Thursday, May 31, 2007 9:29 PM sandi

Valueclick and Winfixer continue to be a problem

Mike Burgess was hopeful that Valueclick had cut ties with Winfixer.
http://msmvps.com/blogs/hostsnews/archive/2007/05/25/valueclick-cuts-ties-with-the-winfixer-group.aspx

Unfortunately I have definitive proof that this is NOT the case.

See here - we have evidence of an attempt to infect systems with Winfixer TONIGHT via a malicious ad served through adfarm.mediaplex.com - this is one of the more *NASTY* ones - we're not looking at just a pop-up, or just a dialogue box.  When the dangerous ad appears the victim is redirected AWAY from www.mobygames.com and dumped at the Winfixer site with no user interaction required.  In short, the user's Web surfing is involuntarily HIJACKED.

Even worse, the bastards behind Winfixer are being tricky - the redirect only occurs once or so per day, *BUT* if you use the Flash console to delete all prior Flash content (which is evidently where the once-a-day limit is being tracked), the hijack will occur again, and again, and again, VERY quickly indeed.

If you want to investigate this infestation, and want to defeat the bad guys' attempts to evade detection, you need to empty your Flash cache every time the malware hits.  Go here and then click on the option to delete all sites:

Here is my network trace showing the redirect, from an advert on www.mobygames.com, via adfarm.mediaplex.com.

I first instituted a dialogue with ValueClick via email about the Winfixer problem more than a month ago, yet the problem continues.  This is simply not good enough.

Network captures follow - yes there are a hell of a lot more, but let's be honest here, how many times do we have to prove that there is a problem?

PLEASE SEND ME AN EMAIL IF YOU SEE WINFIXER - I WILL INVESTIGATE, PUBLICIZE, AND NAME AND SHAME ANY AD NETWORK THAT IS CONTRIBUTING TO THE DISTRIBUTION OF SUCH MALWARE.

  Frame:
+ WiFi: [Unencrypted Data Data] .T...., (I)
+ LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
+ Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX
+ Ipv4: Next Protocol = TCP, Packet ID = 15349, Total IP Length = 991
+ Tcp: Flags=...PA..., SrcPort=50185, DstPort=HTTP Alternate(8080), Len=951, Seq=3278634856 - 3278635807, Ack=40855410, Win=4262 (scale factor not found)
- Http: Request, GET http://adfarm.mediaplex.com/ad/ck/52500
    Command: GET
  - URI: http://adfarm.mediaplex.com/ad/ck/52500?aid=f0rw9rdx_rdt
     Location: http://adfarm.mediaplex.com/ad/ck/52500
     aid: f0rw9rdx_rdt
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://ads.mobygames.com/adserver/adimage.php?filename=h2v_728x90_2.swf&contenttype=swf&clickTAG=http://ads.mobygames.com/adserver/adclick.p
    Cookie:  svid=7106602301; __utma=183366586.1351200665.1177472688.1177472688.1177495208.2; __utmz=183366586.1177472688.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
    Host:  adfarm.mediaplex.com
    Proxy-Connection:  Keep-Alive
    HeaderEnd: CRLF

Followed by:

  Frame:
+ WiFi: [Unencrypted Data Data] .T...., (I)
+ LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
+ Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX
+ Ipv4: Next Protocol = TCP, Packet ID = 15351, Total IP Length = 1362
+ Tcp: Flags=...PA..., SrcPort=50192, DstPort=HTTP Alternate(8080), Len=1322, Seq=4010949088 - 4010950410, Ack=2340755632, Win=4016 (scale factor not found)
- Http: Request, GET http://www.drivecleaner.com/.freeware/
    Command: GET
  - URI: http://www.drivecleaner.com/.freeware/?p=20&ax=1&ex=1&ed=2&aid=f0rw9rdx_rdt
     Location: http://www.drivecleaner.com/.freeware/
     p: 20
     ax: 1
     ex: 1
     ed: 2
     aid: f0rw9rdx_rdt
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://ads.mobygames.com/adserver/adimage.php?filename=h2v_728x90_2.swf&contenttype=swf&clickTAG=http://ads.mobygames.com/adserver/adclick.p
    Cookie:  rff=http%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadimage.php%253Ffilename%253Dh2v_728x90_2.swf%2526contenttype%253Dswf%2526clickTAG%253Dhttp%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadclick.p; ad=f0rw9rdx_rdt_au_en_ed2; link=keyin; c
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
    Host:  www.drivecleaner.com
    Proxy-Connection:  Keep-Alive
    HeaderEnd: CRLF

Followed by:

  Frame:
+ WiFi: [Unencrypted Data Data] .T...., (I)
+ LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
+ Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX
+ Ipv4: Next Protocol = TCP, Packet ID = 15355, Total IP Length = 1230
+ Tcp: Flags=...PA..., SrcPort=50183, DstPort=HTTP Alternate(8080), Len=1190, Seq=2863417415 - 2863418605, Ack=2340276141, Win=16103 (scale factor not found)
- Http: Request, GET http://www.drivecleaner.com/.freeware/index.php
    Command: GET
  - URI: http://www.drivecleaner.com/.freeware/index.php?p=20&ax=1&ex=1&link=keyin&ad=f0rw9rdx_rdt_au_en_ed2&aff=
     Location: http://www.drivecleaner.com/.freeware/index.php
     p: 20
     ax: 1
     ex: 1
     link: keyin
     ad: f0rw9rdx_rdt_au_en_ed2
     aff: 
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
    Host:  www.drivecleaner.com
    Proxy-Connection:  Keep-Alive
    Cookie:  rff=http%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadimage.php%253Ffilename%253Dh2v_728x90_2.swf%2526contenttype%253Dswf%2526clickTAG%253Dhttp%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadclick.p; ad=f0rw9rdx_rdt; link=keyin; cnt=AU; lng
    HeaderEnd: CRLF

 

  Frame:
+ WiFi: [Unencrypted Data Data] .T...., (I)
+ LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
+ Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX
+ Ipv4: Next Protocol = TCP, Packet ID = 15360, Total IP Length = 1036
+ Tcp: Flags=...PA..., SrcPort=50179, DstPort=HTTP Alternate(8080), Len=996, Seq=211796996 - 211797992, Ack=355888886, Win=4037 (scale factor not found)
- Http: Request, GET http://www.drivecleaner.com/.freeware/libs/product.js
    Command: GET
  - URI: http://www.drivecleaner.com/.freeware/libs/product.js
     Location: http://www.drivecleaner.com/.freeware/libs/product.js
    ProtocolVersion: HTTP/1.1
    Accept:  */*
    Referer:  http://www.drivecleaner.com/.freeware/index.php?p=20&ax=1&ex=1&link=keyin&ad=f0rw9rdx_rdt_au_en_ed2&aff=
    Accept-Language:  en-US
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
    Proxy-Connection:  Keep-Alive
    Host:  www.drivecleaner.com
    Cookie:  rff=http%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadimage.php%253Ffilename%253Dh2v_728x90_2.swf%2526contenttype%253Dswf%2526clickTAG%253Dhttp%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadclick.p; ad=f0rw9rdx_rdt_au_en_ed2; link=keyin; c
    HeaderEnd: CRLF

  Frame:
+ WiFi: [Unencrypted Data Data] .T...., (I)
+ LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
+ Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX
+ Ipv4: Next Protocol = TCP, Packet ID = 15370, Total IP Length = 1086
+ Tcp: Flags=...PA..., SrcPort=50187, DstPort=HTTP Alternate(8080), Len=1046, Seq=2230411576 - 2230412622, Ack=3079221333, Win=4212 (scale factor not found)
- Http: Request, GET http://www.drivecleaner.com/.freeware/libs/utils.php
    Command: GET
  - URI: http://www.drivecleaner.com/.freeware/libs/utils.php?ad=f0rw9rdx_rdt_au_en_ed2&link=keyin&ex=1&j=0&aff=
     Location: http://www.drivecleaner.com/.freeware/libs/utils.php
     ad: f0rw9rdx_rdt_au_en_ed2
     link: keyin
     ex: 1
     j: 0
     aff: 
    ProtocolVersion: HTTP/1.1
    Accept:  */*
    Referer:  http://www.drivecleaner.com/.freeware/index.php?p=20&ax=1&ex=1&link=keyin&ad=f0rw9rdx_rdt_au_en_ed2&aff=
    Accept-Language:  en-US
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
    Proxy-Connection:  Keep-Alive
    Host:  www.drivecleaner.com
    Cookie:  rff=http%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadimage.php%253Ffilename%253Dh2v_728x90_2.swf%2526contenttype%253Dswf%2526clickTAG%253Dhttp%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadclick.p; ad=f0rw9rdx_rdt_au_en_ed2; link=keyin; c
    HeaderEnd: CRLF
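As an added example (not part of sandi's post or of any tool mentioned here), the following Python reconstructs what the frames above show: it follows the aid token from the mediaplex click-tracker to drivecleaner.com, decodes the double-URL-encoded rff cookie back into the originating ad creative, and flags a navigation whose Referer is an ad SWF but whose destination is neither the publisher nor a known ad network. The request dicts are constructed from the captured headers above; the function names and the assumption that aid is the forwarded tracking token are mine.

```python
# Added example: reconstruct the ad-driven redirect chain from captured HTTP requests.
# Input shape (assumed): one dict per request with host, uri, referer and cookie; the
# values below are constructed from the Network Monitor frames in the post above.
from urllib.parse import parse_qs, unquote, urlparse

AD_SWF = "http://ads.mobygames.com/adserver/adimage.php?filename=h2v_728x90_2.swf&contenttype=swf"
RFF = ("rff=http%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadimage.php%253Ffilename%253D"
       "h2v_728x90_2.swf%2526contenttype%253Dswf%2526clickTAG%253Dhttp%253A%252F%252F"
       "ads.mobygames.com%252Fadserver%252Fadclick.p")
REQUESTS = [
    {"host": "adfarm.mediaplex.com", "referer": AD_SWF, "cookie": "svid=7106602301",
     "uri": "http://adfarm.mediaplex.com/ad/ck/52500?aid=f0rw9rdx_rdt"},
    {"host": "www.drivecleaner.com", "referer": AD_SWF,
     "cookie": RFF + "; ad=f0rw9rdx_rdt_au_en_ed2; link=keyin",
     "uri": "http://www.drivecleaner.com/.freeware/?p=20&ax=1&ex=1&ed=2&aid=f0rw9rdx_rdt"},
    {"host": "www.drivecleaner.com", "referer": "", "cookie": "ad=f0rw9rdx_rdt; link=keyin; cnt=AU",
     "uri": "http://www.drivecleaner.com/.freeware/index.php?p=20&ax=1&link=keyin&ad=f0rw9rdx_rdt_au_en_ed2"},
]

def decode_rff(cookie):
    """Return the ad URL hidden in the double-URL-encoded rff cookie, or None."""
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "rff":
            return unquote(unquote(value))  # %253A -> %3A -> ':'
    return None

def redirect_chain(requests, key="aid"):
    """Group requests by the tracking token the ad network forwards (hosts in capture order)."""
    chains = {}
    for r in requests:
        tid = parse_qs(urlparse(r["uri"]).query).get(key, [None])[0]
        if tid:
            chains.setdefault(tid, []).append(r["host"])
    return chains

def involuntary_redirects(requests, publisher_suffix, known_ad_hosts):
    """Flag requests whose Referer is an ad creative (.swf) on the publisher's ad server but
    whose Host is neither the publisher nor a known ad network: the fingerprint of a hijack."""
    hits = []
    for r in requests:
        ref = urlparse(r["referer"])
        from_creative = ref.netloc.endswith(publisher_suffix) and ".swf" in ref.query
        if from_creative and not r["host"].endswith(publisher_suffix) \
                and r["host"] not in known_ad_hosts:
            hits.append(r["host"])
    return hits
```

Run against a full proxy log, the same three functions turn a one-off capture like the one above into a repeatable check: any tracking token that ends at a host outside the publisher and its ad networks is worth a look.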

 

Comments

# re: Valueclick and Winfixer continue to be a problem

Thursday, May 31, 2007 2:34 PM by TeMerc

I found this over on SpamHuntress and pointed here: http://spamhuntress.com/2007/05/31/winfixer-more-aggressive/
