
Banner Ad on Myspace Serves Adware to 1 Million

An anonymous reader writes "Washingtonpost.com's Security Fix blog reports that a banner ad running on MySpace.com and other Web sites used a Windows security flaw to push adware and spyware out to more than one million computer users this week. The attack leveraged the Windows Metafile (WMF) exploit to install programs in the PurityScan/ClickSpring family of adware, which bombards the user with pop-up ads and tracks their Web usage."

  • by Neoncow ( 802085 ) on Thursday July 20, 2006 @12:59AM (#15747967) Journal
    This way we don't even have to read the article if we want to! We can just comment about the comments of the article. =D
  • Woohoo!! (Score:1, Insightful)

    by TheDarkener ( 198348 ) on Thursday July 20, 2006 @01:15AM (#15748015) Homepage
    Go corporate America!! Way to get your message heard in the most unobtrusive, sincere fashion. I'm sure you'll gain a lot of proud customers through dumb marketing ideas, just like "Let's spam a million people and get 10 suckers to give us money! Woohoo!"
  • by Anonymous Coward on Thursday July 20, 2006 @01:18AM (#15748019)

    The internet is a fad. It is a fad that may be here for a long time, but it too shall pass. This type of abuse, as well as the abuse by sexual predators and antagonistic peers will eat away at its usefulness until it is outlived and replaced by the new "cool" thing.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Thursday July 20, 2006 @01:20AM (#15748028)
    Comment removed based on user account deletion
  • by zaliph ( 939896 ) on Thursday July 20, 2006 @01:28AM (#15748046)
    This is absolutely hilarious. I wonder if more people got AIDS or this from Myspace? Posted by: bvllets | July 19, 2006 05:20 PM
    My jaw is open in disbelief.
  • Re:First time? (Score:5, Insightful)

    by tinkertim ( 918832 ) * on Thursday July 20, 2006 @01:41AM (#15748080)
    >> Makes me question myspace, you'd think they have people watching for these sorts of attacks.

    Yes, and you're 100% right. Since they are syndicating it, showing 'due diligence' in making sure they aren't syndicating harmful code is their responsibility.

    The question comes down to, reasonably, what is a good percentage to equate with 'due diligence' in checking what they syndicate. They have a few million pages, videos and photos to police, as well as watching what their advertisers are using their network to display.

    So even if they go way above and beyond the 80% catch rate of abuse prior to it leaving their network, stuff like this is still going to happen. I'd imagine they only catch about 70% of illegal use involving their network, and considering its size and attractiveness to bad-doers, that's not bad.

    Of course it's an age old argument, who is most at fault. The person who shot the gun or the company that provided it?

    I am also noting a rather old vulnerability was exploited, and people not updating their systems need to share some of the blame.

    So I guess in essence .. 'shit happens.'
  • Re:Just update (Score:4, Insightful)

    by Zindagi ( 875849 ) on Thursday July 20, 2006 @01:53AM (#15748113)
    There might be other reasons why your computer is not up to date. For instance, now that Microsoft insists I install WGA before I can get the updates -- I haven't been getting the updates. So Lord knows what all critical fixes my computer is missing. Not that that excuses anybody for using IE :)
  • by nwbvt ( 768631 ) on Thursday July 20, 2006 @01:57AM (#15748117)
    "How about Myspace as well? It is easily argued that Myspace controls the banner space and content added to the 'global' site (ie every page). This is akin to aiding and abetting. "

    Only if Myspace knew what was going on (which they almost certainly did not). Or do you think any business transaction with criminals is 'akin to aiding and abetting'? In which case, shouldn't you also prosecute

    • banks, if one or more of their clients deposit money they got illegally?
    • hotels, in whose rooms illegal transactions (prostitution, drug dealing, whatever) take place?
    • computer manufacturers, whose customers use their computers to steal identities?
    • camera manufacturers, whose products may be used to stalk people and invade their privacy?
    • etc.
    Ask yourself this, do you really want to go down that road? Do you really want companies to run extended background checks on you before they sell you anything to make sure you may not use it in some obscure way to harm others? Is such a police state really what you want? Or do you just not like Myspace (either because it is used by the same teenage girls who wouldn't date you in high school, or because it is owned by NewsCorp)?
  • Re:DNS Ad-blocking (Score:2, Insightful)

    by computergeek1200 ( 909965 ) on Thursday July 20, 2006 @02:12AM (#15748143) Homepage
    I agree that public dns servers can be a security risk. Is it possible to get a blocklist and add it to the dns server automatically? (instead of manually creating new zones and host records)
  • Prosecute MySpace (Score:4, Insightful)

    by Yez70 ( 924200 ) on Thursday July 20, 2006 @02:41AM (#15748195)
    Do you really want companies to run extended background checks on you before they sell you anything to make sure you may not use it in some obscure way to harm others?
     

