Monday, December 01, 2008

Is StarTribune Handing Out Antivirus XP Malware Spyware On StarTribune.Com?

Twice last week my PC's web browser appeared to be taken over in an effort to get me to install the malware called Antivirus XP 2009. The web browser changes to a website called proscanner-online or something like that. I was able to clean it off the PC but was puzzled because I don't go to websites known to hand out spyware. I would never have thought that StarTribune.Com would be handing out malware like Antivirus XP 2009, but sure enough, tonight while reading my email I noticed my browser switched sites and went to some proscanner-online site with a popup box that Antivirus XP 2009 puts out trying to trick you into installing the malware. I killed the iexplore.exe process and went to the living room. Then my wife said, "Hey, this spyware thing is back on StarTribune." Sure enough, within minutes, because both PCs were sitting on the Star Tribune website, both browsers were redirected to a website trying to hand out Antivirus XP 2009 spyware. I'm going to keep watching this to try and determine if it's one of the many advertisements on StarTribune.Com or maybe it's the website of the Star Tribune itself handing out Antivirus XP 2009.
Update 12/2/08: As a test I left a browser with just the StarTribune website up overnight. Sure enough, I turn on my monitors this morning and see this on my screen.

I killed the iexplore.exe process again and have been working all morning on non-StarTribune websites and have not seen this, so I'm getting closer to deducing that something on the Star Tribune website is doing a browser hijack and trying to get the user to install Antivirus XP 2009.
Update 12/2/2008: In doing some more testing I found that my clipboard on yet another PC had been hijacked, and when I pasted, a URL would appear that if clicked would take you to a website that would try and install Antivirus XP 2009. A great explanation of what is going on at StarTribune.Com is here. It appears that this is Flash-based banner ads on Star Tribune's website that exploit flaws in certain versions of Flash. It hijacks the clipboard and either the user pastes the nasty URL in places or somehow it also hijacks the browser and sends the visitor from Star Tribune to the Antivirus XP 2009 affiliate. Star Tribune isn't alone in putting banners on their site that exploit the visitors' Flash plugin; other media sites have done the same without their knowledge.
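One thing a site operator or a curious reader can do after an incident like this is inventory which Flash movies a page actually loads and where they come from, since the ad-served banners live on a third-party host rather than the paper's own domain. The triage script below is an added example, not something from the original post: it parses saved page HTML for .swf references in embed, object and param tags and flags any hosted outside the site's own domain. The sample HTML and the ad-server hostnames in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class SwfFinder(HTMLParser):
    """Collect every Flash movie (.swf) referenced by <embed>, <object> or <param> tags."""

    def __init__(self):
        super().__init__()
        self.swf_urls = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        candidate = None
        if tag == "embed":
            candidate = a.get("src")
        elif tag == "object":
            candidate = a.get("data")
        elif tag == "param" and (a.get("name") or "").lower() in ("movie", "src"):
            candidate = a.get("value")
        # Ignore query strings (e.g. click-tracking parameters) when checking the extension.
        if candidate and candidate.lower().split("?")[0].endswith(".swf"):
            self.swf_urls.append(candidate)


def third_party_swfs(html, site_domain):
    """Return the .swf URLs in `html` that are not served from `site_domain` or a subdomain of it.

    Relative URLs are treated as first-party because they resolve against the site itself.
    """
    finder = SwfFinder()
    finder.feed(html)
    flagged = []
    for url in finder.swf_urls:
        host = urlparse(url).hostname or site_domain
        if host != site_domain and not host.endswith("." + site_domain):
            flagged.append(url)
    return flagged


# Constructed sample page: two first-party movies and two served by (fictional) ad hosts.
SAMPLE_HTML = """
<html><body>
<embed src="/flash/weather.swf" type="application/x-shockwave-flash">
<object data="http://media.startribune.com/player.swf"></object>
<object><param name="movie" value="http://ads.example-adserver.invalid/banner.swf"></object>
<embed src="http://cdn.example-ads.invalid/promo.swf?click=1">
</body></html>
"""

if __name__ == "__main__":
    for url in third_party_swfs(SAMPLE_HTML, "startribune.com"):
        print("third-party Flash movie:", url)
```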