Adverts can poison you


Johannesburg, 29 Feb 2008

This week, companies have been advised to properly secure their users' Web activity following the discovery of poisoned adverts affecting high-profile Web sites.

"Sophos has confirmed reports that the Web site of BBC competitor ITV has been the victim of a poisoned Web advert campaign, designed to deliver scare-ware to Windows and Mac users," says Brett Myroff, CEO of Sophos distributor, Netxactics.

A posting on the Web site of The Radio Times, Britain's leading TV listing magazine, confirms that a similar offending advert was removed from its site.

A Macromedia Flash file, detected as Troj/Gida-B, was injected into traffic served up by ITV.com via third-party advertising agencies. The adverts are designed to promote a program called Cleanator (on Windows), or MacSweeper (on Apple Macs). "Both programs claim to detect 'compromising files' on your computer, and encourage users to purchase a full version of the package," Myroff says.

TV viewers might be accustomed to adverts getting in the way of what they want to watch, but they are probably not as used to adverts on their favourite TV Web sites delivering unwanted code straight to their desktops. "The worrying thing is that it's quite likely that it is not just these Web sites that are affected - other Web sites could be carrying poisoned adverts."

Looking at Trojans

According to Myroff, low to medium malware threats this week include W32/Looked-EE, a pre-pending virus and network worm for the Windows platform. It spreads by infecting Windows-executable files on the local computer and on shared network drives.

"Its main side effects include downloading code from the Internet and installing itself in the registry," he says.

The Troj/DwnLdr-HBK Trojan has also been detected and affects the Windows platform.

Spyware, mobile worms

The WCE/Meiti-A spyware worm is also making the rounds on Windows systems. It steals information, downloads code from the Internet and reduces system security, he adds.

WCE/Meiti-A, a worm for the Windows Mobile platform, has also been noted. It arrives bundled with various legitimate applications, including games and Google Maps, for example, explains Myroff.

The W32/Sohana-AS worm is also affecting Windows users, while Mal/Zlob-J, detected as one of the Zlob family Trojans, has been identified for malicious behaviour.

"Malicious behaviour describes an executable file that displays characteristics or behaviour found exclusively within malware, and blocked to prevent likely intrusion," Myroff says.

Sophos has seen an explosion in the use of the Web to spread malware, adware and spyware, and companies need to take appropriate measures or risk having unauthorised code running on their employees' computers.

"Web site owners should be on the alert for adverts that might contain malicious content or unsavoury links. They should ask the third-party agencies they use what procedures they have implemented to positively vet the adverts that they deliver," Myroff adds.

"Companies that wish to protect their users from visiting what they may consider to be perfectly legitimate Web sites need to start scanning for malicious code at the Web gateway, just as they would at the e-mail perimeter or on the desktop."
