Forgot your password?
typodupeerror

Malware Installed by LiveJournal Ad 199

Posted by CowboyNeal
from the egg-on-face dept.
Jamesday writes "LiveJournal recently introduced an ad-supported level. Over the last few days an advertiser used an ad to install the ErrorSafe malware that tried to trick people into believing they had a fault on the computer that needs them to purchase a fix. The ad used a server-side setting and targetted only those outside the US, to prevent LiveJournal's own checks from noticing it. LiveJournal has apologized for the ad and slow response." Even our readers have had to endure more than one browser-crashing ad campaign from time to time. Thanks for sticking around.
This discussion has been archived. No new comments can be posted.

Malware Installed by LiveJournal Ad

Comments Filter:
  • Breaking News (Score:3, Insightful)

    by PakProtector (115173) <cevkiv.gmail@com> on Saturday June 24, 2006 @11:52AM (#15596421) Journal

    This just in: Capitalism and Morals do not necessarily go hand in hand.

    • Re:Breaking News (Score:3, Insightful)

      I'm not sure if I agree or disagree but your post implies that there is an alternative to Capitalism that is hand in hand with positive morality. Please tell us what that is.
      • by Nutria (679911)
        I'm not sure if I agree or disagree but your post implies that there is an alternative to Capitalism that is hand in hand with positive morality. Please tell us what that is.

        Communism. You know, communes, community, kum-bay-yah, matriarchy and all that crap.
        • Re:Breaking News (Score:2, Interesting)

          Tell us why Communism is more moral than Capitalism.
          • Re:Breaking News (Score:4, Insightful)

            by maird (699535) on Saturday June 24, 2006 @12:50PM (#15596638) Homepage
            http://en.wikipedia.org/wiki/Communism [wikipedia.org] Particularly: "communism as a political goal generally is a conjectured form of future social organization which has never been implemented" IOW, don't confuse the states that purport to be communist with communism. The USSR, China, Cuba, et al are not communist states. They are totalitarian dictatorships claiming to be communist (or that we have dubbed communist regardless of what they claimed to be). A pure communism is moral and not capitalist since there is no self-interest (selfishness) nor any need for it. There's no need to rip anyone off or take advantage of anyone. There is no need for contracts that bind the consumer to the advantage of the vendor. The truth is that communism is probably not achievable by humans, who would want to clean toilets even if you did have the same lifestyle as the head of state. Life on Star Trek starships is communist. Until matter replicators that will freely feed anyone that wants to eat are broadly available on earth communism is impossible but it is moral in ways that capitalism isn't.
            • Re:Breaking News (Score:3, Insightful)

              by corbettw (214229)
              A pure communism is moral and not capitalist since there is no self-interest (selfishness) nor any need for it.

              In other words, it runs counter to human nature. People are instinctually selfish, and it will never change.
              • Re:Breaking News (Score:5, Insightful)

                by Jacked (785403) on Saturday June 24, 2006 @01:59PM (#15596936)
                People are instinctually selfish, and it will never change.

                Exactly, and that's not necessarily a bad thing. It is precisely because of self interest that others are willing to offer us their goods and services. One of my favorite quotes puts it much better than I can:

                "It is not from the benevolence of the butcher, the brewer, or the baker that we expect our dinner, but from their regard to their own interest." -- Adam Smith
                • People are instinctually selfish, and it will never change.
                  Exactly, and that's not necessarily a bad thing. It is precisely because of self interest that others are willing to offer us their goods and services.
                  I'm not articulate enough to explain just what, but there's something very screwed up in your thinking there. 'Circular logic' sounds like a term that might fit.
              • Actually there have been small communistic religious groups, where status was the sought after goal, and the community agreed to award status in ways that reinforced the communal goal of a communist ethic.

                These groups don't tend to last very long, but they have existed. They generally require a small isolated community and a charismatic and idealistic leader. And carefully selected followers.

