Microsoft IE Security MVP Sandi Hardmeier pinged me earlier this weekend about yet another problematic advertisement in a big network. She blogs again on the elusive “Winfixer” (you can pick a name among many for this deceptive software scam). I noted this at Revenews after the discovery of the “scareware” being served up through Windows Live Messenger (previously known as MSN IM), and I commented on MSFT’s negative eCPM. I have analyzed the Groups case fragments sent to me by others, but they are not conclusive or cohesive enough to make a determination, only some guesses. Not enough information, but I will comment. Perhaps others have insight.
Microsoft Groups Case
Let’s revisit this incident with a small picture of the technical action. In this case I am going on a third-party trace and a capture of the packets, in a heavily cropped .PNG file from Menthix.net, used with permission (thank you, Johan). It is interesting, but very slim to go on.
rads.msn.com appears to be MSFT’s ad server for MSN.
(NASDAQ: MSFT)
clk.atdmt.com would be Atlas- owned by Seattle based, aQuantive Inc.
(NASDAQ: AQNT)
img-cdn.mediaplex.com- owned by ValueClick.
(NASDAQ: VCLK)
aQuantive owns a number of digital businesses including Avenue A | Razorfish, Atlas and DRIVEpm.
ValueClick, also a powerhouse, owns Commission Junction, Fastclick, Inc., Web Marketing Holdings, Inc. E-Babylon, Inc. and Shopping.net among other business units.
The first thing that pops out as a little odd is the use of two ad serving platforms, direct competitors. VCLK network ads are normally served off their ValueClick network, but not always. Is it possible the party was trying to obscure the action in this way? I am speculating here, but my guess is that since Mediaplex (VCLK) leased out their ad server technology, that leaves aQuantive in the mix as serving up an ad that made a call to VCLK. Did they lease out Atlas, or did they buy a ton of bulk inventory and resell some of it?
Not enough information from this small snippet, but it appears Flash and ActionScript might be involved.
Speculation and ActionScript
A network like DRIVEpm, or any other large network for that matter, will buy huge amounts of inventory on a CPM basis. Given that ROS (run-of-site) inventory in large networks is often sold at $1.00 to $2.00 CPM, one can probably estimate that properties like Windows Live Messenger and Microsoft Groups are less than stellar buys and probably came along with a deal as low-value inventory. I would estimate the CPM is probably pennies. The network does the large buy at MSN and monetizes what it can. Even then it is probably left with excess inventory.
In turn they might farm that inventory out on a CPA basis or any other type of deal structure or to resellers e.g. brokering, because the inventory is unfilled and from their view it is better to get something rather than nothing. In this case the “something” turns out to be more than nothing if you are on the receiving end of one of these ads. This is really bad if it jeopardizes your strategic relationships.
There is no way to prove it all conclusively, I don’t have all the pieces, or know for sure how it got through the system of checks and balances that should be, and usually are in place, but it is possible it came through obfuscated or encrypted ActionScript and Flash ads. I will get to that…
Winfixer and MVPs on The Trail
This time Sandi finally has a conclusive packet capture of the “Winfixer” family of software in action, complete with the deceptive screenshots, and this time it isn’t coming in via MSFT but via AOL. In Microsoft’s case it was seen served via Windows Live Messenger, pulled rapidly, and then a week later came through MSN Groups through what appear to be low-value ROS ads.
Sandi notes it on the AOL Money section, although it appears to be served from DoubleClick Inc. (which owns Performics), and it later pops up in the WinAmp forums, served through atwola.com domains (AOL).
Sandi writes in this entry:
I’ve posted a couple of times on this blog about how visits to AOL pages were redirecting at random to the scareware/malware commonly known as Winfixer (aka SystemDoctor and ErrorSafe aka several other names). On previous occasions I did not have network monitors running, and therefore could only offer screenshots and my word as “proof” of the incidents.
(http://msmvps.com/blogs/spywaresucks/archive/2007/03/22/701346.aspx)
(http://msmvps.com/blogs/spywaresucks/archive/2007/03/21/697330.aspx)
This time, however, Microsoft Network Monitor was running when I visited the AOL page (http://money.aol.com/news/articles/_a/technical-goof-wipes-out-38-billion/20070320140609990001) and was redirected to an ErrorSafe page.
Below are snippets of relevant network data - the full logs are available for inspection and use by the appropriate authorities…
and she goes on to make this editorial comment…
Editorial: It is well and truly time for MSN, MS, AOL and any other big name that has had their advertising networks infiltrated by the crud that is commonly known as Winfixer to go after Winfixer, its affiliates, and the sites that host the malware by using every legal avenue open to them, and with no holds barred. I say join forces and go after those behind Winfixer, those who host it, and those who spread it, with every legal weapon at your disposal. Shut them down, and shut them down for good!
It is amazing that outfits like this can thrive for so long. I shudder to guess at their ROI; my guess is these “outfits” generate thousands if not tens of thousands of dollars or more per day. Maybe more if they don’t pay their I/Os (insertion orders)?
Civil Suit Filed
It would appear there is some private litigation underway as detailed by this rather interesting blog connecting the outfit to “ByteHosting” and one Marc Cohen who is being named in the action [PDF Link]. We will have to wait and see how those cards play.
Concerted Effort to Strike Back Needed
Sandi also writes in this later entry dated March 25, 2007:
I was in Seattle not long ago for the MVP Summit. While I was there I had a short meeting with a Director of Community & Intelligence, Security Research & Response at Microsoft who has been dealing with the fall-out of the Winfixer infiltration of the Windows Live Messenger banner ad network. The primary purpose of the meeting was to discuss my concern that the fact that winfixer had managed to infiltrate the MS/MSN ad network once meant that it would happen again.
Microsoft certainly understands the risks being faced by users of their software which includes advertisements - whether it be Windows Live Messenger, or Windows Mail Desktop with its advertisement pane, or MSN, or Hotmail. But unfortunately, although I am pleased at the high level of collaboration I am seeing at MS/MSN as a result of the Winfixer outbreak, I am not confident that another outbreak will not occur.
As long as advertising networks do not directly host creatives they will be at risk of bait and switch. Winfixer is popping up in so many places, we cannot be sure that *any* Web site that displays dynamic advertisements will be safe. So what can we, as users, do about this problem, considering the advertising networks seem to be unable to control the problem by themselves?
Yes, we can get rid of Flash. We can use ad blockers. We can use Mike Burgess’s hosts file to redirect known advert and URLs to localhost. We can disable ActiveX completely. I’ll fight against users having to cripple their Web browsers and sacrifice access to content such as Flash and ActiveX in an attempt to avoid malware. Mike Burgess’s HOSTS file, on the other hand, is what I recommend - block the adware content without crippling your browser or sacrificing Flash.
Web site owners and those running advert networks must surely understand the risk to their revenue streams as more and more people actively block advertisements as a self defence mechanism against malware. If we, the visitors, don’t see the adverts we are not going to click on them. If we don’t click on the adverts, there is no income. Maybe once the advertising networks realise they are at risk of losing more and more viewers, the cost of directly hosting creatives will become less prohibitive - after all, it is better to have a lowered income than no income at all.
Well said.
Strong Response is Needed
I have to agree with Sandi, and with the other MVPs and security guns I talk to, and I have added emphasis to her most important words in the quote. Why is it that the large network superpowers have trouble keeping this out of their advertising mix? Microsoft was quick to respond, yet reaching AOL seems problematic per Sandi’s post; I will certainly ping people I know. Again, I find it troubling that roving MSFT MVPs, security forums, and everyday grassroots activists are doing the Network Quality checks in 2007.
I imagine there might be all kinds of cross-country trails that make it hard to determine the exact origin of the final parties. This is often called “partner sprawl”, but there should be an I/O (insertion order), there should be a paper trail; somewhere along the line someone has to be accountable.
Let’s move on to how-to’s and a blog I found via Sandi’s site that I think has some great, and blunt, advice.
Mike On Ads and ActionScript
Mikeonads: I think Mike works for Right Media, which recently received an investment from Yahoo!, for those curious. Mike demonstrates just how tricky some of the tactics can be in this detailed and educational entry. You can also check out some of the “bait and switch” creatives and Flash advertising trickery.
When I see Obfuscation or Encryption- I Always Wonder What and Why it is Hidden…
This trickery is accomplished by embedding encrypted or obfuscated ActionScript. The examples he cites have been “decompiled”, so I do not know for sure, but I note there is a subtle difference between obfuscation and encryption: obfuscation only makes code hard to read, while encryption needs a key, and a creative that has to run on its own must carry that key and the decryption routine inside the SWF, so “encrypted” ActionScript in a banner is in practice just another layer of obfuscation that a reviewer can unpack. The nefarious ActionScript is injected inside the Flash ads, often via creatives spoofing legitimate, big-name advertisers. Who would question these names?
The ActionScript launches popups and ActiveX installs for the malware. ActionScript is a scripting language, based on the ECMAScript standard, and primarily used to develop software for Adobe Flash. I have seen a lot of nasty things with obfuscated or encrypted JavaScript in general; I can think of the World Cup JavaScript Page Header Injection or the ancient Spazbox case as incredibly complex and nasty examples. However, I have to admit that using advertising networks themselves as “virtual botnets” via ROS or remnant CPM buys and fancy JavaScript is disgustingly clever, and it really shocks me this can even happen. I mean, I can see it from ad networks that act as “fronts”, but big established ones?
The Risky Thrill of Outside Creatives
If you work in a large network and accept outside creatives, I highly suggest you build automated systems to decompile Flash creatives and analyze and record what is happening in the advertisement. Mike suggests Tamper Data, Adam Judson’s Firefox plug-in, which lets you view and modify HTTP/HTTPS headers and POST parameters as well as trace and time HTTP requests and responses. You can also try Action Script Viewer. This might not scale for large networks, but for now the front line of defense is a good offense. If you see any obfuscated or encrypted ActionScript, put a hold right there. It is not hard to spot once you crack open these creatives. It doesn’t mean there is something bad for sure, but it is just a banner creative, so why the mystery?
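A starting point for that automation, as an added example and not code from this post or from Mike’s tools: a small Python triage script that opens an SWF (plain FWS or zlib-compressed CWS), walks its tags, pulls the string literals out of the AVM1 DoAction/DoInitAction bytecode (ActionPush, ActionConstantPool, ActionGetURL), and flags what a reviewer would hold a creative for: javascript: URLs, calls to eval/unescape/fromCharCode, fscommand, and long high-entropy strings that usually mean a packed payload. The two SWFs it scans are constructed inside the script (the example.invalid hostnames are placeholders), the trigger list and entropy threshold are my choices, and AS3 (DoABC) bytecode is only reported, not decoded.

```python
"""Static triage of a Flash creative: extract AVM1 string literals and flag
review triggers.  Added example; tag and action codes follow Adobe's SWF spec."""
import math
import re
import struct
import zlib

TAG_END, TAG_SHOW_FRAME, TAG_DO_ACTION, TAG_DO_INIT_ACTION, TAG_DO_ABC = 0, 1, 12, 59, 82
ACT_GET_URL, ACT_CONSTANT_POOL, ACT_PUSH = 0x83, 0x88, 0x96

# Strings that have no business in a plain banner (reviewer trigger list, our choice).
SUSPICIOUS = re.compile(r"javascript:|\beval\b|unescape|fromCharCode|fscommand|clsid:|\.exe\b", re.I)


def _cstr(buf, off):
    """Read a NUL-terminated string; return (text, offset past the NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def _entropy(s):
    """Shannon entropy in bits per character; packed/base64 blobs score high."""
    counts = [s.count(ch) for ch in set(s)]
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts)


def swf_tags(blob):
    """Yield (tag_code, payload) for an FWS or CWS file."""
    sig, declared = blob[:3], struct.unpack_from("<I", blob, 4)[0]
    body = blob[8:]
    if sig == b"CWS":
        body = zlib.decompress(body)
    elif sig != b"FWS":
        raise ValueError("not an FWS/CWS SWF (LZMA 'ZWS' not handled)")
    if declared != 8 + len(body):       # a lying header is itself worth a look
        raise ValueError("declared length does not match content")
    nbits = body[0] >> 3                 # RECT: 5-bit nbits, then four nbits-wide fields
    off = (5 + 4 * nbits + 7) // 8 + 4   # ... followed by u16 frame rate and u16 frame count
    while off + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, off)[0]
        off += 2
        code, length = code_len >> 6, code_len & 0x3F
        if length == 0x3F:               # long-form RECORDHEADER
            length = struct.unpack_from("<I", body, off)[0]
            off += 4
        yield code, body[off:off + length]
        off += length
        if code == TAG_END:
            break


def avm1_strings(actions):
    """Walk AVM1 action records and yield (where, string) for each literal."""
    off = 0
    while off < len(actions):
        code = actions[off]
        off += 1
        if code == 0:
            break
        if code < 0x80:                  # short action: no payload
            continue
        size = struct.unpack_from("<H", actions, off)[0]
        off += 2
        payload, off = actions[off:off + size], off + size
        if code == ACT_GET_URL:
            yield "getURL", _cstr(payload, 0)[0]
        elif code == ACT_CONSTANT_POOL:
            p = 2
            for _ in range(struct.unpack_from("<H", payload, 0)[0]):
                s, p = _cstr(payload, p)
                yield "constant", s
        elif code == ACT_PUSH:
            p = 0
            while p < len(payload):
                kind = payload[p]
                p += 1
                if kind == 0:            # type 0 = string
                    s, p = _cstr(payload, p)
                    yield "push", s
                else:                    # fixed-width push types: float, null, undefined, ...
                    width = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}.get(kind)
                    if width is None:
                        break
                    p += width


def scan_swf(blob):
    """Return findings as (severity, where, detail) tuples; [] means nothing to hold."""
    findings = []
    for code, payload in swf_tags(blob):
        if code == TAG_DO_ABC:
            findings.append(("warn", "DoABC", "AS3 bytecode present; needs an ABC decompiler"))
        elif code in (TAG_DO_ACTION, TAG_DO_INIT_ACTION):
            for where, s in avm1_strings(payload):
                if SUSPICIOUS.search(s):
                    findings.append(("flag", where, s))
                elif len(s) >= 32 and _entropy(s) > 4.5:
                    findings.append(("flag", where + "/high-entropy", s))
    return findings


# --- constructed fixtures: a normal click-through banner and one carrying the popup trick ---
def _tag(code, payload):
    if len(payload) >= 0x3F:
        return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload
    return struct.pack("<H", (code << 6) | len(payload)) + payload


def build_swf(actions, compress=False):
    """Wrap one DoAction tag in a minimal one-frame SWF."""
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1)          # empty RECT, 12 fps, 1 frame
    body += _tag(TAG_DO_ACTION, actions) + _tag(TAG_SHOW_FRAME, b"") + _tag(TAG_END, b"")
    data = zlib.compress(body) if compress else body
    return (b"CWS" if compress else b"FWS") + b"\x06" + struct.pack("<I", 8 + len(body)) + data


def act_push_str(s):
    payload = b"\x00" + s.encode("latin-1") + b"\x00"
    return bytes([ACT_PUSH]) + struct.pack("<H", len(payload)) + payload


def act_get_url(url, target="_blank"):
    payload = url.encode("latin-1") + b"\x00" + target.encode("latin-1") + b"\x00"
    return bytes([ACT_GET_URL]) + struct.pack("<H", len(payload)) + payload


BENIGN = build_swf(act_get_url("http://example.invalid/landing") + b"\x00")
SCAREWARE = build_swf(
    act_push_str("eval") + act_push_str("unescape")
    + act_get_url("javascript:window.open('http://scanner.example.invalid/?aid=cast')", "")
    + b"\x00",
    compress=True,
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("scareware", SCAREWARE)):
        print(name, scan_swf(blob) or "clean")
```

A flag is not proof of malice, but it turns the “why the mystery?” question into a mechanical hold, after which a full decompiler such as Action Script Viewer earns its keep. A creative can also fetch its real logic at display time (loadMovie, a remote call for the geo lookup), so a static pass like this belongs alongside, not instead of, watching the live traffic with something like Tamper Data.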
Another Clarion Call
I do like Mike’s call to action for executives:
Executives in the ad industry:
Take a 1-strike approach to all partners that assist in this scam
Be accountable if your organization promotes this scam
Take legal action against partners that abuse you to promote the scam
One strike. I think many people would forgive ad networks if they just spent resources going after the bad parties and making them pay. Publicly traded companies have the resources, and certainly they have brands to guard. It is not only the smart thing to do, but the right thing to do.
The Fall Out Hurts Everyone
If networks don’t step up, if they continue to let it happen, if they don’t strike back, if ad network employees do not have the sophisticated tools and training to screen outside creative, you cannot blame failure on “banner blindness”. One can only blame it on “banner sickness”. Short-term gains are not worth the long-term casualties among the people you serve: your customers, merchants, and end-users.
It is not right by end-users, and it damages the reputation of everyone involved, especially the quality publishers you serve. This is not a problem end-users SHOULD HAVE to combat- this rests firmly within the hands of advertising networks.
Sometimes I feel like a broken record. I wonder if bringing this information to advertisers, merchants, and affiliates has the effect I hope for. Sure, it is good for research and for understanding the latest games malware writers are up to, but ultimately I want malware to go away and the integrity of fair advertising to let people work, create content, and serve people to help them meet their needs.
I think T.V. advertising is dated and the Internet has the great promise to deliver a whole lot more in terms of interactivity, social media, and even better advertising. Then again, one’s television set is not invaded time and time again by the commercials they run. I have never heard of a plasma T.V. “pwning” anyone.
Final Word- Drop By, Learn More, Reach Out
Chris Boyd and I gave a presentation at the RSA 2007 show a few weeks ago. In it we covered two cases we followed, the Q8 Army and the Carder Botnet, and opened the doors to a shadowy world to give people glimpses of things they may not have imagined before. Apparently it went over well, since we are doing a “compressed” encore presentation at FaceTime Communications via WebEx. There is no cost; please come on in and register, but time is almost up. I can’t promise we will be super engaging, but I would like people to consider some of the ideas we advocate and the cases I think Network Quality (NQ) people will find fascinating.
One idea I like to advocate is security firms, legitimate advertising networks, and law enforcement working together to synthesize information faster so we actually dent the problem. I am not sure how that happens. I have been talking to many network quality departments and people seem open to the idea of dialogue, and many honestly do care, but that is as far as it has come in all of my talks. Money and malware go together; that is well known.
Security firms see the malware (and we often work with our competitors and volunteers because it is a daunting task), networks know about the money, and law enforcement... well, it all depends on who you get and how it is presented.
Drop on by, and if you have ideas, feel free to contact either of us. I am wide open to ideas and to sharing them. This “blight” has gone on long enough, and it will take honest collaboration to solve even part of the problem.
Wayne,
You’re right — I should have said ‘obfuscated’ actionscript, not ‘encrypted’. I also do work for Right Media =).
I had a non-obfuscated version of the actionscript a while back, I’ll see if I can dig it up and post it as it shows exactly what they’re doing. In essence, there are two key things the flash files do:
#1 - Check the geo of the user. Since GeoIP databases are too large to store, the file has to request this info from a third-party server.
#2 - Uses javascript to check all sorts of browser parameters. E.g., the timezone of the browser. If the buy is with a US based ad-network, no browser with a US timezone would trigger the active-x.
Mike,
Thanks a bunch for the response and the detailed information. That type of JS sounds very familiar. Can we discuss off-list (wporter@gmail.com)? Well, discussing more on here is better if you can, but connect via e-mail; I would love to look at the source of the JS, analyze it and compare.
Thanks for the contribution and nice sleuthing work.
regards,
Wayne
Found the unobfuscated version, and in the meantime another Errorsafe-related site, ‘cannis.org’. Page updated; the actionscript can be found here: canada.txt.
The best part there is perhaps the JS that decides to pop (majorly edited & commented for clarity, see full version linked):
dt=new Date()
tz=-dt.getTimezoneOffset()/60 // load timezone
p=(n.userAgent.indexOf('SV1')!=-1)||(a&&(a.indexOf('SP2')!=-1)); // check user-agent (browser string)
if(!(tz>=" + _root.tz_end) + "&&tz _root.strongPP = "http://www.errorsafe.com/pages/scanner/index.php?aid=cast&lid=468&ax=1&ex=1&ed=2";
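To make the gating concrete, here is an added Python example (not Mike’s code and not the creative’s own) that restates the decision from the snippet above, the timezone window plus the ‘SV1’/‘SP2’ user-agent test, and runs it over a handful of constructed visitor profiles to show who ever sees the popup. The window bounds (the tz_start/tz_end the server supplies) and the profiles are assumptions; the third-party geo lookup from Mike’s first point is not modelled.

```python
"""The creative's client-side gate, reimplemented so a network QA team can see
which visitors it fires for.  Added example; bounds and profiles are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    name: str
    tz_hours: float               # what -Date.getTimezoneOffset()/60 yields in the browser
    user_agent: str
    app_minor_version: str = ""   # IE-only navigator.appMinorVersion, e.g. ";SP2;"


# tz_start/tz_end are server-supplied in the decoded snippet; for a US buy a window
# from UTC-10 (Hawaii) to UTC-4 (Atlantic) is plausible.  Assumed values.
TZ_START, TZ_END = -10, -4


def is_ie6_xp_sp2(p):
    """p = userAgent has 'SV1' || appMinorVersion has 'SP2' from the snippet.
    'SV1' is the token IE6 on Windows XP SP2 adds to its user-agent string."""
    return "SV1" in p.user_agent or "SP2" in p.app_minor_version


def would_pop(p, tz_start=TZ_START, tz_end=TZ_END):
    """Fire only for the targeted browser AND only when the visitor's clock says
    they are outside the buying network's own region (assumed closed interval)."""
    inside_buy_region = tz_start <= p.tz_hours <= tz_end
    return is_ie6_xp_sp2(p) and not inside_buy_region


def who_gets_popped(profiles, **bounds):
    return [p.name for p in profiles if would_pop(p, **bounds)]


# Constructed profiles: the people who approve the creative versus the people who see it.
IE6_SP2 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
FIREFOX = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

PROFILES = [
    Profile("network QA desk, Seattle, IE6 SP2", -8, IE6_SP2, ";SP2;"),
    Profile("advertiser contact, New York, IE6 SP2", -5, IE6_SP2, ";SP2;"),
    Profile("visitor, London, IE6 SP2", 0, IE6_SP2, ";SP2;"),
    Profile("visitor, London, Firefox", 0, FIREFOX),
    Profile("visitor, Sydney, IE6 SP2", 10, IE6_SP2, ";SP2;"),
]

if __name__ == "__main__":
    print("popped:", who_gets_popped(PROFILES))
    # The same creative re-checked the way a reviewer should: with the clock spoofed to UTC.
    print("QA with clock at UTC:", would_pop(Profile("QA, spoofed tz", 0, IE6_SP2, ";SP2;")))
```

The sweep says what the creative’s author counted on: everyone who signs off on the banner inside the buying region sees a clean ad, and only visitors on the targeted browser outside it get the ActiveX push. A review process that runs creatives only from the network’s own desks with the office clock therefore cannot catch this; the QA matrix needs spoofed timezones and user agents, or a vantage point outside the region.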
“Shut them down, and shut them down for good!”
How?
Excluding violence leaves just two options, and law enforcement does nothing. (Too busy “kicking down doors,” they tell me.) Unfortunately, private lawyers get bad press these days (let alone good karma), and no fraudware case has ever produced a penny of compensation. Hence WinFixer survives.
“It is amazing outfits like this can thrive for so long? I shudder to guess at their ROI- my guess these ‘outfits’ generate thousands if not tens of thousands of dollars or more per day.”
Your estimate is fairly well-documented from credit card charges the WinFixer geniuses left in an open directory last January. Doubtless there are other revenue streams as well. By any measure, fraudware is good for business: Ads get placed, computers get trashed, more hardware and software get sold.
The latest Congressional proposal to stop “spyware,” H.R. 1525, forbids civil suits while allocating $10m to fight the problem. (Similar proposals have failed to pass before.)
WinFixer’s fat and happy.
I’ve heard time after time at Revenews, and other affiliate hangout places, that it’s “all about relationships”. Well, these scumbag BHO system hijackers have some real well-connected relationships with the elite of this affiliate marketing industry. The real question should be.... What’s up with Dat?
Mike at Right Media- Thanks for sharing the information- I am getting it out to the
Joseph- you attended the Webex I believe- so I hope I answered your questions.
Mike Hyland…I wonder what you will do when VoIP and P2PTV come along full steam ahead? Don’t worry- there may not be any “links” to track.
regards,
Wayne
Wayne the newest technology will be embraced by those seeking refuge from the advertising “white noise” of those marketers hell bent on interrupting all meaningful content choices. Unfortunately no one is pushing new media opportunities equal to the privacy guarantees offered up by reading a good book. The rude and crude of the advertising industry refuse to buy the fact that at any given moment 95% of the worlds population isn’t obsessed with buying a darn thing from anyone.
No new technology will be immune from the same ol..same ol Adwhores shoving their foot into every cracked open door. As long as some desperate marketer is willing to compensate the weasels to invade the hen house the cookied link bait will be spread. Offending potential consumers using new or old media, via BHO/adware/spyware/malware, poses no moral or ethical dilemma to those ralying around the advertising industry flag.
Publishers producing domain-bound customer-facing content/product-service showcases need increased commission-based incentives to keep on building. Not one step has been taken by the ad/affiliate networks to perform this necessary task since the 2000 .com bombs went off. Ever report affiliate-enabled merchants paying prime exposure slotting fees or click bonuses on top of regular affiliate commissions to domain-bound affiliates? Corrupting/monetizing VoIP (3rd world telemarketing) and P2PTV (copyright theftware) is child’s play for we healed web 1.0 & 2.0 cookied link corrupters.
Campaign for real value-add to those 5% of consumers looking to buy something on the internet. That would entail rewarding those who filter/focus/ and deliver customers to the right merchant/product at the right time. Today’s crop of cookie cannons and commission thieves negate any network efforts to this end.
Please do your most basic homework before you post again, Mike. After years, your flip and completely off-mark replies are tiresome.
In the words of the HGTTG: “you will be the first up against the wall when the revolution comes.”
Maybe we could get the guys at Mozilla to make Firefox block any activity on the web page and just present a text message of a few words in its place. That way we could click if we were interested or not if not. Being an avid DVR user (I never watch TV in real time), that will be the last jiggling S.O.B. trying to hype credit I’ll ever see. Either that or Google will own the whole thing by keeping it text and not throwing it in your face.