Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Winfixer, real media and valueclick…. the fight continues

June 26th 2007 in Uncategorized

I don’t know about you, but I feel like I am playing whack-a-mole most of the time.


I was asked to review a discussion thread on dslreports today: a report complaining about malware incidents on the www.wfaa.com web site, the typical Winfixer-via-hostile-banner-advertisement carry-on.


Cite: http://www.dslreports.com/forum/r18551684-Another-WinFixer-infiltrationthis-time-on-wwwwfaacom


So, let’s go have a look.


I can state, conclusively, that the wfaa.com web site *is* exposing its users to fraudware, and Real Media and ValueClick are both implicated.


Proof: Fiddler was running during an attempted infestation. Some bits and pieces have been stripped from the capture below, as much for the readers’ convenience as for my privacy, but you get the gist…


The powers that be are welcome to the entire capture… you know who you are…


GET /pages/scanner/index.php?aid=alreadyx&lid=intl&ax=1&ex=1&ed=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Referer: http://ads.belointeractive.com/RealMedia/ads/Creatives/OasDefault/NtlZappinadsInc001A-rmn/NtlZappinadas728_061907.swf?clickTAG=http://ads.be
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: www.errorsafe.com
Proxy-Connection: Keep-Alive


HTTP/1.1 302 Found
Via: 1.1 SERVER
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Tue, 26 Jun 2007
Location: http://adfarm.mediaplex.com/ad/ck/52853?aid=alreadyx_rdt&mpt=[CACHEBUSTER]
Content-Type: text/html
Server: Apache
X-Powered-By: PHP/4.4.2
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
Set-Cookie: cnt=**; expires=Thu, 21 Feb 2008 00:13:36 GMT; path=/; domain=.errorsafe.com
Set-Cookie: lng=**; expires=Thu, 21 Feb 2008 00:13:36 GMT; path=/; domain=.errorsafe.com


GET /ad/ck/52853?aid=alreadyx_rdt&mpt=[CACHEBUSTER] HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Referer: http://ads.belointeractive.com/RealMedia/ads/Creatives/OasDefault/NtlZappinadsInc001A-rmn/NtlZappinadas728_061907.swf?clickTAG=http://ads.be
Cookie: svid=**
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Proxy-Connection: Keep-Alive
Host: adfarm.mediaplex.com


HTTP/1.1 302 Moved Temporarily
Via: 1.1 SERVER
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 0
Date: Tue, 26 Jun 2007 00:13:36 GMT
Location: http://pcturbopro.com/.download_now/index.php?p=18&ax=1&ed=2&ex=1&hv=10&j=1&aid=alreadyx_rdt&mpt=[CACHEBUSTER]
Server: Apache-Coyote/1.1
Cache-Control: no-cache

GET /.download_now/index.php?p=18&ax=1&ed=2&ex=1&hv=10&j=1&aid=alreadyx_rdt&mpt=[CACHEBUSTER] HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Referer: http://ads.belointeractive.com/RealMedia/ads/Creatives/OasDefault/NtlZappinadsInc001A-rmn/NtlZappinadas728_061907.swf?clickTAG=http://ads.be
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: pcturbopro.com
Proxy-Connection: Keep-Alive

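The capture above is a chain of 302s: the Real Media ad creative hands the browser to errorsafe.com, which bounces it through a mediaplex click tracker and on to the pcturbopro.com download page. As an added example (not code from the original post), the Python below rebuilds that hop list from a capture in the same request/response layout, checks that each request really follows the Location it was given, and flags hops that land on the two fraudware domains the post names. The capture it parses is a constructed, abbreviated copy of the log above, and the watchlist is an assumption containing only those two domains.

```python
from urllib.parse import urlsplit

# Constructed, abbreviated capture in the shape of the Fiddler log above (request, blank line, response, ...).
CAPTURE = """\
GET /pages/scanner/index.php?aid=alreadyx&lid=intl HTTP/1.1
Referer: http://ads.belointeractive.com/RealMedia/ads/Creatives/OasDefault/NtlZappinadas728_061907.swf
Host: www.errorsafe.com

HTTP/1.1 302 Found
Location: http://adfarm.mediaplex.com/ad/ck/52853?aid=alreadyx_rdt

GET /ad/ck/52853?aid=alreadyx_rdt HTTP/1.1
Host: adfarm.mediaplex.com

HTTP/1.1 302 Moved Temporarily
Location: http://pcturbopro.com/.download_now/index.php?p=18&aid=alreadyx_rdt

GET /.download_now/index.php?p=18&aid=alreadyx_rdt HTTP/1.1
Host: pcturbopro.com
"""
# Assumed watchlist: the hosts the post itself identifies as serving the fraudware pitch.
FRAUDWARE_HOSTS = {"errorsafe.com", "pcturbopro.com"}

def messages(text):
    """Yield (start line, lower-cased header dict) for each blank-line-separated message."""
    for raw in filter(str.strip, text.split("\n\n")):
        first, *rest = raw.strip().splitlines()
        yield first, {k.strip().lower(): v.strip() for k, _, v in (line.partition(":") for line in rest)}

def redirect_chain(text):
    """Rebuild the hop list: the ad creative (Referer), then every URL the browser was sent to."""
    chain, expected = [], None          # expected = Location the next request must match
    for start, hdr in messages(text):
        if start.startswith("HTTP/"):   # response: remember a 3xx Location, nothing else
            if 300 <= int(start.split()[1]) < 400 and "location" in hdr:
                expected = hdr["location"]
            continue
        url = "http://" + hdr.get("host", "") + start.split()[1]  # capture is plain HTTP
        if expected and url != expected:
            raise ValueError(f"{url} does not follow the redirect to {expected}")
        if not chain:
            chain.append(hdr.get("referer", "<no referer>"))
        chain.append(url)
        expected = None
    return chain

def fraudware_hops(chain):
    """Hops whose host is, or sits under, a watchlisted fraudware domain."""
    hosts = [(u, urlsplit(u).hostname or "") for u in chain]
    return [u for u, h in hosts if any(h == w or h.endswith("." + w) for w in FRAUDWARE_HOSTS)]
```

Run `redirect_chain(CAPTURE)` on a real Fiddler export to get the full path from publisher ad tag to payload host, which is the evidence an ad network needs before it will pull a creative.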

6 comments to “Winfixer, real media and valueclick…. the fight continues”

Just Bob

Thanks Sandi.

It seems to me that the only way ValueClick and friends will change their ways will be due to pressure from their customers. Unfortunately their customers aren’t aware of the problem. If you could use some help in this regard, I’m retired now and have time on my hands.



JeanInMontana

Hi Sandi,
Great work as usual. I have a site that I know is using CommissionJunction/ ValueClick links. I can’t prove it but I think at least one had an added payload stopped by my security programs. I fought with the site owner and got that page taken down. But they constantly hide links behind images used as links to “surveys”. They claim to be a mystery shopping site and offer surveys for pay. I have screen shots and page code proving they have the links.

They refuse to acknowledge Commission Junction and ValueClick are the same. I had to back off all communication with them because they threatened to sue me for harassment and slander. LOL I know they could never win, but I can’t afford to defend myself either. If you want to have a look at them or my screenshots, just let me know.
Jean



sandi

@Jean,

If you want to send me the information I’m more than happy to take them on :o) They won’t get anywhere with me with regards to threats of harassment and slander. 1) I’ve got 20 years in the legal industry under my belt so know what’s what and am not easily scared by such threats; and 2) As the saying goes, “just the facts, Ma’am” – you can’t be sued for publicising fact – threats re slander don’t work unless what you’re saying is not true, or within the bounds of reasonable possibility.

@Just Bob

If you’re based in the USA there won’t be much you can do because these guys are clever enough to use IP addresses to restrict the chances of their activities being discovered on US soil.

If you do happen to come across a site that does trigger an exploit for you, use Microsoft Network Monitor or Fiddler to capture proof, send it to me and I’ll get the publicity going.

But, if you can send me information that you find about complaints so that I can investigate, that would be great.



Jean Dahl

I’m sorry for not getting back to this sooner. I haven’t said anything that isn’t true. I have screen shots of their pages to prove what I’m saying is true. No one seems to be able to find a malicious link, but that doesn’t mean they weren’t there when I became aware something was weird, or that they won’t come back.



sandi

Hi Jean,

If you could send me what you’ve got including the screenshots and URLs I can start investigating :o)



Alex

Does this mean that my Real Player and associated programs are spying on me and making my private information available to others?
If that is the case, I will get rid of Real Player.

