08-13-2006, 04:26 PM   #1
fatale
FastClick/ValueClick serving a virus!

There's a virus/spyware being served from one of FastClick/ValueClick's ad campaigns. We have received several user complaints today, so naturally I went to investigate and I was just able to catch it on our website myself (my virus scanner was tripped). I was unable to identify the actual ad campaign (manual review of all running campaigns didn't trip my anti-virus), but here's the info in case someone else can. All potentially dangerous links are mangled so they don't turn into actual links -- make sure you have the latest anti-virus running if you are brave enough to load any of them (at your own risk of course!!!).

The actual exploit/virus is being detected in the following file:
_http://64.34.181.44/adrun/exp.wmf

The ad (gif) on the page that was displayed when it happens is loaded from (this should be safe to view):
http://g.websponsors.com/graphics/93909/468x60.gif

The browser log file ("Live HTTP headers" plug-in for Mozilla Firefox) shows that the actual ad code was served by the following file:
_http://www.searchplain.com/ADSAdClient37/GetAd/J43/TF=_NEW/1011/SC=LG/LOC=R/ID=0006BFFD968BB8AD/

Which tries to load a number of different files that try to exploit various Windows vulnerabilities:
_http://64.34.181.44/adrun/c.html
_http://64.34.181.44/adrun/index2.html
_http://64.34.166.182/webnetcounters/pps.html
_http://64.34.181.44/adrun/in.html
_http://64.34.166.182/webnetcounters/pl_load.js
_http://64.34.181.44/adrun/ct.html

The IP addresses above all resolve to searchplain.com servers.

Needless to say, I removed all FastClick banners from our site until this can be resolved. Judging by the user complaints, this has been going on this whole weekend. I've e-mailed FastClick of course, but the form says it can take them 1-2 _business_ days to reply, so I thought I'd warn everyone here as well.
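Added example, not part of the original post: a publisher who captures a header log like the one described above can rebuild the request chain from the flagged file back to the ad call by following Referer headers, and list everything that ad call went on to load. The log layout is an assumed simplification (requested URL, then headers, records separated by a dashed line), every host is a constructed placeholder, and the function names are hypothetical.

```python
import re

SEP = re.compile(r"^-{10,}[ \t]*$", re.M)  # assumed record separator

# Constructed sample log; no host or path here comes from the post.
SAMPLE_LOG = """\
http://publisher.example/page.html
Host: publisher.example
----------------------------------------------------------
http://broker.example/GetAd/ID=0001
Referer: http://publisher.example/page.html
----------------------------------------------------------
http://img.example/468x60.gif
Referer: http://broker.example/GetAd/ID=0001
----------------------------------------------------------
http://drop.example/run/in.html
Referer: http://broker.example/GetAd/ID=0001
----------------------------------------------------------
http://drop.example/run/exp.wmf
Referer: http://drop.example/run/in.html
"""

def parse_records(log):
    """Map each requested URL to the Referer that caused it (None if absent)."""
    parents = {}
    for block in SEP.split(log):
        lines = [l.strip() for l in block.strip().splitlines() if l.strip()]
        if not lines:
            continue
        ref = next((l.split(":", 1)[1].strip() for l in lines[1:]
                    if l.lower().startswith("referer:")), None)
        parents.setdefault(lines[0], ref)  # first line of a record is the URL
    return parents

def referer_chain(parents, flagged):
    """Follow Referer links back from the flagged URL; return the chain page-first."""
    chain, url = [], flagged
    while url and url not in chain:  # membership check stops referer loops
        chain.append(url)
        url = parents.get(url)
    return chain[::-1]

def loaded_under(parents, root):
    """Every logged URL requested, directly or transitively, because of root."""
    return sorted(u for u in parents
                  if u != root and root in referer_chain(parents, u))
```

The first off-site URL in the chain is the ad call to report to the network, and `loaded_under` on that URL gives the full set of requests to hand over with the complaint.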