Spam and malware


Scienceblogs is currently suffering from a rogue ad that hijacks your browser and whisks you off to some wretched commercial site trying to sell you software to prevent your browser from being hijacked. It is evil, stupid, and obnoxious, and please do not purchase the software they are trying to extort from you. The sciencebloggers are all weeping and howling in frustration in our backchannel network, and we’re firing up urgent flares begging our technical people to come purge the vileness…but it’s a weekend, the tech people are all in New York, and unlike those of us living in Morris, Minnesota, they seem to have more exciting things to do than fuss over computers.

Patience. The ad will be destroyed. The advertiser will be turned over to an angry mob of science nerds who have been contemplating interesting punishments all weekend long. Karmic balance will be restored.

Comments

  1. Caldfyr says

    What good is it to dream up the more entertaining forms of punishment if Karma will just balance it up again?

  2. Bunjo says

    Their ‘skillz’ must be pretty poor – all I got was a banner headline. Of course I’m using Opera as a browser which tends to limit some of the exploits.

  3. Schwa says

    I recommend that everybody use a decent HOSTS file. I have no idea if this is possible on Macs, but it’s very, very useful for PCs.

  4. paul01 says

    I noticed it twice in the last day. But it is not just on scienceblogs. I have seen it countless times over the last couple of years.

  5. Rheinhard says

    Using Camino on Mac OS X, and don’t seem to have a problem… (have pop up blocking turned on with only selected sites such as my work domain allowed)

  6. says

    I’m using Firefox, so I’ve only heard of these “ad” things. I understand they used to be fairly innocuous, but those weren’t surviving well, so they evolved to be flashy, to camouflage themselves as operating system windows, and got started making sound to get attention. Now it sounds like they’ve evolved to fill a different webocological niche.

    Either that, or this is one of those IE browser hijacks. Hate those, too.

  7. tomh says

    Geral wrote: Using Firefox with Adblock plus. This site has ads?

    Firefox has nothing to do with it. IE with any simple adblocker gives the same result.

  8. talapus says

    I just got hit by this. It seems to infect Flash banners and is showing up in a bunch of perfectly legit sites. It is already being picked up by some malware detection (e.g., ETrust, I don’t know about the others).

    For those that are interested: http://www.dynamoo.com/diary/malware-scan-newbieadguide-com-hijack.htm has a good description of the problem. WARNING: Do not click on the links in the site.

    If you are running a Windows machine, I would suggest removing Adobe Flash in the control panel until this little pandemic runs its course. Your functionality might be limited for a while, but at least you’ll be safe.

  9. Hank says

    Adblockers are great, at least if you don’t care about the long term survival of the sites you visit.

    Personally, I tend to turn off ads if they’re annoying, with sounds, flashing (or in this case, a rogue redirect), otherwise not.

  10. says

    Funny, I got hit with this last night and just a moment ago (from Pharyngula or Living the Scientific Life). I was just now about to let you know.

    Kill the Malware!

    I’m running Linux, so it is a mere annoyance and not a threat. But it is very annoying.

    Please let us know who the sponsor of the ad is so we can all avoid their products for, as they say, a clam’s life. (400 years).

    G

  11. Moses says

    I’d put in some pseudo-Libertarian snark, because this is exactly the kind of crap you’d be dealing with every second on a “Libertarian” Internet (though they’d never build one, but that’s just one of the many flaws of Libertarianism they conveniently ignore).

    But after two days of reading, and making a few rather annoyed posts, regarding the Libertarian Fundies I don’t find anything funny about Libertarians.

  12. says

    Note, for your reading pleasure, the logical inaccuracy in comment #9. If a person claims that Firefox is blocking ads, then indeed, Firefox “has something to do with it”, even if a different browser has the same ability.

    /pedantry

    FWIW, I use Firefox and have not had the problem described.

  13. says

    Porteous looked at the envelope. He studied the return address. Morris, Minnesota. He looked at a map. The town was two hours from Fargo, North Dakota. Population: 5,200. He opened the letter, and after peering inside for powders, he read it. It barely made sense. It was a rambling confession of finding the answer to a “famous unsolved caper” that would make a great movie–and one only Ephron could direct, because she had “heart.” She could call this movie Bashful in Seattle–because the main character in the caper lived near Seattle. Skipp thought, Strange, yes; dangerous, no. So he hailed a cab, rode over to Ephron’s building on East 79th, and left the letter with her doorman. Ephron got the letter. She opened it and looked at it and put it down on the kitchen counter. It stayed there for some time. Then it disappeared. “I don’t know what happened to it,” she says.

