Sunday, 27 February 2011

London Stock Exchange hit by malware

The London Stock Exchange website exposed some visitors to drive-by malware attacks today. Merely viewing the homepage at www.londonstockexchange.com (without clicking on anything) caused my Windows computer to be compromised by malware. This malware was apparently delivered through third-party advertisements which appeared on the site.

The malware was a classic spoof antivirus program which used a software vulnerability to download and install native executable code. The spoof program appeared in the system tray and prevented other processes such as Task Manager being run, falsely claiming that they were infected with a virus. The malware then tried to extort payment to fix the artificial problem it had created. It also replaced the wallpaper image with the following message:

Google's Safe Browsing diagnostic page for www.londonstockexchange.com also confirmed the presence of suspicious content on the LSE website today:

Of the 281 pages we tested on the site over the past 90 days, 65 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-02-27, and the last time suspicious content was found on this site was on 2011-02-27.

Malicious software includes 2 scripting exploit(s), 2 trojan(s), 1 exploit(s). Successful infection resulted in an average of 5 new process(es) on the target machine.

Accordingly, the site ended up being blocked by the Chrome and Firefox web browsers, which both make use of Google's malware blocklist.

LSE have now disabled the affected adverts from appearing on their site, thus preventing malware reaching its visitors. For clarity, the LSE website itself was not compromised. Because the malware was distributed via an advertising network, many other sites may also have been affected.

Unanimis, which hosted adverts used on the LSE website, subsequently issued the following statement:

Malware was detected on the Unanimis network which affected some advertisements on our network. Other than the banner advertisements in question, the malware does not impact or affect any other parts of a website. The affected advertisements have been removed and all sites continue to operate normally. For clarity the LSE website was not impacted by this Malware, not did it propagate malware.

Posted by at

50 comments:

  1. Can you explain in detail how this ad trojan manages to penetrate a patched google chrome browser. Is it using any 0day exploits? Is it using a known vulnerability? Yes I appreciate the people responsible have managed to gain access to Ad servers used by major websites but that does not explain how a secure and patched browser like chrome has been torn to shreds with ease. Exploit does not appear to make use of stack code execution or heap corruption vulnerabilities, I'm very curious as to how it gets through a sandboxed browser?

    Araz Fazal

    ReplyDelete

  2. I got hit with this malware on 2/26/11 as well. What is the solution to remove it? My computer is practically useless since it took place. Is there a patch or download to fix the problem? Thanks.

    Dan S.

    ReplyDelete

  3. simple method ->
    Boot into safe mode, doa system restore, then patch up all the holes in your browser using browsercheck.qualys.com.

    ReplyDelete

  4. I picked this one up on Saturday 26th from the AA's routeplanner site. System restore in safe mode followed by a clean-up with Fixit Utilities seemed to do the trick.

    ReplyDelete

  5. Can you please confirm which web browsers were susceptible to this malware? Did Chrome really not stop it and allow a PC to be infected?

    ReplyDelete

  6. Roham Lumer, chrome itself is not likely to have been exploited. From my research into this matter it appears as though it gets through using a drive by download exploit, probably a java run time exploit. many people still have an old version of JRE installed. Google are offering $20k for anyone who can break chromes security so it is not likely to have been exploited directly. Very unlikely.

    Araz Fazal

    ReplyDelete

  7. Exactly the same thing happened to me on Sunday 27th. I was on the Autotrader.co.uk site, using Firefox. I didn't click on any advert displayed on the site but still managed to get infected.

    ReplyDelete

  8. This got me too! Sunday 27th, and i was simply going through Hotmail. I had NO suspicious mail, Just simple facebook notifications and some work email. I imagine it got through the adverts on hotmail perhaps? Anyway, I had no restore point, so had to wipe the computer and everything on it. Fortunately i'd moved my 4000+ photo's on a memory stick only a month ago!

    ReplyDelete

  9. Firefox and Ad-Block plus, saves time and for better security, e3specially for Dial-up

    ReplyDelete

  10. My friend got hit with this on Sunday too .Start the PC up in safemode (f8) and run malwarebytes ,you might need to install it from a flash pen but it will get rid of it.Malwarebytes can be safely downloaded from cnet at download.com

    ReplyDelete

  11. I was hit by this today. I was using Chrome and had visited my Hotmail and Facebook, not clicking on anything other than a couple of messages on Hotmail. I've found 6 or 7 other people hit today all with diferent virus controls which have all been knocked out. I'm not able to use that PC yet.

