Part of this article may fall to the bottom of screen on smaller displays - scroll down if this happens to you.
Edit: I should point out that MSN Messenger's proper name is now Windows Live Messenger.
Pushers of the malware known as winfixer managed to infiltrated a provider of advertising content for MSN banner ads. The dangerous ads appeared in the Windows Live Messenger contact pane, as well as in banner ads on groups.msn.com. The incidents were reported to secure@microsoft.com and they and the MSN ads team investigated and removed the ads.
Microsoft have issued an official statement as follows:
"Microsoft was notified of malware that was being served through ads placed in Windows Live Messenger banners. As a result of this notification we immediately investigated the reports and removed the offending ads, as this is a violation of our ad serving policy. We can confirm that the ads are no longer being served by any Microsoft system. We apologize for the inconvenience and are reviewing our ad approval process to reduce the chance of an occurrence such as this happening again. To help customers protect their PCs from malware threats, Microsoft recommends customers follow our Protect your PC guidance at www.microsoft.com/protect." - Whitney Burk, Microsoft.
I was originally warned that this is happening by none other than Patchou of Messenger Plus! fame on Thursday 15 Feb 2007 at 7:33:00 am Perth time. I received a second report from Johan Brune that confirmed what is happening at 11.56am Perth time, 18 February (about 3 and a half hours ago) and I have now been able to reproduce the problem on my own machine. It says a lot for Patchou's integrity that he was willing to write to me and warn me about this problem despite our history. I have been extremely critical of him and his Sponsor Program in the past and have said some very nasty things at times, yet despite all that we have been able to maintain an open dialogue which has borne important fruit - Patchou was the first person to report the winfixer infiltration to me.
Brief warnings appeared on www.mess.be and at Neowin (http://www.neowin.net/index.php?act=view&id=38176) after Patchou got in touch and while I was still investigating and trying to confirm the problems, but they contain little in the way of screenshots or detailed information. Also, the articles report that the Free PC-Secure banners trigger dialogue windows, which is not my experience, or the experience of anybody that I have contacted to duplicate my tests and verify the problems.
So far I have seen two ways that the bad guys are using to try and get Winfixer on to a machine via MSN Messenger banner advertisements - one involved a pop-up alert that appeared with no user interaction - the other needs the user to click on the banner advertisement and visit a Web page, then manually download an installer.
The most dangerous banner advertisement looked like this screenshot on my system - nothing happens if you try to click on the banner advertisement BUT when the banner advertisement disappears when the ads are rotated, something worse happens.
When the banner advertisement is rotated (or, as in my case, I refresh the banner advertisement in an IE window) the classic Errorsafe pop-up window appears WITH NO USER INTERACTION REQUIRED - note the URL in the addressbar - it is the URL for the banner advertisements that appear in the MSN Messenger contact pane and proves that the advertisement is being served up by rad.msn.com
Screenshot here:
http://msmvps.com/photos/spyware_sucks/images/591117/original.aspx
Do not click on OK or Cancel when you see such windows! I clicked on the red close button to shut the dialogue box and then saw this - a classic winfixer tactic. I strongly recommend that you do NOT click on the OK button:
Screenshot here:
http://msmvps.com/photos/spyware_sucks/images/591121/original.aspx
The second banner advertisement that I have seen and which does not trigger a dialogue box looks like this - the user must click on the banner for anything to happen - further screenshots of the same banner advertisement are at the end of this article:
When the user clicks on the banner advertisement they end up at this Web site:
I downloaded the free PC scanner offered by that Web site and then uploaded it to VirusTotal for scanning - these are the results - WINFIXER again.
This is very bad news for users of MSN Messenger, and for MSN and Microsoft. Those who read my blog regularly know that I have devoted a lot of time to fighting Winfixer, writing about how those behind Winfixer have attempted to infect victims via the Messenger Plus! Sponsor Program (for which Patchou has taken a lot of heat for years, not only from me, but from many other quarters), as well as Activewin and MySpace.
I am struggling to express how upset, and disappointed, and worried, I am that this has happened. For years I have been holding up MSN Messenger banner advertisements as an example of how advertisements can be safely served up to end users without putting them at risk of malware. Now, everything has changed. Users have been put at direct risk through no fault of their own and they can't avoid the MSN banner advertisements when the contact pane is open without using a third party hack that is ethically wrong to use.
This simply shouldn't have happened. The people behind secure@microsoft.com have been extremely responsive and open with me about what they're doing to fight back, and are working on the problem as I write, but experience how shown me that if the bad guys behind winfixer can get in once, they'll continue to do so - they are sneaky, and dishonest, and know every trick in the book to slip in under the radar.
How hard is it to avoid winfixer advertisements once they infiltrate a network? In the end, Circle Distribution (who supply the advertisements for the Messenger Plus! sponsor program) found it necessary to edit their users' HOSTS file to block known Winfixer URLs. Right Media, who supply CiD with their content, and were also reported as being responsible for serving up winfixer advertisements to MySpace users, seem to be unable to stop those behind winfixer from getting in and haven't appreciated my criticism of them now that I have turned my focus away from CiD and Messenger Plus and concentrated my criticisms higher up the advertisement food chain.
I had a brief discussion with Bob of ActiveWin when I was in Las Vegas about the winfixer problems on that site, but do not know what steps they may have taken to protect their visitors. As for MySpace - forget it - just block the site and have done with it.
I'll update this blog via the comments section as information is made public. If history repeats itself, Microsoft and MSN are going to have a hell of a time getting rid of winfixer - the bad guys behind that product are nothing if not persistent. I don't know how the hell they managed to infiltrate the rad.msn.com network, and I am extremely disappointed, and worried, that they have been able to do so. MSN Messenger must have millions of users, all of whom are at risk of infection fromn the malware.
I strongly recommend that all users of MSN Messenger ensure that their antivirus and antispyware applications are up to date. Do not click on any buttons in pop-up windows that you may see, and do not believe Web sites that report that they have found a problem on your computer - seriously, how the hell would they be able to tell?
Do not click on OK or Cancel buttons in the pop-up windows. Close the window using the red x close button.
I also strongly recommend that MSN Messenger users download and install Mike Burgess's HOSTS file to help block winfixer and other bad guys. You can find Mike's famous HOSTS file here:
http://www.mvps.org/winhelp2002/hosts.htm
As I mentioned earlier, there are third party add-ins that remove the advertisement pane from MSN Messenger as mentioned in the Neowin thread. I have always spoken out against such tools when I believed that MSN Messenger advertisements were always safe, but now I have to seriously consider whether I should start recommending them. All will depend on whether MSN and Microsoft are able to successfully block the winfixer malware advertisements from here on in. Patchou has written to me to advise that the anti-ad patches may not work anyway. He says that many of the patches just hide the IE control, it's still running so users will still get the messageboxes and what follows them so if anything it may make the situation even worse, hiding where the pop-ups may be coming from.
MSN Messenger are also advertising screensavers, but they are more traditional adware and don't use dirty tricks like the pop-up windows that winfixer are infamous for. I still recommend that you avoid such free software which invariably comes bundled with foistware such as toolbars and/or adware that generates pop-ups and stuff like that.
Further free PC scanner banner advertisement screenshots...