                I don't think that such goups could be stable for multiple generations even without exterior pressures, but they ca
              • Re:Breaking News (Score:3, Interesting)

                by notque (636838)
                The social and behavioral sciences should be seriously studied, not only for their intrinsic interest, but so that the student can be made quite aware of exactly how little they have to say about the problems of man and society that really matter.
                --Noam Chomsky
            • Re:Breaking News (Score:2, Insightful)

              by mdwh2 (535323)
              A pure communism is moral and not capitalist since there is no self-interest (selfishness) nor any need for it. There's no need to rip anyone off or take advantage of anyone.

              No self-interest? How is that achieved? The only way you could do this was to provide everyone with everything they wanted - but no economic system can do that. As you say, we need Star Trek replicators. It's not communism which gets rid of the self-interest - it's the replicators. In a society with unlimited resources, economics doesn'
      • your post implies that there is an alternative to Capitalism that is hand in hand with positive morality

        No it doesn't. All his post says is that capitalists are not necessarily moral. He says nothing about the existence of capitalists that *are* moral, or of other systems that are moral (or for that matter, other systems that are less moral).
      • I'm not sure if I agree or disagree but your post implies that there is an alternative to Capitalism that is hand in hand with positive morality. Please tell us what that is.

        I would debate that Capitalism will be replaced by Technocratism [wikipedia.org] in about 100-500 or so years.

        Not becaues Capitalism is bad or anything, but because a Technological Singularity will make it a moot point.

        When you have the technology to produce or simulate anything that you could buy through virtual reality then what is the point of payin
      • http://en.wikipedia.org/wiki/Parecon/ [wikipedia.org] seems to fit that bill quite nicely
    • by burnin1965 (535071) on Saturday June 24, 2006 @12:45PM (#15596625) Homepage
      "This just in: Capitalism and Morals do not necessarily go hand in hand."

      Caveat Emptor

      Doesn't matter if its politics, economics, religion, software, hardware, or even information.

      The fact that there are people running businesses with questionable ethics in no way reflects on the morality of the underlying economic philosophy. History easily shows that people who have questionable morals have no difficulty working within the structure of any social philosophy which gains any significant following whether it be economic, religious, or governmental in nature.

      So when someone comes around selling their alternative economic philosophy based on the idea that the current system inherently lacks morality, caveat emptor.

      burnin
      • The fact that there are people running businesses with questionable ethics in no way reflects on the morality of the underlying economic philosophy.

        I don't think the poster's point was that Capitalism is immoral, but that it is amoral, and therefore, if it is to be a beneficial force in the world, morality must be injected into it - or imposed upon it. The same goes for Communism or any other economic system. Whatever the system is, it requires limitations and regulations to keep it in line.

    • As Keynes said... (Score:3, Interesting)

      by CarpetShark (865376)
      "Capitalism is the extraordinary belief that the nastiest of men, for the nastiest of reasons, will somehow work to the benefit of us all."
  • by Watson Ladd (955755) on Saturday June 24, 2006 @11:53AM (#15596425)
    Newspapers clear ads before printing. Radio stations clear ads before airing them, and so do tv stations. Why should websites be any different?
    • by Anonymous Coward on Saturday June 24, 2006 @11:56AM (#15596438)
      What part of "The ad used a server-side setting and targetted only those outside the US, to prevent LiveJournal's own checks from noticing it. LiveJournal has apologized for the ad and slow response." did you not read?
      • Sounds like an attempt at an excuse for not doing one's own vetting. Allowing anyone to dynamically insert arbitrary content, or outsourcing ad vetting to another party makes one vulnerable and blameworthy. Ultimately, it comes down to what do site administrators value. Now we know.
    • by TommydCat (791543) on Saturday June 24, 2006 @12:03PM (#15596472) Homepage
      Because those ads are not necessarily static or even served up by the publication's servers. If the ad consists of a "add_link_to_offsite_advertiser_server_here", anything that was "cleared" could change without notice. It's rather hard to dynamically change printed copy ;)
    • by mpcooke3 (306161) * on Saturday June 24, 2006 @12:11PM (#15596504) Homepage
      Heh, sometimes they do - but you'd be amazed at what goes on in the online advertising world.
      One advertising company I used to work for once had a request to configure an ad campaign to run each advert for 30seconds then switch the advert the user was viewing to a different one.

