The Register® — Biting the hand that feeds IT

Comments on: Mystery web attack hijacks your clipboard

Interesting, but not an OS exploit 

Posted Friday 15th August 2008 18:21 GMT

Stop

"The rogue link remains even after the user copies a new batch of text. The only way to remove it is to reboot the computer."

That the problem can't be resolved by less drastic means, such as logging off, user switching, or killing the offending process seems... unlikely. In fact, according to at least one poster, they solved the problem by killing the firefox process. I suspect that the attack works by running a loop which continuously inserts the malicious link into the copy and paste buffer. This is supported by another poster reporting that they can, in fact, copy and paste another block of text, assuming they do it very very quickly.

If I had more time today, I'd fire up a virtual machine and go looking for a copy of this exploit myself; it looks like it would be fun to dissect.

-Daniel

Daniel is right 

Posted Friday 15th August 2008 18:37 GMT

...at least, according to the links posted (which I actually read; did the author? ;)). Trouble is, if true this isn't really a bug, it's correct functionality being abused. One for advertising vendors, perhaps, not browser developers.

Seen this 

Posted Friday 15th August 2008 18:55 GMT

A user came by with a laptop, then later a desktop, where the clipboard wasn't functional and would only paste a similar link yesterday.

A fresh Ad-Aware install + Avast found nothing, rebooted and things were fine. Haven't seen it since.

Redirects to Google 

Posted Friday 15th August 2008 18:59 GMT

Playing with a bit of wget and changing the user agent to Firefox/IE, the quoted exploit site appears to just redirect me to Google's home page. Does this mean that someone's already clobbered the target site? Or is it looking for some bit of cleverness that I failed to duplicate? I run NoScript on Firefox so if that's the vector then I'm not likely to find out by accident.

MSNBC Breaking News 

Posted Friday 15th August 2008 19:02 GMT

I've received a lot of spam email today, supposedly from MSNBC Breaking News. Actual return email addresses vary.

Is this how the virus/trojan/malware is being spread?

Clipboard access in Mozilla is painful 

Posted Friday 15th August 2008 19:07 GMT

I have recently had to write JavaScript code that reads and writes the clipboard, and making it work for Mozilla is painful. You need about 30 lines of gobbledegook, and even then it doesn't work unless you change a security setting in about:config, and you then still get a warning when the code first runs.

The interesting thing is that permission to access the clipboard is covered by the same setting as the most serious types of access, such as reading and writing local files. So it's not impossible that the hole that's being exploited here could be put to more unpleasant purposes.

But if it's flash, perhaps things are different.

Surely not! 

Posted Friday 15th August 2008 19:08 GMT

Flame

If what you say is true, then it's not a browser bug, nor an OS bug.

Looks like I'll be firing up Lynx over the weekend. :-)

I can see no valid reason... 

Posted Friday 15th August 2008 19:15 GMT

Stop

...why websites (or Flash for that matter) should have access to the clipboard at all.

Providing scripts with read-write access (in IE at least) to a buffer that may well contain confidential data is just asking for trouble in so many ways... So many people copy/paste passwords, CC numbers, etc...

Same as Frank 

Posted Friday 15th August 2008 19:25 GMT

This week I have had a fair number of msnbc news updates in my spam as well as nearly as many cnn news updates.

Almost definitely Flash-based 

Posted Friday 15th August 2008 19:26 GMT

Most likely it is a small Flash (SWF) embedded object on the page. It continuously copies data to the clipboard.

I encountered this once when taking an opinion survey.

redirects 

Posted Friday 15th August 2008 19:43 GMT

to Google with Iceweasel under Linux or telnetting to the web site. Connects to internetscanner2009.com if running under XP and tries to get the user to install the program AV2009Install_77011807.exe by lying about an infected system. I will try and find the method/advert used to get the link into the clipboard. Could take some time.

Happened two weeks ago, Linux too 

Posted Friday 15th August 2008 20:14 GMT

This happened to me on July 29th while browsing technology and news sites (so nothing I expected to be particularly dangerous) with Firefox 2 and Linux. I then pasted the link, saved the AV2009... file and tested it with an online virus scanner. It tested negative. The day after, it tested positive.

At the time I could not find information about this on the web, but this exact attack has been in the wild for at least two weeks.

Cupboard? 

Posted Friday 15th August 2008 20:33 GMT

Paris Hilton

I managed to initially misread the headline as "Mystery web attack hijacks your cupboard". Man, even my sugar isn't safe from hackers any more...:)

CNN Top 10 

Posted Friday 15th August 2008 20:40 GMT

I just ignored the MSNBC spam assuming it was piggybacking on the CNN top ten junk from last week.

weird 

Posted Friday 15th August 2008 20:41 GMT

Pirate

Also redirected to google here, running MSIE6 in Windows XP inside virtualbox. Searching google for the site name turns up a URL with some token on the end of it, which did work.

Nasty bit of extortionware that they're trying to push, too. It 'found' 41 really dangerous-sounding bits of malware on a completely fresh install of XP and just will NOT go away.

Infected Sites 

Posted Friday 15th August 2008 20:59 GMT

Not sure it's related but a lot of the sites listed in the forums have had tons and tons of spam sent out in their names in the past several days... yesterday alone our spam server recorded over 7,000 emails from "MSNBC".

Coincidence? Probably.

Flashblock it 

Posted Friday 15th August 2008 21:05 GMT

Flash is full of obnoxious features ripe for abuse by malvertisements. If it's not the clipboard access, or cookies you can't block with the normal browser controls, it's the mundane irritation of pop-ups, surprise LOUD auto-playing sound and CPU-killing animations.

The Firefox Flashblock extension - or some similar means of disabling such plug-ins by default in other browsers - is the only sensible response.

suck on that, mac bois 

Posted Friday 15th August 2008 22:00 GMT

Happy

i use vista, so i am immune, jah?

fnarr fnarr

Arghh 

Posted Friday 15th August 2008 22:19 GMT

Flame

I have been getting these emails for weeks, originally CNN news, now MSNBC, straight to my Yahoo spam (well, apart from a few that ended up in my inbox). Using XP, Firefox 3 and Avast, Lavasoft SE, nothing picked up, although SUPERAntiSpyware did pick up quite a bit.

No luck 

Posted Friday 15th August 2008 22:25 GMT

After spending an hour setting up a new VM and over 2 hours browsing news and social networking sites (shudder), I just could not get infected; I had a clipboard viewer up all the time and got not a single bite. What this exercise has made me realise is how absolutely vital NoScript and AdBlock are to browsing. I was amazed at the amount of flashing junk and pop-ups dominating websites, especially the American news sites. It's a shame I didn't find the swf or script that does this; I am curious how this is done. I will have another try tomorrow.

@AC, Jeremy 

Posted Friday 15th August 2008 22:26 GMT

Flash can only write to the clipboard, with a simple

System.copyToClipboard()

call. It can't read the clipboard.

Facebook 

Posted Friday 15th August 2008 22:55 GMT

While using Facebook on Safari recently, with no other sites open, I got a pop-up window with an xp-vista-update.net URL. I can only guess it was due to a malicious ad served on Facebook. Looks like these goons have more than one vector.

Keylogger 2.0 

Posted Friday 15th August 2008 23:07 GMT

Thumb Down

If a website can run code that loops and continuously inserts a link, who's to say it can't run a loop that continuously copies data from your clipboard and sends it off to a bot?

@AC2 

Posted Saturday 16th August 2008 02:08 GMT

Yep, I know, which is why I clarified my moan about read access with "(in IE at least)", because since version 5 it can read the clipboard contents (provided it's text) with an equally simple:

var clipContents = window.clipboardData.getData("text");

I believe Opera has clipboard access too. Attempting to read the contents of the clipboard will at least throw up a warning in IE7 but since when has a silly security prompt stopped the majority of users from clicking OK?

Fools all of you :) 

Posted Saturday 16th August 2008 04:56 GMT

Coat

SmitFraudFix, BugHunt 2.2, HijackThis and a GOOD (read: not Norton or McAfee) AV scanner. Works for me. I work in remote support and have been seeing this for a while now (3 weeks IIRC) and there are 3 versions that I know of.

1) This version is a pain in the ass but can be gotten rid of by the above mentioned tools if run in safe mode.

2) This version is a dick. Spent 6 hours trying to figure this little bugger out to no avail. This one (for lack of a better way of putting it) appears to remove everything from the start menu and prevent many hotkeys from working. I have since given up trying to fix the damage and just restore the system, because I'm not gonna bother wasting my time or the customer's.

3) This final one that I have seen is rather new. Above mentioned programs work, at least so it appears. Everything appears to be fine for about 15 minutes after cleaning the system and then it starts to go to hell again. I have experienced this happening more frequently lately. Gave it 2 hours of work trying to fix/remove the problem child without ever finding it. (No I love Karen but meh I personally like making customers suffer) So I default to restore system.

As far as I have seen this 3rd one is becoming more and more frequent. Now stop infecting yourselves. For those that don't know, you can get infected by clicking link in email/going to webpages/installing everything pushed on you/reading email/running programs/opening files/sex/farting sideways/eating/sleeping/having a pet/having a child/having a job/going to work/getting up in the morning/turning computer on/coffee/drinking coffee/small children/peanut butter and jelly sandwiches/. . .<ENTERING RECURSIVE LOOP>

<joke>

Sorry about that all you out there in Register Central. Our latest attempt at mind cont...erm a marketable program appears to still have a few bugs in it. Heh get it? A few bugs? Anyway please help us beta test it so that we can continue beta testing bugs like this to prevent this in the future. Just click this link http://notavirus.com/*nix_fanboi_or_m$_fanboi_or_apple_fanboi/fuck_your computer_up_and_steal_all_your_money_including_identity/vista_*nix_osx/ great_sparkling_magic_notofthisearth_super_uber_amazing_supercalifragilisticexpialidocious_antivirus2009/your_boned.exe to help us test for bugs like this in the future. Thank you for your time.

Or for an easier time if your keyboard isn't working just use this tinyurl:

http://tinyurl.com/fuckupyourcomputer.exe

Again thank you.

</joke>

Sorry if the formatting sucks tried my best.

/mines the one with the penicillin in the pocket.

Flashbacks 

Posted Saturday 16th August 2008 06:28 GMT

Boffin

This will probably get ignored, but anyway.

Overwriting the Firefox/IE clipboard has been possible for a long time. I imagine these users (although I haven't read all four forums and the subsequent links for each post) had a window hidden from them or a frame around a webpage. The only change is to use it for spamming links, which is a nice human touch to spreading spam; lots of people Ctrl-C-V without thinking.

It overwrites anything you have in the clipboard without requiring any action such as clicking or selecting; you do need Flash and JavaScript running, which 99% do.

For an example, clipboard.swf is (I think, from decompiling it):

    // Action script...
    // [Action in Frame 1]
    if (clipboard.length)
    {
        System.setClipboard(clipboard);
    } // end if

The script is, according to a Google search:

    function copy(inElement) {
        if (inElement.createTextRange) {
            var range = inElement.createTextRange();
            if (range && BodyLoaded==1)
                range.execCommand('Copy');
        } else {
            var flashcopier = 'flashcopier';
            if(!document.getElementById(flashcopier)) {
                var divholder = document.createElement('div');
                divholder.id = flashcopier;
                document.body.appendChild(divholder);
            }
            document.getElementById(flashcopier).innerHTML = '';
            var divinfo = '<embed src="_clipboard.swf" FlashVars="clipboard='+escape(inElement.value)+'" width="0" height="0" type="application/x-shockwave-flash"></embed>';
            document.getElementById(flashcopier).innerHTML = divinfo;
        }
    }

In 2005:

http://www.jeffothy.com/weblog/clipboard-copy/

http://ajaxian.com/archives/auto-copy-to-clipboard

http://www.rodsdot.com/ee/cross_browser_clipboard_copy_with_pop_over_message.asp
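As an added defender-side example (not code from the thread or from the sites linked above), the following Node.js scan flags the pattern the post describes: a zero-size Flash embed whose FlashVars carry a "clipboard=" payload, so fetched page or ad HTML can be checked before it is served or allowed. The sample HTML, the placeholder URL and the function names are constructed for the example.

```javascript
// Added example: flag hidden Flash embeds that pre-load a clipboard payload,
// the pattern in the decompiled snippet above (zero-size SWF with a
// FlashVars "clipboard=<url>" value). Plain Node.js, no dependencies.

// Extract name="value" / name='value' / name=value pairs from one tag body.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// FlashVars is a query string ("clipboard=http%3A%2F%2F...&x=1"); legacy
// escape() output, as used by the original page, decodes the same way for
// ASCII URLs. Malformed escapes are kept raw so the hit is still reported.
function parseFlashVars(flashVars) {
  const vars = {};
  for (const part of flashVars.split('&')) {
    if (!part) continue;
    const eq = part.indexOf('=');
    const key = eq === -1 ? part : part.slice(0, eq);
    const raw = eq === -1 ? '' : part.slice(eq + 1);
    let value;
    try { value = decodeURIComponent(raw.replace(/\+/g, ' ')); }
    catch (e) { value = raw; }
    vars[key.toLowerCase()] = value;
  }
  return vars;
}

// A missing dimension or "0"/"0px" counts as hidden from the user.
function isZeroSize(v) {
  return v === undefined || /^0*(px)?$/i.test(v.trim());
}

// Scan HTML; return one finding per <embed>/<object> carrying a clipboard var.
function findHiddenClipboardEmbeds(html) {
  const findings = [];
  const tagRe = /<(embed|object)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[2]);
    if (attrs.flashvars === undefined) continue;
    const vars = parseFlashVars(attrs.flashvars);
    if (!('clipboard' in vars)) continue;
    findings.push({
      tag: m[1].toLowerCase(),
      src: attrs.src ?? attrs.data ?? null,
      isFlash: (attrs.type ?? '').toLowerCase().includes('shockwave-flash'),
      hidden: isZeroSize(attrs.width) && isZeroSize(attrs.height),
      payload: vars.clipboard,
      looksLikeUrl: /^(https?:)?\/\//i.test(vars.clipboard.trim()),
    });
  }
  return findings;
}

// Constructed sample page: a visible banner SWF and a hidden clipboard embed
// built the way the copy() function above builds it (placeholder URL).
const SAMPLE_HTML = `
<div id="banner"><embed src="ad.swf" width="468" height="60"
  type="application/x-shockwave-flash"></embed></div>
<div id="flashcopier"><embed src="_clipboard.swf"
  FlashVars="clipboard=${encodeURIComponent('http://EXAMPLE-PLACEHOLDER.invalid/av2009')}"
  width="0" height="0" type="application/x-shockwave-flash"></embed></div>`;

console.log(JSON.stringify(findHiddenClipboardEmbeds(SAMPLE_HTML), null, 2));
```

Only the hidden embed is reported; the visible banner has no FlashVars and is ignored.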

hit on Ars Technica site 

Posted Saturday 16th August 2008 07:14 GMT

I'm 90% certain I got hit on the Ars Technica site. I was using IE7 and the only strange thing I noticed was one of the ads was making some kind of clicking sound. My network folks scanned my comp. but didn't see any malware.

Possibly, they are just hoping that someone will paste a link and go to it.

Why not just 

Posted Saturday 16th August 2008 09:36 GMT

Coat

tell IE not to allow access to the clipboard - it's just a tickbox. I do it on any IE I set up since browsers and webpages have no right to my clipboard.

Mine's the one with 'SMUG' pasted on the back

@MSNBC Breaking News 

Posted Saturday 16th August 2008 11:38 GMT

Pirate

Nahh, that's just the same-old-same-old Storm worm spam. Don't worry about it.

*sigh* 

Posted Saturday 16th August 2008 13:14 GMT

Gates Halo

I don't get why it's even allowed. Can anyone think of a solid program design that needs access to the clipboard? I mean do we really need "copy this" buttons when they are built into the interface. They ought to just remove the ability from the object model.

@Peter 

Posted Saturday 16th August 2008 15:00 GMT

This is the code from clipboard.swf:

    // Action script...
    // [Action in Frame 1]
    saveToClipboard = function (str)
    {
        System.setClipboard(str);
        flash.external.ExternalInterface.call("copy_success");
    };
    flash.external.ExternalInterface.addCallback("setClipboard", this, saveToClipboard);
    //END

So a Java function called via the onload command of a page or pop up would paste a url passed to the function to the clipboard.

Not as devious as I thought; however, this will only copy to the clipboard once, so I expect some looping JavaScript is what accomplishes the constant refreshing.

This does not seem to work with the clipbook service disabled, as I have on my work machine.

Digg Infected? 

Posted Saturday 16th August 2008 15:15 GMT

Browsing Digg - Can only paste xp-vista....

Close Digg tab - Can paste anything

Only happens on some digg pages - Infected ad?

@No, Macs are not immune 

Posted Saturday 16th August 2008 16:29 GMT

Care to expand: is it apparent with Safari, Firefox or what?

Couldn't replicate this... 

Posted Saturday 16th August 2008 17:10 GMT

Jobs Halo

...on a G4 with OSX "Leopard" and Firefox running "naked". No luck replicating the clipboard attack. Still, I can't see how this could be a threat to my system if I go to use my Clipboard and see some skanky URL that I never copied into it and think, "huh, that looks skanky, lemme just quit Firefox and force it to flush my cookies and my cache and see if that works" -- instead of being one of those kids who had to wear a helmet in school, and just pasting away with it.

I did, however, out of sheer curiosity, try the link in this article and oh, the hilarity that ensued. It was pure cheap laffs gold, watching the site I was redirected to run its fake Flash cartoon pretending to be a Windows virus scanner, scanning files which were obviously DOS/Win files and not living on my hard disk at all, and then presenting me with a Windows dialog -- also obviously fake -- screaming that my system -- a Mac, mind you -- was infected and that I had to buy their fake AV product lickety-quick, to avoid certain disaster.

Wiping the tears of hysteria from my eyes, I "flushed" Firefox, turned NoScript and AdBlock back on, restarted Firefox, and went back to the Finder to trash the totally impotent .exe files which hit my desktop. Then I realized that the one possible threat this "virus" could pose to my Mac was perhaps accidental hardware damage, from inadvertently knocking my G4 over in a fit of uncontrollable laughter watching this retarded malware site try to scare me by pretending to run a goddamn' fake Windows virus scanner on my Mac.

(Steve Jobs with a halo, only because I've been a Mac OS fan since 1985, and you have no replica of the old little "smiling Mac" MacOS bootup icon, and despite the fact that Jobs has been a real friggin' prick recently.)

@AC:Digg infected 

Posted Saturday 16th August 2008 17:31 GMT

I browsed Digg but didn't get infected, any chance of a link to an infecting page?

XP Antivirus 2008 

Posted Saturday 16th August 2008 17:37 GMT

It is the same malware/crapware as "XP antivirus 2008". I've seen Google ads for this gem, that is worse than a real virus infection. They demand money to fix a problem they caused. Oh the joys of windows.

I did a quick Whois on the domains: xpantivrus.com, xp-vista-update.net, internetscanner2009.com. All registered under estdomains.com, in Delaware, US. The latter 2 use estdomains' DNS. Doing some more digging, some of the DNS servers come back to eosads, in the Motherland:

Registrant Name: Daniel Adams

Registrant Organization: eosads

Registrant Address1: 13 Baterman Street

Registrant City: London

Registrant State/Province: London

Registrant Postal Code: W1D 3AF

Registrant Country: UNITED KINGDOM

Registrant Country Code: GB

This forum:

http://www.bluetack.co.uk/forums/index.php?s=950ad5e6359847c4dfb715d9e753bfcf&showtopic=18064&st=60&p=87715&#entry87715

shows that this stuff has been going down since April or so.

So, maybe you Brits need to go door-knocking?

Mystery *Flash* attack hijacks your clipboard 

Posted Saturday 16th August 2008 18:01 GMT

Flame

...if what people have been writing is true. Yet another reason for not infecting one's computer with the plague that is Flash, or at least coercing browser developers to provide decent control over Flash utilisation, rather than having it enabled for all sites, all irritating animated adverts, and all potential exploits associated with trusting the binary payload of a proprietary software vendor.

Flash isn't "the Web" despite what the fanboys and "embedded multimedia" idiots would have you believe.

Vulnerable systems 

Posted Saturday 16th August 2008 18:09 GMT

I don't know any browser/OS combination that would be immune, except for one without Flash, though this only directs to a malware page; Linux/OSX* will almost certainly be immune to the .exe file even if it's successfully pushed through Firefox/Opera/Safari.

*Not necessarily from conventional security, but because these people will go for the biggest target.

Title 

Posted Saturday 16th August 2008 21:27 GMT

Go

I'll pop round to the address tomorrow

I'll let you know who I meet

Paul

Unsure about NOSCRIPT 

Posted Sunday 17th August 2008 08:52 GMT

Had an odd thing the other day possibly linked with this. I couldn't open FF, said it was already running. Checked the processes and sure enough there it was but no visible instance. Killed the process and we were back in business. Sounds similar to how this exploit operates but I didn't notice anything odd with the clipboard, that said I can't recall if I used the clipboard.

Stranger still, I run NOSCRIPT and this still appears to keep FF running, although maybe it didn't hijack my clipboard....

whois information is false 

Posted Sunday 17th August 2008 12:19 GMT

combatwombat: it's no use looking at any of the whois information in these cases. The addresses given are invariably either:

a. completely made up

b. just copied from some other entity's address

c. mailboxes/forwarding companies

The people behind these fake anti-virus apps are Russian hackers coming from the AWM scene (and others in the Russian satellites). The registrar Estdomains (aka Esthost, Inhoster, UkrTelegroup, Cernel, Rove Digital and a multitude of other aliases) are themselves blackhats, directly in on the porn->exploit/fake-codec->trojan/fake-AV-install game. So they're not too fussy about correct whois details.

You could complain to ICANN and get the domain revoked in, what, six months. But these guys constantly change their names and register hundreds of new domains, so it's kind of pointless.

tee hee 

Posted Sunday 17th August 2008 12:37 GMT

Did you check out some of the "xploits" that are listed by the "virus scanner" (scanning my Linux box with a very nice imitation of an XP dialog, of course)?

Spyware.EI.Monster.b

ZLob.PornAdvertise.Xplisit

Trojan. InfoStealer.Banker.s

They forgot, of course:

Malware.WifeStealer.CockSucker

XP.PasswordCracker.Attack

and of course my all time favourite

All.MyVirusAreBelong2.You

Malwarebytes gets most of this 

Posted Sunday 17th August 2008 21:22 GMT

Using Malwarebytes, and Spybot for a few registry settings that Malwarebytes misses, gets rid of it. At least in the 10 or so cases I've cleaned in the past 2 or 3 weeks, although I haven't seen any with the 2009 version, which might have a few differences from Winav2008.

The detail analysis for this case 

Posted Monday 18th August 2008 03:40 GMT

Happy

I have analyzed this case; please read:

http://malware-test-lab.blogspot.com/2008/08/analysis-of-mystery-eb-attack-hijacks.html

"banner ads transmitting bad Adobe Flash code" 

Posted Monday 18th August 2008 08:49 GMT

The "bad" is superfluous, as there can be no "good" in that context.

Another point for adblock I suppose. Soon flash ads will have made it impossible to make money out of a free to view website because everyone will have adblocked everything.

re: suck on that, mac bois 

Posted Monday 18th August 2008 09:45 GMT

Jobs Halo

"i use vista, so i am immune, jah?

fnarr fnarr"

Umm.. nope, exactly the opposite in fact: as it tries to download a Windows exe, I'm pretty sure you are screwed if you are on Vista.

Clipboard.. 

Posted Monday 18th August 2008 10:20 GMT

Flame

I knew that IE was capable of reading the clipboard contents; I have a small piece of code on several sites which reads the clipboard contents and requests /clip.php?text=<clipboard contents here>

You can get some really weird stuff from people's clipboards...

I didn't know you could actually set someone's clipboard, but I would consider that far less serious than being able to read the contents of it (which might contain private data).

Clipboard Monitors.. 

Posted Monday 18th August 2008 11:13 GMT

Alert

Aren't there some programs that monitor the clipboard for downloadable links? Something like wget?? autowget?? or winwget??

I'm sure there are more...

Potentially more of a hazard with auto download... wonder if they auto execute also??

@Mike Flugennock 

Posted Monday 18th August 2008 11:36 GMT

Of course, it would be far too difficult to expand the redirect page to check what OS you're running and provide an OS-based scan, or to offer a Mac download? The whole point is that it scares users into downloading something they don't need, pay for something they don't need (ie put their card details into the site, so not just paying for one thing), and possibly screw their PC by downloading it. If a user is prepared to download and run something, once they run it and get told it might be unsafe they'll probably still run it won't they?

Even worse, there's not going to be any AV on a Mac already to pick it up as dangerous. I'm not the biggest fan of Macs, but you have to be able to see that there is roughly the same (high) percentage of naive Mac users as PC users. As Macs get more popular, it's only a matter of time before a scam like this is adapted for Macs, it just makes sense.

Why cut and paste? 

Posted Monday 18th August 2008 15:02 GMT

Thumb Up

Because many of today's IT management products are using browser-based interfaces. For those sysadmins using them, you end up doing a lot of cut and paste as a time-saving manoeuvre to make sure you have a) entered the information correctly and b) you can add more than one entry at once or you are adding multiple lines to queries/functions.

Re: Why cut and paste? 

Posted Tuesday 19th August 2008 07:36 GMT

Flame

@ C Benjamin

I would like to believe that at least the majority of IT managers are familiar with copy and paste keyboard shortcuts.
