Friday, June 26, 2009

TMZ.com ads are spreading PDF exploits too!

On Monday I posted about a PDF trojan downloaded from an ad server.

Tonight I saw another one, this time from TMZ.com.

Like last time, I took a look:

% ls -l 710.pdf
-rw-r--r-- 1 uid gid 14720 2009-06-26 02:44 710.pdf
% file 710.pdf
710.pdf: PDF document, version 1.1
% cksum 710.pdf
279936831 14720 710.pdf
% strings -a 710.pdf | less
var bd = "10%32%118%97%114%32%86%121%103%76%78%100%106%32%61%32%110%101%119...etc.
It looks very much like the last one (which I deleted), even being the same size. The var bd stuff is the payload, which is a (Javascript?) text string containing what appears to be the encoded binary exploit code.
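The var bd string above is a list of decimal character codes separated by '%' (10, 32, 118, 97, 114 ... is a newline, a space, then "var"), so it decodes to more Javascript rather than to raw binary. The following is an added triage script, not part of the original post and not the real 710.pdf (or the 941.pdf from the June 22 post, which had the same kind of string): it embeds a constructed PDF skeleton carrying the page's own truncated fragment, flags the PDF name objects that can trigger script execution, pulls out any `var name = "...%..."` assignments and decodes them. The skeleton and the name list are assumptions for illustration.

```python
import re

# Constructed sample standing in for `strings -a 710.pdf` output: the post's
# "var bd" fragment (truncated with "...etc." in the post) inside a minimal
# PDF-like skeleton. This is not the real 14720-byte 710.pdf.
SAMPLE_PDF = (
    b"%PDF-1.1\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /JavaScript /JS ("
    b'var bd = "10%32%118%97%114%32%86%121%103%76%78%100%106%32%61%32%110%101%119";'
    b") >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# PDF name objects tied to active content; their presence in a file that arrived
# unasked-for from an ad server is worth flagging (assumed list for triage).
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

def find_suspicious_names(data: bytes) -> list:
    """Return which active-content name objects occur in the raw file bytes."""
    return [n.decode() for n in SUSPICIOUS_NAMES if n in data]

def extract_encoded_strings(data: bytes) -> dict:
    """Find `var <name> = "<digits>%<digits>%..."` assignments like the post's `var bd`."""
    pat = re.compile(rb'var\s+(\w+)\s*=\s*"((?:\d{1,3}%)*\d{1,3})"')
    return {m.group(1).decode(): m.group(2).decode() for m in pat.finditer(data)}

def decode_percent_codes(encoded: str) -> str:
    """Decode a '%'-separated list of decimal character codes into text.
    A non-numeric field raises ValueError rather than being silently skipped."""
    out = []
    for field in encoded.split("%"):
        if not field.isdigit():
            raise ValueError(f"bad field {field!r}")
        out.append(chr(int(field)))
    return "".join(out)

def triage(data: bytes) -> dict:
    """Run the checks an analyst wants before opening the file in any viewer."""
    decoded = {name: decode_percent_codes(enc)
               for name, enc in extract_encoded_strings(data).items()}
    return {"names": find_suspicious_names(data), "decoded": decoded}

if __name__ == "__main__":
    report = triage(SAMPLE_PDF)
    print("active-content names:", report["names"])
    for name, text in report["decoded"].items():
        print(f"{name!r} decodes to: {text!r}")
```

On the page's fragment the decoder yields "\n var VygLNdj = new", i.e. the start of a second, randomly named Javascript variable; the full string would have to be decoded from the complete file.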

Firefox history contained two URLs, with path components of /kn/in.php and /kn/pdf.php, both from the same server.

> host s.hhxzao.info
s.hhxzao.info has address 64.34.162.71
s.hhxzao.info has address 64.34.172.142
s.hhxzao.info has address 66.135.37.21

> host 64.34.162.71
71.162.34.64.in-addr.arpa domain name pointer sever3.adv-basesrv.net.
> host 64.34.172.142
142.172.34.64.in-addr.arpa domain name pointer server2.advert-base.net.
> host 66.135.37.21
21.37.135.66.in-addr.arpa domain name pointer server1.advert-base.net.

Look familiar? It should, it's the same outfit as last time!

Wikipedia's entry for TMZ.com says it "has major corporate backing" and names AOL/Time Warner. As I cited from Another virus infection, courtesy of Yahoo News in the prior post:
Major web sites like Yahoo.com and Boston.com are infecting thousands, if not hundreds of thousands, of computers with trojans, back doors, and other viruses, through some of their ad service providers.
The scope and breadth of this is startling, and it's been going on for months!

What gives? Why aren't people up in arms? If the Internet trade press has covered this, please let me know; I haven't seen anything. Is scandalous news being covered up?

Update: I moved the 710.pdf file to a Windows machine and scanned it with both Trend Micro HouseCall and AVG Free and neither one found a thing.

Update 2: See Steps To Prevent Gumblar / Martuz / Nine-Ball for things you can do to stay safe.

Monday, June 22, 2009

Ad servers being used to spread exploits

Tonight I went to look at Blue's News to see what's up in gaming today. Firefox popped up a dialog wanting to save a file called 941.pdf. It's not the first time this has happened, but this time I decided, sure, since I'm on Ubuntu, let's have a look at the thing.
> ls -l 941.pdf
-rw-r--r-- 1 uid gid 14720 2009-06-22 20:14 941.pdf
> file 941.pdf
941.pdf: PDF document, version 1.1
> evince 941.pdf
Error: PDF file is damaged - attempting to reconstruct xref table...
>
Sure looks fishy.

Running 'strings -a' showed some Javascript that included a long string containing the payload. Next I looked into the machine that served up the file.
> host w.eaaxra.info
w.eaaxra.info has address 64.34.162.71
w.eaaxra.info has address 64.34.172.142
w.eaaxra.info has address 66.135.37.21
> host 64.34.162.71
71.162.34.64.in-addr.arpa domain name pointer sever3.adv-basesrv.net.
> host 64.34.172.142
142.172.34.64.in-addr.arpa domain name pointer server2.advert-base.net.
> host 66.135.37.21
21.37.135.66.in-addr.arpa domain name pointer server1.advert-base.net.
Searching on adv-basesrv.net didn't turn up much, but a search on advert-base.net led to this blog from April 9th, Another virus infection, courtesy of Yahoo News, which opens:
Major web sites like Yahoo.com and Boston.com are infecting thousands, if not hundreds of thousands, of computers with trojans, back doors, and other viruses, through some of their ad service providers. When will the people in charge of these web sites wake up and start screening the ads that they are serving?
Apparently the blogger over there was infected, and after cleaning up he traced his infection back to good old advert-base.net.

So after two and a half months, this advertising outfit is still spreading exploits in addition to the ads. Why is such an irresponsible company still in business?

Friday, June 19, 2009

To think that censorship stunts art, it helps to not have seen Hitchcock's Psycho

In The nascent art form, in which Dustin Sklavos asks "Are video games art?", he also writes:

I'm not one of those "old films are the best films" blah blah jackasses; for my own enjoyment and education, I generally don't watch anything made before 1970.

But one of my favorite examples is in a French film I watched in one of my classes, Francois Truffaut's Shoot the Piano Player from 1960. There's a scene in the bedroom where the main character has just had relations with a prostitute, they're lying in bed together, and her breasts are exposed. They're having a conversation, and the prostitute says something to the effect of "look at me, I'm an American" before covering up her breasts with the sheet. Keep in mind that in 1960 with the Hays Code still active, this scene would never have made it to America. So if anything, what you learn from this bit—in context—is that censorship stunts art, and the French will mock us for it.

[My bold.]

Or they might mock someone for not having seen Alfred Hitchcock's Psycho, with its infamous shower scene, which is also from 1960. The shower scene has its own lengthy section in Wikipedia's page for Psycho where it's described as "one of the most famous scenes in cinema history". (Indeed, searching for hitchcock psycho shower scene returns about 242,000 hits on Google.) The shower scene alone utterly demolishes any notion that censorship stunts art.

That limitations can spark creativity might not occur to someone arguing that, while there's plenty of violence, what games currently lack is more sexual content.

Shamefully, Slashdot used the Sklavos piece as the basis for its story Censored Video Game Content Stifles Artistry.