Spotify Ads infected by viruses?

Hello, just today I got an ad in Spotify that was a fake Windows security window (in the ad box) and said my computer was infected. I know viruses fake that and am not saying my computer is infected. At first I just dismissed it cause it disappeared and said oh maybe my laptop has a virus (I don't have security on that laptop cause I hardly use it) and went on with my day. Just a few moments ago I saw an ad in Spotify (on my secured Desktop) with a web address that said "failed to load..." I don't remember the full message but it listed a URL that looked very suspicious. Shortly after that ad disappeared Norton had come up and said 3 malicious attacks were blocked. This raised concern because it happened on a secure computer too. Luckily Norton stopped the attacks. Could other users confirm whether this is happening to you as well or if it's just me? Please look into this, Spotify, as this is a security concern not only for me but I assume other users as well.

 

Thanks,

Brandon

 

EDIT!: I have dug into Norton and found the Web Address as well as the IP that tried attacking my computer. The web address blocked is the same as the one that popped up in my Spotify Ad bar at the bottom of the screen. Attached are the details from Norton.

 

[UPDATE - 2.09.2013]: We're happy to say we haven't seen any new or reoccurring reports of this so we're going to lock this thread. If you're experiencing any new issues, feel free to post a new thread in the appropriate board. Thanks everyone!

 

spotifyattacks.png

calvert wrote:

Either way, an alert coming from a randomly generated subdomain name is suspicious. This is more to let you know that your software might have a problem. The rest of us will just block that domain and move on.

Definitely a wise move to block the domain.  TBH, I didn't see the ad, nor was I warned by Avast.  I didn't have my player on much yesterday, and my hosts file may or may not have blocked it had it reached me.

 

What I also see as suspicious is that only AVG and Norton identified the problem.  If this were indeed a threat, I would expect more than only those two programs to pick it up.

 

I wouldn't be so quick to blame Spotify directly, but more likely doubleclick.net, the supplier of most of the ads.  When you add all of their various domain names to your hosts file, you'll see a blank space where the ad would be, and the URL is listed in the space.  I feel comfortable with my hosts file adding an extra layer of protection to the AV software.  If doubleclick.net was indeed the source, hosts would have caught it before it reached the AV scan.  And maybe it did, for all I know.

 

And it wouldn't be a bad idea to run scans using both Malwarebytes and SuperAntiSpyware to be on the safe side.  I'm going to do that myself.  Both have free editions and remove any infections 99% of the time.

I just received an AV warning.  Avast said it was from freefilesdownloader dot com.  Some googling didn't lead me to anything definitive, but there is a 2 page thread on it at an avast support site.  It also mentions myvnc.com.  The case is ongoing, last post yesterday, currently unresolved.  The poster apparently received the suspected infection from Facebook while playing Farmville.

 

http://forum.avast.com/index.php?topic=130268.15

 

Maybe someone smarter than me can draw some conclusions.

 

I opened the freefilesdownloader site in a sandboxed browser, and it prompted me to download a file, api_downloader.exe. 

 

I got to the above thread by searching for that filename on yahoo.com.  I didn't save the file, though I probably should have in order to scan it.  The experts at Avast seemed to think it MAY be a rootkit of some sort, but again, NOTHING DEFINITIVE, still ongoing.  Everything in my sandbox scanned clean.

 

I might go back to download that file and run it to see what happens.  If anyone else chooses to do this, make certain you do so in a SANDBOXED ENVIRONMENT ONLY.

Ok so just so I was on Spotify and my anti virus popped up and this is the msg I got on the bottom. I really want to remove Spotify at this moment 


Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
8/2/2013 3:39:17 PM,High,An intrusion attempt by yacrubn.myvnc.com was blocked.,Blocked,No Action Required,Web Attack: Malicious Website Accessed 2,No Action Required,No Action Required,"yacrubn.myvnc.com (212.7.195.120, 80)",yacrubn.myvnc.com/index.php?c=RaENOjEayDF925cOxP3ACC60zajgAjCTlcK0liAaKtvDheVQzm+YhzfWz1MPnw1S6zBdyf4decWlyaN3Dgb24q6ByoM=,"IANMAYO (192.168.0.10, 55335)",212.7.195.120 (212.7.195.120),"TCP, www-http"
Network traffic from <b>yacrubn.myvnc.com/index.php?c=RaENOjEayDF925cOxP3ACC60zajgAjCTlcK0liAaKtvDheVQzm+YhzfWz1MPnw1S6zBdyf4decWlyaN3Dgb24q6ByoM=</b> matches the signature of a known attack.  The attack was resulted from \DEVICE\HARDDISKVOLUME5\USERS\IAN TROLOLO MAYO\APPDATA\ROAMING\SPOTIFY\SPOTIFY.EXE.  To stop being notified for this type of traffic, in the <b>Actions</b> panel, click <b>Stop Notifying Me</b>.

Are you using free Spotify with ads? If so, it sounds like you're seeing what others are reporting in this thread. Please confirm one way or another so I can move your post to the other thread as it will help to keep similar issues together.

 

Spotify is aware of the reports and is investigating.

I just had the same problem

IP Address - vproaft.myvnc.com (212.7.195.120)

vproaft.myvnc.com/index.php?c=RaENOjEayDF925cOxP3CC60zajgAjCT

 

Ok cool. I was really concerned and yes I'm using the free version

Thanks for coming back 🙂

Man, I haven't used spotify in days aaah

 

You guys should use the Spotify Player online to avoid any other damage these cursed ads will do to your PC. There are no image ads, just audio. It's pretty convenient.

Maybe an ad moratorium is in order.  There must be an on/off switch somewhere.  😉

 

Anyone reading this thread should add the following lines to their hosts file, whether you've run across the ad or not.

 

127.0.0.1 www. freefilesdownloader.com
127.0.0.1 www. myvnc.com
127.0.0.1 www. anyfiledownloader.com
127.0.0.1 3.webfilesdownloader.com
127.0.0.1 www. anyfiledownloader.com
127.0.0.1 www. downloadfileshere.com
127.0.0.1 www. downloadfileshere.co
127.0.0.1 www. filezdownloader.com
127.0.0.1 195.66.79.27

TAKE OUT THE SPACE AFTER THE "WWW."

EDIT:  Added these from the posts above

127.0.0.1 yacrubn.myvnc.com
127.0.0.1 vproaft.myvnc.com
127.0.0.1 212.7.195.120

 

 

In XP the hosts file is located in c:\windows\system32\drivers\etc

Should be somewhere similar in the newer versions

 

Edit the file in notepad, and make sure you save the file as "hosts" with no extension, and NOT hosts.txt.  DOUBLE CHECK THE FILE EXTENSION.  IT CAN'T HAVE ONE IN ORDER TO WORK.  AT ALL.

 

I downloaded and ran the infected file in question the other day, sandboxed of course, and you'll get your browser home page hijacked, your default search engine changed, and some weird file downloader program called iPumper installed.  They don't seem to cause any serious damage, but like a lot of spyware/malware, these are tough to clean.

 

I didn't catch a screenshot of the ad, but it had a graphic that looked like this.

2013-08-01_155525_cr.jpg

If you see it and your virus protection doesn't catch it, immediately hit the reset switch on your computer.  I have no idea if it downloads automatically or if you actually have to click on the ad.  My AV caught it.

 

Only Free Users should be affected by this.  I sent a more detailed report to Peter.  Everyone is well aware of what's going on.  Spotify is working to remedy the problem.  [I still like the on/off switch idea though]

 

Yes, I know, no one should get this in the first place, but let's not escalate the situation.

 

keep-calm-and-edit-your-hosts-file.jpg
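A check for hosts-file entries like the ones posted above, as an added example that is not part of the original thread: it flags lines that will not take effect (a stray space in the name, an IP literal in the hostname column, duplicates) and shows that the hosts file matches names exactly, so a newly generated subdomain is not covered by an entry for its parent domain. `SAMPLE` is constructed from entries in the thread; `lint_hosts` and `is_blocked` are hypothetical helper names.

```python
import ipaddress

# Constructed sample: a few of the entries posted in this thread, as typed.
SAMPLE = """\
127.0.0.1 www. myvnc.com
127.0.0.1 www.myvnc.com
127.0.0.1 yacrubn.myvnc.com
127.0.0.1 212.7.195.120
127.0.0.1 yacrubn.myvnc.com
"""

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def lint_hosts(text):
    """Return (blocked_names, warnings) for hosts-file text."""
    blocked, warnings = set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or not is_ip(fields[0]):
            warnings.append((n, "malformed entry"))
            continue
        for name in fields[1:]:
            name = name.lower()
            if is_ip(name):
                # hosts only affects name lookups; block an IP at a firewall
                warnings.append((n, "IP literal in hostname column"))
            elif name.endswith(".") or "." not in name:
                warnings.append((n, "broken hostname (stray space?)"))
            elif name in blocked:
                warnings.append((n, "duplicate entry"))
            else:
                blocked.add(name)
    return blocked, warnings

def is_blocked(host, blocked):
    # Exact match only: the hosts file has no wildcard or suffix matching.
    return host.lower() in blocked
```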

Thanks Rollo. Hopefully, Spotify will have some news on this issue "soon".

How soon do you suppose soon is? This should have been taken care of the moment they realized it was happening. It's Thursday morning PST and I just got a warning from AVG today about this myvnc.com - There are a lot of angry people blowing up that myvnc.com thread on the AVG website and I don't blame them. I know I could get a premium and not worry about the ads, but it's really unfair to force people to have to buy premium so they don't have to worry about their computers being infested and possibly ruined. I'd like to think they care about that, but I'm having misgivings.

Hello folks. Spotify here. We thought we'd give you another update to let you know that we're looking into this with our ad operations team. We haven't been able to replicate this but rest assured we're still investigating. We'll be back shortly with an update. 

And in the meantime, modify your host file as I suggested on the previous page [assuming you read other posts before starting to rant].  This will block them before they even hit your AV software.  Yes, it's a problem that shouldn't happen but come on guys, it's a group effort here.  I figured it out and I'm an old fart.

 

In the time you spend writing a gripe post in the forum you could have your hosts file edited.

 


@Rorey wrote:

Hello folks. Spotify here. We thought we'd give you another update to let you know that we're looking into this with our ad operations team. We haven't been able to replicate this but rest assured we're still investigating. We'll be back shortly with an update. 


Hey everyone. We believe we may have improved this since last week. Can anyone let us know if you're still experiencing this issue?

 

 

We're happy to say we haven't seen any new or reoccurring reports of this so we're going to lock this thread. If you're experiencing any new issues, feel free to post a new thread in the appropriate board. Thanks everyone!