mysec
Premium
join:2005-11-29

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

said by Doctor Four:

Sandi Hardmeier, in her Spyware Sucks blog, is warning of a
new type of malvertisement that overwrites Windows' clipboard,

Has anyone seen the source code that shows how this is done?


therube

join:2004-11-11
Randallstown, MD


1 edit

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

quote:
This should be blocked by setting Internet Options, Security, Internet Zone, Scripting, "Allow programmatic Clipboard access" to Disable.

I would be curious if this setting failed to block this vector.

»msmvps.com/blogs/spywaresucks/ar···062.aspx

So it appears this would be a vector in IE that is being exploited? In my case (& I don't use IE) Clipboard access is set to "prompt". (Wonder what a prompt looks like or how I would respond to it if I were prompted?)

And then this, Rogue ads pushing malware -- how it works, describes simply Refreshing the MLB web page & the popups start appearing? Which kind of doesn't make sense?

So combine the two & perhaps Flash related? JavaScript related? JS being allowed to run in Flash?

And there must be some code somewhere on an infected web site that allows the clipboard overwrite to take place. Again perhaps via Flash & JavaScript?

(How can anyone say that using a Mozilla browser & NoScript does not have the potential to help in browsing safely.)

EDIT:
So perhaps MLB was injected with code, using a META tag to force malware page to open. Something like this:

therube

join:2004-11-11
Randallstown, MD


2 edits

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

And it looks like we're coming back to ActiveX too. And IE. IE being a "trusted" application, of course.

Why might one have "Clipboard access" enabled? Well, because MS tells you to do so.

quote:
ActiveX controls are used for certain functionality in Microsoft Office Project Professional 2007 and in Microsoft Office Project Web Access. In order for the ActiveX controls to work properly, the Office Project Web Access Web site must be added to the list of trusted sites in Internet Explorer. There are additional security settings that can be configured, but they are optional.

»technet.microsoft.com/en-us/libr···703.aspx

Perhaps this cannot even be disabled in IE6?

Disable Allow This Webpage to Access Your Clipboard Pop-Up Warning Message in IE7

Picture here of what the prompt would look like, »msdn.microsoft.com/en-us/library···85).aspx

Appears you can disable this in IE6 too, »forums.spybot.info/archive/index···665.html.

That post includes a link to a site that retrieves your clipboard information, »www.sourcecodesworld.com/special···oard.asp.
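
An added example, not posted by anyone in this thread: a PowerShell audit of the "Allow programmatic Clipboard access" setting discussed above, for every IE security zone. It assumes the standard Internet Settings zone registry layout and URL action 1407 with data 0 = Enable, 1 = Prompt, 3 = Disable; none of those identifiers come from the thread itself.

```powershell
# Added example: report how "Allow programmatic Clipboard access"
# (URL action 1407) is configured in each IE security zone.
$action    = '1407'
$zoneNames = 'My Computer', 'Local intranet', 'Trusted sites', 'Internet', 'Restricted sites'
$meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$suffix    = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Hives that can hold the value; each one is reported separately.
$roots = [ordered]@{
    'Machine policy'  = "HKLM:\SOFTWARE\Policies\$suffix"
    'User policy'     = "HKCU:\SOFTWARE\Policies\$suffix"
    'User setting'    = "HKCU:\SOFTWARE\$suffix"
    'Machine default' = "HKLM:\SOFTWARE\$suffix"
}

$report = foreach ($source in $roots.Keys) {
    foreach ($zone in 0..4) {
        $key  = Join-Path $roots[$source] $zone
        $item = Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # value not set in this hive

        $value = [int]$item.$action
        [pscustomobject]@{
            Source  = $source
            Zone    = $zoneNames[$zone]
            Setting = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { "Unknown ($value)" }
            # Flag Internet / Restricted zones that are not set to Disable,
            # the value recommended in the quote earlier in the thread.
            Review  = ($zone -ge 3 -and $value -ne 3)
        }
    }
}

$report | Format-Table -AutoSize

# To apply the recommended value for the current user's Internet zone (zone 3):
# Set-ItemProperty -Path "HKCU:\SOFTWARE\$suffix\3" -Name $action -Value 3 -Type DWord
```

A Trusted sites row showing Enable is the situation the Project Web Access guidance quoted above can lead to, so check which sites are actually in that zone.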
mysec
Premium
join:2005-11-29

Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Thanks for the information. Unfortunately, links from this site explaining the script code for cut, copy, paste, bring up "Content not found"

»msdn.microsoft.com/en-us/library···85).aspx


MeanPeepsSuk
Premium
join:2004-11-21
Muddy Field

2 edits
Removed my response/question from last night as no longer relevant.

Just realized this was an old thread brought to the top again.