      Only later did we discover it was to bypass a websites manual safety check, where they check each advert complies with their rules by watching it for 20 seconds.
    • by Beryllium Sphere(tm) (193358) on Saturday June 24, 2006 @12:12PM (#15596506) Homepage Journal
      They did. The ad contains code that skips the malware install if it's running in the US, as for example when it's being screened.

      A better question is why displaying an ad can install software on your computer. The LiveJournal posts say it was a Flash ad, so until we get real information it's logical to guess that it exploits one of the vulnerabilities in the Shockwave player.
      • this is why i block all ads, even google syndication counters. i probably trust cnn servers , but i can't trust to all that IPs my browser pulls the ads from.

        besides slowing down the page download (mostly DNS related issues), disturbing my attention and wasting my time my machine (and IP address) is getting exposed to numerous unknown or little known servers.

        chain of ads suppliers can be very long. ad can go from the initial seller via multiple broker companys to reach my Linux/Win32. in any point on th

    • They don't clear classified ads. All kinds of scams are running around in those.
    • Well, there are two things:

      1) If any of the media you listed ran an offensive ad, they'd be fined or similarly chastised by the appropriate regulatory body. No such body exists for the web, that I'm aware of.

      2) In each of those media, the ads are submitted for approval to a human, and a human manually puts them in place (by running the tape/CD, dropping the ad in place in Quark, etc). On the web, it's entirely possible for a person to approve a third party ad serving service, then for that service to pull a
  • by Khyber (864651) <techkitsune@gmail.com> on Saturday June 24, 2006 @11:55AM (#15596432) Homepage Journal
    I use an ad-supported LJ account, and the mentioned advertisement was made in flash. I had to deal with it a couple of days ago. Hoo-ray for security holes. Can't we just sue the ad company for unauthorized usage of our computer's resources?
    • I use an ad-supported LJ account, and the mentioned advertisement was made in flash. I had to deal with it a couple of days ago. Hoo-ray for security holes. Can't we just sue the ad company for unauthorized usage of our computer's resources?

      You're using Windows from an account that has Administrator privs, aren't you?
      • Yup, yanno why? I'm constantly adminning my home network. CONSTANTLY. pretty hard to set folder permissions and shares and stuff like that when you're not running as admin. Also, Livejournal, before these ads, was a pretty safe and secure site. Now they put in advertising, some of it flash based, and suddenly I'm nailed by one of their ads and malware hits my system. I had no reason to worry about malware when visiting LJ before, now I do. I bet if slashdot alowed flash-based ads there'd be plenty of probl
        • by Nutria (679911) on Saturday June 24, 2006 @12:38PM (#15596605)
          Yup, yanno why? I'm constantly adminning my home network. CONSTANTLY. pretty hard to set folder permissions and shares and stuff like that when you're not running as admin.

          Sucks to use Windows, doesn't it, not being able to use "su -" and control everything from a command window while logged in as a limited-permissions user?

          Also, Livejournal, before these ads, was a pretty safe and secure site. Now they put in advertising, some of it flash based, and suddenly I'm nailed by one of their ads and malware hits my system.

          Sucks to use IE, doesn't it? Firefox and Flashblocker would have protected you.
    • This is what adblock is for.
  • ads (Score:3, Funny)

    by Anonymous Coward on Saturday June 24, 2006 @11:57AM (#15596446)
    Slashdot has ads? :)
  • Obligatory (Score:4, Funny)

    by BertieBaggio (944287) * <bob@manTOKYOics.eu minus city> on Saturday June 24, 2006 @11:58AM (#15596451) Homepage

    I, for one, do not welcome our new malware-installing overlords!

  • by pe1chl (90186)
    Earlier today I searched on Google Groups and when clicking on a link in the result list I got an ad-page that crashed Seamonkey.

    It seems to be commonplace these days...
    • Re:Google (Score:3, Insightful)

      Oh MY GOD! Won't someone think of the Sea Monkeys?

      Seriously, people should be making use of the adblocking functionality in their browsers, or better yet, installing filtering proxies like proxo [proxomitron.info] to halt this crap before it gets to the browser.

