Rogue Flash ads hijack your clipboard
On the 19th August 2008 Secure Computing published the following article as part of their Security Blog.
There is a new twist with Malvertising (malicious advertising), as first reported here. These latest banner ads contain malicious ActionScript code which has access to your system’s clipboard - and it’s not a bug, it’s a feature.
Since ActionScript 1.0, there has been a method that puts a specified text string onto the clipboard, replacing any other text content. Malware authors now use this feature: they craft banner ads that contain such ActionScript code to overwrite your clipboard's content with their fraudulent messages. They run the code in a loop, so that even if a user copies new content to the clipboard, it is overwritten again and again. Imagine you're on some legitimate website, copying an interesting snippet of text, and then you want to post it to your blog, a forum or elsewhere. What you may accidentally post instead is the content that the malicious ad banner has written to your clipboard in the meantime. The only way to stop the ghost in your clipboard is to shut down the browser that is running the malicious Flash video.
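A defender-side triage check for the behaviour described above, added here as an example and not taken from the original article or from Secure Computing: it inflates an SWF file and looks for the clipboard-write method name together with a timer or frame callback that could repeat it. It assumes the method in question is `System.setClipboard`; the function names and the sample input are constructed for illustration.

```python
import struct
import zlib

# Assumption: the clipboard-write method meant here is System.setClipboard.
CLIPBOARD_WRITE = b"setClipboard"
# Timer/frame callbacks that would let a script repeat the write.
REPEAT_HINTS = (b"setInterval", b"onEnterFrame", b"enterFrame")
MAX_BODY = 32 * 1024 * 1024  # cap decompressed size (zip-bomb guard)


def swf_body(data: bytes) -> bytes:
    """Return the SWF body after the 8-byte header, inflating CWS files."""
    if len(data) < 8:
        raise ValueError("too short for an SWF header")
    sig = data[:3]
    if sig == b"FWS":    # body stored uncompressed
        return data[8:MAX_BODY + 8]
    if sig == b"CWS":    # body is a zlib stream
        return zlib.decompressobj().decompress(data[8:], MAX_BODY)
    raise ValueError("not an FWS/CWS file")


def triage(data: bytes) -> dict:
    """Flag movies whose string data names a clipboard write and a repeat hint."""
    body = swf_body(data)
    writes = CLIPBOARD_WRITE in body
    hints = [h.decode() for h in REPEAT_HINTS if h in body]
    if writes and hints:
        verdict = "review"       # clipboard write plus a way to repeat it
    elif writes:
        verdict = "note"         # clipboard write only
    else:
        verdict = "no-match"
    declared = struct.unpack("<I", data[4:8])[0]
    return {"version": data[3], "declared_len": declared,
            "clipboard_write": writes, "repeat_hints": hints, "verdict": verdict}


def fake_swf(strings, compressed=True) -> bytes:
    """Constructed sample: SWF header followed only by NUL-terminated strings."""
    body = b"\x00".join(strings) + b"\x00"
    payload = zlib.compress(body) if compressed else body
    sig = b"CWS" if compressed else b"FWS"
    return sig + bytes([8]) + struct.pack("<I", 8 + len(body)) + payload


if __name__ == "__main__":
    print(triage(fake_swf([b"System", b"setClipboard", b"setInterval"])))
    print(triage(fake_swf([b"getURL"], compressed=False)))
```

This is a string-match heuristic for sorting ad creatives into a review queue: a match is a reason to inspect the movie, and the absence of a match proves nothing about an obfuscated file.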
There are reports that high-traffic, popular web sites have been tricked into running such advertisements, and that users of these sites accidentally posted messages and comments with links to bad sites under the control of the malware authors. At the moment these links promote so-called Rogue-AntiSpyware products, which try to scare the user by presenting a fake system scan and claiming that the computer is infected by malware. If the user follows the lure and installs the promoted scanner, he is in fact installing the real threat.
Earlier this year, an article in the Virus Bulletin magazine showed the inner workings of such rogue banner ads.
Inside Rogue Flash Ads, January 2008, Virus Bulletin Magazine. Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge by permission of Virus Bulletin.


