The blick.ch malware advertisement outbreak - update and nine.ch responds.
Note: a BIG thank you to Tom of http://bloggingtom.ch (one of the most recognized blogs in the German speaking areas of Switzerland) for bringing so much attention to bear on the blick.ch malicious banner advertisement incident, and for gathering responses, and comments, from nine.ch, and Ringier (the company that owns blick.ch). If you can read German, I recommend you keep an eye on his blog, and also keep an eye on inside-it.ch (for whom Tom writes a weekly column), as Tom continues to report on the fall-out from the Blick incident.
(BTW, Tom tells me that woot.com may also have been hit by a malicious advertisement - I'll look into that later)
The blick.ch outbreak has become "bigger than Ben Hur". The German and Swiss online press have picked up on the report, and nine.ch were not happy with my comment that nine.ch did not seem to be willing to take action about the malicious content on their servers.
To remind everybody, I said that nine.ch are "hosting several malicious sites and content and don't seem to be willing to do anything about it".
Nine.ch have stated in several emails to various parties that my statement is false, and have now been in direct contact with me. They say in their email to me:
"we do not lock a server system immediately after we got a complaint. We always contact the customer first to set him or her a deadline to fix the abuse. So it was here with Pc Ions Incorporation. Unfortunately they did not react and were not reachable by phone, so we started blocking their network today morning (CET time). Meanwhile we are in contact with the Pc Ions."
The original response to a complaint about the malicious content which triggered my reaction was:
"The domain belongs to a dedicated server that is not managed by us; we only provide the hardware. I have informed our customer and hope that he remedies this situation promptly."
Loosely translated, the above says that the domain complained of is on a dedicated server, that nine.ch does not administer it, and that nine.ch would contact the customer - but no more than that. If nine.ch had also said that there was a deadline, and that they would act if no response was received within a set period of time, then I would have waited to see what nine.ch's next step was. As it was, I had no reason to believe that nine.ch would take any further action (bearing in mind that newbieadguide, in particular, has been a problem for a couple of months now).
nine.ch have further responded that they understand my reaction, and that they will publish their standard procedure for such issues on the web and instruct their support team accordingly, which will certainly help improve communication between the Internet community and nine.ch.
I am pleased to report that Nine.ch have now “firewalled” the malicious content on their servers – for example, the following URLs are no longer responding:
vozemiliogaranon.com/swf/gnida.swf?campaign=revenantan&u=1199379735
newbieadguide.com/swf/gnida.swf?campaign=denouement&u=23423424
newbieadguide.com/swf/gnida.swf?campaign=in5t4nce&u=23423424
vozemiliogaranon.com/swf/gnida.swf?campaign=zoolatrymy&u=1199391035
akamahi.net/swf/gnida.swf?campaign=orlapidary&u=1197898069
This is a *big* win for us – by shutting down the malicious domains, and in particular access to gnida.swf, nine.ch have crippled every single malicious advertising campaign that utilizes that content - if I had a bottle of champagne nearby, I'd be opening it in honor of the steps nine.ch have taken to mitigate the damage being caused by gnida.swf. (By the way, Gnida is a Russian word that means a very bad person (rotten) - ironic, yes?)
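The URLs above share one structure: a known host, the fixed path /swf/gnida.swf, and a campaign name and counter in the query string. A defender with proxy or web logs can use exactly that structure to find machines that loaded the banner, and to spot the same file when it reappears on a host not yet on the block list. The script below is an added example written for this post, not the author's or nine.ch's code; the log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed for illustration, and the host list is taken from the URLs quoted above.

```python
"""Flag proxy-log requests for the malicious Flash banner (gnida.swf) named in the post."""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts quoted in the post as serving gnida.swf (nine.ch has since firewalled them).
KNOWN_MALICIOUS_HOSTS = {"vozemiliogaranon.com", "newbieadguide.com", "akamahi.net"}

# The banner was always served from the same path; matching on the path catches
# the file even when it is moved to a host that is not on the list yet.
GNIDA_PATH_RE = re.compile(r"/swf/gnida\.swf$", re.IGNORECASE)

# Assumed log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log; the two gnida.swf URLs are copied from the post,
# the other lines (and the "unknownhost.example" entry) are made up.
SAMPLE_LOG = """\
2008-01-03T13:42:11Z 10.0.0.17 GET http://www.blick.ch/ 200
2008-01-03T13:42:12Z 10.0.0.17 GET http://vozemiliogaranon.com/swf/gnida.swf?campaign=revenantan&u=1199379735 200
2008-01-03T13:42:12Z 10.0.0.17 GET http://cdn.example.net/banner.swf 200
2008-01-03T13:45:02Z 10.0.0.23 GET http://newbieadguide.com/swf/gnida.swf?campaign=in5t4nce&u=23423424 200
2008-01-03T13:47:40Z 10.0.0.23 GET http://unknownhost.example/swf/gnida.swf?campaign=newname&u=1 200
2008-01-03T13:50:00Z 10.0.0.31 GET http://newbieadguide.com/images/logo.png 404
"""


def classify_url(url):
    """Return a verdict dict for a suspicious URL, or None if it looks clean.

    A URL is flagged if its host is on the known list (the whole host was
    firewalled, so any request to it is worth a look) or if its path is the
    gnida.swf banner path, whatever the host.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in KNOWN_MALICIOUS_HOSTS:
        reasons.append("known_host")
    if GNIDA_PATH_RE.search(parts.path):
        reasons.append("gnida_path")
    if not reasons:
        return None
    # The campaign parameter identifies which ad campaign delivered the banner.
    campaign = parse_qs(parts.query).get("campaign", [None])[0]
    return {"host": host, "campaign": campaign, "reasons": reasons}


def scan_log(text):
    """Parse log lines and return one hit per request that classify_url flags."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        verdict = classify_url(m.group("url"))
        if verdict:
            verdict["client"] = m.group("client")
            verdict["timestamp"] = m.group("ts")
            hits.append(verdict)
    return hits


def campaigns_seen(hits):
    """Distinct campaign names observed, useful when reporting to the ad network."""
    return sorted({h["campaign"] for h in hits if h["campaign"]})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['timestamp']} {h['client']} {h['host']} "
              f"campaign={h['campaign']} reasons={','.join(h['reasons'])}")
    print("campaigns:", ", ".join(campaigns_seen(found)))
```

The path match is deliberately independent of the host list: the same banner had already moved between at least three domains, so a host-only block list lags behind, while a path-and-query signature follows the file. Clients that appear in the hits are the machines that were served the redirect and are the ones to check for the fraudware installers the campaigns pushed.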
Now, as I said above, there has been a *lot* of noise generated in the German speaking press by the discovery of the blick.ch malicious advertisement. I have received a *lot* of emails, and forwarded emails, virtually all of which are in German (which of course takes time to translate). Blick have also issued a statement (in German), which I expect Tom to publish on his blog some time very soon.
German is my second language, not my first, so my husband (who speaks German first language, English second) has been going through all the information with me and translating as necessary.
Now, if I understand the situation correctly from the various emails I have received copies of:
1. nine.ch has pointed out that the malicious content is hosted on a dedicated server
2. nine.ch has pointed out that they only provide the hardware
3. nine.ch claim that they have no control over the content their customers put on the hardware that they provide
4. nine.ch claim they cannot do anything about said customer content, and that all they can do is ask the customer to act on complaints
5. nine.ch claim that they cannot do anything without attempting to contact the customer first
6. nine.ch have now started filtering the malicious content, but only after they did not receive a response from their client
7. nine.ch say that perhaps there was a misunderstanding triggered by the translation from German to English.
With regard to points 3, 4 and 5, I will point out that Nine.ch have terms and conditions (German version, English version) on their web site which say:
"The Customer agrees not to use the Services to commit nor to support criminal actions and will take the necessary steps within his sphere of responsibility to prevent any criminal use by the Customer’s users or third parties."
And
"Nine reserves the right to terminate the Contract at any time for an important reason, namely such as use of Services for the purposes of, or in connection with, criminal acts".
And
"In the event of a well-founded suspicion that the Services are being used in breach of the law or of the contract by the Customer, the Customer’s users or third parties who have gained access to the Services via the computer equipment of the Customer, Nine shall be entitled, at any time and if necessary without prior notification, to prevent the distribution, the allowing of access or the calling up of unlawful content or to interrupt the connection to the Customer, without any obligation of liability or of compensation arising herefrom."
So, it seems to me that the quoted parts of the Terms and Conditions of nine.ch allow nine.ch to act without contacting the customer first in the case of "well-founded suspicion that the Services are being used in breach of the law or of the contract". How much more well founded can you be than actual network captures, and an established history of malicious behaviour?
One question is whether any laws are being broken in Switzerland. We know that the target sites of the malicious banner advertisements - the sites to which gnida.swf redirected victims (malwarealarm, performanceoptimizer etc etc) - are all known as fraudware. The software touted by such sites "scans" victim computers, "finds" "infections" (that don't actually exist) and then charges anywhere between US$20 and US$80 to "clean" said "infections" (infections that don't exist). Does it break the law to facilitate such fraudulent behavior by hosting malicious SWF and other content? Hopefully Tom will address these points in his upcoming article(s).
I will also say that it is simply not good enough to say (paraphrased) "we only supply the hardware and have no control over what our customers do with that hardware" or "only the customer can take steps to stop what is happening" or "we can't do anything without contacting the customer first". Nine.ch are perfectly entitled to say "we will not allow anybody to use our hardware to facilitate fraudulent activity", and nine.ch are perfectly entitled to take steps to immediately isolate malicious domains without contacting the customer first. I know for a fact that this is what happens with malicious advertising campaigns - they are suspended and *then* the talking starts, not vice versa.
Anyway, that is enough for now. Watch this blog for future developments in the ongoing battle against malicious banner advertisements.