August 20, 2008 5:24 PM PDT

Malicious Flash ads attack, spread via clipboard

by Elinor Mills

A new type of Internet-based attack is spreading in which Flash-based ads seize control of a Web surfer's clipboard and paste in a link to a malicious site in the hopes that it will be spread from there into e-mails, blogs, and instant messages.

The ads have been spotted on MSNBC.com, Newsweek.com, and Digg.com, and victims have reported on numerous forums and blogs that the ads pose as fake alerts saying a virus has been detected on the computer and offering to clean it up, according to antivirus vendor Sophos.

The malicious link, which includes "xp-vista-update" in the URL, is copied into the clipboard and cannot be overwritten by copying new text to the clipboard. Users must reboot the computer to remove the link, The Register reports.

The malware appears to affect Mac, Windows, and Linux machines and Firefox, Internet Explorer, and Safari browsers, according to ZD Net's Zero Day blog.

Chris Thornton, who created the "ClipMate" clipboard extender for Windows, gave an interesting description of the situation on his Clipboard Extender Dot Com blog:

"Someone wrote a little piece of Adobe Flash code to copy text to the clipboard. Then they put it in a loop, to do it once a second. Then they put it in an innocent-looking flash-based banner ad, with their harmful URL as the payload. Then they signed up for some advertising networks, and submitted their bad ad, presumably paying considerable $$$ to get it featured on sites that you and I visit regularly, such as MSNBC and Digg. And when someone has this ad loaded, they can copy all they want, but everything they paste will be just that URL. So if you are writing an e-mail to Aunt Millie, telling her to look at your eBay auction located at (paste), or to download Picasa to organize her photos - download here (paste), she's going to get the virus when she visits the bad site."
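As an added illustration (not code from this article or from Thornton's blog), the behavior he describes leaves a recognizable trace: each thing the user copies is replaced within about a second by the same URL. The sketch below checks a log of clipboard observations for that pattern; the event format, the thresholds, and the sample URL are assumptions made up for the example.

```python
from urllib.parse import urlparse

REVERT_WINDOW = 2.0  # seconds; the quoted description has the ad rewriting once a second
MIN_REVERTS = 2      # distinct user copies the same value must overwrite before we flag it
BAD = "http://xp-vista-update.example/scan"  # constructed placeholder, not the real link

# Constructed samples: (seconds, kind, text). "copy" is a copy the user made,
# "read" is what a monitor read back from the clipboard afterwards.
HIJACKED = [
    (0.0, "copy", "my eBay auction"), (0.4, "read", "my eBay auction"),
    (1.1, "read", BAD),
    (5.0, "copy", "http://picasa.google.com/"), (5.9, "read", BAD),
    (9.0, "copy", "Dear Aunt Millie"), (9.8, "read", BAD),
]
NORMAL = [
    (0.0, "copy", "first note"), (1.0, "read", "first note"),
    (3.0, "read", "first note"),
    (10.0, "copy", "http://picasa.google.com/"),
    (20.0, "read", "http://other.example/"),  # changed long after the copy
]


def looks_like_url(text):
    parts = urlparse(text.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def find_clipboard_hijack(events):
    """Return the URL that keeps replacing what the user copied, or None."""
    reverts = {}      # url -> set of user-copied texts it overwrote
    pending = None    # (time, text) of the latest user copy still being watched
    for t, kind, text in events:
        if kind == "copy":
            pending = (t, text)
        elif kind == "read" and pending is not None:
            copied_at, copied = pending
            if t - copied_at > REVERT_WINDOW:
                pending = None  # the copy survived the window; stop watching it
            elif text != copied and looks_like_url(text):
                reverts.setdefault(text, set()).add(copied)
                pending = None
    for url, clobbered in reverts.items():
        if len(clobbered) >= MIN_REVERTS:
            return url
    return None


if __name__ == "__main__":
    print(find_clipboard_hijack(HIJACKED), find_clipboard_hijack(NORMAL))
```

Requiring the same URL to overwrite at least two different copies keeps a single legitimate clipboard change by another program from raising a flag.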

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
(18 Comments)
by Michichael August 20, 2008 6:00 PM PDT
That's pretty nasty. Killing that flash process doesn't stop the loop? Sounds like a security hole in Flash to me - they're not closing their program's calls properly.
by Maccess August 20, 2008 6:39 PM PDT
That flash is getting to be very dangerous. It all started when Adobe enabled it to go beyond the ad box, and grant it access to the camera and microphone, but also disabled everything but the most basic settings from the user. (i.e. I would like to set all to "no looping" and to "low" quality so it doesn't slow down the computer, but Adobe only grants that privilege to the creator, not the user on whose computer flash runs.) Now, it has access to the clipboard, and takes it over.

I think it's time to start thinking of disabling flash. It's becoming too big of a security risk because of Adobe's preference for the authors instead of the users.
by mjconver August 20, 2008 6:53 PM PDT
What's the big deal? Firefox + Flashblock = Safety.
by gsmiller88 August 20, 2008 7:03 PM PDT
I loathe Adobe Flash, plain and simple.
by theveggiedude August 20, 2008 7:44 PM PDT
Hmmm, another reason to keep it off the iPhone.
by cdotspace August 20, 2008 9:07 PM PDT
Has Adobe commented on this yet?
by magicmaster August 20, 2008 9:42 PM PDT
@cdotspace

Not yet. But hopefully this vulnerability will be addressed quickly... I loved the flash for its versatility, but I must not compromise the security on my computer....
by cdotspace August 21, 2008 5:31 AM PDT
I'm a Flash developer. I understand people's paranoia about Flash (and the unknown in general) and feel that, until now, Adobe (and Macromedia) have done a very good job at keeping this software safe and secure. I hate to see this happen. I really hope they address this quickly with a statement and later a fix.
by cdotspace August 21, 2008 6:10 AM PDT
From an Adobe blog:

We are aware of recent press reports about a potential "Clipboard attack" issue that involves Flash Player. Adobe is currently investigating potential solutions to this issue and will update customers as soon as we have more information to provide.

This posting is provided "AS IS" with no warranties and confers no rights

http://blogs.adobe.com/psirt/2008/08/clipboard_attack.html
by nocircleno August 21, 2008 6:11 AM PDT
This story is mostly fud. Journalism is dead on the web! Flash has been able to write to the clipboard for many years. It is a feature, not an exploit. You do NOT need to restart your computer. A flash movie can only write to the clipboard while it is running on the page where it is embedded. If you navigate away from the page with the (evil) Flash file, it can no longer bug your clipboard and you can copy new text.
by xilonic August 21, 2008 6:16 AM PDT
I have a friend who is a Flash developer too - she loves it (it's her paycheck, after all), I hate it because Flash is abused (too many annoying ads, too much intrusion and now this!). So Firefox + Flashblock has been the norm for me for years - when I load a page, all Flash content is off, if I want to see it, I'll click on it.
by cdotspace August 21, 2008 6:40 AM PDT
I also hate Flash ads as much as I hate animated gif ads. I agree Flash is abused and misused. I talk a good handful of my clients out of using Flash because it just isn't necessary. (They want to use Flash for the sake of using Flash)

To be honest, this exploit is just annoying. It's not really unsafe or dangerous. I mean really. Is a person going to say "hum, why is this URL in my clipboard? I think I'll visit this web site and buy something..."

At its best, this MIGHT be a sign that other issues exist that Adobe needs to address.
by MatthewFabb August 21, 2008 9:56 AM PDT
To those who are wondering if Adobe has addressed this yet, they have:
http://blogs.adobe.com/psirt/2008/08/clipboard_attack.html

However, they currently aren't saying anything right now beyond the fact that they are looking into it.

Also that blog is Adobe's security blog that deals with any security issues with any Adobe products. It's too bad not many reporters seem unaware of it, as this isn't the first time Adobe has mentioned they are looking into an issue or already have a solution and it goes unmentioned in articles.

Also both the ZD Net's Zero Day blog and the Clipboard Extender Dot Com blog report that you just need to close the browser to stop this behavior. It's a user on a forum who claimed they had to reboot their computer to get it to stop, but they might have not been technically savvy enough to try closing down the browser first. As soon as a Flash file is shut off they have no access to your clipboard.

Also website ad suppliers really need to start testing their ads, to make sure they are safe, rather than just running ads blindly.
by fokkwp August 21, 2008 10:06 AM PDT
Another reason to always run an ad-blocker. On Firefox use Adblock Plus with an active subscription. It's free and you can finally start seeing the content of pages without all the distracting garbage, and you won't get screwed by this latest, either.
by alegr August 21, 2008 1:12 PM PDT
Now, if Youtube could be used without Flash...
by retsoced August 25, 2008 4:23 AM PDT
Flash is not the problem. The Ad Networks not having done their due diligence is part, people using the web is another. If you're pasting a link in an email and it's supposed to be picasa.google.com, and comes out http://im.gonna.hack.your.computer.ru/eviljavascriptfile/ then maybe someone should... notice? Besides, there are about a bazillion other ways of doing the same thing. So is everyone going to turn off everything? No flash, javascript, Silverlight, Shockwave, probably even Quicktime.

The real issue here is that these guys are now getting into ad networks, and presumably paying to spread a virus or trojan.... that's the scary part.
by bradadad August 25, 2008 1:59 PM PDT
After hearing this I started using the Lynx browser and I feel much more at ease. I'm considering carrier pigeons.
by rcabe2000 August 25, 2008 9:15 PM PDT
I agree with alegr. I have two friends who picked up viruses by just watching youtube videos. Does anybody know of some type of scanner for .FLV files? Or maybe a flash player that operates outside the browser?