Winfixer hide 'n' seek: explaining why some people see the ads, and some people don't
I've been watching reactions to my articles about the latest winfixer outbreak that I have been focusing on. I am seeing some confusion out there, and sometimes outright disbelief, based around a couple of questions - first, why do only some people see the malicious behaviour, and second, why don't the web sites in question do something about it if it is so bad. It might be worthwhile sharing with you some of the difficulties faced when tracking down these malicious advertisements.
As web sites and advertising networks have become more aware of the problem of malicious advertisements, and have started to watch for them, the low-lifes behind the malicious ads have focused on avoiding detection for as long as possible. Some of the ways they do this are:
- The malicious SWF (Flash advertisement) often checks your geographical location by checking your IP address; it also checks your time zone. The bad guys may set things up so that the advertisements only appear at certain times of the day - outside of business hours, for example. The malicious behaviour will then only be triggered if the IP address, time zone, geographical location and time of day all match the SWF's requirements.
Such trickery by the bad guys minimises the risk of website owners and advertising networks noticing the dangerous ads, and it also makes it difficult for them to investigate. For example, the bad guys may be displaying their advertisements on a USA-based website and/or using a USA-based advertising network. To help avoid detection they may code the malicious Flash advertisement to remain dormant if it is displayed on a computer located in the United States. If the advertising network does not take the time to closely examine Flash files by decompiling them and checking for malicious code, then bad stuff slips through.
Every single time I or my correspondents have reported a winfixer outbreak to a website, the response has been that the technical staff cannot reproduce the problem. Every single time I publicise an incident there are as many, if not more, people on various forums and mailing lists saying they cannot reproduce the problem as there are people confirming the problem. Invariably I have to provide cast iron proof before steps are taken to shut down dangerous ads.
- Often the incident will trigger only once per day or less on a particular machine. To reliably trigger a malicious redirect at will you will need to delete not only stored cookies, but Flash cached objects as well.
Nowadays I have a set routine, deleting cookies and the Flash cache, that maximises my chances of reproducing a winfixer incident pretty much as often as I wish.
On Windows XP based systems you can find the Flash directories at ..\Documents and Settings\{username}\Application Data\Macromedia\Flash Player\#SharedObjects\{randomly named folder} and ..\Documents and Settings\{username}\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys. I delete the entire contents of the {randomly named folder} and sys. I then load the reported web site. Sometimes the malicious advert will trigger immediately, sometimes it may take a while before it hits.
Edit: With regards to the Application Data folder, you won't see that unless you have the option to view hidden files and folders enabled. You can get to that via Control Panel, Folder Options, View tab (show hidden files and folders). If that doesn't work, also turn off the option to "hide protected operating system files". Oh, and turn off the option to hide extensions for known file types as a standard safety precaution.
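The Flash cache part of that routine, as an added example (my own helper script, not something from the original post): it locates the Flash Player profile folder under %APPDATA% (which on Windows XP is the Application Data folder named above), empties every randomly named folder under #SharedObjects and the sys folder, and prints what it would delete unless you pass --delete. The folder names and the throwaway fixture in demo_on_sample_tree are assumptions for illustration; browser cookies still need clearing in the browser itself.

```python
"""Empty the Flash Player shared-object cache so a malicious ad can be
re-triggered for investigation. Hypothetical helper, added as an example."""
import os
import shutil
import tempfile

# Sub-paths under the Flash Player profile folder, as named in the post.
SHARED_OBJECTS = "#SharedObjects"
SETTINGS_SYS = os.path.join("macromedia.com", "support", "flashplayer", "sys")


def default_flash_root():
    """%APPDATA%\\Macromedia\\Flash Player on Windows; falls back to the
    home directory when APPDATA is not set (non-Windows test runs)."""
    appdata = os.environ.get("APPDATA", os.path.expanduser("~"))
    return os.path.join(appdata, "Macromedia", "Flash Player")


def cache_dirs(flash_root):
    """Directories whose *contents* get deleted: every randomly named folder
    under #SharedObjects (the name differs per machine) plus the sys folder."""
    targets = []
    so_dir = os.path.join(flash_root, SHARED_OBJECTS)
    if os.path.isdir(so_dir):
        for name in sorted(os.listdir(so_dir)):
            path = os.path.join(so_dir, name)
            if os.path.isdir(path):
                targets.append(path)
    sys_dir = os.path.join(flash_root, SETTINGS_SYS)
    if os.path.isdir(sys_dir):
        targets.append(sys_dir)
    return targets


def clear_flash_cache(flash_root=None, dry_run=True):
    """Delete the contents of each cache dir, keeping the dirs themselves.
    Returns the entries removed (or, in a dry run, that would be removed)."""
    root = flash_root or default_flash_root()
    removed = []
    for directory in cache_dirs(root):
        for entry in sorted(os.listdir(directory)):
            path = os.path.join(directory, entry)
            removed.append(path)
            if dry_run:
                continue
            if os.path.isdir(path) and not os.path.islink(path):
                shutil.rmtree(path)
            else:
                os.remove(path)
    return removed


def demo_on_sample_tree():
    """Constructed fixture: build a throwaway profile with one random
    #SharedObjects folder and a sys folder, run a dry pass, then a real
    one, and report what each pass did."""
    root = tempfile.mkdtemp()
    rand = os.path.join(root, SHARED_OBJECTS, "A1B2C3D4")   # assumed name
    sys_dir = os.path.join(root, SETTINGS_SYS)
    os.makedirs(os.path.join(rand, "ads.example.invalid"))
    os.makedirs(os.path.join(sys_dir, "#ads.example.invalid"))
    for f in (os.path.join(rand, "ads.example.invalid", "shown.sol"),
              os.path.join(sys_dir, "settings.sol"),
              os.path.join(sys_dir, "#ads.example.invalid", "settings.sol")):
        open(f, "w").close()
    planned = clear_flash_cache(root, dry_run=True)
    untouched = all(os.path.exists(p) for p in planned)
    removed = clear_flash_cache(root, dry_run=False)
    leftover = sum(len(os.listdir(d)) for d in cache_dirs(root))
    dirs_kept = len(cache_dirs(root))
    shutil.rmtree(root)
    return {"planned": len(planned), "untouched_by_dry_run": untouched,
            "removed": len(removed), "leftover": leftover,
            "dirs_kept": dirs_kept}


if __name__ == "__main__":
    import sys
    live = "--delete" in sys.argv
    for p in clear_flash_cache(dry_run=not live):
        print(("removed " if live else "would remove ") + p)
```

Run it once without --delete to see which files it has found, then with --delete, then reload the reported site; the random folder is found by listing #SharedObjects rather than by name, so the script works on any machine.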
Even after taking these steps, it may be that I can't reproduce the incident using ISP-A, but can trigger it using ISP-B. Sometimes I may need to call in one of my contacts in another country to see if they can reproduce the problem.
I am sure you can understand what sort of problems the trickery I describe can cause. Far too often I have people write to me after getting the brush-off from whatever web site's technical support - invariably the reaction of the technical staff has been "we are unable to reproduce the problem, therefore it is not us - your computer is infected".
Without proof such as an Ethereal (aka Wireshark) or Microsoft Network Monitor capture, or Fiddler data, it can be very difficult for a website to put pressure on its advertising network (assuming you can get the site to believe that the problem is coming from the ads on their site in the first place). At the same time, such programmes (except for Fiddler) can expose extremely sensitive information such as email user names and passwords (if you have an email programme running), and other sensitive information. Even Fiddler exposes what can be considered to be sensitive information - server names if you're on a network, for example, and your geographical location and the like - so even Fiddler is not something that I would recommend to the untrained home user. Far better, I think, to refer incidents to people such as myself, or Mike of www.mikeonads.com or Mike Burgess of MVP Hosts file fame, so that we can gather the needed data and try to get malicious advertisements shut down.
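If someone does want to hand over a capture, the sensitive bits the paragraph above warns about can be stripped first. The script below is an added example (mine, not the post's, and not a feature of Fiddler or Wireshark): it takes a plain-text dump of captured traffic, such as a Wireshark "follow stream" or a Fiddler session saved as text, blanks cookie and authorization headers, mail-client USER/PASS logins, private addresses and any host under an internal domain suffix you name, and leaves the request lines and Location headers (the redirect chain, which is the actual evidence) untouched. The sample capture is constructed, and the .corp.local suffix is an assumed example.

```python
"""Redact credentials and identifying details from a text capture before
sharing it with an investigator. Added example, not from the original post."""
import re

# Mail-client logins travel in cleartext on POP3/IMAP/SMTP.
MAIL_CREDS = re.compile(r"^(USER|PASS|AUTH PLAIN|AUTH LOGIN)\s+(\S+)",
                        re.IGNORECASE | re.MULTILINE)
# HTTP headers that carry session secrets.
SENSITIVE_HEADERS = ("Cookie", "Set-Cookie", "Authorization", "Proxy-Authorization")
HEADER_RE = re.compile(r"^(%s):\s*(.*)$" % "|".join(SENSITIVE_HEADERS),
                       re.IGNORECASE | re.MULTILINE)
# RFC 1918 addresses reveal internal network layout.
PRIVATE_IP = re.compile(r"\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
                        r"|192\.168\.\d{1,3}\.\d{1,3}"
                        r"|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")

# Constructed sample: an ad request, its redirect, and a mail login that
# happened to be on the wire at the same time. Hosts are .invalid names.
SAMPLE_CAPTURE = """GET /ads/banner.swf HTTP/1.1
Host: ads.example-network.invalid
Cookie: session=abc123; uid=42
Via: 1.1 proxy01.corp.local
X-Forwarded-For: 192.168.1.20

HTTP/1.1 302 Found
Location: http://redirect.example.invalid/scan?x=1
Set-Cookie: tracker=zzz; path=/

USER alice@example.invalid
PASS hunter2
"""


def redact(capture, internal_suffix=None):
    """Return (redacted text, counts of what was blanked per category)."""
    counts = {"headers": 0, "mail_credentials": 0,
              "private_ips": 0, "internal_hosts": 0}

    def blank_header(m):
        counts["headers"] += 1
        return "%s: <redacted>" % m.group(1)

    def blank_cred(m):
        counts["mail_credentials"] += 1
        return "%s <redacted>" % m.group(1)

    def blank_ip(m):
        counts["private_ips"] += 1
        return "<private-ip>"

    text = HEADER_RE.sub(blank_header, capture)
    text = MAIL_CREDS.sub(blank_cred, text)
    text = PRIVATE_IP.sub(blank_ip, text)
    if internal_suffix:
        host_re = re.compile(r"\b[\w.-]+" + re.escape(internal_suffix) + r"\b",
                             re.IGNORECASE)

        def blank_host(m):
            counts["internal_hosts"] += 1
            return "<internal-host>"

        text = host_re.sub(blank_host, text)
    return text, counts


def redirect_chain(capture):
    """The evidence worth keeping: each request with its Host, and each
    Location header, in the order they appeared."""
    chain = []
    pending = None
    for line in capture.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in ("GET", "POST") and parts[2].startswith("HTTP/"):
            pending = (parts[0], parts[1])
        elif line.lower().startswith("host:") and pending:
            host = line.split(None, 1)[1].strip()
            chain.append("%s http://%s%s" % (pending[0], host, pending[1]))
            pending = None
        elif line.lower().startswith("location:"):
            chain.append("-> " + line.split(None, 1)[1].strip())
    return chain


if __name__ == "__main__":
    cleaned, what = redact(SAMPLE_CAPTURE, internal_suffix=".corp.local")
    print(cleaned)
    print("redacted:", what)
    print("\n".join(redirect_chain(SAMPLE_CAPTURE)))
```

Check the output by eye before sending it on; a pattern list like this catches the common cases but not every protocol your machine may have been talking at the time.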