Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Valueclick and Winfixer continue to be a problem

May 31st 2007 in Uncategorized

Mike Burgess was hopeful that Valueclick had cut ties with Winfixer.
http://msmvps.com/blogs/hostsnews/archive/2007/05/25/valueclick-cuts-ties-with-the-winfixer-group.aspx


Unfortunately I have definitive proof that this is NOT the case.


See here – we have evidence of an attempt to infect systems with Winfixer TONIGHT via a malicious ad served through adfarm.mediaplex.com – and this is one of the more *NASTY* ones: we're not looking at just a pop-up, or just a dialogue box. When the dangerous ad appears the victim is redirected AWAY from www.mobygames.com and dumped at the Winfixer site with no user interaction required. In short, the user's Web surfing is involuntarily HIJACKED.


Even worse, the bastards behind Winfixer are being tricky – the redirect only occurs about once per day, *BUT* if you use the Flash settings console to delete all previously stored Flash content, the hijack will occur again, and again, and again, VERY quickly indeed.


If you want to investigate this infestation, and want to get around the bad guys' attempts to avoid detection, you need to empty your Flash cache every time the malware hits. Go here and then click on the option to delete all sites:


Here is my network trace showing the redirect via an advert on www.mobygames.com via adfarm.mediaplex.com.


I first opened a dialogue with ValueClick via email about the Winfixer problem more than a month ago, yet the problem continues. This is simply not good enough.


Network captures follow – yes, there are a hell of a lot more, but let's be honest here, how many times do we have to prove that there is a problem?


PLEASE SEND ME AN EMAIL IF YOU SEE WINFIXER – I WILL INVESTIGATE, PUBLICIZE, AND NAME AND SHAME ANY AD NETWORK THAT IS CONTRIBUTING TO THE DISTRIBUTION OF SUCH MALWARE.


  Frame:
+ WiFi: [Unencrypted Data Data] .T…., (I)
+ LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
+ Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX
+ Ipv4: Next Protocol = TCP, Packet ID = 15349, Total IP Length = 991
+ Tcp: Flags=…PA…, SrcPort=50185, DstPort=HTTP Alternate(8080), Len=951, Seq=3278634856 – 3278635807, Ack=40855410, Win=4262 (scale factor not found)
– Http: Request, GET http://adfarm.mediaplex.com/ad/ck/52500
    Command: GET
  – URI: http://adfarm.mediaplex.com/ad/ck/52500?aid=f0rw9rdx_rdt
     Location: http://adfarm.mediaplex.com/ad/ck/52500
     aid: f0rw9rdx_rdt
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://ads.mobygames.com/adserver/adimage.php?filename=h2v_728x90_2.swf&contenttype=swf&clickTAG=http://ads.mobygames.com/adserver/adclick.p

    Cookie:  svid=7106602301; __utma=183366586.1351200665.1177472688.1177472688.1177495208.2; __utmz=183366586.1177472688.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
    Host:  adfarm.mediaplex.com
    Proxy-Connection:  Keep-Alive
    HeaderEnd: CRLF


Followed by:


  Frame:
+ WiFi: [Unencrypted Data Data] .T…., (I)
+ LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
+ Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX
+ Ipv4: Next Protocol = TCP, Packet ID = 15351, Total IP Length = 1362
+ Tcp: Flags=…PA…, SrcPort=50192, DstPort=HTTP Alternate(8080), Len=1322, Seq=4010949088 – 4010950410, Ack=2340755632, Win=4016 (scale factor not found)
– Http: Request, GET http://www.drivecleaner.com/.freeware/
    Command: GET
  – URI: http://www.drivecleaner.com/.freeware/?p=20&ax=1&ex=1&ed=2&aid=f0rw9rdx_rdt
     Location: http://www.drivecleaner.com/.freeware/
     p: 20
     ax: 1
     ex: 1
     ed: 2
     aid: f0rw9rdx_rdt
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://ads.mobygames.com/adserver/adimage.php?filename=h2v_728x90_2.swf&contenttype=swf&clickTAG=http://ads.mobygames.com/adserver/adclick.p

    Cookie:  rff=http%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadimage.php%253Ffilename%253Dh2v_728x90_2.swf%2526contenttype%253Dswf%2526clickTAG%253Dhttp%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadclick.p; ad=f0rw9rdx_rdt_au_en_ed2; link=keyin; c
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
    Host:  www.drivecleaner.com
    Proxy-Connection:  Keep-Alive
    HeaderEnd: CRLF


Followed by:


  Frame:
+ WiFi: [Unencrypted Data Data] .T…., (I)
+ LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
+ Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX
+ Ipv4: Next Protocol = TCP, Packet ID = 15355, Total IP Length = 1230
+ Tcp: Flags=…PA…, SrcPort=50183, DstPort=HTTP Alternate(8080), Len=1190, Seq=2863417415 – 2863418605, Ack=2340276141, Win=16103 (scale factor not found)
– Http: Request, GET http://www.drivecleaner.com/.freeware/index.php
    Command: GET
  – URI: http://www.drivecleaner.com/.freeware/index.php?p=20&ax=1&ex=1&link=keyin&ad=f0rw9rdx_rdt_au_en_ed2&aff=
     Location: http://www.drivecleaner.com/.freeware/index.php
     p: 20
     ax: 1
     ex: 1
     link: keyin
     ad: f0rw9rdx_rdt_au_en_ed2
     aff: 
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
    Host:  www.drivecleaner.com
    Proxy-Connection:  Keep-Alive
    Cookie:  rff=http%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadimage.php%253Ffilename%253Dh2v_728x90_2.swf%2526contenttype%253Dswf%2526clickTAG%253Dhttp%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadclick.p; ad=f0rw9rdx_rdt; link=keyin; cnt=AU; lng
    HeaderEnd: CRLF




  Frame:
+ WiFi: [Unencrypted Data Data] .T…., (I)
+ LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
+ Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX
+ Ipv4: Next Protocol = TCP, Packet ID = 15360, Total IP Length = 1036
+ Tcp: Flags=…PA…, SrcPort=50179, DstPort=HTTP Alternate(8080), Len=996, Seq=211796996 – 211797992, Ack=355888886, Win=4037 (scale factor not found)
– Http: Request, GET http://www.drivecleaner.com/.freeware/libs/product.js
    Command: GET
  – URI: http://www.drivecleaner.com/.freeware/libs/product.js
     Location: http://www.drivecleaner.com/.freeware/libs/product.js
    ProtocolVersion: HTTP/1.1
    Accept:  */*
    Referer:  http://www.drivecleaner.com/.freeware/index.php?p=20&ax=1&ex=1&link=keyin&ad=f0rw9rdx_rdt_au_en_ed2&aff=
    Accept-Language:  en-US
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
    Proxy-Connection:  Keep-Alive
    Host:  www.drivecleaner.com
    Cookie:  rff=http%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadimage.php%253Ffilename%253Dh2v_728x90_2.swf%2526contenttype%253Dswf%2526clickTAG%253Dhttp%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadclick.p; ad=f0rw9rdx_rdt_au_en_ed2; link=keyin; c
    HeaderEnd: CRLF

  Frame:
+ WiFi: [Unencrypted Data Data] .T…., (I)
+ LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
+ Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX
+ Ipv4: Next Protocol = TCP, Packet ID = 15370, Total IP Length = 1086
+ Tcp: Flags=…PA…, SrcPort=50187, DstPort=HTTP Alternate(8080), Len=1046, Seq=2230411576 – 2230412622, Ack=3079221333, Win=4212 (scale factor not found)
– Http: Request, GET http://www.drivecleaner.com/.freeware/libs/utils.php
    Command: GET
  – URI: http://www.drivecleaner.com/.freeware/libs/utils.php?ad=f0rw9rdx_rdt_au_en_ed2&link=keyin&ex=1&j=0&aff=
     Location: http://www.drivecleaner.com/.freeware/libs/utils.php
     ad: f0rw9rdx_rdt_au_en_ed2
     link: keyin
     ex: 1
     j: 0
     aff: 
    ProtocolVersion: HTTP/1.1
    Accept:  */*
    Referer:  http://www.drivecleaner.com/.freeware/index.php?p=20&ax=1&ex=1&link=keyin&ad=f0rw9rdx_rdt_au_en_ed2&aff=
    Accept-Language:  en-US
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2; Media Center PC 5.0)
    Proxy-Connection:  Keep-Alive
    Host:  www.drivecleaner.com
    Cookie:  rff=http%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadimage.php%253Ffilename%253Dh2v_728x90_2.swf%2526contenttype%253Dswf%2526clickTAG%253Dhttp%253A%252F%252Fads.mobygames.com%252Fadserver%252Fadclick.p; ad=f0rw9rdx_rdt_au_en_ed2; link=keyin; c
    HeaderEnd: CRLF
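The captures above can be read mechanically. As an added example (not code from the post), this parses the Network Monitor request blocks, follows the aid tracking id from the mediaplex click URL through to drivecleaner.com, and flags any host that the publisher's .swf creative navigated to which is neither the publisher nor a known ad network; the sample trace is constructed from the three quoted requests and the ad-network allowlist is an assumption.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: Host, URI and Referer lines of the post's three quoted requests (Referer trimmed).
SAMPLE_TRACE = """\
- Http: Request, GET http://adfarm.mediaplex.com/ad/ck/52500
  - URI: http://adfarm.mediaplex.com/ad/ck/52500?aid=f0rw9rdx_rdt
    Referer:  http://ads.mobygames.com/adserver/adimage.php?filename=h2v_728x90_2.swf&contenttype=swf
    Host:  adfarm.mediaplex.com
- Http: Request, GET http://www.drivecleaner.com/.freeware/
  - URI: http://www.drivecleaner.com/.freeware/?p=20&ax=1&ex=1&ed=2&aid=f0rw9rdx_rdt
    Referer:  http://ads.mobygames.com/adserver/adimage.php?filename=h2v_728x90_2.swf&contenttype=swf
    Host:  www.drivecleaner.com
- Http: Request, GET http://www.drivecleaner.com/.freeware/index.php
  - URI: http://www.drivecleaner.com/.freeware/index.php?p=20&link=keyin&ad=f0rw9rdx_rdt_au_en_ed2&aff=
    Host:  www.drivecleaner.com
"""

def parse_requests(trace):
    """One dict (uri, host, referer) per 'Http: Request' block of the export."""
    reqs = []
    for line in (l.strip() for l in trace.splitlines()):
        if line.startswith("- Http: Request"):
            reqs.append({"referer": ""})
        elif reqs and line.startswith(("- URI:", "Referer:", "Host:")):
            key, val = line.split(":", 1)
            reqs[-1][key.strip("- ").lower()] = val.strip()
    return reqs

def track_ad_id(reqs, param="aid"):
    """(host, referer host) of every request carrying the ad-click id, even
    after drivecleaner rewrites it into a longer value (<id>_au_en_ed2)."""
    seen, hops = set(), []
    for r in reqs:
        q = parse_qs(urlparse(r["uri"]).query, keep_blank_values=True)
        seen.update(q.get(param, []))
        if any(v.startswith(i) for i in seen for vs in q.values() for v in vs):
            hops.append((r["host"], urlparse(r["referer"]).hostname))
    return hops

def hijacked_navigations(reqs, publisher, ad_networks):
    """Hosts reached directly from the publisher's .swf ad creative that are
    neither the publisher nor a known ad network: the banner moved the page."""
    bad = set()
    for r in reqs:
        ref = urlparse(r["referer"])
        if (ref.hostname and ref.hostname.endswith(publisher) and ".swf" in ref.query
                and r["host"] not in ad_networks and not r["host"].endswith(publisher)):
            bad.add(r["host"])
    return sorted(bad)
```

Run against a full export, the second function is the check that matters: a click-tracking hop to an ad network is normal, a top-level navigation straight from a banner to an unrelated domain is not.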




One comment to...
“Valueclick and Winfixer continue to be a problem”

TeMerc

I found this over on SpamHuntress and pointed here:
http://spamhuntress.com/2007/05/31/winfixer-more-aggressive/