    You mean like the government wants our ISPs to track and monitor our web usage and keep copies of all our IM's, searches and emails? Or how about our libraries revealing what books we check out? Maybe AT&T could provide a log of all your phone calls. How about the banks reveal all your financial transactions?

    Oops, I forgot - the Patriot Act, among other obscure laws, already allows this.

    Innocent until proven guilty no longer applies in the land of the free - why should it apply to corporate America any different? Oh yea, I forgot, they own the politicians.

    Why can't Microsoft patch the holes in its software? Why can't MySpace screen its advertisers? They aren't showing porn site ads, because they 'screened' the ads, correct? So, how come they are serving adware?

    If it's ok for the government to be constantly running background checks (illegally I might add) on its own citizens in a 'FREE' country, then MySpace should also be responsible for spreading viruses and spyware. Of course, they won't ever have to answer for it. News Corp may as well be owned by the GOP...

  • by SCPRedMage ( 838040 ) on Thursday July 20, 2006 @02:54AM (#15748221)
    In your case, the problem wasn't with the Dilbert website, and in the parent article, it wasn't a problem with myspace, either.

    The problem is with the ad-serving companies that these websites use. Either they're less-than-trustworthy, and are directly responsible for the exploits being used, or they sub-contract out, and don't care enough to keep an eye on their "partners". Usually, notifying the webmaster of the offending site is enough to get them to have a "talk" with their advertisers to resolve the situation.

    Of course, you probably already know this, but it bears repeating as it's something that can be missed by people not familiar with the subject.

    Please, won't someone think of the n00bs?
  • by SuperBanana ( 662181 ) on Thursday July 20, 2006 @02:59AM (#15748235)

    Only if Myspace knew what was going on (which they almost certainly did not).

    I'll make this very simple for you: Is myspace responsible for the content they put on their site, or not?

    When you are a website the size of myspace, failing to vet your advertising borders on gross negligence and incompetence.

    Furthermore, if you study how 'responsibility' plays out in the business world, particularly with lawsuits- the first party on the food chain is responsible. If that company wants to take action against its employees, suppliers, etc- so be it. But the buck, figuratively, stops at "round one".

  • by arkhan_jg ( 618674 ) on Thursday July 20, 2006 @03:02AM (#15748246)
    I agree with your examples, but not with your linking of them with the original problem. A bank or computer maker or hotel's CUSTOMERS are committing the illegal act. You're right, the business should not be held liable for what their clients do, i.e. myspace shouldn't be held liable for what their users hosting pages put on them.

    This is different. This is the business putting up an advertising hoarding that is dangerous to visitors. The business already vets its adverts (so no porn), so it has the duty and capability to vet its adboards for viruses, just as if it was hosting auto-install viruses on the front page in their own webspace.

    Just because it subcontracts the advertising out to a third party doesn't get myspace off the hook, any more than a bank with a beartrap inside the front door wouldn't be liable because their builders put it there.

  • by Danga ( 307709 ) on Thursday July 20, 2006 @03:14AM (#15748271)
    The shocking part is that there are still people using Windows

    Why is this shocking? Windows has the highest market share and comes pre-installed on way more than the majority of pre-built computers. It is what people are used to using since it is the OS that most people started out on, so the majority of people are more comfortable using Windows since they don't have to learn something new. A lot of people also just don't know any better. They don't realize or care that there are other OS's available, as long as they can surf the web, check their e-mail, use MS Office applications, and play their games what incentive do they have to move to anything else?

    The package management system is horribly antiquated, the dependency checking leaves a lot to be desired, and then there are the security holes in the stock applications that come with the OS.

    Oh, sounds a lot like linux (although it has gotten better recently). I am not a fan of how Windows goes about these things either, but I must say that I have had much more frustrating times with dependency and package management problems on linux than on any Windows machine. On Windows it usually goes like this:

    1) Try and install upgrade to software.
    2) It doesn't work.
    3) Uninstall software package completely.
    4) Reinstall software.
    5) It magically works.

