Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Winfixer and ValueClick – an oft appearing association

April 25th 2007 in Uncategorized

My regular readers will remember my various articles about the Winfixer infiltration of the AOL and MSN advertising networks that happened not long ago.  Winfixer infiltration of Web site advertising (as well as forum and comment spam) continues to be problematic, and one name that keeps on popping up over and over again is adfarm.mediaplex.com (Mediaplex is owned by ValueClick).  The problem seems to be so endemic that any web site, forum or Web comment that utilises links that redirect to adfarm.mediaplex.com is potentially placing its visitors at risk of a Winfixer infection.


Over the past couple of months I have had in-person and telephone conferences with representatives and technical staff at MSN and AOL as a direct result of the Winfixer infiltrations of various advertising networks.  They have learned a lot from the events of the past few months, as have I.  I don’t think any of us realised how widespread the problem was, or just how sophisticated the bad guys were getting, until we started taking a close look.


Mike Burgess and I have been having a close look at adfarm.mediaplex.com.  I have tried to contact ValueClick regarding the adfarm.mediaplex.com problems using their “contact us” page on their Web site, but as of yet have received no response (and those of you that know me well know that a failure to respond is sure to intensify the attention that I pay to a problem advertisement network).  I will be contacting them directly via an email address given to me by an associate as soon as this article goes live, and will report on their responses, if any.


Edit 26 April: There has been no response from ValueClick


Edit 27 April: ValueClick have responded to advise they are investigating


Edit 8 May: ValueClick report that they are still investigating


Why is Winfixer bad?


The Winfixer group of products is listed as a “Rogue Security Product” in the latest Microsoft Security Response Report.  The Microsoft Security Intelligence Report can be downloaded here:
http://download.microsoft.com/download/f/d/a/fda5850e-269f-40a3-9708-c60eb837456f/MS_Security_Report_Jul-Dec06.pdf


Microsoft’s definition of “Rogue Security Products” is:

“These products appear under a variety of names and produce a variety of results for the end user, ranging from limited or no detection capability, coupled with a fraudulent request to pay for a “full” version, to outright malicious behavior, such as installing malicious software without the user’s consent in order to give the product something to detect. In many cases, the people behind such software would attempt to get the infected individual to pay them for removal of purported infections using fraud and social engineering.” 

A worrying statistic from the Rogue Security Products table that specifically mentions Winfixer products is that 55% of users who have WinSoftware.WinAntiVirus installed, and 31.3% of users who have WinSoftware.WinAntiSpyware installed chose to *ignore* the detection, with only 30.6% and 37.6% respectively choosing to remove the software.  I can only assume that the victims of these products are choosing to believe that the various Winfixer offerings are legitimate products instead of heeding the warning being given by Windows Defender. 


In contrast, 75.7% of Windows Defender users choose to remove the “potentially unwanted software” C2.LOP (aka C2Media, aka Circle Distribution, and the software commonly known as the Messenger Plus! Sponsor Program).


Now, all of us are entitled to earn an income, all of us are entitled to advertise, and companies such as Mediaplex and ValueClick are entitled to offer a service to advertisers.  BUT, I believe that a line is crossed when deceit is practiced – when the advertisers that Mediaplex and ValueClick are “enabling” via their services try to automatically download and install their product on to your system (thank heaven for IE’s info bar that stops such things from happening automatically), when an advertisement tries to trick you into thinking that your computer system is having issues or that your privacy is at risk, or when the software being touted falsely reports infections where none exists – companies such as ValueClick and Mediaplex should run, screaming, from such clients.  Slowly but surely I’m seeing a move towards forcing advertisers, and those who use their services, to ensure that those they associate and do business with are ethical and above board, as distinct to just making sure that their own actions are ok.  In short, saying “but it wasn’t me” and “but I didn’t know” isn’t the end-of-responsibility argument that it used to be.


Winfixer prevalence


Just how pervasive is the spamming, pimping and touting of Winfixer domains?  How many adverts are out there pushing people to such sites, and how many potential infectees are there?  Well, let’s have a look at the Alexa Traffic Ranking of various Winfixer sites:


Drivecleaner.com:
http://www.alexa.com/data/details/traffic_details?url=www.drivecleaner.com
(rank 587) (570 on 26 April)


Systemdoctor.com:
http://www.alexa.com/data/details/traffic_details?url=www.systemdoctor.com
(ranking 966) (929 on 26 April)


Errorsafe:
http://www.alexa.com/data/details/traffic_details?url=www.errorsafe.com
(ranking 1,001) (990 on 26 April)


Winantivirus:
http://www.alexa.com/data/details/traffic_details?url=www.winantivirus.com
(ranking 1,630) (1,574 on 26 April)


Winantispyware:
http://www.alexa.com/data/details/traffic_details?url=www.winantispyware.com
(rank 4,793) (4,539 on 26 April)


Errorprotector.com:
http://www.alexa.com/data/details/traffic_details?url=www.errorprotector.com
(ranking 7,636) (6,966 on 26 April)


Gomyron.com:
http://www.alexa.com/data/details/traffic_details?url=www.gomyron.com
(ranking 214,212) (197,535 on 26 April)


By way of comparison with legitimate security products, mcafee.com has a ranking of 932 (954 on 26 April), symantec.com has a ranking of 218 (222 on 26 April), ca.com has a ranking of 3,148 (3,262 on 26 April) and trendmicro.com has a ranking of 2,335 (2,361 on 26 April).


How is ValueClick involved in the spread of Winfixer?


ValueClick owns Mediaplex, and Mediaplex is an oft-spotted contributor to the spread of Winfixer malware.


Just some adfarm.mediaplex.com URLs that redirect to Winfixer and Winfixer-like sites include:


hxxp://go.errorsafe.com/MTUwNzE=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45684?mpt=1177402585&aid=swp_ers&lid=5590&affid=pp_841427153&p=ers&ax=1&ed=1&ex=1


hxxp://go.winantivirus.com/NTIzMw==/2/3224/ax=1/ex=1//
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45678?mpt=1177404112&aid=swp_wa7p&lid=3224&affid=pp_2131627152&ax=1&ex=1


hxxp://go.winantispyware.com/MTUwNjU=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45682?mpt=1177473791&aid=swp_was7&lid=5590&affid=pp_117727353&p=was&ax=1&ed=1&ex=1


hxxp://go.winantispyware.com/NTY2Mg==/2/3345/ax=1/ed=1/ex=1/af6/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45682?mpt=1177485361&aid=swp_was7&lid=3345&affid=pp_669127382&p=was&ed=1&ex=1


hxxp://go.privacyprotector.com/MTUwNjc=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/49988?mpt=1177473894&aid=swp_pp&lid=5590&affid=pp_181027351&ax=1&ed=1&ex=1


hxxp://go.winantivirus.com/MTUwNjg=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45678?mpt=1177474037&aid=swp_wa7p&lid=5590&affid=pp_271427354&ax=1&ed=1&ex=1


hxxp://go.drivecleaner.com/MTUwNjk=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45688?mpt=1177474361&aid=swp_dc&lid=5590&affid=pp_469727351&ax=1&ed=1&ex=1


hxxp://go.errorprotector.com/MTUwNzA=/2/5590/ctx=1/in=1/epp=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/49487?mpt=1177474589&aid=swp_erp&lid=5590&affid=pp_619327354&ctx=1&in=1&epp=1


hxxp://go.systemdoctor.com/MTUwNzI=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45686?mpt=1177474773&aid=swp_sdr&lid=5590&affid=pp_737127354&ax=1&ed=1&ex=1


hxxp://gomyron.com/MTUwNzM=/2/5590/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/7412-39608-16292-6?mpt=1177475141&aid=swp_ron&lid=5590&affid=pp_944227352&
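
The redirect pairs above can be broken into the fields a defender would pivot on when reviewing proxy or referrer logs. The Python below is an added example, not code from the original article; the function names are illustrative, and it assumes (from the listed values) that the first path segment of each go.* URL is a base64-encoded id and that mpt is a Unix timestamp.

```python
import base64
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Four of the redirect pairs listed above, kept defanged (hxxp) as published.
OBSERVED = [
    ("hxxp://go.errorsafe.com/MTUwNzE=/2/5590/ax=1/ed=1/ex=1/555/",
     "hxxp://adfarm.mediaplex.com/ad/ck/45684?mpt=1177402585&aid=swp_ers&lid=5590&affid=pp_841427153&p=ers&ax=1&ed=1&ex=1"),
    ("hxxp://go.winantivirus.com/NTIzMw==/2/3224/ax=1/ex=1//",
     "hxxp://adfarm.mediaplex.com/ad/ck/45678?mpt=1177404112&aid=swp_wa7p&lid=3224&affid=pp_2131627152&ax=1&ex=1"),
    ("hxxp://go.winantispyware.com/NTY2Mg==/2/3345/ax=1/ed=1/ex=1/af6/",
     "hxxp://adfarm.mediaplex.com/ad/ck/45682?mpt=1177485361&aid=swp_was7&lid=3345&affid=pp_669127382&p=was&ed=1&ex=1"),
    ("hxxp://go.winantivirus.com/MTUwNjg=/2/5590/ax=1/ed=1/ex=1/555/",
     "hxxp://adfarm.mediaplex.com/ad/ck/45678?mpt=1177474037&aid=swp_wa7p&lid=5590&affid=pp_271427354&ax=1&ed=1&ex=1"),
]


def _split(url):
    # Swap the defanged scheme back only in memory so urlsplit sees a normal URL.
    return urlsplit(url.replace("hxxp", "http", 1))


def parse_pair(src, dst):
    """Extract the pivot fields from one (landing URL, tracker URL) pair."""
    s, d = _split(src), _split(dst)
    seg = [p for p in s.path.split("/") if p]
    q = {k: v[0] for k, v in parse_qs(d.query).items()}
    seen = datetime.fromtimestamp(int(q["mpt"]), tz=timezone.utc)  # assumption: epoch seconds
    return {
        "landing_host": s.hostname,
        "token": base64.b64decode(seg[0]).decode("ascii"),  # assumption: base64 id
        "path_lid": seg[2],
        "ck_id": d.path.rsplit("/", 1)[-1],
        "aid": q.get("aid"),
        "lid": q.get("lid"),
        "seen_utc": seen.date().isoformat(),
    }


def group_by_tracker(pairs):
    """Map each /ad/ck/ id to the (landing host, lid) combinations behind it."""
    groups = defaultdict(set)
    for src, dst in pairs:
        r = parse_pair(src, dst)
        groups[r["ck_id"]].add((r["landing_host"], r["lid"]))
    return {ck: sorted(v) for ck, v in groups.items()}


if __name__ == "__main__":
    for pair in OBSERVED:
        print(parse_pair(*pair))
    print(group_by_tracker(OBSERVED))
```

In all four pairs the lid query value equals the third path segment of the landing URL, so either side of the redirect is enough to tie a log entry to the same placement.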


Mike Burgess writes about hard-core adult sites with images of underage boys that use adfarm.mediaplex.com content
http://msmvps.com/blogs/hostsnews/archive/2007/04/22/more-on-Winfixer-and-valueclick.aspx


He also writes about false claims of TRUSTe certification (again with adfarm.mediaplex.com content)
hxxps://secure.drivecleaner.com/payment/?ad=keyin&link=keyin&site=169&product=452&aff=


<body onload="setSelected()">
<IMG SRC="hxxps://adfarm.mediaplex.com/ad/bk/7412-39614-2054-1?Get=1&mpuid=" BORDER=0 HEIGHT=1 WIDTH=1>
<IMG SRC="hxxps://adfarm.mediaplex.com/ad/bk/7390-42400-2054-1?1-PaypageEntrance=1&mpuid=" BORDER=0 HEIGHT=1 WIDTH=1>


The above is the same exact code as is displayed here:
http://msmvps.com/blogs/hostsnews/archive/2007/04/23/Winfixer-and-valueclick-in-the-uk.aspx


Then there is this report by Mike:
http://msmvps.com/blogs/hostsnews/archive/2007/04/20/are-advertisers-promoting-malware.aspx


And this:
http://msmvps.com/blogs/hostsnews/archive/2007/04/21/more-on-Winfixer.aspx


My sincere hope is that Mediaplex and ValueClick come to the attention of the FTC, and that the FTC takes action, if Mediaplex and ValueClick do not take comprehensive action to clean up their service and make sure that the problems discussed here do not recur in the future.


Do ValueClick enforce their antispam policy?


ValueClick says:


“It is our policy to prohibit the sending of unsolicited or “Spam” e-mail by ValueClick or any of its marketing partners.” (cite: http://www.valueclick.com/privacy.html)


Hundreds of spam messages have been posted on various forums in contravention of the above policy:


http://www.google.com/search?q=drivecleaner.com&hl=en&safe=off&start=40&sa=N$
http://www.google.com/search?q=go.sexprofit.com&hl=en&safe=off&start=10&sa=N


A typical spam post can be found here:
http://www.splinecage.com/forums/archive/index.php/t-1550.html


Every single one of the links in that forum post routes thru adfarm.mediaplex.com.


My own blog is being hit by hundreds of spam comments every week – in fact, I have 2095 comments awaiting my attention right at this very moment, all of which are marked as spam, and 99% of which are submitted by a very prolific “author” under the pseudonym “…” (yes, I know, the author is a bot – I’m being facetious). 


Anyway, all of the comments submitted by author “…” have a myriad different URLs as the author’s Web site, virtually all of which redirect to Winfixer sites via adfarm.mediaplex.com.  Yes, I could list all of the URLs that I am seeing in my blog comments, and provide definitive proof of adfarm.mediaplex.com involvement, but I think this article will prove beyond a doubt that there is a big problem at Mediaplex even without those specifics.


To give you an idea of just how endemic the problem of adfarm.mediaplex.com being used as a conduit for winfixer malware is, check out the list of adfarm.mediaplex.com URLs below, all of which redirect to Winfixer, Winfixer related or Winfixer type sites at the time of testing.  I noticed as I was working my way through the various adfarm.mediaplex.com URLs by changing (for example) 45678 to 45679 then 45680 and so on and so forth, that I was hitting very few “legitimate” Web sites using this test routine, which is very worrying and makes me wonder just how widespread the Winfixer infiltration is at ValueClick.  I suspect that if I kept checking, and testing, that I could continue to add to that list, but let’s be honest, I’m already at the stage where I am thinking “enough already – I get it – there’s a big problem here”.


I have already tried the “Contact Us” facility at http://www.valueclick.com/about/contact.html and received NO RESPONSE – not even an acknowledgement that my approach had been received, despite my including this URL – hell, if potential underage porn doesn’t get their attention, what the hell will???
http://msmvps.com/blogs/spywaresucks/archive/2007/04/22/857830.aspx


It will be very interesting to see what reaction, if any, we get from Mediaplex and ValueClick when they see this article.  You see, they need to do more than get rid of the rogue content that is already there; they have to stop future occurrences and reassure everybody who uses their content that Mediaplex and ValueClick can be trusted to stay clean going forward, but here is the kicker… will they want to, especially if Winfixer and Winfixer type clients are a major part of any sector of their income stream? 




6 comments to...
“Winfixer and ValueClick – an oft appearing association”

Brian Madsen

Sandi,

That’s a brilliant breakdown of one of the worst offenders out there today.

It’s common knowledge that you shouldn’t click/download/view documents/accept invitations etc from strangers, but some of the tricks these people use are just below the belt at times.

Thanks for the tips and info on Winfixer….



Joseph Bochner

Excellent work Sandi. As some of you probably know, I’m an attorney representing a plaintiff in San Jose, CA whose computer WinFixer recently trashed. It’s our goal to stop WinFixer at its source, and permanently.

You can learn more about my work here:

http://www.youtube.com/watch?v=zBUZHiKhsog

And here:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9012579

Anyone who has been affected by these Mediaplex ads, please feel free to contact me at (650) 575-6590, or by emailing counsel@fixwinfixer.com. Best wishes, Joseph



Wayne Small

Great work Sandi – but when will they pay you to protect the world? Seriously – how much of this stuff do the vendors and the community expect for free? How much have MS or AOL paid you to continue the fight? I know – NOTHING – NADA – ZIP. You do this out of the goodness of your heart which I know well. Surely – if they really thought it was a worthy cause they would have gotten the problem solved by now! Don’t get me wrong – I’m not criticising your work at all – but when will the big guys step up to the plate and take a swing at solving this. You do this out of your best intentions and for free. You should be being paid as a security consultant by MS or AOL given you’ve saved countless millions from being infected by this crap.

Now you’ve got attorneys reading your blog and potentially using it in court – they get paid – what about you?

Keep up the good work Sandi – but hopefully someone from MS or AOL will think about contributing to keeping food on Sandi’s table 🙂

Wayne



JeanInMontana

Kick ass article Sandi. I’m going to spread it around. Just the other day I couldn’t convince someone that ValueClick did deserve to be included in a database for blocking. This should do it!



coz

NICE JOB. Glad to see someone is out there helping with this crap. I really liked that you posted details and numbers!



Jenny

This article is so very informational. Just yesterday, I happened to get onto an adult dating site and my laptop got hit by spyware, took control over my IE and then all I know is that the names listed in this article – gomyron.com, go.errorprotector.com, go.privacyprotector.com just started repeatedly popping up on my system and I couldn’t do a thing about it. My IE was totally gone and I started getting warning and alarming messages continuously that my system has been hit with viruses. The techs had a hard time getting it off the system.

I hope this article really is a step forward for someone to take action against valueclick and mediaplex. They sure can make your life miserable

