Editor Note: Something bad happened to my blog… probably because I didn’t keep WordPress up-to-date.  The content of this article had been deleted. But I managed to find it on the WayBackMachine Internet Archive.  So this article, originally written Aug 18th 2008 was recovered from a snapshot on the WayBackMachine taken March 2, 2009.

The internet is abuzz with news about the “flash clipboard virus”.  I’ve observed it myself!  It’s interesting, annoying, and if you fall for it, it’s dangerous.  There’s a lot of information out there, not all of it completely correct.  This article is not all-encompassing either, but I’ve got a pretty good handle on the clipboard aspect of the attack.

Background:  There’s a piece of malware out there (I’m not sure if it’s a virus, trojan, or what – Dammit Jim, I’m a clipboard expert, not a security specialist!) called “AntiVirus 2009″. It’s very nasty, and you get it by visiting a site that delivers it via a relentless series of popups.  The popups make it look like you’re infected with something (you’re not, at least not yet). Then they offer to fix your PC, and start downloading their fake virus scanner.  Don’t let it.  The only way out is to shut down your browser.  This type of attack is nothing new, right?

The new part is the way they trick people into visiting infected sites.  They are trying to get you, me, and everyone else to paste their URL into whatever you may be pasting into – perhaps a blog post (like this one), blog comments, e-mail, instant messaging, etc…   So these malware guys are sitting around one day, and one says “hey, wouldn’t it be great if everyone started randomly pasting our URL into whatever they’re pasting stuff into?”  And apparently, a devious scheme was born….

Clipboard Attack From Digg Someone wrote a little piece of Adobe Flash code to copy text to the clipboard (like this one, from Digg). Then they put it in a loop, to do it once a second. Then they put it in an innocent-looking flash-based banner ad, with their harmful URL as the payload.  Then they signed up for some advertising networks, and submitted their bad ad, presumably paying considerable $$$ to get it featured on sites that you and I visit regularly, such as MSNBC and Digg.  And when someone has this ad loaded, they can copy all they want, but everything they paste will be just that URL.   So if you are writing an e-mail to Aunt Millie, telling her to look at your eBay auction located at (paste), or to download Picasa to organize her photos – download here (paste), she’s going to get the virus when she visits the bad site.

If you are viewing a page with one of these bad ads, your clipboard is overwritten about once per second, with their bad ad.  The URL that hit me was:
h x x p : / / xp-vista-update.net/?id=91873534231   (DO NOT CLICK THIS!!!!!!)  I added spaces and changed http to hxxp to protect you.

I noticed it one night when ClipMate (the world’s leading clipboard extender for Windows, which I wrote myself) unexpectedly captured a clip, then started rejecting duplicates.  The duplicates make a “boing” sound, so my PC was going boing, boing, boing….. I then noticed the unexpected URL showing as my top clip, with a date/time of (a minute ago), and a “creator” showing “FireFox”.   Somehow, without any action from me, FireFox was copying data to the clipboard.  An apparent “clipboard attack”!  So I started shutting down tabs in Firefox, and the clipboard attack stopped.

So I searched around a bit, and found that this is happening to lots of people – either by people complaining about this thing, or the xp-vista-update URL showing up in unexpected places, like blog posts.  One thing I noticed was that the number in the URL changes, and that some people said it’s harmless, and just re-directs to google.  Huh. It DOES re-direct to Google. Presumably, they’re trying to stay under the radar by controlling the attack.  Maybe they only have it re-direct to the virus site when the number is fresh? Maybe you have to be one if the first 100 “lucky customers”?  Maybe they’re going change the re-direct on a certain date?  Maybe it’ll re-direct to something even worse?  Who knows?  It’s pretty devious, any way you look at it.

Here are things that we know now:

