There is no magic fairy dust protecting Macs - Dai Zovi, security researcher and co-author of The Mac Hacker's Handbook.
hardwaregeeks.com blocked by Haute Secure
You know -- it'd be great if haute secure actually posted the behavior that caused the ban.
-Mike
Moderator note: post edited to remove live links.
(Mike, you can get a copy of an ethereal capture either by messaging me privately on the HS forums, or by emailing Sandi. I sent her a copy when we became aware of this post.)
According to Haute Secure’s current blocking policy, if navigating to a URL causes an infection without further user interaction, then that URL will be blocked. The Hardware Geeks site results in an infection due to malicious advertisements served as a result of navigating to the URL below.
The specific Hardware Geeks URL in question is:
http : / / www . hardwaregeeks . com/comments.php?catid=4&id=3046
This URL will still (as of 15-July) result in an infection on an unpatched system. Relevant bits:
1. Initial request to Hardware Geeks:
GET /comments.php?catid=4&id=3046 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Host: www.hardwaregeeks.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 16 Jul 2007 00:05:59 GMT
Server: Apache/2.0.51 (Fedora)
X-Powered-By: PHP/4.4.2
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 16 Jul 2007 00:05:59GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: theme_4=5; expires=Tue, 15 Jul 2008 00:05:59 GMT; path=/; domain=.hardwaregeeks.com
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
2. Response contains the following IFRAME:
<iframe id='a8bb3077' name='a8bb3077' src='www.geekadverts.com/.../adframe.php' framespacing='0' frameborder='no' scrolling='no' width='728' height='90'><a href='www.geekadverts.com/.../adclick.php' target='_blank'><img src='www.geekadverts.com/.../adview.php' border='0' alt=''></a></iframe>
3. That IFRAME retrieves content from http: / / ad.ad-flow.com / st?ad_type=iframe&ad_size=728x90&section=15849
4. Returned content pulls more content from http: / / ad.yieldmanager.com / iframe3?KbIAAOk9AAAkXQYAl0gCAAIAAAAAAP8AAAABEQAABgN9VgAA8loAAL-dAwAAAAAAAAAAAAAAAAAAAAAAAAAAAGZmZmZmZsY.ZmZmZmZmxj9mZmZmZmbWP2ZmZmZmZtY.AAAAAAAA4D8AAAAAAADgPwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAmUGuP1GX4wItWGMASKf8D.YhR2H-YTmtaXWaLQAAAAA=,,www.geekadverts.com/.../adframe.php
5. Returned content pulls more content from http: / / mod.adsview.net / adserve/view/7483-265214909-9010/
6. Mod.adsview.net returns a 302, pointing at http: / / 80.93.48.74 /oiewupqoidasqw/
7. Host 80.93.48.74 eventually serves the exploit code + malware.
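The hop sequence in steps 1-7, walked automatically over a constructed capture, as an added example that is not part of the post or of Haute Secure's tooling: it follows iframe embeds and 302 redirects and flags the hop where an ad-network redirect lands on a bare IP host. The record layout, the shortened paths and bodies, and the helper names are assumptions.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the hop sequence described in the post
# (paths and bodies shortened; not a real packet capture). Assumed layout:
# one dict per HTTP exchange, keyed by the URL that was requested.
CAPTURE = {
    "http://www.hardwaregeeks.com/comments.php?catid=4&id=3046": {"status": 200,
        "body": "<html><iframe src='http://www.geekadverts.com/adframe.php'></iframe></html>"},
    "http://www.geekadverts.com/adframe.php": {"status": 200,
        "body": "<iframe src='http://ad.ad-flow.com/st?size=728x90'></iframe>"},
    "http://ad.ad-flow.com/st?size=728x90": {"status": 200,
        "body": "<iframe src='http://ad.yieldmanager.com/iframe3?BLOB'></iframe>"},
    "http://ad.yieldmanager.com/iframe3?BLOB": {"status": 200,
        "body": "<iframe src='http://mod.adsview.net/adserve/view/7483/'></iframe>"},
    "http://mod.adsview.net/adserve/view/7483/": {"status": 302,
        "location": "http://80.93.48.74/oiewupqoidasqw/"},
    "http://80.93.48.74/oiewupqoidasqw/": {"status": 200, "body": "<html>...</html>"},
}

class IframeSources(HTMLParser):
    """Collect the src attribute of every <iframe> in a response body."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe" and dict(attrs).get("src"):
            self.sources.append(dict(attrs)["src"])

def follow_chain(capture, start):
    """Walk iframe embeds and 3xx redirects from `start`; return the ordered
    list of (hostname, how-reached) hops. Stops at a URL not in the capture."""
    chain, seen, url, how = [], set(), start, "initial"
    while url in capture and url not in seen:
        seen.add(url)
        rec = capture[url]
        chain.append((urlsplit(url).hostname, how))
        if 300 <= rec["status"] < 400 and rec.get("location"):
            url, how = rec["location"], "redirect"
        else:
            parser = IframeSources()
            parser.feed(rec.get("body", ""))
            if not parser.sources:
                break
            url, how = parser.sources[0], "iframe"
    return chain

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def flag_chain(chain):
    """Hosts reached by a redirect, away from the page's own host, whose
    name is a bare IP literal: the shape of the final hop in the post."""
    first = chain[0][0]
    return [h for h, how in chain if how == "redirect" and h != first and is_ip_literal(h)]
```

Running it on the sample yields the six-host chain from the post and flags only 80.93.48.74, so the same walk over a real capture shows which hop a block decision rests on.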
I suspect that it is your banner advertisement that is triggering the block. Flash banner advertisements have become notorious for being used as a conduit to infect systems with malware - look at the outbreak that affected the Windows Live Messenger contact pane banner ad as a high-profile example.