Clipboard Extender Dot Com

Clipboard resources for end-users and developers.
Clipboard Virus? Not exactly, but still dangerous.

Aug 18th, 2008 by Chris Thornton

The internet is abuzz with news about the “flash clipboard virus”.  I’ve observed it myself!  It’s interesting, annoying, and if you fall for it, it’s dangerous.  There’s a lot of information out there, not all of it completely correct.  This article is not all-encompassing either, but I’ve got a pretty good handle on the clipboard aspect of the attack.

Background:  There’s a piece of malware out there (I’m not sure if it’s a virus, trojan, or what - Dammit Jim, I’m a clipboard expert, not a security specialist!) called “AntiVirus 2009”. It’s very nasty, and you get it by visiting a site that delivers it via a relentless series of popups.  The popups make it look like you’re infected with something (you’re not, at least not yet). Then they offer to fix your PC, and start downloading their fake virus scanner.  Don’t let it.  The only way out is to shut down your browser.  This type of attack is nothing new, right?

The new part is the way they trick people into visiting infected sites.  They are trying to get you, me, and everyone else to paste their URL into whatever you may be pasting into - perhaps a blog post (like this one), blog comments, e-mail, instant messaging, etc…   So these malware guys are sitting around one day, and one says “hey, wouldn’t it be great if everyone started randomly pasting our URL into whatever they’re pasting stuff into?”  And apparently, a devious scheme was born….

(Image: Clipboard Attack From Digg)

Someone wrote a little piece of Adobe Flash code to copy text to the clipboard (like this one, from Digg). Then they put it in a loop, to do it once a second. Then they put it in an innocent-looking flash-based banner ad, with their harmful URL as the payload.  Then they signed up for some advertising networks, and submitted their bad ad, presumably paying considerable $$$ to get it featured on sites that you and I visit regularly, such as MSNBC and Digg.  And when someone has this ad loaded, they can copy all they want, but everything they paste will be just that URL.   So if you are writing an e-mail to Aunt Millie, telling her to look at your eBay auction located at (paste), or to download Picasa to organize her photos - download here (paste), she’s going to get the virus when she visits the bad site.

If you are viewing a page with one of these bad ads, your clipboard is overwritten about once per second with their bad URL.  The URL that hit me was:
h x x p : / / xp-vista-update.net/?id=91873534231   (DO NOT CLICK THIS!!!!!!)  I added spaces and changed http to hxxp to protect you.

I noticed it one night when ClipMate (the world’s leading clipboard extender for Windows, which I wrote myself) unexpectedly captured a clip, then started rejecting duplicates.  The duplicates make a “boing” sound, so my PC was going boing, boing, boing….. I then noticed the unexpected URL showing as my top clip, with a date/time of (a minute ago), and a “creator” showing “FireFox”.   Somehow, without any action from me, FireFox was copying data to the clipboard.  An apparent “clipboard attack”!  So I started shutting down tabs in Firefox, and the clipboard attack stopped.
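The duplicate-rejection behaviour ClipMate showed here (the same value re-set about once a second, attributed to a browser the user was not copying from) is also a usable detection signal. Here is an added Python example, not ClipMate’s code and not from this post, that runs that heuristic over a constructed sequence of clipboard-change snapshots; the process names, the hijack URL placeholder, and the timing thresholds are all assumptions.

```python
"""Clipboard-hijack heuristic over a stream of clipboard-change snapshots.

Added example; not ClipMate's code and not code from the post.  It models
what a clipboard extender sees: each time the clipboard changes, a
snapshot of (time, contents, owning process) is taken.  A page that keeps
re-setting the clipboard shows up as the same value from the same owner
on a steady ~1 s cadence, clobbering whatever the user copied in between.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple
import re

# Constructed placeholder standing in for the URL the post describes.
HIJACK_URL = "hxxp://malicious.example/?id=00000000000"

# Matches http(s):// and the defanged hxxp:// form.
URL_RE = re.compile(r"^h[tx]{2}ps?://\S+$", re.IGNORECASE)


@dataclass(frozen=True)
class ClipEvent:
    t: float      # seconds since monitoring started
    text: str     # clipboard text after the change
    owner: str    # process that set it (GetClipboardOwner on Windows)


@dataclass
class Alert:
    t: float                 # time the pattern crossed the threshold
    text: str
    owner: str
    repeats: int             # times this value was set; keeps counting after alert
    looks_like_url: bool
    clobbered: List[str] = field(default_factory=list)  # user content it overwrote


class HijackDetector:
    """Flag a (text, owner) pair set >= min_repeats times inside window_s
    with no gap longer than max_interval_s between consecutive sets."""

    def __init__(self, window_s: float = 5.0, min_repeats: int = 3,
                 max_interval_s: float = 1.5) -> None:
        self.window_s, self.min_repeats, self.max_interval_s = window_s, min_repeats, max_interval_s
        self._recent: Deque[ClipEvent] = deque()
        self._alerts: Dict[Tuple[str, str], Alert] = {}
        self._prev: Optional[ClipEvent] = None

    def feed(self, ev: ClipEvent) -> Optional[Alert]:
        """Process one change; return an Alert the first time a pattern
        crosses the threshold, otherwise None."""
        prev, self._prev = self._prev, ev
        while self._recent and ev.t - self._recent[0].t > self.window_s:
            self._recent.popleft()          # expire events outside the window
        self._recent.append(ev)

        key = (ev.text, ev.owner)
        known = self._alerts.get(key)
        if known is not None:               # already reported: count and record clobbers
            known.repeats += 1
            if prev is not None and prev.text != ev.text and ev.t - prev.t <= self.max_interval_s:
                known.clobbered.append(prev.text)
            return None

        same = [e for e in self._recent if (e.text, e.owner) == key]
        if len(same) < self.min_repeats:
            return None
        if max(b.t - a.t for a, b in zip(same, same[1:])) > self.max_interval_s:
            return None

        # Threshold crossed: collect what this pattern already overwrote in the window.
        events = list(self._recent)
        clobbered = [before.text for before, cur in zip(events, events[1:])
                     if (cur.text, cur.owner) == key and before.text != cur.text
                     and cur.t - before.t <= self.max_interval_s]
        alert = Alert(t=ev.t, text=ev.text, owner=ev.owner, repeats=len(same),
                      looks_like_url=bool(URL_RE.match(ev.text)), clobbered=clobbered)
        self._alerts[key] = alert
        return alert


def scan(events: List[ClipEvent], **kwargs) -> List[Alert]:
    """Run the detector over a whole event list.  Returned Alert objects keep
    accumulating repeats/clobbered entries as later events are fed."""
    det = HijackDetector(**kwargs)
    return [a for a in (det.feed(e) for e in events) if a is not None]


# Constructed sample: a user drafting an e-mail while a hijacking ad is open.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "Aunt Millie, my auction is at", "notepad.exe"),
    ClipEvent(1.0, HIJACK_URL, "firefox.exe"),
    ClipEvent(2.0, HIJACK_URL, "firefox.exe"),
    ClipEvent(3.0, HIJACK_URL, "firefox.exe"),                            # third set: alert fires
    ClipEvent(3.4, "http://www.example.com/auction/123", "notepad.exe"),  # the real link...
    ClipEvent(4.0, HIJACK_URL, "firefox.exe"),                            # ...gone 0.6 s later
    ClipEvent(5.0, HIJACK_URL, "firefox.exe"),
    ClipEvent(40.0, "unrelated text", "notepad.exe"),
    ClipEvent(41.0, "unrelated text", "notepad.exe"),                     # Ctrl+C twice: benign
]
```

Running `scan(SAMPLE_EVENTS)` yields one alert at t=3.0 for firefox.exe, which by the end of the sample has been counted 5 times and has clobbered both the user’s sentence and the real auction link. Lowering `min_repeats` to 2 also flags the user pressing Ctrl+C twice on the same text, which is why the threshold is three sets rather than two.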

So I searched around a bit, and found that this is happening to lots of people - either by people complaining about this thing, or the xp-vista-update URL showing up in unexpected places, like blog posts.  One thing I noticed was that the number in the URL changes, and that some people said it’s harmless, and just re-directs to google.  Huh. It DOES re-direct to Google. Presumably, they’re trying to stay under the radar by controlling the attack.  Maybe they only have it re-direct to the virus site when the number is fresh? Maybe you have to be one of the first 100 “lucky customers”?  Maybe they’re going to change the re-direct on a certain date?  Maybe it’ll re-direct to something even worse?  Who knows?  It’s pretty devious, any way you look at it.

Here are things that we know now:

  • It seems to be flash-based.  Update: Confirmed - it uses System.setClipboard, which has been around since Flash Player v7.  See Aviv Raff’s proof-of-concept listed below.
  • It’s browser and platform-independent - the clipboard attack will happen on IE, FireFox, XP, Vista, Mac, Linux.
  • The affected ads have been appearing on MSNBC and Digg (I have been attacked by both).  Users also report MSN, Facebook, MySpace.
  • Some ads have been captured and are on display at SpywareSucks - they look like “Nielsen Ratings”.
  • There is some sample code in the comments at the article on TheRegister.
  • Here is how the business end of this works - discussion at SunBelt (Update: I fixed the broken link…)
  • My original discussion is posted in the ClipMate support forum.
  • As of this writing, McAfee SiteAdvisor rates the xp-vista-update site as GREEN!  LOL!! If you have a SiteAdvisor account, add some comments.
  • The xp-vista-update site is registered on ESTDomains, documented rogue registrar (cited from comments found at SiteAdvisor and other blog posts).
  • Adobe is working on a solution.
  • The “NoScript” FireFox extension will block this if you set it to block flash. (from PCMag blog)
  • Aviv Raff has written a proof-of-concept that you can use to play with this.  It will overwrite the clipboard with a URL containing “evil.com”.  The proof-of-concept is here: http://raffon.net/research/flash/cb/test.html
  • There is a setting in IE7/IE8 to disable “programmatic clipboard access” (Tools | Internet Options | Security Tab | select “Internet Zone”, Custom Level.  In the “scripting” section, there is an option for “allow programmatic clipboard access”).  If set to “Prompt” or even “Disabled”, the flash applet can still hammer the clipboard.
  • OpenDNS.Com (I use it, I like it) doesn’t see anything wrong with “xp-vista-update dot net”.  I’ve submitted it for review.  They need a better end-user reporting system for malware.  The two guys that reported it before me had to pick between “porn” and “adware”.  Didn’t have any “nasty malware site” designation. Huh.  Update: It’s now listed as adware, and that should protect users who block adware via OpenDNS.

Things I think I know:

  • The “xp vista update dot net” site tries to fly under the radar by using an ever-changing ID.  ex:  id=91873534231  When viewed in real life, the URL always has this ID at the end.  Many people report simply being redirected to the Google home page when visiting the link. My theory is that they use the ID to determine how many times a URL has been used, or how old it is. Whatever the criteria, it’s only “live” for a while (tries to infect you), and then it “expires” (harmless re-direct to Google).  Maybe this is why SiteAdvisor still lists it as Green?  It’s like babysitting a naughty kid and having him turn into an angel when the parents show up.
  • To build on the above theory, they may be planning some sort of massive re-awakening of the “retired” links in the future.
  • Adobe has a tricky situation here. This isn’t really a bug.  Should they remove the clipboard API from flash?  I wouldn’t miss it.  But then again, I’m not a flash developer. I can see how it would be useful, for example, if someone wanted to write a WYSIWYG editor in Flash.  I suspect that the majority of the flash apps out there (ads, banners, games, slideshows, video players, etc.) do not need, and should not have, access to resources like your disk drive, network connection, and clipboard.  Maybe there could be a “trusted flash app” designation for apps that need it, such as flash-based editors, word processors, spreadsheets, etc.  I think that’s the only way out of this.

Things I don’t know:

  • Will the regular “turn off clipboard” setting in IE7 work for this type of attack?  I don’t know, but suspect that only applies to Javascript.  Update: Confirmed - moved to “Things I know”.
  • Will this be the death of Flash?  I hope not.  I hope they take clipboard support out though, and make it safe.  Update: Adobe is aware, and is working on something.
  • Would Vista’s UAC protect you against the drive-by payload delivered by the “xp vista update dot net” site?  I know that with IE7 set to block popups, my XP laptop was unable to repel the attack. I wonder if Vista would have held up. Thank goodness for Macrium Reflect!

Other mentions of this phenomenon:

  • C|Net - article by Elinor Mills, some good comments at the bottom too.
  • PC Magazine article, with many links and confirmation that the NoScript plug-in for FireFox does indeed block flash.
  • Techspot - short article with link to smug discussions about how amusing this all is, and that we’re all whiners.  I think they’re missing the point about these flash ads being delivered to unsuspecting websites via ad networks.
  • Slashdot - It MUST be cool now.
  • Computerworld - very thorough article - he gets it.  He quotes me too, but he got it before that.
  • Sophos writes about the attack: http://www.sophos.com/security/blog/2008/08/1671.html
  • Chris Thornton was interviewed about this on Ira Victor’s Data Security Podcast.

Bottom Line:  If you are allowing flash to load in your browser, you can get hit with the “clipboard attack”.  It doesn’t matter what platform you’re on, or what browser you use.  It will simply keep overwriting your clipboard with the nasty URL, about once per second.  It may seem like you can’t delete it - that’s not the case. You can delete it by copying something else. But unless you’re Batman or that Bolt guy from Jamaica, it will be overwritten again before you can paste it anywhere.  Closing the tab with the offending ad will stop the behavior.  The real danger is visiting the web site that the flash ad is trying to spread - so please look at what you’re pasting.  This whole scheme depends on people being careless.  If you send a virus link to your mother, you’re going to have to fix her PC!

Comments? Add your comments. Please, no dangerous URLs without saying what they are and altering by munging the http:// into hxxp:  / / or similar.

Digg This!  Digg needs to know that some of their ads are poison!


Posted in Defective Apps | 10 Comments

10 Responses to “Clipboard Virus? Not exactly, but still dangerous.”

  1. Sonic Purity, on 21 Aug 2008 at 2:24 pm

    The Business end/SunBelt link is broken. Too bad… it looked interesting.

    Thanks for your article!

    ))Sonic((

    Editor: Update: Fixed / Thanks!

  2. SirTazofMania, on 22 Aug 2008 at 12:09 pm

    IEPro is an addon for Internet Explorer and has a Flash Blocker. Not sure if this will block the Flash script allowing access to the clipboard though.

    SirTazofMania

  3. » Malicious ads attack, spread via clipboard « .: GAFNO.com - Hot World News Blog :., on 22 Aug 2008 at 5:28 pm

    […] clipboard extender for Windows, gave an interesting description of the situation on his Clipboard Extender Dot Com blog: “Someone wrote a little piece of Adobe Flash code to copy text to the clipboard. Then […]

  4. Malicious Flash ads attack, spread via clipboard - Live FTA - Satellite Forums, on 22 Aug 2008 at 9:35 pm

    […] clipboard extender for Windows, gave an interesting description of the situation on his Clipboard Extender Dot Com blog: "Someone wrote a little piece of Adobe Flash code to copy text to the clipboard. Then they […]

  5. Data Security Podcast, on 26 Aug 2008 at 1:39 am

    […] Chris Thornton from Thornsoft Development, Inc. and the author of ClipMate, a popular clipboard extender for Windows provides an excellent resource on his blog about the Flash Clipboard Attack. […]

  6. LiteralDan, on 12 Sep 2008 at 6:18 pm

    I was hit with this when visiting Digg, and I was glad to find this page discussing my exact problem. I’ve Dugg it (and Shouted it) and Stumbled it. Thanks for gathering all this information, providing a solution, and helping me regain my sanity!

  7. Heather, on 28 Sep 2008 at 4:40 pm

    I was just hit with this while visiting Photobucket. Urgghh.

  8. Berry, on 06 Oct 2008 at 1:39 pm

    ClipGuru, a free clipboard manager from HTConsulting - http://clipguru.com - attempts to notify users of Windows clipboard hijacking. It does not prevent the attack, since it is under Windows clipboard control, but it does notify of it.

  9. UNSEEN, on 07 Oct 2008 at 12:04 pm

    Just got hit by this one and your site explained the problem. Thanks.

  10. Chris Thornton, on 07 Oct 2008 at 1:03 pm

    Update: Adobe is fixing this in the upcoming Flash Player 10, which will require user interaction before allowing clipboard access.
    http://www.heise.de/english/newsticker/news/116338
    http://blogs.zdnet.com/security/?p=1948

Thornsoft Development, Inc. © 2009 All Rights Reserved.