My window to the world

Cleaning up the Metservice infection

By Mauricio Freitas, in , posted: 18-Aug-2011 10:02

During the Great New Zealand Snowstorm 2011 the MetService web site was probably one of the most visited in the country. Unfortunately someone thought it would also be a great time to break into Metservice's online advertising platform and plant a little Trojan horse.

What happened is that when serving the ads the MetService web site was also unknowingly distributing a third party piece of code. This little piece of code would be executed by the users' web browser and silently download and install malware on the visitors' computers.

To make it clear: you wouldn't need to click an ad to load this malware, as its code was being loaded directly from the ad server and executed by your browser. The infection wasn't delivered by an ad. In the delivery method could be applied to any other database driven website. It's not an "online advertising problem".

Here is the official MetService email I received when they started the clean up process on their server:

At around 8pm last night, Tuesday 16 August, MetService's web support team identified an issue with its ad server. The ad server was immediately shut down to protect client browsers and prevent further problems; at no time was unavailable to the public. Prior to this we had received no reports of any issues.We now know that the ad server was compromised by a malicious attack, through a vulnerability which allowed someone to upload a binary file into the database. This file contained JavaScript code which redirects the browser to a website which downloads malware files to the client machine.

Over the past week, MetService's website has experienced record numbers of visitors due to the severe weather being experienced across the country. The site has handled this record traffic well. The popularity of the site no doubt made it a target for this attack.

An upgrade incorporating a fix is now being installed in order to resolve the issue. The ad server database is also in the process of being cleaned and rebuilt. We have responded to tweets on the issue starting just before 10am this morning, and will continue to respond to users' concerns as they arise.

While there's still an ongoing discussion on Geekzone (where it seems it was first reported), at least one of the installed malware is Personal Shield Pro, a fake security program that will collect personal information, all while pretending to be a legitimate program - and at some point might even ask for credit card details to unlock the "cleaning" feature, obviously not doing anything.

It seems the malware was planted through the execution of a Javascript code that would call a Java program (Javascript and Java are two different things). The Java program seemed to take advantage of a known vulnerability and use it to load the final program into the computer. It looks like the program itself would not be loaded directly by the browser, so it had to do it through Java. In this case it seems people running old versions of Java were the ones infected.

It's also not clear the third party software was distributing one, two or more variants of malware - it's possible that the software could be installing different types of malware depending on what browser was being used, or what operating system version the PC is running, etc.

From the information we managed to collect on Geekzone, the main infection was really Personal Shield Pro. This can be removed with Malwarebytes, a free software (although with a Pro paid version with more features).

To remove the Personal Shield Pro follow these steps:

  • Reboot your PC and press F8 just before Windows starts running
  • On the boot options screen select "Safe Mode with Network"
  • Download Malwarebytes and install
  • Run a full scan and accept its suggestions

This should clear the infection.

Obviously your PC could get contaminated again with the same thing if it stumbles upon another web sites carrying the same or similar code. Here are some tips to keep it safe:

  • Make sure your Windows PC is always up-to-date with the latest patches and browser versions. If you are running Windows XP make sure you have Service Pack 3 installed and all Windows Updates after that. If you are running Windows 7 make sure you have Service Pack 1 and all Windows Updates after that. You should check for new Windows Updates every second Wednesday (New Zealand time), which is the day Microsoft releases those updates. You should actually set Windows Update to automatically download and install updates.
  • If you are running Internet Explorer on Windows XP you should have Internet Explorer 8. If you are running Internet Explorer on Windows 7 you should have Internet Explorer 9.
  • If you are running other browser (Chrome, Firefox, Opera, Safari) you should check that you are running their latest updates.
  • If you are running any other program (specially ones that plug into your browser) make sure you always have all updates installed. This includes Java runtime, Skype plugins, Toolbars and any other program that changes the browser behaviour.
  • You should install one antivirus program (free or paid) but not more than one. Multiple antivirus programs on the same PC will cause problems.
  • Earlier this year I posted a blog entry with links to a list of free security programs and you should read it.

If anyone is in the security community and could add or update any information posted here about this specific incident, please contact me. I'm also blocking comments in this blog post to avoid the predictable "Windows vs Mac OS vs Linux vs " or "Internet Explorer vs Firefox vs Chrome" flame wars.

UPDATE: for those interested in finding out how the Metservice ad server was compromised, this is a good read.

UPDATE: Although the JAVA runtime is multi platform, the final payload affected only Windows PCs. All of you running Mac OS X, Linux, iPads and other devices will not be affected.

Other related posts:
Geekzone data analytics with Power BI
Now with more fibre
Unlimited is not unlimited: Vodafone cable going gigabit

comments powered by Disqus

freitasm's profile

Mauricio Freitas
New Zealand

I live in New Zealand and my interests include mobile devices, good books, movies and food of course! 

I'm the Geekzone admin. On Geekzone we publish news, reviews and articles on technology topics. The site also has some busy forums.

Subscribe now to my blog RSS feed or the Geekzone RSS feed.

If you want to contact me, please use this page or email me Note this email is not for technical support. I don't give technical support. You can use our Geekzone Forums for community discussions on technical issues.

Here's is my full disclosure post.

A couple of blog posts you should read:

Social networks presence

View Mauricio Freitas's profile on LinkedIn

My Blog by tags...

State of Browsers...
Viral Marketing...
Web Performance Optimization...
Windows Phone...

Other recent posts in my blog

If the headlines indicate the ...
Geekzone data analytics with P...
State of browsers Geekzone Mar...
2Cheap Cars discussion...
Now with more fibre...
Unlimited is not unlimited: Vo...
How bad is Vodafone cable at t...
Frustrated with Microsoft Fami...
State of browsers Geekzone Mar...
You are still a pirate accordi...

New posts on Geekzone