and tracks their Web usage."
Excellent. (Score:5, Funny)
Re:Excellent. (Score:5, Funny)
umm.... (Score:3, Funny)
Re:Excellent. (Score:3, Funny)
Re:Excellent. (Score:5, Funny)
Hah! A real master nerd is never unprepared. I'll watch the whole run of Nuku-Nuku for inspiration and build myself a catgirl android lover, and we'll make dozens of cyborg kittens together.
Take that, natural selection!
Prosecute virus creating companies. (Score:5, Interesting)
Comment removed (Score:5, Insightful)
Re:Prosecute virus creating companies. (Score:5, Funny)
Re:Prosecute virus creating companies. (Score:5, Insightful)
Re:Prosecute virus creating companies. (Score:5, Insightful)
This works for the same reason that spam works - it's cheap to do, and only a few stupid people need to click on the ads for them to be making money again.
Re:Prosecute virus creating companies. (Score:3, Funny)
Re:Prosecute virus creating companies. (Score:5, Insightful)
Re:Prosecute virus creating companies. (Score:3, Interesting)
MySpace is owned by Rupert Murdoch's News Corporation.
Re:Prosecute virus creating companies. (Score:4, Funny)
Re:Prosecute virus creating companies. (Score:3, Insightful)
Re:Prosecute virus creating companies. (Score:2, Informative)
Virus/adware-spreading ads (Score:5, Informative)
Re:Virus/adware-spreading ads (Score:5, Insightful)
The problem is with the ad-serving companies that these websites use. Either they're less-than-trustworthy, and are directly responsible for the exploits being used, or they sub-contract out, and don't care enough to keep an eye on their "partners". Usually, notifying the webmaster of the offending site is enough to get them to have a "talk" with their advertisers to resolve the situation.
Of course, you probably already know this, but it bears repeating as it's something that can be missed by people not familar with the subject.
Please, won't someone think of the n00bs?
Excuses, excuses (Score:3, Insightful)
Funny, that's the same kind of excuse spammers use. "Oh, I'm not a spammer... I purchased this list of e-mail addresses in good faith, how was I to know they weren't all 100% verified opt in like the seller said?"
It's also the same excuse The Pirate Bay use.
Re:Excuses, excuses (Score:3, Informative)
Re:Virus/adware-spreading ads (Score:3, Insightful)
The problem is with the ad-serving companies that these websites use."
The Dilbert website serves ads from these companies, therefore the problem's resolution is ultimately the responsibility of the Dilbert website.
I don't blame the ad-servers just as I don't blame wild animals for mauling tourists. It's in their nature
Re:Virus/adware-spreading ads (Score:3, Funny)
Can I substantiate this? Yes. Will I substantiate it? No.
I don't care if anyone believes me. Just remember, you heard it here first.
Oh and pass the bong, dude. Thanks.
Re:Virus/adware-spreading ads (Score:3, Insightful)
I've never known them not to
What I get a kick out of is how they like to tell you they have no way to contact them and there's nowhere you can complain to.
Um... you're getting a CHECK from them every month, remember? (we know you're not allowing that crapware on your site for free!)
Re:Virus/adware-spreading ads (Score:5, Interesting)
Re:Prosecute virus creating companies. (Score:5, Insightful)
Speaking personally, I generally block ads that are misleading, flashy and/or distracting. I've lost count of the number of times an otherwise perfectly good webpage has been ruined (aesthetically) by an in your face ad.
Anything that attempts to look like a system dialogue, or to convince me that my PC is running slowly and needs to be fixed, etc, gets the entire advertiser's domain and sub-domains blocked. I hate that shit.
Re:Prosecute virus creating companies. (Score:5, Insightful)
I have to disagree with both of you. People block ads not because of risk, not because they take up too much bandwidth and processor power, but because they take up too much attention. People want to pay attention to the real content, not wade through fake distracting crap that wants to sell them something.
Prosecute the "sellers" too (Score:5, Interesting)
How about Myspace as well? It is easily argued that Myspace controls the banner space and content added to the 'global' site (ie every page). This is akin to aiding and abetting.
