Malware-Laced Banner Ads At MySpace, Excite

Discussion in 'malware problems & news' started by ronjor, Jan 3, 2008.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Actually, the file is not downloaded. AE flags the attempted download to the temp directory as indicated in the Alert, but checking that directory reveals that the file was not downloaded.

    You can check by attempting to download a large installer, maybe 2 MB, for example. AE flags immediately, not waiting until the file is downloaded.

    The reason AE can do this is that code analysis is one of its checks.

    Blue and I discussed this in another thread quite a while back. He came up with an idea of how AE checks this, but I can't find the particular post.

    I've found that if you watch the temp directory you can see the file briefly appear, and then it goes away. You have to be quick!

    I've noticed that in Opera's cache, sometimes the filename remains, but it is always 0 bytes.

    As Aigle discovered with the spoofed extensions, most HIPS will let the file download and then block its execution. If AE's copy protection is enabled, the file cannot download (download = copy from the internet to disk).

    If you disable copy protection, the file will download, but you cannot execute it.

    ----
    rich
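    As an added illustration (not code from the thread or from Anti-Executable; it only simulates the behaviour Rich describes), the script below shows what a "code analysis" check on a partially written download and a watch on a temp directory can look like from a defender's side. It classifies the first bytes of each file as empty (the 0-byte Opera cache entries), plain data, an MZ stub whose PE header has not yet been written, or a complete PE header, so a file is recognised as executable long before the rest of the installer arrives. All file names and header bytes are constructed for the demo; the temporary directory is a stand-in for the browser's temp folder.

```python
import os
import shutil
import struct
import tempfile

# Constructed sample input: a minimal PE-style header, not a real program.
def build_fake_pe_header() -> bytes:
    """Return 64-byte DOS stub with e_lfanew (offset 0x3C) pointing at a PE signature."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40 bytes total
    struct.pack_into("<I", dos, 0x3C, 0x40)          # PE signature follows the stub
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20  # signature plus padding


def classify_bytes(head: bytes) -> str:
    """Classify the leading bytes of a file that may still be in transit."""
    if len(head) == 0:
        return "empty"                 # e.g. the 0-byte cache entry left behind
    if len(head) < 2:
        return "unknown"
    if head[:2] != b"MZ":
        return "not-executable"        # text, images, archives, ...
    if len(head) < 0x40:
        return "partial-executable"    # MZ seen, e_lfanew not yet written
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    if head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return "pe-executable"         # enough to decide: block or alert here
    return "partial-executable"        # MZ stub present, PE header still missing


def scan_dir(path: str, head_len: int = 4096) -> dict:
    """Snapshot a directory, reading only the first head_len bytes of each file."""
    result = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        try:
            with open(full, "rb") as fh:
                head = fh.read(head_len)
        except OSError:
            continue                   # file vanished between listing and open
        result[name] = classify_bytes(head)
    return result


def demo() -> dict:
    """Write constructed files to a scratch directory and classify them."""
    tmp = tempfile.mkdtemp(prefix="ae-demo-")   # stand-in for the browser temp dir
    try:
        samples = {
            "installer.exe": build_fake_pe_header(),   # full header already on disk
            "half.exe": b"MZ\x90\x00\x03",              # only the first bytes arrived
            "page.htm": b"<html><body>banner</body></html>",
            "cached.exe": b"",                          # 0-byte leftover
        }
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return scan_dir(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

Polling a directory like this is racy, which is exactly why the file "briefly appears" and is hard to catch by eye; a product doing the check inline on the write path sees the MZ/PE bytes before the copy completes, which is the point Rich makes about the alert firing before the download finishes.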
     
  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    What a program. Thank you Rich.
     
  3. tlu

    tlu Guest

  4. Dogbiscuit

    Dogbiscuit Guest

    Keep all your software fully patched and run only in limited user accounts.
     