Re: Is yahoo.com serving malware? [Was: More High Profile Sites IFRAME Injected]

["Blatant Lier" <blatantlier () gmail com>]

Pat, thanks for your comments.

I do want to point out that this was a false alarm, triggered in one
of my monitoring systems. The threat was analyzed and no real
compromise was found. Please disregard my previous comment and accept
my apologies.

But the scenario is , nonetheless, scary.

BL

On Mon, Mar 17, 2008 at 5:57 PM, Pat <hermens.p () gmail com> wrote:
> *.adrevolver.com is part of the BlueLithium network, which is "a premier
> behavioral targeting ad network" which was acquired by Yahoo in mid-2007 - I
> wouldn't say "malware" or use the word "attack" (especially considering it's
> now a sister company), however unethical or intrusive this sort of thing may
> be...
>
> This is almost like the Omniture debacle a couple of months ago
> (http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2008-01/msg00202.html,
> among many others dating back to 2002/03) which is used for user-tracking in
> and around certain sites to check page hits, time spent between clicks,
> referring servers, etc.
>
> If this is upsetting you on a personal level, maybe you should try some of
> the workarounds, including the ad-blocking extensions in Firefox, or
> host-file modifications on Windows systems...?
>
>
>
> On 18/03/2008, Blatant Lier <blatantlier () gmail com> wrote:
> > On Wed, Mar 12, 2008 at 7:51 AM, Dancho Danchev
> > <dancho.danchev () gmail com> wrote:
> > > lib.ncsu.edu; fulldownloads.us; cso.ie; dblife.cs.wisc.edu;
> > > www-history.mcs.st-andrews.ac.uk; ehawaii.gov; timeanddate.com;
> > > boisestate.edu; aoa.gov; gustavus.edu; archive.org;
> > > gsbapps.stanford.edu; bushtorrent.com; ccie.com; uvm.edu; thehipp.org;
> > > mnsu.edu; camajorityreport.com; medicare.gov; usamriid.army.mil
> http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html
> > >
> >
> > It would look as if yahoo.com is serving malware. I got this little
> fellow:
> > http://media.adrevolver.com/{---remove
> > this---}adrevolver/trace?sip=103&cpy=1205797527644342&bt=AAAEEIGsMo0L
> > [note that the link has been purposefully broken with "{---remove
> this---}"]
> > while hitting yahoo at 4:45pm EDT. As of this time it is still there.
> >
> > Considering that yahoo.com is one of the top destination these days, I
> > believe we can expect this attack to be fairly successful.
> >
> > BL
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/