Possible FastClick Malware (UPDATED)
December 13th, 2005 by Matthew Murphy, Filed under: Commentary, Privacy
Another so-called “content provider” appears to be using malicious code to spread its advertising. I’ve confirmed that code currently hosted on FastClick.Net (curiously, by FastClick.com, Inc.) bypasses several popular pop-up blockers, and initial evidence indicates that there may be malicious code contained within these scripts. More details as they become available.
For now, I’d encourage all users to block FastClick.com and FastClick.net via HOSTS, IP filtering, or other counter-measures, to avoid the privacy-violating scumware.
UPDATE
My investigation of the FastClick malware would seem to indicate that my suspicion was slightly overblown. It is certainly malicious — the malware detects and circumvents several different pop-up blocking mechanisms. However, it is not readily obvious that users face any threat (beyond annoyance) from this piece of code.
The code seems to get around the pop-up blocking of various applications by carefully interweaving parent/child object relationships and certain input events. In the case of Internet Explorer, however, the code is considerably more aggressive. It invokes four COM objects, presumably in an attempt to dodge pop-up blocking applications.
The four CLSIDs used by this nuisance code are as follows:
Microsoft DHTML Edit Control
{2D360201-FFF5-11D1-8D03-00A0C959BC0A}
Google Toolbar
{00EF2092-6AC5-47c0-BD25-CF2D5D657FEB}
And finally, two unidentified classes that initial investigation suggests are tied to Microsoft Office:
{D2BD7935-05FC-11D2-9059-00C04FD7A1BD}
{9E30754B-29A9-41CE-8892-70E9E07D15DC}
The Google Toolbar control is invoked as a test, because the script’s behavior varies slightly when the toolbar is detected. The DHTML Edit Control is one method apparently used to bypass Internet Explorer’s pop-up blocking. This is presumably the purpose of the latter two controls as well.
I’d like to reiterate at this time that there’s no indication the software is overtly malicious… only that it is a pest. Users concerned about the unwanted pop-ups can block FastClick’s code by using the following line in a HOSTS file:
127.0.0.1 media.fastclick.net
For the most certain security, I’d recommend that all requests to the fastclick.com and fastclick.net domains be blocked.
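An added example, not code from the original post: a Python check that scans saved page source for the four CLSIDs listed above and for any FastClick hostnames, then reports which of those hostnames a given HOSTS file leaves unblocked. The sample page, the `cdn.fastclick.net` hostname, and all function names are constructed for illustration.

```python
import re

# The four CLSIDs listed in the post, with the labels the post gives them.
CLSIDS = {
    "2D360201-FFF5-11D1-8D03-00A0C959BC0A": "Microsoft DHTML Edit Control",
    "00EF2092-6AC5-47C0-BD25-CF2D5D657FEB": "Google Toolbar",
    "D2BD7935-05FC-11D2-9059-00C04FD7A1BD": "unidentified (possibly Microsoft Office)",
    "9E30754B-29A9-41CE-8892-70E9E07D15DC": "unidentified (possibly Microsoft Office)",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
# Any hostname at or under fastclick.com / fastclick.net.
HOST_RE = re.compile(
    r"(?<![\w.-])((?:[a-z0-9-]+\.)*fastclick\.(?:com|net))(?![\w-])", re.I)
SINK_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

def scan_page(source):
    """Return ({clsid: label} found, {FastClick hostnames} referenced)."""
    found = {g.upper(): CLSIDS[g.upper()]
             for g in GUID_RE.findall(source) if g.upper() in CLSIDS}
    hosts = {h.lower() for h in HOST_RE.findall(source)}
    return found, hosts

def sinkholed(hosts_text):
    """Hostnames that a HOSTS file maps to a loopback or null address."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0] in SINK_ADDRS:
            names.update(f.lower() for f in fields[1:])
    return names

def uncovered(source, hosts_text):
    """FastClick hostnames in the page that the HOSTS file does not block.
    HOSTS entries match exact names only, so every subdomain needs its own line."""
    _, hosts = scan_page(source)
    return sorted(hosts - sinkholed(hosts_text))

# Constructed sample input (not captured from FastClick).
SAMPLE_PAGE = """<script src="http://media.fastclick.net/constructed.js"></script>
<object classid="clsid:00EF2092-6AC5-47c0-BD25-CF2D5D657FEB"></object>
<img src="http://cdn.fastclick.net/constructed.gif">"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 media.fastclick.net  # line from the post\n"

if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE))
    print("not blocked:", uncovered(SAMPLE_PAGE, SAMPLE_HOSTS))
```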



