Topic: Security

Fake Antivirus XP pops-up at Cleveland.com

Summary: Have we reached the phrase when targeted advertising would equal evasive malware campaigns pushed through third-party ad networks, to a geolocated set of visitors only? Could be.

By Dancho Danchev for Zero Day | February 10, 2009 -- 04:11 GMT (20:11 PST)

Follow @danchodanchev

Have we reached the phrase when targeted advertising would equal evasive malware campaigns pushed through third-party ad networks, to a geolocated set of visitors only? Could be. During the weekend, rogue antivirus XP pop-ups were served to visitors of Cleveland.com, according to visitors' complaints which I also managed to verify.

Investigating further reveals that the very same ad network that was used to serve similar Antivirus 2009 pop-ups at AllRecipes.com in November, appears to have been the one (tacoda.net) that cybercriminals once again used in Cleveland.com's case.

With efficiency-centered ad networks in terms of allowing publishers faster access to their networks, every cybercriminal, no matter the ad network in question, can easily become a publisher - the basics of malvertising whose key advantage from the cybecriminal's perspective remains the opportunity to target high trafficked web sites which aren't susceptible to common exploitation tactics.

What ad networks should set as a priority is establishing a more transparent process about what measures -- if any -- have they undertaken to verify that the publisher's sites aren't disseminating malware or client-side exploits. For instance, plain simple cross-checking (for starters) of the rogue security software domains that appeared at Cleveland.com against Google's Safebrowsing database, indicates that they're already marked as harmful.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

46 comments

Log in or register to join the discussion

something needs to be done about antivirus 2009

I click on a url link from a legit site and this page with anti-virus 2009 popped up.

The only way to get rid of it was to turn off my PC and restart.

Randalllind
10 February, 2009 07:39

Reply Vote
- Lucky... and smart
  
  Actually you're lucky and smart. One thing never to do is click on anything in those ads. In most of the any button you press - even "Cancel" does the same thing as saying "install me". Killing IE would of most likely helped as well.
  
  Try changing your DNS to OpenDNS. They've blocked the Antivirus XP/2008/2009 sites - which helps.
  
  Gis Bun
  10 February, 2009 07:50
  
  Reply Vote
  - Lucky... and smart????
    
    How does clicking on something in your browser install software on your computer? Is there some sort of unpatched vulnerability in your operating system?
    
    Alan(UK)
    10 February, 2009 09:46
    
    Reply Vote
    - It does not matter.
      
      Clicking "cancel" in a browser is like clicking "OK." It's the same effect, no matter if you've patched Windows.
      
      Grayson Peddie
      10 February, 2009 10:18
      
      Reply Vote
      - It does not matter???
        
        Really! A feature, not a bug. Surely Windows cannot be that bad? Isn't there some way to turn it off? Is it enabled by default?
        
        Alan(UK)
        10 February, 2009 12:13
        
        Reply Vote
      - Their trick...
        
        ...is to use an image link that looks exactly like a default Windows XP dialog box.
        
        Since it's an image/link displayed in a browser window, every last pixel of that dialog will steer you to their "download". Cancel, OK, control buttons in upper corner, title bar, little triangle/exclamation point icon, text, etc., you may click on will produce the same effect.
        
        In these guys case, it's malware city for clicking on their "link"...
        
        svpaladin@...
        10 February, 2009 17:54
        
        Reply Vote
      - So basically
        
        The picture is a link to their site..
        
        How is this a problem, unless you are using IE and they employ some kind of drive-by installation? In any other browser wouldn't you be asked before the site is allowed to download a file and run it?
        
        AzuMao
        11 February, 2009 16:27
        
        Reply Vote
      - Dose not matter what web browser you use
        
        I work computer support at my university and AntiViruse 2009 is biggest problem we have when it comes to mailware. I have ran test in virtual machines and found that in both IE and Firefox that if you click the link it is able to install its self the con artist that writes this maleware is pretty clever in the exploits he/she uses.
        
        japrovo88
        11 February, 2009 17:06
        
        Reply Vote
      - Okay
        
        So he found a drive-by exploit that works for IE [i]and[/i] Firefox? Still not a problem, since any sane Firefox user will have Adblock and NoScript, so the ad containing it won't even load to begin with.
        
