"There is no magic fairy dust protecting Macs" - Dai Zovi, security researcher and co-author of The Mac Hacker's Handbook.
"The Biblical wisdom “pride comes before a fall” needs to be foremost in the minds of security professionals. There are several aspects to this truth, but it starts with believing it is true. For one, the bad guys are always getting better and trying to get in. They are working harder than ever to defeat whatever you are doing to protect your enterprise. This knowledge alone will change your perspective on your job and when you are “done”. What worked today may not work tomorrow. In this light, be careful about the promises you make to others regarding security and the protections you are deploying." - Dan Lohrmann
Spyware Sucks is accepting donations, with thanks.
Edited to fix title...
Hi Sandi--
I just came across this on your site, and I wanted to possibly provide more information on this. We were just hit with a malicious E*TRADE campaign. They were running a set of swfs just fine since 8/13, but on 8/21 they sent a new 250x250 swf unit to replace the ad that was running, and it was during this week that we started getting reports from users being hit with fake virus scans. I placed the 250x250 on the following test page for review:
www.usatoday.com/.../life-front_0508.htm
We also reviewed the SWF, and found the same batch of coding we discovered in the 4CETERA (ebooks) campaign, the first Malware campaign we were ever hit with:
    if (!btn)
    {
        // define an empty class on _global and take its prototype
        var _reg1 = (_global.gtn = function () {}).prototype;
        // the class's only method: set the ad's click-through window target on the root timeline
        _reg1.main = function (mc)
        {
            _root.clickTarget = "_blank";
        };
        // flag 1 = hidden: keeps the prototype's members out of for..in enumeration
        ASSetPropFlags(_reg1, null, 1);
    }
I'm not sure exactly what that ActionScript is calling for, but it is a perfect match to the coding in our other batch of malware, so I think it's our 'smoking gun'.
The campaign was sent to us from Olympicmedia.net. A quick WHOIS shows www.who.is/.../olympicmedia.net
The red flags are that the IP location is the Netherlands, but the agency is in Ontario. The domain was also created on 6/12/08. All suspicious information, but we had our IT team monitoring the ad on the test page on outside internet connections and no one was able to get the virus pop-up. We suspended the campaign anyway, and I wanted to give you a heads up so you could investigate and warn the community.
If you'd like me to send you the swf, or any additional information, please let me know.
Thank you!
Heather
hzeman@usatoday.com
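The script fragment Heather quotes is what a decompiler shows; what an ad-ops or security team can do before a creative ever reaches a page is pull the string literals and click-through URLs straight out of the SWF tag stream and look for the same tells (ASSetPropFlags, clickTarget, _blank, eval, loadMovie). The Python below is an added example written for this page, not code from the email, the blog, or USA Today. It parses the SWF header and tag records, walks DoAction and DoInitAction blocks (including those nested in DefineSprite), and decodes ConstantPool, Push and GetURL actions. The SWF it scans is constructed inline (a 250x250 FWS with a constant pool, a GetURL to _blank and a nested sprite script), not the E*TRADE creative, and the SUSPICIOUS keyword list is an assumption, a triage heuristic rather than a vetted signature.

```python
import struct
import zlib

TAG_END, TAG_DO_ACTION, TAG_DEFINE_SPRITE, TAG_DO_INIT_ACTION = 0, 12, 39, 59  # SWF tag codes
ACT_GET_URL, ACT_CONSTANT_POOL, ACT_PUSH = 0x83, 0x88, 0x96  # AVM1 action codes
PUSH_SIZES = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}  # byte size of non-string push types
SUSPICIOUS = ("ASSetPropFlags", "clickTarget", "_blank", "eval", "loadMovie", "getURL")  # assumed triage list

def _cstr(buf, pos):
    """Read a NUL-terminated string; return (text, position after the NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1

def _tags(data, pos, end):
    """Yield (code, body) for each tag record in data[pos:end], stopping at the End tag."""
    while pos + 2 <= end:
        head = struct.unpack_from("<H", data, pos)[0]
        code, length, pos = head >> 6, head & 0x3F, pos + 2
        if length == 0x3F:  # long form: a u32 length follows the header
            length, pos = struct.unpack_from("<I", data, pos)[0], pos + 4
        yield code, data[pos:pos + length]
        pos += length
        if code == TAG_END:
            break

def action_strings(actions):
    """Walk an AVM1 action list; return (string literals, [(url, target), ...])."""
    strings, urls, pos = [], [], 0
    while pos < len(actions) and actions[pos] != 0:  # 0 = ActionEnd
        code, pos = actions[pos], pos + 1
        if code < 0x80:  # actions below 0x80 carry no payload
            continue
        length = struct.unpack_from("<H", actions, pos)[0]
        payload, pos = actions[pos + 2:pos + 2 + length], pos + 2 + length
        if code == ACT_CONSTANT_POOL:  # u16 count, then NUL-terminated strings
            count, p = struct.unpack_from("<H", payload, 0)[0], 2
            for _ in range(count):
                s, p = _cstr(payload, p)
                strings.append(s)
        elif code == ACT_PUSH:  # sequence of (type byte, value) records; type 0 is an inline string
            p = 0
            while p < len(payload) and (payload[p] == 0 or payload[p] in PUSH_SIZES):
                if payload[p] == 0:
                    s, p = _cstr(payload, p + 1)
                    strings.append(s)
                else:
                    p += 1 + PUSH_SIZES[payload[p]]
        elif code == ACT_GET_URL:  # url string, then window target string
            url, p = _cstr(payload, 0)
            urls.append((url, _cstr(payload, p)[0]))
    return strings, urls

def scan_swf(blob):
    """Parse an FWS/CWS file and collect strings and URLs from every action block in it."""
    if blob[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not a SWF")
    body = zlib.decompress(blob[8:]) if blob[:3] == b"CWS" else blob[8:]
    nbits = body[0] >> 3  # RECT header: 5-bit field width, then four fields of that width
    pos = (5 + 4 * nbits + 7) // 8 + 4  # skip RECT, frame rate (u16) and frame count (u16)
    strings, urls = [], []

    def walk(data, start, end):
        for code, tag in _tags(data, start, end):
            if code == TAG_DEFINE_SPRITE:  # u16 sprite id, u16 frame count, then nested tags
                walk(tag, 4, len(tag))
            elif code in (TAG_DO_ACTION, TAG_DO_INIT_ACTION):  # DoInitAction has a u16 sprite id first
                s, u = action_strings(tag[2:] if code == TAG_DO_INIT_ACTION else tag)
                strings.extend(s)
                urls.extend(u)

    walk(body, pos, len(body))
    hits = sorted({s for s in strings if any(k.lower() in s.lower() for k in SUSPICIOUS)})
    return {"version": blob[3], "strings": strings, "urls": urls, "suspicious": hits}

def _tag(code, body):
    head = struct.pack("<H", (code << 6) | min(len(body), 0x3F))
    return head + (struct.pack("<I", len(body)) if len(body) >= 0x3F else b"") + body

def _action(code, payload):
    return bytes([code]) + struct.pack("<H", len(payload)) + payload

def build_sample_swf():
    """Constructed input, not the E*TRADE creative: a 250x250 FWS with a scripted frame and a nested sprite."""
    pool = b"".join(s + b"\x00" for s in (b"_root", b"clickTarget", b"_blank", b"ASSetPropFlags"))
    frame_script = (_action(ACT_CONSTANT_POOL, struct.pack("<H", 4) + pool)
                    + _action(ACT_GET_URL, b"http://example.invalid/landing\x00_blank\x00")
                    + _action(ACT_PUSH, b"\x00scanner\x00\x07" + struct.pack("<i", 1)) + b"\x00")
    sprite_script = _action(ACT_CONSTANT_POOL, struct.pack("<H", 1) + b"eval\x00") + b"\x00"
    sprite = struct.pack("<HH", 1, 1) + _tag(TAG_DO_ACTION, sprite_script) + _tag(TAG_END, b"")
    tags = _tag(TAG_DO_ACTION, frame_script) + _tag(TAG_DEFINE_SPRITE, sprite) + _tag(1, b"") + _tag(TAG_END, b"")
    bits = "01111" + "".join(f"{v:015b}" for v in (0, 5000, 0, 5000))  # RECT with 15-bit fields, in twips
    rect = int(bits + "0" * (-len(bits) % 8), 2).to_bytes(9, "big")
    movie = rect + struct.pack("<HH", 24 << 8, 1) + tags  # 24 fps as 8.8 fixed point, one frame
    return b"FWS" + bytes([8]) + struct.pack("<I", 8 + len(movie)) + movie

def to_cws(blob):
    """Re-wrap an uncompressed SWF as CWS (zlib-compressed body) so that path can be exercised too."""
    return b"CWS" + blob[3:8] + zlib.compress(blob[8:])
```

On a real creative, scan_swf(open(path, "rb").read()) gives the report; the suspicious list is a reason to look closer, not a verdict, because legitimate ad templates also touch clickTarget and _blank, and an obfuscated SWF can assemble its strings at runtime so that nothing readable sits in the constant pool. The walker only understands AVM1 (AS1/AS2); an AS3 creative keeps its code in DoABC tags (code 82), which this example does not decode.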