Sometimes it isn’t malvertizing…
I’m still keeping an eye on the Farm Town forums, now that they’ve caught my eye because of the malvertizing incident and the amazing 30+ page complaint thread on their forums (all of the old posts were deleted from that thread on or close to the 20th of April, btw).
Anyway, the complaint seen in the screenshot below is one of the few posts that remain in the thread, and I’ve been watching to see what sort of advice is proffered.
One thing immediately jumps out at you, doesn’t it, and makes you suspect that the problem is *NOT* a bad advertisement, but rather a virus alert triggered by content from the Farm Town application itself:
The alert was triggered by “poppy.swf”
The Farm Town application uses a “poppy.swf” as well as myriad other SWF files to display various farm assets:
Ok, so what about “bloodhound.exploit.52” – what is that?
“Bloodhound.Exploit.52 is a heuristic detection for the Flash Player 7 Improper Memory Access Vulnerability.
An attacker who exploits this vulnerability could perform a denial-of-service, or potentially execute arbitrary code with the privileges of the logged-on user. The exploit is triggered by viewing a specially crafted Macromedia Flash file. This is usually hosted on a web page.”
In short, assuming the server at cdn.slashkey.com has not been hacked, and assuming that the “poppy.swf” being served by cdn.slashkey.com has not been replaced with a fake one that tries to take advantage of the Flash vulnerability, then I think we can safely assume that the virus alert was a false positive. Certainly, the fact that the SWF detected is named “poppy.swf” makes it extremely unlikely that the alert was being triggered by any advertisement that was being displayed. (The fact that there is a  appended to the name of the SWF simply means that there was already a SWF named poppy.swf on the computer in question, so the new copy was downloaded and saved under a renamed duplicate.)
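The reasoning above (the flagged file carries the application's own asset name, the browser's duplicate-download suffix explains the renamed copy, and the verdict still hinges on whether the served file is the genuine asset) can be turned into a small triage check. The following is an added example, not code from the original post or from the Farm Town / Slashkey side; the alert line format, the asset manifest, its SHA-256 value and the stand-in SWF bytes are all constructed here for illustration.

```python
import hashlib
import re
import struct

# Constructed sample AV alert line. The detection name and file name come from
# the post; the surrounding "Risk: ... | File: ... | Action: ..." layout is assumed.
SAMPLE_ALERT = (
    "Risk: Bloodhound.Exploit.52 | "
    "File: C:\\Users\\sandy\\Downloads\\poppy (1).swf | Action: Quarantined"
)

# Stand-in for the served asset: a minimal uncompressed SWF header ("FWS",
# format version 7, little-endian total length) followed by filler bytes.
# This is a constructed placeholder, not the real poppy.swf.
_BODY = b"\x00" * 12
SAMPLE_SWF = b"FWS" + bytes([7]) + struct.pack("<I", 8 + len(_BODY)) + _BODY

# Hypothetical known-good manifest: asset name -> SHA-256 of the bytes the CDN
# is expected to serve. In practice this would be published by the vendor or
# recorded from a trusted fetch; here it is derived from the stand-in above.
MANIFEST = {"poppy.swf": hashlib.sha256(SAMPLE_SWF).hexdigest()}

_ALERT_RE = re.compile(r"Risk:\s*(?P<detection>\S+)\s*\|\s*File:\s*(?P<path>.+?)\s*\|")
_DUP_SUFFIX_RE = re.compile(r" \(\d+\)(?=\.[^.]+$)")


def parse_alert(line):
    """Pull the detection name and quarantined path out of an alert line."""
    m = _ALERT_RE.search(line)
    if not m:
        return None
    return {"detection": m.group("detection"), "path": m.group("path")}


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def normalize_filename(name):
    """Strip the ' (N)' suffix browsers add when a same-named download exists."""
    return _DUP_SUFFIX_RE.sub("", name)


def swf_header(data):
    """Return (signature, version, declared_length) for a SWF, or None if not one."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS", b"ZWS"):
        return None
    version = data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    return (data[:3].decode("ascii"), version, declared_len)


def triage(alert_line, file_bytes, manifest):
    """Classify an alert: the name alone only narrows it; the hash decides."""
    alert = parse_alert(alert_line)
    if alert is None:
        return "unparsed"
    if swf_header(file_bytes) is None:
        return "not-swf"
    name = normalize_filename(basename(alert["path"]))
    if name not in manifest:
        # Name matches nothing the application ships: could be ad content.
        return "unknown-asset"
    if hashlib.sha256(file_bytes).hexdigest() != manifest[name]:
        # Same name as a legitimate asset but different bytes: treat as
        # a possible substituted file, not a false positive.
        return "hash-mismatch"
    return "likely-false-positive"


if __name__ == "__main__":
    print(parse_alert(SAMPLE_ALERT))
    print(swf_header(SAMPLE_SWF))
    print(triage(SAMPLE_ALERT, SAMPLE_SWF, MANIFEST))
```

The point of the last function is that the file name on its own only rules out the advertisement theory; "likely-false-positive" is returned only when the quarantined bytes also match the hash the application is expected to serve, which is exactly the "assuming poppy.swf has not been replaced" caveat made explicit.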
Anyway, SillySandy hasn’t logged in at the Farm Town forums since she posted her last message so I think we can assume that she has abandoned the topic. And it is probably not worth posting to the thread in question to submit my theory on the incident because my last few posts to that thread were moderated, and were not allowed to go live AND my forum account was locked down so much I couldn’t even edit my own profile details, or view anybody else’s public profile. Not only that, a couple of posts by other people were deleted before a moderator went ahead and got rid of the whole lot (as evidenced by the “Reply to Thread” emails that I received that quoted messages that were no longer there by the time I went to review the thread). I haven’t received any correspondence to tell me why my posts were not allowed to go live, or to tell me that my profile had been locked down, or why, or if/when the moderation would be lifted. All in all, the place is a little too revisionist for my tastes.
The only public response to SillySandy has been:
Further info from SillySandy: