Friday, September 14, 2007

Ad vendor serving exploits thru Facebook

Hi folks,

Last night I was reading a friend's blog on Facebook, and IE popped up a message saying that the webpage was trying to start RDS (Remote Data Services) services, and would I allow it. I clicked "No", and then thought "Hang on... it shouldn't have been starting RDS!" (It was late and I was a bit slow), so I opened up a goat machine, retraced my steps, and about a minute later... blam... programs dropped and executed on my machine.

No rootkit, and no detection from any AVs that I had access to, but after a reboot, I found that now, when I started IE and went to my home page, I got extra copies of the browser starting, and ads being served.

It’s hard to sort out, but here’s the critical sequence of connections (client IP, Referer, and Host from the proxy log; duplicate entries removed) …

Facebook calls to bannerconnect:
    208_67_70_3 Referer: http://ads.ak.facebook.com/ads [snip] ,Host: ad.bannerconnect.net

bannerconnect calls to yieldmanager:
    208_67_70_3 Referer: http://ad.bannerconnect.net/st?ad_t [snip] ,Host: ad.yieldmanager.com

yieldmanager calls to valuead:
    69_63_219_104 Referer: http://ad.yieldmanager.com/iframe3? [snip] ,Host: reduxads.valuead.com

valuead calls to megapromition, which throws an exploit (MS06-014), which runs an adware installer:
    85_17_161_17 Referer: http://reduxads.valuead.com/test?pi [snip] ,Host: www.megapromition.net

After reboot, an Internet Explorer launch that should just show Google looked like this …



It might well be an old exploit, but adware vendors shouldn't be doing it.
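To make a chain like the one above easier to pull out of a proxy log, here is an added Python example (not part of the original post): it parses lines in the same `ip Referer: url ,Host: host` shape as the excerpt, drops duplicates, links each hop by Referer host to Host, and flags the first hop that leaves an allowlist of the ad partners a site operator expects to see. The sample log lines, the allowlist and the two-label registered-domain heuristic are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the post's excerpt (second hop duplicated on purpose).
SAMPLE_LOG = """\
208_67_70_3 Referer: http://ads.ak.facebook.com/ads [snip] ,Host: ad.bannerconnect.net
208_67_70_3 Referer: http://ad.bannerconnect.net/st?ad_t [snip] ,Host: ad.yieldmanager.com
208_67_70_3 Referer: http://ad.bannerconnect.net/st?ad_t [snip] ,Host: ad.yieldmanager.com
69_63_219_104 Referer: http://ad.yieldmanager.com/iframe3? [snip] ,Host: reduxads.valuead.com
85_17_161_17 Referer: http://reduxads.valuead.com/test?pi [snip] ,Host: www.megapromition.net
"""
# Assumed allowlist: the ad partners a site operator expects to appear in its ad chain.
EXPECTED_AD_DOMAINS = {"facebook.com", "bannerconnect.net", "yieldmanager.com", "valuead.com"}
LINE_RE = re.compile(r"^\S+\s+Referer:\s+(?P<ref>\S+).*?,Host:\s+(?P<host>\S+)")

def parse_hops(log_text):
    """Return ordered, de-duplicated (referer_host, host) pairs; malformed lines are skipped."""
    hops, seen = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pair = (urlsplit(m.group("ref")).hostname, m.group("host"))
        if pair not in seen:
            seen.add(pair)
            hops.append(pair)
    return hops

def build_chain(hops, start_host):
    """Follow Referer -> Host links from start_host; stops at a dead end or a loop."""
    next_host = {}
    for ref, host in hops:
        next_host.setdefault(ref, host)  # first observed successor wins
    chain = [start_host]
    while chain[-1] in next_host and next_host[chain[-1]] not in chain:
        chain.append(next_host[chain[-1]])
    return chain

def registered_domain(host):
    """Naive two-label heuristic (assumption); adequate for the .com/.net hosts here."""
    return ".".join(host.split(".")[-2:])

def first_unexpected_hop(chain, expected_domains):
    """Index of the first host whose domain is outside the allowlist, or None if clean."""
    for i, host in enumerate(chain):
        if registered_domain(host) not in expected_domains:
            return i
    return None
```

Running `first_unexpected_hop(build_chain(parse_hops(SAMPLE_LOG), "ads.ak.facebook.com"), EXPECTED_AD_DOMAINS)` points at the megapromition hop, the one place the chain leaves the expected partners.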

Cheers

Roger

3 Comments:

At 8:23 PM, Blogger Jeremy-James said...

This is interesting. I too have had this problem with new browser consoles opening miscellaneous windows with ads for expensive spyware and random ringtones and other oddities. It annoys me that processor potential is drained and it's running lines of unwanted script, as I use the PC as I deem responsible.
Have you any ideas for finding these bogus unwanted corruptions? They appeared in a similar way to the symptoms you have described; I have no idea where they are located or what settings have been changed. Can you help me resurrect my browsers?

 
At 8:27 PM, Blogger Jeremy-James said...

My problems are with spylocked? and rightonadz?

 
At 7:30 AM, Blogger Roger Thompson said...

Hi Jeremy,

I think you've already got stuff running on your system, and it won't go away by itself. Unless you're prepared to, and able to, reload your system and restore your data, your best bet is to try multiple antispies and see if they can fix it.

After that, it's probably a good idea to install LinkScanner to help stop it from happening again.

Cheers

Roger

 
