During the Great New Zealand Snowstorm 2011 the MetService web site was probably one of the most visited in the country. Unfortunately someone thought it would also be a great time to break into Metservice's online advertising platform and plant a little Trojan horse.
What happened is that when serving the ads the MetService web site was also unknowingly distributing a third party piece of code. This little piece of code would be executed by the users' web browser and silently download and install malware on the visitors' computers.
To make it clear: you wouldn't need to click an ad to load this malware, as its code was being loaded directly from the ad server and executed by your browser. The infection wasn't delivered by an ad. In the delivery method could be applied to any other database driven website. It's not an "online advertising problem".
Here is the official MetService email I received when they started the clean up process on their server:
Over the past week, MetService's website has experienced record numbers of visitors due to the severe weather being experienced across the country. The site has handled this record traffic well. The popularity of the site no doubt made it a target for this attack.
An upgrade incorporating a fix is now being installed in order to resolve the issue. The ad server database is also in the process of being cleaned and rebuilt. We have responded to tweets on the issue starting just before 10am this morning, and will continue to respond to users' concerns as they arise.
While there's still an ongoing discussion on Geekzone (where it seems it was first reported), at least one of the installed malware is Personal Shield Pro, a fake security program that will collect personal information, all while pretending to be a legitimate program - and at some point might even ask for credit card details to unlock the "cleaning" feature, obviously not doing anything.
It's also not clear the third party software was distributing one, two or more variants of malware - it's possible that the software could be installing different types of malware depending on what browser was being used, or what operating system version the PC is running, etc.
From the information we managed to collect on Geekzone, the main infection was really Personal Shield Pro. This can be removed with Malwarebytes, a free software (although with a Pro paid version with more features).
To remove the Personal Shield Pro follow these steps:
- Reboot your PC and press F8 just before Windows starts running
- On the boot options screen select "Safe Mode with Network"
- Download Malwarebytes and install
- Run a full scan and accept its suggestions
This should clear the infection.
Obviously your PC could get contaminated again with the same thing if it stumbles upon another web sites carrying the same or similar code. Here are some tips to keep it safe:
- Make sure your Windows PC is always up-to-date with the latest patches and browser versions. If you are running Windows XP make sure you have Service Pack 3 installed and all Windows Updates after that. If you are running Windows 7 make sure you have Service Pack 1 and all Windows Updates after that. You should check for new Windows Updates every second Wednesday (New Zealand time), which is the day Microsoft releases those updates. You should actually set Windows Update to automatically download and install updates.
- If you are running Internet Explorer on Windows XP you should have Internet Explorer 8. If you are running Internet Explorer on Windows 7 you should have Internet Explorer 9.
- If you are running other browser (Chrome, Firefox, Opera, Safari) you should check that you are running their latest updates.
- If you are running any other program (specially ones that plug into your browser) make sure you always have all updates installed. This includes Java runtime, Skype plugins, Toolbars and any other program that changes the browser behaviour.
- You should install one antivirus program (free or paid) but not more than one. Multiple antivirus programs on the same PC will cause problems.
- Earlier this year I posted a blog entry with links to a list of free security programs and you should read it.
If anyone is in the security community and could add or update any information posted here about this specific incident, please contact me. I'm also blocking comments in this blog post to avoid the predictable "Windows vs Mac OS vs Linux vs " or "Internet Explorer vs Firefox vs Chrome" flame wars.
UPDATE: for those interested in finding out how the Metservice ad server was compromised, this is a good read.
UPDATE: Although the JAVA runtime is multi platform, the final payload affected only Windows PCs. All of you running Mac OS X, Linux, iPads and other devices will not be affected.
Other related posts:
Geekzone data analytics with Power BI
Now with more fibre
Unlimited is not unlimited: Vodafone cable going gigabit
comments powered by Disqus