Sunday, April 22, 2007 2:40 PM
sandi
The ongoing winfixer saga
So, what do we do about an advertising network like ValueClick that will not clean up its act? A network that has been implicated, over and over, in the spread of malware? An advertising network that was involved in the infiltration of the Windows Live Messenger banner advertisement by winfixer malware?
Wayne Porter notes that ValueClick was implicated in the Windows Live Messenger banner advert infiltration:
http://www.revenews.com/wayneporter/archives/adware-spyware-greynets/getting_the_fix_on_winfixer_aol_network_now/
Mike Burgess of MVP Hosts file fame reported on another three incidents where ValueClick has been used as a conduit to infect victims with winfixer:
http://msmvps.com/blogs/hostsnews/archive/2007/04/20/are-advertisers-promoting-malware.aspx
http://msmvps.com/blogs/hostsnews/archive/2007/04/21/more-on-winfixer.aspx
and this (fraudulently claiming eTrust membership?)
http://msmvps.com/blogs/hostsnews/archive/2007/04/23/winfixer-and-valueclick-in-the-uk.aspx
and, disgustingly (I don't know about you, but I think the chances are high that we're looking at some underage kids):
http://msmvps.com/blogs/hostsnews/archive/2007/04/22/more-on-winfixer-and-valueclick.aspx
Perhaps it is time for the FTC to get involved, and for the big names that have been hurt by ValueClick in the past (Hello MSN?) to refuse to have any dealings with ValueClick, or any other company that uses their content. Mike On Ads says "The last thing I want is a crusade against AOL, MSN, or any ad-network for running these ads. EVERYBODY is running them — and EVERYBODY needs to work together to stop them." but I don't agree with him on this. When we see a network that exhibits an ongoing tendency to distribute malware, then we do need a "crusade". ValueClick is not the first company I have said this about, I said the same thing about the company that Mike currently works for, being Right Media (Right Media was implicated in the distribution of winfixer malware via the Messenger Plus! Live Sponsor Program).
The other side of the coin: Why is this happening?
We know ValueClick is a recurrent participant in the distribution of hostile SWF. But are they victims or collaborators? I honestly don't know.
Often hostile Flash ads infiltrate a network via what are called "rogue affiliates" who use "bait and switch" and other nefarious tactics to fool services such as ValueClick. But, although ValueClick may (I hope) be innocent victims who have been fooled into allowing the affiliates into their network, it has become glaringly obvious that there is something basicly wrong with ValueClick's checks and balances.
Then again, maybe ValueClick are not innocent - cite this article:
http://www.shoemoney.com/2007/03/29/what-does-valueclick-have-to-hide/
I have contacted ValueClick via their Contact Us page (http://www.valueclick.com/about/contact.html). Time will tell if they respond, and I will post their comments here.
The problem of hostile Flash ads is endemic. MSN has been hit, AOL has been hit, MySpace has been hit - that equates to hundreds of millions of potential victims. Those behind errorsafe/winfixer are not only creating their own software and domains, they are also creating fake advertisements for known legitimate sites such as getsafeonline.org, Priceline and Travelocity (source: http://www.mikeonads.com/what-is-errorsafe-and-how-do-we-stop-it/ and http://www.mikeonads.com/2007/04/05/ironic-errorsafe-advertising-for-getsafeonlineorg/)
Mike On Ads has some succinct advice about how to fight back against rogue affiliates at (http://www.mikeonads.com/what-is-errorsafe-and-how-do-we-stop-it/) In the comments of the blog entry, Mike states:
"In essence, there are two key things the flash files do:
#1 - Check the geo of the user. Since GeoIP databases are too large to store, the file has to request this info from a third-party server.
#2 - Uses javascript to check all sorts of browser parameters. E.g., the timezone of the browser. If the buy is with a US based ad-network, no browser with a US timezone would trigger the active-x."
I've known about the geo checks for a while now - we saw evidence of that back when we were fighting winfixer outbreaks on the Messenger Plus! Live sponsor program's advertising network. The goal seems to be to evade detection by the advertising networks for as long as possible (and, I suspect, avoid the US Justice system as well). But I think we am seeing even more. The AOL outbreak was extremely interesting. Not only was it geo specific, but the hostile SWF advert was only appearing on my PCs once per day - almost as if the SWF was not only checking IP for geo, but also for previous exposure to a particular IP address. But the sample SWF that was grabbed using my network capture data was click dependent - there was nothing to indicate that the SWF would cause a redirect or anything else without user interaction, so how was this happening? Are the hostile SWF being swapped out regularly to reduce the chances of detection even further, forcing us to rely on video and network captures to prove misbehaviour?
My thinking at the moment is that the only real solution to this problem is for end-advertisement networks to directly host creatives, and stop third parties from having control of what those creatives will be. Yes, it is more expensive, but I think the basic reality of the situation is that as long as somebody else controls what is being distributed via your advertising network, your network is at risk of being used as a conduit for malware.
Alternatives? Dump Flash adverts altogether but the advert networks (and their clients) don't want to do that; colour and movement draw the eye and the mouse clicks far more than static pictures can.