#1
Registered User
Join Date: Nov 2000
Posts: 231
There's a virus/spyware being served from one of FastClick/ValueClicky ad campaigns. We have received several user complaints today, so naturally I went to investigate and I was just able to catch it on our website myself (my virus scanner was tripped). I was unable to identify the actual ad campaign (manual review of all running campaigns didn't trip my anti-virus), but here's the info in case someone else can. All potentially dangerous links are mangled so they don't turn into actual links -- make sure you have the latest anti-virus running if you are brave enough to load any of them (at your own risk of course!!!).

The actual exploit/virus is being detected in the following file:
_http://64.34.181.44/adrun/exp.wmf

The ad (gif) on the page that was displayed when it happens is loaded from (this should be safe to view):
http://g.websponsors.com/graphics/93909/468x60.gif

The browser log file ("Live HTTP headers" plug-in for Mozilla Firefox) shows that the actual ad code was served by the following file:
_http://www.searchplain.com/ADSAdClient37/GetAd/J43/TF=_NEW/1011/SC=LG/LOC=R/ID=0006BFFD968BB8AD/

Which tries to load a number of different files that try to exploit various Windows vulnerabilities:
_http://64.34.181.44/adrun/c.html
_http://64.34.181.44/adrun/index2.html
_http://64.34.166.182/webnetcounters/pps.html
_http://64.34.181.44/adrun/in.html
_http://64.34.166.182/webnetcounters/pl_load.js
_http://64.34.181.44/adrun/ct.html

The IP addresses above all resolve to searchplain.com servers. Needless to say I removed all FastClick banners from our site until this can be resolved. Judging by the user complaints, this has been going on this whole weekend. I've e-mailed FastClick of course, but the form says it can take them 1-2 _business_ days to reply, so I thought I'd warn everyone here as well.
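Added example, not part of the original post: the trace described above (reading a header log to find which ad request pulled in the flagged file) done by following Referer headers over a constructed capture. The hosts, paths and function names are assumptions made for the example; the capture uses reserved placeholder addresses rather than the ones in the post.

```python
import ipaddress
import re
from urllib.parse import urlsplit
RISKY_EXT = (".wmf",)  # file type the poster's scanner flagged
# Constructed capture (simplified "Live HTTP headers" layout); hosts are placeholders.
CAPTURE = """\
GET /GetAd/ID=0001/ HTTP/1.1
Host: adclient.example
Referer: http://publisher.example/forum/

GET /adrun/index2.html HTTP/1.1
Host: 192.0.2.44
Referer: http://adclient.example/GetAd/ID=0001/

GET /adrun/exp.wmf HTTP/1.1
Host: 192.0.2.44
Referer: http://192.0.2.44/adrun/index2.html
"""

def parse_requests(capture):
    """Map each requested URL to its Referer (None when the header is absent)."""
    requests = {}
    for block in re.split(r"\n\s*\n", capture.strip()):
        first, *rest = block.splitlines()
        headers = dict(line.split(": ", 1) for line in rest)
        requests["http://" + headers["Host"] + first.split()[1]] = headers.get("Referer")
    return requests

def is_ip_host(url):
    """True when the URL's host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname)
        return True
    except ValueError:
        return False

def chain(url, requests):
    """Follow Referer headers from url back to the page that started the load."""
    path = []
    while url and url not in path:
        path.append(url)
        url = requests.get(url)
    return path[::-1]

def suspicious_chains(capture):
    """Return {flagged URL: referer chain} for IP-literal hosts and risky file types."""
    reqs = parse_requests(capture)
    return {u: chain(u, reqs) for u in reqs
            if is_ip_host(u) or urlsplit(u).path.lower().endswith(RISKY_EXT)}
```

The second entry of each returned chain is the ad request that introduced the flagged load, which is the URL to report to the ad network.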

#2
Registered User
Join Date: Nov 2000
Posts: 231
I found the ad campaign that seems to be responsible for this -- it's titled "Emanace - Free Xbox". I was taking a closer look at all 468x60 campaigns and noticed that one of them wasn't clickable. Very odd, I thought -- who ever heard of a banner advertiser not interested in users clicking on their ad?? When I right-clicked on the picture in the ad to get the location of where it is served from, I saw something very familiar:
_http://www.searchplain.com/ADSAdClient37/GetAd/J43/TF=_NEW/1011/SC=LG/LOC=R/ID=0006BFFD968BB8AD/

I guess they are using the referer string to load a clean ad when viewed in the FastClick publisher interface and a virus-carrying version for the rest of websites.

#3
Registered User
Join Date: May 2001
Location: UK
Posts: 822
Good find.
I've blocked the ad. Have you told Valueclick about this?
Tim

#4
Registered User
Join Date: Dec 2003
Posts: 563
sigh, this is the 3rd month in a row that there has been a virus in one of their ads

#5
Join Date: May 2001
Location: Beautiful Darwin
Posts: 4,753
Darned if I could find Emanace - Free Xbox
__________________
Darwin NT World Travel Forum

#6
Join Date: Jul 2002
Location: In a Distant land far away from reality
Posts: 431
Quote:

#7
Join Date: Jun 2002
Location: ValueClick Media
Posts: 55
This campaign has been set to off and is currently under review.
Regards,
Matt Sherman
Manager of Media
ValueClick Media
Last edited by Matt Sherman - ValueClick Media; 08-14-2006 at 03:38 AM.

#8
Join Date: May 2001
Location: Beautiful Darwin
Posts: 4,753
Thanks for that Matt

#9
Join Date: Jul 2002
Location: In a Distant land far away from reality
Posts: 431
Quote:

#10
Join Date: May 2001
Location: Beautiful Darwin
Posts: 4,753
*cough* Who ya calling a he?

#11
Join Date: Jul 2002
Location: In a Distant land far away from reality
Posts: 431
Quote:
that's what happens when one tries to do many things at once

#12
Join Date: Apr 2006
Location: USA
Posts: 361
Jan, I think your Avatar with the smoking man gives some people false impressions of your gender. You should get a special icon made for you.

#13
Join Date: May 2001
Location: Beautiful Darwin
Posts: 4,753

#14
Registered User
Join Date: Nov 2003
Location: Knoxville, TN
Posts: 374
Oh, wow --- so it wasn't just me that got confused. I was under the impression that you must be one of those furriners that thought Jan was a boy's name.
Yeah, a new avatar might make things a little clearer. On the other hand, it never hurts to keep people guessing.

#15
Registered User
Join Date: Mar 2012
Posts: 7
lol Jan is a male Polish name for John. No wonder Polish ppl get confused
Last edited by emilsudak; 03-22-2012 at 06:40 PM.