
Ads on Facebook serve up adware

An alleged adware distributor is placing ads on the popular Facebook social networking website that download spyware onto unpatched Windows computers.

Roger Thompson, chief technology officer at Exploit Prevention Labs, revealed the exploit in a blog post. He noted that he "was reading a friend's FaceBook blog when Internet Explorer displayed a message noting that a webpage was trying to start RDS (remote data services) services, and would I allow it."

"I clicked 'no,' then thought, 'Hang on . . . it shouldn't have been starting RDS!' So I started a goat machine, retraced my steps, and about a minute later . . . blam . . . programs dropped and executed on my machine," he said on the Exploit Prevention Labs blog.

After rebooting the unpatched PC, numerous copies of his browser started with ads being served. A check of whois, he told SCMagazineUS.com, revealed the adware was coming from a website that was downloading adware and spyware to vulnerable machines.

"You'd normally expect to see this sort of stuff if visiting websites of ill repute, such as pornographic websites," Thompson told SCMagazineUS.com. "You wouldn't expect to see them on something innocent."

Windows PCs without Microsoft patches MS06-140 and MS-06-142 from September 2006 are vulnerable to the exploit, according to Thompson. Those patches cleared up a variety of remote data services exploits.

"Anybody who is patched is perfectly safe," Thompson said, adding that many organizations do not patch automatically.

In these situations, "People checking their Facebook pages at work could easily get adware on their PC," he said.

"The issue is the web is the emerging battleground," Thompson said. "People need to be aware that others are trying to get into their computer that way. The underlying message: Make sure you're automatically patching your computer, and it's a good idea to install something like anti-exploit software."

A Facebook representative told SCMagazineUS.com that the adware-dispensing ad is no longer active.

"The ad in question violated Facebook's ad guidelines and was removed from the site," he said. "Facebook is also working closely with the international ad network that served the ad to ensure that future ads meet its strict guidelines for appropriate and safe advertising."
