
Spreading Trojans via Flash banners

Warning: be careful when placing Flash banners!



Backstory

I am the owner of a fairly popular resource. Some time ago there were several requests to place a "harmless iframe". Such offers were refused, because karma is more important. :)



Yesterday a person came to me with a proposal to place a small Flash banner advertising a BMW club. The code came with an unpleasant Trojan "bonus".

UPD!: I wrote to Yandex support. They answered, thanked me and notified me that the code has been sent for analysis to the relevant department. A mini victory? :)

The rest of the UPDs are under the cut.



I will give the code in full:

<!-- BANER CODE -->
<div align="center">
  <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="100" height="100" id="FlashID" title="flash">
    <param name="movie" value="/bmw.swf" />
    <param name="quality" value="high" />
    <param name="wmode" value="opaque" />
    <param name="swfversion" value="9.0.45.0" />
    <object type="application/x-shockwave-flash" data="/bmw.swf" width="100" height="100">
      <param name="quality" value="high" />
      <param name="wmode" value="opaque" />
      <param name="swfversion" value="9.0.45.0" />
      <param name="expressinstall" value="Scripts/expressInstall.swf" />
      <h4>Content on this page requires a newer version of Adobe Flash Player.</h4>
      <p><a href="http://www.adobe.com/go/getflashplayer"><img src="http://www.adobe.com/images/shared/download_buttons/get_flash_player.gif" alt="Get Adobe Flash player" width="100" height="100" /></a></p>
    </object>
  </object>
</div>
<div>
  <div align="center" id="res">BMW</div>
</div>
<script type="text/javascript">
function banner(str){document.getElementById('res').innerHTML = str;return(str)};
</script>
<!-- / BANER CODE -->





Pay attention to the lower part of the code, more precisely to the banner function: it was what raised suspicion. But it was not immediately clear what was supposed to call this function. It turned out that the Flash banner itself called this function and created a hidden iframe on the page, through which the Trojan was to be loaded onto users' machines.
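A pre-publication check for the pattern described above, as an added example that is not code from the original post: it flags a Flash embed that leaves script access enabled and a page function that passes its argument straight into a DOM sink such as innerHTML. The function name reviewBannerSnippet, the rule names and the abridged sample are assumptions made for illustration.

```javascript
// Added example: static review of third-party banner embed code before publishing it.
// SAMPLE is constructed from the snippet quoted in the post (abridged).
const SAMPLE = `
<object type="application/x-shockwave-flash" data="/bmw.swf" width="100" height="100">
  <param name="wmode" value="opaque" />
</object>
<div align="center" id="res">BMW</div>
<script type="text/javascript">
function banner(str){document.getElementById('res').innerHTML = str;return(str)};
</script>`;

// Sinks that turn a string into live markup or code when a parameter is passed straight in.
const SINK = String.raw`(?:\.(?:inner|outer)HTML\s*=|document\.write(?:ln)?\s*\(|\beval\s*\(|insertAdjacentHTML\s*\([^,)]*,)\s*`;

// reviewBannerSnippet is a hypothetical helper name; it returns a list of findings.
function reviewBannerSnippet(html) {
  const findings = [];
  // Rule 1: a Flash movie can call page JavaScript unless allowScriptAccess is "never"
  // (when the parameter is absent, Flash Player defaults to "sameDomain").
  if (/application\/x-shockwave-flash|\.swf\b/i.test(html)) {
    const m = html.match(/allowScriptAccess["']?(?:\s+value)?\s*=\s*["']?(\w+)/i);
    const mode = m ? m[1].toLowerCase() : 'sameDomain (default)';
    if (mode !== 'never') findings.push({ rule: 'flash-script-access', detail: mode });
  }
  // Rule 2: a named function that feeds one of its parameters directly into a DOM sink.
  // Bodies with nested braces are not parsed; this is a review aid, not a JS parser.
  const fnRe = /function\s+(\w+)\s*\(([^)]*)\)\s*\{([^}]*)\}/g;
  for (const [, name, params, body] of html.matchAll(fnRe)) {
    for (const p of params.split(',').map(s => s.trim()).filter(s => /^\w+$/.test(s))) {
      if (new RegExp(SINK + p + String.raw`\b`).test(body)) {
        findings.push({ rule: 'param-to-dom-sink', detail: `${name}(${p})` });
      }
    }
  }
  return findings;
}

console.log(reviewBannerSnippet(SAMPLE));
```

Setting allowScriptAccess to "never" on the embed stops the movie from calling page functions at all, which is why the check treats a missing parameter as a finding.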

That is the story.



Be careful!



Upon request, I can provide the contacts of the “hero” who offered to place such a banner.

UPD: I ask the experts for advice: where can I report the distributor of the Trojans?



UPD2: Here is the address of the BMW club he advertised: www.bmwclub.ua. We go to its li.ru statistics and look at the traffic sources (http://www.liveinternet.ru/stat/bmw.kiev.ua/sources.html). We find, for example, the site www.tosti.ru (traffic of more than 100k) and see a banner with the Flash Trojan placed on it. I will write to the administration of tosti.ru; if anyone has the opportunity, comb through the list and write to the administrations of the other portals (if there is no volunteer, I will do it myself in the evening).

PS: According to the Trojan distributor, he has nothing to do with the BMW club. Quote: "our agency is an intermediary between the site and the advertiser."

Source: https://habr.com/ru/post/80143/