  14. Leni says

    I use Firefox and did get redirected, but Norton caught it pretty much right away. I was kind of surprised. Truth be told I never expected Norton to actually work that fast.

    I think Google also identified the redirect page as malicious and has disabled it.

  15. says

    FWIW, I DO use Firefox, and it DID happen to me. I am not sure if your use of Firefox/not Firefox is as important as other issues, the most important being if the ad is actually showing at the time you actually are looking at the site.

    I’ve got popups set to no-popups, and scienceblogs.com is not listed as a “trusted site.” Yet, I got the infernal things poppin up all over my screen.

  16. Ian H Spedding FCD says

    It got me but it was pretty obviously a dodgy site. Persistent little bugger, though, I had to shut down IE. Luckily, it happened just before I ran my regular spyware and antivirus sweeps and defrag.

  17. says

    When my son’s pc was still running Windows he snagged a similar malware; the writer disguised it as antivirus software. He had not intended to click it, but he did while trying to close it. I spent the better part of three hours getting rid of it.

    It effectively disabled Firefox, SeaMonkey, Safari for Windows, Crazy Browser (the safe way to ride on IE7) and then IE7. I cleaned it out, but then a sneakier one hijacked port 80 and we couldn’t access through any browsers at all.

    His pc is now running Linux/Ubuntu. I had had enough.

    I have a friend who just picked up his laptop from the shop after a virus wiped his BIOS. The same thing attacked his desktop.

  18. says

    Adblockers are great, at least if you don’t care about the long term survival of the sites you visit.

    Not really correct. Most ad sites that I’m aware of only count clicks, not views. Even if they do count views, AdBlock (as I understand it) still downloads the ads, just doesn’t display them. So from the point of view of the advertiser, the use of AdBlock is completely transparent; he can’t tell if a viewer is using it or not.

    It’s analogous to saying that getting up to go to the bathroom during a TV commercial break works if you don’t care about the longevity of the TV networks you watch. The TV advertiser knows even less about his ad impressions than the Web advertiser, and I haven’t seen any networks going out of business lately.

  19. says

    Narc,

    Listen to yourself now … if everybody (everybody!) always got up and went to the bathroom during TV ads, aside from the obvious difficulties the city wastewater treatment facilities might have from saltational inflow, then ads would no longer work. Thus, they would no longer be paid for. I think that is the “long term” we’re talking about here.

    I used to use an ad blocker but at least at that time, I found that they were so ineffective and caused me to do so much adjusting that it was no longer worth it. Now, I simply avoid sites that have obnoxious ads, and I try not to point people to them either. You’ll notice on my blog that I sometimes give a reference but not a link. That is either to a site that requires registration or a site that has extra nasty ads.

    Fortunately, scienceblogs.com rarely has obnoxious ads, and the sciencebloggers seem to jump in and make them go away.

    G

  20. Interrobang says

    if everybody (everybody!) always got up and went to the bathroom during TV ads … then ads would no longer work.

    Maaaybe, except that I’m told by marketing people I trust (as far as I’m wont to trust any marketing people) that the funny thing with ad metrics is that you can tell that, say, 30% of your ads work. Nailing down which 30% is the part that’s pretty much impossible. Given further that most companies that advertise on tv also advertise in other media, even if everyone did all go to the bathroom during the commercials, those of you who watch tv would likely still be plagued with commercials ad infinitum.

    Me, I would prefer to see a lot fewer ads cluttering up the world, but we seem to be collectively suffering from a plague of clever suits who have no qualms whatsoever about putting as many commercial messages as they can wherever they can.

    I haven’t seen the ad, either…

  21. craig says

    adblockers are hard to use? I dunno. With Firefox, adblock plus, and a subscription to a good adblock plus update, I’ve never had to do anything besides install them.

    I also use noscript which I recommend, though some might be annoyed by it as you have to click to allow sites you trust onto your whitelist and that can take a second or two before you realize you need to.

  22. says

    if everybody always got up and went to the bathroom during TV ads … then ads would no longer work. Thus, they would no longer be paid for.

    I disagree. The only feedback a TV advertiser has about the success of his ads is whether or not people purchase the product. He can sort of measure ad “impressions” via Nielsen ratings, but that’s it.

