Saturday, March 24, 2007 7:35 AM
sandi
GOTCHA! Winfixer and AOL
I've posted a couple of times on this blog about how visits to AOL pages were redirecting at random to the scareware/malware commonly known as Winfixer (aka SystemDoctor and ErrorSafe aka several other names). On previous occasions I did not have network monitors running, and therefore could only offer screenshots and my word as "proof" of the incidents.
(http://msmvps.com/blogs/spywaresucks/archive/2007/03/22/701346.aspx)
(http://msmvps.com/blogs/spywaresucks/archive/2007/03/21/697330.aspx)
This time, however, Microsoft Network Monitor was running when I visited the AOL page (http://money.aol.com/news/articles/_a/technical-goof-wipes-out-38-billion/20070320140609990001) and was redirected to an ErrorSafe page.
Below are snippets of relevant network data - the full logs are available for inspection and use by the appropriate authorities.
BTW, some of you may find this URL interesting - http://locator.contentsvc.com/sites/winantivirus.com/main/img/en/flash_world_end.swf
I have included a description of what happens when we are redirected to http://www.errorsafe.com/pages/scanner/index.php?aid=oflikely&lid=728&ax=1&ex=1&ed=2 (with screenshots) at the end of this article.
Editorial: It is well and truly time for MSN, MS, AOL and any other big name that has had their advertising networks infiltrated by the crud that is commonly known as Winfixer to go after Winfixer, its affiliates, and the sites that host the malware by using every legal avenue open to them, and with no holds barred. I say join forces and go after those behind Winfixer, those who host it, and those who spread it, with every legal weapon at your disposal. Shut them down, and shut them down for good!
What is Winfixer and why is it so bad?
Winfixer is betrayware and scareware. Detailed information about ErrorSafe, the Winfixer variant cited in this article, is here:
http://research.sunbelt-software.com/threatdisplay.aspx?name=ErrorSafe&threatid=42636
More information is available at Wikipedia:
http://en.wikipedia.org/wiki/WinFixer
Rogue Antispyware (also known as Betrayware):
http://www.spywarewarrior.com/rogue_anti-spyware.htm
DISCLAIMER: PLEASE DO NOT VISIT THE URLS IN THIS ARTICLE UNLESS YOU ARE USING A COMPUTER THAT IS WELL SECURED, YOU ARE RUNNING THE LATEST VERSION OF YOUR WEB BROWSER, AND YOU HAVE INSTALLED ALL SECURITY PATCHES RELEVANT TO YOUR SYSTEM AND SOFTWARE, AND YOU KNOW WHAT YOU ARE DOING - SOME OF THE FOLLOWING URLS *WILL* TRY TO INSTALL ERRORSAFE ON TO YOUR COMPUTER.
Network captures....
- HTTP: Request, GET http://www.errorsafe.com/pages/scanner/index.php
Command: GET
- URI: http://www.errorsafe.com/pages/scanner/index.php?aid=oflikely&lid=728&ax=1&ex=1&ed=2
Location: http://www.errorsafe.com/pages/scanner/index.php
aid: oflikely
lid: 728
ax: 1
ex: 1
ed: 2
ProtocolVersion: HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
Accept-Language: en-US
Referer: http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353a/3/0/%252a/j%253B9113498
ContentType: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
Host: http://www.errorsafe.com/
Proxy-Connection: Keep-Alive
Cookie: lang=en; aid=oflikely; lid=728; cnt=AU; lng=en
HeaderEnd: CRLF
- HTTP: Request, GET http://www.errorsafe.com/pages/scanner/index.php
Command: GET
- URI: http://www.errorsafe.com/pages/scanner/index.php?aid=oflikely&lid=728&ax=1&ex=1&ed=2
Location: http://www.errorsafe.com/pages/scanner/index.php
aid: oflikely
lid: 728
ax: 1
ex: 1
ed: 2
ProtocolVersion: HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
Accept-Language: en-US
Referer: http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353a/3/0/%252a/j%253B9113498
ContentType: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
Host: http://www.errorsafe.com/
Proxy-Connection: Keep-Alive
Cookie: lang=en; aid=oflikely; lid=728; cnt=AU; lng=en
Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHAXAAAADw==
HeaderEnd: CRLF
- HTTP: Request, GET http://www.errorsafe.com/pages/scanner/index.php
Command: GET
- URI: http://www.errorsafe.com/pages/scanner/index.php?aid=oflikely&lid=728&ax=1&ex=1&ed=2
Location: http://www.errorsafe.com/pages/scanner/index.php
aid: oflikely
lid: 728
ax: 1
ex: 1
ed: 2
ProtocolVersion: HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
Accept-Language: en-US
Referer: http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353a/3/0/%252a/j%253B9113498
ContentType: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
Cookie: lang=en; aid=oflikely; lid=728; cnt=AU; lng=en
Proxy-Connection: Keep-Alive
Proxy-Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAIYAAAAeAR4BngAAABoAGgBYAAAACgAKAHIAAAAKAAoAfAAAABAAEAC8AQAAFYKI4gYAcBcAAAAPsKxKTdXkb42e5CbZCmE/GUgAQQBSAEQATQBFAEkARQBSADIAMAAwADMAcwBhAG4AZABpAEYAVABRADAANADiS3am/gxUr5ks7Z7nHPrlXntugRWVeronRvfqMZhglYzRdEj
- HTTP: Request, GET http://adfarm.mediaplex.com/ad/ck/50866
Command: GET
- URI: http://adfarm.mediaplex.com/ad/ck/50866?mpt=[CACHEBUSTER]&aid=oflikely_rdt
Location: http://adfarm.mediaplex.com/ad/ck/50866
mpt: [CACHEBUSTER]
aid: oflikely_rdt
ProtocolVersion: HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
Accept-Language: en-US
Referer: http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353a/3/0/%252a/j%253B9113498
Cookie: svid=7106602301
UA-CPU: x86
Accept-Encoding: gzip, deflate
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
Proxy-Connection: Keep-Alive
Host: adfarm.mediaplex.com
HeaderEnd: CRLF
- HTTP: Request, GET http://www.errorsafe.com/pages/scanner/
Command: GET
- URI: http://www.errorsafe.com/pages/scanner/?p=18&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=oflikely_rdt
Location: http://www.errorsafe.com/pages/scanner/
p: 18
ax: 1
ex: 1
ed: 2
mpt: [CACHEBUSTER]
aid: oflikely_rdt
ProtocolVersion: HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
Accept-Language: en-US
Referer: http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353a/3/0/%252a/j%253B9113498
Cookie: lang=en; gI=YTo0OntzOjEyOiJjb3VudHJ5X2NvZGUiO3M6MjoiQVUiO3M6NzoiY291bnRyeSI7czo5OiJhdXN0cmFsaWEiO3M6NToic3RhdGUiO3M6MTY6Indlc3Rlcm5hdXN0cmFsaWEiO3M6NDoiY2l0eSI7czo1OiJwZXJ0aCI7fQ%3D%3D; aid=oflikely; lid=728; cnt=AU; lng=en
UA-CPU: x86
Accept-Encoding: gzip, deflate
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
Host: www.errorsafe.com
Proxy-Connection: Keep-Alive
HeaderEnd: CRLF
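The captures above document the whole hop in their Referer headers: every request to errorsafe.com and mediaplex.com was referred by the Flash ad creative on 2mdn.aolcdn.com, and the affiliate id (aid=oflikely, then oflikely_rdt) tags who gets paid for the redirect. As an added example (not code from the original post), the script below parses Network Monitor request blocks in this text layout, lists the cross-site hops with their affiliate ids, and decodes the errorsafe.com gI cookie, which is URL-encoded base64 of a PHP-serialised geolocation array. The CAPTURE string is constructed from the headers shown above, trimmed to the lines the analysis needs.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in the Network Monitor text layout shown in the post.
CAPTURE = """\
- HTTP: Request, GET http://www.errorsafe.com/pages/scanner/index.php
- URI: http://www.errorsafe.com/pages/scanner/index.php?aid=oflikely&lid=728&ax=1&ex=1&ed=2
Referer: http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353a/3/0/%252a/j%253B9113498
Cookie: lang=en; aid=oflikely; lid=728; cnt=AU; lng=en
- HTTP: Request, GET http://adfarm.mediaplex.com/ad/ck/50866
- URI: http://adfarm.mediaplex.com/ad/ck/50866?mpt=[CACHEBUSTER]&aid=oflikely_rdt
Referer: http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353a/3/0/%252a/j%253B9113498
Cookie: svid=7106602301
- HTTP: Request, GET http://www.errorsafe.com/pages/scanner/
- URI: http://www.errorsafe.com/pages/scanner/?p=18&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=oflikely_rdt
Referer: http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353a/3/0/%252a/j%253B9113498
Cookie: lang=en; gI=YTo0OntzOjEyOiJjb3VudHJ5X2NvZGUiO3M6MjoiQVUiO3M6NzoiY291bnRyeSI7czo5OiJhdXN0cmFsaWEiO3M6NToic3RhdGUiO3M6MTY6Indlc3Rlcm5hdXN0cmFsaWEiO3M6NDoiY2l0eSI7czo1OiJwZXJ0aCI7fQ%3D%3D; aid=oflikely; lid=728; cnt=AU; lng=en
"""

def parse_requests(text):
    """One dict per '- HTTP: Request' block, header names lower-cased."""
    reqs = []
    for line in text.splitlines():
        if line.startswith("- HTTP: Request"):
            reqs.append({})
        elif line.startswith("- URI: "):
            reqs[-1]["uri"] = line[len("- URI: "):]
        elif ":" in line and reqs:
            name, value = line.split(":", 1)
            reqs[-1][name.strip().lower()] = value.strip()
    return reqs

def redirect_chain(reqs):
    """Cross-site hops as (referring host, requested host, affiliate id)."""
    hops = []
    for r in reqs:
        src, dst = urlsplit(r.get("referer", "")), urlsplit(r["uri"])
        if src.hostname and src.hostname != dst.hostname:
            aid = parse_qs(dst.query).get("aid", [""])[0]
            hops.append((src.hostname, dst.hostname, aid))
    return hops

def decode_geo_cookie(cookie_header):
    """The gI cookie is URL-encoded base64 of a PHP-serialised array."""
    m = re.search(r"gI=([^;]+)", cookie_header)
    if not m:
        return {}
    php = base64.b64decode(unquote(m.group(1))).decode("ascii")
    return dict(re.findall(r's:\d+:"([^"]+)";s:\d+:"([^"]*)";', php))
```

Running it over the sample yields three hops, all referred by 2mdn.aolcdn.com, and a gI cookie carrying country, state and city, which shows errorsafe.com geotargeting its scanner page per visitor.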
Who are 2mdn.aolcdn.com? Well, here is the DNS Lookup: 2mdn.aolcdn.com A record:
Searching for 2mdn.aolcdn.com A record at k.root-servers.net [193.0.14.129]: Got referral to j.gtld-servers.net. (zone: com.) [took 77 ms]
Searching for 2mdn.aolcdn.com A record at j.gtld-servers.net. [192.48.79.30]: Got referral to dns-07.ns.aol.com. (zone: aolcdn.com.) [took 312 ms]
Searching for 2mdn.aolcdn.com A record at dns-07.ns.aol.com. [64.236.1.107]: Got CNAME of 2mdn.aolcdn.com.edgesuite.net. and referral to d.root-servers.net [took 84 ms]
Searching for 2mdn.aolcdn.com.edgesuite.net A record at a.root-servers.net [198.41.0.4]: Got referral to B.GTLD-SERVERS.net. (zone: net.) [took 30 ms]
Searching for 2mdn.aolcdn.com.edgesuite.net A record at B.GTLD-SERVERS.net. [192.33.14.30]: Got referral to ns1-137.akam.net. (zone: edgesuite.net.) [took 396 ms]
Searching for 2mdn.aolcdn.com.edgesuite.net A record at ns1-137.akam.net. [193.108.91.137]: Got CNAME of a1551.g.akamai.net. and referral to h.root-servers.net [took 5 ms]
Searching for a1551.g.akamai.net A record at h.root-servers.net [128.63.2.53]: Got referral to d.gtld-servers.net. (zone: net.) [took 29 ms]
Searching for a1551.g.akamai.net A record at d.gtld-servers.net. [192.31.80.30]: Got referral to zf.akamaitech.net. (zone: akamai.net.) [took 36 ms]
Searching for a1551.g.akamai.net A record at zf.akamaitech.net. [195.27.203.4]: Got referral to n2g.akamai.net. (zone: g.akamai.net.) [took 102 ms]
Searching for a1551.g.akamai.net A record at n2g.akamai.net. [69.31.88.58]: Got CNAME of a1551.g.akamai.net.47581f45.1.cn.akamaitech.net. and referral to g.root-servers.net [took 11 ms]
Searching for a1551.g.akamai.net.47581f45.1.cn.akamaitech.net A record at j.root-servers.net [192.58.128.30]: Got referral to I.GTLD-SERVERS.net. (zone: net.) [took 389 ms]
Searching for a1551.g.akamai.net.47581f45.1.cn.akamaitech.net A record at I.GTLD-SERVERS.net. [192.43.172.30]: Got referral to zd.akamaitech.net. (zone: akamaitech.net.) [took 110 ms]
Searching for a1551.g.akamai.net.47581f45.1.cn.akamaitech.net A record at zd.akamaitech.net. [61.200.81.116]: Got referral to n7cn.akamaitech.net. (zone: cn.akamaitech.net.) [took 372 ms]
Searching for a1551.g.akamai.net.47581f45.1.cn.akamaitech.net A record at n7cn.akamaitech.net. [72.247.127.103]: Reports a1551.g.akamai.net.47581f45.1.cn.akamaitech.net. [took 800 ms]
Following is a description of what happened when I visited http://money.aol.com/news/articles/_a/technical-goof-wipes-out-38-billion/20070320140609990001
My Web browser was redirected to http://www.errorsafe.com/pages/scanner/index.php?aid=oflikely&lid=728&ax=1&ex=1&ed=2
Then, we are immediately redirected to the site at the URL below:

Clicking on the red X close button results in another redirect, this time to the page below. Note the info bar warning of an attempt to install ErrorSafeNewReleaseInstall.cab, and the "Error Detected" alert. It is important to note that the close button on the "Error Detected" alert is NOT clickable. A user has three choices: click on "OK", click on "More Info", or close the page in its entirety.
Clicking on "More Info" simply closed the alert, and clicking on "OK" led to this URL http://www.errorsafe.com/pages/scanner/download_sp1.php?aid=oflikely_rdt_au_en_ed2&lid=keyin (and triggered the two dialogue boxes that appear in the last two screenshots).

I closed the window and immediately saw another dialogue box - as always I strongly recommend AGAINST clicking on the OK or Cancel buttons. Use the red X close button instead.

I used the red close button to close that dialogue box and immediately saw the following. After clicking on the red X close button, the Web site *finally* closed.
