Posted on 08/23/2008 7:25:48 PM PDT by Swordmaker
Infected Web ads are poisoning Mac and Windows users' clipboards with URLs, researchers said Tuesday, in a "very cunning" attack designed to trick people into visiting sites touting bogus security software.
Flash-based ads that have been infected with malicious script and somehow inserted into the Web advertising ecosystem are planting the URLs into clipboards on both Macs and PCs running Windows, said Graham Cluley, a senior technology consultant with U.K.-based Sophos.
"We do think that Flash is the technology being abused," said Cluley, "because it does have a facility to put content into people's clipboards." The most likely method, another Sophos researcher said earlier Tuesday, is the "setClipboard" Flash command.
Users have reported seeing their clipboards repeatedly stuffed with strange URLs after visiting legitimate Web sites, said Cluley, which led him to believe that the source of the clipboard poisoning was infected ads. "The attackers have somehow managed to insert malicious adverts into the system," added Cluley. "That's not unusual."
With the malicious URL embedded in the clipboard, the next step is up to the user. When the contents of the clipboard are pasted into, say, the address bar of a browser, the user can be taken to the malware distribution Web site.
"People are pasting links all the time," said Cluley. "If you're in an instant message conversation with someone, and they say, 'Here's that link I was talking about,' you're more likely to believe it's legitimate. It's very cunning."
Users on several forums, including one of Apple 's support forums, have reported the clipboard poisoning .
"When I say 'taking over my clipboard' I mean it appears on my clipboard and can't be removed," explained Andrew Sinclair on a Leopard support thread. "Whenever I paste, that's what gets pasted. If I copy something else and then paste, whatever I copied isn't actually copied and that string is what gets pasted."
Chris Thornton, the creator of ClipMate , a Windows clipboard add-on, also ran across the trick.
"This spreads their URL," he observed in a post to the ClipMate support forum. "If someone replies to an e-mail, they paste from the clipboard, and get the URL. Maybe they catch it, maybe not. Likewise with blog posts, guestbooks, comments, Facebook , etc. They're hoping that when you paste, you paste their crap, and it gets through."
Thornton said his clipboard had been hit after visiting the Web site of the MSNBC cable news channel.
Want to compare security products? Visit the IT Buyer's Guides now. The URLs, said Cluley, all lead to sites pitching phony security software. So-called "rogue" security programs either make bogus claims that the user's machine is infected with malware in an attempt to dupe people into buying the software, or in some cases, downloads malware rather than real antivirus software.
Users can flush the clipboard by shutting down the browser, or in some cases, by closing the browser tab with the infected Flash ad.
"Companies should also run some kind of Web filtering solution," recommended Cluley, "to block the pages that are putting out these fake security programs."
I did not know that. Thanks for the info.
Yeah, I just tried it with several browsers on my Mac G5 quad OSX 10.4, the clipboard was captured and kept pasting “evil.com” (Hillary’s website??) into everything.
It flushed the clipboard when I closed the window.
Ed
There is a solution to the problem: Look at the url you paste in the address box before you hit ENTER.
Wrong. Flash is good. Now PDF files...
That's just sloppy writing. The vulnerability is in Flash, which has the ability to access the clipboard on both operating systems (and Linux, too).
If you have a Photobucket account, you've probably used the Direct Link facility they put below each image. Click it, and it copies the picture URL to the clipboard. If you examine the underlying code, you will find it uses Javascript to access an included .swf, which does the actual copy operation.
I really wish there was a way to send a large EMP into the servers owned by these spammers. I'd like to tase the spammers too for good measure!
Flash needs to be replaced with something open. For crying out loud, Adobe *still* hasn’t released a 64-bit Flash player!
So you're the guy spreading all the Flash malware.
/kidding
Yes, if you open the clipboard viewer (clipbrd.exe) with the site open, you can watch the clipboard being rapidly over written with the infected URL. Navigate away from the site and the clipboard contents stay, but can be overwritten by the user.
I believe I have witnessed the end-result of this very problem. I have received numerous messages on facebook from folks I know, that have a short three or four word message, and a long crazy looking url. While the URLs appear to be different, they all go to the same fake video hosting “page” that if you click ANYWHERE on the page, it downloads an exe file that appears to be a pretty ugly bug.
The friends I have received this from are all pretty good folks who would not intentionally pass on such trash. I suspect they used one of the apps on facebook to send something to all their friends - and the malicious url was put through instead.
Or the problem is completely unrelated - but sure sounds so (notice the reference to facebook in the text).
Of course, as I sit here typing on my iBook, I’m not worried about the .exe file sitting on my desktop.
Anyone want me to send you the file????
Thank you for this tip. I use Firefox and have only run NoScript until I saw this post. I'm amazed at how much faster my ad-heavy homepage loads now. Much appreciated.
Lynx doesn’t seem to suffer from this problem. ;)
No problem, don’t forget to subscribe to filter list for ABP to eliminate 99% of the ad junk out there, I personally prefer Rick’s Easylist.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.