Sunday, 27 February 2011

London Stock Exchange hit by malware

The London Stock Exchange website exposed some visitors to drive-by malware attacks today. Merely viewing the homepage at www.londonstockexchange.com (without clicking on anything) caused my Windows computer to be compromised by malware. This malware was apparently delivered through third-party advertisements which appeared on the site.

The malware was a classic spoof antivirus program which used a software vulnerability to download and install native executable code. The spoof program appeared in the system tray and prevented other processes such as Task Manager from being run, falsely claiming that they were infected with a virus. The malware then tried to extort payment to fix the artificial problem it had created. It also replaced the wallpaper image with the following message:

Google's Safe Browsing diagnostic page for www.londonstockexchange.com also confirmed the presence of suspicious content on the LSE website today:

Of the 281 pages we tested on the site over the past 90 days, 65 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-02-27, and the last time suspicious content was found on this site was on 2011-02-27.

Malicious software includes 2 scripting exploit(s), 2 trojan(s), 1 exploit(s). Successful infection resulted in an average of 5 new process(es) on the target machine.

Accordingly, the site ended up being blocked by the Chrome and Firefox web browsers, which both make use of Google's malware blocklist.

LSE have now disabled the affected adverts from appearing on their site, thus preventing the malware from reaching its visitors. For clarity, the LSE website itself was not compromised. Because the malware was distributed via an advertising network, many other sites may also have been affected.

Unanimis, which hosted adverts used on the LSE website, subsequently issued the following statement:

Malware was detected on the Unanimis network which affected some advertisements on our network. Other than the banner advertisements in question, the malware does not impact or affect any other parts of a website. The affected advertisements have been removed and all sites continue to operate normally. For clarity the LSE website was not impacted by this malware, nor did it propagate malware.

24 comments:

  1. Can you explain in detail how this ad trojan manages to penetrate a patched Google Chrome browser. Is it using any 0day exploits? Is it using a known vulnerability? Yes, I appreciate the people responsible have managed to gain access to ad servers used by major websites, but that does not explain how a secure and patched browser like Chrome has been torn to shreds with ease. The exploit does not appear to make use of stack code execution or heap corruption vulnerabilities; I'm very curious as to how it gets through a sandboxed browser?

    Araz Fazal

  2. I got hit with this malware on 2/26/11 as well. What is the solution to remove it? My computer is practically useless since it took place. Is there a patch or download to fix the problem? Thanks.

    Dan S.

  3. Simple method ->
    Boot into safe mode, do a system restore, then patch up all the holes in your browser using browsercheck.qualys.com.

  4. I picked this one up on Saturday 26th from the AA's routeplanner site. System restore in safe mode followed by a clean-up with Fixit Utilities seemed to do the trick.

  5. Can you please confirm which web browsers were susceptible to this malware? Did Chrome really not stop it and allow a PC to be infected?

  6. Roham Lumer, Chrome itself is not likely to have been exploited. From my research into this matter it appears as though it gets through using a drive-by download exploit, probably a Java Runtime exploit. Many people still have an old version of JRE installed. Google are offering $20k for anyone who can break Chrome's security, so it is not likely to have been exploited directly. Very unlikely.

    Araz Fazal

  7. Exactly the same thing happened to me on Sunday 27th. I was on the Autotrader.co.uk site, using Firefox. I didn't click on any advert displayed on the site but still managed to get infected.

  8. This got me too! Sunday 27th, and I was simply going through Hotmail. I had NO suspicious mail, just simple Facebook notifications and some work email. I imagine it got through the adverts on Hotmail perhaps? Anyway, I had no restore point, so had to wipe the computer and everything on it. Fortunately I'd moved my 4000+ photos onto a memory stick only a month ago!

  9. Firefox and Ad-Block Plus saves time and gives better security, especially for dial-up

  10. My friend got hit with this on Sunday too. Start the PC up in safe mode (F8) and run Malwarebytes; you might need to install it from a flash pen, but it will get rid of it. Malwarebytes can be safely downloaded from CNET at download.com

  11. I was hit by this today. I was using Chrome and had visited my Hotmail and Facebook, not clicking on anything other than a couple of messages on Hotmail. I've found 6 or 7 other people hit today, all with different virus controls, which have all been knocked out. I'm not able to use that PC yet.

  12. While there are websites which check that you have the latest version of software and so on, is there a site that will actually do its best to install and execute a harmless, fully removable program using known exploits? While this won't protect against undiscovered vulnerabilities, it would be useful.

  13. For heaven's sake, people. If you have either Windows 7 Pro or Windows 7 Ultimate (great for shifting from English to French), run Windows as a virtual most of the time. If you are using XP, at least use Microsoft's DropMyRights for your Internet-facing apps:

    http://securemecca.com/public/DropMyRights.7z
    http://securemecca.com/public/DropMyRights.zip

    Given the fact that Chrome is already sandboxed (but I do run Chrome started with DropMyRights on XP) this may not help here. But the filters that I have that work in all browsers blocked all but one ad-server host at all the sites listed:

    http://hostsfile.org
    http://securemecca.com

    Firefox of course has AdBlockPlus, and Chrome also has an AdBlock plugin of its own. I am adding the lone host I didn't block and expanding one of the IP rules in the PAC filter to cover it and any others in that range. There is one big difference between what I have (the PAC filter) and these other filters. I have an anti-malware priority as well and because of it do not block as many of the ads in the PAC filter and instead use the blocking hosts file to take up the slack. But ABP is superior in blocking ads with either the EasyList + EasyPrivacy or FanBoy-AdBlock + Fanboy-Tracking subscriptions. Blocking malware is a higher priority than blocking ads for me.

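As an added illustration of the PAC-filter approach the comment above describes (example code, not the commenter's own filter): a list of ad-server host names, a wildcard pattern and one IP range are routed to a black-hole proxy, the way the commenter's IP rule covers "any others in that range". All host names and the range are constructed placeholders, and the DNS lookup is passed in so the example runs without a PAC runtime.

```javascript
// Added example, not the commenter's own filter: a PAC file in the style
// comment 13 describes. Known ad/malware hosts, a wildcard pattern and one
// IP range are sent to a black-hole proxy; everything else goes DIRECT.
// All host names and the range are constructed placeholders.
var BLOCKED_HOSTS = ["ads.example-adserver.test", "cdn.example-adserver.test"];
var BLOCKED_PATTERNS = ["*.example-badnet.test"];
var BLOCKED_RANGES = [{ net: "192.0.2.0", mask: "255.255.255.0" }]; // constructed
var BLACKHOLE = "PROXY 127.0.0.1:9"; // nothing listens there, so the request dies

// PAC runtimes supply shExpMatch/isInNet/dnsResolve; Node does not, so the
// example carries its own equivalents and takes the resolver as a parameter.
function ipToInt(ip) {
  var p = ip.split(".");
  return ((+p[0]) * 16777216 + ((+p[1]) << 16) + ((+p[2]) << 8) + (+p[3])) >>> 0;
}
function globMatch(str, pattern) {
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}
function inNet(ip, net, mask) {
  var m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// Route one request. resolve(host) returns a dotted IP string or null.
function routeFor(host, resolve) {
  var i;
  for (i = 0; i < BLOCKED_HOSTS.length; i++) {
    if (host.toLowerCase() === BLOCKED_HOSTS[i]) return BLACKHOLE;
  }
  for (i = 0; i < BLOCKED_PATTERNS.length; i++) {
    if (globMatch(host, BLOCKED_PATTERNS[i])) return BLACKHOLE;
  }
  var ip = resolve(host);
  if (ip) {
    for (i = 0; i < BLOCKED_RANGES.length; i++) {
      if (inNet(ip, BLOCKED_RANGES[i].net, BLOCKED_RANGES[i].mask)) return BLACKHOLE;
    }
  }
  return "DIRECT";
}

// Entry point the browser calls for every URL; uses the runtime's dnsResolve
// when present and skips the range check (fails open to DIRECT) when it is not.
function FindProxyForURL(url, host) {
  var resolve = typeof dnsResolve === "function" ? dnsResolve : function () { return null; };
  return routeFor(host, resolve);
}
```

Because the range rule depends on a DNS answer, a resolver failure lets the request through; the host-name rules do not have that gap, which is why the commenter keeps both a hosts file and the PAC filter.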
  14. So I try to use the F8 button to do a system restore in safe mode but the F8 button does nothing; will it have affected that too?

  15. To remove the malware, follow this sequence:

    • Start computer IN SAFE MODE (press and hold F8 during start up) →
    • Follow instructions to “open in SAFE MODE”
    • Ensure “SAFE MODE” appears in blue in bottom LH corner of screen.
    • When your desktop appears →
    • Double click “My Computer”
    • Go to Tools
    • Go to Folder Options
    • Go to “View” tab
    • Tick or spot “show hidden files/folders” (from “do not show” etc.)
    • If any warnings appear just press yes/O.K. etc.
    • Untick “hide protected files/folders extensions etc”
    • Tick “show protected files, extensions etc”
    • Click Apply
    • Press O.K. to close that box
    • Double click to open the “C” drive
    • Go to Documents and Settings
    • Go to All Users
    • Go to Application Data
    • FIND THE FILE (mine was around 12 numbers/letters in upper and lower case). If you are not certain which file it is, copy and paste the suspected one to desktop and open it.
    • Delete the file.
    • Restart in normal mode
    • If all is O.K. go to “My Computer” and follow the sequence (from 2 above) to re-tick and re-spot the correct / recommended boxes
    • Download and install free version of “Malwarebytes”
    • Run a complete C-drive scan and quarantine any corrupted files.

  16. My father got hit with this one over last weekend, and it took me the best bit of 4 hours to remove it.
    He was using Firefox, without AdBlock Plus and he hadn't updated his anti-virus in weeks, despite my warnings.

    To remove it I followed this guide here: http://www.bleepingcomputer.com/virus-removal/remove-system-tool
    The registry key you find may be slightly different from the one in the guide, but the format is the same. Once the registry key is removed with Hijackthis it stops the malware starting with Windows, reinstates your own anti-virus and allows you to install Malwarebytes Anti-Malware to remove it.

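The two comments above describe the same manual triage: find the randomly named executable dropped under All Users\Application Data (comment 15) and the Run-key entry that restarts it with Windows (comment 16). Below is a scripted version of that check as an added example; it is not code from the post or its commenters, and every path, file name and registry value in it is a constructed sample rather than an indicator taken from the page.

```javascript
// Added example, not from the post or its commenters: a scripted version of
// the manual triage in comments 15 and 16. It flags a top-level .exe under
// All Users\Application Data whose name is 8-16 mixed-case letters and digits,
// and Run-key values that launch that file or any .exe straight from that
// folder. All paths and registry values are constructed samples.
var APPDATA = "C:\\Documents and Settings\\All Users\\Application Data";

// Constructed listing, relative to APPDATA, as "dir /s /b" might show it.
var sampleListing = ["Vendor\\updater.exe", "SETUP.EXE", "kQ2nV9zLp7Xb.exe", "desktop.ini"];
// Constructed HKLM\...\CurrentVersion\Run values (value name -> command line).
var sampleRunKey = {
  "SoundMan": "C:\\WINDOWS\\SOUNDMAN.EXE",
  "VendorUpdater": "\"" + APPDATA + "\\Vendor\\updater.exe\" /background",
  "kQ2nV9zLp7Xb": "\"" + APPDATA + "\\kQ2nV9zLp7Xb.exe\" /s"
};

// The naming pattern from comment 15: alphanumeric, roughly a dozen chars,
// with lower case, upper case and digits all present.
function looksRandomName(base) {
  return /^[A-Za-z0-9]{8,16}$/.test(base) && /[a-z]/.test(base) &&
         /[A-Z]/.test(base) && /[0-9]/.test(base);
}

// Full paths of top-level .exe files whose base name looks random.
function findSuspiciousFiles(listing) {
  return listing.filter(function (rel) {
    var m = /^([^\\]+)\.exe$/i.exec(rel); // top level only: no backslash
    return m !== null && looksRandomName(m[1]);
  }).map(function (rel) { return APPDATA + "\\" + rel; });
}

// Run values whose executable is one of the flagged files, or sits directly
// in APPDATA (legitimate software normally uses a vendor subfolder).
function findSuspiciousRunValues(runKey, suspiciousFiles) {
  var flagged = suspiciousFiles.map(function (f) { return f.toLowerCase(); });
  return Object.keys(runKey).filter(function (name) {
    var m = /^"?([^"]+?\.exe)/i.exec(runKey[name]);
    if (!m) return false;
    var path = m[1].toLowerCase();
    var dir = path.substring(0, path.lastIndexOf("\\"));
    return dir === APPDATA.toLowerCase() || flagged.indexOf(path) !== -1;
  });
}

function triage(listing, runKey) {
  var files = findSuspiciousFiles(listing);
  return { files: files, runValues: findSuspiciousRunValues(runKey, files) };
}
```

On a real machine the listing and Run values would come from the safe-mode session the commenters describe; the heuristic only narrows the list for a human to confirm, as comment 15's "if you are not certain which file it is" warns.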
  17. "So I try to use the F8 button to do a system restore in safe mode but the F8 button does nothing; will it have affected that too?"

    It's unlikely to have been affected. If you haven't used F8 boot before, be aware that you have to press the key at the right moment while booting. The easiest way is simply to tap the F8 key continuously during boot.

  18. So I did as Anonymous (3rd March) suggests and sure enough F8 worked this time; got to do a system restore in safe mode and problem sorted; thanks for the help.

  19. Shelley Asquith, 4 March 2011 at 07:54

    I got hit by this one from being on facebook. It's my work laptop so silver lining and all that :o)

  20. Hi. Windows user here. I'm considering switching to Ubuntu Linux. Please tell me can I get infected with this malware on Linux? Thanks.

  21. I picked this one up on Saturday 26th from the AA's routeplanner site. System restore in safe mode followed by a clean-up with Fixit Utilities seemed to do the trick.

  22. At present age, this website is a great resource of financial market and very important for us. So, I like your web site. Thanks very much for this informational website. If you want more information about stock charts to visit stock charts Move professionals keep stock options regarding around a week a number of weeks. This particular is almost always to travel a lot more vital variations in your stock options price. This particular fair time schedule doesn't have because any element tomorrow buying and selling maps .

  23. Thanks for taking the time to discuss this, I feel strongly about it and love learning more on this topic. If possible, as you gain expertise, would you mind updating your blog with more information? It is extremely helpful for me.

    custom logo design

  24. I don't know how to download malware. Please tell me details, can I get this malware on Windows 8.1? Please let's go to the maryland courier link to know best courier service website.