The sad thing is that a million PCs were infected, and probably 500,000 of them will -stay- infected. And will this even remotely hurt Myspace's market share/traffic? I seriously doubt it.
Re:Prosecute the "sellers" too (Score:4, Insightful)
Only if Myspace knew what was going on (which they almost certainly did not). Or do you think any business transaction with criminals is 'akin to aiding and abetting'? In which case, shouldn't you also prosecute
- banks, if one or more of their clients deposit money they got illegally?
- hotels, in whose rooms illegal transactions (prostitution, drug dealing, whatever) take place?
- computer manufacturers, whose customers use their computers to steal identities?
- camera manufacturers, whose products may be used to stalk people and invade their privacy?
- etc.
Ask yourself this, do you really want to go down that road? Do you really want companies to run extended background checks on you before they sell you anything to make sure you may not use it in some obscure way to harm others? Is such a police state really what you want? Or do you just not like Myspace (either because it is used by the same teenage girls who wouldn't date you in high school, or because it is owned by NewsCorp)?Prosecute MySpace (Score:4, Insightful)
You mean like the government wants our ISPs to track and monitor our web usage and keep copies of all our IM's, searches and emails? Or how about our libraries revealing what books we check out? Maybe AT&T could provide a log of all your phone calls. How about the banks reveal all your financial transactions?
Oops, I forgot - the Patriot Act, among other obscure laws, already allow this.
Innocent until proven guilty no longer applies in the land of the free - why should it apply to corporate America any different? Oh yea, I forgot, they own the politicians.
Why can't Microsoft patch the holes in it's software? Why can't MySpace screen it's advertisers? They aren't showing porn site ads, because they 'screened' the ads, correct? So, how come they are serving adware?
If it's ok for the government to be constantly running background checks (illegally I might add) on it's own citizens in a 'FREE' country, then MySpace should also be responsible for spreading viruses and spyware. Of course, they won't ever have to answer for it. News Corp may as well be owned by the GOP...
Re:Prosecute MySpace (Score:3, Insightful)
No, not really...
I'm scared to ask, but how does your conspiracy theory reason why the government would want ISPs to monitor all that information, when the government itself really wouldn't ha
Re:Prosecute MySpace (Score:3, Informative)
Actually, most libraries go out of their way to destroy your checkout history. One common library checkout systems only keeps track of the person who has that particular copy at that moment. The only way to look up the book is by its inventory number. Searching by patron name returns no result. Once the book is checked in the record is modified saying that the library has it. The result is that there is no history of who had what books or w
is myspace responsible for their site or not? (Score:5, Insightful)
Only if Myspace knew what was going on (which they almost certainly did not).
I'll make this very simple for you: Is myspace responsible for the content they put on their site, or not?
When you are a website the size of myspace, failing to vett your advertising borders on gross negligence and incompetence.
Furthermore, if you study how 'responsibility' plays out in the business world, particularly with lawsuits- the first party on the food chain is responsible. If that company wants to take action against its employees, suppliers, etc- so be it. But the buck, figuratively, stops at "round one".
Re:Prosecute the "sellers" too (Score:5, Insightful)
This is different. This is the business putting up an advertising hoarding that is dangerous to visitors. The business already vets its adverts (so no porn), so it has the duty and capability to vet its adboards for viruses, just as if it was hosting auto-install viruses on the front page in their own webspace.
Just because it subcontracts the advertising out to a third party doesn't get myspace off the hook, any more than a bank with a beartrap inside the front door wouldn't be liable because their builders put it there.
Re:Prosecute the "sellers" too (Score:3, Insightful)
So why do you then say MySpace should be held responsible?
Look.. the visitors are not MySpace's clients.. the visitors are the product (and if they aren't the product, then at best they are leaches.. they would never be considered a client, since they don't give MySpace a dime).
MySpaces clients are those who give it money.. ie: the advertisers.
Re:Prosecute the "sellers" too (Score:3, Informative)
Only a general link is embedded in the page which causes the user's browser to makes a request to the ad companies server. Every time the link is used a different ad is served. The ad travels directly from the ad company to the user, nothing of it is seen by the company hosting the page.
