[Alert!] Infected FastClick Pop-Behind

[Mbarb]

Hello,

Today I receive a repot from one of my sites visitors that one of our pop behind ads had triggered their anti virus software. Of course they were not sure what ad had caused the problem. I went to the campaigns page and started looking at sample ads. When I opened the DiscountAirfare ad my antivirus software triggered. The ad is aparently trying to change the users start page to one of it's own. I've included a link to some additional information about what the ad is trying to do. I've also contacted FastClick with the information. I would recommend removing it from your rotation.

http://vil.nai.com/vil/virusSummary.asp?virus_k=99066

[maddeningcrowds]

Thanks for the info mbarb

[NiteTrader]

I also received an e-mail from one of my customers yesterday alerting me to that JS/IEStart virus which was being transmitted by one of my ads.

The difference is I use OrbitCycle to rotate my ads and they insert one of their ads every 10th time. One of them is evidently doing this. I don't know whether it is that particular advertiser. I'm going to notify them as well.

[Czar]

Thank you so very much for bringing this to our attention.

Fortunately, the campaign seems to have had a comparitively limited run thus far, but it's still scary to see that several hundred of my visitors have had to battle this menace while visiting my FastClick member sites. I'd hate to think what perception they now have of my site (and whether any complaints have been filed against those of us who have run this campaign).

[PWR_Paul_Banker]

Could someone from FastClick comment on this... I wonder how this could have possibly gotten past their content screeners?

Thank you Mbarb for posting this, I turned off the camgaign immediatley. I just hate to think of the hundreds of visitors who got served that ad.. :: sigh ::

[Czar]

Hopefully Alexis will comment when she drops by next. Until then, I'll see if Steve's interested in assigning the thread with 'Sticky' status so that Geeks and lurkers - at the very least - will be made aware of this serious issue.

That's two strikes against FastClick's content screeners in as many weeks. Hopefully not an ominous sign...

[Steve_S]

Under direct orders from General Czar this thread is sticky


Can you geeks please send me email contacts AND or phone and fax numbers for this merchant via PM? Names also. All the way up the food chain please. I will try and reach them on behalf of the Community.

[Czar]

Just to the rest of you know, I've sent Alexis, Jeff and Dave's email addresses to Steve, as well as the general phone and fax numbers associated with the company (along with Alexis' extension number), so these don't need to be PMed. Any increasingly specific contacts would still be welcome, I imagine.

Thanks for your time.

[Mbarb]

Good morning.

Just a update from me. I have not received a reply to my e-mail, the ad is still available and is still trying to change Internet Explorer start pages. Luckily I only showed the ad about 50 times before I was alerted, it could have been much worse. Hopefully Czar or Steve_S can get a response from Fastclick. I'm going to be sending a e-mail to the ISP hosting the ad, maybe I can get something done. This just shows the importance of running good antivirus software and keeping it up to date.

[Fastclick.com]

Hi Everyone,

I apologize for the delay in response, and appreciate members of this forum contacting me directly.

Unfortunately, when the creative was reviewed, the effect some users are experiencing did not occur with our browsers. If anyone has further information, or can duplicate the effect, please email any relevant code to me at agbrown@fastclick.com.

We are in the process of contacting the Advertiser for further details, and if any viruses or inappropriate behavior is discovered, we will terminate their account. This type of shenanigan violates Fastclick's Terms and Conditions.

Thanks, again, to the members of this forum!

Best,
Alexis

[Mbarb]

I've isolated the text in the page that is causing the problems, I don't really watnt to be sending the file even though I renamed it as a text file. I can say with 100% certenty that they have added the code to the page. Let me know how you want me to procede.
This text is only part of the code...


<Admin note. great thread but others may use the code the wrong way and with the wrong intent so I better snip it. I'm not really a coder and have a copy of the original for safe keeping. Hope you guys understand. Strangers can view this stuff. Thanks members for the heads up.>

[Fastclick.com]

Ugh. It looks like this code was added into the creative after we approved it. It's unfortunate, and hopefully we didn't upset too many users. The campaign is currently offline, and will remain as such until we can get further information from the Advertiser.

We're also taking further steps to ensure that this type of violation does not happen in the future, increasing our checks and scans of all creative.

We do our best to monitor the network as a whole, but additionally rely on Publisers to let us know the moment anything seems awry. Thank you for your help!

Alexis

[Mbarb]

Thanks for pulling the ad...Just to add a bit of fuel to the fire, whoever added the script to this page did not want the casual viewer to find it. Looking back to my example you can see the it uses
<SCRIPT language="JScript.Encode">#@~^HxcAAA==@&@!"R

I was curious what this was about so I did my normal google search and found this interesting bit of information.

Quote:

The Windows Script Encoder (screnc.exe) is a Microsoft tool that can be used to encode your scripts (i.e. JScript, ASP pages, VBScript

You can read the rest at your leisure...

http://www.astalavista.com/code/vb/scrdec.shtml

Once again thanks for everybody's help in getting to the bottom of this...

Matt

[Mbarb]

Sorry.. I just had to see what this thig was really doing. I found a decoder for the encoded script. I'll paste parts of it below as PHP. Please note the I have changed parts of the script so it will no longer function

PHP Code:

AddToDesktop(DispName, SiteURL)
{
  AddFavLnk(desktop, DispName, SiteURL);
**

function SetupHomepage(homeurl)
{
  var old_hp, new_hp;

  try{
    old_hp = Shl.RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\AboutURLs\\orighomepage");
  **catch(e){
    if(debug)
      alert("Error:" + e.description);
    old_hp = Shl.RegRead("HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page");
    Shl.RegWrite






  ** 
  if(old_hp.toLowerCase() == 'about:homepage'){
    old_hp = 'about:blank';
  **

  new_hp = 


And then this part where it looks to be trying to ad some casino site to

PHP Code:

START OF GENERATED FUNCTION CALLS

      AddToDesktop("Discount Travel Home Page", "http://www.discountairfares.com/indexf.htm");
      AddLnk("Favorites", "Discount Travel Home Page", "http://www.discountairfares.com/indexf.htm");
      AddLnk("Favorites/Links", "Discount Travel Home Page", "http://www.discountairfares.com/indexf.htm");
      AddLnk("Favorites/Travel", "Discount Travel Home Page", "http://www.discountairfares.com/indexf.htm");

      // END OF GENERATED FUNCTION CALLS
      //      SetupHomepage("http://www.discountairfares.com/");
      //      SetupCanceled();
      //      AddToProgramMenu('Casino', 'Install', 'http://www.netgaming.com/downloads/indexds.html');
      //      AddToProgramMenu('Casino', 'Home', 'http://www.netgaming.com/');








{
  setTimeout("f()", 1000);
**

init();
-->
</SCRIPT> 


<Admin note. great thread but others may use the code the wrong way and with the wrong intent so I better snip it. I'm not really a coder and have a copy of the original for safe keeping. Hope you guys understand. Strangers can view this stuff. Thanks members for the heads up.>

Hmmm...I really need to go back to work

[Fastclick.com]

Very odd. I'm going to send all of this information to our CTO.