Halloween Hack – How to check if you were exposed
For 83 minutes on Halloween night 2015, some hackers succeeding at getting malware to spread over part of the pagefair analytics network. We provided detailed information on this attack here.
In about 75% of cases, clicking OK on the above dialog would do nothing. However, in 25% of cases, it would have initiated a download of an executable that contained malware. Note that this malware could only affect users of Microsoft Windows, and to become infected the user would still need to run the executable and dismiss warning dialogs.
How many were affected?
The malware only succeeded in downloading onto a fraction of computers, could only affect Windows, required the user to run it despite warnings, and could be detected by various antiviruses. As a result, our current estimate is than less than 2% of visitors to the 501 publishers affected during the attack were at risk, and that a much smaller percentage are likely to have had the malware installed by running it.
Was I Affected?
If you were one of the 25% of users who received a download after seeing the alert download above, that does not mean you are infected. To become infected, you need to be running Microsoft Windows, and to have doubleclicked on the downloaded file to open it.
Furthermore, you will have had to deal with a Security Warning provided by Windows telling you that the file is not trusted.
Windows 8 and Windows 10
If you tried to run the malware executable on Windows 8 and above, you would have seen a message from Windows SmartScreen trying to prevent you from continuing. This would have looked like this:
To have succeeded in running the executable, you would have had to click on the “more info” link to find a hidden option to “Run Anyway”.
Windows XP, Vista and Windows 7
On Windows 7 and below, attempting to run the malware executable would have displayed a Security Warning similar to this one:
To run the executable, you would have needed to click the “Run” button.
Impact of Malware
This kind of malware can be used to remote monitor or control computers. In this instance, there is evidence that it was customised for bitcoin mining. The hacker may also have intended use compromised computers for ad fraud, by automatically making browser requests to websites to generate fake ad traffic.
The hackers’ access to compromised computers was terminated on Tuesday 3rd November, so anyone whose computer had this malware installed on it has been safe since then.
I think I ran the malware – What should I do?
If you are worried that you might have been exposed, you can email us and we will confirm if the server logs say the hackers displayed the alert message to you.
Send the following two pieces of information to us in an email to [email protected]:
- Your IP address. You can find this out by visiting WhatIsMyIP.com.
- Your Microsoft Windows version. Only Microsoft Windows users are at risk, and the version of your operating system matters. Tell us if you are using Windows XP, Windows Vista, Windows 7, Windows 8 or Windows 10.
We will get back to you as soon as we can to tell you whether anyone at your IP address was shown the fake message about Adobe Flash.
What Can I Do Right Now?
Even at the time of the attack, many anti-virus tools correctly identified and protected against this new malware program. If you run any of the following, you will not have become infected:
Kaspersky, McAfee, Sophos, ESET-NOD32, Fortinet, Baidu, Ikarus, Rising Antivirus, VIPRE.
Within 2 days of the attack, the vast majority of other antivirus companies created updates to detect and clean this malware. If you have any of the following antivirus programs, you should update them and run a full scan. This should completely resolve the problem.
- Microsoft antivirus
If you do not have any antivirus installed and you use Windows, you should choose one of the antivirus products listed above and perform a full system scan. AVG is a popular and effective free antivirus program.