Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

The dangers of experimenting with online advertising…

July 27th 2007 in Uncategorized

A trackback on my site pointed me to www.eq2flames.com/general-gameplay/8990-seeking-ideas-make-people-less-upset-about-ads-20.html

Now, ever since this blog (and many others) became the target of sustained attempts to seed it with comments pointing to URLs that attempt to infect systems with WinFixer malware, I check trackbacks and comments and delete those that are a risk to visitors. The www.eq2flames.com trackback points to a legitimate site that went through a hell of a time after implementing advertising.

A user’s complaint…

“Ok bud, here is the info on what happened yesterday. I’m using AVG. I was viewing EQ2Flames when the popup blocker stopped a download; at the time I didn’t pay attention to what it was, but immediately after that AVG kicked in and stopped a threat. Going back to the Virus Vault in AVG I see the following:

7/26/2007 5:00:45 PM
Virus Name: Trojan Horse Downloader.Generic4.XDV
File Name: poolsv.exe
Size: 36 KB

Now for the fun part: when I logged in just 5 mins ago and went to send you this PM, the screen loaded and IE blocked another pop-up. This time the pop-up blocker frame said the following:

“This website wants to run the following add-on: ‘Microsoft Data Access – Remote Data Services Dat…’ from ‘Microsoft Corporation’. If you trust the website and the add-on and want to allow it to run, click here…”
After this AVG kicked in and stopped the threat. I then went to AVG virus vault and looked again and this time there were two additions showing the following:

7/27/2007 2:25 PM
Virus Name: Trojan Horse Downloader.Generic4.WTK
File Name: xpre.exe
Size: 59.5 KB

7/27/2007 2:22 PM
Virus Name: Trojan Horse Downloader.Agent.MFJ
File Name: xrun.exe
Size: 64 KB

As soon as I finish typing this I am going to run a full scan and will post up the results.”

What is really scary is the **Site Administrator’s Response** to the comment about MDAC:

“I also got that “download from microsoft” thing yesterday, but the certificate was Microsoft’s, so I allowed it.

It seemed reasonable to me, since I’d reinstalled both browsers based on unrelated browser issues I’m having (oddly – Firefox currently won’t display ads on this site for me no matter what I do, and I can’t find the solution to that, plus my IE browser is bugged from a fricken Comcast toolbar I uninstalled that won’t allow me to switch toolbars now). So I assumed it was Microsoft updating what I’d deleted.

But my full AVG scan of less than an hour ago didn’t reveal a single malware on my comp, so as far as AVG is concerned, I don’t have any malware of any kind on my comp, and yes I updated AVG this morning.

Thanks for checking this out, though.”

Oh dear, oh dear, oh dear, oh dear, oh dear… they approved the MDAC download (a common symptom of a hacked web site, btw, and often used by bad guys to exploit computer systems) because “the certificate was Microsoft’s so I allowed it”??  Those poor guys, I hate to think about what may be on their systems now…

Information about MDAC exploits can be found at these URLs:

http://www.microsoft.com/technet/security/Bulletin/MS07-009.mspx
http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx

Adbrite’s reaction when complaints about winfixer ads were received:

“I’m very sorry to hear that! I just talked to my director. We’re immediately checking the ads and removing any ad that might cause you trouble.

We’re talking right now to our advertisers to find out what the problem is.

I’m very sorry for any inconvenience that might have caused you!!!

All my apologies. I’ll get back to you asap with any updates on the ads.”

Despite Adbrite apparently promising that the ads were gone, the problems continued.  The site’s admin became more and more and more upset, with messages sent to the advertising network like:

“Miriam, I’m very sorry, but your ads have downloaded some very nasty and severe malicious viruses/trojans/malware that has taken over my computer – this is defying even my AVG antivirus software, I may have to reformat my entire computer to get rid of this.

I know you tried, but what your ad software is doing to my site is worse than the very worst porn/warez site I’ve ever seen – I’ve never seen anything like this and must remove your code immediately to protect my site and users.”

And then, sadly, the Admin reports *about his own computer* (although it is not surprising considering he allowed the MDAC control to load when it appeared in a pop-up window):

“This is worse than the very worst porn / warez site I’ve ever seen – I’m running three different cleaning programs, and getting over 5000 malicious files downloaded since this morning.

Jesus Christ, I hope Niber can delete this shit asap, I don’t know how to myself.”

The site admin’s “Privacy Protector” software screenshot shows 3,419 malware entries found, and 3,414 entries repaired. The screenshot looks like Uniblue’s SpeedUpMyPC software, not the like-named Winfixer crud.

The admin also says:

“Jesus people I’m really really sorry, Niber is deleting the ad code from our site right now, I’ll try another advertiser later tonight.

We can’t allow the current one to continue for another minute.

I’m shocked, the one that allowed all this bullshit to slip through with its ads is ADXDirect, one of the leading ad companies on the Internet.

I’ve never seen anything like this, had to uninstall Firefox and reset IE back to manufacturer specs – I’m not sure if I need to wipe and reinstall my hard drive, even AVG isn’t getting rid of this shit.”

The advertising code had already been removed from eq2flames by the time I saw the trackback and went to have a look at the eq2flames.com site (white panels remain where the advertising used to be displayed, and a check using Fiddler shows no sign of advertising activity), so I don’t have a trace to show exactly where the adverts were coming from.
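The Fiddler check above looks for leftover ad code at the network level. The same question can be asked of the page’s HTML: which hosts, other than the site’s own, does it still pull scripts, frames or images from? The script below is an added example written for this post, not code from the original post or from eq2flames. The page fragment and the hostnames in it (example-forum.test, adnetwork-placeholder.test) are constructed placeholders, and the allowlist of first-party hosts is an assumed input.

```python
"""Flag third-party resources that a page still pulls in, e.g. leftover ad code."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and the attributes through which a page loads remote content.
REMOTE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "link": ("href",),
}


def is_first_party(host, allowed_hosts):
    """True if host is one of the allowed hosts or a subdomain of one."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


class ThirdPartyCollector(HTMLParser):
    """Record (tag, host, url) for every remote resource on a non-allowed host."""

    def __init__(self, first_party_hosts):
        super().__init__()
        self.allowed = [h.lower() for h in first_party_hosts]
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = REMOTE_ATTRS.get(tag)
        if not wanted:
            return
        attr_map = dict(attrs)
        for name in wanted:
            url = attr_map.get(name)
            if not url:
                continue
            # urlparse also resolves protocol-relative URLs such as //ads.example/x.js
            host = urlparse(url).hostname
            if host is None:  # relative URL: served from the page's own origin
                continue
            if not is_first_party(host, self.allowed):
                self.findings.append((tag, host.lower(), url))


def find_third_party(html, first_party_hosts):
    """Parse html and return the list of (tag, host, url) third-party loads."""
    parser = ThirdPartyCollector(first_party_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


def third_party_hosts(html, first_party_hosts):
    """Sorted, de-duplicated hostnames the page loads content from."""
    return sorted({host for _, host, _ in find_third_party(html, first_party_hosts)})


# Constructed sample page; the hostnames are placeholders, not real sites.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/style.css">
<script src="/js/forum.js"></script>
<script src="http://static.example-forum.test/js/menu.js"></script>
</head><body>
<div class="ad"><script src="//ads.adnetwork-placeholder.test/serve.js"></script></div>
<iframe src="http://banner.adnetwork-placeholder.test/frame?zone=12"></iframe>
<img src="/images/logo.png" />
</body></html>
"""

if __name__ == "__main__":
    # Assumed allowlist: the site's own domain and its subdomains.
    for tag, host, url in find_third_party(SAMPLE_PAGE, ["example-forum.test"]):
        print(f"{tag:7} {host:40} {url}")
```

Run against a fetched copy of a page, the only hosts that should appear are ones the site operator deliberately included (a CDN, an analytics provider); anything else is a candidate for removal. This static pass complements a Fiddler-style capture rather than replacing it, because an ad script that is still present will itself load further hosts at run time that never appear in the HTML.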

The admin then goes on to say:

“Ok, the ad code is removed, there is no possibility of this reoccurring.

To remove all this bullshit from my comp, I had to:

-uninstall Firefox
-reinstall IE 7
-Run the MS malicious software tool
-Update IE 7 from Windows Update
-Run AVG + 2 other virus/malware apps – got over 5k bad files total
-reinstall Firefox

Got rid of it all, now running normally.

Again, we’ve removed that advertiser’s ad code. In the future, I’m pursuing a zero tolerance policy with this shit. Any malware downloaded = that advertiser is gone.”

So, in short, the supplier of the advertising did not clean up its act, and eq2flames was forced to remove the advertising completely. What an amazing amount of grief to go through, all because the site owner wanted to earn some money to help cover the costs of running his web site. The sad thing is that who knows how many other sites are being served the same dangerous advertisements, and they will continue to be served those advertisements unless and until they complain.


2 comments to...
“The dangers of experimenting with online advertising…”

Jon

What the hell are the feds doing while these hackers are going to town with all these viruses and malwares they’re creating??

There should be a federal computer crimes task force. And if I were in charge… I’d make it so these criminals MUST REPAIR ALL THE MACHINES THEIR MALWARE HAS CAUSED. If they cannot, they must BUY a new computer for all those affected. If they cannot, they must work off the cost of the damaged computers, plus do 1 year in prison FOR EVERY COMPUTER DAMAGED… e.g. 10 computers = 10 years behind bars, and so on.



Anton

“What the hell are the feds doing while these hackers are going to town with all these viruses and malwares they’re creating??”

Ha! The feds are now concerned about working for the corporations who pay for the electoral campaigns of the elected officials! They don’t give a shit about you or me or any citizen around! They are just concerned about doing the deeds of the corrupting corporations, not even from the USA!

You want some examples? Vivendi Universal (France), Sony/BMG (Japan/Germany), EMI (England), Time Warner (Canada), all members of the infamous RIAA.

To solve the malware problem we have to first put all these corps out of business and retake our government!

