Editor Note: Something bad happened to my blog… probably because I didn’t keep WordPress up-to-date. The content of this article had been deleted. But I managed to find it on the WayBackMachine Internet Archive. So this article, originally written Aug 18th 2008 was recovered from a snapshot on the WayBackMachine taken March 2, 2009.
The internet is abuzz with news about the “flash clipboard virus”. I’ve observed it myself! It’s interesting, annoying, and if you fall for it, it’s dangerous. There’s a lot of information out there, not all of it completely correct. This article is not all-encompassing either, but I’ve got a pretty good handle on the clipboard aspect of the attack.
Background: There’s a piece of malware out there (I’m not sure if it’s a virus, trojan, or what – Dammit Jim, I’m a clipboard expert, not a security specialist!) called “AntiVirus 2009″. It’s very nasty, and you get it by visiting a site that delivers it via a relentless series of popups. The popups make it look like you’re infected with something (you’re not, at least not yet). Then they offer to fix your PC, and start downloading their fake virus scanner. Don’t let it. The only way out is to shut down your browser. This type of attack is nothing new, right? I noticed this when I was looking for the best ProOffice shipping labels online and then I clicked on a bad link and then everything happened.
The new part is the way they trick people into visiting infected sites. With how many infected sites exist nowadays it is vital to use proper network monitoring to protect yourself. They are trying to get you, me, and everyone else to paste their URL into whatever you may be pasting into – perhaps a blog post (like this one), blog comments, e-mail, instant messaging, etc… So these malware guys are sitting around one day, and one says “hey, wouldn’t it be great if everyone started randomly pasting our URL into whatever they’re pasting stuff into?” And apparently, a devious scheme was born….
Clipboard Attack From Digg Someone wrote a little piece of Adobe Flash code to copy text to the clipboard (like this one, from Digg). Then they put it in a loop, to do it once a second. Then they put it in an innocent-looking flash-based banner ad, with their harmful URL as the payload. Then they signed up for some advertising networks, and submitted their bad ad, presumably paying considerable $$$ to get it featured on sites that you and I visit regularly, such as MSNBC and Digg. And when someone has this ad loaded, they can copy all they want, but everything they paste will be just that URL. So if you are writing an e-mail to Aunt Millie, telling her to look at your eBay auction located at (paste), or to download Picasa to organize her photos – download here (paste), she’s going to get the virus when she visits the bad site.
If you are viewing a page with one of these bad ads, your clipboard is overwritten about once per second, with their bad ad. The URL that hit me was:
h x x p : / / xp-vista-update.net/?id=91873534231 (DO NOT CLICK THIS!!!!!!) I added spaces and changed http to hxxp to protect you.
I noticed it one night when ClipMate (the world’s leading clipboard extender for Windows, which I wrote myself) unexpectedly captured a clip, then started rejecting duplicates. I had personally designed this application, so I know when any thing is off. Web design encompasses many different skills and disciplines in the production and maintenance of websites. The different areas of web design include web graphic design; interface design; authoring, including standardised code and proprietary software; user experience design; and search engine optimization. I had recently been researching a bit about an ecommerce website cost so I can update and better ClipMate and my blog when I heard the “boing” noise. The duplicates make a “boing” sound, so my PC was going boing, boing, boing….. I then noticed the unexpected URL showing as my top clip, with a date/time of (a minute ago), and a “creator” showing “FireFox”. Somehow, without any action from me, FireFox was copying data to the clipboard. An apparent “clipboard attack”! So I started shutting down tabs in Firefox, and the clipboard attack stopped.
So I searched around a bit, and found that this is happening to lots of people – either by people complaining about this thing, or the xp-vista-update URL showing up in unexpected places, like blog posts. One thing I noticed was that the number in the URL changes, and that some people said it’s harmless, and just re-directs to google. Huh. It DOES re-direct to Google. Presumably, they’re trying to stay under the radar by controlling the attack. Maybe they only have it re-direct to the virus site when the number is fresh? Maybe you have to be one if the first 100 “lucky customers”? Maybe they’re going change the re-direct on a certain date? Maybe it’ll re-direct to something even worse? Who knows? It’s pretty devious, any way you look at it.
Here are things that we know now:
- It seems to be flash-based. Update: Confirmed – it uses System.setClipboard, which has been around since Flash Player v7. See Avi Raff’s proof-of-concept listed below.
