Welcome to the GeekTalk Webmaster Discussion Forums from GeekVillage.com

Old 08-13-2006, 04:26 PM   #1
fatale
FastClick/ValueClick serving a virus!

There's a virus/spyware being served from one of FastClick/ValueClick's ad campaigns. We have received several user complaints today, so naturally I went to investigate and I was just able to catch it on our website myself (my virus scanner was tripped). I was unable to identify the actual ad campaign (manual review of all running campaigns didn't trip my anti-virus), but here's the info in case someone else can. All potentially dangerous links are mangled so they don't turn into actual links -- make sure you have the latest anti-virus running if you are brave enough to load any of them (at your own risk of course!!!).

The actual exploit/virus is being detected in the following file:
_http://64.34.181.44/adrun/exp.wmf

The ad (gif) on the page that was displayed when it happens is loaded from (this should be safe to view):
http://g.websponsors.com/graphics/93909/468x60.gif

The browser log file ("Live HTTP headers" plug-in for Mozilla Firefox) shows that the actual ad code was served by the following file:
_http://www.searchplain.com/ADSAdClient37/GetAd/J43/TF=_NEW/1011/SC=LG/LOC=R/ID=0006BFFD968BB8AD/

Which tries to load a number of different files that try to exploit various Windows vulnerabilities:
_http://64.34.181.44/adrun/c.html
_http://64.34.181.44/adrun/index2.html
_http://64.34.166.182/webnetcounters/pps.html
_http://64.34.181.44/adrun/in.html
_http://64.34.166.182/webnetcounters/pl_load.js
_http://64.34.181.44/adrun/ct.html

The IP addresses above all resolve to searchplain.com servers.

Needless to say, I removed all FastClick banners from our site until this can be resolved. Judging by the user complaints, this has been going on this whole weekend. I've e-mailed FastClick of course, but the form says it can take them 1-2 _business_ days to reply, so I thought I'd warn everyone here as well.
Old 08-13-2006, 04:58 PM   #2
fatale
Found it!

I found the ad campaign that seems to be responsible for this -- it's titled "Emanace - Free Xbox". I was taking a closer look at all 468x60 campaigns and noticed that one of them wasn't clickable. Very odd, I thought -- who ever heard of a banner advertiser not interested in users clicking on their ad?? When I right-clicked on the picture in the ad to get the location of where it is served from, I saw something very familiar:
_http://www.searchplain.com/ADSAdClient37/GetAd/J43/TF=_NEW/1011/SC=LG/LOC=R/ID=0006BFFD968BB8AD/
I guess they are using the referer string to load a clean ad when viewed in the FastClick publisher interface and a virus-carrying version for the rest of the websites.
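Added example, not part of the thread: the manual check described in posts #1 and #2, automated over a browser request capture taken on the live page (post #2 notes the creative looked clean inside the publisher interface). It follows Referer links down from the ad tag and flags chained requests that do not belong in a banner slot. All hosts, paths, the allowlist and the capture are constructed, and `audit_ad_chain` is a hypothetical helper.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed capture in the style of a "Live HTTP headers" log, in request
# order: (requested URL, Referer header). Hosts use reserved example ranges.
TAG = "http://ads.network.example/tag.js?slot=468x60"
CAPTURE = [
    ("http://publisher.example/page.html", ""),
    (TAG, "http://publisher.example/page.html"),
    ("http://cdn.network.example/graphics/468x60.gif", TAG),
    ("http://thirdparty.example/GetAd/ID=TEST/", TAG),
    ("http://192.0.2.44/x/c.html", "http://thirdparty.example/GetAd/ID=TEST/"),
    ("http://192.0.2.44/x/exp.wmf", "http://192.0.2.44/x/c.html"),
    ("http://publisher.example/style.css", "http://publisher.example/page.html"),
]

IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")
# Assumption: hosts the ad network is expected to serve creatives from.
ALLOWED_HOSTS = {"ads.network.example", "cdn.network.example"}

def is_bare_ip(host):
    """True when the URL host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_ad_chain(capture, ad_tag_host):
    """Return (url, reasons) for requests descended from the ad tag that
    look wrong for an image banner. Relies on the capture being in order."""
    in_chain, findings = set(), []
    for url, referer in capture:
        parts = urlsplit(url)
        host = parts.hostname or ""
        descended = referer in in_chain
        if host == ad_tag_host or descended:
            in_chain.add(url)
        if not descended:
            continue  # the page's own resources, or the ad tag itself
        reasons = []
        if is_bare_ip(host):
            reasons.append("bare-ip host")
        elif host not in ALLOWED_HOSTS:
            reasons.append("host not on allowlist")
        if not parts.path.lower().endswith(IMAGE_EXT):
            reasons.append("non-image resource in banner slot")
        if reasons:
            findings.append((url, reasons))
    return findings
```

On the constructed capture, `audit_ad_chain(CAPTURE, "ads.network.example")` reports the third-party ad endpoint and both bare-IP resources, and leaves the network's own GIF and the publisher's stylesheet alone.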
Old 08-13-2006, 05:41 PM   #3
masm50

Good find.

I've blocked the ad. Have you told Valueclick about this?

Tim
Old 08-14-2006, 01:49 AM   #4
fireklown

sigh, this is the 3rd month in a row that there has been a virus in one of their ads
Old 08-14-2006, 02:07 AM   #5
Jan


Darned if I could find Emanace - Free Xbox. Is that listed as one of the new ones?
Old 08-14-2006, 02:53 AM   #6
praveen


 

Quote:
Originally Posted by Jan
Darned if I could find Emanace - Free Xbox. Is that listed as one of the new ones?
couldn't find it in my list as well..
Old 08-14-2006, 03:35 AM   #7
Matt Sherman - ValueClick Media

This campaign has been set to off and is currently under review.

Regards,
Matt Sherman
Manager of Media
ValueClick Media

Last edited by Matt Sherman - ValueClick Media; 08-14-2006 at 03:38 AM.
Old 08-14-2006, 05:47 AM   #8
Jan


Thanks for that, Matt. Good to see a prompt response yet again.
Old 08-14-2006, 06:35 AM   #9
praveen


 

Quote:
Originally Posted by Jan
Thanks for that, Matt. Good to see a prompt response yet again.
what he said
Old 08-14-2006, 06:42 AM   #10
Jan


*cough* Who ya calling a he?
Old 08-14-2006, 07:24 AM   #11
praveen


 

Quote:
Originally Posted by Jan
*cough* Who ya calling a he?



that's what happens when one tries to do many things at once

Old 08-15-2006, 11:10 PM   #12
Alex|Canep Media

Jan, I think your Avatar with the smoking man gives some people false impressions of your gender. You should get a special icon made for you.
Old 08-15-2006, 11:16 PM   #13
Jan

That was suggested earlier for myself and Tyme, but nothing came of it for reasons I can't rightly recall.
Old 08-16-2006, 11:03 AM   #14
gophergas

Oh, wow --- so it wasn't just me that got confused. I was under the impression that you must be one of those furriners that thought Jan was a boy's name.

Yeah, a new avatar might make things a little clearer. On the other hand, it never hurts to keep people guessing.
Old 03-22-2012, 06:38 PM   #15
emilsudak

lol Jan is a male Polish name for John. No wonder Polish ppl get confused

Last edited by emilsudak; 03-22-2012 at 06:40 PM.
All times are GMT -5.

