Topic: Scareware package planted in ITV.com adsPop-up programme peril

[Clive]

Users visiting the website of UK broadcaster ITV risk exposure to a scareware package. Malware-laced banner ads that lead to download sites for the Cleanator scare package have also been served up on the Radio Times website.

Radio Times confirmed that it removed the offending ad late Wednesday morning, following initial reports of the problem on Tuesday. The cleanliness or otherwise of the ITV website is unclear at the time of writing.

Cleanator is a rogue security program that shows false warning messages and misleading scan results in a ruse designed to scare punters into purchasing a "full" version of the package. Aggressive advertising tactics - including the use of Trojan downloaders - are used to distribute the software. Several security vendors (including Sophos (here), CA (here) and EMSI (here)) list Cleanator as a pest.

The attack on both ITV and Radio Times was not made from either site "directly, but via malicious scripts by way of third party adverts. Other as yet unidentified sites may also be affected.

The presence of tainted ads on the ITV website was brought to our attention by Reg reader Gavin, who was prompted to install Cleanator after watching a video clip on the ITV website. "After wanting to watch a video, I was informed I had no DRM software and that I needed to install it. I reluctantly clicked yes only to be given this prompt that asks me to install 'Cleanator'," he reports.

Preliminary analysis by anti-virus experts at Sophos suggests that a PHP redirect to an Cleanator affiliate site was injected into advert traffic served up by ITV.com via third party agencies. Malware is thought to feature in the attack.

"One of ITV's affiliated advertisement sites contained a link to Gida-B. Gida-B is malicious shockwave file that in turn loads another copy of itself which loads a script to redirect you to a cleanator site," explained Graham Cluley, senior technology consultant at Sophos.

Once they land on the Cleanator affiliate site, users are liable to get stuck in a pop-up loop that's difficult to escape. Sophos reckons the people behind the attack are the same group who recently punted the Mac Sweeper scareware package, based on similarities between the two attacks.

El Reg contacted webmasters at ITV.com to warn them of the potential problem. ®

http://www.theregister.co.uk/2008/02/21/itv_scareware_peril/

[Simon]

[GillE]

Damn! I wondered how I'd picked up the Cleanator virus  .  I check the Radio Times website each day and it must have been there.  My AVG antivirus hasn't acted on it yet, though.

Thanks for this snippet, Clive - very helpful.

[Simon]

I don't want to knock AVG for the sake of it, but of all the AV programs available, we do seem to hear of AVG letting things though, more than any of the others.  I wonder how it fares on detection rate comparisons with other brands?

[chorleydave]

To be fair to AVG, I was caught in one of those pop-up loops while trying to watch National Geographic via a website.  AVG popped up, told me it had healed an infection, and when I looked in the virus vault there was some Trojan Downloader thingy in there.

[Simon]

The problem is, there's no guarantee of safety even when visiting known and fully legit sites, such as the Radio Times, so AV protection really has to be spot on, and as close to 100% reliable as possible.

[gmax]

I don't want to knock AVG for the sake of it, but of all the AV programs available, we do seem to hear of AVG letting things though, more than any of the others.  I wonder how it fares on detection rate comparisons with other brands?

Here you go,  http://www.av-comparatives.org/

I'm glad i dumped AVG, the results speak for themselves

[Clive]

Oh that's very useful gmax! 

[Simon]

Not brilliant, is it?  I was quite surprised at the high percentage Avira got.  It's one of the few I haven't tried, but it might be worth a look, as it's quite highly respected on Wilders too.  To be fair though, the test used AVG Anti-Malware, which is a spyware program, isn't it?  Also, they didn't say if it was the Free or Pro version.

[gmax]

Simon, I think you should have another look," AVG Anti-Malware 7.5 " is Anti-Virus & Anti-Spyware it is not the free version.
I now use" NOD32 Anti-Virus ", no more slow scans or fake alerts

[Rik]

You can't get better than NOD imo...

[gmax]

I know, but its hard convincing all the AVG fanboys

[sam]

avg anti-malware - im sure thats not the same package as their main free antivirus tool

[Simon]

I thought they were separate packages too, Sam, but I think they do a suite as well, which would presumably encompass all.

[Reno]

The reason you hear about AVG letting more stuff through is because more people use it then most of the others. No virus scanner will protect you 100%.

There's also the problem of people lumping spyware in with virus. It seems like people don't understand that virus protection is for viruses and spyware protection is for spyware. Paid for virus softwares nowadays come with a spyware scanner because those companies understand that people don't give a s**t about the difference, they just want their computer to work.