Windows, Linux and Mac OS X users alike report their clipboard being hijacked

Aug 18, 2008 09:43 GMT

Since the middle of July, users around the web have been reporting a strange, persistent link in their clipboard. At first it was believed to be new Windows-related malware; however, people using Mac OS X soon started reporting the same problem, and Linux users followed. The culprit seems to be a malvertizement (malware advertisement) that is served through Flash or JavaScript ads on popular websites like MSNBC.

Malware served through advertisements is becoming a serious problem, and attackers seem to favor it more and more because websites are not rushing to take steps to prevent it. Preventing it would imply a more careful inspection of the advertising networks they choose, which means more money invested. However, if this spreads at this rate, companies will have to enforce a stricter policy in order not to lose their daily visitors.

This particular attack copies a link to the computer's clipboard. The link seems to be persistent and cannot be removed by simple means; in most cases a computer reboot is necessary. The link in question redirects the user to a website that promotes a rogue antivirus program that is itself a spyware application.

Because it persists in the clipboard, this link gets pasted along with any chunk of text, exposing users to the risk of propagating it unintentionally by inserting it in e-mails, blog articles and comments, documents, etc. This malvertizement seems to be spread over several popular news websites.

The behavior was first reported by IE users on Windows; due to the attack's flexible spreading method, it was later reported by Mac and Linux users running Firefox as well. This means it could affect other browsers and operating systems too.

In Internet Explorer, setting "Allow programmatic Clipboard Access" to "Prompt" under Internet Options > Security > Internet Zone > Scripting doesn't seem to block this attack. However, people reported that setting the Pop-up Blocker to "High" does have an impact. For Firefox, the popular NoScript extension is recommended, not only for blocking this attack but for blocking malicious web scripts in general.

Even though this clipboard hijack affects Mac OS X and Linux too, the fake security software being spammed works on Windows only. However, Sandi Hardmeier, Microsoft MVP, notes on her blog: "I am well aware that the current crop of fraudware software making the rounds targets Windows, but reality is that there is also fraudware in circulation that targets the MAC and it is only a matter of time before there is an offering for Linux - after all, Linux users are just as at risk from social engineering as anybody else."