• It seems to be flash-based.  Update: Confirmed – it uses System.setClipboard, which has been around since Flash Player v7.  See Avi Raff’s proof-of-concept listed below.
• It’s browser and platform-independent – the clipboard attack will happen on IE, FireFox, XP, Vista, Mac, Linux.
• The affected ads have been appearing on MSNBC and Digg (I have been attacked by both).  Users also report MSN, Facebook, MySpace.
• Some ads have been captured and are on display at SpywareSucks - they look like “Nielsen Ratings”.
• There is some sample code in the comments at the article onTheRegister.
• Here is how the business end of this works - discussion at SunBelt(Update: I fixed the broken link…)
• My original discussion is  posted in the ClipMate support forum.
• As of this writing, McAfee SiteAdvisor rates the xp-vista-update site as GREEN!  LOL!! If you have a SiteAdvisor account, add some comments.
• The xp-vista-update site is registered on ESTDomains, documented rogue registrar (cited from comments found at SiteAdvisor and other blog posts).
• Adobe is working on a solution.
• The”NoScripts”FireFox extension will block this if you set it to block flash. (from PCMag  blog)
• Avi Raff has written a proof-of-concept that  you can use to play with this.  It will overwrite the clipboard with an URL containing “evil.com”.  The proof-of-concept is here:http://raffon.net/research/flash/cb/test.html
• There is a setting in IE7/IE8 to disable “programmatic clipboard access” (Tools | Internet Options | Security Tab | select “Internet Zone”, Custom Level.  In the “scripting” section, there is an option for “allow programmatic clipboard access”. If set to “Prompt” or even “Disabled”, the flash applet can still hammer the clipboard.
• OpenDNS.Com (I use it, I like it) doesn’t see anything wrong with “xp-vista-update dot net”.  I’ve submitted it for review.  They need a better end-user reporting system for malware.  The two guys that reported it before me had to pick between “porn” and “adware”.  Didn’t have any “nasty malware site” designation. Huh.  Update: It’s now listed as adware, and that should protect users who block adware via OpenDNS.

Things I think I know:

• The “xp vista update dot net” site tries to fly under the radar by using an ever-changing ID.  ex:  id=91873534231  When viewed in real life, the URL always has this ID at the end.  Many people report simply being redirected to the Google home page when visiting the link. My theory is that they use the ID to determine how many times an URL has been used, or how old it is. Whatever the critieria, it’s only “live” for a while (tries to infect you), and then it “expires” (harmless re-direct to Google).  Maybe this is why SiteAdvisor still lists it as Green?  It’s like babysitting a naughty kid and having him turn into an angel when the parents show up.
• To build on the above theory, they may be planning some sort of massive re-awakening of the “retired” links in the future.
• Adobe has a tricky situation here. This isn’t really a bug.  Should they remove the clipboard API from flash?  I wouldn’t miss it.  But then again, I’m not a flash developer. I can see how it would be useful, for example, if someone wanted to write a WYSIWYG editor in Flash.  I suspect that the majority of the flash apps out there (ads, banners, games, slideshows, video players, etc..) do not need, and should not have access to resources like your disk drive, network connection, and clipboard.  Maybe there could be a “trusted flash app” designation for apps that need it, such as flash-based editors, word processors, spreadsheets, etc..  I think that’s the only way out of this.

Things I don’t know:

• Will the regular “turn off clipboard” setting in IE7 work for this type of attack?  I don’t know, but suspect that only applies to Javascript.  Update: Confirmed – moved to “Things I know”.
• Will this be the death of Flash?  I hope not.  I hope they take clipboard support out though, and make it safe.  Update: Adobe is aware, and is working on something.
• Would Vista’s UAC protect you against the drive-by payload delivered by the “xp vista update dot net” site?  I know that with IE7 set to block popups, my XP laptop was unable to repell the attack. I wonder if Vista would have held up. Thank goodness for Macrium Reflect!

Other mentions of this phenomenon:

• C|Net – article by Elinor Mills, some good comments at the bottom too.
• PC Magazine article, with many links and confirmation that the NoScripts plug-in for FireFox does indeed block flash.
• Techspot - short article with link to smug discussions about how amusing this all is, and that we’re all whiners.  I think they’re missing the point about these flash ads being delivered to unsuspecting websites via ad networks.
• Slashdot - It MUST be cool now.
• Computerworld - very thorough article – he gets it.  He quotes me too, but he got it before that.
• Sophos writes about the attack:http://www.sophos.com/security/blog/2008/08/1671.html
• Chris Thornton was interviewed about this on Ira Victor’s Data Security Podcast.

Bottom Line:  If you are allowing flash to load in your browser, you can get hit with the “clipboard attack”.  It doesn’t matter what platform you’re on, or what browser you use.  It will simply keep overwriting your clipboard with the nasty URL, about once per second.  It may seem like you can’t delete it – that’s not the case. You can delete it by copying something else. But unless you’re Batman or that Bolt guy from Jamaica, it will be overwritten again before you can paste it anywhere.  Closing the tab with the offending ad will stop the behavior.  The real danger is visiting the web site that the flash ad is trying to spread – so please look at what you’re pasting.  This whole scheme depends on people being careless.  If you send a virus link to your mother, you’re going to have to fix her PC!

Comments? Add your comments. Please, no dangerous URLS without saying what they are and altering by munging the http:// into hxxp:  / / or similar.

Digg This! Digg needs to know that some of their ads are poison!