The ad company likes this arrangement because they then know the ad they are paying for was really served.
Really?? (Score:3, Interesting)
I thought I followed the field fairly well, but I have never heard of any previous virus ads like this.
Re:Really?? (Score:4, Interesting)
Re:Really?? (Score:3, Insightful)
Re:Prosecute virus creating companies. (Score:5, Informative)
This attack is not a virus because it cannot spread to new hosts from infected machines. It is, more accuratly, a trojan, in that it is "executed" under the false pretence of being non-malicious code (I put "executed" in inverted commas because there is the additional issue of how it ended up actually executing native code on the infected machines).
Also, the people who recieve harsh sentances are normally writers of worms, rather than viruses. This is because the extremely rapid way in which some worms infect new machines can cause serious overload of the networks over which they spread, which tends to cause more $s of damage than the damage to the actual machines. Although these ads are wrong, they have not had that sort of global impact on networks.
So, while I agree that these people should be prosecuted and severely punished, I believe that it is misguided to say that they should be prosecuted under the same laws as virus and worm authors, as this would just muddy the water and add to the current situation where all computer users have to be worried about which laws they might be breaking.
I love how the submission links the comments (Score:5, Insightful)
First time? (Score:2)
Re:First time? (Score:5, Funny)
Hah, that's like finding a loaded diaper in a garbage dump and then complaining about the level of sanitation.
Re:First time? (Score:5, Insightful)
Yes, and you're 100% right. Since they are syndicating it, showing 'due diligence' in making sure they aren't syndicating harmful code is their responsibility.
The question comes down to , reasonably, what is a good percentage to equate with 'due diligence' in checking what they syndicate. They have a few million pages, videos and photos to police, as well as watching what their advertisers are using their network to display.
So even if they go way above and beyond the 80% catch rate of abuse prior to it leaving their network, stuff like this is still going to happen. I'd imagine they only catch about 70% of illegal use involving their network, and considering its size and attractiveness to bad-doers, that's not bad.
Of course its an age old argument, who is most at fault. The person who shot the gun or the company that provided it?
I am also noting a rather old vulnerability was exploited, and people not updating their systems need to share some of the blame.
So I guess in essence
Re:First time? (Score:3, Insightful)
'Due dilligence' in schools, for example, may not be assuring no single kid ever smokes crack, but it certainly is making sure the school bus driver doesn't.
Re:First time? (Score:3, Insightful)
Of course its an age old argument, who is most at fault. The person who shot the gun or the company that provided it?
More like the age old argument, is it illegal or not. Sadly the facts are that this event is not a criminal event, the police won't be getting involved, and no one really cares. Not the infected users, not myspace, and not the advertisers. This is just more roadkill on the information superhighway. Nothing to see here, please move along.
WMF Exploit Now Affects Mac Users! (Score:2, Funny)
Re:WMF Exploit Now Affects Mac Users! (Score:2, Funny)
Re:WMF Exploit Now Affects Mac Users! (Score:4, Funny)
Users further complained that their productivity shot way down when a number of games mysteriously started working.
This comes right after a Flash hack (Score:5, Interesting)
His solution to the hack that destroys a section of your profile is not that he will fix the site, but that you should install Flash 9.
Re:This comes right after a Flash hack (Score:4, Informative)
His solution to the hack that destroys a section of your profile is not that he will fix the site, but that you should install Flash 9.
So if you're not a Windows or Mac OS X (PowerPC) user, you're SOL [adobe.com].
Re:This comes right after a Flash hack (Score:2)
If your kids use Windows or you're intelligence-challenged yourself, you're screwed. The rest of us are safe.
Re:This comes right after a Flash hack (Score:3, Insightful)
I figure it's good training for when they have to go off to college away from their MCSE/Linux Geek/Ex-BBS sysop dad.
No way! You're kidding me! (Score:3, Funny)
You mean to tell us that a site that is pratically a shrine to petty teenage popularity contests, cliquishness, and ad-whoring for the biggest businesses in the world only supports the two OSes used by more than 2% of the market!?