        AzuMao
        11 February, 2009 17:11
        
        Reply Vote
      - Not realy
        
        It can be that the whole thing is in fact just one big "OK" button.
        
        Also, what a button say, and what it does realy don't need to be the same thing.
        You can very easily have a "Cancel" button that realy is an "OK" button.
        Even the close button of a window can be rigged to do something else than cleaning up and close the application, like installing some malware in a background task.
        
        Kualinar
        12 February, 2009 12:33
        
        Reply Vote
  - Alt-F4
    
    Just use the Widows shortcut Alt-F4 to close the advert window. Don't use the mouse. They have all mouse events wired to basically click OK
    
    AiR_GuNNeR
    12 February, 2009 05:23
    
    Reply Vote
    - thanks for Alt-F4
      
      Thanks for telling us that. I wish I had known that before automatically trying to cancel it with the red X. Now, how to get rid of it?
      
      hizaleus
      12 February, 2009 09:19
      
      Reply Vote
    - It to can be usurpated
      
      The safest way is to use the task manager and kill the process.
      
      The Alt-F shortcut calls the shut down process of the programm running in the window.
      That process normaly do some house cleaning tasks before exiting.
      It can also do all sorts of other thing. What if that "house cleaning" goes on to actualy install some stuff?
      
      Kualinar
      12 February, 2009 12:39
      
      Reply Vote
    - Don't need Alt+F4
      
      Just use Firefox and set it not to allow javascript to disable window controls. "Problem" solved!
      
      AzuMao
      14 February, 2009 16:46
      
      Reply Vote
- Antivirus 2009 complications
  
  I got bagged on a home machine that was running AVG. The popup has the AVG logo in the top left corner, and I thought it was AVG reacting to a virus. Mistake. This thing is so insidious, it's nearly impossible to get out once it's in there. I ended up getting virtumond and smitfraud before I pulled the 'net connection, and every combination of Spybot, Ad-Aware and AVG scans I throw at them are useless. They get cleaned out, you reboot and they're back, even WITHOUT an internet connection. It ended up wiping out some init files, and I couldn't get past the XP login screen (google "XP logon/logoff problem" and you'll see). I did a "repair" install of XP from the original discs, and the login problem was fixed, but I lost access to one of my RAID channels. This thing has grown into a full-blown disaster. If you see that screen popup, PULL THE PLUG. Crash your system, then start scanning to see if it stuck. I've been doing this stuff since 286s were around, and this is as bad as I've ever had to deal with.
  
  Good luck all.
  
  elt100
  12 February, 2009 07:04
  
  Reply Vote
- Zdnet sponsored by antivirus 2009?
  
  on the previous screen, under sponsored links, there was a link to Antivirus 2009 - so even Zdnet is being sponsored by Antivirus 2009??????? I saved a screenshot, because I could not believe my eyes!!!! The link underneath the ad read "www-download24.com"
  
  Dekkerfan
  12 February, 2009 07:37
  
  Reply Vote
  - Silly
    
    It has nothing to do with ZDNet or any other website. It's being served up by the ad servers. If you use a decent browser like Firefox and block the ads you won't see it anymore.
    
    AzuMao
    14 February, 2009 16:49
    
    Reply Vote
RE: Fake Antivirus XP pops-up at Cleveland.com

Removing this from a friend's pc, I spend considerable time until I found a download that did the job for free

http://www.bleepingcomputer.com/malware-removal/remove-antivirus-pro-2009

arensteinmarc@...
10 February, 2009 07:50

Reply Vote
But but..

If I only go to well known sites, I'm safe!!!

</sarcasm>

rpmyers1
10 February, 2009 08:22

Reply Vote
- Ummm.... No.
  
  The way I go about surfing is I treat every and any site as a potential to serve malware.
  
  The one and only, Cylon Centurion
  10 February, 2009 15:45
  
  Reply Vote