Spotify Adsystem spreads malware

Discussion in 'malware problems & news' started by Ibrad, Mar 25, 2011.

Thread Status:
Not open for further replies.
  1. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Wow... that's pretty serious. Especially considering the ads seemed to be hand-picked for Spotify specifically, you'd think that would get noticed. Oh well, glad I have a no-ad subscription.

    Good thing I don't install Java on machines anymore I guess.
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    That's one of the reasons I always block ads.
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Those of us in the U.S. don't have to worry about it, thankfully. The way things are going with the delays in launching here, we may never have to.
     
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Is the "name" of the threat documented anywhere?
     
  6. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    A cocktail of them:
    http://www.securelist.com/en/blog/6158/Malvertizing_Continued_Spotify_s_Ad_Networks_Outed
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Even if many people would be protected against the exploits, if they were using ClearCloud DNS, access to those domains in the .cc TLD would be blocked.

    ClearCloud DNS blocks access to ALL .cc TLD.
    * I need to verify something. I hope I'm not confusing it with *.co.cc - Yes, it was my confusion... I associated .cc with co.cc (because the service is http://www.co.cc). I apologize for the confusion. :(

    By the way, I'm trying to find out which domains. Has anyone found a source mentioning them?
     
    Last edited: Mar 25, 2011
  8. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
  9. Essentials

    Essentials Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    49
    Hi all,

    I think I have been infected by Spotify. This morning my Microsoft Security Essentials caught something, so I did a quick scan and this is what I have:
    http://img689.imageshack.us/i/sinttuloqh.png/

    I have EMET monitoring javaw.exe, did it stop the attack or I am really infected? I use MSE 2.0 and Malwarebytes PRO(active).
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Hello Essentials

    Hopefully, both EMET and MSE prevented what they had to prevent, but be aware that EMET is not foolproof, and it will fail, at some point. Look here https://www.wilderssecurity.com/showpost.php?p=1831563&postcount=43
     
  11. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Don't know if it makes a difference but I'm going to add Spotify to EMET on machines from now on.
     
  12. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    499
    Location:
    Nottingham
    I always force Spotify to run in Sandboxie :thumb:
     
  13. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Hmmmm... I noticed that in certain setups even proxy autodiscovery appears quite dangerous when combined with bad DNS wildcard records and a moronic webhosting provider.

    Well, whatever. What is going on is basically that:

    - you have DHCP enabled
    - your browser searches for proxy configuration via proxy autodiscovery; to do that, it queries the wpad hostname for the configuration file location. The file is, per RFC, called wpad.dat
    - the domain name your IT added your machine to is appended to the lookup, so that you get a wpad.example.com query
    - your DNS has a wildcard DNS record that points to the moronic webhosting provider (mkay, wildcard records are bad... yet still commonplace *:p)
    - the webhosting for whatever reason happily serves the same parking index page no matter what you try to GET, instead of a proper 404 Not Found code :rolleyes:

    You can see this setup in action @ GoDaddy.com

    Yeah, they happily serve their stupid parking page including third-party ads for any request you send.

    If you are lucky, your AV catches that and aborts the connection... otherwise, congratulations, you just got infected by doing nothing other than starting your browser. :argh:
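The WPAD failure chain doktornotor describes above can be checked for from the defender's side: probe whether the search domain has a wildcard record, then verify that whatever wpad.<domain> serves is a real PAC file rather than a parking page. This is an added example, not code from the thread or from any of the products mentioned; the zones, addresses (192.0.2.x documentation range) and HTTP responses are constructed stand-ins, and the resolver and fetcher are injected so it runs offline.

```python
import random
import re
import string

# Constructed sample data (no real hosts): one zone with a wildcard record pointing at
# a parking host that answers every path with an ad-laden page, and one clean zone.
WILDCARD_ZONE = "parked.example"
PARKING_HOST = "192.0.2.10"
PARKING_HTML = ("<html><head><title>This domain is parked</title></head>"
                "<body><script src='http://ads.example/ad.js'></script></body></html>")
VALID_PAC = "function FindProxyForURL(url, host) {\n  return 'DIRECT';\n}\n"


def fake_resolve(name):
    """Stand-in for a DNS lookup: anything under the wildcard zone resolves."""
    if name.endswith("." + WILDCARD_ZONE):
        return PARKING_HOST
    if name == "wpad.clean.example":
        return "192.0.2.20"
    return None


def fake_fetch(url):
    """Stand-in for an HTTP GET; returns (status, content_type, body)."""
    if WILDCARD_ZONE in url:
        return 200, "text/html", PARKING_HTML      # parking page for any path, never a 404
    if url == "http://wpad.clean.example/wpad.dat":
        return 200, "application/x-ns-proxy-autoconfig", VALID_PAC
    return 404, "text/plain", "Not Found"


def looks_like_pac(content_type, body):
    """A genuine WPAD file defines FindProxyForURL and is not an HTML document."""
    if "text/html" in content_type.lower():
        return False
    return re.search(r"function\s+FindProxyForURL\s*\(", body) is not None


def audit_wpad(domain, resolve=fake_resolve, fetch=fake_fetch):
    """Report the two conditions from the post: a wildcard record makes wpad.<domain>
    resolve although nobody configured it, and the host then serves a parking page."""
    findings = []
    # A random label should not exist; if it resolves, the zone has a wildcard record.
    probe = "".join(random.choices(string.ascii_lowercase, k=12)) + "." + domain
    if resolve(probe) is not None:
        findings.append("wildcard DNS in %s: wpad.%s resolves without being configured" % (domain, domain))
    if resolve("wpad." + domain) is None:
        return findings                        # nothing for the browser to fetch
    status, ctype, body = fetch("http://wpad.%s/wpad.dat" % domain)
    if status == 200 and not looks_like_pac(ctype, body):
        findings.append("wpad.dat is %s, not a PAC file: browser loads third-party content at startup" % ctype)
    return findings
```

Against a real network, swap in `socket.gethostbyname` and an HTTP client for the two stand-ins; a clean zone yields no findings, the parked one yields both.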
     
  14. boonie

    boonie Registered Member

    Joined:
    Aug 5, 2007
    Posts:
    238
  15. drkoopz

    drkoopz Registered Member

    Joined:
    Mar 4, 2006
    Posts:
    74
    Malverts are probably one of the most common ways I've seen friends and family get infected with fake AV and other trojans. My mom personally got malverts almost daily from a program called Paltalk on her computer that she used. Eventually I uninstalled the program and had her use Paltalk Express using Google Chrome, which was much safer.

    I personally pay for and use Ad Muncher, so I've really never run into malicious advertisements, but it just reaffirms my decision to block advertisements until web companies can work to make their revenue model safer and less intrusive.
     