"The rogue link remains even after the user copies a new batch of text. The only way to remove it is to reboot the computer."
That the problem can't be resolved by less drastic means, such as logging off, user switching, or killing the offending process, seems... unlikely. In fact, according to at least one poster, they solved the problem by killing the Firefox process. I suspect that the attack works by running a loop which continuously inserts the malicious link into the copy and paste buffer. This is supported by another poster reporting that they can, in fact, copy and paste another block of text, assuming they do it very, very quickly.
If I had more time today, I'd fire up a virtual machine and go looking for a copy of this exploit myself; it looks like it would be fun to dissect.
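The loop hypothesis above (a URL re-planted in the clipboard so fast that only a very quick paste survives) is exactly the pattern a polling clipboard monitor can flag. The following is an added example, not code from the thread or from any poster; it assumes a monitor that polls the clipboard every ~100 ms, and the URLs and snapshot traces in it are constructed placeholders.

```python
"""Clipboard-hijack detection over polled clipboard snapshots.

Added example, not code from the original thread. It models the behaviour the
posters describe: a page keeps re-writing one URL into the clipboard, so text
the user copies survives only briefly before being overwritten. A live monitor
would poll the OS clipboard (e.g. via a library such as pyperclip) every
~100 ms; here the poll results are a constructed list of (seconds, content)
snapshots so the logic runs offline. The URLs are placeholders, not real IoCs.
"""
import re
from collections import Counter

# A bare URL on its own, the only kind of value the attack plants.
URL_RE = re.compile(r"^\s*(?:https?://|www\.)\S+\s*$", re.IGNORECASE)


def detect_hijack(snapshots, window=1.0, min_reverts=2):
    """Return (hijacked, url) for a time-ordered list of (seconds, content).

    A "revert" is counted when a URL replaces different clipboard content
    that lived for at most `window` seconds, i.e. the user's copy got
    clobbered almost immediately. The clipboard is reported as hijacked
    when the same URL reverts at least `min_reverts` times. Copying a link
    once by hand does not trip this; a clipboard that never changes does
    not either (that case needs the user to notice the stray URL).
    """
    reverts = Counter()
    current, since = None, None
    for t, content in snapshots:
        if current is None:
            current, since = content, t
            continue
        if content == current:
            continue  # unchanged since the last poll
        if URL_RE.match(content) and (t - since) <= window:
            reverts[content] += 1
        current, since = content, t
    if not reverts:
        return False, None
    url, count = reverts.most_common(1)[0]
    if count >= min_reverts:
        return True, url
    return False, None


# Constructed poll traces (100 ms interval, gaps where nothing changed).
HIJACKED = [
    (0.0, "meeting notes for Tuesday"),
    (0.1, "http://example.invalid/av2009"),   # planted within 100 ms
    (0.2, "http://example.invalid/av2009"),
    (2.0, "my-password-123"),                 # user copies a password
    (2.1, "http://example.invalid/av2009"),   # clobbered again
    (4.0, "some other text"),
    (4.1, "http://example.invalid/av2009"),
]
CLEAN = [
    (0.0, "meeting notes for Tuesday"),
    (2.0, "https://example.invalid/article"),  # user copied a link by hand
    (6.0, "grocery list"),
    (9.0, "https://example.invalid/other"),
]

if __name__ == "__main__":
    for name, trace in (("hijacked", HIJACKED), ("clean", CLEAN)):
        print(name, detect_hijack(trace))
```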
...at least, according to the links posted (which I actually read; did the author? ;)). Trouble is, if true this isn't really a bug, it's correct functionality being abused. One for advertising vendors, perhaps, not browser developers.
Playing with a bit of wget and changing the user agent to Firefox/IE, the quoted exploit site appears to just redirect me to Google's home page. Does this mean that someone's already clobbered the target site? Or is it looking for some bit of cleverness that I failed to duplicate? I run NoScript on Firefox so if that's the vector then I'm not likely to find out by accident.
By Anonymous Coward Posted Friday 15th August 2008 19:07 GMT
I have recently had to write JavaScript code that reads and writes the clipboard, and making it work for Mozilla is painful. You need about 30 lines of gobbledegook, and even then it doesn't work unless you change a security setting in about:config, and you then still get a warning when the code first runs.
The interesting thing is that permission to access the clipboard is covered by the same setting as the most serious types of access, such as reading and writing local files. So it's not impossible that the hole that's being exploited here could be put to more unpleasant purposes.
...why websites (or Flash for that matter) should have access to the clipboard at all.
Providing scripts with read-write access (in IE at least) to a buffer that may well contain confidential data is just asking for trouble in so many ways... So many people copy/paste passwords, CC numbers, etc...
to google with iceweasel under linux or telnetting to web site. Connects to internetscanner2009.com if running under XP and tries to get the user to install the program AV2009Install_77011807.exe by lying about an infected system. I will try and find the method/advert used to get the link into the clipboard. Could take some time.
This happened to me on July 29th while browsing technology and news sites (so nothing I expected to be particularly dangerous) with Firefox 2 and Linux. I then pasted the link, saved the AV2009... file and tested it with an online virus scanner. It tested negative. The day after, it tested positive.
At the time I could not find information about this on the web, but this exact attack has been in the wild for at least two weeks.
Also redirected to google here, running MSIE6 in Windows XP inside virtualbox. Searching google for the site name turns up a URL with some token on the end of it, which did work.
Nasty bit of extortionware that they're trying to push, too. It 'found' 41 really dangerous-sounding bits of malware on a completely fresh install of XP and just will NOT go away.
By Solomon Grundy Posted Friday 15th August 2008 20:59 GMT
Not sure it's related but a lot of the sites listed in the forums have had tons and tons of spam sent out in their names in the past several days... yesterday alone our spam server recorded over 7,000 emails from "MSNBC".
By And Clover Posted Friday 15th August 2008 21:05 GMT
Flash is full of obnoxious features ripe for abuse by malvertisements. If it's not the clipboard access, or cookies you can't block with the normal browser controls, it's the mundane irritation of pop-ups, surprise LOUD auto-playing sound and CPU-killing animations.
The Firefox Flashblock extension - or some similar means of disabling such plug-ins by default in other browsers - is the only sensible response.
By Anonymous Coward Posted Friday 15th August 2008 22:19 GMT
I have been getting these emails for weeks; it was originally CNN news, now MSNBC, straight to my Yahoo spam (well, apart from a few that ended up in my inbox). Using XP, Firefox 3 and Avast, Lavasoft SE, nothing picked up, although superantispyware did pick up quite a bit.
After spending an hour setting up a new VM and over 2 hours browsing news and social networking sites (shudder), I just could not get infected; I had a clipboard viewer up all the time and got not a single bite. What this exercise has made me realise is how absolutely vital NoScript and AdBlock are to browsing. I was amazed at the amount of flashing junk and pop-ups dominating websites, especially the American news sites. It's a shame I didn't find the swf or script that does this; I am curious how this is done. I will have another try tomorrow.
By Anonymous Coward Posted Friday 15th August 2008 22:55 GMT
While using Facebook on Safari recently, with no other sites open, I got a pop-up window with an xp-vista-update.net URL. I can only guess it was due to a malicious ad served on Facebook. Looks like these goons have more than one vector.
By Steven Swenson Posted Friday 15th August 2008 23:07 GMT
If a website can run code that loops and continuously inserts a link, who's to say it can't run a loop that continuously copies data from your clipboard and sends it off to a bot?
By Jeremy Posted Saturday 16th August 2008 02:08 GMT
Yep, I know, which is why I clarified my moan about read access with "(in IE at least)", because since version 5 it can read the clipboard contents (provided it's text) with an equally simple:
var clipContents = window.clipboardData.getData("text");
I believe Opera has clipboard access too. Attempting to read the contents of the clipboard will at least throw up a warning in IE7 but since when has a silly security prompt stopped the majority of users from clicking OK?
By James O'Brien Posted Saturday 16th August 2008 04:56 GMT
SmitFraudFix, BugHunt 2.2, HijackThis and a GOOD (read: not Norton or McAfee) AV scanner. Works for me. I work in remote support and have been seeing this for a while now (3 weeks IIRC) and there are 3 versions that I know of.
1) This version is a pain in the ass but can be gotten rid of by the above mentioned tools if run in safe mode.
2) This version is a dick. Spent 6 hours trying to figure this little bugger out to no avail. This one (for lack of a better way of putting it) appears to remove everything from the start menu and prevent many hotkeys from working. I have since given up trying to fix the damage and just restore the system, 'cause I'm not gonna bother wasting my time or the customer's.
3) This final one that I have seen is rather new. The above mentioned programs work, or at least so it appears. Everything appears to be fine for about 15 minutes after cleaning the system and then it starts to go to hell again. I have experienced this happening more frequently lately. Gave it 2 hours of work trying to fix/remove the problem child without ever finding it. (No, I love Karen, but meh, I personally like making customers suffer.) So I default to restoring the system.
As far as I have seen this 3rd one is becoming more and more frequent. Now stop infecting yourselves. For those that don't know, you can get infected by clicking link in email/going to webpages/installing everything pushed on you/reading email/running programs/opening files/sex/farting sideways/eating/sleeping/having a pet/having a child/having a job/going to work/getting up in the morning/turning computer on/coffee/drinking coffee/small children/peanut butter and jelly sandwiches/. . .<ENTERING RECURSIVE LOOP>
<joke>
Sorry about that all you out there in Register Central. Our latest attempt at mind cont...erm a marketable program appears to still have a few bugs in it. Heh get it? A few bugs? Anyway please help us beta test it so that we can continue beta testing bugs like this to prevent this in the future. Just click this link http://notavirus.com/*nix_fanboi_or_m$_fanboi_or_apple_fanboi/fuck_your computer_up_and_steal_all_your_money_including_identity/vista_*nix_osx/ great_sparkling_magic_notofthisearth_super_uber_amazing_supercalifragilisticexpialidocious_antivirus2009/your_boned.exe to help us test for bugs like this in the future. Thank you for your time.
Or, for an easier time if your keyboard isn't working, just use this tinyurl:
By peter Posted Saturday 16th August 2008 06:28 GMT
This will probably get ignored, but anyway.
Overwriting the Firefox/IE clipboard has been possible for a long time. I imagine these users (although I haven't read all the four forums and subsequent links for each post) had a window hidden from them or a frame around a webpage. The only change is to use it for spamming links, which is a nice human touch to spreading spam; lots of people Ctrl-C-V without thinking.
It overwrites anything you have in the clipboard without requiring any action such as clicking or selecting; you do need Flash and JavaScript running, which 99% do.
I'm 90% certain I got hit on the Ars Technica site. I was using IE7 and the only strange thing I noticed was one of the ads was making some kind of clicking sound. My network folks scanned my comp. but didn't see any malware.
Possibly, they are just hoping that someone will paste a link and go to it.
By Adrian Posted Saturday 16th August 2008 09:36 GMT
tell IE not to allow access to the clipboard - it's just a tickbox. I do it on any IE I set up, since browsers and webpages have no right to my clipboard.
By Anonymous Coward Posted Saturday 16th August 2008 13:14 GMT
I don't get why it's even allowed. Can anyone think of a solid program design that needs access to the clipboard? I mean, do we really need "copy this" buttons when they are built into the interface? They ought to just remove the ability from the object model.
By Mike Flugennock Posted Saturday 16th August 2008 17:10 GMT
...on a G4 with OSX "Leopard" and Firefox running "naked". No luck replicating the clipboard attack. Still, I can't see how this could be a threat to my system if I go to use my Clipboard and see some skanky URL that I never copied into it and think, "huh, that looks skanky, lemme just quit Firefox and force it to flush my cookies and my cache and see if that works" -- instead of being one of those kids who had to wear a helmet in school, and just pasting away with it.
I did, however, out of sheer curiosity, try the link in this article and oh, the hilarity that ensued. It was pure cheap laffs gold, watching the site I was redirected to run its fake Flash cartoon pretending to be a Windows virus scanner, scanning files which were obviously DOS/Win files and not living on my hard disk at all, and then presenting me with a Windows dialog -- also obviously fake -- screaming that my system -- a Mac, mind you -- was infected and that I had to buy their fake AV product lickety-quick, to avoid certain disaster.
Wiping the tears of hysteria from my eyes, I "flushed" Firefox, turned NoScript and AdBlock back on, restarted Firefox, and went back to the Finder to trash the totally impotent .exe files which hit my desktop. Then I realized that the one possible threat this "virus" could pose to my Mac was perhaps accidental hardware damage, from inadvertently knocking my G4 over in a fit of uncontrollable laughter watching this retarded malware site try to scare me by pretending to run a goddamn' fake Windows virus scanner on my Mac.
(Steve Jobs with a halo, only because I've been a Mac OS fan since 1985, and you have no replica of the old little "smiling Mac" MacOS bootup icon, and despite the fact that Jobs has been a real friggin' prick recently.)
By combatwombat Posted Saturday 16th August 2008 17:37 GMT
It is the same malware/crapware as "XP antivirus 2008". I've seen Google ads for this gem, which is worse than a real virus infection. They demand money to fix a problem they caused. Oh, the joys of Windows.
I did a quick Whois on the domains: xpantivrus.com, xp-vista-update.net, internetscanner2009.com. All registered under estdomains.com, in Delaware, US. The latter 2 use estdomains' DNS. Doing some more digging, some of the DNS servers come back to eosads, in the Motherland:
By The Badger Posted Saturday 16th August 2008 18:01 GMT
...if what people have been writing is true. Yet another reason for not infecting one's computer with the plague that is Flash, or at least coercing browser developers to provide decent control over Flash utilisation, rather than having it enabled for all sites, all irritating animated adverts, and all potential exploits associated with trusting the binary payload of a proprietary software vendor.
Flash isn't "the Web" despite what the fanboys and "embedded multimedia" idiots would have you believe.
By Corrine Posted Saturday 16th August 2008 18:09 GMT
I don't know any browser/OS combination that would be immune, except for one without Flash, though this only directs to a malware page; Linux/OSX* will almost certainly be immune to the .exe file even if it's successfully pushed through Firefox/Opera/Safari.
*Not necessarily from conventional security, but because these people will go for the biggest target.
By Ralph Jolly Posted Sunday 17th August 2008 08:52 GMT
Had an odd thing the other day possibly linked with this. I couldn't open FF, said it was already running. Checked the processes and sure enough there it was but no visible instance. Killed the process and we were back in business. Sounds similar to how this exploit operates but I didn't notice anything odd with the clipboard, that said I can't recall if I used the clipboard.
Stranger still, I run NOSCRIPT and this still appears to keep FF running, although maybe it didn't hijack my clipboard....
By And Clover Posted Sunday 17th August 2008 12:19 GMT
combatwombat: it's no use looking at any of the whois information in these cases. The addresses given are invariably either:
a. completely made up
b. just copied from some other entity's address
c. mailboxes/forwarding companies
The people behind these fake anti-virus apps are Russian hackers coming from the AWM scene (and others in the Russian satellites). The registrar Estdomains (aka Esthost, Inhoster, UkrTelegroup, Cernel, Rove Digital and a multitude of other aliases) are themselves blackhats, directly in on the porn->exploit/fake-codec->trojan/fake-AV-install game. So they're not too fussy about correct whois details.
You could complain to ICANN and get the domain revoked in, what, six months. But these guys constantly change their names and register hundreds of new domains, so it's kind of pointless.
By Goat Jam Posted Sunday 17th August 2008 12:37 GMT
Did you check out some of the "xploits" that are listed by the "virus scanner" (scanning my linux box with a very nice imitation of an XP dialog of course)?
By Ian Borge Posted Sunday 17th August 2008 21:22 GMT
Using malwarebytes and spybot for a few registry settings that malwarebytes misses gets rid of it. At least in the 10 or so cases I've cleaned in the past 2 or 3 weeks, although I haven't seen any with the 2009 version, which might have a few differences from Winav2008.
The "bad" is superfluous, as there can be no "good" in that context.
Another point for adblock I suppose. Soon flash ads will have made it impossible to make money out of a free to view website because everyone will have adblocked everything.
By Joe Montana Posted Monday 18th August 2008 10:20 GMT
I knew that IE was capable of reading the clipboard contents; I have a small piece of code on several sites which reads the clipboard contents and requests /clip.php?text=<clipboard contents here>
You can get some really weird stuff from peoples clipboard...
I didn't know you could actually set someone's clipboard, but I would consider that far less serious than being able to read the contents of it (which might contain private data).
By Anonymous Coward Posted Monday 18th August 2008 11:36 GMT
Of course, it would be far too difficult to expand the redirect page to check what OS you're running and provide an OS-based scan, or to offer a Mac download? The whole point is that it scares users into downloading something they don't need, paying for something they don't need (i.e. putting their card details into the site, so not just paying for one thing), and possibly screwing their PC by downloading it. If a user is prepared to download and run something, once they run it and get told it might be unsafe they'll probably still run it, won't they?
Even worse, there's not going to be any AV on a Mac already to pick it up as dangerous. I'm not the biggest fan of Macs, but you have to be able to see that there is roughly the same (high) percentage of naive Mac users as PC users. As Macs get more popular, it's only a matter of time before a scam like this is adapted for Macs, it just makes sense.
By C Benjamin Posted Monday 18th August 2008 15:02 GMT
Because many of today's IT management products are using browser-based interfaces. For those sysadmins using them, you end up doing a lot of cut and paste as a time-saving manoeuvre to make sure you have a) entered the information correctly and b) you can add more than one entry at once, or you are adding multiple lines to queries/functions.
Comments on: Mystery web attack hijacks your clipboard