    The only way “ads would no longer work” in your scenario is if sales of the product went down. And I suspect a company’s response to flagging sales would be *more* TV advertising, not less.

  23. says

    I light candles and wave some happy anti-virus crystals in front of my computer. Then, I burn some incense and bite the head off a live rodent.

    So, aside from rabies, I’m virus free.

    Yay!

  24. says

    This hasn’t happened to me, not that it would matter much since I run Linux and the malware is, apparently, a Windross-only executable.

    Actually, maybe it has happened. Every now and then I see something trying to start up and then explode (die), similar to what happens when an unsupported Flash movie format/version tries to start. The Flash player I have is ancient and doesn’t play modern Flash movies. This is Ok with me. I hate Flash, so I’ve never bothered to upgrade the player.

    (FWIW, I normally use an older version of Firefox to visit this site, mostly so I can use the mozex plugin to easily edit my comments with a real (external) editor. Otherwise, I tend to use Opera.)

  25. Crudely Wrott says

    I use the latest Firefox version on a WindowsXP-Home platform. Firewall is on. Within Firefox I take advantage of AdBlock and FlashBlock. I have other software security software running in the background. (Full disclosure: I have brand loyalty only in cigarettes and tools.)

    The single most effective means of avoiding mischief I have found is to not click on ads, period. Just as if I were reading a magazine, if I see something interesting I jot down the name and pursue the matter later and separate from my reading of whatever article. It’s easy and the requisite pen and paper are normally close at hand. This practice eliminates most of the problems with ads, so why run adblockers and other add-ons or stand-alone programs?

    I just began using FlashBlock this week and its major benefit became evident right away; by not downloading all those cinematic thumbnails full of buttons and video controls, pages load faster, I can begin scrolling sooner, and the page is a bit easier to navigate with the lack of distraction. After all, I don’t have unlimited amounts of bandwidth or time.

    Hope this current intrusion turns out to be a mere inconvenience.

  26. says

    Narc, Narc, Narc. Listen. Say you are a company and you can put your money into a) advertising or b) lowering your prices and let the free market push your product. Within the advertizing budget, you can put it into different markets, like radio, billboards, TV, the internet, etc.

    Then one day you found out that the internet was not working for you because everyone is using Firefox and Firefox (in this scenario) comes with adblocker turned on. Then why would you put more money into Firefox?

    Actually, you could, and there would be two scenarios then: Companies that pulled their internet ads and those that did not. The former would stop funding the internet, the latter would go out of business and, ah, well, stop funding the internet.

    Don’t get me wrong. I applaud you for using the ad blocker and thus ruining it for the rest of us. My preference is an entirely different system where we have no ads. Just information and fun stuff.

    In the blogosphere, you don’t need ads. Companies can all contribute to keeping the internet alive and free in the same way they currently contribute to OpenSource software. We bloggers and commenters on blogs will keep the information about the products flowing. Trust us. No kidding.

    Craig: I’m sure you are right. My experience was with the Firefox first version of it, and I needed to keep telling it “this is an ad. And so is this. And so is this” until finally there were not any ads. Fine. But I was using Windows, which meant that every few months for one reason or another I’d lose all my configurations, and there is enough crap to do every time that happens, so the ad blocker never went back in.

  27. Phil says

    find the coolwebsearch remover. It’s a really insidious virus that Norton won’t remove, it comes via active x on MSN. dump it and go to firefox or opera.

  28. David Marjanović, OM says

    When my son’s pc was still running Windows he snagged a similar malware; the writer disguised it as antivirus software. He had not intended to click it, but he did while trying to close it. I spent the better part of three hours getting rid of it.

    Yep, never click “Cancel” in a window that asks you to install malware. It might be, and apparently is, a lie. Close the window instead — that can’t be faked.

  30. says

    I use Firefox but was still getting hit with these, thanks for letting us know it’s being addressed. It did motivate me to update all my virus defs and do a spysweep on my computer, though, sometimes a little annoyance like that is a boon in the long run if it reminds you to be more vigilant, some silver lining I guess.

  31. Ichthyic says

    I just tried out that ad-blocker plus for Firefox.

    I feel a little bad in that I understand the purpose of ad banner rotations, but still…

    whee!

    btw, I never would have bothered if the company managing the ad rotations for seed had done a better job.

