Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

WARNING: Winfixer and Errorsafe being distributed via MSN Messenger banner advertisements

February 17th 2007 in Uncategorized

Part of this article may fall to the bottom of screen on smaller displays – scroll down if this happens to you. 


Edit: I should point out that MSN Messenger’s proper name is now Windows Live Messenger.


Pushers of the malware known as winfixer managed to infiltrate a provider of advertising content for MSN banner ads. The dangerous ads appeared in the Windows Live Messenger contact pane, as well as in banner ads on groups.msn.com.  The incidents were reported to secure@microsoft.com and they and the MSN ads team investigated and removed the ads.


Microsoft have issued an official statement as follows:


“Microsoft was notified of malware that was being served through ads placed in Windows Live Messenger banners. As a result of this notification we immediately investigated the reports and removed the offending ads, as this is a violation of our ad serving policy. We can confirm that the ads are no longer being served by any Microsoft system. We apologize for the inconvenience and are reviewing our ad approval process to reduce the chance of an occurrence such as this happening again. To help customers protect their PCs from malware threats, Microsoft recommends customers follow our Protect your PC guidance at www.microsoft.com/protect.” – Whitney Burk, Microsoft.


I was originally warned that this is happening by none other than Patchou of Messenger Plus! fame on Thursday 15 Feb 2007 at 7:33:00 am Perth time.  I received a second report from Johan Brune that confirmed what is happening at 11.56am Perth time, 18 February (about 3 and a half hours ago) and I have now been able to reproduce the problem on my own machine.  It says a lot for Patchou’s integrity that he was willing to write to me and warn me about this problem despite our history.  I have been extremely critical of him and his Sponsor Program in the past and have said some very nasty things at times, yet despite all that we have been able to maintain an open dialogue which has borne important fruit – Patchou was the first person to report the winfixer infiltration to me.


Brief warnings appeared on www.mess.be and at Neowin (http://www.neowin.net/index.php?act=view&id=38176) after Patchou got in touch and while I was still investigating and trying to confirm the problems, but they contain little in the way of screenshots or detailed information.  Also, the articles report that the Free PC-Secure banners trigger dialogue windows, which is not my experience, or the experience of anybody that I have contacted to duplicate my tests and verify the problems.


So far I have seen two ways that the bad guys are using to try and get Winfixer on to a machine via MSN Messenger banner advertisements – one involved a pop-up alert that appeared with no user interaction – the other needs the user to click on the banner advertisement and visit a Web page, then manually download an installer.


The most dangerous banner advertisement looked like this screenshot on my system – nothing happens if you try to click on the banner advertisement BUT when the banner advertisement disappears when the ads are rotated, something worse happens.


When the banner advertisement is rotated (or, as in my case, I refresh the banner advertisement in an IE window) the classic Errorsafe pop-up window appears WITH NO USER INTERACTION REQUIRED – note the URL in the address bar – it is the URL for the banner advertisements that appear in the MSN Messenger contact pane and proves that the advertisement is being served up by rad.msn.com.

Screenshot here:
http://msmvps.com/photos/spyware_sucks/images/591117/original.aspx


Do not click on OK or Cancel when you see such windows!  I clicked on the red close button to shut the dialogue box and then saw this – a classic winfixer tactic.  I strongly recommend that you do NOT click on the OK button:

Screenshot here:
http://msmvps.com/photos/spyware_sucks/images/591121/original.aspx


The second banner advertisement that I have seen and which does not trigger a dialogue box looks like this – the user must click on the banner for anything to happen – further screenshots of the same banner advertisement are at the end of this article:


When the user clicks on the banner advertisement they end up at this Web site:


I downloaded the free PC scanner offered by that Web site and then uploaded it to VirusTotal for scanning – these are the results – WINFIXER again.


This is very bad news for users of MSN Messenger, and for MSN and Microsoft.  Those who read my blog regularly know that I have devoted a lot of time to fighting Winfixer, writing about how those behind Winfixer have attempted to infect victims via the Messenger Plus! Sponsor Program (for which Patchou has taken a lot of heat for years, not only from me, but from many other quarters), as well as Activewin and MySpace.


I am struggling to express how upset, and disappointed, and worried, I am that this has happened.  For years I have been holding up MSN Messenger banner advertisements as an example of how advertisements can be safely served up to end users without putting them at risk of malware.  Now, everything has changed.  Users have been put at direct risk through no fault of their own and they can’t avoid the MSN banner advertisements when the contact pane is open without using a third party hack that is ethically wrong to use.  


This simply shouldn’t have happened.  The people behind secure@microsoft.com have been extremely responsive and open with me about what they’re doing to fight back, and are working on the problem as I write, but experience has shown me that if the bad guys behind winfixer can get in once, they’ll continue to do so – they are sneaky, and dishonest, and know every trick in the book to slip in under the radar.


How hard is it to avoid winfixer advertisements once they infiltrate a network?  In the end, Circle Distribution (who supply the advertisements for the Messenger Plus! sponsor program) found it necessary to edit their users’ HOSTS file to block known Winfixer URLs.  Right Media, who supply CiD with their content, and were also reported as being responsible for serving up winfixer advertisements to MySpace users, seem to be unable to stop those behind winfixer from getting in and haven’t appreciated my criticism of them now that I have turned my focus away from CiD and Messenger Plus and concentrated my criticisms higher up the advertisement food chain.


I had a brief discussion with Bob of ActiveWin when I was in Las Vegas about the winfixer problems on that site, but do not know what steps they may have taken to protect their visitors.  As for MySpace – forget it – just block the site and have done with it.


I’ll update this blog via the comments section as information is made public.  If history repeats itself, Microsoft and MSN are going to have a hell of a time getting rid of winfixer – the bad guys behind that product are nothing if not persistent.  I don’t know how the hell they managed to infiltrate the rad.msn.com network, and I am extremely disappointed, and worried, that they have been able to do so.  MSN Messenger must have millions of users, all of whom are at risk of infection from the malware.


I strongly recommend that all users of MSN Messenger ensure that their antivirus and antispyware applications are up to date.  Do not click on any buttons in pop-up windows that you may see, and do not believe Web sites that report that they have found a problem on your computer – seriously, how the hell would they be able to tell?


Do not click on OK or Cancel buttons in the pop-up windows.  Close the window using the red x close button.


I also strongly recommend that MSN Messenger users download and install Mike Burgess’s HOSTS file to help block winfixer and other bad guys.  You can find Mike’s famous HOSTS file here:
http://www.mvps.org/winhelp2002/hosts.htm
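The HOSTS-file approach recommended above (and the one Circle Distribution fell back on) works by mapping a known-bad hostname to a blackhole address so the browser or IE control can never reach it. The following is an added example, not code from this blog or from the MVPS HOSTS project: a small parser for the plain "address hostname" format that Windows and Unix HOSTS files share, plus a lookup that tells you whether a given hostname or URL would be blocked. The blocklist entries are constructed placeholders, not real malware domains. It also shows the limits of the technique: an unlisted subdomain or an IP-literal URL sails straight past a HOSTS file, which is why the post pairs it with keeping antivirus and antispyware up to date.

```python
"""Check whether hostnames would be blocked by a HOSTS-file blocklist.

Added example (not code from the Spyware Sucks blog or the MVPS HOSTS
project).  It parses the plain "address hostname" format shared by
Windows and Unix HOSTS files and answers whether a hostname or URL
would be sent to a blackhole address.  The sample blocklist below is
constructed for this example; its hostnames are placeholders, not real
malware domains.
"""

from urllib.parse import urlsplit

# Addresses blocklists use to sink a name.  Older lists (2007 era) used
# 127.0.0.1, newer ones use 0.0.0.0; accept both.
BLACKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1"}

# Names that legitimately map to 127.0.0.1 and must not count as blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample in HOSTS-file syntax: comments, blank lines, inline
# comments and mixed case, as a real downloaded list would contain.
SAMPLE_HOSTS = """\
# Constructed sample blocklist (placeholder hostnames only)
127.0.0.1       localhost

0.0.0.0         ads.bad-ads.example          # hypothetical ad host
0.0.0.0         Scanner.Fake-Security.example
0.0.0.0         cdn.bad-ads.example  # second hypothetical entry
"""


def parse_hosts(text):
    """Return {hostname: address} for every entry in HOSTS-file text.

    Hostnames are lowercased because DNS names are case-insensitive, and
    one line may map several names to the same address.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed line: ignore it
        address, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower()] = address
    return mapping


def is_blocked(hostname, mapping):
    """True if the HOSTS entry for hostname points at a blackhole address."""
    name = hostname.lower().rstrip(".")       # tolerate a trailing dot
    if name in LOCAL_NAMES:
        return False
    return mapping.get(name) in BLACKHOLE_ADDRESSES


def url_is_blocked(url, mapping):
    """Apply the check to a full URL, such as one an ad iframe would load.

    A HOSTS file matches exact hostnames only: an IP-literal URL or an
    unlisted subdomain is not blocked, which is the technique's main gap.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False
    return is_blocked(host, mapping)


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for u in ["http://ads.bad-ads.example/banner.swf",
              "http://SCANNER.fake-security.example/scan",
              "http://new.bad-ads.example/banner.swf",   # unlisted subdomain
              "http://203.0.113.7/banner.swf"]:          # IP literal (TEST-NET-3)
        print(f"{u:48} blocked={url_is_blocked(u, table)}")
```

Run it as a script to see the four verdicts; the last two URLs come back unblocked even though they belong to the same hypothetical bad actor, which is the caveat to keep in mind when relying on a HOSTS file alone.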


As I mentioned earlier, there are third party add-ins that remove the advertisement pane from MSN Messenger, as discussed in the Neowin thread.  I have always spoken out against such tools when I believed that MSN Messenger advertisements were always safe, but now I have to seriously consider whether I should start recommending them.  All will depend on whether MSN and Microsoft are able to successfully block the winfixer malware advertisements from here on in.  Patchou has written to me to advise that the anti-ad patches may not work anyway.  He says that many of the patches just hide the IE control; it is still running, so users will still get the message boxes and what follows them, and if anything this may make the situation even worse by hiding where the pop-ups are coming from.


MSN Messenger is also advertising screensavers, but they are more traditional adware and don’t use dirty tricks like the pop-up windows that winfixer is infamous for. I still recommend that you avoid such free software, which invariably comes bundled with foistware such as toolbars and/or adware that generates pop-ups and the like.



Further free PC scanner banner advertisement screenshots…



 


21 comments to...
“WARNING: Winfixer and Errorsafe being distributed via MSN Messenger banner advertisements”

sandi

I’ve been cycling through rad.msn.com advertisements for a couple of hours now, and all three featured advertisements seem to be gone.  I’m still in touch with those behind secure@microsoft.com and should have more to report tomorrow.



MenthiX

Somebody digged it http://digg.com/security/Microsoft_is_distributing_Winfixer_malware

Let’s see if it can make digg.com homepage, the more diggs, the more people will be aware.



sandi

@menthix.

Heh, that would be a first. I’ve been ‘dug’ a few times but never made it past, I think, 3 or so digs.



Corrine

Up to 10 diggs, Sandi. Spreading the word.

Pingback: http://securitygarden.blogspot.com/2007/02/msn-messenger-delivers-winfixer.html



sandi

@Corrine

:o)

It will be interesting to see if this ends up on /.



Alex

USE FIREFOX



sandi

Alex,

Don’t be a fool. The malware was using a Flash Advert in Windows Live Messenger to try to get on to a system – Firefox is no protection, especially considering the unpatched Firefox statistics to left of screen.

Do us all a favour; stop with the fanboi fanaticism and get out there and get those 36.49% of vulnerable FF 1.x systems patched – they, sir, are just at risk, actually they are MORE at risk, than IE7 users.

It’s because of people like you that those 36.40% are sitting there saying “I’m using Firefox, I’m safe”. No you’re not if you don’t patch and update!!!



sandi

There is an excellent write up about the incident, winfixer, and how it sneaks on to systems here:

http://www.infoworld.com/article/07/02/20/HNmicrosoftscareware_1.html



Aaron

Er, I just use Trillian. ;-)

Mistakes will happen, but MS has a responsibility to make sure it NEVER happens again.



sandi

Aaron,

We now know that the advertisements were also seen on MSN Groups pages. Trillian won’t help you there.

We have to break this mindset of “simply change to Trillian” or “use Firefox” when facing up to the task of how do we have protect our users from crap like winfixer.

Did you know that the bad guys are moving away from IE specific exploits and using other things such as banner ads, and flash exploits, and quicktime exploits, and java exploits, all of which are not IE dependent. So, where does this leave Firefox users who have moved to that browser because it is “safer”.

Check out the unpatched Firefox stats to left of screen – every single one of those 36.5% of FF 1.x users is at grave risk because they are unpatched – and do you know *why* they are unpatched? Because Zealots have told them to “switch to Firefox” without *also* saying “make sure you keep patching because you are still at risk – sure, it’s a *different* risk, but you’re still at risk.”

Opera users are even worse – the unpatched status of Opera users is staggering.



franki


Jack

Sandi,

While your commitment to computer security is admirable, your use of statistics is misleading.

To wit:
If 36% of 32,890 users of Firefox 1.x are vulnerable, that equates to 11,840 people at risk.

If 5% of IE7 installations are insecure, of 153,310 users tested, that means 7665 users are potentially at risk.

In this comparison, however, we’re looking at the security of 186,200 users. 82% of these users run IE7, and 18% of them run Firefox 1.x. If this usage pattern is consistent throughout the internet, it is much more statistically likely the greatest number of people will have encounter security risks through IE.

This is all just academic, though, because there’s not actually a valid statistical sample here. There’s no control group, we have no additional data about the users, and participation in the statistics is apparently voluntary, though a site specifically targeted at people with an interest in computer security.

The comparison becomes more invalid because it ignores the level of user sophistication– many users simply ignore update notifications from Windows, have little inclination to learn proper procedures, and simply do not comprehend the threat. It is unlikely they will have participated in an online security scan, much less taken the time to learn about and employ security methods.

Finally, comparing the very latest flagship product from one of the world’s leading software companies to an obsolete version of a less mature piece of software written by volunteers proves nothing. I’m fairly sure that Firefox 2.0 is more secure than IE4, also, but that would be a specious argument.



Kev

I just read this, very interesting. I think you raise the point of FF vs IE very well. It is scary how many people think they become safe by merely switching browsers :/

/me pats his *nix box ;)



chaizzilla

> Users have been put at direct risk through no fault of their own and they can’t avoid the MSN banner advertisements when the contact pane is open without using a third party hack that is ethically wrong to use.

Explain this further?



plrpro@gmail.com

Most of the time when you have winfix or winfixer you also have other spyware installed on your system like vundo or virtumonde.  Winfixer is not all that hard to remove but virtumonde can be a big pain.



Virtumonde Removal Guides

I have been battling the virtumonde trojan for years now.  Spybot S&D helps but does not get all of it.  Vundofix is another free based program to try and about half of the time will remove the threat.  I personally have my own Virtumonde Removal Guide I follow that works really well.



Wsdcent

Thanks for the information, i will try to make people know about it.



Remove Winfixer ?

Thanks for the information. This adware has caused me so many problems in the past! I will certainly let people know that this is being distributed via MSN Messenger banner advertisements.

Thanks….



Andy Gresh

I had a run in with WinFixer, it definitely was not very fun. I downloaded a program off this website to get rid of it.



Virtumonde

Winfixer has been around a while now.  Often times doing a system restore to a date when Winfixer was not present will remove the active traces.  From there many free programs can remove the rest of the traces



yman

Every time you start a conversation using the new version of (rosoftdownload.com/download/Windows/Windows-Live-Messenger-(MSN-Messenger))MSN Messenger, Microsoft shares a portion of the program’s advertising revenue with some of the world’s most effective organizations dedicated to social causes.

