A banner advertisement posted on the MySpace Web site may have infected more than one million users with adware, according to security firm iDefense. The advertisement was included in user profiles on MySpace and could have been operating for about one week.
The deckoutyourdeck.com advertisement exploited a flaw in the way Microsoft  's Internet Explorer (IE) browser handles Windows Metafile (WMF) image files. Users running unpatched versions of IE would never have realized that the banner ad had silently installed programs that generate pop-up ads on their system .
"This is a criminal act," said Hemanshu Nigam, chief security office at MySpace, in a statement. "This ad is being delivered by ad networks who distribute these ads to over a thousand sites across the Internet in addition to ours. We are working to have these ad networks remove this ad so that they do not appear on our site."
Banner Patch
An iDefense spyware analyst, Michael La Pilla, told The Washington Post that he discovered the attack on Sunday as he browsed the MySpace site. When he came across a page with the offending ad, he received a message from his browser asking him if he wanted to open a file named exp.wmf.
After a brief investigation, La Pilla found out that the spyware installation program contacted a Russian-language Web server in Turkey that tracks the PCs on which the program has been installed. The tally had climbed to 1.07 million machines, though La Pilla said the seven Internet addresses contacted by the downloader seem to be inactive now.
According to La Pilla, the ad also attempted to infect users of Webshots.com, a photo-sharing site. Though he cannot pinpoint the date the ads began sending out their spyware, it is believed that it coincided with the occurrence on MySpace on July 12.
The WMF vulnerability was originally discovered last December after hackers exploited the flaw using a specially created WMF image distributed via e-mail, instant message links, and Web sites. When users opened the image, the hacker could take control of the infected PC. Microsoft released a patch for the bug back in January, but many people did not install the patch.
PCs with unpatched systems can become infected simply by accessing a Web page with the deckoutyourdeck.com ad. The exp.wmf Trojan horse program could upload automatically without the warning prompt that La Pilla received. (continued...)
|