  32. AlanWCan says

    I would suggest removing Adobe Flash in the control panel…

    Not necessary. Firefox & Flashblock extension, then you get to choose what Flash things you might actually want to see.

  33. Ichthyic says

    The single most effective means of avoiding mischief I have found is to not click on ads, period.

    in this case, it doesn’t work as the ad banners contained a redirect script.

    easy to do, but very naughty, and likely will get that particular ad company tossed from rotation permanently.

    Moreover, the fact that the ad was able to do this, and that the script wasn’t isolated from the header content of the main page, suggests that seed needs to review how it manages its banner rotation.

    hope this issue serves as a small wake-up call.

  34. DangerousDan says

    Firefox with NoScript never even noticed, and that is with Scienceblogs.com in the list of sites allowed to execute scripts. Of course, my security suite’s popup blocker might have something to do with it. I picked up the NoScript add-on because among other things, I got tired of unwanted music popping up and other bad behavior. It means that I have to take a specific step to allow a site to play certain content, but I prefer it that way. It also remembers sites which I’ve marked as allowed, which are allowed to run scripts.

  35. says

    It doesn’t sound to me like the issue is being taken care of. Why isn’t anyone on call at the Seed company?

    This kind of thing requires an immediate response, especially with the range of topics covered by the science blogs. Users without a clue to what they’re doing can easily get one of the science blog sites as a top hit on a Google search.

    Is it possible, if you’re using Windows, to actually click through to the offending site to pay them or just give credit card info? That would be disastrous. I hope that this is no more than an annoyance…

    David B.

  36. Ichthyic says

    Close the window instead — that can’t be faked.

    no, but the standard close button can be hidden. Sometimes, a fake close button is even added to confuse people further.

    In those cases, for windows, it requires alt+F4 to close the window.

    sometimes, even that doesn’t work (key intercept script is running), and you have to resort to using ctl+alt+del to open up the task manager and shut it down that way.

    rare, but I’ve seen it enough times.

  37. David Marjanović, OM says

    sometimes, even that doesn’t work (key intercept script is running), and you have to resort to using ctl+alt+del to open up the task manager and shut it down that way.

    Scary. And there I was thinking I had been to pop-up hell.

  39. melior says

    if everybody always got up and went to the bathroom during TV ads … then ads would no longer work. Thus, they would no longer be paid for.

    And if no one ever, ever clicked on a link in email spam, there would soon be no email spam.

  40. emkay says

    I had something odd happen here yesterday just reading and lurking (browser hijack) and was going to mention it, then didn’t and today I see there’s a whole thread about it. Well, I just went to comment, and the second I clicked on the ‘name’ field, the same hijacker stuff opened up, started ‘scanning my computer for malware’. How ironic.

    And just like yesterday, I had to close the browser window to get it to stop. I’m running Firefox with Adblock. As I write the little bar at the bottom of the screen shows ‘transferring data from newbieadguide.com’, and has been since I logged back in here. I suppose I’ll have to go run all my adware and spybot stuff now….hope SB can get it sorted out.

  41. Ichthyic says

    I use Firefox with the noscript plugin and it works with brutal efficiency.

    have you found problems with sites that need scripts to run in order to display properly?

    Or do you just have favorite sites where you allow scripts to run on an individual basis?

  42. says

    Say you are a company and you can put your money into a) advertising or b) lowering your prices and let the free market push your product.

    First of all, when was the last time that a company cut their ad budget and lowered prices? For any medium?

    Companies that pulled their internet ads and those that did not. The former would stop funding the internet, the latter would go out of business and, ah, well, stop funding the internet.

    That’s a bit dramatic. Has the advent of the VCR, the DVD recorder, the Tivo, and the DirecTV DVR diminished the number of commercials? Have companies gone out of business because their commercials aren’t watched? Doesn’t seem that way to me.

    Let’s face it, we’ll never get to the point where *everyone* is using an ad blocker. Many websites still require registration to access even basic content (e.g. the LA Times), even though sites like bugmenot.com make that irrelevant.

  43. Ichthyic says

    Have companies gone out of business because their commercials aren’t watched?

    never looked at the data for specific companies, but if you rely on advertising to sell your product, and nobody is seeing your advertising, that logically would suggest you would be up proverbial shit creek.

  44. melior says

    When using noscript, I set it to block all scripts by default. Then just click on the toolbar at the bottom to “Temporarily allow (url)” when you want to allow a script to run on a site. It will reset when you close your browser session. Sites you trust and visit a lot you can use “Allow (url)” and noscript will remember it. You can also choose “Forbid (url)”.

