Digital Social Listening Detects a Global Attack on One of the Web's Largest Software Sites!
Reports began coming in on September 14th, from blogosphere posts picked up by Adreka, Inc. using social digital listening tools, that Tucows (AMEX: TCX) may have been affected by ad-delivered malware. Tucows (originally an acronym for The Ultimate Collection of Winsock Software, a name which has long since been dropped) is one of the few companies that survived the destruction of the dot-bombs, only to now fall victim to a new enemy: third-party malware, which its systems are at this moment distributing, possibly undetected, or possibly not being discussed by management given the company's publicly traded status. At this hour, the company has made no statement and has not shut down its ad servers or its hosting network.
Compounding the danger, Tucows is perhaps best known for its popular website directory of shareware, freeware, and demo software packages available to download. A system of mirror sites is maintained so that traffic to the site is distributed among several worldwide server locations. The third-party malware may have affected its extensive reseller network, which services over ten million domain names and millions of mailboxes for a network of over 10,000 web hosts, ISPs (Internet Service Providers), and other resellers around the world. It can only be speculated that in the past 48 hours Tucows may have inadvertently infected millions of Windows computers belonging to visitors to its software, email, and associated websites, through a vulnerability exploited via a third-party advert being served across Tucows' entire network. The exploit downloads and runs a malicious file, a variant of the Bredolab Trojan. Upon execution it unpacks its code and tries to connect to various remote addresses over HTTP to download and execute other Trojans, which results in a frenzy of pop-up advertisements, then usually fake antivirus or antispyware scanners (such as PC Antispyware 2010). This in turn raises a second problem: potential credit card fraud.
This is not the first time we have seen a high-traffic website used to distribute malware. The bad guys always go for the Achilles' heel, and what looks like an innocuous advert can trigger a wave of nasties. This is why, for networks big and small, third-party advertisements must be verified carefully; otherwise this is the kind of thing that can happen. The lack of response, acknowledgement, or action on Tucows' part is very unsettling. As of this evening Tucows' systems remain affected, with the malware still spreading, and Tucows' traffic is dropping off rapidly as virus scanners and web browsers begin to alert users to the potential danger. For a publicly traded company, news travels from the social sphere, to consumers, to Wall Street faster than most think.
Hi John,
I work for Tucows and I'd like to clarify some of the information in your post.
You are correct that, like many sites, tucows.com uses the OpenX open source ad server software.
You are also correct that, once again like many other sites, we were exposed to a vulnerability through OpenX for a period of time (hours, not days) before we became aware of the situation.
Luckily, the same day we noticed the exploit (September 14th) the OpenX community released a patch that resolved the exploit.
There was then another short period of time (the evening of the 15th) before we realized that during the exploit several additional backdoors had been opened on the server.
We have now done a complete rebuild of the server using the latest version of everything and we believe that we are now fully secure.
It is important to note that this exploit was specific to OpenX and is in no way related to Tucows or to any of the software downloads available through our site. Similarly, this server is in no way connected to our content mirror sites, our reseller network, or to any of the domains we provide through that reseller network.
As for the impact to site visitors, it's probably best to look at what needs to have happened for them to have an issue.
If someone came to our site and IF they did it during that particular period of time and IF they went to a page with an ad served by OpenX and IF the exploit tried to download malware to their machine and IF that machine was running Windows XP and IF they didn't have recent security patches on their machine and IF they weren't running anti-virus software, then they may have had malware downloaded to their machine. If that is the case, they'll want to update their software and check to see if their machine was affected.
So the length of time and the scope of the vulnerability are dramatically different from what you have estimated. Of course we're seriously sorry that there was ANY period of time that we were vulnerable and we're redoubling our efforts to make sure this sort of thing doesn't happen in the future.
BTW, we rarely let our finance and corporate communications teams work on our ad servers so the fact we have a share buyback happening doesn't really have anything to do with us working on security patches. 🙂
Cheers,
Ken.