      • In this case that won't help because those ads are click-throughs to the search result. When you block them, you will block your search result.
  • ... but they and the advertisers are the ones driving people to them.

    No seriously, is it any wonder people turn to ad-blockers? Try reading an informative bit of text when there's a Flash advertisement of box jumping around and flashing like a student at Mardi Gras. I don't care if you are trying to tell me I'm your millionth visitor. You misspelled congratulations! The box makes me wish I had no peripheral vision! FOAD.

    Now I know publishers want to make a buck (I have a few websites [sans-advertising] myself), but if the advertisers are going to use annoying/underhand methods, people will take steps to protect themselves. A lot of these companies would do well to look at the sort of program Google offers: inoffensive, targeted, text ads.

    In short: make your advertising better -- advertisers AND publishers -- or lose that which you supposedly value. Eyeballs.

    • Slashdot's ads drive me crazy. I usually forget how bad the state of internet ads are. Then I'll browse somewhere without adblock plus and it will totally drive me nuts.
    • by ThinkingInBinary (899485) <thinkinginbinaryNO@SPAMgmail.com> on Saturday June 24, 2006 @12:58PM (#15596667) Homepage

      You know, Google ads are the only ads I look at any more. (Hell, I run them on my own site!) They are short, not ugly (because Google cares [google.com] about the viewer's experience), and quite often very pertinent to the content. I have to try really hard not to puke when I log in to something like Yahoo! Mail! and I see flashing banner ads for "Get your Credit Rating" or "Cheap Mortgages" or "Warning: Your system is broadcasting an IP address! Ph33rz0r teh RFC!". They are the most useless ads ever. The only reason I think they might survive is if the ad networks charge per impression, not per click--because almost nobody would click on them!

    • In short: make your advertising better -- advertisers AND publishers -- or lose that which you supposedly value. Eyeballs.
      look, these guys piss me off just as much, and i've certainly entertained thoughts of dismemberment, but to actually threaten to remove their eyes? that's harsh, man. harsh.
  • Just one ad? (Score:5, Interesting)

    by misleb (129952) on Saturday June 24, 2006 @12:11PM (#15596497)
    I once played this web based role playing game a while ago. It was just a so-so game, but one exceptional thing I did notice was that while playing from a Mac I would get randomly named .exe files downloaded to my desktop. Turns out that ads on this game site were just full of malware. Visiting from a Windows computer, I was getting prompted to install crap. So I went to report it on their forums and find out what was being done about it. They didn't care! The site maintainers claimed there was nothing they could do about it. It was their ad provider's fault. All they could say was "you should be running malware protections.." Needless to say, I was outraged by this irresponsibility. I told them off and never visited their god forsaken site again.

    How can you NOT take responsibility for malware spread through your own site? I understand that people contract out ads, but geez, come on. No need to draw from the bottom of the barrel.

    -matthew
    • This wasn't Utopia, was it?

      I quit playing it a few years ago when their ads started playing sound. I'm sure they've gone downhill from there.
    • Re:Just one ad? (Score:5, Insightful)

      by Lord_Dweomer (648696) on Saturday June 24, 2006 @02:52PM (#15597163) Homepage
      Nice story, but if you'd like it to be remotely useful for Slashdotters, could you please tell us the NAME of the game so we can avoid it?

    • Re:Just one ad? (Score:2, Interesting)

      by Anonymous Coward
      Sounds a lot like Outwar to me. I joined that game in about the 6th month of its existance. It was alright for a month or two, but it went downhill from there. In order to even survive in the game, you needed to use "points" at a special store that gives you upgrades, like the ability to go to the forums, or getting more attacks per hour, or increasing the amount of money you could store in the bank, etc. You could buy points at $5 for 100 points, but they also had some offers to get free points. The l
  • simple fix (Score:2, Insightful)

    by Whammy666 (589169)
    My simple fix for the security problems associated with Flash is to not install flash. Let's face it, 99.9% of flash is just obnoxious ads anyway. Who needs it.

    It's for this reason that any webmaster who insists on using 100% flash to view their site deserves a swift kick to the nutsack.