    Here’s a little more info about the malware that emkay describes, which seems to be triggered by an infected .SWF file.

  45. Ichthyic says

    When using noscript, I set it to block all scripts by default.

    hmm, must be better than they used to be.

    the older ones I tried a few years back were a bit too draconian.

    a lot of sites I visited had entire sections broken or missing, and if they were missing, there was no easy way to tell.

    I mean, there are very few sites that use absolutely NO scripting, Java or otherwise.

  46. says

    I had this happen to me almost two months ago. It cost me a new tower and just over $1,000 to fix. Definitely do not click on anything that pops up from any site you’re not expecting pop-ups from.

  47. Dan says

    if you rely on advertising to sell your product, and nobody is seeing your advertising, that logically would suggest you would be up proverbial shit creek.

    If your products require paid-for advertising to sell it, and no other approach will work, then who cares if your company goes up shit creek? It sounds like your products are only recommended by people who you can pay to talk counter to their better judgement?

  48. Ichthyic says

    If your products require paid-for advertising to sell it, and no other approach will work, then who cares if your company goes up shit creek?

    um, the people who work for the company, maybe? Investors, maybe?

    It sounds like your products are only recommended by people who you can pay to talk counter to their better judgement?

    so all advertising functions to counter people’s better judgement?

    sounds like you aren’t using your better judgement.

  49. Timothy says

    I’ve got popups set to no-popups, and scienceblogs.com is not listed as a “trusted site.” Yet, I got the infernal things poppin up all over my screen.

    Be sure to run flashblock as well (you can still click the run icon to view the flash) as adblock. Flash-based popups are the most common for ads these days because the browser for whatever reason has no control over them. This would probably be easily fixed if Flash weren’t closed and proprietary.

  50. Charley says

    Somehow it was smart enough to penetrate the incomparable security of my wide-open Windows 2000 machine with Firefox. It’s called “MalwareAlarm”. Kind of like the mob requesting payment for “protection”.

    Hasn’t caused any mischief since I closed it an hour ago.

  51. says

    Oh. I thought I was having a senior moment: “How did I get here?”

    Fortunately, while I was blinking and going “Huh,” I saw the Windows designation in two of the things it accused my machine of having, and that machine’s a Mac. I just closed the browser. Wetware fixes are cheap when they work.

  52. bacopa says

    I’ve hit this ad a couple of times. If I miss the scrollbar the ad comes up. It gives me Windows NT frames so I know it’s fake cause I’m using Safari.

  53. says

    I’ve clicked on at least one “X” to close the box and had it take me to a link instead, so I use ALT-F4, which requires no clicking if the machine’s focus has moved to the pop-up.

  54. Carlie says

    I never, ever click on advertising banners, so I don’t see that there’s any difference from the advertiser’s point of view if I use adblock or not. Advertisers have dug their own grave with this one; if they weren’t so obnoxious visually, and if they didn’t come with malicious code more often than not, they might get a little more positive attention.

  55. Ichthyic says

    so I don’t see that there’s any difference from the advertiser’s point of view if I use adblock or not.

    nope, only from the people trying to sell the ad space to advertisers to begin with.

    kinda hard for seed to make money selling ad space if it’s apparent most perusers of seed blogs block ads.

    not saying it’s necessarily a bad thing, mind you, as I totally agree that advertising on websites has gone overboard with all the flash crap.

    I figure if you have so many ad scripts, or flash ads running, that it takes the page nearly twice as long to load as it does without them, you need to rethink your banner rotation strategy.

    Pharyngula loads MUCH faster with the banner ads blocked.

    Maybe it’s time for Seed to rethink how and who it sells ad space to.

  56. G. Tingey says

    09.13 GMT – I just got it again.
    Again, Norton eat it – even faster than before…
    But it’s still out there.

    Be careful

  57. says

    It might be worth checking out SiteMeter. They’re notorious for adding third-party cookies to their counter script. I’m 90% sure it was Sitemeter that caused this problem when I saw it before…

  58. fcc says

    Nope, doesn’t happen in my Opera.

    My kids and I used to delight in returning postage paid envelopes. I had lots of old lead flashing and we would cut a sheet of lead to fit in each envelope, compose a reply on the lead (declining their generous offer), then send it off.

    Ah, those were the days :)

    fcc
