New Scary Computer Virus?
- Nanohedron
- Moderatorer
- Posts: 38239
- Joined: Wed Dec 18, 2002 6:00 pm
- antispam: No
- Please enter the next number in sequence: 8
- Tell us something.: Been a fluter, citternist, and uilleann piper; committed now to the way of the harp.
Oh, yeah: also a mod here, not a spammer. A matter of opinion, perhaps. - Location: Lefse country
New Scary Computer Virus?
Anyone heard or know anything about this latest?
Could someone explain more about this, and how worried should I be?
Could someone explain more about this, and how worried should I be?
"If you take music out of this world, you will have nothing but a ball of fire." - Balochi musician
can you run flash?
are you still on dial up?
do you know what flash is?
can I find one to show you?
oh, sure..... http://www.flashearth.com
are you still on dial up?
do you know what flash is?
can I find one to show you?
oh, sure..... http://www.flashearth.com
- Nanohedron
- Moderatorer
- Posts: 38239
- Joined: Wed Dec 18, 2002 6:00 pm
- antispam: No
- Please enter the next number in sequence: 8
- Tell us something.: Been a fluter, citternist, and uilleann piper; committed now to the way of the harp.
Oh, yeah: also a mod here, not a spammer. A matter of opinion, perhaps. - Location: Lefse country
No, I'm on wireless now. I think I have Flash. I guess I must have, as your link worked just fine and dandy.Denny wrote:can you run flash?
are you still on dial up?
do you know what flash is?
can I find one to show you?
oh, sure..... http://www.flashearth.com
"If you take music out of this world, you will have nothing but a ball of fire." - Balochi musician
- MTGuru
- Posts: 18663
- Joined: Sat Sep 30, 2006 12:45 pm
- antispam: No
- Please enter the next number in sequence: 8
- Location: San Diego, CA
Oh my Flash man he's a Yankee
With his hair cropped short behind
He wears a pair of red-top boots
And spends his days online ...
With his hair cropped short behind
He wears a pair of red-top boots
And spends his days online ...
Last edited by MTGuru on Tue Aug 19, 2008 4:21 pm, edited 2 times in total.
Vivat diabolus in musica! MTGuru's (old) GG Clips / Blackbird Clips
Joel Barish: Is there any risk of brain damage?
Dr. Mierzwiak: Well, technically speaking, the procedure is brain damage.
Joel Barish: Is there any risk of brain damage?
Dr. Mierzwiak: Well, technically speaking, the procedure is brain damage.
- Nanohedron
- Moderatorer
- Posts: 38239
- Joined: Wed Dec 18, 2002 6:00 pm
- antispam: No
- Please enter the next number in sequence: 8
- Tell us something.: Been a fluter, citternist, and uilleann piper; committed now to the way of the harp.
Oh, yeah: also a mod here, not a spammer. A matter of opinion, perhaps. - Location: Lefse country
- Nanohedron
- Moderatorer
- Posts: 38239
- Joined: Wed Dec 18, 2002 6:00 pm
- antispam: No
- Please enter the next number in sequence: 8
- Tell us something.: Been a fluter, citternist, and uilleann piper; committed now to the way of the harp.
Oh, yeah: also a mod here, not a spammer. A matter of opinion, perhaps. - Location: Lefse country
- MTGuru
- Posts: 18663
- Joined: Sat Sep 30, 2006 12:45 pm
- antispam: No
- Please enter the next number in sequence: 8
- Location: San Diego, CA
Vivat diabolus in musica! MTGuru's (old) GG Clips / Blackbird Clips
Joel Barish: Is there any risk of brain damage?
Dr. Mierzwiak: Well, technically speaking, the procedure is brain damage.
Joel Barish: Is there any risk of brain damage?
Dr. Mierzwiak: Well, technically speaking, the procedure is brain damage.
- s1m0n
- Posts: 10069
- Joined: Wed Oct 06, 2004 12:17 am
- antispam: No
- Please enter the next number in sequence: 10
- Location: The Inside Passage
http://www.clipboardextender.com/defect ... -dangerous
The internet is abuzz with news about the “clipboard virus”. I’ve observed it myself! It’s interesting, annoying, and if you fall for it, it’s dangerous. There’s a lot of information out there, not all of it completely correct. This article is not all-encompassing either, but I’ve got a pretty good handle on the clipboard aspect of the attack.
Background: There’s a piece of malware out there (I’m not sure if it’s a virus, trojan, or what - Dammit Jim, I’m a clipboard expert, not a security specialist!) called “AntiVirus 2009″. It’s very nasty, and you get it by visiting a site that delivers it via a relentless series of popups. The popups make it look like you’re infected with something (you’re not, at least not yet). Then they offer to fix your PC, and start downloading their fake virus scanner. Don’t let it. The only way out is to shut down your browser. This type of attack is nothing new, right?
The new part is the way they trick people into visiting infected sites. They are trying to get you, me, and everyone else to paste their URL into whatever you may be pasting into - perhaps a blog post (like this one), blog comments, e-mail, instant messaging, etc… So these malware guys are sitting around one day, and one says “hey, wouldn’t it be great if everyone started randomly pasting our URL into whatever they’re pasting stuff into?” And apparently, a devious scheme was born….
