
Attackers Infect Ads With Old Adobe Vulnerability

kdawson posted more than 5 years ago | from the old-bugs-are-the-best dept.

Security 70

thethibs writes "eWeek is reporting that just as everyone is buzzing about the latest Adobe vulnerability, someone poisoned ads hosted by Ziff-Davis with an older Adobe exploit (affecting versions 8.12 and earlier, and long since patched). Z-D fixed the problem less than 24 hours after its first appearance. The interesting bit of this is that a bunch of people probably got hit with the old Trojan when they browsed to a story about the new one."


In related news... (-1, Offtopic)

Luke727 (547923) | more than 5 years ago | (#26978513)

Jews did 9/11.

Adobe what? (5, Informative)

Anonymous Coward | more than 5 years ago | (#26978525)

While it's fairly evident that they're talking about Adobe Reader, nowhere in the summary does it state which Adobe product this affects. Adobe is a company, not a product, even if it's not called Adobe Acrobat anymore!

Re:Adobe what? (2, Interesting)

RPoet (20693) | more than 5 years ago | (#26979557)

I find that most people who just say "Adobe" mean Adobe Photoshop. Apparently this guy meant Adobe Acrobat Reader. I suspected perhaps he meant Adobe Flash Player. Oh well.

Re:Adobe what? (1)

RudeIota (1131331) | more than 5 years ago | (#26981385)

Just based on the summary, 'poisoned ads' make me think it has nothing to do with Reader and everything to do with Flash.

PDF ads... There's an interesting thought.

another good reason...... (4, Interesting)

Nossie (753694) | more than 5 years ago | (#26978537)

to run scripts selectively ....

Which I do, and with no script the way I have... *shrugs* the little extra hassle is worth all the benefits!

Re:another good reason...... (4, Insightful)

Anonymous Coward | more than 5 years ago | (#26978621)

Yeah, because people like you (running NoScript) are so likely to be running a 2-year-old version of Reader.

Re:another good reason...... (-1, Offtopic)

Nossie (753694) | more than 5 years ago | (#26978679)

huh? who just paid you off today then?

Re:another good reason...... (-1, Offtopic)

The End Of Days (1243248) | more than 5 years ago | (#26979207)

I did. He earned every dime.

Re:another good reason...... (3, Informative)

ion.simon.c (1183967) | more than 5 years ago | (#26979771)

Heh. If they're anything like *me*, they won't be running *any* Adobe software at all. :D

Re:another good reason...... (3, Informative)

iztehsux (1339985) | more than 5 years ago | (#26978671)

Agreed. NoScript isn't a bad option. You could also fix up your hosts file to strip out the banner ads using a list like the one at http://www.mvps.org/winhelp2002/hosts.txt [mvps.org] or even better, just use Lynx!

Re:another good reason...... (5, Informative)

Phroggy (441) | more than 5 years ago | (#26978685)

Blocking scripts isn't guaranteed to protect you from this kind of attack, since the article specifically mentioned that the attack used iframes. Loading a PDF into an iframe can be done with no scripting; this will either trigger a file download or will invoke the Adobe Reader plug-in (or whatever other plug-in your browser is configured to use to display PDF files).

However, if the iframe is inserted into the DOM by a script (not uncommon with advertisements these days), then yeah, blocking scripts would prevent it.

Of course, I imagine the attempt to install a rogue application would trigger a UAC prompt on Vista, protecting anyone on that platform who isn't a moron.

Re:another good reason...... (4, Informative)

Spy der Mann (805235) | more than 5 years ago | (#26978725)

Blocking scripts isn't guaranteed to protect you from this kind of attack, since the article specifically mentioned that the attack used iframes.

Let me remind you that NoScript (TM) not only protects you from scripts. It also protects you from clickjacking (iframes or not), in-iframe browsing, embedded objects and other nuisances.

With noscript installed, the only way I could be hit with malicious code would be through an html or css buffer overflow vulnerability - and that's why I keep my distro up to date.

Re:another good reason...... (5, Insightful)

Akzo (1079039) | more than 5 years ago | (#26979385)

Unless the malicious code was placed on any one of the authors sites or another trusted site.

Re:another good reason...... (0)

Anonymous Coward | more than 5 years ago | (#26983399)

That's why I never surf trusted sites when using NoScript. I use Internet Explorer for that.

Re:another good reason...... (1)

hesaigo999ca (786966) | more than 5 years ago | (#26981029)

I think he meant no script allowed, and not actually NoScript the product though...

Re:another good reason...... (4, Informative)

Anonymous Coward | more than 5 years ago | (#26978767)

Noscript blocks iframes, but not default enabled. You have to drill through preferences, which I do anyway, but some might not.
Perhaps it's time to default-enable security enhancing features and if it BREAKS something, turn them off selectively, instead of the converse.
Or is it more work to click through a menu than to reformat and reinstall because you got hosed?

Re:another good reason...... (1)

Logic Worshiper (1480539) | more than 5 years ago | (#26979605)

I use a default deny policy when browsing the internet. There are only a few sites that have any business running scripts or giving me cookies. Everyone else is blocked.

Re:another good reason...... (2, Informative)

hairyfeet (841228) | more than 5 years ago | (#26981837)

That is why I use Adblock Plus WITH Noscript. Some may think it is overkill, but with Adblock Plus and Noscript I don't have to worry about nastiness like this, as anything one doesn't catch the other will.

Re:another good reason...... (0, Redundant)

FlyingBishop (1293238) | more than 5 years ago | (#26978803)

I open PDFs in an external window, using Evince.

But then that's Linux...

Of course, you can do the same with Foxit or whatnot. I'll just stick with my system with sane, built-in sandboxing.

Block scripting in Adobe Acrobat Reader instead... (0)

Anonymous Coward | more than 5 years ago | (#26985111)

"Blocking scripts isn't guaranteed to protect you from this kind of attack - by Phroggy (441) on Tuesday February 24, @11:39PM (#26978685) Homepage

Correction: It is - but, it depends on WHERE (what app, specifically here) you blocking scripting @!

(AND, in this case? It's better to do in Adobe Acrobat Reader, itself, vs. your webbrowsers in this case)

SO... how to do that?

See here, 1st post @ the top of this page:

HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus, make it "fun-to-do", via CIS Tool Guidance (&, beyond):

http://www.tcmagazine.com/forums/index.php?s=c4108cb7c8260643f003b1737cc429e4&showtopic=2662&st=25&start=25 [tcmagazine.com]

----

SALIENT QUOTE/EXCERPT/DETAILS etc. et al:

(HOW TO TURN OFF JAVASCRIPT USAGE IN ADOBE ACROBAT READER)

1.) Use Adobe Acrobat's EDIT menu

2.) PREFERENCES submenu

3.) Javascript section (in left-hand side column of options)

4.) & uncheck "Enable Acrobat Javascript" in the right-hand side option for that.

----

THUS - By disabling scripting in Adobe Acrobat Reader, of most ANY (@ least recent) versions of it (&, I KNOW that versions 8 & 9 allow this, @ least)? You stall this type of attack, easily...

( &, no "chancing it" by ONLY using NoScript's DEFAULTS (which are NOT as "stringent" as it CAN be) or other means in a browser alone (though, layering those methods ontop of this one cannot hurt)).

----

IMPORTANT NOTE/EDITING MY ORIGINAL POST I INTENDED TO PUT UP W/ SAID "WORK-AROUND" METHOD I PUT UP ABOVE:

There IS a "home brewed patch" out there now, developed by a 3rd party via a HACKED DLL (filename -> AcroRdv9-Patch.zip -> http://www.snort.org/vrt/tools/AcroRdv9-Patch.zip [snort.org] ), for Adobe Acrobat 9 ONLY, but... he's also NOT guaranteeing it vs. other variants of THIS type of attack (run by Adobe's javascripting engines in Acrobat Reader), NOR, in earlier versions of Adobe Acrobat!

HOWEVER - the method I am extolling?

I, however/conversely, DO guarantee it works!

(AND, should even w/ Adobe Acrobat Reader Browser plugins/addons if any, assuming they too, utilize said .DLL/lib's function calls, & odds are in today's "Document Centric Model" & Object-Oriented designs? It does because MOST coders, myself included?? Don't "reinvent the wheel" generally to save time & effort - we USE these prebuilt lib/dll function calls when possible... & HOPE there are no bugs, like this lib/dll has)

Simply too, via the method noted above, & on THIS & other variants of this nature of attack (that exploit faults in Adobe Acrobat's native internal javascript parsing + processing methods) in this application, even in older models that support disabling of javascripting in Acrobat's .pdf extensioned (Windows) docs.

STILL, the "ideal" thing to HOPE & wait for? A patch from Adobe, of course... not workarounds like this.

APK

P.S.=> See, it's ONLY that I had the benefit/advantage of seeing this one coming a LONG time ago (more than a year ago @ least), as well as attacks being used via Adobe Acrobat Reader in the past (like many of you no doubt ALSO have) before this instance of it happening...

(& thus, I put up a SIMPLE method for anybody to utilize, in HOW to stall it @ THE SOURCE, above, more than 1 yr. ago wherever I posted that guide online in late 2007...)

AND, guys? IT WORKS, because "IF YOU CANNOT GO INTO THE scripted KITCHEN, YOU CANNOT GET BURNED" type thinking... apk

Re:Block scripting in Adobe Acrobat Reader instead (1)

SmurfButcher Bob (313810) | more than 5 years ago | (#26985967)

I guess you didn't bother reading Secunia yesterday.

Scripting disable is irrelevant.

Re:Block scripting in Adobe Acrobat Reader instead (0)

Anonymous Coward | more than 5 years ago | (#26986827)

"I guess you didn't bother reading Secunia yesterday. - by SmurfButcher Bob (313810) on Wednesday February 25, @03:11PM (#26985967)

That's NOT quite true... read on!

See this quote, regarding the disabling of javascripting in Adobe:

----

http://secunia.com/blog/44/ [secunia.com]

"While this does prevent many of the currently seen exploits from successfully executing arbitrary code (as they rely on JavaScript), it does not protect against the actual vulnerability."

----

AND, I admit - it's JUST turning off the USE of the .DLL (lib) that has the problem, but, NOT FIXING IT!

(in disabling javascripting in Adobe Acrobat 9.x... you don't call on its functions, & especially with malicious script? NO problems SHOULD result).

(& who says it's NOT javascript inside these malicious .pdf files? AND YES, sure - admittedly, there ARE other ways to take advantage of a buffer overflow, but why, when javascripting is the easiest route, for MOST folks vs. say, firing up debug & compiling data in a memory address space afforded by a buffer overflow, for example (poor one)?)

After all - Javascript?

Hey, it IS the engine .pdf files run from Adobe Acrobat actually USE, in order to execute their macros ("arbitrary code", as 1 possible here, just like in a malicious word .doc file)!

----

AND STRAIGHT FROM ADOBE THEMSELVES:

http://www.adobe.com/support/security/advisories/apsa09-01.html [adobe.com]

"Reports have been published that disabling JavaScript in Adobe Reader and Acrobat can protect users from this issue. Disabling JavaScript provides protection against currently known attacks. However, the vulnerability is not in the scripting engine and, therefore, disabling JavaScript does not eliminate all risk"

----

Thus, you can see, they DO admit it helps... even here, just NOT against "all possibles" (such as other means of exploiting buffer overflows I noted above)...

BUT, they do admit, however, that it DOES stall out the ability to execute arbitrary code (of the malware makers' choosing) & guess what? THAT IS THE ACTUAL MALWARE PAYLOAD detonator, in scripting, & in MOST of the attacks online, today...

----

IMPORTANT:

Also note, that later on in my post?

I do point folks to a FIXED .DLL file for this... but, it too, is NOT guaranteed as a permanent cure & it's NOT for any Adobe Acrobat versions earlier than 9.x though...

APK

P.S.=> AND, what I am noting here? Hey - This is NOT a 'cure', it's a protective work-around... as is the secondary method I noted, of a FIXED .DLL available from a 3rd party, also, as an alternative for Adobe Acrobat 9.x users... apk

So what exactly happened? (4, Interesting)

Phroggy (441) | more than 5 years ago | (#26978627)

So what servers were actually compromised by hackers? According to the article, Stephen Wellman, director of community and content for Ziff Davis Enterprise, says no ZD web sites were compromised and it "was not our fault." Whose fault was it? Does ZD use a third-party advertising service? If so, does anyone else use that same advertising service? If ZD runs its own ad servers, how is this not ZD's fault?

Re:So what exactly happened? (0)

Anonymous Coward | more than 5 years ago | (#26978887)

I loaded eweek in Firefox, and adblock stopped ads from Doubleclick, Googlesyndication, and Atdmt.com. I'm guessing it came from the last one.

Re:So what exactly happened? (4, Insightful)

Phroggy (441) | more than 5 years ago | (#26979229)

I loaded eweek in Firefox, and adblock stopped ads from Doubleclick, Googlesyndication, and Atdmt.com. I'm guessing it came from the last one.

These are huge advertisers (atdmt.com is Microsoft, and you probably know that Google bought DoubleClick). Was one of them hacked? If so, what does this have to do with ZD at all?

Re:So what exactly happened? (2, Informative)

NJRoadfan (1254248) | more than 5 years ago | (#26980567)

I've always wondered how so many machines were getting hit with the Vundo trojan even though the user was only browsing "safe" websites in Firefox. It's likely because many of the major ad providers are running "poisoned" ads. Ad-block Plus is surprisingly effective against this one attack vector.

Re:So what exactly happened? (1)

ion.simon.c (1183967) | more than 5 years ago | (#26983715)

But don't you see? Your favorite sites are going to have to shut down if you use AdBlock, 'cause then you're stealing their content! You're really going to just have to take one for the team.

Re:So what exactly happened? (1)

virtual_mps (62997) | more than 5 years ago | (#26981115)

Ad servers have been distributing malware for years. The way it works is that the "big name" ad server posts content directing your browser to a "partner" who has paid them money. That "partner" could be a legitimate advertiser, or it could be a sleazy malware purveyor who will launch an exploit to install junk on your computer. (No, I'm not sure how you distinguish between "legitimate" and "sleazy" advertisers.) The "big name" ad company doesn't care, they've already been paid. What does this have to do with ZD (or any of the other web sites that have ads)? One might ask whether they've got a "due diligence" requirement to ensure that visitors to their site aren't exposed to malware via their ad server "partner". Unfortunately, the ads are controlled by the business guys, not the technical guys, and there's way too much money involved.

This is why it's ridiculous when microsoft mentions "attacker would have to convince user to visit a web site" as a mitigating factor. This is code for "attack is only viable if user visits web sites with ads". That sure mitigates exposure, doesn't it?

Re:So what exactly happened? (1)

cffrost (885375) | more than 5 years ago | (#26983851)

So what servers were actually compromised by hackers?

Adobe.

Whose fault was it?

Adobe!

Does ZD use a third-party advertising service?

8.12. Adobe, 8.12!

If so, does anyone else use that same advertising service?

Adobe.

If ZD runs its own ad servers, how is this not ZD's fault?

Ad.. adobe?

Work computers (2, Funny)

Sporkinum (655143) | more than 5 years ago | (#26978639)

Our computers at work will probably get trashed from this. They only use Adobe reader, some old unpatched version, and only IE without any adblocking. Microsoft shop don't you know.

Re:Work computers (2, Insightful)

Ilgaz (86384) | more than 5 years ago | (#26980709)

I understand the resistance to upgrading a major version (9), but if one, especially a company, doesn't apply a free update to the same major version, that system is not managed and should be taken off the internet.

As far as I know Adobe uses the ultra paranoid microsoft installer on Windows and it has excellent admin options like rollback and deployment.

Old computer isn't an excuse, they are being real lazy. I mean one should use advantages of the platform if they are stuck with it.

Re:Work computers (1)

cbiltcliffe (186293) | more than 5 years ago | (#26984423)

I've got a customer that's using software - not legacy software, mind you - that requires, get this....Acrobat Reader 4.0. Install anything newer, and it won't work.

Acrobat 4 being the antique POS that it is, it doesn't work on XP as anything other than admin.

Because they have to run in an AD domain environment, that means the receptionist at the front desk has write access to \\server\C$. Brilliant. And the company that writes this crap software doesn't see this as a problem. And because this customer is a franchisee, they have to use whatever software head office mandates, and they don't see it as a problem, either.

Sometime soon I'm going to monitor and see what files and registry keys this thing has to write to, so I can drop everybody to at least a power user, but that's going to be a crapload of work.

Re:Work computers (1)

Ilgaz (86384) | more than 5 years ago | (#26994213)

That is awful but it is really the original software's genius developer to blame.

I wonder how he managed to do it, since Acrobat is more like QuickTime in terms of the way it is developed. You know, if a program is coded without massive hacks and depends on QuickTime in the 4.0 days, you can update QuickTime to 7 and expect it to keep working as usual. I actually have a couple of programs that even work with added performance in such a situation.

Documents are not applications (5, Insightful)

Gothmolly (148874) | more than 5 years ago | (#26978683)

If a "document" wants to _do_ anything, then it is not a document, and should be given the same trust as other programs. The Microsoftification of the world must stop.

Re:Documents are not applications (0)

Anonymous Coward | more than 5 years ago | (#26978769)

Microsoftification

Don't you mean Microsoftening?

Re:Documents are not applications (0)

Anonymous Coward | more than 5 years ago | (#26979749)

Microsofturbation

Re:Documents are not applications (1, Interesting)

Anonymous Coward | more than 5 years ago | (#26978837)

Actually, the early history of the evolution of the graphical web browser--after NCSA Mosaic was first released--tends to show the first ones to try to make an otherwise static HTML document have state (via cookies) and dynamic content (via LiveScript which later became JavaScript) would have been the ones who brought those features to the web in a *Netscape Navigator* release version.

So I tend to go ahead and blame them for de-facto planting the early seeds that allowed for privacy risks and web page vulnerabilities as the technology evolved and also got extended in various ways, rather than improperly blaming Microsoft.

Re:Documents are not applications (3, Insightful)

Gadget_Guy (627405) | more than 5 years ago | (#26979053)

Microsoft predates this with their stupid decision to have macros in Word 6.0 back in 1993. The first time that I read about that feature (that the macros could be saved in the document) I said that it would get used for making a virus. It actually took a surprisingly long time for the first virus to be released.

I imagine that there must have been some similar "feature" in spreadsheets before that.

Word macros aren't really the problem. (3, Insightful)

TiggertheMad (556308) | more than 5 years ago | (#26979731)

It's the decision to allow the macro script to do other things outside of a Word doc that is the problem.

Who cares if accountants have macros that autosum three pages of figures. I just want to punch the idiot who thought that it's OK to have a macro alter/save files other than the active file, or connect to outside data sources (e.g. teh intarwebz) without a big freakin' popup asking for a manual confirmation.

What probably happened is some clever punk thought it would be smart to just tie it to the VBScript engine, and let anything happen, rather than developing a special macro language for office.

Re:Documents are not applications (4, Funny)

artor3 (1344997) | more than 5 years ago | (#26979071)

... rather than improperly blaming Microsoft

Woah, woah, woah.... just where do you think you are?

Re:Documents are not applications (3, Interesting)

mcrbids (148650) | more than 5 years ago | (#26979217)

You mean, like when a text file starts behaving like a program? What about simple text files with '#! /bin/sh' on the first line?

Unix had it right: everything is a file. Period. Programs, data ports, IP connections, shell scripts. All files. Simple, human-understandable permissions. This isn't anything to do with Microsoft, it's just the natural order of developers scratching their itch.

Re:Documents are not applications (0)

Anonymous Coward | more than 5 years ago | (#26981087)

Are you saying that there aren't any Unix applications that load documents that contain executable code or script? I'm sure there are quite a few of these types of things on the Unix platform. And I would bet that in those cases the code is running with the privileges of the application and not the document (same as on Windows).

Re:Documents are not applications (0)

Anonymous Coward | more than 5 years ago | (#26981953)

Unix did get it right. If a text file doesn't have an execute bit, it is just a data file.

(Well, for the most part. Unix config files tend to have a lot of software/macro logic built into them, unlike the Windows Registry, for example, which makes them susceptible to doing things like Word macro documents can do. Except if you are not running as admin, then there should be no way to exploit them.)

Re:Documents are not applications (1)

GF678 (1453005) | more than 5 years ago | (#26979645)

If a "document" wants to _do_ anything, then it is not a document, and should be given the same trust as other programs. The Microsoftification of the world must stop.

If we followed your logic, we'd never have web apps.

Re:Documents are not applications (0)

Anonymous Coward | more than 5 years ago | (#26980407)

good

Re:Documents are not applications (0)

Anonymous Coward | more than 5 years ago | (#26983045)

AndNothingOfValueWasLost

Re:Documents are not applications (0)

Anonymous Coward | more than 5 years ago | (#26987787)

If a "document" wants to _do_ anything, then it is not a document, and should be given the same trust as other programs. The Microsoftification of the world must stop.

If we followed your logic, we'd never have web apps.

...and?

Re:Documents are not applications (0)

Anonymous Coward | more than 5 years ago | (#26981473)

If a "document" wants to _do_ anything, then it is not a document, and should be given the same trust as other programs. The Microsoftification of the world must stop.

But I thought information *wants* to be free.

The company is vulnerable? (2, Funny)

ThrowAwaySociety (1351793) | more than 5 years ago | (#26978841)

I see no mention in the summary of a specific product. Since I'm not going to RTFA, should I just assume that, since I don't own Adobe stock, I'm not affected?

Yes please ban all the hacker archives from view (0)

Anonymous Coward | more than 5 years ago | (#26978857)

yup the UHA is laughing at you all now.
OH sorry but you have banned and filtered out the site, guess you can't look into the past and KNOW what's coming next can you.

GOOD ON THEM ALL AND DESERVEDLY SO

P.S. just to let your readership know there about 10 GOOD exploits a year that come back to life, and by good i mean those with really sweet luscious effects

Don't use AR. If you must use AR, turn off JS. (4, Insightful)

bcrowell (177657) | more than 5 years ago | (#26978885)

Don't have anonymous sex with strangers in bath-houses. Or if you must have anonymous sex with strangers in bath-houses use a condom. This has been a public service message.

In other words, don't use AR. Use Evince (on Linux) or Sumatra PDF (Windows). If you must use AR, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".

No, none of this has much to do with PDF's merits as a file format. Embedding JS in PDF was a mistake. The mistake won't hurt you if you take these elementary precautions.
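The Secunia and Adobe quotes further up the thread make the same point as this post: JavaScript is the usual trigger for the payload even though it is not the vulnerability itself, so a downloaded PDF that carries script or auto-run actions deserves suspicion before any reader opens it. The following is an added example, not code from the article, from Adobe or from any commenter: a small Python scanner that looks for the PDF name objects (/JavaScript, /JS, /OpenAction, /AA, /Launch) that make a document "do" something, after undoing the `#xx` hex escaping that PDF syntax allows inside names (an obfuscation that a plain string search would miss). The two sample PDFs are constructed for the example.

```python
"""Flag PDF files that carry active content (JavaScript, auto-run actions).

Added example, not code from the article or from Adobe. It inspects the raw
bytes of a PDF for the name tokens Reader uses to trigger scripts and
actions. Name tokens may contain '#xx' hex escapes (e.g. /J#53 for /JS), so
those are decoded first. The sample PDFs at the bottom are constructed.
"""
import re

# Name objects that indicate script or automatic actions in a PDF.
ACTIVE_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")

# Name tokens end at whitespace or a PDF delimiter; this lookahead keeps
# '/JS' from matching the start of some longer, unrelated name.
_TOKEN_END = rb"(?=[\s/\[\]<>(){}%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Decode '#xx' hex escapes so that /Java#53cript reads as /JavaScript.

    The substitution is applied to the whole file, not just name tokens;
    that is fine for detection, where a false decode inside stream data
    costs nothing.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_active_names(data: bytes) -> dict:
    """Return {name: count} for every active-content name present in data."""
    text = normalize_names(data)
    counts = {}
    for name in ACTIVE_NAMES:
        pattern = re.escape(name.encode()) + _TOKEN_END
        n = len(re.findall(pattern, text))
        if n:
            counts[name] = n
    return counts


def has_active_content(data: bytes) -> bool:
    """True when the PDF contains any script or auto-run action name."""
    return bool(count_active_names(data))


def scan_file(path: str) -> dict:
    """Convenience wrapper: scan a PDF on disk."""
    with open(path, "rb") as fh:
        return count_active_names(fh.read())


# Constructed sample: a one-page PDF with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the catalog has an /OpenAction that runs a JavaScript
# action, with the action's names hex-escaped the way evasive files do.
SCRIPTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
4 0 obj << /Type /Action /S /Java#53cript /J#53 (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("scripted", SCRIPTED_PDF)):
        print(label, has_active_content(sample), count_active_names(sample))
```

A hit does not prove malice (forms and some legitimate documents use JavaScript too), but for a PDF that arrived unasked from an ad redirect it is enough reason not to open it in a reader that has scripting enabled.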

Re:Don't use AR. If you must use AR, turn off JS. (1)

jez9999 (618189) | more than 5 years ago | (#26980005)

Wait; back up.

How do I have sex with a PDF again?

Re:Don't use AR. If you must use AR, turn off JS. (0)

Anonymous Coward | more than 5 years ago | (#26980029)

He means you have sex with a PDFile.

Re:Don't use AR. If you must use AR, turn off JS. (1)

thePowerOfGrayskull (905905) | more than 5 years ago | (#26983923)

Also, disable the embedded reader for PDFs... that way no documents can be opened without your knowledge.

Interesting (1)

binaryseraph (955557) | more than 5 years ago | (#26978915)

Ads through most of Ziff-Davis are run through an Ad serving system called DART- made by Double Click and owned by Google. What is interesting is that DART has an internal checker that scans rich media and .swf files for security vulnerabilities. It is surprising that these were not caught from the start.

Re:Interesting (2, Informative)

andy.ruddock (821066) | more than 5 years ago | (#26979433)

The ads, as served from Ziff-Davis, performed redirects to a third-party site. It was this third-party site which was hosting the malicious pdf files. They probably escaped automatic checking in this manner.
Any advertiser is going to want a click to end up as a visit to their site, one way or another - and once there it's out of Ziff-Davis' hands.

Re:Interesting (1)

gad_zuki! (70830) | more than 5 years ago | (#26983395)

If dart can be compromised to serve up malicious files then chances are it can be compromised to disable this scan too.

That Trojan came full circle and INFECTed (0)

davidsyes (765062) | more than 5 years ago | (#26979033)

their ads....

Haven't they heard of protection? They should use a tube of some adstroglide. I bet someone's ads will be busted. Talk about exPLOITUS enterRUPTus...

What ads? (0, Redundant)

actionbastard (1206160) | more than 5 years ago | (#26979043)

Jeez people, get with the program [adblockplus.org] already.

Gotta case, right here (1, Informative)

Anonymous Coward | more than 5 years ago | (#26979073)

Yup, this happened to me. Browsed to one of their pages using Firefox. Immediately, without any user interaction, a file called doc.pdf was downloaded from feelyouinside.com. Since I was using Firefox 10 with evince, everything stopped there. --AA

Re:Gotta case, right here (1)

andy.ruddock (821066) | more than 5 years ago | (#26979463)

Maybe Ziff-Davis, and other site owners, should be insisting on sanitized ads. An image, some text, an html link - why should an advertiser require more?
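The "image, text, link" creative this comment asks for can be enforced mechanically, and the same allowlist answers Phroggy's point earlier in the thread that an iframe can pull in a PDF with no script at all. The following is an added example, not code from Ziff-Davis, DoubleClick/DART, or any commenter: a Python validator that parses an HTML creative with the standard library's `html.parser` and rejects anything beyond plain markup, namely non-allowlisted elements (so `<iframe>`, `<object>`, `<embed>` and `<script>` all fail), inline `on*` event handlers, URLs that are not absolute http(s) links to an allowlisted advertiser host, and links to document types a browser would hand to a plug-in. The `ALLOWED_HOSTS` set and the sample creatives are constructed for the example.

```python
"""Allowlist validator for third-party ad creatives.

Added example, not code from any ad network. A creative passes only if it
consists of allowlisted elements, no inline event handlers, and absolute
http(s) URLs to allowlisted hosts that do not point at plug-in documents.
ALLOWED_HOSTS and the sample creatives below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"a", "img", "div", "span", "p", "br", "b", "i", "strong", "em"}
URL_ATTRS = {"href", "src"}
# Constructed allowlist; a real deployment would load this per advertiser.
ALLOWED_HOSTS = {"ads.example-advertiser.test", "cdn.example-advertiser.test"}
# Extensions the browser would pass to a plug-in or download rather than render.
PLUGIN_EXTENSIONS = (".pdf", ".swf", ".exe", ".jar")


def check_url(url: str, tag: str) -> list:
    """Return the problems with one href/src value (empty list if clean)."""
    problems = []
    parts = urlsplit(url.strip())
    # Relative and non-http URLs (javascript:, data:, about:) are rejected;
    # creatives must use absolute links so the host can be checked.
    if parts.scheme not in ("http", "https"):
        problems.append(f"non-http URL scheme '{parts.scheme}' on <{tag}>")
        return problems
    if parts.hostname not in ALLOWED_HOSTS:
        problems.append(f"host '{parts.hostname}' on <{tag}> is not allowlisted")
    if parts.path.lower().endswith(PLUGIN_EXTENSIONS):
        problems.append(f"<{tag}> points at a plug-in document: {parts.path}")
    return problems


class CreativeValidator(HTMLParser):
    """Collects every rule violation found while parsing a creative."""

    def __init__(self):
        super().__init__()
        self.problems = []

    def handle_starttag(self, tag, attrs):
        # Self-closing tags (<img .../>) are routed here by HTMLParser too.
        if tag not in ALLOWED_TAGS:
            self.problems.append(f"disallowed element <{tag}>")
            return
        for name, value in attrs:
            if name.startswith("on"):          # onload=, onclick=, ... inline script
                self.problems.append(f"inline event handler {name} on <{tag}>")
            elif name in URL_ATTRS:
                self.problems.extend(check_url(value or "", tag))


def validate_creative(html: str) -> list:
    """Return the list of problems; an empty list means the creative is clean."""
    v = CreativeValidator()
    v.feed(html)
    v.close()
    return v.problems


# Constructed samples.
GOOD_CREATIVE = (
    '<a href="https://ads.example-advertiser.test/landing">'
    '<img src="https://cdn.example-advertiser.test/banner.png" alt="Banner"></a>'
)
# Script-free iframe to a PDF plus a script that would inject another one.
BAD_CREATIVE = (
    '<div onload="x()">'
    '<iframe src="https://malicious.example/doc.pdf"></iframe>'
    '<script>document.write("<iframe src=\'https://malicious.example/\'>")</script>'
    '</div>'
)
# Allowlisted host, but the link hands the visitor a PDF.
PDF_LINK_CREATIVE = '<a href="https://cdn.example-advertiser.test/brochure.pdf">Read</a>'

if __name__ == "__main__":
    for label, creative in (("good", GOOD_CREATIVE), ("bad", BAD_CREATIVE),
                            ("pdf-link", PDF_LINK_CREATIVE)):
        print(label, validate_creative(creative) or "clean")
```

The validator only sees the creative as delivered; a redirect chain to an advertiser's own site, as andy.ruddock describes above, is out of its reach, which is exactly why the host allowlist matters more than any blocklist.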

Re:Gotta case, right here (0)

Anonymous Coward | more than 5 years ago | (#26979821)

Firefox 10? Is it worth upgrading from 3?

I got hit by a very similar one (3, Informative)

Anonymous Coward | more than 5 years ago | (#26979445)

I got hit before the weekend by a very similar one, but not exactly the same.

Browsing with fully patched FF & WinXP. But yeah, I have the little puppy updater from Adobe disabled (because it tries to shit everywhere). Why can't people make an updater that is just an updater and doesn't try to sneak in other shit?

Anyways, I was looking for some guitar cases, and a pop-under showed up (apparently this is another problem that cannot be fixed 100%...), and then a crash message saying "~.exe" had crashed. You try to google ~.exe, and see what you find...

Okay, so I realize this is not good and bring up task manager and see a task named "4.pr". Fuck, this is really not good.

So I unplug, go to another machine and figure some stuff out. There's two files in the c: root directory: p3.bat and 4.pr. Looks like also some rogue version of wdmaud.sys.

Looks like the crash caused the trojan to not install successfully, but still, this is the first time in my > 20 years messing with computers that I got p0wned.

So I'm mad as hell, and sure, I'm stupid. I know FF loads certain plugins automagically (which is something I really don't like) but I didn't really think of it loading AR... Normally I download PDFs first. As a matter of fact, I DON'T WANT to use AR as a plugin.

In any case, I've decided a couple of things:
- I will never install Acrobat Reader again. I will advise anyone that listens to do the same. Either find an alternative, or just forget about viewing the content. It can't be that important.
- For other plugins, especially those that are hard to do without like Flash, I will search for Open Source alternatives.
- VMs. I never liked VMs, but it seems like there's no way around it. I'm thinking three VMs: one for crazy browsing, one for the normal stuff (eBay/slashdot) and one for sensitive stuff (banks/paypal). The big advantage is that you can snapshot them, so that if one gets hit, you aren't immediately dead in the water. Instead you fire up the old snapshot.
- Again review what can be done to have a reasonable browsing experience while having plugins disabled by default.
- All (remotely) sensitive data goes on a truecrypt drive that automatically dismounts. I've been using it for really sensitive data and it works great.

But the other thing I have to say though: PLEASE Firefox developers, have a mode that does NOT load any plugins, but displays their content as an empty square first. Then if you want to see it, I can click on it or something. Maybe noscript is the thing; last time I looked it was too tedious to use. Maybe now I'll feel differently.

btw. Just for shits and grins, you should look at what plugins are installed for Firefox: Tools->Add-ons->Plugins tab. I was surprised to say the least.

Re:I got hit by a very similar one (1)

Logic Worshiper (1480539) | more than 5 years ago | (#26979661)

Install NoScript, and use it to turn off plug-ins except where you want them. My computer is set with a default deny policy for browsing the internet. I have NoScript, I block everything untrusted, including Flash and iframes, I also have CookieSafe, and I block all cookies except those I want, and I have Adblock Plus to block all ads and malicious tracking sites. NoScript will block almost all active content in Firefox. If that's not good enough install Opera, and configure it how you want it (Opera is easier to configure to block all content than Firefox).

You can always install Linux. That'll give you better security than taking your XP box off-line and transferring data with a flash drive.

Re:I got hit by a very similar one (1)

oDDmON oUT (231200) | more than 5 years ago | (#26980495)

Just for shits and grins, you should look at what plugins are installed for Firefox: Tools->Add-ons->Plugins tab.

Okees.

So I look and I find:

  • Default Plug-in (Netscape Navigator Default Plug-in)
  • Java Embedding Plug-in
  • Quick Time Plug-in
  • Shockwave Flash
  • Shockwave for Director

Am I supposed to find something sinister here?

Just curious, because here's my typical FF Extension/Addons/Etc. Set that I run under Win and Mac FF 3:

Enabled Extensions: [16]

        * Adblock Filterset.G Updater 0.3.1.3
        * Adblock Plus 1.0.1
        * ColorZilla 2.0.2
        * Forecastbar Enhanced 0.9.6
        * Greasemonkey 0.8.20090123.1
        * MR Tech Toolkit 6.0.3.3
        * NoScript 1.9.0.6
        * ObPwd 0.1
        * Organize Search Engines 1.4
        * Source Viewer Tab 0.3.2009021201
        * Splash 2.0.2
        * SSL Blacklist 4.0.30
        * SSL Blacklist Local Database 1.0.6
        * Tab Mix Plus 0.3.7.3
        * Ubiquity 0.1.6
        * User Agent Switcher 0.6.11

Total Extensions: 19

Installed Themes: [3]

        * Default
        * GrApple Delicious (blue) 1.0.4
        * GrApple Delicious (graphite) 1.0.4

If there's something amiss with this I'd like to correct it.

Re:I got hit by a very similar one (0)

Anonymous Coward | more than 5 years ago | (#26995015)

Looks pretty reasonable.

On one of my WinXP boxes it looks like Microsoft got a little liberal:

- Google Updater
- Java(TM) Platform SE6 U11 - Java(TM) Platform SE binary
- Java(TM) Platform SE6 U11 - Java Plug-in 1.6.0_11 for Netscape Navigator (DLL Helper)
- Microsoft Office 2003
- Microsoft DRM
- Microsoft DRM
- Mozilla Default
- QuickTime
- Shockwave Flash
- Silverlight Plug-In
- Windows Genuine Advantage
- Windows Media Player Plug-in DLL
- Windows Presentation Foundation

I'm guessing at some point I ran Windows update from Firefox. Still, pretty fucked up; I only remember ok'ing a few of those.

What a relief (1)

luftrofl (1212770) | more than 5 years ago | (#26979887)

"The interesting bit of this is that a bunch of people probably got hit with the old Trojan when they browsed to a story about the new one." Is anybody else relieved that the word "interesting" was used instead of "irony?" This seems like the perfect place to misuse the word "irony."

Tech support question (0, Offtopic)

crocodill (668896) | more than 5 years ago | (#26980399)

Can someone please tell me how to change the font when I'm typing a document in microsoft?

This explains those random PDFs on my desktop (2, Interesting)

Spatial (1235392) | more than 5 years ago | (#26980901)

I have PDFs set to automatically download to my desktop in FF, since the Adobe plugin has a habit of crashing and it's very slow.

It seems that I was fortunate. I never opened them since I didn't know where they came from, they went straight to the bin.

why is there script? (0)

Anonymous Coward | more than 5 years ago | (#26983985)

Why is there scripting in an acrobat document anyway?