    Yes, it is horrible that a lot of upgrades work that way but at least that is usually all that is needed. With linux on the other hand I have literally had to spend days sometimes trying to get packages upgraded/working properly, even with Yum and other package handlers. One pain in the ass that I remember off the top of my head was when I was trying to upgrade some Perl MySQL module after upgrading the MySQL server, it literally took me 3 hair pulling days to finally get everything working right and the whole problem was caused by an error with CPAN (I can't remember exactly right now what the error was).

    If I had to direct my 91 year old grandmother over the phone how to install some software I would much prefer she be running Windows than linux. It would be great if everyone ran linux but I think you are getting ahead of yourself if you honestly believe that it is easier to use than Windows. Now if you are a Mac guy then you could be right, but I have very limited Mac experience.

    Linux is also not immune to having stock applications that have security holes and need to be patched right away, Windows is not alone at all in that regard either. After freshly installing either Windows or linux I have to go through the process of applying the needed patches on both.

    Maybe some day it will mature enough to be useful, but for now it's just a novelty that still isn't up to being used in a production environment.

    If you play games then Windows is very useful since the majority of games are developed for the Windows platform. It also can be made pretty damn secure as long as you lock it down reasonably well, I have not had any problems at all for the last 4 years on my Windows XP Pro boxes at work or home. My work box also is very useful for Windows development, so it is not just a "novelty" and actually is up to being used in a "production environment".

    I don't know what OS you use but you really need to get over your zealotry, you just sound like all of the other zealot sheep who love to rip Windows to pieces even though it does have some useful purposes that they always fail to acknowledge. Windows has its quirks (and quite a few) but so does every other OS that I have used.
  • by Tim C ( 15259 ) on Thursday July 20, 2006 @03:24AM (#15748294)
    I imagine that most of us around here who install AdBlock and FlashBlock do so because of the bandwidth and processor power that ad-laden pages take.

    Speaking personally, I generally block ads that are misleading, flashy and/or distracting. I've lost count of the number of times an otherwise perfectly good webpage has been ruined (aesthetically) by an in your face ad.

    Anything that attempts to look like a system dialogue, or to convince me that my PC is running slowly and needs to be fixed, etc, gets the entire advertiser's domain and sub-domains blocked. I hate that shit.
  • by Slow2Show ( 633457 ) on Thursday July 20, 2006 @03:34AM (#15748318)
    It's because it is a bug in flash's understanding of DOM security. Not myspace's, so hence your attempt at insinuating that they don't know what they're doing is incorrect.

    Sorry try again after you RTFM RE: security issues.
  • by Fr3d ( 787062 ) <cowbox314 AT gmail DOT com> on Thursday July 20, 2006 @03:42AM (#15748331) Journal
    Before we go on with all the Myspace and Windows bashing it's important to note who is at fault here.

    Myspace isn't at fault and neither is Microsoft

    Sure they make shitty products for the below average user, but that isn't the problem. Myspace administrators don't choose exactly which ads are displayed on their pages, they sell their ad space to an ad company with a few constraints on what types of ads are allowed to appear. The company who provides the ads then chooses specifically which ads it wishes to display on each of Myspace's, and for that matter, hundreds of other web sites' web pages. And the users who didn't update their Windows OS aren't any more at fault either. Is it my fault if I leave my window unlocked and I get robbed because of it? No.
    Another important note:
    Myspace users were not the only ones affected by this banner ad

    So enough with the flame wars, go fuck the adware companies that are fucking everyone over.
  • I make my kids use firefox when they go to myspace; I also only let them access it on a system that is firewalled from the rest of the network, which they have to keep running.
    I figure it's good training for when they have to go off to college away from their MCSE/Linux Geek/Ex-BBS sysop dad.
  • MySpace Hate (Score:2, Insightful)

    by IClavdivs ( 445385 ) on Thursday July 20, 2006 @04:10AM (#15748382) Homepage
    omg. wow. who would've thought that so many nerds would have such hate for a SOCIAL networking website.
  • by dfjghsk ( 850954 ) on Thursday July 20, 2006 @04:12AM (#15748384)
    You're right, the business should not be held liable for what their clients do

    So why do you then say MySpace should be held responsible?

