Spyware Sucks

But here is the dirty little secret of browser security: Even if every Internet browser made today were completely bug-free, it wouldn't stop malicious hackers and malware. Why? Because the vast majority of successful malicious exploits today don't exploit buggy browsers, but rather unwitting end-users. That is, Web-based malware is successful because end-users are intentionally installing it! Most exploit code doesn't search for an unpatched vulnerability, but simply asks the user to install. - Roger Grimes, Infoworld

"There is no magic fairy dust protecting Macs" - Dai Zovi, security researcher and co-author of The Mac Hacker's Handbook.

Malicious advertisement on MySpace.com

Sadly, the criminals behind the malicious Flash banner advertisements have been using "How2Vacation" creatives for a long time - in fact, How2Vacation was listed way back on May 2007 by MikeOnAds as a known malicious advertisement.

The challenge that the advertising industry faces is how to share information more effectively. It is frustrating to see incidents such as that which hit MySpace - frustrating because those of us who have been monitoring malicious advertisements recognize potential danger in a heartbeat.

This particular advertisement is, in fact, quite unsophisticated. If we analyse the creative we immediately detect suspicious content. For example, we see that the creative contains the following actionscript:

System.security.allowDomain("*")

Also, we see this:

mysurvey4u.com/statsa.php?campaign=me9ntthe

mysurvey4u.com is a known "shell" web site that uses a nameserver at, you guessed it, securehost.com. Domains sharing name servers and mail servers include:

candid-search.com
loffersearch.com
manage-search.com
roller-search.com
rombic-search.com
se7ensearch.com
search-the-prey.com
searchmandrake.com
searchonline-ease.com
searchvirtuoso.com
simplesamplesearch.com
stratosearch.com
traveltray.com   <-- mentioned on this blog before
treekindsearch.com
wontu-search.com
zooworld-search.com

Its Registrar is YESNIC CO LTD, yet another name that appears far too often in association with malware and fraudware sites.

Ok, so now we know that malicious advertisements featuring "how2vacation" have been around for a while now, and that mysurvey4u.com is highly suspicious, that it has a very bad reputation, and that it is sharing a bed with some bad names. Let's look at what the advertisement actually does.

The URL of the malicious SWF is cache.opt.fimserve.com/contents/61/27/27061/CR_(SeptthroughDec)How2vacation_120x600_V2.swf.

fimserve.com is MySpace (ns1.myspace.com and ns2myspace.com, fimserv.myspace.com)

In the case of this particular campaign, it is coded so that the redirect will *not* trigger under the following conditions:

If the computer is in the following countries - IN, IL, AU, NZ
If the computer is in the following IP ranges - 207.46.0.0-207.46.255.25; 216.178.0.0-216.178.255.25; 216.205.0.0-216.205.255.25

As a point of interest, MySpace uses the following IP addresses - you will note that they fall within the IP ranges listed above:

216.178.39.14, 216.178.38.130, 216.178.39.16, 216.178.39.15, 216.178.39.74, 216.178.39.12, 216.178.39.11, 216.178.39.13, 216.178.38.131, 216.178.38.129

What is the significance of the script system.security.allowdomain("*")

I shall quote Adobe:

"If two SWF files are served from the same domain -- for example, http://mysite.com/movieA.swf and http://mysite.com/movieB.swf -- then movieA.swf can examine and modify variables, objects, properties, methods, and so on in movieB.swf, and movieB.swf can do the same for movieA.swf. This is called cross-movie scripting or simply cross-scripting.

If two SWF files are served from different domains -- for example, http://mysite.com/movieA.swf and http://othersite.com/movieB.swf -- then, by default, Flash Player does not allow movieA.swf to script movieB.swf, nor movieB.swf to script movieA.swf. A SWF file gives SWF files from other domains permission to script it by calling System.security.allowDomain(). This is called cross-domain scripting. By calling System.security.allowDomain("mysite.com"), movieB.swf gives movieA.swf permission to script movieB.swf."

Cross domain scripting can be a "bad thing". Advertising networks should consider very carefully whether they are willing to allow such content into their networks, especially content that uses a wildcard when calling system.security.allowdomain.

The above call, system.security.allowdomain("*"), means that the SWF at CR_(SeptthroughDec)How2vacation_120x600_V2.swf is allowing ANY SWF on ANY DOMAIN to script it.

First of all, MySpace should have been aware that there was a risk involved in hosting this SWF because it features how2vacation.com. Second, even a cursory examination using a service such as adopstools reveals the dangerous script, and the mysurvey4you.com URL. In short, this advertisement should never have made it through security checks.

Published Fri, Feb 22 2008 23:30 by sandi

Filed under: Security, safety and privacy on the Internet, Vulnerabilities, viruses and exploits

Comments

# re: Malicious advertisement on MySpace.com

Friday, February 22, 2008 4:04 PM by Barry

Insane. If you're a third-party plugin author, why would you ever allow scripting to cross from one instance of your plugin to another? Doing so relies on the browser to manage security for you, which, as you've just demonstrated, is completely foolhardy.

# re: Malicious advertisement on MySpace.com

Thursday, May 29, 2008 1:27 PM by yo

i want on myspace but school sucks!!

Spyware Sucks

This Blog

Syndication

Search

Tags

Community

Archives

News

Malicious advertisement on MySpace.com

Comments

# re: Malicious advertisement on MySpace.com

# re: Malicious advertisement on MySpace.com