Unintended consequences and Fuse Kit

Fuse Kit is a cool utility to create animations in Flash. Unfortunately, it’s popular with malware distributors, who are using it to create malicious advertisements.

These malicious advertisements get served on sites — even mainstream sites. They push malware. (Just to make sure there’s no confusion, this is not a drive-by exploit.

Typically the user will see a fake “system scan” message saying “Your system is infected!”. If the user actually believes it, clicks “OK”, and then downloads and installs the “security software”, the infection occurs. That is not to downplay the effect, though: it is very devious social engineering.)

More from Sandi Hardmeier, who has been doing just about the best job of tracking these:

I am seeing reports of the malicious redirects remaining dormant for a week before visitors to victim web sites are hijacked and redirected to fraudware sites. Web sites simply *must* increase their due diligence checks with any new advertiser.

It is going to take time, and it is going to cost money, but what alternative do web sites have if they want to protect and keep their readership, and if they want to avoid the inevitable end result of malvertizing, which is that more and more visitors to their sites are going to block all advertising?

That being said, it is not all doom and gloom - not yet. There is something that you can watch out for, even if a particular advertisement passes the adopstools test, and passes other security tests.

You see, even if the hijacking behavior of a malvertizement is "dormant" there are still subtle hints of trouble ahead that you can see if you know where to look.

For example, in the case of the Newsweek malvertizement, by leaving network traffic capture software (or Fiddler) running when the advertisement displays on a web page, we see that the following URL is touched - adoptserver.info/state_.gif?url=[removed] - and that the malvertizement is the referrer.

adoptserver.info is a known "bad actor". Its name servers are supplied by the now infamous "estboxes". Any advertisement that leads to such a domain being touched should be suspended, no questions asked. Don't wait for the complaints to start.

More here.
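One way to turn the capture check Hardmeier describes into an automated audit, as an added example (not code from this post or from her blog): it parses a constructed tab-separated request/referrer capture of the kind a proxy such as Fiddler can export, and flags any request the ad creative itself triggers to a host outside the advertiser's declared domains or on a known-bad list. Every hostname below is constructed except adoptserver.info, which the quoted text names.

```python
# Added example: audit a captured request log for an ad creative that
# "touches" a domain outside what the advertiser declared.
# Assumes a tab-separated capture of (url, referrer) per line; all hosts
# are constructed except adoptserver.info, which the post itself names.
from urllib.parse import urlsplit

# Constructed sample capture: what a proxy sees while the ad creative loads.
SAMPLE_CAPTURE = """\
http://ads.example-network.test/creative/promo.swf\thttp://www.example-publisher.test/
http://ads.example-network.test/img/logo.png\thttp://ads.example-network.test/creative/promo.swf
http://adoptserver.info/state_.gif?url=REDACTED\thttp://ads.example-network.test/creative/promo.swf
http://cdn.example-publisher.test/site.css\thttp://www.example-publisher.test/
"""

# Domains the advertiser declared when the campaign was approved (constructed).
DECLARED_HOSTS = {"ads.example-network.test"}
# Domains known from incident reports; adoptserver.info comes from the post.
KNOWN_BAD_HOSTS = {"adoptserver.info"}

def parse_capture(text):
    """Yield (url, referrer) pairs from tab-separated capture lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        url, _, referrer = line.partition("\t")
        yield url, referrer

def host_of(url):
    return urlsplit(url).hostname or ""

def is_subdomain(host, parent):
    return host == parent or host.endswith("." + parent)

def audit_creative(capture_text, creative_url, declared_hosts, known_bad_hosts):
    """Return findings for requests whose referrer is the creative itself.

    Each finding is (host, url, severity): 'known-bad' when the host matches
    the blocklist, 'undeclared' when it merely falls outside the declared set."""
    findings = []
    for url, referrer in parse_capture(capture_text):
        if referrer != creative_url:
            continue  # not triggered by the creative; out of scope
        host = host_of(url)
        if any(is_subdomain(host, bad) for bad in known_bad_hosts):
            findings.append((host, url, "known-bad"))
        elif not any(is_subdomain(host, ok) for ok in declared_hosts):
            findings.append((host, url, "undeclared"))
    return findings

def should_suspend(findings):
    """The post's rule: any touch of a known-bad domain suspends the ad."""
    return any(sev == "known-bad" for _, _, sev in findings)
```

Undeclared hosts are reported separately so a reviewer can question a new beacon before it is ever listed as bad, which is the "dormant" window the text warns about.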