    ReplyDelete

  12. While there are websites which check that you have the latest version of software and so on, is there a site that will actually do its best to install and execute a harmless, fully removable program using known exploits? While this won't protect against undiscovered vulnerabilities, it would be useful.

    ReplyDelete

  13. For heaven's sakes people. If you have either Windows 7 Pro or Windows 7 Ultimate (great for shifting from English to French), run Windows as a virtual most of the time. If you are using XP, at least use Microsoft's DropMyRights for your Internet facing apps):

    http://securemecca.com/public/DropMyRights.7z
    http://securemecca.com/public/DropMyRights.zip

    Given the fact that Chrome is already sand-boxed (but I do run Chrome started with DropMyRights on XP) this may not help here. But the filters that I have that work in all browsers blocked all but one ad-server host at all the sites listed:

    http://hostsfile.org
    http://securemecca.com

    Firefox of course has AdBlockPlus, and Chrome also has an AdBlock plugin of its own. I am adding the lone host I didn'g block and expanding one of the IP rules in the PAC filter to cover it and any others in that range. There is one big difference between what I have (the PAC filter) and these other filters. I have an anti-malware priority as well and because of it do not block as many of the ads in the PAC filter and instead use the blocking hosts file to take up the slack. But ABP is superior in blocking ads with either the EasyList + EasyPrivacy or FanBoy-AdBlock + Fanboy-Tracking subscriptions. Blocking malware is a higher priority than blocking ads for me.

    ReplyDelete

  14. so i try to use the F8 button to do a system restore in safe mode but the f8 button does nothing; will it have affected that too?

    ReplyDelete

  15. To remove the Malware, follow this sequence:

    • Start computer IN SAFE MODE (press and hold F8 during start up) →
    • Follow instructions to “open in SAFE MODE”
    • Ensure “SAFE MODE” appears in blue in bottom LH corner of screen.
    • When your desk top appears →
    • Double click “ My computer”
    • Go to Tools
    • Go to Folder options
    • Go to “View” tab
    • Tick or spot “show hidden files/folders” (from “do not show etc)
    • If any warnings appear just press yes/O.K. etc.
    • Untick “hide protected files/folders extensions etc”
    • Tick “show protected files, extensions etc”
    • Click Apply
    • Press O.K to close that box
    • Double click to Open “c “drive
    • Go to Documents and settings
    • Go to All users
    • Go to Application data
    • FIND THE FILE (mine was around 12 numbers/letters in upper and lower case. If you are not certain which file it is, copy and paste the suspected one to desktop and open it.
    • Delete the file.
    • Restart in normal mode
    • If all is O.K. go to “my computer” an follow the sequence (from 2 above) to re-tick and re-spot the correct / recommended boxes
    • download and install free version of “malwarebytes”
    • run a complete c-drive scan and quarantine any corrupted files.

    ReplyDelete

  16. My father got hit with this one over last weekend, and it took me the best bit of 4 hours to remove it.
    He was using Firefox, without AdBlock Plus and he hadn't updated his anti-virus in weeks, despite my warnings.

    To remove it I followed this guide here: http://www.bleepingcomputer.com/virus-removal/remove-system-tool
    The registry key you find may be slightly different from the one in the guide, but the format is the same. Once the registry key is removed with Hijackthis it stops the malware starting with Windows, reinstates your own anti-virus and allows you to install Malwarebytes Anti-Malware to remove it.

    ReplyDelete

  17. "so i try to use the F8 button to do a system restore in safe mode but the f8 button does nothing; will it have affected that too? "

    It's unlikely to have been affected. If you haven't used F8 boot before, be aware that you have to press the key at the right moment while booting. The easiest way is simply to tap the F8 key continuously during boot.

    ReplyDelete

  18. So I did as anonymous 3rd march suggests and sure enough F8 worked this time; got to do a system restore in safe mode and problem sorted; thanks for the help.

    ReplyDelete
  19. Shelley Asquith4 March 2011 at 07:54

    I got hit by this one from being on facebook. It's my work laptop so silver lining and all that :o)

    ReplyDelete

  20. Hi. Windows user here. I'm considering switching to Ubuntu Linux. Please tell me can I get infected with this malware on Linux? Thanks.

    ReplyDelete

  21. I picked this one up on Saturday 26th from the AA's routeplanner site. System restore in safe mode followed by a clean-up with Fixit Utilities seemed to do the trick.

