Possible FastClick Malware (UPDATED)

Another so-called “content provider” appears to be using malicious code to spread its advertising. I’ve confirmed that code currently hosted on FastClick.Net (curiously, by FastClick.com, Inc.) bypasses several popular pop-up blockers, and initial evidence indicates that there may be malicious code contained within these scripts. More details as they become available.

For now, I’d encourage all users to block FastClick.com and FastClick.net via HOSTS, IP filtering, or other counter-measures, to avoid the privacy-violating scumware.

UPDATE

My investigation of the FastClick malware would seem to indicate that my suspicion was slightly overblown. It is certainly malicious — the malware detects and circumvents several different pop-up blocking mechanisms. However, it is not readily obvious that users face any threat (beyond annoyance) from this piece of code.

The code seems to get around the pop-up blocking of various applications by carefully interweaving parent/child object relationships and certain input events. Most pop-up blockers permit window.open only when it is called from inside a user-initiated event such as a mouse click, so a script that hooks the user's own clicks and opens its windows from within those handlers is waved through. In the case of Internet Explorer, however, the code is considerably more aggressive: it instantiates four COM objects, presumably in an attempt to dodge pop-up blocking applications.

The four CLSIDs used by this nuisance code are as follows:

Microsoft DHTML Edit Control
{2D360201-FFF5-11D1-8D03-00A0C959BC0A}

Google Toolbar
{00EF2092-6AC5-47c0-BD25-CF2D5D657FEB}

And finally, two unidentified classes that initial investigation suggests are tied to Microsoft Office:

{D2BD7935-05FC-11D2-9059-00C04FD7A1BD}
{9E30754B-29A9-41CE-8892-70E9E07D15DC}

The Google Toolbar control is invoked as a test, because the script’s behavior varies slightly when the toolbar is detected. The DHTML Edit Control is one method apparently used to bypass Internet Explorer’s pop-up blocking. This is presumably the purpose of the latter two controls as well.
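As an added example (not code from the original post, and not FastClick's script), here is a small scanner a practitioner could run over a saved copy of a page to see whether it probes the four controls listed above or wires window.open to user input events. The sample page at the bottom is constructed for the example; the ActiveX ProgID it uses and the ad URL are assumptions.

```python
import re

# The four CLSIDs listed in the post, keyed in upper case so matching is
# case-insensitive (the page prints the Google Toolbar GUID with a lowercase "c").
KNOWN_CLSIDS = {
    "2D360201-FFF5-11D1-8D03-00A0C959BC0A": "Microsoft DHTML Edit Control",
    "00EF2092-6AC5-47C0-BD25-CF2D5D657FEB": "Google Toolbar",
    "D2BD7935-05FC-11D2-9059-00C04FD7A1BD": "unidentified (reported as Office-related)",
    "9E30754B-29A9-41CE-8892-70E9E07D15DC": "unidentified (reported as Office-related)",
}

# A GUID wherever a page carries it: classid="clsid:{...}", classid="clsid:...",
# or a bare {...} literal inside a script.
GUID_RE = re.compile(
    r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}", re.I)

# Markers of COM instantiation, click hijacking and script obfuscation.
INDICATORS = {
    "activex_ctor": re.compile(r"new\s+ActiveXObject\s*\(", re.I),
    "object_classid": re.compile(r"<object[^>]+classid\s*=\s*['\"]?clsid:", re.I),
    "eval_unescape": re.compile(r"\beval\s*\(\s*unescape\s*\(", re.I),
    "document_write_script": re.compile(r"document\.write\s*\(\s*['\"]<scr", re.I),
    # window.open wired to a user input event: the pop-up blocker bypass pattern
    "window_open_on_click": re.compile(
        r"(onclick|onmousedown|onmouseup)\s*=\s*['\"][^'\"]*window\.open", re.I),
}


def find_clsids(text):
    """Known CLSIDs found in text as (clsid, description), each once, in order of first appearance."""
    found = []
    for m in GUID_RE.finditer(text):
        guid = m.group(0).upper()
        if guid in KNOWN_CLSIDS and all(guid != f[0] for f in found):
            found.append((guid, KNOWN_CLSIDS[guid]))
    return found


def indicators(text):
    """Names of the INDICATORS patterns present in text, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def assess(text):
    """Flag a page that probes any listed control or hooks window.open to input events."""
    clsids = find_clsids(text)
    ind = indicators(text)
    attention = bool(clsids) or "window_open_on_click" in ind
    return {"clsids": clsids, "indicators": ind, "attention": attention}


# Constructed sample page (not real FastClick code): probes the Google Toolbar
# control, instantiates an ActiveX object by ProgID (ProgID assumed), and opens a
# window from an onclick handler.
SAMPLE_PAGE = """
<html><body>
<object classid="clsid:{00EF2092-6AC5-47c0-BD25-CF2D5D657FEB}" id="gt"></object>
<script>
var ed = new ActiveXObject("DHTMLEdit.Edit");
</script>
<a href="#" onclick="window.open('http://ads.example/pop')">click</a>
</body></html>
"""

if __name__ == "__main__":
    print(assess(SAMPLE_PAGE))
```

The indicators are deliberately coarse: a hit on any one of them says only that the page is worth a closer look, which is the same conclusion the post reaches about this script.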

I’d like to reiterate at this time that there’s no indication the software is overtly malicious… only that it is a pest. Users concerned about the unwanted pop-ups can block FastClick’s code by using the following line in a HOSTS file:

127.0.0.1 media.fastclick.net

For the most certain security, I'd recommend that all requests to the fastclick.com and fastclick.net domains be blocked. Bear in mind that a HOSTS entry matches only the exact hostname listed, so the line above does nothing about other hosts under those domains; a block on the domain names at the DNS or proxy level catches them all.
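To make the difference between the two kinds of block concrete, here is an added example (not from the original post) that parses a HOSTS file the way the resolver does, exact hostname only, and compares it with a domain-suffix block of the kind a DNS server or proxy applies. The HOSTS file and hostnames it checks are constructed for the example.

```python
def parse_hosts(text):
    """Hostnames a HOSTS file maps, lowercased, with comments and blank lines stripped."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        # parts[0] is the address; every following token is a hostname or alias
        names.update(p.lower().rstrip(".") for p in parts[1:])
    return names


def hosts_blocks(hostname, hosts_text):
    """HOSTS matching is exact: an entry for media.fastclick.net says nothing about www.fastclick.net."""
    return hostname.lower().rstrip(".") in parse_hosts(hosts_text)


def domain_blocks(hostname, blocked_domains):
    """Suffix match, as a DNS or proxy domain block does. Returns the matching domain or None."""
    h = hostname.lower().rstrip(".")
    for d in blocked_domains:
        d = d.lower().strip(".")
        if h == d or h.endswith("." + d):
            return d
    return None


def hosts_gaps(hostnames, hosts_text, blocked_domains):
    """Hostnames a domain block would stop but the HOSTS file lets through."""
    return [h for h in hostnames
            if domain_blocks(h, blocked_domains) and not hosts_blocks(h, hosts_text)]


# Constructed HOSTS file containing the single entry the post suggests.
SAMPLE_HOSTS = """\
# constructed HOSTS file for the example
127.0.0.1   localhost
127.0.0.1   media.fastclick.net   # entry from the post
"""

# The whole-domain block the post recommends as the more certain option.
BLOCKED_DOMAINS = ["fastclick.com", "fastclick.net"]

if __name__ == "__main__":
    probes = ["media.fastclick.net", "www.fastclick.net", "cdn.fastclick.com",
              "notfastclick.net", "example.org"]
    for h in probes:
        print(h, "hosts:", hosts_blocks(h, SAMPLE_HOSTS),
              "domain:", domain_blocks(h, BLOCKED_DOMAINS))
    print("missed by HOSTS:", hosts_gaps(probes, SAMPLE_HOSTS, BLOCKED_DOMAINS))
```

The suffix check requires the dot, so notfastclick.net is not caught by a block on fastclick.net; a naive endswith without it would over-block.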

  • http://www.BeyondSecurity.com aviram

    Can you expand on what the malware does?
    Also, how does it bypass the pop-up blocker? Is that a vulnerability in those applications?

  • Matthew Murphy

    Aviram,

    I am currently investigating the exact function of the malware I’ve uncovered. I’ve confirmed that it bypasses most known pop-up blockers in their default configurations (IE w/ XP SP2, Firefox, Google Toolbar, etc.). The code that achieves this is *HEAVILY* obfuscated and contains a lot of noise, so the dissection effort is taking some time.

    I haven’t confirmed that the code I’ve found actually compromises security, but the delivery of the pop-up is sufficient for me to classify it as an invasion of privacy. The obfuscation also seems to suggest that there may be further malicious functionality hidden beneath the surface of this code. At the very least, what’s there is clearly intentional. When I know exactly what it is doing, I’ll edit the post to keep everyone posted. (No pun intended)

  • http://www.BeyondSecurity.com Lev

    The clsid {D2BD7935-05FC-11D2-9059-00C04FD7A1BD} appears to be “owned” by the ocget.dll provided by Microsoft which appears to be related to requests being sent to http://activex.microsoft.com/objects/ocget.dll

    I am not sure why these requests are sent there, or what this DLL does, but it sounds fishy that a web page would use this clsid for the feat of bypassing the popup blocker protection.

    Additional details on this DLL (from Microsoft’s web site) can be found here … information is quite scarce as to what this DLL does, BTW … http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b323207

  • don fong

    thanks for the tip about adding those sites to /etc/hosts .
