
mysec
Premium
join:2005-11-29
kudos:4

reply to Doctor Four

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

said by Doctor Four:

Sandi Hardmeier, in her Spyware Sucks blog, is warning of a
new type of malvertisement that overwrites Windows' clipboard,

Has anyone seen the source code that shows how this is done?



therube

join:2004-11-11
Randallstown, MD

1 edit

quote:
This should be blocked by setting Internet Options, Security, Internet Zone, Scripting, "Allow programmatic Clipboard access" to Disable.

I would be curious if this setting failed to block this vector.

»msmvps.com/blogs/spywaresucks/ar···062.aspx

So it appears this would be a vector in IE that is being exploited? In my case (& I don't use IE) Clipboard access is set to "prompt". (Wonder what a prompt looks like or how I would respond to it if I were prompted?)

And then this, Rogue ads pushing malware -- how it works, describes simply Refreshing the MLB web page & the popups start appearing? Which kind of doesn't make sense?

So combine the two & perhaps Flash related? JavaScript related? JS being allowed to run in Flash?

And there must be some code somewhere on an infected web site that allows the clipboard overwrite to take place. Again perhaps via Flash & JavaScript?

(How can anyone say that using a Mozilla browser & NoScript does not have the potential to help in browsing safely?)

EDIT:
So perhaps MLB was injected with code, using a META tag to force malware page to open. Something like this:
<META NAME="Keywords" CONTENT="handycamz, videos, pictures, camz, adult, porn, bla, bla, bla"><meta http-equiv="Refresh" content="0; url=http://winantivirus2008.org/freescan/?id=68">
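
The META refresh injection guessed at in the EDIT above is something a site owner can scan served pages for. The Python sketch below is an added example, not part of the original post: it flags fast meta refreshes that leave the page's own host. The page URL, the 5-second threshold and the function names are assumptions, and the sample HTML is constructed around the tag quoted in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

# Constructed sample: a page carrying the kind of injected tag quoted in the post.
SAMPLE_PAGE_URL = "http://news.example/scores.html"  # hypothetical page address
SAMPLE_HTML = (
    '<html><head><META NAME="Keywords" CONTENT="videos, pictures">'
    '<meta http-equiv="Refresh" content="0; url=http://winantivirus2008.org/freescan/?id=68">'
    '<meta http-equiv="refresh" content="300">'                   # plain self-reload, no target
    '<meta http-equiv="refresh" content="5;URL=\'/live.html\'">'  # same-site redirect
    '</head><body></body></html>'
)

# content is "<seconds>" optionally followed by ";" or "," and "url=<target>"
REFRESH_RE = re.compile(r"^\s*(\d+(?:\.\d*)?)\s*(?:[;,]\s*(?:url\s*=\s*)?(.*))?$", re.I | re.S)

class MetaRefreshFinder(HTMLParser):
    """Collects (delay_seconds, absolute_target_or_None) for every meta refresh tag."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so "META"/"Refresh" still match.
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag != "meta" or a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = REFRESH_RE.match(a.get("content", ""))
        if not m:
            return
        target = (m.group(2) or "").strip().strip("'\"")
        absolute = urljoin(self.page_url, target) if target else None
        self.found.append((float(m.group(1)), absolute))

def offsite_refreshes(html, page_url, max_delay=5.0):
    """Return targets of fast meta refreshes that leave the page's own host."""
    finder = MetaRefreshFinder(page_url)
    finder.feed(html)
    own_host = urlparse(page_url).hostname
    return [t for delay, t in finder.found
            if t and delay <= max_delay and urlparse(t).hostname != own_host]

if __name__ == "__main__":
    for target in offsite_refreshes(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("off-site meta refresh ->", target)
```
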
 


therube

join:2004-11-11
Randallstown, MD

2 edits

And it looks like we're coming back to ActiveX too. And IE. IE being a "trusted" application, of course.

Why might one have "Clipboard access" enabled? Well, because MS tells you to do so.

quote:
ActiveX controls are used for certain functionality in Microsoft Office Project Professional 2007 and in Microsoft Office Project Web Access. In order for the ActiveX controls to work properly, the Office Project Web Access Web site must be added to the list of trusted sites in Internet Explorer. There are additional security settings that can be configured, but they are optional.

»technet.microsoft.com/en-us/libr···703.aspx

Perhaps this cannot even be disabled in IE6?

Disable Allow This Webpage to Access Your Clipboard Pop-Up Warning Message in IE7

Picture here of what the prompt would look like, »msdn.microsoft.com/en-us/library···85).aspx

Appears you can disable this in IE6 too, »forums.spybot.info/archive/index···665.html.

That post includes a link to a site that retrieves your clipboard information, »www.sourcecodesworld.com/special···oard.asp.

mysec
Premium
join:2005-11-29
kudos:4

Thanks for the information. Unfortunately, links from this site explaining the script code for cut, copy, paste, bring up "Content not found".

»msdn.microsoft.com/en-us/library···85).aspx



MeanPeepsSuk
Premium
join:2004-11-21
Muddy Field

2 edits

reply to mysec
Removed my response/question from last night as no longer relevant.

Just realized this was an old thread brought to the top again.


over 12.5 years online © 1999-2012 dslreports.com.