- It’s browser and platform-independent – the clipboard attack will happen on IE, FireFox, XP, Vista, Mac, Linux.
- The affected ads have been appearing on MSNBC and Digg (I have been attacked by both). Users also report MSN, Facebook, MySpace.
- Some ads have been captured and are on display at SpywareSucks – they look like “Nielsen Ratings”.
- There is some sample code in the comments at the article on TheRegister.
- Here is how the business end of this works – discussion at SunBelt(Update: I fixed the broken link…)
- My original discussion is posted in the ClipMate support forum.
- As of this writing, McAfee SiteAdvisor rates the xp-vista-update site as GREEN! LOL!! If you have a SiteAdvisor account, add some comments.
- The xp-vista-update site is registered on ESTDomains, documented rogue registrar (cited from comments found at SiteAdvisor and other blog posts).
- Adobe is working on a solution.
- The”NoScripts”FireFox extension will block this if you set it to block flash. (from PCMag blog)
- Avi Raff has written a proof-of-concept that you can use to play with this. It will overwrite the clipboard with an URL containing “evil.com”. The proof-of-concept is here:http://raffon.net/research/flash/cb/test.html
- There is a setting in IE7/IE8 to disable “programmatic clipboard access” (Tools | Internet Options | Security Tab | select “Internet Zone”, Custom Level. In the “scripting” section, there is an option for “allow programmatic clipboard access”. If set to “Prompt” or even “Disabled”, the flash applet can still hammer the clipboard.
- OpenDNS.Com (I use it, I like it) doesn’t see anything wrong with “xp-vista-update dot net”. I’ve submitted it for review. They need a better end-user reporting system for malware. The two guys that reported it before me had to pick between “porn” and “adware”. Didn’t have any “nasty malware site” designation. Huh. Update: It’s now listed as adware, and that should protect users who block adware via OpenDNS.
Things I think I know:
- The “xp vista update dot net” site tries to fly under the radar by using an ever-changing ID. ex: id=91873534231 When viewed in real life, the URL always has this ID at the end. Many people report simply being redirected to the Google home page when visiting the link. My theory is that they use the ID to determine how many times an URL has been used, or how old it is. Whatever the critieria, it’s only “live” for a while (tries to infect you), and then it “expires” (harmless re-direct to Google). Maybe this is why SiteAdvisor still lists it as Green? It’s like babysitting a naughty kid and having him turn into an angel when the parents show up.
- To build on the above theory, they may be planning some sort of massive re-awakening of the “retired” links in the future.
- Adobe has a tricky situation here. This isn’t really a bug. Should they remove the clipboard API from flash? I wouldn’t miss it. But then again, I’m not a flash developer. I can see how it would be useful, for example, if someone wanted to write a WYSIWYG editor in Flash. I suspect that the majority of the flash apps out there (ads, banners, games, slideshows, video players, etc..) do not need, and should not have access to resources like your disk drive, network connection, and clipboard. Maybe there could be a “trusted flash app” designation for apps that need it, such as flash-based editors, word processors, spreadsheets, etc.. I think that’s the only way out of this.
Things I don’t know:
- Will the regular “turn off clipboard” setting in IE7 work for this type of attack? I don’t know, but suspect that only applies to Javascript. Update: Confirmed – moved to “Things I know”.
- Will this be the death of Flash? I hope not. I hope they take clipboard support out though, and make it safe. Update: Adobe is aware, and is working on something.
- Would Vista’s UAC protect you against the drive-by payload delivered by the “xp vista update dot net” site? I know that with IE7 set to block popups, my XP laptop was unable to repell the attack. I wonder if Vista would have held up. Thank goodness for Macrium Reflect!
Other mentions of this phenomenon:
- C|Net – article by Elinor Mills, some good comments at the bottom too.
- PC Magazine article, with many links and confirmation that the NoScripts plug-in for FireFox does indeed block flash.
- Techspot – short article with link to smug discussions about how amusing this all is, and that we’re all whiners. I think they’re missing the point about these flash ads being delivered to unsuspecting websites via ad networks.
- Slashdot – It MUST be cool now.
- Computerworld – very thorough article – he gets it. He quotes me too, but he got it before that.