    Look.. the visitors are not MySpace's clients.. the visitors are the product (and if they aren't the product, then at best they are leeches.. they would never be considered a client, since they don't give MySpace a dime).

    MySpace's clients are those who give it money.. ie: the advertisers.
  • Re:Just update (Score:3, Insightful)

    by cliffski ( 65094 ) on Thursday July 20, 2006 @04:20AM (#15748408) Homepage
    Not everyone who is not tech savvy is an idiot. Don't fall into the trap of assuming stupidity because someone has a differing skillset. I'm sure most car mechanics think I'm an idiot because I have sod all idea how my car works, or for that matter, how to keep the engine in top condition. Like most drivers, if it starts, stops and gets me to work, I'm fine.
  • by Library Spoff ( 582122 ) on Thursday July 20, 2006 @04:39AM (#15748457) Journal
    >>Did you see the picture of the CEO on the front of Wired?

    err - he's Rupert Murdoch. If he wasn't going to "make millions off of that company" he wouldn't have bothered with it.

  • by suffe ( 72090 ) on Thursday July 20, 2006 @04:53AM (#15748480) Homepage Journal
    I must confess, I've never been able to quite understand how companies are willing to show those ads on their space. Seemingly serious sites can be littered with them and in regard to professionalism it just seems like scraping the bottom of the barrel. Who can take a company/site seriously when they are (through their ads) trying to outright scam their customers?
  • Re:Really?? (Score:3, Insightful)

    by Vo0k ( 760020 ) on Thursday July 20, 2006 @05:04AM (#15748505) Journal
    Not on "reputable sites". The problem is you don't have to try hard to get to the "less reputable sites". All you need is to type "com" instead of "org" or "net", make a typo or misspell the domain name, click a result that on first sight looks genuine in Google Search, visit a site from your bookmark which is two years old, enter any phpbb-based forum or any site running on older, unpatched IIS. Minor sites get hijacked all the time.
  • by tehshen ( 794722 ) <tehshen@gmail.com> on Thursday July 20, 2006 @05:10AM (#15748522)
    Who can take a company/site seriously when they are (through their ads) trying to outright scam their customers?

    This works for the same reason that spam works - it's cheap to do, and only a few stupid people need to click on the ads for them to be making money again.
  • Re:First time? (Score:3, Insightful)

    by Vo0k ( 760020 ) on Thursday July 20, 2006 @05:15AM (#15748532) Journal
    The problem is that was not a user-provided content, one of millions of user pages, but advertiser content, something you directly get paid for, and certainly it appears in numbers much smaller than the user pages.

    'Due diligence' in schools, for example, may not be assuring no single kid ever smokes crack, but it certainly is making sure the school bus driver doesn't.
  • by Bogtha ( 906264 ) on Thursday July 20, 2006 @05:33AM (#15748568)

    I have to disagree with both of you. People block ads not because of risk, not because they take up too much bandwidth and processor power, but because they take up too much attention. People want to pay attention to the real content, not wade through fake distracting crap that wants to sell them something.

  • by TheLink ( 130905 ) on Thursday July 20, 2006 @05:36AM (#15748579) Journal
    Y'know unauthorized modification of a computer system and all that stuff?

    Tampering with 1 million computers without permission and AFAIK without good reason. Isn't that a serious criminal offense?

    That's what annoys me the most about all those "antihacker" crusades. Don't the same laws apply to spyware, unauthorized adware etc? Even Sony's DRM crap.

    But no, the FBI and other authorities round the world seem to prefer trying to jail people who are pretty harmless (like that brit looking for UFOs).

    If directors/owners of companies doing such stuff were sent to jail (or even seriously threatened with jail), you'd see a lot less spyware or nasty adware around.

    Instead there's one law for the small stupid amateur and another law for the incorporated pros.

    And that is the real reason why there's so much spyware around. Not because users are clueless (even though they are) or click on attachments without thinking.
  • by suffe ( 72090 ) on Thursday July 20, 2006 @07:42AM (#15748783) Homepage Journal
    If anything, I might overestimate the value of a returning customer. Or they might underestimate it. Who knows.
  • by hotdiggitydawg ( 881316 ) on Thursday July 20, 2006 @07:43AM (#15748785)
    What's to stop them checking the user's platform before deciding which ad (XP, OS/X, or whatever style) to serve up?
  • Good Job (Score:2, Insightful)

    by krelian ( 525362 ) on Thursday July 20, 2006 @07:49AM (#15748810)
    I liked the fact that the writer avoided linking to the site so they won't get any boost on google from being mentioned on the Washington Post.
  • by v1 ( 525388 ) on Thursday July 20, 2006 @07:57AM (#15748832) Homepage Journal
    might ?

