Canada.com Infected With Trojan-Installation Browser Hijack

Summary: Visitors to Canada.com (not hyperlinked for obvious reasons) will have their browsers hijacked, and a series of prompts will download and attempt to install malicious software. This will happen ONLY on the first visit from an IP address. Subsequent visits to Canada.com will not experience the browser hijack.

NOTE: I have only experienced this on the Vancouver Sun section of Canada.com. I’m currently out of different IP addresses to try. I’ll try again from home to see if the rest of Canada.com is infected.

How I found The Problem: I followed a link from Bynkii.com to a Vancouver Sun story that Bynkii discussed. My browser was immediately hijacked. I visited the site again, and found no errors. I then tried from a laptop connected to our company’s wireless network (completely separate from our internal network, and through a separate ISP) and saw the hijack again. That time I got screencaps. Visiting the site through the wireless again showed no problems, leading me to believe that this displays one time per IP address. Trying multiple browsers did not result in another browser hijack, and neither did clearing cookies, making me think it’s recording IP address and attacking once per IP address.

Details:

The first time you visit Canada.com, your browser will flash through a few redirects, and then the following popup will appear:
[Screenshot: FirstPopUp]

Note that hitting either Cancel or OK appears to have the same result — you can’t get out of there. Your browser will then appear to scan your hard drive for viruses. It’s all theater; it’s not actually doing anything at this point:

[Screenshot: scanningmysystem]

It will then pop up a message (in a Windows-style message box — not sure how it did that):

[Screenshot: RemoveErrors]

If you’re on a Macintosh, it will then offer to download an EXE file. I’m not sure if it will automatically download and run the file on a Windows machine, because I’m not about to try.

[Screenshot: DownloadInstaller]

I uploaded the downloaded file to virustotal.com, and it found a variety of badness there; the general consensus seems to be that this file isn’t so bad by itself, but, once installed, it will download and install an additional slew of malware and trojans of unknown potency. (I was unable to find really definitive information about this file; I’m open to suggestions for better places to look.)

File Install-MnBhY2lmaWM-a2V5aW4-a2V5a received on 11.08.2007 03:28:07 (CET)

Antivirus       Version        Last Update   Result
AhnLab-V3       2007.11.8.0    2007.11.08    -
Authentium      4.93.8         2007.11.07    could be infected with an unknown virus
AVG             7.5.0.503      2007.11.08    Generic9.HLR
CAT-QuickHeal   9.00           2007.11.07    -
DrWeb           4.44.0.09170   2007.11.07    -
eTrust-Vet      31.2.5278      2007.11.07    -
FileAdvisor     1              2007.11.08    -
F-Prot          4.4.2.54       2007.11.07    W32/Heuristic-119!Eldorado
Ikarus          T3.1.1.12      2007.11.08    Virus.Win32.Renos.AE
McAfee          5158           2007.11.07    BraveSentry
NOD32v2         2645           2007.11.08    Win32/Hoax.Renos.PY
Panda           9.0.0.4        2007.11.07    Suspicious file
Rising          20.17.22.00    2007.11.07    -
Sunbelt         2.2.907.0      2007.11.07    -
TheHacker       6.2.9.119      2007.11.07    -
VirusBuster     4.3.26:9       2007.11.07    Trojan.Renos.Gen.2

Additional information
File size: 31288 bytes
SHA1: ef6fce7ad9a01d6cabb84bffc3bddee6f43bfe4e
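To make sense of a report like the one above, it helps to tally how many engines flagged the sample and which family name they agree on. The following is an added example (not part of the original post) that parses VirusTotal's 2007 plain-text layout, assuming one engine per line in the order name, version, date, verdict, with "-" meaning nothing detected; the report text is the one pasted above.

```python
import re
from collections import Counter

# The post's VirusTotal report, verbatim; the header line is skipped by the parser.
VT_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2007.11.8.0 2007.11.08 -
Authentium 4.93.8 2007.11.07 could be infected with an unknown virus
AVG 7.5.0.503 2007.11.08 Generic9.HLR
CAT-QuickHeal 9.00 2007.11.07 -
DrWeb 4.44.0.09170 2007.11.07 -
eTrust-Vet 31.2.5278 2007.11.07 -
FileAdvisor 1 2007.11.08 -
F-Prot 4.4.2.54 2007.11.07 W32/Heuristic-119!Eldorado
Ikarus T3.1.1.12 2007.11.08 Virus.Win32.Renos.AE
McAfee 5158 2007.11.07 BraveSentry
NOD32v2 2645 2007.11.08 Win32/Hoax.Renos.PY
Panda 9.0.0.4 2007.11.07 Suspicious file
Rising 20.17.22.00 2007.11.07 -
Sunbelt 2.2.907.0 2007.11.07 -
TheHacker 6.2.9.119 2007.11.07 -
VirusBuster 4.3.26:9 2007.11.07 Trojan.Renos.Gen.2
"""

# engine, version, YYYY.MM.DD, then the verdict (which may contain spaces)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")

# Platform/type words that appear in many vendors' names but identify no family.
PLATFORM_WORDS = {"Win32", "W32", "Virus", "Trojan", "Hoax", "Gen"}

def parse_report(text):
    """Return {engine: verdict or None} from the flat report text."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:                       # header line, blanks, trailing notes
            continue
        engine, _version, _date, verdict = m.groups()
        results[engine] = None if verdict.strip() == "-" else verdict.strip()
    return results

def detection_ratio(results):
    """(engines that flagged the file, engines that scanned it)."""
    return sum(1 for v in results.values() if v), len(results)

def family_tokens(results):
    """Count alphabetic name fragments across vendor verdicts; the most common
    one is the family the engines agree on. Free-text heuristics ('Suspicious
    file') carry no family name and are skipped."""
    counts = Counter()
    for verdict in results.values():
        if not verdict or " " in verdict:
            continue
        for tok in re.split(r"[./!]", verdict):
            if tok.isalpha() and len(tok) > 2 and tok not in PLATFORM_WORDS:
                counts[tok] += 1
    return counts
```

Run on the report above, it reports 8 of 16 engines flagging the file, with "Renos" the only family name shared by several vendors.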

I submitted this to the Internet Storm Center, along with a malware sample, and e-mailed webmaster@canada.com with a warning.

Update November 15, 2007: Wired just wrote about the issue; apparently it affects a number of different sites, as the hijack script was distributed via the Doubleclick ad network.

Update November 16, 2007: Wired wrote about the issue again, quoting me this time.

Trackbacks & Pingbacks (1)

  1. From Consumerist on 16 Nov 2007 at 10:55 am

    Flash-Based Malware Ad Sneaks Onto Legit Websites Via DoubleClick…

    A new malware ad has managed to sneak its way onto Doubleclick’s DART ad publishing system, which means it’s been showing up on several legitimate websites, including Major League Baseball, The Economist, and Canada.com. It doesn’t require user int…