    ReplyDelete

  22. I don't know how to download malware. Please tell me details can i get this malware on windows 8.1. Please let's go to the maryland courier link to know best courier service website.

    ReplyDelete

  23. Oups ... Thank you so much for taking the time to share this information. A great read. I’ll certainly be back.

    ReplyDelete

  25. Different infections, for example, worms can move rapidly, and may make it hard for hostile to infection programming without anyone else to be viable. To build infection insurance, you can include things, for example, firewalls, spyware shields and programmed overhauls to expand your security.http://how-to-remove.org/malware/

    ReplyDelete

  26. Different infections, for example, worms can move rapidly, and may make it hard for hostile to infection programming without anyone else to be viable. To build infection insurance, you can include things, for example, firewalls, spyware shields and programmed overhauls to expand your security.https://how-to-remove.org/malware/

    ReplyDelete

  27. Different infections, for example, worms can move rapidly, and may make it hard for hostile to infection programming without anyone else to be viable. To build infection insurance, you can include things, for example, firewalls, spyware shields and programmed overhauls to expand your security. https://how-to-remove.org/malware/

    ReplyDelete

  28. Different infections, for example, worms can move rapidly, and may make it hard for hostile to infection programming without anyone else to be viable. To build infection insurance, you can include things, for example, firewalls, spyware shields and programmed overhauls to expand your security. https://how-to-remove.org/malware/

    ReplyDelete

  30. A stock scanner that will help you find the best stocks to buy today . Apply various filters and rank stocks by performance, dividends, etc, and learn which are the best stocks to buy now. Best stocks to buy now

    ReplyDelete

  31. There are stock exchanges all around our world. As you begin to learn about the stock market it will benefit you to know where these stock exchanges are and a little bit of information about each of them.best penny stocks

    ReplyDelete

  33. Should you require your investment back within just a couple of years, then it will be much better to consider another investment channel. cryptocurrency compariso

    ReplyDelete

  34. Kamu mungkin bertanya-tanya, kenapa kitchen set murah berkualitas bandung yang dibeli di warung makan lebih enak ketimbang yang kamu masak sendiri? Selain karena perlengkapan kitchen set bandung Sebenarnya tidak masalah menempatkan suatu barang itu di toko furniture murah di bandung, tetapi biar dapur enak dilihat dan terlihat lega, harga sofa minimalis di bandung memberikan trik jitunya. Berikut trik furniture minimalis murah bandung Kamu harus tahu kalau sebenarnya kita cukup paham 3 bumbu dasar saja untuk menguasai seluruh masakan yang ada, terutama masakan Indonesia.

    Kalau kamu sudah menguasainya, toko furniture murah bandung apapun gampang! Cara membuat bumbu dasar ini sangat mudah klo sama ahli kitchen set bandung, tinggal dihaluskan, lalu ditumis sebentar, kemudian simpan di tempat jual sambal roa di manado. Komposisi tiap bahan bisa kamu sesuaikan tergantung seberapa banyak kamu ingin membuatnya ya! Kenyataan ini akan dihadapi oleh orang-orang yang merasa sudah berusaha keras untuk jual sambal ikan roa di jakarta, tapi entah kenapa selalu gagal dan nggak pernah puas dengan hasil masakannya. Jika kamu memang sudah cocok dengan masakanmu sendiri, cara cepat punya anak itu pengecualian.

    ReplyDelete

  36. malware can destroy all your data, and make your brain crazy and mad
    Teen Porn | Young Porn | Teen Sex | Teen Fuck

    ReplyDelete

  37. In any case, an investor who searches forward for removing greatest tries to accumulate increasingly learning regarding the matter of 'stock market'.stock market reviews

    ReplyDelete

  39. Provide information and prices for 2475 сryptocurrencies: cryptocurrency converter

    ReplyDelete

  42. In the first place, auto title advances might be viewed as a secured advance since it requires a vow. In getting such advances, a borrower is required to give the title of his or her auto as guarantee. car title loans chicago

    ReplyDelete

  43. Jual Obat Aborsi ,
    Obat Aborsi http://jualobat-aborsi.com Obat Penggugur Kandungan,

    Obat Aborsi ,
    Jual Cytotec Asli http://jualpilcytotecasli.com Jual Obat Aborsi ,

    ReplyDelete

Subscribe to: Post Comments (Atom)