Tuesday, June 26, 2007 10:35 PM sandi

Winfixer, real media and valueclick.... the fight continues

I don't know about you, but I feel like I am playing whack-a-mole most of the time.

I was asked to review a discussion thread on dslreports today - a report complaining about malware incidents on the www.wfaa.com web site - the typical Winfixer via hostile banner advertisements carry on.

Cite: http://www.dslreports.com/forum/r18551684-Another-WinFixer-infiltrationthis-time-on-wwwwfaacom

So, let's go have a look.

I can state, conclusively, that the wfaa.com web site *is* exposing its users to fraudware - and Real Media and ValueClick are both implicated.

Proof - Fiddler was running during an attempted infestation. Now, there are some bits and pieces stripped, as much for the readers' convenience as for my privacy, but you get the gist...

The powers that be are welcome to the entire capture... you know who you are...

GET /pages/scanner/index.php?aid=alreadyx&lid=intl&ax=1&ex=1&ed=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Referer: http://ads.belointeractive.com/RealMedia/ads/Creatives/OasDefault/NtlZappinadsInc001A-rmn/NtlZappinadas728_061907.swf?clickTAG=http://ads.be
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: www.errorsafe.com
Proxy-Connection: Keep-Alive

HTTP/1.1 302 Found
Via: 1.1 SERVER
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Tue, 26 Jun 2007
Location: http://adfarm.mediaplex.com/ad/ck/52853?aid=alreadyx_rdt&mpt=[CACHEBUSTER]
Content-Type: text/html
Server: Apache
X-Powered-By: PHP/4.4.2
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
Set-Cookie: cnt=**; expires=Thu, 21 Feb 2008 00:13:36 GMT; path=/; domain=.errorsafe.com
Set-Cookie: lng=**; expires=Thu, 21 Feb 2008 00:13:36 GMT; path=/; domain=.errorsafe.com

GET /ad/ck/52853?aid=alreadyx_rdt&mpt=[CACHEBUSTER] HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Referer: http://ads.belointeractive.com/RealMedia/ads/Creatives/OasDefault/NtlZappinadsInc001A-rmn/NtlZappinadas728_061907.swf?clickTAG=http://ads.be
Cookie: svid=**
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Proxy-Connection: Keep-Alive
Host: adfarm.mediaplex.com

HTTP/1.1 302 Moved Temporarily
Via: 1.1 SERVER
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 0
Date: Tue, 26 Jun 2007 00:13:36 GMT
Location: http://pcturbopro.com/.download_now/index.php?p=18&ax=1&ed=2&ex=1&hv=10&j=1&aid=alreadyx_rdt&mpt=[CACHEBUSTER]
Server: Apache-Coyote/1.1
Cache-Control: no-cache

GET /.download_now/index.php?p=18&ax=1&ed=2&ex=1&hv=10&j=1&aid=alreadyx_rdt&mpt=[CACHEBUSTER] HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Referer: http://ads.belointeractive.com/RealMedia/ads/Creatives/OasDefault/NtlZappinadsInc001A-rmn/NtlZappinadas728_061907.swf?clickTAG=http://ads.be
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: pcturbopro.com
Proxy-Connection: Keep-Alive

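Read top to bottom, the capture is a three-hop chain: the browser, with a Real Media creative on ads.belointeractive.com as its Referer, requests the fake scanner page on www.errorsafe.com; errorsafe answers 302 to a ValueClick click-tracker on adfarm.mediaplex.com (ad/ck/52853); mediaplex answers 302 to the download page on pcturbopro.com. As an added example (not code from the original post, nor from any of the parties named), here is a small Python script that parses a Fiddler-style header capture like the one above, pairs each request with the response that follows it, follows the Location headers, and reports the hop hosts. The sample input is a trimmed copy of the page's own capture (same hosts, same redirects, fewer headers, masked cookie values); the watchlist and ad-network domain sets are assumptions for illustration, and an `http://` scheme is assumed because the capture shows only the path and Host header.

```python
"""Reconstruct a redirect chain from a raw Fiddler-style header capture.

Added example, not code from the original post. Input is request and
response header blocks separated by blank lines, in capture order.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: trimmed copy of the page's capture (same hosts and
# redirects, fewer headers, cookie values masked).
SAMPLE_CAPTURE = """\
GET /pages/scanner/index.php?aid=alreadyx&lid=intl&ax=1&ex=1&ed=2 HTTP/1.1
Referer: http://ads.belointeractive.com/RealMedia/ads/Creatives/OasDefault/NtlZappinadsInc001A-rmn/NtlZappinadas728_061907.swf?clickTAG=http://ads.be
Host: www.errorsafe.com

HTTP/1.1 302 Found
Location: http://adfarm.mediaplex.com/ad/ck/52853?aid=alreadyx_rdt&mpt=[CACHEBUSTER]
Set-Cookie: cnt=**; expires=Thu, 21 Feb 2008 00:13:36 GMT; path=/; domain=.errorsafe.com

GET /ad/ck/52853?aid=alreadyx_rdt&mpt=[CACHEBUSTER] HTTP/1.1
Referer: http://ads.belointeractive.com/RealMedia/ads/Creatives/OasDefault/NtlZappinadsInc001A-rmn/NtlZappinadas728_061907.swf?clickTAG=http://ads.be
Host: adfarm.mediaplex.com

HTTP/1.1 302 Moved Temporarily
Location: http://pcturbopro.com/.download_now/index.php?p=18&ax=1&ed=2&ex=1&hv=10&j=1&aid=alreadyx_rdt&mpt=[CACHEBUSTER]

GET /.download_now/index.php?p=18&ax=1&ed=2&ex=1&hv=10&j=1&aid=alreadyx_rdt&mpt=[CACHEBUSTER] HTTP/1.1
Referer: http://ads.belointeractive.com/RealMedia/ads/Creatives/OasDefault/NtlZappinadsInc001A-rmn/NtlZappinadas728_061907.swf?clickTAG=http://ads.be
Host: pcturbopro.com
"""

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")

# Assumed domain sets for illustration only.
WATCHLIST = {"errorsafe.com", "pcturbopro.com"}      # fraudware landing hosts
AD_NETWORKS = {"mediaplex.com", "belointeractive.com"}  # ad-serving hosts


def parse_message(block):
    """Parse one header block into a request or response dict."""
    lines = block.strip().splitlines()
    start, headers = lines[0], {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    m = REQUEST_LINE.match(start)
    if m:
        target, host = m.group(2), headers.get("host", ["?"])[0]
        # Proxy captures show only the path; scheme is assumed to be http.
        url = f"http://{host}{target}" if target.startswith("/") else target
        return {"kind": "request", "method": m.group(1), "url": url, "headers": headers}
    m = STATUS_LINE.match(start)
    if m:
        loc = headers.get("location", [None])[0]
        return {"kind": "response", "status": int(m.group(1)), "location": loc, "headers": headers}
    raise ValueError(f"unrecognised start line: {start!r}")


def parse_capture(text):
    """Pair each request with the response that follows it (None if absent)."""
    pairs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        msg = parse_message(block)
        if msg["kind"] == "request":
            pairs.append([msg, None])
        elif pairs and pairs[-1][1] is None:
            pairs[-1][1] = msg
        else:
            raise ValueError("response without a preceding request")
    return [tuple(p) for p in pairs]


def redirect_chain(pairs):
    """Return (host, status, location) per hop, plus whether each request
    went exactly where the previous response's Location sent it."""
    hops, consistent = [], True
    for i, (req, resp) in enumerate(pairs):
        hops.append((urlsplit(req["url"]).hostname,
                     resp["status"] if resp else None,
                     resp["location"] if resp else None))
        prev = pairs[i - 1][1] if i else None
        if prev and prev["location"] != req["url"]:
            consistent = False
    return hops, consistent


def in_domains(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def report(text, watchlist=WATCHLIST, ad_networks=AD_NETWORKS):
    """Summarise the chain: where it started, which hosts it crossed, and
    which ad-server macros (e.g. [CACHEBUSTER]) were requested literally."""
    pairs = parse_capture(text)
    hops, consistent = redirect_chain(pairs)
    origin = pairs[0][0]["headers"].get("referer", [""])[0]
    hosts = [h for h, _, _ in hops]
    return {
        "origin_host": urlsplit(origin).hostname,
        "path": hosts,
        "statuses": [s for _, s, _ in hops],
        "flagged": [h for h in hosts if in_domains(h, watchlist)],
        "via_ad_network": [h for h in hosts if in_domains(h, ad_networks)],
        "chain_consistent": consistent,
        "unexpanded_macros": sorted({m for _, _, loc in hops if loc
                                     for m in re.findall(r"\[[A-Z_]+\]", loc)}),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

The `chain_consistent` flag is the check worth keeping: it confirms that each GET in the capture is the literal Location of the preceding 302, so the chain is the browser following server-side redirects rather than script on the landing page issuing fresh navigations. It also surfaces that `mpt=[CACHEBUSTER]` was requested verbatim, i.e. the cache-busting macro in the ValueClick click URL was never expanded, which matters when asking an ad network to match the capture against its own logs.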
Comments

# re: Winfixer, real media and valueclick.... the fight continues

Tuesday, June 26, 2007 1:01 PM by Just Bob

Thanks Sandi.

It seems to me that the only way ValueClick and friends will change their ways will be due to pressure from their customers. Unfortunately their customers aren't aware of the problem. If you could use some help in this regard I'm retired now and have time on my hands.

# re: Winfixer, real media and valueclick.... the fight continues

Friday, June 29, 2007 8:55 AM by JeanInMontana

Hi Sandi,

Great work as usual.  I have a site that I know is using CommissionJunction/ ValueClick links.  I can't prove it but I think at least one had an added payload stopped by my security programs.  I fought with the site owner and got that page taken down.  But they constantly hide links behind images used as links to "surveys".  They claim to be a mystery shopping site and offer surveys for pay.  I have screen shots and page code proving they have the links.  

They refuse to acknowledge Commission Junction and ValueClick are the same.  I had to back off all communication with them because they threatened to sue me for harassment and slander.  LOL  I know they could never win, but I can't afford to defend myself either.  If you want to have a look at them or my screenshots, just let me know.

Jean

# re: Winfixer, real media and valueclick.... the fight continues

Saturday, June 30, 2007 12:31 AM by sandi

@Jean,

If you want to send me the information I'm more than happy to take them on :o)  They won't get anywhere with me with regards to threats of harassment and slander.  1) I've got 20 years in the legal industry under my belt so know what's what and am not easily scared by such threats; and 2) As the saying goes "just the facts, Ma'am" - you can't be sued for publicising fact - threats re slander don't work unless what you're saying is not true, or within the bounds of reasonable possibility.

@Just Bob

If you're based in the USA there won't be much you can do because these guys are clever enough to use IP addresses to restrict the chances of their activities being discovered on US soil.

If you do happen to come across a site that does trigger an exploit for you, use Microsoft Network Monitor or Fiddler to capture proof, send it to me and I'll get the publicity going.

But, if you can send me information that you find about complaints so that I can investigate, that would be great.

# re: Winfixer, real media and valueclick.... the fight continues

Tuesday, July 03, 2007 8:00 PM by Jean Dahl

I'm sorry for not getting back to this sooner.  I haven't said anything that isn't true.  I have screen shots of their pages to prove what I'm saying is true.  No one seems to be able to find a malicious link, but that doesn't mean they weren't there when I became aware something was weird, or that they won't come back.

# re: Winfixer, real media and valueclick.... the fight continues

Tuesday, July 03, 2007 8:11 PM by sandi

Hi Jean,

If you could send me what you've got including the screenshots and URLs I can start investigating  :o)
