April 2007 - Posts

I originally spotted this article thanks to Harry Waldron's blog, and what I read there saddens me.

Many of us have known for a while that the primary reason the bad guys infect our computers has changed from "I've got the biggest schwang because I infected the most PCs" script kiddy bragging to financially and criminally motivated goals.  The bad guys want to 0wn our computers so that they can use our broadband connections to distribute spam, so that our computers can be used as involuntary hosts of warez and other crud, and to harness our computers to be used as zombies in attacks against various Web sites.

I know that computer owners do not realise their lovely new machines may be used to score points in a political war on distant shores, but that is the reality of the Internet world - and I hate it.  What happened to the brave visions for "the Internet" back when it was a babe? What happened to the visions of the global good - the ease of communication, the spreading knowledge, and education - empowering users, teaching them and strengthening them?

I've heard some analysts suggest that up to 98% of all spam is being sent via infected computers, and the bad guys don't care if those computers are owned by business, or grandma and granddad in the local retirement home.  You can be a pacifist, you can be anti-war, you can be pro-peace, you can be on the other side of the world and completely unaware of what is going on in distant countries you never think of and will never visit, but your computer may still be used in somebody else's "war".

I wish for the "good old days" when malware did no more than add a toolbar to IE, change your Search Engine and home page, and throw up pop-up windows advertising stuff you wouldn't buy anyway.

Unrest in Estonia:
http://www.f-secure.com/weblog/archives/archive-042007.html#00001181

Update on the Estonian DDoS attacks:
http://www.f-secure.com/weblog/archives/archive-042007.html#00001183

 

I love this little programme, which is a free RSS plugin for IE7.  It adds an icon to your system tray and displays when you have unread posts in your subscribed RSS feeds.  It can be downloaded here:
http://www.wictorwilen.se/msfeedicon.aspx

msfeedicon offers the following features:

  • Icon in the system tray indicating status of your feed subscriptions
  • Displays notifications when a feed contains new posts (customisable)
  • Automatically marks a feed as read (customisable)
  • Force an update on all feeds
  • Star a notification for later reading
  • Mark as read without viewing the feed
  • Cancel subscription from notification window
  • Searching the new posts for specific Tags so you can select which posts are interesting to you
  • Feed statistics
  • Install and uninstall program
  • Shows notifications when a new version of msfeedicon exists (customisable)
  • Enable or disable the automatic synchronization of Windows RSS platform
  • Presentation mode aware (Windows Vista only)


Personally I prefer msfeedicon to Feeds Plus (even though Feeds Plus was developed by the IE RSS team) because Feeds Plus just didn't behave well on my system and it isn't as feature rich as msfeedicon, but if you want to compare the products, Feeds Plus can be downloaded here:
http://www.enhanceie.com/ie/feedsplus.asp

You can find my previous comments about Feeds plus here:
http://msmvps.com/blogs/spywaresucks/archive/2007/01/26/521121.aspx

Update: the ieak.microsoft.com/1.0/... links are M.I.A as at 5.59pm 29 April, Perth local time.

Go here:
http://www.microsoft.com/technet/prodtechnol/ie/ieak/license/default.mspx

Click on "look up customization code" to go here:
http://ieak.microsoft.com/1.0/lookupcode.asp

Then click on "License and Registration Page" link:
http://ieak.microsoft.com/1.0/newlicensee.asp

The following has been inserted into the page's source code:

<body onload="document.body.innerHTML='<p align=center><font size=7>Own3d by Cyber-Terrorist</font><img src=http://c2000.com/gifs/billgates.jpg><p align=center><font size=7>--Cyb3rT--</font></p>

The code results in what looks like a redirect, but isn't. What you see instead of Microsoft's intended content for the page is:

As far as I can tell, this incident was originally reported in the blogosphere by: http://www.alex-smith.me.uk/?p=76

Too funny:
http://www.irintech.com/x1/blogarchive.php?id=954

I have just finished reading the latest entry on the McAfee Site Advisor blog that says, as introduction:

"For the past couple of weeks, we've been seeing an increase in spam advertising a fake application called WinFixer."

Yay them. I've been noticing a massive increase in spamming, especially via blog comments, for several months.

McAfee then go on to say:

"Another variant of the same application goes under the name of PrivacyProtector. The PrivacyProtector website is currently rated green by SiteAdvisor, because it hasn't had any downloads for us to test. However, we'll be overriding that to red shortly, based on its association with WinFixer."

Ok, so here's a problem with McAfee's Site Advisor, something that has bothered me for a long time.  Site Advisor's reputation tests suffer from a very basic flaw if a rip-off site like PrivacyProtector is not listed simply because it has no downloads available for testing.  What about the fact that PrivacyProtector shares an IP address with some very shonky sites?  Check this out:

Pinging www.errorsafe.com [66.244.254.64]

Pinging www.winantispyware.com [66.244.254.64]

Pinging www.winantivirus.com [66.244.254.63]

Pinging www.privacyprotector.com [66.244.254.63]

At the time of writing, McAfee Site Advisor is *still* listing PrivacyProtector as green, whereas Trend's competitor product, TrendProtect, is listing the site as red.

So why is Trend ahead of the game on this one?  Because Trend is a "real time" service, and it uses additional checks not included by McAfee when assessing a site's reputation. 
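The shared-IP check the ping results above illustrate can be automated. The block below is an added example, not code from the original post or from either reputation product: it takes a table of domain-to-address resolutions (constructed here from the ping output quoted above, plus one unrelated control entry on a TEST-NET address) and a seed list of domains already rated red, and reports any domain that resolves to the same address as a known-rogue one. The seed list, the control entry and the function names are assumptions for the illustration.

```python
"""Shared-IP reputation pivot (added illustration, not from the original post).

Given domain -> IP resolutions and a set of domains already known to be rogue,
flag the domains that are not yet listed but share an address with one that is.
"""
import socket
from collections import defaultdict

# Constructed from the ping output quoted in the post (addresses as of April 2007),
# plus one unrelated control entry on a TEST-NET-2 address.
RESOLVED = {
    "www.errorsafe.com": "66.244.254.64",
    "www.winantispyware.com": "66.244.254.64",
    "www.winantivirus.com": "66.244.254.63",
    "www.privacyprotector.com": "66.244.254.63",
    "www.example.com": "198.51.100.7",  # constructed control entry
}

# Constructed seed list: domains a reputation service has already rated red.
KNOWN_BAD = {"www.errorsafe.com", "www.winantivirus.com"}


def resolve_all(domains, resolver=socket.gethostbyname):
    """Resolve each name with `resolver`; names that fail to resolve are skipped.

    The default resolver does live DNS lookups. Passing a dict's .get (as the
    example below does) runs the same logic offline from a stored table.
    """
    table = {}
    for name in domains:
        try:
            addr = resolver(name)
        except (socket.gaierror, OSError):
            continue
        if addr:
            table[name] = addr
    return table


def group_by_ip(resolved):
    """Invert domain -> IP into IP -> sorted list of domains on that address."""
    groups = defaultdict(list)
    for name, addr in resolved.items():
        groups[addr].append(name)
    return {addr: sorted(names) for addr, names in groups.items()}


def infer_by_shared_ip(resolved, known_bad):
    """Return {domain: [known-bad neighbours]} for every domain that is not in
    `known_bad` but resolves to the same address as at least one that is."""
    suspects = {}
    for names in group_by_ip(resolved).values():
        bad_here = [n for n in names if n in known_bad]
        if not bad_here:
            continue  # nothing rogue on this address, nothing to infer
        for n in names:
            if n not in known_bad:
                suspects[n] = bad_here
    return suspects


if __name__ == "__main__":
    table = resolve_all(RESOLVED, resolver=RESOLVED.get)
    for domain, neighbours in sorted(infer_by_shared_ip(table, KNOWN_BAD).items()):
        print(f"{domain}: shares {table[domain]} with {', '.join(neighbours)}")
```

Run against the table above it reports winantispyware.com (co-located with errorsafe.com) and privacyprotector.com (co-located with winantivirus.com), while the control entry stays clean. A shared address is a signal to follow up, not proof on its own: on shared hosting plenty of unrelated, perfectly legitimate sites sit on one IP, so the output is a candidate list for the analyst, which is why a reputation service would treat it as one input among several rather than an automatic red rating.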

When people ask me what service I advise be used as an additional layer of reputation information to complement IE7's phishing filter and extended validation certificate support, I direct them to TrendProtect (available at http://www.trendsecure.com/portal/en-US/free_security_tools/trendprotect.php?page=download).

Just what does this say about Japan's education standards, at least when it comes to what is a sheep, and what is a dog...

Thousands of Japanese have been swindled in a scam in which they were sold Australian and British sheep and told they were poodles.

The scam was uncovered when Japanese film star Maiko Kawamaki went on a talk-show and wondered why her new pet would not bark or eat dog food.

She was crestfallen when told it was a sheep.

Source: http://www.news.com.au/story/0,23599,21629305-2,00.html

Open to the public for preview and feedback purposes:
http://www.microsoft.com/security/portal/

More important security related announcements from Microsoft here:
http://blogs.technet.com/rhalbheer/archive/2007/04/25/three-microsoft-announcements.aspx

For heavens sake, just withdraw the charges and have done with it!

Julie Amero's sentencing has been delayed, for the third time, this time until 18 May.  Apparently the reason for the latest delay is that "The state has not completed a full examination of all the issues which may affect its position at the sentencing hearing,".

Source: http://www.norwichbulletin.com/apps/pbcs.dll/article?AID=/20070425/NEWS01/704250301

My regular readers will remember my various articles about the Winfixer infiltration of the AOL and MSN advertising networks that happened not long ago.  Winfixer infiltration of Web site advertising (as well as forum and comment spam) continues to be problematic, and one name that keeps on popping up over and over again is adfarm.mediaplex.com (Mediaplex is owned by ValueClick).  The problem seems to be so endemic that any web site, forum or Web comment that utilises links that redirect to adfarm.mediaplex.com are potentially placing their visitors at risk of a Winfixer infection.

Over the past couple of months I have had in-person and telephone conferences with representatives and technical staff at MSN and AOL as a direct result of the Winfixer infiltrations of various advertising networks.  They have learned a lot from the events of the past few months, as have I.  I don't think any of us realised how widespread the problem was, or just how sophisticated the bad guys were getting, until we started taking a close look.

Mike Burgess and I have been having a close look at adfarm.mediaplex.com.  I have tried to contact ValueClick regarding the adfarm.mediaplex.com problems using their “contact us” page on their Web site, but as of yet have received no response (and those of you that know me well know that a failure to respond is sure to intensify the attention that I pay to a problem advertisement network).  I will be contacting them directly via an email address given to me by an associate as soon as this article goes live, and will report on their responses, if any.

Edit 26 April: There has been no response from ValueClick

Edit 27 April: ValueClick have responded to advise they are investigating

Edit 8 May: ValueClick report that they are still investigating

Why is Winfixer bad?

The Winfixer group of products is listed as a “Rogue Security Product” in the latest Microsoft Security Response Report.  The Microsoft Security Intelligence Report can be downloaded here:
http://download.microsoft.com/download/f/d/a/fda5850e-269f-40a3-9708-c60eb837456f/MS_Security_Report_Jul-Dec06.pdf

Microsoft’s definition of “Rogue Security Products” is:

“These products appear under a variety of names and produce a variety of results for the end user, ranging from limited or no detection capability, coupled with a fraudulent request to pay for a “full” version, to outright malicious behavior, such as installing malicious software without the user’s consent in order to give the product something to detect. In many cases, the people behind such software would attempt to get the infected individual to pay them for removal of purported infections using fraud and social engineering.” 

A worrying statistic from the Rogue Security Products table that specifically mentions Winfixer products is that 55% of users who have WinSoftware.WinAntiVirus installed, and 31.3% of users who have WinSoftware.WinAntiSpyware installed chose to *ignore* the detection, with only 30.6% and 37.6% respectively choosing to remove the software.  I can only assume that the victims of these products are choosing to believe that the various Winfixer offerings are legitimate products instead of heeding the warning being given by Windows Defender. 

In contrast, 75.7% of Windows Defender users choose to remove the “potentially unwanted software” C2.LOP (aka C2Media, aka Circle Distribution, and the software commonly known as the Messenger Plus! Sponsor Program).

Now, all of us are entitled to earn an income, all of us are entitled to advertise, and companies such as Mediaplex and ValueClick are entitled to offer a service to advertisers.  BUT, I believe that a line is crossed when deceit is practiced – when the advertisers that Mediaplex and ValueClick are "enabling" via their services try to automatically download and install their product on to your system (thank heaven for IE’s info bar that stops such things from happening automatically), when an advertisement tries to trick you into thinking that your computer system is having issues or that your privacy is at risk, or when the software being touted falsely reports infections where none exists – companies such as ValueClick and Mediaplex should run, screaming, from such clients.  Slowly but surely I'm seeing a move towards forcing advertisers, and those who use their services, to ensure that those they associate and do business with are ethical and above board, as distinct to just making sure that their own actions are ok.  In short, saying "but it wasn't me" and "but I didn't know" isn't the end-of-responsibility argument that it used to be.

Winfixer prevalence

Just how pervasive is the spamming, pimping and touting of Winfixer domains?  How many adverts are out there pushing people to such sites, and how many potential infectees are there?  Well, let’s have a look at the Alexa Traffic Ranking of various Winfixer sites:

Drivecleaner.com:
http://www.alexa.com/data/details/traffic_details?url=www.drivecleaner.com
(rank 587) (570 on 26 April)

Systemdoctor.com:
http://www.alexa.com/data/details/traffic_details?url=www.systemdoctor.com
(ranking 966) (929 on 26 April)

Errorsafe:
http://www.alexa.com/data/details/traffic_details?url=www.errorsafe.com
(ranking 1,001) (990 on 26 April)

Winantivirus:
http://www.alexa.com/data/details/traffic_details?url=www.winantivirus.com
(ranking 1,630) (1,574 on 26 April)

Winantispyware:
http://www.alexa.com/data/details/traffic_details?url=www.winantispyware.com
(rank 4,793) (4,539 on 26 April)

Errorprotector.com:
http://www.alexa.com/data/details/traffic_details?url=www.errorprotector.com
(ranking 7,636) (6,966 on 26 April)

Gomyron.com:
http://www.alexa.com/data/details/traffic_details?url=www.gomyron.com
(ranking 214,212) (197,535 on 26 April)

By way of comparison with legitimate security products, mcafee.com has a ranking of 932 (954 on 26 April), symantec.com has a ranking of 218 (222 on 26 April), ca.com has a ranking of 3,148 (3,262 on 26 April) and trendmicro.com has a ranking of 2,335 (2,361 on 26 April).

How is ValueClick involved in the spread of Winfixer?

ValueClick owns Mediaplex, and Mediaplex is an oft-spotted contributor to the spread of Winfixer malware.

Just some adfarm.mediaplex.com URLs that redirect to Winfixer and Winfixer-like sites include:

hxxp://go.errorsafe.com/MTUwNzE=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45684?mpt=1177402585&aid=swp_ers&lid=5590&affid=pp_841427153&p=ers&ax=1&ed=1&ex=1

hxxp://go.winantivirus.com/NTIzMw==/2/3224/ax=1/ex=1//
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45678?mpt=1177404112&aid=swp_wa7p&lid=3224&affid=pp_2131627152&ax=1&ex=1

hxxp://go.winantispyware.com/MTUwNjU=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45682?mpt=1177473791&aid=swp_was7&lid=5590&affid=pp_117727353&p=was&ax=1&ed=1&ex=1

hxxp://go.winantispyware.com/NTY2Mg==/2/3345/ax=1/ed=1/ex=1/af6/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45682?mpt=1177485361&aid=swp_was7&lid=3345&affid=pp_669127382&p=was&ed=1&ex=1

hxxp://go.privacyprotector.com/MTUwNjc=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/49988?mpt=1177473894&aid=swp_pp&lid=5590&affid=pp_181027351&ax=1&ed=1&ex=1

hxxp://go.winantivirus.com/MTUwNjg=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45678?mpt=1177474037&aid=swp_wa7p&lid=5590&affid=pp_271427354&ax=1&ed=1&ex=1

hxxp://go.drivecleaner.com/MTUwNjk=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45688?mpt=1177474361&aid=swp_dc&lid=5590&affid=pp_469727351&ax=1&ed=1&ex=1

hxxp://go.errorprotector.com/MTUwNzA=/2/5590/ctx=1/in=1/epp=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/49487?mpt=1177474589&aid=swp_erp&lid=5590&affid=pp_619327354&ctx=1&in=1&epp=1

hxxp://go.systemdoctor.com/MTUwNzI=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45686?mpt=1177474773&aid=swp_sdr&lid=5590&affid=pp_737127354&ax=1&ed=1&ex=1

hxxp://gomyron.com/MTUwNzM=/2/5590/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/7412-39608-16292-6?mpt=1177475141&aid=swp_ron&lid=5590&affid=pp_944227352&
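When reporting a problem like this to an ad network, a list of concrete identifiers (click ids, advertiser codes, affiliate ids) is far more actionable than a pile of raw URLs. The block below is an added example, not code from the original post or from Mediaplex/ValueClick: it refangs the defanged hxxp:// pairs quoted above, pulls the click id and the aid/affid query parameters out of each adfarm.mediaplex.com URL, and summarises which advertiser codes occur with which brand domains. The chain subset embedded in it is copied from the pairs above; the two-label "registrable domain" shortcut and the function names are assumptions for the illustration.

```python
"""Redirect-chain summary for ad-network click URLs (added illustration,
not code from the original post). Parses the defanged (hxxp://) URL pairs
quoted in the post and groups the ad-network identifiers by advertiser code."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed input: a subset of the "redirects to" pairs quoted in the post.
CHAINS = [
    ("hxxp://go.errorsafe.com/MTUwNzE=/2/5590/ax=1/ed=1/ex=1/555/",
     "hxxp://adfarm.mediaplex.com/ad/ck/45684?mpt=1177402585&aid=swp_ers&lid=5590&affid=pp_841427153&p=ers&ax=1&ed=1&ex=1"),
    ("hxxp://go.winantivirus.com/NTIzMw==/2/3224/ax=1/ex=1//",
     "hxxp://adfarm.mediaplex.com/ad/ck/45678?mpt=1177404112&aid=swp_wa7p&lid=3224&affid=pp_2131627152&ax=1&ex=1"),
    ("hxxp://go.winantivirus.com/MTUwNjg=/2/5590/ax=1/ed=1/ex=1/555/",
     "hxxp://adfarm.mediaplex.com/ad/ck/45678?mpt=1177474037&aid=swp_wa7p&lid=5590&affid=pp_271427354&ax=1&ed=1&ex=1"),
    ("hxxp://gomyron.com/MTUwNzM=/2/5590/555/",
     "hxxp://adfarm.mediaplex.com/ad/ck/7412-39608-16292-6?mpt=1177475141&aid=swp_ron&lid=5590&affid=pp_944227352&"),
]

AD_NETWORK = "adfarm.mediaplex.com"
CLICK_RE = re.compile(r"^/ad/ck/([0-9-]+)")  # click-tracker path: /ad/ck/<id>


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// URL back into one urlsplit can parse."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def registrable(host):
    """Crude two-label registrable domain (go.errorsafe.com -> errorsafe.com).
    Assumption for the illustration; real code would use a public-suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def parse_click(url):
    """Extract click id, advertiser code (aid) and affiliate id (affid) from an
    AD_NETWORK click URL. Returns None for any URL that is not such a click URL."""
    u = urlsplit(refang(url))
    if u.hostname != AD_NETWORK:
        return None
    m = CLICK_RE.match(u.path)
    if not m:
        return None
    q = parse_qs(u.query)  # trailing '&' and blank values are ignored
    return {"click_id": m.group(1),
            "aid": q.get("aid", [""])[0],
            "affid": q.get("affid", [""])[0]}


def summarise(chains):
    """Map each advertiser code to the brand domains, click ids and affiliate
    ids seen with it across the (source, destination) chains."""
    summary = {}
    for src, dst in chains:
        click = parse_click(dst)
        if click is None:
            continue  # destination is not an ad-network click URL; skip it
        brand = registrable(urlsplit(refang(src)).hostname)
        entry = summary.setdefault(click["aid"],
                                   {"brands": set(), "click_ids": set(), "affids": set()})
        entry["brands"].add(brand)
        entry["click_ids"].add(click["click_id"])
        entry["affids"].add(click["affid"])
    return summary


if __name__ == "__main__":
    for aid, info in sorted(summarise(CHAINS).items()):
        print(aid, sorted(info["brands"]), sorted(info["click_ids"]), len(info["affids"]), "affiliate ids")
```

On the four chains above the output ties aid swp_wa7p to winantivirus.com via a single click id (45678) but two different affiliate ids, which is the kind of per-advertiser view an abuse desk can act on. The same parser runs over the longer lists in the post unchanged.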

Mike Burgess writes about hard-core adult sites with images of underage boys that use adfarm.mediaplex.com content
http://msmvps.com/blogs/hostsnews/archive/2007/04/22/more-on-Winfixer-and-valueclick.aspx

He also writes about false claims of TRUSTe certification (again with adfarm.mediaplex.com content)
hxxps://secure.drivecleaner.com/payment/?ad=keyin&link=keyin&site=169&product=452&aff=

<body onload="setSelected()">
<IMG SRC="hxxps://adfarm.mediaplex.com/ad/bk/7412-39614-2054-1?Get=1&mpuid=" BORDER=0 HEIGHT=1 WIDTH=1>
<IMG SRC="hxxps://adfarm.mediaplex.com/ad/bk/7390-42400-2054-1?1-PaypageEntrance=1&mpuid=" BORDER=0 HEIGHT=1 WIDTH=1>

The above is the same exact code as is displayed here:
http://msmvps.com/blogs/hostsnews/archive/2007/04/23/Winfixer-and-valueclick-in-the-uk.aspx

Then there is this report by Mike:
http://msmvps.com/blogs/hostsnews/archive/2007/04/20/are-advertisers-promoting-malware.aspx

And this:
http://msmvps.com/blogs/hostsnews/archive/2007/04/21/more-on-Winfixer.aspx

My sincere hope is that Mediaplex and ValueClick come to the attention of the FTC, and that the FTC takes action, if Mediaplex and ValueClick do not take comprehensive action to clean up their service and make sure that the problems discussed here do not recur in the future.

Do ValueClick enforce their antispam policy?

ValueClick says:

“It is our policy to prohibit the sending of unsolicited or "Spam" e-mail by ValueClick or any of its marketing partners.” (cite: http://www.valueclick.com/privacy.html)

Hundreds of spam messages have been posted on various forums in contravention of the above policy:

http://www.google.com/search?q=drivecleaner.com&hl=en&safe=off&start=40&sa=N$
http://www.google.com/search?q=go.sexprofit.com&hl=en&safe=off&start=10&sa=N

A typical spam post can be found here:
http://www.splinecage.com/forums/archive/index.php/t-1550.html

Every single one of the links in that forum post routes through adfarm.mediaplex.com.

My own blog is being hit by hundreds of spam comments every week – in fact, I have 2095 comments awaiting my attention right at this very moment, all of which are marked as spam, and 99% of which are submitted by a very prolific “author” under the pseudonym “…” (yes, I know, the author is a bot – I’m being facetious). 

Anyway, all of the comments submitted by author “…” have a myriad different URLs as the author’s Web site, virtually all of which redirect to Winfixer sites via adfarm.mediaplex.com.  Yes, I could list all of the URLs that I am seeing in my blog comments, and provide definitive proof of adfarm.mediaplex.com involvement, but I think this article will prove beyond a doubt that there is a big problem at Mediaplex even without those specifics.

To give you an idea of just how endemic the problem of adfarm.mediaplex.com being used as a conduit for winfixer malware is, check out the list of adfarm.mediaplex.com URLs below, all of which redirect to Winfixer, Winfixer related or Winfixer type sites at the time of testing.  I noticed as I was working my way through the various adfarm.mediaplex.com URLs by changing (for example) 45678 to 45679 then 45680 and so on and so forth, that I was hitting very few “legitimate” Web sites using this test routine, which is very worrying and makes me wonder just how widespread the Winfixer infiltration is at ValueClick.  I suspect that if I kept checking, and testing, that I could continue to add to that list, but let's be honest, I'm already at the stage where I am thinking "enough already - I get it - there's a big problem here".

I have already tried the "Contact Us" facility at http://www.valueclick.com/about/contact.html and received NO RESPONSE - not even an acknowledgement that my approach had been received, despite my including this URL - hell, if potential underage porn doesn't get their attention, what the hell will???
http://msmvps.com/blogs/spywaresucks/archive/2007/04/22/857830.aspx

It will be very interesting to see what reaction, if any, we get from Mediaplex and ValueClick when they see this article.  You see, they need to do more than get rid of the rogue content that is already there; they have to stop future occurrences and reassure everybody who uses their content that Mediaplex and ValueClick can be trusted to stay clean going forward, but here is the kicker… will they want to, especially if Winfixer and Winfixer type clients are a major part of any sector of their income stream? 

hxxp://adfarm.mediaplex.com/ad/ck/45678
hxxp://adfarm.mediaplex.com/ad/ck/45682
hxxp://adfarm.mediaplex.com/ad/ck/45684
hxxp://adfarm.mediaplex.com/ad/ck/45686
hxxp://adfarm.mediaplex.com/ad/ck/45688
hxxp://adfarm.mediaplex.com/ad/ck/49487
hxxp://adfarm.mediaplex.com/ad/ck/49686
hxxp://adfarm.mediaplex.com/ad/ck/49688
hxxp://adfarm.mediaplex.com/ad/ck/49690
hxxp://adfarm.mediaplex.com/ad/ck/49694
hxxp://adfarm.mediaplex.com/ad/ck/49696
hxxp://adfarm.mediaplex.com/ad/ck/49698
hxxp://adfarm.mediaplex.com/ad/ck/49700
hxxp://adfarm.mediaplex.com/ad/ck/49702
hxxp://adfarm.mediaplex.com/ad/ck/49704
hxxp://adfarm.mediaplex.com/ad/ck/49706
hxxp://adfarm.mediaplex.com/ad/ck/49708
hxxp://adfarm.mediaplex.com/ad/ck/49710
hxxp://adfarm.mediaplex.com/ad/ck/49712
hxxp://adfarm.mediaplex.com/ad/ck/49714
hxxp://adfarm.mediaplex.com/ad/ck/49717
hxxp://adfarm.mediaplex.com/ad/ck/49719
hxxp://adfarm.mediaplex.com/ad/ck/49720
hxxp://adfarm.mediaplex.com/ad/ck/49725
hxxp://adfarm.mediaplex.com/ad/ck/49727
hxxp://adfarm.mediaplex.com/ad/ck/49729
hxxp://adfarm.mediaplex.com/ad/ck/49735
hxxp://adfarm.mediaplex.com/ad/ck/49737
hxxp://adfarm.mediaplex.com/ad/ck/49739
hxxp://adfarm.mediaplex.com/ad/ck/49741
hxxp://adfarm.mediaplex.com/ad/ck/49743
hxxp://adfarm.mediaplex.com/ad/ck/49746
hxxp://adfarm.mediaplex.com/ad/ck/49748
hxxp://adfarm.mediaplex.com/ad/ck/49791
hxxp://adfarm.mediaplex.com/ad/ck/49793
hxxp://adfarm.mediaplex.com/ad/ck/49795
hxxp://adfarm.mediaplex.com/ad/ck/49799
hxxp://adfarm.mediaplex.com/ad/ck/49806
hxxp://adfarm.mediaplex.com/ad/ck/49811
hxxp://adfarm.mediaplex.com/ad/ck/49816
hxxp://adfarm.mediaplex.com/ad/ck/49827
hxxp://adfarm.mediaplex.com/ad/ck/49831
hxxp://adfarm.mediaplex.com/ad/ck/49836
hxxp://adfarm.mediaplex.com/ad/ck/49837
hxxp://adfarm.mediaplex.com/ad/ck/49988

 

When you try to open a Microsoft ActiveX control-based MIME handler in Windows Internet Explorer 7, you may receive the following script error message:

Line: Line number
Char: Character number
Error: Invalid character
Code: Code number

Line: Line number
Char: Character number
Error: Object expected
Code: Code number

For example, you may receive this script error message when you try to open a Macromedia Shockwave Flash (.swf) file or when you try to open an Audio Video Interleaved (.avi) file.

This problem occurs if the following conditions are true:

• The file is located in the Internet Web zone or in the Intranet Web zone.
• The Allow active content to run in files on My Computer check box is selected in Internet Explorer 7.

Note: To locate this check box in Internet Explorer 7, click Internet Options on the Tools menu, and then click the Advanced tab. Under Security, you can see the Allow active content to run in files on My Computer check box.

Source:  http://support.microsoft.com/default.aspx/kb/934366

You use the document.open method with the replace parameter in Windows Internet Explorer 7. In this scenario, the content of a Web page does not appear to update as expected. When you click the Back button, the updated content appears.

Source: http://support.microsoft.com/default.aspx/kb/933182

In Windows Internet Explorer 7, a Web site cannot set a cookie if the following conditions are true:

• The Domain attribute is in uppercase characters.
• The Domain attribute has an odd number of characters.

Note:  If the Domain attribute starts with a dot, this dot is not included in the number of characters. For example, if the cookie tries to set the .EUROPE.CORP.CONTOSO.COM domain name, the cookie cannot be set. This domain name has 23 characters.

Source: http://support.microsoft.com/default.aspx/kb/932044
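A server operator who wants to know whether a given Set-Cookie header will trip this condition can check it before shipping. The block below is an added example, not code from the original post or from the KB article: it implements exactly the two conditions stated above (Domain attribute in uppercase, odd number of characters with a leading dot not counted), parses the Domain attribute out of a Set-Cookie header value, and shows the lowercase form that avoids the condition (domain names are case-insensitive, so lowercasing changes nothing else). The header strings and function names are constructed for the illustration.

```python
"""Lint a Set-Cookie Domain attribute against the IE7 condition described in
KB932044 (added illustration, not code from the original post or the KB)."""


def domain_char_count(domain):
    """Count characters the way the KB article describes: a leading dot is not counted."""
    return len(domain[1:] if domain.startswith(".") else domain)


def is_all_uppercase(domain):
    """True if every letter in the domain is uppercase (dots and digits are ignored)."""
    letters = [c for c in domain if c.isalpha()]
    return bool(letters) and all(c.isupper() for c in letters)


def hits_ie7_cookie_bug(domain):
    """Both KB conditions must hold: uppercase Domain AND an odd character count."""
    return is_all_uppercase(domain) and domain_char_count(domain) % 2 == 1


def parse_set_cookie_domain(header):
    """Return the Domain attribute of a Set-Cookie header value, or None if absent."""
    for part in header.split(";")[1:]:  # attributes follow the name=value pair
        name, _, value = part.strip().partition("=")
        if name.lower() == "domain":
            return value.strip()
    return None


def check_set_cookie(header):
    """Return (domain, would_fail_in_ie7) for a Set-Cookie header value."""
    domain = parse_set_cookie_domain(header)
    if domain is None:
        return None, False  # no Domain attribute, so the condition cannot apply
    return domain, hits_ie7_cookie_bug(domain)


def safe_domain(domain):
    """Lowercasing removes the uppercase condition whatever the length; DNS names
    are case-insensitive, so the cookie scope is unchanged."""
    return domain.lower()


if __name__ == "__main__":
    # Constructed sample headers; the first uses the domain from the KB example.
    for header in ("sid=abc; Domain=.EUROPE.CORP.CONTOSO.COM; Path=/",
                   "sid=abc; Domain=.CORP.CONTOSO.COM; Path=/",
                   "sid=abc; Path=/"):
        domain, fails = check_set_cookie(header)
        print(f"{header!r}: domain={domain} fails_in_ie7={fails}"
              + (f" -> use Domain={safe_domain(domain)}" if fails else ""))
```

The KB's own example, .EUROPE.CORP.CONTOSO.COM, counts as 23 characters and is uppercase, so it is flagged; .CORP.CONTOSO.COM is 16 characters and passes despite being uppercase, which matches the "both conditions" wording of the article.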