• ex:  echo “hello, world!” | clip
• ex: dir | clip
• ex: clip < readme.txt

Again, this is available on Vista.  If you are using older versions of Windows, you can use our Dos2Clip program, which will do the same thing, but only with one line.  You can get it here, and it’s free to use.

1) Copy something benign – just highlight any harmless text from any program, press Ctrl+C, and you’ve just overwritten the clipboard with that benign word. 

2) Press the PrintScreen key – this puts a bitmap onto the clipboard, overwriting whatever was there previously.  Web sites can’t paste an image, and if a co-worker is sitting at your desktop, they can see what’s on your screen anyway.  You CAN paste the image into an image editor such as Microsoft Paint, but unless you’ve got sensitive or “naughty” stuff on the screen, this is probably the quickest way.

If your goal is to save memory, use option #1.  Any program that claims to “clear your clipboard, thereby saving memory) is going to use more memory than whatever little thing you’re copying to overwrite what was there.

This tip brought to you by the people who make ClipMate!

So I went to CompUSA, looking for another board/CPU combo. Since the old board was Pentium-D, I wanted something more efficient (and quieter/cooler), so I picked up a brand-name MoBo, an AMD X2 CPU, and some nice Corsair DDR2 RAM. I made the mistake of not looking for the Vista certification on the MoBo. More on that later…

I had expected to swap components, and hopefully let Vista find the new drivers when it booted. After all, we’ve had the “hardware abstraction layer” (HAL) since NT 3.5, right?  So I threw my faith in HAL, Plug-n-Play, Plug-n-PRAY, etc.. Sure enough, immediate blue-screen, followed by endless reboot/BSOD/reboot cycle.

If you’ve found this in google, you know what that’s all about. I’ll make the long story short – I was unsuccessful in booting from my Vista HD. Vista was unsuccessful in “repairing” the old installation. I ended up re-installing Vista (twice, because MSFT sends me “upgrade” disks because I’m in the “Action Pack” program). Grrrrr. I needed a better way.  Next time, I vowed to do better.

Well, that MoBo turned out to be a sweet Linux or XP board, but it wasn’t Vista certified, and I was experiencing daily lockups. No BSOD, just a freeze, requiring a power-off. I tried BIOS updates, new drivers, etc.. No good. My retailer (CompUSA) is going out of business (should have used NewEgg!!) and wasn’t interested in getting it back. I wasn’t interested in spending hours on hold with the MFG to RMA it and get an identical (non-working-on-Vista) board. So for $79, I found a nice Gigabyte board on NewEgg.

This time, I found a write-up that talked about removing drivers on the old board, prior to shutting down. This makes the board “driver agnostic”.  Long story short, it didn’t work. I think my PnP loaded the old drivers anyway, before I could shut down the machine.

The Lifeboat 

Looking for another solution, I found a comment on Lockergnome that talked about a “lifeboat” disk adaptor card.  Hmmmm…   Basically, you install a cheap IDE/SATA card into the machine before the MoBo swap. Let Vista (should work on XP too) load the drivers. At this point, Vista has drivers to run that card, no matter what chipset the MoBo has.  Then swap the MoBo, and plug your HD (Temporarily) into the new card. Load Windows, let PnP detect the new hardware, load drivers, etc.. Now you can reboot and switch back to the MoBo IDE/SATA ports, and remove the “lifeboat” card.  It sounded great, so I thought I’d give it a try!

I purchased a cheap IDE/SATA card (PCI interface) from NewEgg. For $20, I got this:

http://www.newegg.com/Product/Product.aspx?Item=N82E16816132009

It’s got both IDE and SATA ports, and runs on Vista. Great. 

Next, I installed it into my PC, running the old Motherboard.  Vista asked for drivers, I gave it the CD that came with the board.

Then I shut down and swapped the motherboard, and transplanted the Rosewill board from the old motherboard onto the new one.  This time, I connected the SATA drive to the Rosewill card. I probably should have connected the IDE cable for the DVD drive, as that would have saved a reboot later on.  But I left it disconnected.

Now I powered on and Vista loaded!  No BSOD. It came up with generic drivers, and did its PnP thing and loaded drivers that worked with the Motherboard. Here is where it may have been good to have the DVD plugged into the Rosewill card, to get a better set of drivers from the Gigabyte CD. No harm though, the Windows drivers worked.

Now I shut down, removed the rosewill card, and connected the IDE and SATA to the MoBo. Upon power-up, Vista loaded again, and I was able to update drivers from the Gigabyte CD.