Holy crap! What is the world coming to?
Re:This comes right after a Flash hack (Score:2)
Unfortunately, it won't fix the crappy member pages that crash your browser.
Re:This comes right after a Flash hack (Score:3, Insightful)
Sorry try again after you RTFM RE: security issues.
Re:This comes right after a Flash hack (Score:3, Insightful)
You gotta love laziness! You know the weird thing is that is most likely the best thing that he could have done to "fix" his problem. I'm on several security mailing lists and get notices of all the holes in nearly everything. Do you want to know the real dirty secret? That process is worthless to me unless they happen to be announcing a patch to the product that fixes the
Heh, on Facebook too. (Score:3, Interesting)
Re:Heh, on Facebook too. (Score:2)
We're talking about Myspace users here. What's the problem?
Re:Heh, on Facebook too. (Score:5, Funny)
Let me guess, you generally don't receive advertising money.
All your Myspace are belong to us? (Score:5, Funny)
-MySpace Vice President In Charge Of Revenue Generation
Just update (Score:5, Funny)
If your OS puts out a security fix, it's probably for a reason. This could have been avoided for everyone just by keeping up-to-date.
Re:Just update (Score:2)
If your OS puts out a security fix, it's probably for a reason. This could have been avoided for everyone just by keeping up-to-date.
"Sorry all your stuff was stolen, but it's your fault for not installing a better lock."
Maybe security updates wouldn't be so critical if the people that took advantage of them (and those that aided them, like Myspace) got bitch-slapped.
Re:Just update (Score:5, Interesting)
MySpace knows its users are idiots, and that they aren't going anywhere until their 15 minutes of fame are up. What do they care that ads they carry also target those same idiots.
Re:Just update (Score:3, Insightful)
Re:Just update (Score:4, Insightful)
Re:Just update (Score:4, Funny)
Less security problems as well :D
Re:Just update (Score:3, Funny)
If it's not. I just want to mention 'Windows Genuine Advantage', the oh-so-very critical security fix. Sure, it's there for a reason, but that reason ain't your computers well-being!
Tips (Score:4, Informative)
2. Uninstall Flash, you don't need that proprietary junk, 99% of all flash animations are ads/banners anyways.
3. Maybe you want to "block loading of images from third-party sites".
4. Use the Adblock extension for Firefox, you can get it at http://adblock.mozdev.org/ [mozdev.org] and get some rules for it.
5. Use a more secure operating system.
I hate Myspace, it is a website that caters to retards, it is so dumb.
Re:Tips (Score:2, Interesting)
Other than that, I agree with everything you put up.
Re:Tips (Score:3, Informative)
Another great way to block most (99% ??) ad sites is to go here [mvps.org] and download this [mvps.org]. It's a hosts file that directs your PC to essentially IGNORE ALL kno
Re:Tips (Score:2, Interesting)
Re:Tips (Score:2)
Re:Tips (Score:2)
I'm personally too annoyed by the large flash marks it leaves to use it, but if you need flash, FlashBlock at least will let you survive.
Slashdot one-ups Washington Post moderators (Score:2, Insightful)
Re:Slashdot one-ups Washington Post moderators (Score:2, Interesting)
When you go to the community pool... (Score:3, Interesting)
I'm not trolling, but I can't stand myspace-type blogs.
People need to understand that the net costs money. If you didn't pull out your credit card to pay for the resources you consumed, you'll be pulling in something into your PC...and when the intelligence quotient is double-digit...
I've visited myspace exactly once. By accident. I'd consider it to be a sesspool of the Internet if I saw more than one profile. My sister, too, has been affected by the WMF exploit in a myspace profile. Let me just say that telephone support for Win98 on an ancient laptop is less fun than most things, including elevator rides with those people that feel that the body cleanses itself.
My perspective -- if one goes to myspace, one deserves its effects.
Unfortunately, the elevator riders are right... (Score:3, Funny)
The more reason for text based advertisements. (Score:2)
DNS Ad-blocking (Score:5, Informative)
My solution to solve this problem is to block the domains of the servers that host these ads such as (pagead2.googlesyndication.com) by using a dns server. This is better than firefox ad-blocking or most other systems. This system prevents any connection to the advertising server. I have a dns server for ad-blocking that is publicly avaiable at 68.147.32.114.
