Old 08-13-2006, 04:26 PM   #1
Registered User
fatale
FastClick/ValueClick serving a virus!

There's a virus/spyware being served from one of FastClick/ValueClick's ad campaigns. We have received several user complaints today, so naturally I went to investigate, and I was just able to catch it on our website myself (my virus scanner was tripped). I was unable to identify the actual ad campaign (manual review of all running campaigns didn't trip my anti-virus), but here's the info in case someone else can. All potentially dangerous links are mangled so they don't turn into actual links -- make sure you have the latest anti-virus running if you are brave enough to load any of them (at your own risk of course!!!).

The actual exploit/virus is being detected in the following file:

The ad (gif) on the page that was displayed when it happens is loaded from (this should be safe to view):

The browser log file ("Live HTTP headers" plug-in for Mozilla Firefox) shows that the actual ad code was served by the following file:

Which tries to load a number of different files that try to exploit various Windows vulnerabilities:

The IP addresses above all resolve to servers.

Needless to say, I removed all FastClick banners from our site until this can be resolved. Judging by the user complaints, this has been going on this whole weekend. I've e-mailed FastClick of course, but the form says it can take them 1-2 _business_ days to reply, so I thought I'd warn everyone here as well.