Tuesday, July 25, 2006

Online ads are dangerous even on popular sites like MySpace!

An online banner advertisement that ran on MySpace.com and other sites over the past week used a Windows security flaw to infect more than a million users with spyware when people merely browsed the sites with unpatched versions of Windows. The attack was spotted while browsing MySpace on a Linux-based machine: when somebody browsed a page headed with an ad for DeckOutYourDeck.com, the browser asked whether you wanted to open a file called exp.wmf. Microsoft released a patch in January to fix a serious security flaw in the way Windows renders WMF (Windows Metafile) images, and online criminal groups have been using the flaw to install adware, keystroke loggers and all manner of invasive software for the past seven months.

Internet Explorer users who visited a Web page containing this ad and whose IE was not equipped with the WMF patch would not get that warning. Rather, their machines would silently download a Trojan horse program that installs junk software in the family of adware. This stuff bombards the user with pop-up ads and tracks their Web usage. Using software that captures and analyzes Web traffic, we found that the installation program contacted a Russian-language Web server in Turkey that tracks how many times the program was installed, presumably because most of this adware is installed by third parties who get paid for each installation. The data there indicate that the adware was installed on over 1 million computers. Other ads trying to serve up adware were also spotted on Webshots.com, a popular photo-sharing site.

It's not clear when this particular campaign started, but an anonymous user at the invaluable CastleCops security forum posted information about a similar attack spotted on MySpace on July 12. Users at this online gaming forum apparently spotted the same WMF exploit being served via the DeckOutYourDeck ad as early as July 8.
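The attack above hinged on an ad network handing a WMF file to an unpatched renderer. As an added example (not code from the original post or from any of the parties named), the following Python script walks a WMF file's record list and flags the SETABORTPROC escape record, the construct the January patch addressed; a banner image has no legitimate reason to carry one, so a proxy or gateway can block or log such files before they reach a browser. The sample files, including the flagged one with a zero-filled data field, are constructed here for the demonstration.

```python
import struct

# Windows Metafile constants: record function codes and the placeable header magic
META_EOF = 0x0000
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009   # escape sub-function targeted by the 2006 WMF exploits
PLACEABLE_KEY = 0x9AC6CDD7  # Aldus placeable header magic; that header is 22 bytes long


def wmf_escape_records(data: bytes) -> list:
    """Walk a WMF file's records and return (offset, escape_function) for every
    META_ESCAPE record. Raises ValueError if the data is not a WMF file."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                  # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    file_type, header_words, _version = struct.unpack_from("<HHH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF standard header")
    off += header_words * 2
    found = []
    while off + 6 <= len(data):                   # record = DWORD size (in words) + WORD function
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF or size_words < 3:    # EOF or a size too small to be valid
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            found.append((off, struct.unpack_from("<H", data, off + 6)[0]))
        off += size_words * 2
    return found


def is_suspicious_wmf(data: bytes) -> bool:
    """True when the file carries a SETABORTPROC escape record."""
    return any(esc == ESC_SETABORTPROC for _, esc in wmf_escape_records(data))


def _build_wmf(records: list) -> bytes:
    """Constructed fixture: 18-byte standard header + records + EOF record."""
    body = b"".join(records) + struct.pack("<IH", 3, META_EOF)
    max_record = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record, 0)
    return header + body


# Constructed samples: a benign one-record image (META_SETBKCOLOR) and one carrying a
# SETABORTPROC escape with a zero-filled 4-byte data field (a structural fixture only).
BENIGN_WMF = _build_wmf([struct.pack("<IHI", 5, 0x0201, 0x00FFFFFF)])
ESCAPE_WMF = _build_wmf([struct.pack("<IHHH", 7, META_ESCAPE, ESC_SETABORTPROC, 4) + b"\0" * 4])
```

Run `is_suspicious_wmf()` over whatever a proxy or ad-scanning job fetches; the parser tolerates both the bare standard header and the placeable-header variant.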
A WHOIS database search for Deckoutyourdeck.com listed a fax machine as a contact phone number, but also contained an e-mail contact at RedTurtleInvestments.com. A WHOIS search on that domain turned up an address at Springfusion.com, which appears to be a fairly new online-affiliate marketing company. Springfusion.com is registered to a guy in Seattle, who replied that he was not connected with any of the sites I looked up. What is clear from this attack is that there are plenty of people who still haven't installed this security update from Microsoft. It's also fairly obvious that online criminals are targeting high-traffic Web sites. Again, examples of what I call targeted attacks. And that was the case during my holiday period. But I'm back! ;-)

Monday, July 10, 2006

Drome: the biggest LAN event in the Benelux.

This weekend my son played at Drome in Hengelo. With 1600 players it was the biggest event of the year. My son is the Battlefield 2 manager of the well-known Knights* clan (www.ks-gaming.com). This was their first LAN event. They played 2 leagues, 8 on 8 Conquest and 4 on 4 Infantry. Results: 3rd place 8 on 8 Conquest and 1st place 4 on 4 Infantry.... Not bad at all... and they are now officially one of the best clans in the Benelux. Nice to know as well is that the organizers advised everybody to use 'updated' AV-scanners before entering the party! My son reported to me that some of the people over there got some problems with some viruses. BigSkizil (my son Frank) is in the middle of this picture. Of course he didn't get any problems, as he always plays with his on-access scanner enabled!

Thursday, July 06, 2006

Holidays and vacation time...

At last, I switched on my 3-week out-of-office... however, I'm still reachable and I'm following everything that moves on the malware front, but I'm also resting, gardening, and out to 'DROME' (my son is a top gamer; look at www.drome.nl).... In the meantime several anti-virus companies reached the top of 200,000 malware samples in their database. When will it stop? Will we see nothing during the holidays? I doubt it.