Conclusion 

It worked great!  The Rosewill card now sits on the shelf, for future emergencies.  I will use it to “innoculate” all other (non-laptop) PCs in the house, so that I can upgrade failed motherboards in the future. In case of failure, they’ll already have the Rosewill drivers, and can be simply upgraded with new motherboards/CPU.  You don’t always get to do any “prep”, especially when the hardware just dies. So I’m going to prepare all of my systems so that they’re ready, in case they need a swap.

Apparently, Apple has “invented” some sort of killer technology for the iPhone, that lets you select something, “copy” it to an internal memory buffer, and then “paste” it somewhere else.  They’re calling it the ClipBoard ™.  What next, they’ll claim to have invented phones too?  Maybe the color Yellow?

Of course, we expect that it will pale in comparision to ClipMate, the first ClipBoard EXTENDER, written way back in 1991.  Ironically, inspired by the lameness of the Mac clipboard.  Read about it here.

This blog post describes the security setting in IE7 that warns you, and tells how you can turn it off (I don’t recommend turning it off….)
http://www.mydigitallife.info/2006/09/25/disable-allow-this-webpage-to-access-your-clipboard-pop-up-warning-message-in-ie7/

Technically, it’s pretty simple. A single line of javascript on the page can read your clipboard (unless IE is set to block it).

This article describes how the javascript trick is done:
http://www.arstdesign.com/articles/clipboardexploit.html

This blog post also describes how it’s done, and has a sample link, if you’d like to see this in action, or just to test if you’re protected or not:
http://harriyott.com/2005/01/javascript-clipboard-control.aspx

As for ClipMate (our product), the vulnerability doesn’t go any further than what’s on the clipboard (the currently selected clip). Such scripts have no capability to dig into ClipMate’s database or force it to give up other clips.

Update: (Dec 7, 2007) Now it looks like an e-mail trojan is exploiting this. I suspect that it can only work if you used web-based e-mail such as squirrelmail, yahoo, gmail, etc.. If you are opening your (web-based) e-mail and your browser asks permission to use the clipboard,  DON’T!  Here’s a link to the discussion about that:
http://www.windowsbbs.com/showthread.php?t=69461

 Vista Pain In The Neck Rule #1: If you modify or create a program in the “program files” directory, or a program does it for you, Vista will play tricks on you.

This includes:

1. Editing a file yourself, even if you have administrator privleges
2. Any program that writes a data file to the program files directory (unless it’s an installer).
3. Any program that writes configuration or .ini files to the program files directory (unless that program was launched by an installer).

Here’s what I did:

I had modified a file myself, using TextPad or EmEdit (both are excellent text editors), in c:\program files\ClipMate7\Languages.  The file was called “english.lng”.  This was to test some changes for an upcoming maintenance release.  The modified file contained a version string 7.2.05.165, so I could easily check it within the program, to see if the translation was up-to-date.

A few days later (today), I installed my shiny new version 7.2.06.166.  Guess what?  English.lng contained the 7.2.05.165 version. 

I re-checked the installer and build scripts and directories. Everything was fine. As far as I could see, 7.2.06.166 was making it into the installer.  I uninstalled, rebooted, re-installed, and still had the old file.

Then I remembered the whole UAC thing, and how Vista makes some sort of “shadow” copy.  That’s what happens when Vista asks for special permission to continue with the “file save” or delete.  Yes, yes, yes indeed.  I found the old file lurking in:
C:\Users\Chris\AppData\Local\VirtualStore\Program Files\ClipMate7\Language\English.lng

I deleted it, and everything was fine.

How did this happen?

I was assuming that the installer would be able to clean up any such problems, but apparently, while the special UAC privlege for installers only allows them to install/delete files in the program files directory, it does NOT have provisions for reconciling newly-installed files with older files that are lurking in the VirtualStore directory.  Even though the installer supplied a new version of english.lng, Vista showed me the old one.

Lessons Learned To Date:

1. If a program file needs to write important data to its own directory, install it somewhere else. I have set up D:\Apps, for this purpose.
2. If you are backing up a program that seems to store its data in its own directory, and you didn’t follow #1 above, don’t count on the backup actually having the right files.
3. If you install a program and it offers to “run program now”?  Don’t. Just let the installer quit, and then run the program yourself. Otherwise you’ll run the risk of the program running with elevated privleges, and creating data and configuration files that cannot be updated later.
4. And today’s lesson: If you edit anything in the Program Files directory, you’re asking for trouble.  Be sure to check the VirtualStore cache.
5. The Virtual Store resides in: C:\Users\<userid>\AppData\Local\VirtualStore\Program Files\ClipMate7\Language\English.lng

References and helpful links:

• Vista and User Virtualization
• What is UAC? (And how to turn off those annoying prompts!)