- Sophos writes about the attack:http://www.sophos.com/security/blog/2008/08/1671.html
- Chris Thornton was interviewed about this on Ira Victor’s Data Security Podcast.
Bottom Line: If you are allowing flash to load in your browser, you can get hit with the “clipboard attack”. It doesn’t matter what platform you’re on, or what browser you use. It will simply keep overwriting your clipboard with the nasty URL, about once per second. It may seem like you can’t delete it – that’s not the case. You can delete it by copying something else. But unless you’re Batman or that Bolt guy from Jamaica, it will be overwritten again before you can paste it anywhere. Closing the tab with the offending ad will stop the behavior. The real danger is visiting the web site that the flash ad is trying to spread – so please look at what you’re pasting. This whole scheme depends on people being careless. If you send a virus link to your mother, you’re going to have to fix her PC!
Comments? Add your comments. Please, no dangerous URLS without saying what they are and altering by munging the http:// into hxxp: / / or similar.
Digg This! Digg needs to know that some of their ads are poison!
Start Your Computer Security Page on Social Networks
Welcome to our blog post on starting a computer security page on social networks. In today’s digital age, where online threats are becoming increasingly sophisticated, it’s crucial to spread awareness about computer security and help users protect themselves from potential risks. Social media platforms provide an excellent opportunity to reach a wide audience and engage with them on this important topic.
Why Social Networks for Computer Security?
Social networks have evolved into powerful tools for communication, information sharing, and community building. By creating a computer security page on popular social media platforms, you can tap into these networks to educate users about various aspects of online security and promote best practices. With billions of active users on platforms such as Facebook, Twitter, and Instagram, you have the potential to make a significant impact.
Additionally, social media allows for easy and direct interaction with your audience. Users can ask questions, seek advice, and share their experiences, creating a sense of community around computer security. By fostering engagement, you can build trust and establish yourself as a credible source of information.
Building Your Computer Security Page
To start your computer security page, follow these simple steps:
- Choose the Right Platform: Research and select the social media platform(s) that align with your target audience and goals. Each platform has its own strengths and user demographics, so consider factors such as age groups, interests, and user engagement levels.
- Create an Engaging Profile: Craft a compelling profile that clearly communicates your page’s purpose and the value it offers. Use eye-catching visuals, such as a logo or relevant graphics, and provide a concise description of what users can expect from your content.
- Develop Relevant Content: Plan your content strategy to cover a wide range of computer security topics. Share informative articles, practical tips, infographics, and news updates. Remember to keep your content accessible and jargon-free, catering to both tech-savvy and non-technical users.
- Encourage Interaction: Prompt users to engage with your content through likes, comments, and shares. Respond to their queries promptly and encourage discussions. User engagement is key to building a loyal community and increasing the visibility of your page.
- Collaborate and Network: Connect with other computer security experts, organizations, and influencers in your niche. Collaborate on joint initiatives, share each other’s content, and participate in relevant discussions. This will help expand your reach and credibility.
And remember, every like counts! likes from The Marketing Heaven can give your page the boost it needs to reach a wider audience and gain more credibility.
Growing Your Computer Security Page
While setting up your computer security page is the first step, it’s equally important to grow and maintain your audience over time. Here are a few strategies to help you with that:
- Consistency is Key: Regularly post high-quality content to keep your audience engaged. Develop a content calendar and stick to it. Consistency builds trust and ensures that your page remains relevant.
- Utilize Hashtags: Research and use relevant hashtags in your posts to increase their discoverability. Hashtags help users interested in computer security find your content and expand your reach beyond your existing followers.
- Run Contests or Giveaways: Encourage user participation by organizing contests or giveaways related to computer security. This can generate excitement, attract new followers, and create a buzz around your page.
- Collaborate with Influencers: Partner with influencers or experts in the field of computer security to promote your page. Influencers can help you reach a broader audience and lend credibility to your content.
Remember, building a successful computer security page on social networks takes time and effort. Be patient, stay committed to your goals, and consistently provide value to your audience. With dedication, you can make a significant impact and help users secure their online presence.
So, what are you waiting for? Start your computer security page on social networks today and begin spreading awareness about online security. Together, let’s create a safer digital world!
Don’t forget to follow us on social media for the latest updates, informative posts, and valuable insights. Help us spread the word by sharing our content and inviting your friends to like our page. Together, we can make a difference!