    • Re:simple fix (Score:4, Informative)

      by Nutria (679911) on Saturday June 24, 2006 @12:34PM (#15596579)
      My simple fix for the security problems associated with Flash is to not install flash. Let's face it, 99.9% of flash is just obnoxious ads anyway. Who needs it.

      It's for this reason that any webmaster who insists on using 100% flash to view their site deserves a swift kick to the nutsack.


      Google Videos, for one, are all Flash.

      Use Firefox and install Flashblock, then you'll have the benefits of both worlds.
    • by vivek7006 (585218) on Saturday June 24, 2006 @12:55PM (#15596658) Homepage
      My simple fix for the security problems associated with Flash is to not install flash. Let's face it, 99.9% of flash is just obnoxious ads anyway

      Even better, just disconnect your computer from the internet. Who needs internet? Let's face it, 99.9% of internet is just obnoxious anyway.
      • Even better, just disconnect your computer from the internet. Who needs internet? Let's face it, 99.9% of internet is just obnoxious anyway.

        Mod +2 (Unintentionally Insightful)
      • Even better, just disconnect your computer from life. Who needs life? Let's face it, 99.9% of life is just obnoxious anyway.
    • Re:simple fix (Score:2, Interesting)

      by Draelen (920902)
      I think a better way to deal with flash is to use the FlashBlocker plugin for Firefox
      All flash-based ads get replaced with a placeholder and a little play button, then you get to selectively enable the ones which you require - http://flashblock.mozdev.org/ [mozdev.org]
  • Haw! (Score:2, Troll)

    by imrdkl (302224)
    I gave up on you guys years ago. I'm just here to mock.
  • Adverts? (Score:5, Insightful)

    by Karellen (104380) on Saturday June 24, 2006 @12:17PM (#15596520) Homepage
    Do people still get them? I thought everyone had adblock [mozdev.org] installed.
    • Re:Adverts? (Score:4, Funny)

      by erroneous (158367) on Saturday June 24, 2006 @02:07PM (#15596966) Homepage
      Heh. On my screen your message is directly below this one.

      Re:Haw! (Score:1)
      by heinousjay (683506) Alter Relationship on 18:36 24th June, 2006 (#15596823)
      I'm only here for the blowjobs. I bet our experiences are similarly disatisfying.

      Adverts? (Score:3, Insightful)
      by Karellen (104380) Alter Relationship on 17:17 24th June, 2006 (#15596520)
      Do people still get them? I thought everyone had adblock [mozdev.org] installed.

      Which became even funnier when I saw who the post was from.
  • by richg74 (650636) on Saturday June 24, 2006 @12:19PM (#15596526) Homepage
    Even our readers have had to endure more than one browser-crashing ad campaign from time to time.


    The way to discourage this kind of nonsense is to make sure that the advertisers are identified and given a large public black eye. Probably that's not appropriate if the ad just uncovered a bug in the Flash player, but I think it certainly is in the case where an ad installs spyware.

    Did the advertiser know this was going to be done? Quite possibly not, but they are still the ones responsible for the ad: they want the good consequences (more sales), so they have to take the bad ones as well. If their bottom line is hurt, they'll start paying more attention to what their ad agencies and other agents are doing. (This is just an application of Murphy's Golden Rule: the guy who has the gold makes the rules.)

  • weak effort (Score:5, Insightful)

    by v1 (525388) on Saturday June 24, 2006 @12:20PM (#15596533) Homepage Journal
    While it was good of them to pull the ad from the rotation immediately, they failed in several other ways:

    (1) they failed to post a notice or provide links for the removal of the malware. At best in the blog there are references that such removal instructions exist, peppered with a warning that some of them are actually malware themselves. They should have made the fix EASY and FOOLPROOF to obtain after getting their readers infected. It's been how long since they got their subscribers infected and they have done nothing more than to stop more of them from getting infected. They helped to break the computers, they should play an active roll in fixing them.

