Saturday, February 18, 2006

How spyware gets installed

Search (using, for example, Google) for "midi file." One of the suggested destinations is musicrobot.com.

To make some money, musicrobot works with "advertising networks." Note, for example, the Google ads down the right side.

The banner at the top is a Macromedia Flash presentation from the advertising network FASTCLICK.COM.

When the musicrobot home page was opened, a pop-under ad window was also opened.


The pop-under ad is also a Macromedia Flash presentation from the advertising network FASTCLICK.COM.
(Note: Whenever you encounter an ad like this, always close the window using the "X" in the upper right-hand corner.)

FASTCLICK.COM provided to musicrobot the following HTML code to include on their web page:




<!-- FASTCLICK.COM POP-UNDER CODE v1.8 for musicrobot.com (12 hour) -->
<script language="javascript"><!--
var dc=document; var date_ob=new Date();
dc.cookie='h2=o; path=/;';var bust=date_ob.getSeconds();
if(dc.cookie.indexOf('e=llo') <= 0 && dc.cookie.indexOf('2=o') > 0){
dc.write('<scr'+'ipt language="javascript" src="http://media.fastclick.net');
dc.write('/w/pop.cgi?sid=2924&m=2&tp=2&v=1.8&c='+bust+'"></scr'+'ipt>');
date_ob.setTime(date_ob.getTime()+43200000);
dc.cookie='he=llo; path=/; expires='+ date_ob.toGMTString();} // -->
</script>
<!-- FASTCLICK.COM POP-UNDER CODE v1.8 for musicrobot.com -->

</head>
<body bgcolor="#FFFFFF" text="#000000" onload="document.forms[0].terms.focus()">
<center>
<center>
<!-- FASTCLICK.COM 728x90 and 468x60 BANNER CODE for musicrobot.com -->
<script language="javascript" src="http://media.fastclick.net/w/get.media?sid=2924&m=1&tp=5&d=j&t=n"></script>
<noscript><a href="http://media.fastclick.net/w/click.here?sid=2924&m=1&c=1" target="_blank">
<img src="http://media.fastclick.net/w/get.media?sid=2924&m=1&tp=5&d=s&c=1"
width=728 height=90 border=1></a></noscript>
<!-- FASTCLICK.COM 728x90 and 468x60 BANNER CODE for musicrobot.com -->
</center><br>

All you need to recognize is that musicrobot.com is running JavaScript that links you to fastclick.com.



If you use musicrobot to search for "we will rock you", then among the results is a link to http://www.geocities.com/SouthBeach/Strand/2372/soundmidi.html. By itself, this web site is harmless.
The actual link from musicrobot.com is of the form http://media.fastclick.net/w/get.media?sid=2924&m=5&url=http%3A//www.geocities.com/SouthBeach/Strand/2372/soundmidi.html


That is, you are sent to media.fastclick.net first, where you are confronted with an offer from cdn.fastclick.net, the same source as the earlier pop-under ad. The fastclick.net ad is usually for smileys, ecards, cursors, screensavers or something else cute and not obviously malicious.
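The two things described above (a page pulling script from an ad network, and a search result wrapped so the click goes through that network first) can be checked from a page's HTML. The following is an added example, not code from the original post or from FASTCLICK.COM; the function names and the sample HTML are constructed here from the URLs quoted in the post.

```javascript
// Added example (not from the original post): static audit of a page's HTML.
const PAGE_HOST = "musicrobot.com"; // the site being examined

// Constructed sample built from the URLs quoted in the post.
const SAMPLE_HTML = `
<script language="javascript" src="http://media.fastclick.net/w/get.media?sid=2924&m=1&tp=5&d=j&t=n"></script>
<a href="http://media.fastclick.net/w/get.media?sid=2924&m=5&url=http%3A//www.geocities.com/SouthBeach/Strand/2372/soundmidi.html">We Will Rock You</a>
<a href="/about.html">About</a>
`;

// True when host is the page's own host or a subdomain of it.
function isFirstParty(host, pageHost) {
  return host === pageHost || host.endsWith("." + pageHost);
}

// Collect attribute values such as src="..." or href="..." for a given tag.
function attrValues(html, tag, attr) {
  const re = new RegExp(`<${tag}\\b[^>]*\\b${attr}\\s*=\\s*["']([^"']+)["']`, "gi");
  return [...html.matchAll(re)].map((m) => m[1]);
}

// If a link's query string carries an absolute URL on another host, return it.
function embeddedDestination(link) {
  for (const value of link.searchParams.values()) {
    try {
      const dest = new URL(value); // throws unless value is an absolute URL
      if (/^https?:$/.test(dest.protocol) && dest.hostname !== link.hostname) return dest.href;
    } catch { /* not a URL, keep looking */ }
  }
  return null;
}

function auditPage(html, pageHost) {
  const base = `http://${pageHost}/`;
  const thirdPartyScripts = attrValues(html, "script", "src")
    .map((src) => new URL(src, base).hostname)
    .filter((host) => !isFirstParty(host, pageHost));
  const wrappedLinks = [];
  for (const href of attrValues(html, "a", "href")) {
    const link = new URL(href, base);
    const destination = embeddedDestination(link);
    if (!isFirstParty(link.hostname, pageHost) && destination) {
      wrappedLinks.push({ via: link.hostname, destination });
    }
  }
  return { thirdPartyScripts: [...new Set(thirdPartyScripts)], wrappedLinks };
}

console.log(auditPage(SAMPLE_HTML, PAGE_HOST));
```

This is a static scan: a script tag that the page assembles at run time with document.write, as the pop-under code does, only shows up if you inspect the page after its scripts have run.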

If you accept the offer, you are asked if you want to install this software. Carefully review what you are accepting. The terms will insist that the software does not gather any personally identifiable information. The terms will also say that the software gathers your IP address. You should know that the IP address is used to identify you and your habits. Carefully consider whether you regard this as personal identification.