Tags: uac, user account control, vista

Office 2007:

• Doesn’t seem to be a problem. I haven’t seen a clipboard come up, when performing multiple copies. 

Office 2003: See these articles:

• http://malektips.com/word_2003_0025.html
• http://www.annoyances.org/exec/forum/winxp/1187382118

Office2000:

• From Microsoft: “As you copy items, the Office Clipboard automatically appears on your desktop. You can close it if you do not want it to appear automatically. After closing the toolbar three times, you are prompted to permanently close it. If you permanently close the clipboard, to redisplay it, on the View menu, click Toolbars and then click Clipboard.”
• This information is from the Microsoft Support Knowledge Base, Article: Q221190 : Using the Office 2000 Clipboard
  There is yet another way, if you want to edit the registry.  The information is in a related Knowledge Base article: Q207438 OFF2000: Preventing the Office Clipboard Toolbar from Appearing
• Here are two registry scripts that will turn off, or on, the Office2000 clipboard by adjusting the value that is mentioned in the above MS Knowledge Base article:  
  Turning it off: office2000clipboardoff.reg
  And back on again:office2000clipboardon.reg
  Just click on either of the above links above, download and run the file to update the registry. You’ll be prompted with an “are you sure” dialog, and then the registry is updated.  If you want to see what they’re doing first, just download to your hard disk and open with a text editor such as Notepad.

• Note: This registry patch won’t work in Office XP

OfficeXP Clipboard:

• OfficeXP has a clipboard that will interfere with certain ClipMate operations like PowrePaste.  Disabling it is easy.  Start WinWord, and you’ll see the “task pane” at the side of the screen.  Within the task pane, you’ll see the clipboard appear if you copy two items in a row.  Now you can turn it off for good.  Select the “Options” menu, and turn off the “Show Automatically” and “Collect without showing” options.  There is a screenshot to show this.  When you re-start WinWord, the clipboard won’t re-appear.  If you need to bring it back, you can do so via the menu at the top of the “task pane”.

• Alternately, if you see the OfficeXP clipboard icon showing in the Windows System Tray (next to the clock), you can right-click on it and select “stop collecting”.

Related Links:

•  Annoyances.Org has a page on disabling the Office Clipboard in both Office2000 and XP.

How To Fix The Photoshop Clipboard (Sept 5, 2007)

It was an interesting read for me, confirming some things I’ve suspected.  I’ve always assumed that Photoshop keeps its own, separate clipboard for internal copy/paste (just call it a “hunch”, after years of support questions…)  But it seems that you can get into a bind where Photoshop doesn’t update its internal clipboard when the external one changes. The user copies something from somewhere, and pastes it into Photoshop.. and gets something that he copied WITHIN Photoshop, half an hour ago.   Of course, users hate that.

Developers never seem to learn: don’t try to be too cute with the clipboard. When the user wants to paste, go and get the clipboard contents and paste it. Don’t try to monitor the clipboard to see if you like it, or if it has newer data than your internal buffer. If the user wants to paste, just paste from the clipboard. Smoke and mirror tricks will always end badly, when you try to account for anyting and everything that could be happening to the clipboard.

Of course, this is likely due to blind faith in the clipboard notification process.  It probably worked great in the lab though! 

Background: One of our users was having frequent clipboard disconnects. When asked to narrow it down, he found that every time he ran Windows Media Player 11, the clipboard connection dropped.  Upon investigation, it seems that Windows Media Player 11 will distrupt the clipboard connection 100% of the time! 

Tested: Windows Media Player 11.0.5721.5145 on XP

Problem: Running Windows Media Player (WMPlayer) 11 causes dropped clipboard connection

Test: You can demonstrate the same behavior with the regular XP clipboard viewer:

1) Close all programs, including WMPlayer.

2) Run the XP clipboard viewer: Start | Run | Clipbrd.Exe (if not installed, install it with add/remove windows components, in control panel).

3) Copy this line from your web browser, it should show up in the clipboard viewer.
TEST TEST TEST TEST TEST

4) Start Windows Media Player 11

5) Copy THIS LINE from the web browser. It should show up in the clipboard.
ANOTER TEST ANOTHER TEST ANOTHER TEST

If line 5 didn’t show up in the clipboard, but line 3 did, then WMPlayer is clearly interfering with the clipboard connection.

Oh boy, it’s even better. After shutting WMPlayer down, the clipboard notification chain is still busted. They have a SERIOUS problem here.

I suspect that they are registering as a clipboard viewer, but are failing to pass along the WM_DrawClipboard messages to the next viewer.  Full information on how to do this correctly is documented on our clipboard viewer page.