Click here to see if you configured your dns properly.Re:DNS Ad-blocking (Score:5, Informative)
Re:DNS Ad-blocking (Score:2, Insightful)
adzapper Squid redirector (Score:2)
The shocking part is.... (Score:4, Funny)
Re:The shocking part is.... (Score:3, Insightful)
Why is this shocking? Windows has the highest market share and comes pre-installed on way more than the majority of pre-built computers. It is what people are used to using since it is the OS that most people started out on, so the majority of people are more comfortable using Windows since they don't have to learn something new. A lot of people also just don't know any better. They don't realize or care that there are other OS's available, a
umm there has been a patch since jan (Score:3, Informative)
but the WMF exploit has been patched since jan of this year
anyone that got hit by this only has themselve to blame.
Does Windows Defender Catch This? (Score:3, Interesting)
Its the Ad, not Myspace (Score:2, Insightful)
Myspace isn't at fault and neither is Microsoft
Sure they make shitty products for the below average user, but that isn't the problem. Myspace administrator's don't choose exactly which ads are dissplayed on their pages, they sell their ad space to an ad company with a few constraints on what types of ads are allowed to appear. The company who provides the ads then chooses specifically which ads it wishes
MySpace's Response Was To.. (Score:4, Interesting)
Although I'd like to see MySpace increase its response time, a week response time is fairly fast for corporations. Apple took two weeks to patch the vulnerabilities discovered last February and they were applauded for having a fast response. The shame is that Microsoft's glacier-like response to security vulnerabilities makes two weeks look speedy, and one week look positively instantaneous.
I realize that it will be popular to bash MySpace around here over this but the real culprits are, in order from least to greatest responsibility, the users who hadn't patched their OS with the latest updates, Microsoft for pushing such crappy code in the first place, and greatest of all, the ad agency that didn't catch this little beauty. They should lose their contract at the least over this, IMO. I use a Mac, Safari, and an adblocker style sheet, but I want to see an end to this. Kids shouldn't be used to propagate malwarez and if I was a band over at MySpace I'd be plenty ticked off about this, too.
Viral marketing (Score:4, Funny)
(You know I've been waiting to say that for weeks now)
Same thing on OKCupid... (Score:5, Funny)
Yes, it's an online dating site. No, I haven't met anyone on there yet. Shut up.
Aren't there antihacking laws that apply? (Score:4, Insightful)
Tampering with 1 million computers without permission and AFAIK without good reason. Isn't that a serious criminal offense?
That's what annoys me the most about all those "antihacker" crusades. Don't the same laws apply to spyware, unauthorized adware etc? Even Sony's DRM crap.
But no, the FBI and other authorities round the world seem to prefer trying to jail people who are pretty harmless (like that brit looking for UFOs).
If directors/owners of companies doing such stuff were sent to jail (or even seriously threatened with jail), you'd see a lot less spyware or nasty adware around.
Instead there's one law for the small stupid amateur and another law for the incorporated pros.
And that is the real reason why there's so much spyware around. Not because users are clueless (even though they are) or click on attachments without thinking.
Doesn't matter (Score:4, Funny)
Re:why? (Score:5, Funny)
Exactly - every time you delete a cookie an american flag bursts into flame.
Re:why? (Score:3, Funny)
Re:why? (Score:4, Funny)
Re:why? (Score:5, Funny)
God kills an American kitten.
Re:The rise and fall of myspace (Score:2)
Re:The rise and fall of myspace (Score:5, Informative)
On previous occasions Falk AG has served exploits like this through websites like www.theregister.co.uk. In that case Falk had their ad delivery servers broken into.
This is not the first time and as the time goes we will see much more of this.
Re:Oh the horror!!! (Score:2)
Re:Firefox with Adblock? (Score:4, Insightful)
err - he's Rupert Murdoch. If he wasn't going to "make millions off of that company" he wouldn't of bothered with it.