Pwning the clipboard – latest trick used in FakeAlert distribution

There are certain notorious threats for which the mere mention of their name can make malware analysts groan – Zlob, Pushdo, Dorf (aka Storm) to name but a few. Just recently, a new class of malware is starting to have that same effect – we are seeing an abundance of ‘fake alert’ trojans. This is malware designed to scam the victim into paying money to remove non-existent threats [1,2].

If the professional looking sites that are being used to distribute this fake alert malware are anything to go by, the criminals behind it are very organized. They are making significant efforts to evade detection and filtering – using polymorphic packing techniques and hosting the content on numerous domains.

They are using aggressive techniques to infect victims as well – for example large spam campaigns and compromised web sites. At the end of last week another interesting technique was discovered – they were clobbering the contents of the user clipboard with the URL of their distribution site. Numerous postings to various forums reported similar issues, for example [3]:

I’m going crazy here. Any time I copy a url by selecting it, then pressing ctrl+c, the next time I paste something it comes up with this link: http://[removed].net /?id=… (link intentionally broken) … Probably spam/virus link … I wouldn’t click on it.

For instance, I copy “” onto Windows’ clipboard and what I paste is the former url. I had this happen a week ago, so I scanned my drives with AVG (found nothing). So, I reformatted my hard drive and reinstalled Windows. Now, a week later, it’s doing it again. Does anyone have _any_ idea what this is coming from?

So, the attackers are overwriting the victim’s clipboard in the hope that the victim subsequently pastes the URL somewhere that may result in traffic to their site. That is not so unlikely: users frequently copy and paste links to each other via email, IM, or comment postings.

A nasty little trick – but is it anything new? No, techniques to automatically copy data to the system clipboard using common scripting languages (JavaScript and ActionScript) are well known.

The fact that victims report experiencing these issues after browsing legitimate, popular sites suggests that malicious Flash is the culprit. The attackers are probably using the setClipboard() method [4] within ActionScript embedded in Flash content. Maybe the attackers have poisoned some ad-stream as a way of hitting large volumes of users?
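As an added defensive example (not code from the original post or from any product it mentions), the Python script below unpacks a zlib-compressed SWF and searches its ActionScript for the setClipboard name, so Flash files pulled from an ad-stream can be triaged for clipboard-writing code; the SWF samples it checks are constructed inline around a placeholder URL, and the marker search is a string-level check, not a decompilation.

```python
import zlib

# String-level triage marker: the method name the post attributes to the attack.
# Compiled ActionScript keeps method names as plain strings in its constant pool,
# so a substring search over the uncompressed body is enough to flag a SWF for
# closer inspection (it is not a decompiler and will not see obfuscated names).
CLIPBOARD_MARKER = b"setClipboard"


def swf_body(data: bytes) -> bytes:
    """Validate the 8-byte SWF header and return the uncompressed tag body."""
    if len(data) < 8:
        raise ValueError("too short to be an SWF")
    signature = data[:3]
    declared_len = int.from_bytes(data[4:8], "little")  # whole file, uncompressed
    if signature == b"FWS":
        body = data[8:]
    elif signature == b"CWS":
        body = zlib.decompress(data[8:])  # everything after the header is zlib data
    elif signature == b"ZWS":
        raise ValueError("LZMA-compressed SWF not handled by this example")
    else:
        raise ValueError("not an SWF file")
    if len(body) + 8 != declared_len:
        raise ValueError("declared length does not match actual body size")
    return body


def find_clipboard_writes(data: bytes) -> list:
    """Return byte offsets (in the uncompressed body) of every setClipboard reference."""
    body = swf_body(data)
    hits, start = [], 0
    while (pos := body.find(CLIPBOARD_MARKER, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def build_sample_swf(body: bytes, compress: bool = True) -> bytes:
    """Constructed test helper: wrap an arbitrary body in a valid SWF header."""
    signature = b"CWS" if compress else b"FWS"
    header = signature + bytes([9]) + (len(body) + 8).to_bytes(4, "little")
    return header + (zlib.compress(body) if compress else body)


# Constructed inputs (not captured malware): one body carrying a clipboard write
# with a placeholder URL, one carrying an ordinary banner with no such call.
FRAME_HDR = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00"  # fake RECT/rate/count
SAMPLE_HIJACKER = build_sample_swf(FRAME_HDR + b'System.setClipboard("http://placeholder.invalid/?id=0")')
SAMPLE_BANNER = build_sample_swf(FRAME_HDR + b"banner.gotoAndPlay(1)", compress=False)

if __name__ == "__main__":
    for name, sample in (("hijacker", SAMPLE_HIJACKER), ("banner", SAMPLE_BANNER)):
        print(name, "setClipboard at offsets:", find_clipboard_writes(sample))
```

A hit only says the file can write the clipboard; the surrounding string constants (the URL argument) and the ad network that served the file are what an incident responder would pull next.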

At the time of writing, I am aware of the victim’s clipboard getting overwritten with one of two URLs. In each case, browsing to the URL will result in the fake system scan running on the victim machine, very similar to that reported here.

I guess we should be glad the Adobe folks were wise enough to not provide the corresponding getClipboard() method!