Posted on 08/23/2008 7:25:48 PM PDT by Swordmaker
Infected Web ads are poisoning Mac and Windows users' clipboards with URLs, researchers said Tuesday, in a "very cunning" attack designed to trick people into visiting sites touting bogus security software.
Flash-based ads that have been infected with malicious script and somehow inserted into the Web advertising ecosystem are planting the URLs into clipboards on both Macs and PCs running Windows, said Graham Cluley, a senior technology consultant with U.K.-based Sophos.
"We do think that Flash is the technology being abused," said Cluley, "because it does have a facility to put content into people's clipboards." The most likely method, another Sophos researcher said earlier Tuesday, is the "setClipboard" Flash command.
Users have reported seeing their clipboards repeatedly stuffed with strange URLs after visiting legitimate Web sites, said Cluley, which led him to believe that the source of the clipboard poisoning was infected ads. "The attackers have somehow managed to insert malicious adverts into the system," added Cluley. "That's not unusual."
With the malicious URL embedded in the clipboard, the next step is up to the user. When the contents of the clipboard are pasted into, say, the address bar of a browser, the user can be taken to the malware distribution Web site.
"People are pasting links all the time," said Cluley. "If you're in an instant message conversation with someone, and they say, 'Here's that link I was talking about,' you're more likely to believe it's legitimate. It's very cunning."
Users on several forums, including one of Apple's support forums, have reported the clipboard poisoning.
"When I say 'taking over my clipboard' I mean it appears on my clipboard and can't be removed," explained Andrew Sinclair on a Leopard support thread. "Whenever I paste, that's what gets pasted. If I copy something else and then paste, whatever I copied isn't actually copied and that string is what gets pasted."
Chris Thornton, the creator of ClipMate, a Windows clipboard add-on, also ran across the trick.
"This spreads their URL," he observed in a post to the ClipMate support forum. "If someone replies to an e-mail, they paste from the clipboard, and get the URL. Maybe they catch it, maybe not. Likewise with blog posts, guestbooks, comments, Facebook, etc. They're hoping that when you paste, you paste their crap, and it gets through."
Thornton said his clipboard had been hit after visiting the Web site of the MSNBC cable news channel.
The URLs, said Cluley, all lead to sites pitching phony security software. So-called "rogue" security programs either make bogus claims that the user's machine is infected with malware in an attempt to dupe people into buying the software, or in some cases, download malware rather than real antivirus software.
Users can flush the clipboard by shutting down the browser, or in some cases, by closing the browser tab with the infected Flash ad.
"Companies should also run some kind of Web filtering solution," recommended Cluley, "to block the pages that are putting out these fake security programs."
Macs running OS X and browsing with Safari under OS X are not affected.
Great catch! ;-)
This, apparently, is a Windows vulnerability. Mac users that run Windows XP or VISTA, in either virtualization through Parallels or VMWare's Fusion, or through Boot Camp, AND use Windows for browsing (It is much safer to browse in OS X), can get their Windows' Clipboards taken over by this exploit. Although this report has appeared in at least three on-line publications, Sophos has no article citing the problem on their website.
Still, a warning is appropriate. PING!
If you want on or off the Mac Ping List, Freepmail me.
Dammit. I was hoping to rub this in the faces of you Mac users.
Oh well. Someday, someday...
I have been trying to find anything that shows this actually does affect OS X Macs. There is some logic that it might, being a Flash script exploit. Sorry, I could not find anything.
Maybe next time...
Computer viruses are spread behaviorally. Just say NO to Windows!
I was able to get the test website to load into clipboard while browsing in safari under OSX 10.5.4 on my macbook pro. It also affected 3 versions of firefox running in OSX, Linux (FC6), and XP, all with the NoScript plugin. IE6 and IE7 were affected as well.
Only under IE was it able to use the clipboard to load the “evil” url. So it’s not as effective on Linux/OS X but it can get part of the way there.
Where is this "test website?" I can't seem to find it. Got a link?
Pwning the clipboard - latest trick used in FakeAlert distribution
There are certain notorious threats for which the mere mention of their name can make malware analysts groan - Zlob, Pushdo, Dorf (aka Storm) to name but a few. Just recently, a new class of malware is starting to have that same effect - we are seeing an abundance of fake alert trojans. This is malware designed to scam the victim into paying money to remove non-existent threats [1,2].
If the professional looking sites that are being used to distribute this fake alert malware are anything to go by, the criminals behind it are very organized. They are making significant efforts to evade detection and filtering - using polymorphic packing techniques and hosting the content on numerous domains.
They are using aggressive techniques to infect victims as well - for example large spam campaigns and compromised web sites. At the end of last week another interesting technique was discovered - they were clobbering the contents of the user clipboard with the URL of their distribution site. Numerous postings to various forums reported similar issues, for example [3]:
I'm going crazy here. Any time I copy a url by selecting it, then pressing ctrl+c, the next time I paste something it comes up with this link: http://[removed].net /?id= (link intentionally broken) Probably spam/virus link I wouldn't click on it. For instance, I copy http://www.google.com onto windows clipboard and what I paste is the former url. I had this happen a week ago, so I scanned my drives with AVG (found nothing). So, I reformatted my harddrive and reinstalled windows. Now, a week later, it's doing it again. Does anyone have _any_ idea what this is coming from?
So, the attackers are overwriting the victim clipboard in the hope that the victim subsequently pastes the URL somewhere that may result in traffic to their site. Not that unlikely, users frequently copy and paste links to each other via email, IM, or comment postings.
A nasty little trick - but is it anything new? No, techniques to automatically copy data to the system clipboard using common scripting languages (Javascript and ActionScript) are well known.
The fact that victims report experiencing these issues after browsing legitimate, popular sites, suggests that malicious Flash is the culprit. The attackers are probably using the setClipboard() method [4] within ActionScript embedded in Flash content. Maybe the attackers have poisoned some ad-stream as a way of hitting large volumes of users?
At the time of writing, I am aware of the victim clipboard getting overwritten with either of two URLs. In each case browsing to the URL will result in the fake system scan running on the victim machine, very similar to that reported here.
I guess we should be glad the Adobe folks were wise enough to not provide the corresponding getClipboard() method!
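As an added illustration (not part of the original thread or the quoted blog post), here is one way a defender reviewing ad creatives could triage a Flash file for the setClipboard() behaviour described above. The function names and the sample bytes are hypothetical and constructed for this example; a hit is only a lead for manual review, since legitimate "copy to clipboard" buttons reference the same method.

```python
import re
import struct
import zlib

# Printable ASCII run after the scheme; stops at the NUL that ends SWF strings.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

def swf_body(data):
    """Return the SWF content after the 8-byte header, inflating CWS files."""
    if len(data) < 8:
        raise ValueError("too short to be an SWF file")
    sig = data[:3]
    if sig == b"FWS":                      # uncompressed movie
        return data[8:]
    if sig == b"CWS":                      # zlib-compressed after the header
        return zlib.decompress(data[8:])
    raise ValueError("unsupported or non-SWF signature: %r" % sig)

def triage_swf(data):
    """Report whether the movie names setClipboard and which URLs it embeds."""
    body = swf_body(data)
    urls = sorted({m.group().decode("ascii") for m in URL_RE.finditer(body)})
    uses_clip = b"setClipboard" in body    # method name sits in the string pool
    return {
        "version": data[3],
        "declared_length": struct.unpack("<I", data[4:8])[0],
        "uses_setClipboard": uses_clip,
        "urls": urls,
        "review": uses_clip and bool(urls),  # clipboard write plus a literal URL
    }

def make_sample(compressed, strings):
    """Constructed input: SWF header plus NUL-terminated strings, not a real movie."""
    body = b"".join(s + b"\x00" for s in strings)
    sig = b"CWS" if compressed else b"FWS"
    header = sig + bytes([9]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)

if __name__ == "__main__":
    # Constructed sample using a reserved .invalid hostname.
    ad = make_sample(True, [b"System", b"setClipboard",
                            b"http://ads.example.invalid/?id=1"])
    print(triage_swf(ad))
```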
The clipboard hijack exploit DOES INDEED work on an OSX Mac with Safari!
Security researcher Aviv Raff has created a proof-of-concept demo to show how easy it is to use Flash with ActionScript code to load (persistently) a malicious URL into a target clipboard. (BEWARE: If you click on the demo link, your clipboard is automatically hijacked and will only be released if the browser window is closed).
For those of you who want to try it, the link to the demo page is below:
I have found, however, that with a Mac, simply navigating away from the offending hijacking website will end the attack. There is no need to close the browser window.
NoScript will not block flash script exploits. The best security combo for Firefox is AdblockPlus+NoScript+FlashBlock. And if you are really surf paranoid, get ImgLikeOpera extension for FF too, it lets you block all graphics (to avoid rare GIF exploits).
After further research... it's not FUD.
It affects both Macs and Windows, apparently anything that runs FLASH that has a clipboard.
You can start rubbing...
Not so great. I was wrong. It does impact Macs!
I’ve been dealing with this!! It’s terrible!
thanks for posting
this seems to be what is wrong with my puter the last two days......anybody with computer knowledge know how to get rid of this virus?......I do have Norton and I thought I had McAfee.....thx in advance..
Ok, I feel like an idiot, but what is Windows clipboard?
Don't feel like an idiot. The only stupid questions are the ones that go unasked.
It's a temporary file where anything you cut or copy is kept until you paste it somewhere or until you cut or copy something else.
The exploit here is that a FLASH presentation (Frequently used to put moving advertisements on websites) uses a command to place a malicious URL (web address) into the clipboard in hopes that the victim will then paste it into a browser and wind up at a malicious website.
Macs also use a clipboard file for the same purpose.
Yep, it works, Firefox 3 on Leopard, and it keeps the info in the clipboard.
OTOH, woohoo, it put a text link into my clipboard. I must say I am far less than impressed. Much self-inflicted idiocy must follow for it to be damaging, or much more work to make this effectively malicious.
Still, we’re inching towards that one inevitable day when OS X will finally get an in-the-wild, effective, propagating virus. Until then I’ll keep enjoying not having three protection programs running, sucking up resources.
Oh no! The only answer is to navigate away or close the browser window?!? ;’)
I hope someday, Flash will just go away. It’s just awful.