Welcome to the GeekTalk Webmaster Discussion Forums from GeekVillage.com
09-12-2003, 01:39 PM   #1
Sashman
Registered User
Join Date: Aug 2002
Location: Dulles Virginia
Posts: 590
Popup Warning!

Watch out, Standard Internet is running a "TOP SITES OF THE HOUR" popup - URL SNIPPED (Don't Click). This popup is showing up with the Trojan.JS.Seeker exploit. It may be a revised version as it's changing the homepage without a restart and the patch that was supposed to fix it doesn't appear to work.
--------------------------------------------------
DEFINITION :
This script, written in JavaScript, quietly changes a browser's home page and search page without user confirmation.

The script uses an MS Internet Explorer 5.0 Typelib security vulnerability to create an HTA file in the Windows start-up directory. This file automatically runs upon the next Windows start-up, at which point the script gains control.

The script in the HTA file modifies the system registry keys where the home and search page addresses are specified (before modifying the keys, the script stores their values into BACKUP1.REG and BACKUP2.REG files in the Windows directory). After this, the script deletes the HTA file (and itself).

Last edited by Sashman; 09-13-2003 at 11:44 AM.
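A defender-side check for the tampering points the definition above describes (an .hta dropped into the Startup folder, the home/search page values in the registry, and the BACKUP1.REG/BACKUP2.REG files in the Windows directory), written as an added PowerShell example that is not part of the original thread. The baseline home page value, the function name and the report shape are assumptions; it reads the current user's hive and the Startup folders and reports what it finds without changing anything.

```powershell
# Added example, not from the thread: audit the indicators named in the
# Trojan.JS.Seeker definition. The baseline value below is an assumption.
function Test-HomePageTampering {
    param(
        [string]$ExpectedStartPage = 'about:blank'   # assumption: expected home page
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. HTA files in the per-user and all-users Startup folders, the
    #    persistence mechanism the definition describes.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if ($dir -and (Test-Path -LiteralPath $dir)) {
            Get-ChildItem -LiteralPath $dir -Filter '*.hta' -File -ErrorAction SilentlyContinue |
                ForEach-Object { $findings.Add("HTA in startup folder: $($_.FullName)") }
        }
    }

    # 2. Home/search page values under the current user's IE key.
    $ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $props = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
    $current = [ordered]@{}
    foreach ($name in 'Start Page', 'Search Page', 'Default_Page_URL') {
        $current[$name] = if ($props) { $props.$name } else { $null }
    }
    if ($current['Start Page'] -and $current['Start Page'] -ne $ExpectedStartPage) {
        $findings.Add("Start Page is '$($current['Start Page'])', expected '$ExpectedStartPage'")
    }

    # 3. The backup .REG files the definition says the script writes to the
    #    Windows directory before editing the keys.
    foreach ($f in 'BACKUP1.REG', 'BACKUP2.REG') {
        $p = Join-Path $env:WINDIR $f
        if (Test-Path -LiteralPath $p) { $findings.Add("Found $p") }
    }

    [pscustomobject]@{
        StartPage      = $current['Start Page']
        SearchPage     = $current['Search Page']
        DefaultPageUrl = $current['Default_Page_URL']
        Findings       = $findings.ToArray()
    }
}

# Usage: print the current values and any findings. Restoring the home page
# is a Set-ItemProperty on the same key once you have confirmed the value.
$result = Test-HomePageTampering
$result | Format-List
if ($result.Findings.Count -eq 0) { Write-Output 'No tampering indicators found.' }
```

The script only reads; it does not delete the .hta or rewrite the registry, so the evidence stays in place for whoever is investigating. The three checks are independent, so a machine hit by a variant that skips the backup files (as the first post suggests this one may) still shows up through the Start Page comparison.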
09-12-2003, 02:27 PM   #2
Robert from SI
I am a Contributing Geek. Are You?
Join Date: Jan 2001
Location: Marlton, NJ USA
Posts: 1,126

This is a brokered ad. We've contacted the advertiser and the broker.

It changed my home page too. I changed it back.
__________________
It's all just ones and zeros.
09-12-2003, 03:42 PM   #3
acventures
Registered User
Join Date: May 2002
Posts: 33

The obfuscated code is actually:

Thank you but others will use this code to do nasty things. Code removed by Admin. Thanks for your anticipated cooperation.

This is what sets your startpage.

Respectively. Kinda I quickly wrote some software to decode this kind of junk. Email me if you are interested in it.

Chuck@nospammerwelcome.viastudio.com

Last edited by Steve_S; 09-12-2003 at 04:58 PM.
09-12-2003, 04:28 PM   #4
Sashman
Registered User
Join Date: Aug 2002
Location: Dulles Virginia
Posts: 590

Thanks for removing the ad so quickly. Getting an HTA to run through a webpage can be bad news.

FYI. I did a little more digging (including looking at the HTA) to make sure it wasn't doing anything more malicious than just changing the home page. Luckily it wasn't, but it could have been.

EDIT : Btw acventures, if you can kindly remove the code it would be appreciated. I'm going to pop the link myself and do some more testing on what security it can bypass. Microsoft had this same vulnerability about a year ago, and you could do some fugly things through it .. including formatting a HD.

EDIT #2 : OMG !! .. I'm emailing Microsoft.

Last edited by Sashman; 09-15-2003 at 12:49 PM.
09-13-2003, 10:26 AM   #5
Sashman
Registered User
Join Date: Aug 2002
Location: Dulles Virginia
Posts: 590

Robert,

The ad is still running on your network and continues to set people's homepages to a site that spawns 'popup death'. The fact that your company would openly criticize me http://sictalk.com/forum/showthread....threadid=11602 for posting this here and take this problem so lightly is shocking in the least.

This is a SERIOUS PROBLEM and one that would have been easily caught by watching your own network. This popup has complete control over a fully patched machine by using this new exploit. Just because "all" he is doing is hacking a registry entry is not a defense. The point is, that he can do anything he wants to virtually anyone's computer and SI continues to display his ad.

This is absolutely ridiculous, and in all my years in the computer field quite honestly the scariest thing I have ever seen.

Last edited by Sashman; 09-13-2003 at 10:38 AM.
09-13-2003, 10:54 AM   #6
lwrules
Registered User
Join Date: Jan 2000
Location: Richboro, PA, USA
Posts: 82
interesting

Interesting that you take issue with this, when YOUR distributed code (on adoutput.com), designed to override users' pop-up-block preferences, could be the reason somebody gets it. Your actions try to intentionally force something on people against their will, and then you criticize an ad campaign looking to do the same thing in your eyes (and which does NOT do anything malicious according to your own investigation). The important part - and the part you left out - is that the site that ultimately runs these pops only takes action and serves that page if the end user's computer meets certain criteria as defined in pre-agreed terms of service - which is CLEARLY laid out and disclosed.
09-13-2003, 11:08 AM   #7
lwrules
Registered User
Join Date: Jan 2000
Location: Richboro, PA, USA
Posts: 82
Your whole post was inaccurate

>This script written in JavaScript language quietly changes a
>browser's home page and search page without user
>confirmation.

It does not change any search page - why did you write that?

>The script uses an MS Internet Explorer 5.0 Typelib security
>vulnerability to create an HTA file in the Windows start-up
>directory. This file automatically runs upon the next Windows
>start-up, at which point the script gains control.

It does not place any files anywhere.
It does not cause anything to run on startup.
Why did you write that? Are you making things up simply to scare people and make your rant louder? Are you jealous or something to the point where you outright LIE about this?

>The script in the HTA file modifies the system registry keys where
>the home and search page addresses are specified (before
>modifying the keys, the script stores their values into
>BACKUP1.REG and BACKUP2.REG files in the Windows directory).
>After this, the script deletes the HTA file (and itself).

NONE of that is correct. NONE. Did you literally MAKE THIS STUFF UP? All it does is change the default homepage without any lock - so users can change it back with one click - and it checks to see if users AGREED to these actions in terms of service on freeware that they installed (like kazaa or on the site that serves the ads, etc.)

If you have a problem with an IE EXPLOIT, write to Microsoft. You can't get angry at Robert for running an ad (THAT IF CODED MALICIOUSLY COULD HAVE DONE SOMETHING MALICIOUS WHICH IT DOESN'T DO). That's like bashing a sales person for selling a Viper because it COULD go 200 miles per hour and kill people. Write to Dodge and tell them to make a safer car - write to Microsoft and tell them to fix their browsers.
09-13-2003, 11:16 AM   #8
Sashman
Registered User
Join Date: Aug 2002
Location: Dulles Virginia
Posts: 590

I've had second thoughts about my own position on by-passing blocks. There are good arguments on both sides, which is why I've never released my newest version of the js rotator that had it built in. I also bypass no settings or change the browser in any way. I still think the detection of popup blockers is important, but for purposes of serving a different ad type.

I've always had issues with companies running dirty ads. If it wasn't for these ads, there probably wouldn't be much of a market for popup blockers.

Quote:
and which does NOT do anything malicious according to your own investigation
Reread what I said. I'd consider hacking my registry, and ejecting my CDs, malicious. Not to mention what is on the page you get redirected to.
09-13-2003, 11:18 AM   #9
lwrules
Registered User
Join Date: Jan 2000
Location: Richboro, PA, USA
Posts: 82
popup death

Sorry to post three times but I take such issue with your posts.

The "popup death" to which you refer is BLOCKED by pop-up blockers. If, the site however decided to use YOUR ADVERTISED code to serve the pop-ups, the end user would have been hit with several pop-ups that they specifically took action to stop. I would suggest YOU stop taking actions to force things upon unwilling recipients and THEN come back and argue your points about other sites trying to push advertising in more creative, pre-agreed-upon methods leveraging the current technological environment.
09-13-2003, 11:19 AM   #10
Sashman
Registered User
Join Date: Aug 2002
Location: Dulles Virginia
Posts: 590
Re: Your whole post was inaccurate

Quote:
Originally posted by lwrules
It does not place any files anywhere.
It does not cause anything to run on startup.
Why did you write that? Are you making things up simply to scare people and make your rant louder? Are you jealous or something to the point where you outright LIE about this?
This is McAfee's definition of the Trojan.JS.Seeker exploit, if you bothered to look it up. As I said, this is a variation. It uses a similar HTA exploit, which is why it's picked up by every virus checker out there.
09-13-2003, 11:23 AM   #11
Sashman
Registered User
Join Date: Aug 2002
Location: Dulles Virginia
Posts: 590
Re: popup death

Quote:
Originally posted by lwrules
Sorry to post three times but I take such issue with your posts.

The "popup death" to which you refer is BLOCKED by pop-up blockers. If, the site however decided to use YOUR ADVERTISED code to serve the pop-ups, the end user would have been hit with several pop-ups that they specifically took action to stop.
Incorrect again. My bypass only works if the user clicks to enter the site. This is a good compromise, because if someone enters a trash/trick site not worth a second glance, they would receive no popups. If they enter a site they are interested in and click past the first page, they would receive a popup.

Perhaps if you did some reading and stopped jumping to conclusions, you would better be able to participate in a conversation.

Last edited by Sashman; 09-13-2003 at 11:27 AM.
09-13-2003, 11:24 AM   #12
lwrules
Registered User
Join Date: Jan 2000
Location: Richboro, PA, USA
Posts: 82
lwrules

Anybody with half a brain would read your first post and believe you are accusing Robert of running an ad that did those things -- so let the record be straight - the ad on Robert's network does NONE of those things - so STOP attacking Robert in any way shape or form. Once again, if you have a problem, write to Microsoft and stop attacking good business people who are simply doing THEIR job. If in fact the page DID do the thing you implied it did, OF COURSE he wouldn't run it - because that would be distributing a WORM which is clearly illegal.
09-13-2003, 11:38 AM   #13
Sashman
Registered User
Join Date: Aug 2002
Location: Dulles Virginia
Posts: 590
Re: lwrules

Quote:
Originally posted by lwrules
Once again, if you have a problem, write to Microsoft and stop attacking good business people who are simply doing THEIR job. If in fact the page DID do the thing you implied it did, OF COURSE he wouldn't run it - because that would be distributing a WORM which is clearly illegal.
The ad is distributing an HTA file (a file that can be executed without security) onto a user's machine and then running it. This is an exploit, and this is exactly what is happening with the ad. A good number of email viruses are written as an HTA file. The program is hacking into a machine's registry and changing a setting. This is malicious. Therefore, by your definition, SI is doing something clearly illegal.

I personally wouldn't go that far, as it's not SI's ad.

As for microsoft, we have been in contact with them yesterday and today. Bugtraq gets it next week.

Lastly, you make it sound like I'm gaining something by this thread. Unless of course you consider getting banned from SI (two mins ago), losing my 3rd tier popup default, and $27 gaining something.

Last edited by Sashman; 09-14-2003 at 07:07 PM.
09-13-2003, 12:35 PM   #14
Lil_Red
Registered User
Join Date: Dec 2000
Posts: 1,579
Re: Re: lwrules

Quote:
Originally posted by Sashman
Lastly, you make it sound like I'm gaining something by this thread. Unless of course you consider getting banned from SI (two mins ago), losing my 3rd tier popup default, and $27 gaining something.
Out of curiosity which part of their TOS did you break to get the boot? Or is it simply a case of vindictiveness?
09-13-2003, 12:40 PM   #15
lwrules
Registered User
Join Date: Jan 2000
Location: Richboro, PA, USA
Posts: 82
Consider it a lesson

If you publicly accuse a company and don't state the facts CLEARLY then you open yourself up to problems.

Even in your last post, you STILL neglect to mention that the "malicious" actions are based on a PRE-AGREED terms of service (similar to the justification you use for your own preference switching script) which is fully disclosed on the advertiser's site.