Someone wrote a little piece of Adobe Flash code to copy text to the clipboard. Then they put it in a loop, to do it once a second. Then they put it in an innocent-looking flash-based banner ad, with their harmful URL as the payload. Then they signed up for some advertising networks, and submitted their bad ad, presumably paying considerable $$$ to get it featured on sites that you and I visit regularly, such as MSNBC and Digg. And when someone has this ad loaded, they can copy all they want, but everything they paste will be just that URL. So if you are writing an e-mail to Aunt Millie, telling her to look at your eBay auction located at (paste), or to download Picasa to organize her photos - download here (paste), she’s going to get the virus when she visits the bad site.
If you are viewing a page with one of these bad ads, your clipboard is overwritten about once per second, with their bad ad. The URL that hit me was:
h x x p : / / xp-vista-update.net/?id=91873534231 (DO NOT CLICK THIS!!!!!!) I added spaces and changed http to hxxp to protect you.
I noticed it one night when ClipMate (the world’s leading clipboard extender for Windows, which I wrote myself) unexpectedly captured a clip, then started rejecting duplicates. The duplicates make a “boing” sound, so my PC was going boing, boing, boing….. I then noticed the unexpected URL showing as my top clip, with a date/time of (a minute ago), and a “creator” showing “FireFox”. Somehow, without any action from me, FireFox was copying data to the clipboard. An apparent “clipboard attack”! So I started shutting down tabs in Firefox, and the clipboard attack stopped.
So I searched around a bit, and found that this is happening to lots of people - either by people complaining about this thing, or the xp-vista-update URL showing up in unexpected places, like blog posts. One thing I noticed was that the number in the URL changes, and that some people said it’s harmless, and just re-directs to google. Huh. It DOES re-direct to Google. Presumably, they’re trying to stay under the radar by controlling the attack. Maybe they only have it re-direct to the virus site when the number is fresh? Maybe you have to be one if the first 100 “lucky customers”? Maybe they’re going change the re-direct on a certain date? Maybe it’ll re-direct to something even worse? Who knows? It’s pretty devious, any way you look at it.
Here are things that we know now:
It seems to be flash-based.
It’s browser and platform-independent - the clipboard attack will happen on IE, FireFox, XP, Vista, Mac, Linux.
Some ads have been captured and are on display at SpywareSucks - they look like “Nielsen Ratings”.
There is some sample code in the comments at the article on TheRegister.
Here is how the business end of this works - discussion at SunBelt.
My original discussion is posted in the ClipMate support forum.
As of this writing, McAfee SiteAdvisor rates the xp-vista-update site as GREEN! LOL!! If you have a SiteAdvisor account, add some comments.
The xp-vista-update site is registered on ESTDomains, documented rogue registrar (cited from comments found at SiteAdvisor and other blog posts).
Things I don’t know:
Will the regular “turn off clipboard” setting in IE7 work for this type of attack? I don’t know.
Will the “noscripts” FireFox extension block this? I doubt it. I think you have to turn off Flash.
Will this be the death of Flash? I hope not. I hope they take clipboard support out though, and make it safe.
Comments? Add your comments. Please, no dangerous URLS without saying what they are and altering by munging the http:// into hxxp: / / or similar.
And now there was no doubt that the trees were really moving - moving in and out through one another as if in a complicated country dance. ('And I suppose,' thought Lucy, 'when trees dance, it must be a very, very country dance indeed.')
C.S. Lewis
C.S. Lewis
- Nanohedron
- Moderatorer
- Posts: 38239
- Joined: Wed Dec 18, 2002 6:00 pm
- antispam: No
- Please enter the next number in sequence: 8
- Tell us something.: Been a fluter, citternist, and uilleann piper; committed now to the way of the harp.
Oh, yeah: also a mod here, not a spammer. A matter of opinion, perhaps. - Location: Lefse country
Fiddling while Rome burns, as it were. Have you no shame?
Thanks for the info, s1m0n. I have to say that much of it meant little to me, though. If someone could put together a scenario in layman's terms, I'd appreciate it.
"If you take music out of this world, you will have nothing but a ball of fire." - Balochi musician
- MusicalADD
- Posts: 300
- Joined: Sat Mar 15, 2008 9:40 pm
- antispam: No
- Location: Upstate New York
This is the first I've heard of this.
I have the Firefox Noscript extension on the pc at work, but I haven't gotten around to installing it at home... my casual impression is that Noscript might indeed be effective. I mean, at work, if I visit a page with flash content -- usually, embedded youtube video -- Noscript blocks the embedded video. So, I'm guessing that Noscript is blocking flash?
This makes me long for the good ol' days. Lynx, now THERE was a browser!
I have the Firefox Noscript extension on the pc at work, but I haven't gotten around to installing it at home... my casual impression is that Noscript might indeed be effective. I mean, at work, if I visit a page with flash content -- usually, embedded youtube video -- Noscript blocks the embedded video. So, I'm guessing that Noscript is blocking flash?
This makes me long for the good ol' days. Lynx, now THERE was a browser!