Mystery web attack hijacks your clipboard

A new web-based attack is making the rounds that tries to spread poisonous links by hijacking end users' clipboards. Forum discussions here, here, here, here and elsewhere all report the same thing: the commenter surfs to a seemingly legitimate site (MSNBC.com comes up more than once) and suddenly a malicious link is copied to …

COMMENTS

This topic is closed for new posts.


Stop

Interesting, but not an OS exploit

"The rogue link remains even after the user copies a new batch of text. The only way to remove it is to reboot the computer."

That the problem can't be resolved by less drastic means, such as logging off, user switching, or killing the offending process seems... unlikely. In fact, according to at least one poster, they solved the problem by killing the firefox process. I suspect that the attack works by running a loop which continuously inserts the malicious link into the copy and paste buffer. This is supported by another poster reporting that they can, in fact, copy and paste another block of text, assuming they do it very very quickly.

If I had more time today, I'd fire up a virtual machine and go looking for a copy of this exploit myself; it looks like it would be fun to dissect.

-Daniel

0
0
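Daniel's hypothesis above (a loop that keeps re-writing the clipboard, which is why a very quick paste still works and why killing the browser process clears it) can be checked from the defender's side with a clipboard viewer log rather than by reverse engineering the page. The following is an added example, not code from the thread or from any poster: it takes clipboard-change events of the kind a clipboard monitor or an OS hook would record (timestamp, writing process id, text), groups them by writer and content, and reports any process that re-writes the same text at a tight interval. The event list, process ids and URL are constructed for the example; the field names are an assumption about what such a monitor would log.

```javascript
// Added example: detect an "overwrite loop" from clipboard-change events.
// Event shape {t: ms since start, pid: writing process, text: clipboard text}
// is assumed; a real clipboard viewer would need to be adapted to produce it.

// Constructed sample events (pids and URL are made up for the example).
const SAMPLE_EVENTS = [
  { t: 0,    pid: 4120, text: 'http://example.invalid/av2009' },
  { t: 200,  pid: 4120, text: 'http://example.invalid/av2009' },
  { t: 400,  pid: 4120, text: 'http://example.invalid/av2009' },
  { t: 450,  pid: 1337, text: 'text the user actually copied' }, // user's Ctrl-C
  { t: 600,  pid: 4120, text: 'http://example.invalid/av2009' },
  { t: 800,  pid: 4120, text: 'http://example.invalid/av2009' },
  { t: 1000, pid: 4120, text: 'http://example.invalid/av2009' },
];

function median(nums) {
  const s = [...nums].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Group events by (pid, text) and flag writers that repeat the same content
// at least minWrites times with a median gap of at most maxIntervalMs.
function findClipboardHijacker(events, { minWrites = 4, maxIntervalMs = 1000 } = {}) {
  const groups = new Map();
  for (const e of events) {
    const key = `${e.pid}\u0000${e.text}`;
    if (!groups.has(key)) groups.set(key, { pid: e.pid, text: e.text, times: [] });
    groups.get(key).times.push(e.t);
  }
  const suspects = [];
  for (const g of groups.values()) {
    if (g.times.length < minWrites) continue;
    const times = [...g.times].sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => t - times[i]);
    const medianGap = median(gaps);
    if (medianGap <= maxIntervalMs) {
      suspects.push({ pid: g.pid, text: g.text, writes: times.length, medianIntervalMs: medianGap });
    }
  }
  // Most prolific writer first; that is the process to kill.
  suspects.sort((a, b) => b.writes - a.writes);
  return suspects;
}

// How long the user's own copy survives before the suspect overwrites it.
// This is the race window behind "you can paste if you do it very quickly".
function pasteWindowMs(events, copyTime, suspectPid) {
  const next = events
    .filter(e => e.pid === suspectPid && e.t > copyTime)
    .map(e => e.t)
    .sort((a, b) => a - b)[0];
  return next === undefined ? Infinity : next - copyTime;
}

if (typeof require !== 'undefined' && require.main === module) {
  const suspects = findClipboardHijacker(SAMPLE_EVENTS);
  console.log(suspects);
  if (suspects.length) {
    console.log('user copy at t=450 survives for',
      pasteWindowMs(SAMPLE_EVENTS, 450, suspects[0].pid), 'ms');
  }
}
```

The thresholds are deliberately loose: a legitimate clipboard manager writes once per user action, so anything writing identical content several times a second with no user input stands out regardless of the exact numbers.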

Daniel is right

...at least, according to the links posted (which I actually read; did the author? ;)). Trouble is, if true this isn't really a bug, it's correct functionality being abused. One for advertising vendors, perhaps, not browser developers.

0
0
Silver badge

Redirects to Google

Playing with a bit of wget and changing the user agent to Firefox/IE, the quoted exploit site appears to just redirect me to Google's home page. Does this mean that someone's already clobbered the target site? Or is it looking for some bit of cleverness that I failed to duplicate? I run NoScript on Firefox so if that's the vector then I'm not likely to find out by accident.

0
0

Seen this

A user came by with a laptop, then later a desktop, where the clipboard wasn't functional and would only paste a similar link yesterday.

A fresh Ad-Aware install + Avast found nothing, rebooted and things were fine. Haven't seen it since.

0
0

MSNBC Breaking News

I've received a lot of spam email today, supposedly from MSNBC Breaking News. Actual return email addresses vary.

Is this how the virus/trojan/malware is being spread?

0
0
Flame

Surely not!

If what you say is true, then it's not a browser bug, nor an OS bug.

Looks like I'll be firing up Lynx over the weekend. :-)

0
0
Anonymous Coward

Clipboard access in Mozilla is painful

I have recently had to write JavaScript code that reads and writes the clipboard, and making it work for Mozilla is painful. You need about 30 lines of gobbledegook, and even then it doesn't work unless you change a security setting in about:config, and you then still get a warning when the code first runs.

The interesting thing is that permission to access the clipboard is covered by the same setting as the most serious types of access, such as reading and writing local files. So it's not impossible that the hole that's being exploited here could be put to more unpleasant purposes.

But if it's flash, perhaps things are different.

0
0
Stop

I can see no valid reason...

...why websites (or Flash for that matter) should have access to the clipboard at all.

Providing scripts with read-write access (in IE at least) to a buffer that may well contain confidential data is just asking for trouble in so many ways... So many people copy/paste passwords, CC numbers, etc...

0
0
Silver badge

Same as Frank

This week I have had a fair number of msnbc news updates in my spam as well as nearly as many cnn news updates.

0
0

Almost definitely Flash-based

Most likely it is a small Flash (SWF) embedded object on the page. It continuously copies data to the clipboard.

I encountered this once when taking an opinion survey.

0
0
Silver badge

redirects

to Google with Iceweasel under Linux, or when telnetting to the web site. Connects to internetscanner2009.com if running under XP and tries to get the user to install the program AV2009Install_77011807.exe by lying about an infected system. I will try and find the method/advert used to get the link into the clipboard. Could take some time.

0
0

Happened two weeks ago, Linux too

This happened to me on July 29th while browsing technology and news sites (so nothing I expected to be particularly dangerous) with Firefox 2 and Linux. I then pasted the link, saved the AV2009... file and tested it with an online virus scanner. It tested negative. The day after, it tested positive.

At the time I could not find information about this on the web, but this exact attack has been in the wild for at least two weeks.

0
0
Paris Hilton

Cupboard?

I managed to initially misread the headline as "Mystery web attack hijacks your cupboard". Man, even my sugar isn't safe from hackers any more...:)

0
0

CNN Top 10

I just ignored the MSNBC spam assuming it was piggybacking on the CNN top ten junk from last week.

0
0
Silver badge

Infected Sites

Not sure it's related but a lot of the sites listed in the forums have had tons and tons of spam sent out in their names in the past several days... yesterday alone our spam server recorded over 7,000 emails from "MSNBC".

Coincidence? Probably.

0
0

Flashblock it

Flash is full of obnoxious features ripe for abuse by malvertisements. If it's not the clipboard access, or cookies you can't block with the normal browser controls, it's the mundane irritation of pop-ups, surprise LOUD auto-playing sound and CPU-killing animations.

The Firefox Flashblock extension - or some similar means of disabling such plug-ins by default in other browsers - is the only sensible response.

0
0
Flame

Arghh

I have been getting these emails for weeks, was originally CNN news, now MSNBC, straight to my Yahoo spam (well, apart from a few that ended up in my inbox). Using XP, Firefox 3 and Avast, Lavasoft SE, nothing picked up, although SUPERAntiSpyware did pick up quite a bit.

0
0
Anonymous Coward

@AC, Jeremy

Flash can only write to the clipboard, with a simple

    System.copyToClipboard()

call. It can't read the clipboard.

0
0
Silver badge

No luck

After spending an hour setting up a new VM and over 2 hours browsing News and social networking sites (shudder), I just could not get infected, had clipboard viewer up all the time not a single bite. What this exercise has made me realise is how absolutely vital NoScript and AdBlock are to browsing. I was amazed at the amount of flashing junk and pop ups dominating websites, especially the American news sites. It's a shame I didn't find the swf or script that does this, I am curious how this is done. I will have another try tomorrow.

0
0
Anonymous Coward

Facebook

While using Facebook on Safari recently, with no other sites open, I got a pop-up window with an xp-vista-update.net URL. I can only guess it was due to a malicious ad served on Facebook. Looks like these goons have more than one vector.

0
0
Pirate

weird

Also redirected to google here, running MSIE6 in Windows XP inside virtualbox. Searching google for the site name turns up a URL with some token on the end of it, which did work.

Nasty bit of extortionware that they're trying to push, too. It 'found' 41 really dangerous-sounding bits of malware on a completely fresh install of XP and just will NOT go away.

0
0
Happy

suck on that, mac bois

i use vista, so i am immune, jah?

fnarr fnarr

0
0
Thumb Down

Keylogger 2.0

If a website can run code that loops and continuously inserts a link, who's to say it can't run a loop that continuously copies data from your clipboard and sends it off to a bot?

0
0

hit on Ars Technica site

I'm 90% certain I got hit on the Ars Technica site. I was using IE7 and the only strange thing I noticed was one of the ads was making some kind of clicking sound. My network folks scanned my comp. but didn't see any malware.

Possibly, they are just hoping that someone will paste a link and go to it.

0
0
Coat

Fools all of you :)

SmitFraudFix BugHunt 2.2 HijackThis and a GOOD (read: not Norton or McAfee) AV scanner. Works for me. I work in remote support and have been seeing this for a while now (3 weeks IIRC) and there are 3 versions that I know of.

1) This version is a pain in the ass but can be gotten rid of by the above mentioned tools if run in safe mode.

2) This version is a dick. Spent 6 hours trying to figure this little bugger out to no avail. This one (for lack of a better way of putting it) appears to remove everything from the start menu and prevent many hotkeys from working. I have since given up trying to fix the damage and just restore the system 'cause I'm not gonna bother wasting my time or the customer's.

3) This final one that I have seen is rather new. Above mentioned programs work, at least so it appears. Everything appears to be fine for about 15 minutes after cleaning the system and then it started to goto hell again. I have experienced this happening more frequently lately. Gave it 2 hours of work trying to fix/remove the problem child without ever finding it. (No I love Karen but meh I personally like making customers suffer) So I default to restore system.

As far as I have seen this 3rd one is becoming more and more frequent. Now stop infecting yourselves. For those that don't know, you can get infected by clicking link in email/going to webpages/installing everything pushed on you/reading email/running programs/opening files/sex/farting sideways/eating/sleeping/having a pet/having a child/having a job/going to work/getting up in the morning/turning computer on/coffee/drinking coffee/small children/peanut butter and jelly sandwiches/. . .<ENTERING RECURSIVE LOOP>

<joke>

Sorry about that all you out there in Register Central. Our latest attempt at mind cont...erm a marketable program appears to still have a few bugs in it. Heh get it? A few bugs? Anyway please help us beta test it so that we can continue beta testing bugs like this to prevent this in the future. Just click this link http://notavirus.com/*nix_fanboi_or_m$_fanboi_or_apple_fanboi/fuck_your computer_up_and_steal_all_your_money_including_identity/vista_*nix_osx/ great_sparkling_magic_notofthisearth_super_uber_amazing_supercalifragilisticexpialidocious_antivirus2009/your_boned.exe to help us test for bugs like this in the future. Thank you for your time.

Or for an easier time if your keyboard isn't working just use this tinyurl:

http://tinyurl.com/fuckupyourcomputer.exe

Again thank you.

</joke>

Sorry if the formatting sucks tried my best.

/mines the one with the penicillin in the pocket.

0
0
Boffin

Flashbacks

This will probably get ignored, but anyway.

Overwriting the Firefox/IE clipboard has been available for a long time. I imagine these users (although I haven't read all the four forums and subsequent links for each post) had a window hidden from them or a frame around a webpage. The only change is to use it for spamming links, which is a nice human touch to spreading spam; lots of people Ctrl-C-V without thinking.

It overwrites anything you have in the clipboard without requiring any action such as clicking or selecting; you do need Flash and JavaScript running, which 99% do.

For an example, clipboard.swf is (I think from decompiling it):

    // Action script...
    // [Action in Frame 1]
    // "clipboard" is the FlashVar handed in by the embedding page
    if (clipboard.length)
    {
        System.setClipboard(clipboard);
    } // end if

The script is, according to google search:

    // BodyLoaded is a page-level flag; the original page sets it to 1 in its onload handler
    var BodyLoaded = 0;

    function copy(inElement) {
        if (inElement.createTextRange) {
            // IE: select the element's text and copy it with execCommand
            var range = inElement.createTextRange();
            if (range && BodyLoaded==1)
                range.execCommand('Copy');
        } else {
            // other browsers: inject a hidden 0x0 Flash movie that writes the clipboard
            var flashcopier = 'flashcopier';
            if(!document.getElementById(flashcopier)) {
                var divholder = document.createElement('div');
                divholder.id = flashcopier;
                document.body.appendChild(divholder);
            }
            document.getElementById(flashcopier).innerHTML = '';
            var divinfo = '<embed src="_clipboard.swf" FlashVars="clipboard='+escape(inElement.value)+'" width="0" height="0" type="application/x-shockwave-flash"></embed>';
            document.getElementById(flashcopier).innerHTML = divinfo;
        }
    }

In 2005

http://www.jeffothy.com/weblog/clipboard-copy/

http://ajaxian.com/archives/auto-copy-to-clipboard

http://www.rodsdot.com/ee/cross_browser_clipboard_copy_with_pop_over_message.asp

0
0

@AC2

Yep, I know, which is why I clarified my moan about read access with "(in IE at least)" because since version 5, it can read the clipboard contents (provided it's text) with an equally simple:

    var clipContents = window.clipboardData.getData("text");

I believe Opera has clipboard access too. Attempting to read the contents of the clipboard will at least throw up a warning in IE7 but since when has a silly security prompt stopped the majority of users from clicking OK?

0
0
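Both snippets quoted in the last two posts (the hidden 0x0 `_clipboard.swf` embed fed a `clipboard=` FlashVar, and IE's `window.clipboardData.getData`) are visible in the page markup before any browser runs them, so they can be caught statically. The following is an added example, not code from the thread or from any of the linked sites: a small scanner that takes raw HTML (a saved page or an ad creative) and reports Flash embeds that are zero-sized, named like a clipboard helper or carrying a `clipboard=` FlashVar, plus inline script that touches `clipboardData`, calls `execCommand('Copy')` or drives a copy from a timer. The sample page and its URL are constructed for the example.

```javascript
// Added example: static scan of HTML for the clipboard-writing patterns
// quoted in the thread. Constructed sample page; markup and URL are made up.
const SAMPLE_HTML = `
<html><body>
<div id="flashcopier">
<embed src="_clipboard.swf" FlashVars="clipboard=http%3A%2F%2Fexample.invalid%2Fav2009"
       width="0" height="0" type="application/x-shockwave-flash"></embed>
</div>
<embed src="player.swf" width="300" height="200" type="application/x-shockwave-flash"></embed>
<script>
  var clipContents = window.clipboardData.getData("text");
  setInterval(function () { copy(document.getElementById('x')); }, 250);
</script>
</body></html>`;

// Return the attribute map of every <tagName ...> opening tag in the HTML.
function parseTags(html, tagName) {
  const tagRe = new RegExp('<' + tagName + '\\b([^>]*)>', 'gi');
  const attrRe = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  const tags = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4];
    }
    tags.push(attrs);
  }
  return tags;
}

// FlashVars are URL-encoded; tolerate malformed escapes rather than throwing.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function isZeroSized(attrs) {
  return parseInt(attrs.width || '', 10) === 0 || parseInt(attrs.height || '', 10) === 0;
}

// Scan one HTML document and return a list of findings, each with reasons.
function scanHtml(html) {
  const findings = [];
  for (const attrs of parseTags(html, 'embed')) {
    const src = attrs.src || '';
    const isFlash = /shockwave-flash/i.test(attrs.type || '') || /\.swf(\?|$)/i.test(src);
    if (!isFlash) continue;
    const reasons = [];
    if (isZeroSized(attrs)) reasons.push('zero-sized flash embed');
    if (/(^|&)clipboard=/i.test(safeDecode(attrs.flashvars || ''))) reasons.push('FlashVars carries clipboard=');
    if (/clipboard/i.test(src)) reasons.push('swf name mentions clipboard');
    if (reasons.length) findings.push({ kind: 'embed', src, reasons });
  }
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let s;
  while ((s = scriptRe.exec(html)) !== null) {
    const body = s[1];
    const reasons = [];
    if (/clipboardData\s*\.\s*getData/.test(body)) reasons.push('reads window.clipboardData');
    if (/clipboardData\s*\.\s*setData/.test(body)) reasons.push('writes window.clipboardData');
    if (/execCommand\s*\(\s*['"]copy['"]/i.test(body)) reasons.push("calls execCommand('Copy')");
    if (/set(Interval|Timeout)\s*\(/.test(body) && /copy|clipboard/i.test(body)) reasons.push('timer-driven copy loop');
    if (reasons.length) findings.push({ kind: 'script', reasons });
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanHtml(SAMPLE_HTML), null, 2));
}
```

Only `<embed>` is inspected; a page can also load the same movie through `<object>`/`<param name="movie">`, and a visible Flash ad can write the clipboard just as well as a 0x0 one, so treat a hit as a reason to look closer rather than an absence of hits as a clean bill.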
Coat

Why not just

tell IE not to allow access to the clipboard - it's just a tickbox. I do it on any IE I setup since browsers and webpages have no right to my clipboard.

Mine's the one with 'SMUG' pasted on the back

0
0
Pirate

@MSNBC Breaking News

Nahh, that's just the same-old-same-old Storm worm spam. Don't worry about it.

0
0
Gates Halo

*sigh*

I don't get why it's even allowed. Can anyone think of a solid program design that needs access to the clipboard? I mean do we really need "copy this" buttons when they are built into the interface. They ought to just remove the ability from the object model.

0
0
Silver badge

@Peter

This is the code from clipboard.swf:

    // Action script...
    // [Action in Frame 1]
    saveToClipboard = function (str)
    {
        System.setClipboard(str);
        flash.external.ExternalInterface.call("copy_success");
    };
    // expose saveToClipboard to the page's JavaScript under the name "setClipboard"
    flash.external.ExternalInterface.addCallback("setClipboard", this, saveToClipboard);
    //END

So a Java function called via the onload command of a page or pop up would paste a url passed to the function to the clipboard.

Not as devious as I thought, however this will only copy to clip once, I expect some looping java script is what accomplishes the constant refreshing.

This does not seem to work with the clipbook service disabled, as I have on my work machine.

0
0
Anonymous Coward

Digg Infected?

Browsing Digg - Can only paste xp-vista....

Close Digg tab - Can paste anything

Only happens on some digg pages - Infected ad?

0
0

@No, Macs are not immune

Care to expand? Is it apparent with Safari, Firefox or what?

0
0
Silver badge

@AC:Digg infected

I browsed Digg but didn't get infected, any chance of a link to an infecting page?

0
0

XP Antivirus 2008

It is the same malware/crapware as "XP antivirus 2008". I've seen Google ads for this gem, that is worse than a real virus infection. They demand money to fix a problem they caused. Oh the joys of windows.

I did a quick Whois on the domains : xpantivrus.com, xp-vista-update.net, internetscanner2009.com. All registered under estdomains.com, in Delaware, US. The latter 2 use estdomains' DNS. Doing some more digging, some of the DNS servers come back to eosads, in the Motherland:

Registrant Name: Daniel Adams

Registrant Organization: eosads

Registrant Address1: 13 Baterman Street

Registrant City: London

Registrant State/Province: London

Registrant Postal Code: W1D 3AF

Registrant Country: UNITED KINGDOM

Registrant Country Code: GB

This forum:

http://www.bluetack.co.uk/forums/index.php?s=950ad5e6359847c4dfb715d9e753bfcf&showtopic=18064&st=60&p=87715&#entry87715

shows that this stuff has been going down since April or so.

So, maybe you Brits need to go door-knocking?

0
0
Silver badge
Jobs Halo

Couldn't replicate this...

...on a G4 with OSX "Leopard" and Firefox running "naked". No luck replicating the clipboard attack. Still, I can't see how this could be a threat to my system if I go to use my Clipboard and see some skanky URL that I never copied into it and think, "huh, that looks skanky, lemme just quit Firefox and force it to flush my cookies and my cache and see if that works" -- instead of being one of those kids who had to wear a helmet in school, and just pasting away with it.

I did, however, out of sheer curiosity, try the link in this article and oh, the hilarity that ensued. It was pure cheap laffs gold, watching the site I was redirected to run its fake Flash cartoon pretending to be a Windows virus scanner, scanning files which were obviously DOS/Win files and not living on my hard disk at all, and then presenting me with a Windows dialog -- also obviously fake -- screaming that my system -- a Mac, mind you -- was infected and that I had to buy their fake AV product lickety-quick, to avoid certain disaster.

Wiping the tears of hysteria from my eyes, I "flushed" Firefox, turned NoScript and AdBlock back on, restarted Firefox, and went back to the Finder to trash the totally impotent .exe files which hit my desktop. Then I realized that the one possible threat this "virus" could pose to my Mac was perhaps accidental hardware damage, from inadvertently knocking my G4 over in a fit of uncontrollable laughter watching this retarded malware site try to scare me by pretending to run a goddamn' fake Windows virus scanner on my Mac.

(Steve Jobs with a halo, only because I've been a Mac OS fan since 1985, and you have no replica of the old little "smiling Mac" MacOS bootup icon, and despite the fact that Jobs has been a real friggin' prick recently.)

0
0
Flame

Mystery *Flash* attack hijacks your clipboard

...if what people have been writing is true. Yet another reason for not infecting one's computer with the plague that is Flash, or at least coercing browser developers to provide decent control over Flash utilisation, rather than having it enabled for all sites, all irritating animated adverts, and all potential exploits associated with trusting the binary payload of a proprietary software vendor.

Flash isn't "the Web" despite what the fanboys and "embedded multimedia" idiots would have you believe.

0
0

Vulnerable systems

I don't know any browser/OS combination that would be immune, except for one without Flash, though this only directs to a malware page; Linux/OSX* will almost certainly be immune to the .exe file even if it's successfully pushed through Firefox/Opera/Safari.

*Not necessarily from conventional security, but because these people will go for the biggest target.

0
0
Go

Title

I'll pop round to the address tomorrow

I'll let you know who I meet

Paul

0
0

This post has been deleted by a moderator

Unsure about NOSCRIPT

Had an odd thing the other day possibly linked with this. I couldn't open FF, said it was already running. Checked the processes and sure enough there it was but no visible instance. Killed the process and we were back in business. Sounds similar to how this exploit operates but I didn't notice anything odd with the clipboard, that said I can't recall if I used the clipboard.

Stranger still, I run NOSCRIPT and this still appears to keep FF running, although maybe it didn't hijack my clipboard....

0
0

whois information is false

combatwombat: it's no use looking at any of the whois information in these cases. The addresses given are invariably either:

a. completely made up

b. just copied from some other entity's address

c. mailboxes/forwarding companies

The people behind these fake anti-virus apps are Russian hackers coming from the AWM scene (and others in the Russian satellites). The registrar Estdomains (aka Esthost, Inhoster, UkrTelegroup, Cernel, Rove Digital and a multitude of other aliases) are themselves blackhats, directly in on the porn->exploit/fake-codec->trojan/fake-AV-install game. So they're not too fussy about correct whois details.

You could complain to ICANN and get the domain revoked in, what, six months. But these guys constantly change their names and register hundreds of new domains, so it's kind of pointless.

0
0
Silver badge

tee hee

Did you check out some of the "xploits" that are listed by the "virus scanner" (scanning my Linux box with a very nice imitation of an XP dialog, of course)?

Spyware.EI.Monster.b

ZLob.PornAdvertise.Xplisit

Trojan. InfoStealer.Banker.s

They forgot, of course;

Malware.WifeStealer.CockSucker

XP.PasswordCracker.Attack

and of course my all time favourite

All.MyVirusAreBelong2.You

0
0

Malwarebytes gets most of this

Using Malwarebytes and Spybot for a few registry settings that Malwarebytes misses gets rid of it. At least in the 10 or so cases I've cleaned in the past 2 or 3 weeks, although I haven't seen any with the 2009 version which might have a few differences from Winav2008.

0
0
Happy

The detail analysis for this case

I have analyzed this case, please read

http://malware-test-lab.blogspot.com/2008/08/analysis-of-mystery-eb-attack-hijacks.html

0
0
Anonymous Coward

"banner ads transmitting bad Adobe Flash code"

The "bad" is superfluous, as there can be no "good" in that context.

Another point for adblock I suppose. Soon flash ads will have made it impossible to make money out of a free to view website because everyone will have adblocked everything.

0
0
Jobs Halo

re: suck on that, mac bois

"i use vista, so i am immune, jah?

fnarr fnarr"

Umm.. nope, exactly the opposite in fact, as it tries to download a windows exe I'm pretty sure you are screwed if you are on vista.

0
0
Flame

Clipboard..

I knew that IE was capable of reading the clipboard contents; I have a small piece of code on several sites which reads the clipboard contents and requests /clip.php?text=<clipboard contents here>

You can get some really weird stuff from people's clipboards...

I didn't know you could actually set someone's clipboard, but I would consider that far less serious than being able to read the contents of it (which might contain private data).

0
0
Alert

Clipboard Monitors..

Aren't there some programs that monitor the clipboard for downloadable links? Something like wget? autowget? or winwget?

I'm sure there are more...

Potentially more of a hazard with auto download... wonder if they auto execute also?

0
0
Anonymous Coward

@Mike Flugennock

Of course, it would be far too difficult to expand the redirect page to check what OS you're running and provide an OS-based scan, or to offer a Mac download? The whole point is that it scares users into downloading something they don't need, pay for something they don't need (ie put their card details into the site, so not just paying for one thing), and possibly screw their PC by downloading it. If a user is prepared to download and run something, once they run it and get told it might be unsafe they'll probably still run it won't they?

Even worse, there's not going to be any AV on a Mac already to pick it up as dangerous. I'm not the biggest fan of Macs, but you have to be able to see that there is roughly the same (high) percentage of naive Mac users as PC users. As Macs get more popular, it's only a matter of time before a scam like this is adapted for Macs, it just makes sense.

0
0
