FastClick/ValueClick serving a virus!

[fatale]

There's a virus/spyware being served from one of FastClick/ValueClicky ad campaigns. We have received several user complaints today, so naturally I went to investigate and I was just able to catch it on our website myself (my virus scanner was tripped). I was unable to identify the actual ad campaign (manual review of all running campaigns didn't trip my anti-virus), but here's the info in case someone else can. All potentially dangerous links are mangled so they don't turn into actual links -- make sure you have the latest anti-virus running if you are brave enough to load any of them (at your own risk of course!!!).

The actual exploit/virus is being detected in the following file:
_http://64.34.181.44/adrun/exp.wmf

The ad (gif) on the page that was displayed when it happens is loaded from (this should be safe to view):
http://g.websponsors.com/graphics/93909/468x60.gif

The browser log file ("Live HTTP headers" plug-in for Mozilla Firefox) shows that the actual ad code was served by the following file:
_http://www.searchplain.com/ADSAdClient37/GetAd/J43/TF=_NEW/1011/SC=LG/LOC=R/ID=0006BFFD968BB8AD/

Which tries to load a number of different files that try to exploit various Windows vulnerabilities:
_http://64.34.181.44/adrun/c.html
_http://64.34.181.44/adrun/index2.html
_http://64.34.166.182/webnetcounters/pps.html
_http://64.34.181.44/adrun/in.html
_http://64.34.166.182/webnetcounters/pl_load.js
_http://64.34.181.44/adrun/ct.html

The IP addresses above all resolve to searchplain.com servers.

Needless to say I removed all FastClick banners from our site until this can be resolved. Judging by the user complaints, this has been going on this whole weekend. I've e-mailed FastClick of course, but the form says it can take them 1-2 _business_ days to reply, so I thought I'll warn everyone here as well.

[fatale]

I found the ad campaign that seems to be responsible for this -- it's titled "Emanace - Free Xbox". I was taking a closer look at all 468x60 campaigns and noticed that one of them wasn't clickable. Very odd, I thought -- who ever heard of a banner advertiser not interested in users clicking on their ad?? When I right-clicked on the picture in the ad to get the location of where it is served from, I saw something very familiar:
_http://www.searchplain.com/ADSAdClient37/GetAd/J43/TF=_NEW/1011/SC=LG/LOC=R/ID=0006BFFD968BB8AD/
I guess they are using the referer string to load a clean ad when viewed in the FastClick publisher interface and a virus carrying version for the rest of websites.

[masm50]

Good find.

I've blocked the ad. Have you told Valueclick about this?

Tim

[fireklown]

sigh, this is the 3rd month in a row that there has been a virus in one of their ads

[Jan]

Darned if I could find Emanace - Free Xbox Is that listed as one of the new ones?

[praveen]

Quote:

Originally Posted by Jan

Darned if I could find Emanace - Free Xbox Is that listed as one of the new ones?

couldnt find it in my list as well..

[Matt Sherman - ValueClick Media]

This campaign has been set to off and is currently under review.

Regards,
Matt Sherman
Manager of Media
ValueClick Media

[Jan]

Thanks for that Matt Good to see a prompt response yet again

[praveen]

Quote:

Originally Posted by Jan

Thanks for that Matt Good to see a prompt response yet again

what he said

[Jan]

*cough* Who ya calling a he?

[praveen]

Quote:

Originally Posted by Jan

*cough* Who ya calling a he?

thats what happens when one tries to do many things at once

[Alex|Canep Media]

Jan, I think your Avatar with the smoking man gives some people false impressions of your gender. You should get a special icon made for you.

[Jan]

That was suggested earlier for myself and Tyme, but nothing came of it for reasons I can't rightly recall.

[gophergas]

Oh, wow --- so it wasn't just me that got confused. I was under the impression that you must be one of those furriners that thought Jan was a boy's name.

Yeah, a new avatar might make things a little clearer. On the other hand, it never hurts to keep people guessing.

[emilsudak]

lol Jan is a male Polish name for John. No wonder Polish ppl get confused