    I've never known them not to

    What I get a kick out of is how they like to tell you they have no way to contact them and there's nowhere you can complain to.

    Um... you're getting a CHECK from them every month, remember? (we know you're not allowing that crapware on your site for free!)
  • Excuses, excuses (Score:3, Insightful)

    by metamatic ( 202216 ) on Thursday July 20, 2006 @08:03AM (#15748844) Homepage Journal
    The problem is with the ad-serving companies that these websites use. Either they're less-than-trustworthy, and are directly responsible for the exploits being used, or they sub-contract out, and don't care enough to keep an eye on their "partners".

    Funny, that's the same kind of excuse spammers use. "Oh, I'm not a spammer... I purchased this list of e-mail addresses in good faith, how was I to know they weren't all 100% verified opt in like the seller said?"

    It's also the same excuse The Pirate Bay use. "Oh, no, we're not responsible... we just provide a service which other people use to serve up illegal content."

  • by nwbvt ( 768631 ) on Thursday July 20, 2006 @08:14AM (#15748868)
    "You mean like the government wants our ISPs to track and monitor our web usage and keep copies of all our IM's, searches and emails? Or how about our libraries revealing what books we check out? Maybe AT&T could provide a log of all your phone calls. How about the banks reveal all your financial transactions?"

    No, not really...

    I'm scared to ask, but how does your conspiracy theory reason why the government would want ISPs to monitor all that information, when the government itself really wouldn't have any trouble doing it themselves?

    "Why can't Microsoft patch the holes in its software?"

    They do. Users just don't always install the patches.

    "Why can't MySpace screen its advertisers? They aren't showing porn site ads, because they 'screened' the ads, correct? So, how come they are serving adware?"

    What part of 'hidden in the ad' did you not get?

  • by geomark ( 932537 ) on Thursday July 20, 2006 @08:35AM (#15748969) Homepage
    Seems pretty common for MySpace to be serving up spyware ads. Another recent case was reported here [netscape.com] of spyware from Starware being advertised with a banner they made by sticking Osama's face on the body of an Asian model in a bikini. Given the background of the founders of MySpace it shouldn't be surprising (they came from the spyware business according to references cited in that spyware report).
  • Re:First time? (Score:3, Insightful)

    by Darkman, Walkin Dude ( 707389 ) on Thursday July 20, 2006 @08:43AM (#15749011) Homepage

    Of course it's an age old argument, who is most at fault. The person who shot the gun or the company that provided it?

    More like the age old argument, is it illegal or not. Sadly the facts are that this event is not a criminal event, the police won't be getting involved, and no one really cares. Not the infected users, not myspace, and not the advertisers. This is just more roadkill on the information superhighway. Nothing to see here, please move along.

  • by kabocox ( 199019 ) on Thursday July 20, 2006 @10:08AM (#15749599)
    His solution to the hack that destroys a section of your profile is not that he will fix the site, but that you should install Flash 9.

    You gotta love laziness! You know the weird thing is that is most likely the best thing that he could have done to "fix" his problem. I'm on several security mailing lists and get notices of all the holes in nearly everything. Do you want to know the real dirty secret? That process is worthless to me unless they happen to be announcing a patch to the product that fixes the problem. There is little to nothing he could have done if his problem was in a piece of software that he runs but doesn't write himself. About the only thing that he could do to speed up development of a patch is pray. Suggesting to users to update their flash players after a flash hack sounds like it should be a valid solution if the problem was in the vast majority of users' outdated flash players.
  • by F_Scentura ( 250214 ) on Thursday July 20, 2006 @12:22PM (#15750614)
    "In your case, the problem wasn't with the Dilbert website, and in the parent article, it wasn't a problem with myspace, either.

    The problem is with the ad-serving companies that these websites use."

    The Dilbert website serves ads from these companies, therefore the problem's resolution is ultimately the responsibility of the Dilbert website.

    I don't blame the ad-servers just as I don't blame wild animals for mauling tourists. It's in their nature ;)
