Spyware Sucks

A contact at Microsoft put me in touch with the appropriate people at AOL this morning - an advertising tech lead and a gentleman involved in policy and compliance.  Thanks to a network capture that I gave to AOL they were finally able to track down the rogue advertiser who had infiltrated the AOL ad network to serve up winfixer malware advertisements and shut the ads down.

Once the guys at AOL and I actually hooked up, it only took a few hours to get the account shut down.  Damned if I know why it took so long for us to connect, but it did.

AOL's official statement on the incident is:

"We use a wide range of technical and policy measures to prevent malware distributors from placing advertisements on our networks, but apparently one was able to circumvent those measures.  We have blocked this ad campaign and [are] working with our technical and legal teams to take additional steps to block similar issues in future."

Not long ago Winfixer also infiltrated the MSN advertisement network.  At the time MS issued the following answers to questions put to them:

1. What are Microsoft's policies on what is acceptable in terms of content in ads?
Microsoft's advertising policy states that our customers' online experience is protected from deceptive and misleading advertisements. We also have a high standard for the content that appears in ads. Some categories of advertisements-such as pornography, gambling or spyware/malware-are simply not appropriate for our audience. Additionally, we also exclude our competitors from running ads on our network and on specific sites.

2. What are Microsoft's policies and practices around content in ads on the Live/MSN properties?
Microsoft's Creative Acceptance Policy dictates the type of content ads that are appropriate for the MSN and Windows Live network. According to the policy, Microsoft follows three core guidelines when reviewing ads for MSN and Windows Live properties:
*       Images and text must accurately represent the product or services.
*       Cross media campaigns must deliver consistent imagery and messaging.
*       Offers and sweepstakes must clearly identify the appropriate actions necessary.
To ensure that advertisements meet our standards, ads are visually reviewed for compliance with the Creative Acceptance Policy.

Microsoft have not issued a formal statement to me about the Winfixer outbreak on their network per se, but I did have a one-on-one meeting with a Director in Community & Intelligence, Security Research and Response about the incident and what needs to happen going forward.  The primary point of the meeting was to discuss my concern that historically, once winfixer manages to infiltrate a network once, they continue to do so.

Reality is that the problem of "bait and switch", and other deceitful practices that the bad guys employ to prevent discovery, is not going to go away.  We can write all the policies and procedures that we want, and lay down rule after rule, but if the bad guys ignore said policies and procedures and rules and do what they can to circumvent them and minimise detection, then our only hope is to catch them in the act - and that, gentle reader, is far easier said than done.

When I see talk of policies and procedures, and rules and regulations, being used to police and control the bad guys I can't help but reflect on the fact that the bad guys don't care about, and invariably ignore, such rules and regulations, policies and procedures.  We are not dealing with gentlemen, working by gentleman's rules, who are bound by morals and ethics that control their actions.  The persons behind malware such as winfixer are not constrained by such things as morals or ules. Until we accept this basic reality we will continue to be outwitted by the bad guys.

I am not confident that MS and AOL and the advertising networks they use are going to be able to block the bad guys going forward, not unless they make the difficult (and financially penalising) decision to host their own creatives, thereby preventing bait and switch.  Technical safety measures are failing and as long as we allow third parties to host the content that we display on your networks, we are at risk.

It's an arms race out there. The bad guys get in - we learn from the incident - we plug the hole and they then try to find another way.  The bad guys try to avoid detection by their hosts by using various tricks, but reality is that sooner or later their wares must appear on a victim's computer and they are then detectable, and traceable.  

We tracked them down on the MSN network, and we tracked them down on the AOL network, and I'll continue to do what is needed to track down those behind future outbreaks.  The game is by no means over.