    (2) the impression I got from their posts in their blog was that "oops sorry not our fault, not our advertiser's fault, it's one of the ad companies that subscribed to our advertiser". This is a cop-out. When you provide a service like they do, your advertisement is a bundle that comes with your service, and as such you are responsible for its content. I don't care if it's a 3rd party. You take on the responsibility for the content you deliver, regardless of how you get it. You can have legal arrangements with your content providers that provide YOU with a legal remedy, but the grief passes through you. You get sued, and then you sue the ones upsteam that caused you to get sued. You do not "pass the buck" and point a finger up the chain three levels and say not my problem good luck getting anything out of them, because the consumer has no legal recourse against those people. You as the content provider do have a legal recourse against your advertiser, and they have recourse against their affiliate who caused the problem in the first place. This pass the buck mentality is cheap and lazy, and they should be ashamed for trying to pull it.
    • Re:weak effort (Score:3, Informative)

      by electronerdz (838825)
      Actually, from their TOS:

      VI. INDEMNITY

      You agree to indemnify and hold LiveJournal, and its subsidiaries, affiliates, officers, agents, co-branders or other partners, and employees, harmless from any alleged claim or demand, including reasonable attorney fees, made by any third party due to or arising out of your Content, your use of the Service, your connection to the Service, your violation of the TOS, or your violation of any rights of another, whether you are a registered user or not. The user is s
      • As a (hypothetical) site visitor, how does simply visiting the site bind me to their terms? Also, if the malware-laden advertiser hits my machine at my first visit, before I have a chance to evaluate the TOS, there's NO way the TOS can be held to protect them.

        Moreover, if the malware violates unauthorized-access statutes, the TOS would be well and truly trumped by such legislation.

        Overall, they're in a very weak legal position; a reasonable person would conclude that the best course of action is to mitigate
    • (1) they failed to post a notice or provide links for the removal of the malware.

      Agreed. Correct me if I'm wrong, but for the LJ user to see a particular ad, the user has to be a) logged in with a username and password, b) with a "Sponsored+" account (or whatever it's called). Unless the ad system was implemented in a braindead way, there should be a record that Ad X was served to user Y. Having a logged-in user gives you a guaranteed way to track a specific user across sessions (the old standby of using co
    • Re:weak effort (Score:2, Interesting)

      by Ciaran_H (579351)
      I was the user who posted the entry in no_lj_ads, and commented on the post in lj_ads.

      I know you're probably not referring to me, but for reference, I'm not LiveJournal staff and nor do I play one on TV. I hate LiveJournal ads and I wish they would get rid of them already.

      Just to clear things up for anybody who was wondering.
  • by WebHostingGuy (825421) on Saturday June 24, 2006 @12:39PM (#15596609) Homepage Journal
    But I kept getting problems with my computer while reading the ad filled apology page.

    Apparently, I needed to download some software because my computer was out of date. Thank goodness I visited LiveJournal today, which told me to update with their new UrP0wnd.exe update.
  • "Even our readers have had to endure more than one browser-crashing ad campaign from time to time. Thanks for sticking around."

    Oh? What happened?
  • and this is a great example of why and how at work. As if you needed another reason to get your ISP to run a web proxy running adzapper [sf.net] or switch to one that does.
  • Cyberterrorists (Score:3, Interesting)

    by paulproteus (112149) <slashdot@@@asheesh...org> on Saturday June 24, 2006 @01:37PM (#15596829) Homepage
    Companies like this make the Internet a frightening, dangerous place. They literally attempted to crack into people's computers without their consent.

    Why don't we sue them into the ground as pursuing cyberterrorism as a business model?
  • OS X [apple.com] and Firefox [getfirefox.com] with AdBlock [mozilla.org] and NoScript [mozilla.org] included for good measure == no worries here.

    Still think Windows is [cheaper|easier|better|stronger|faster]?
    • Re:Yawn . . . (Score:2, Informative)

      by jofi (908156)
      According to TFA, it doesn't use an exploit except the one located between the chair and keyboard. It's a little vague, but a non-admin account in XP would have not allowed "ErrorSafe" to install.
  • by toadlife (301863) on Saturday June 24, 2006 @02:52PM (#15597159) Journal
    Simple. Websites need to stop being lazy and host ads on their own servers. Yes, there would beed to be a way for the advertisers to track hits, but there should be a way to do that while keeping the potentially dangerous content off the advertisers site.

HOLY MACRO!

Working...