My regular readers will remember my various articles about the Winfixer infiltration of the AOL and MSN advertising networks that happened not long ago. Winfixer infiltration of Web site advertising (as well as forum and comment spam) continues to be problematic, and one name that keeps on popping up over and over again is adfarm.mediaplex.com (Mediaplex is owned by ValueClick). The problem seems to be so endemic that any web site, forum or Web comment that utilises links that redirect to adfarm.mediaplex.com is potentially placing its visitors at risk of a Winfixer infection.
Over the past couple of months I have had in-person and telephone conferences with representatives and technical staff at MSN and AOL as a direct result of the Winfixer infiltrations of various advertising networks. They have learned a lot from the events of the past few months, as have I. I don't think any of us realised how widespread the problem was, or just how sophisticated the bad guys were getting, until we started taking a close look.
Mike Burgess and I have been having a close look at adfarm.mediaplex.com. I have tried to contact ValueClick regarding the adfarm.mediaplex.com problems using their “contact us” page on their Web site, but as yet have received no response (and those of you that know me well know that a failure to respond is sure to intensify the attention that I pay to a problem advertisement network). I will be contacting them directly via an email address given to me by an associate as soon as this article goes live, and will report on their responses, if any.
Edit 26 April: There has been no response from ValueClick
Edit 27 April: ValueClick have responded to advise they are investigating
Edit 8 May: ValueClick report that they are still investigating
Why is Winfixer bad?
The Winfixer group of products is listed as a “Rogue Security Product” in the latest Microsoft Security Response Report. The Microsoft Security Intelligence Report can be downloaded here:
http://download.microsoft.com/download/f/d/a/fda5850e-269f-40a3-9708-c60eb837456f/MS_Security_Report_Jul-Dec06.pdf
Microsoft’s definition of “Rogue Security Products” is:
“These products appear under a variety of names and produce a variety of results for the end user, ranging from limited or no detection capability, coupled with a fraudulent request to pay for a “full” version, to outright malicious behavior, such as installing malicious software without the user’s consent in order to give the product something to detect. In many cases, the people behind such software would attempt to get the infected individual to pay them for removal of purported infections using fraud and social engineering.”
A worrying statistic from the Rogue Security Products table that specifically mentions Winfixer products is that 55% of users who have WinSoftware.WinAntiVirus installed, and 31.3% of users who have WinSoftware.WinAntiSpyware installed chose to *ignore* the detection, with only 30.6% and 37.6% respectively choosing to remove the software. I can only assume that the victims of these products are choosing to believe that the various Winfixer offerings are legitimate products instead of heeding the warning being given by Windows Defender.
In contrast, 75.7% of Windows Defender users choose to remove the “potentially unwanted software” C2.LOP (aka C2Media, aka Circle Distribution, and the software commonly known as the Messenger Plus! Sponsor Program).
Now, all of us are entitled to earn an income, all of us are entitled to advertise, and companies such as Mediaplex and ValueClick are entitled to offer a service to advertisers. BUT, I believe that a line is crossed when deceit is practised – when the advertisers that Mediaplex and ValueClick are "enabling" via their services try to automatically download and install their product onto your system (thank heaven for IE’s info bar that stops such things from happening automatically), when an advertisement tries to trick you into thinking that your computer system is having issues or that your privacy is at risk, or when the software being touted falsely reports infections where none exist – companies such as ValueClick and Mediaplex should run, screaming, from such clients. Slowly but surely I'm seeing a move towards forcing advertisers, and those who use their services, to ensure that those they associate and do business with are ethical and above board, as distinct from just making sure that their own actions are OK. In short, saying "but it wasn't me" and "but I didn't know" isn't the end-of-responsibility argument that it used to be.
Winfixer prevalence
Just how pervasive is the spamming, pimping and touting of Winfixer domains? How many adverts are out there pushing people to such sites, and how many potential infectees are there? Well, let’s have a look at the Alexa Traffic Ranking of various Winfixer sites:
Drivecleaner.com:
http://www.alexa.com/data/details/traffic_details?url=www.drivecleaner.com
(ranking 587) (570 on 26 April)
Systemdoctor.com:
http://www.alexa.com/data/details/traffic_details?url=www.systemdoctor.com
(ranking 966) (929 on 26 April)
Errorsafe:
http://www.alexa.com/data/details/traffic_details?url=www.errorsafe.com
(ranking 1,001) (990 on 26 April)
Winantivirus:
http://www.alexa.com/data/details/traffic_details?url=www.winantivirus.com
(ranking 1,630) (1,574 on 26 April)
Winantispyware:
http://www.alexa.com/data/details/traffic_details?url=www.winantispyware.com
(ranking 4,793) (4,539 on 26 April)
Errorprotector.com:
http://www.alexa.com/data/details/traffic_details?url=www.errorprotector.com
(ranking 7,636) (6,966 on 26 April)
Gomyron.com:
http://www.alexa.com/data/details/traffic_details?url=www.gomyron.com
(ranking 214,212) (197,535 on 26 April)
By way of comparison with legitimate security products, mcafee.com has a ranking of 932 (954 on 26 April), symantec.com has a ranking of 218 (222 on 26 April), ca.com has a ranking of 3,148 (3,262 on 26 April) and trendmicro.com has a ranking of 2,335 (2,361 on 26 April).
How is ValueClick involved in the spread of Winfixer?
ValueClick owns Mediaplex, and Mediaplex is an oft-spotted contributor to the spread of Winfixer malware.
Just some of the adfarm.mediaplex.com URLs that redirect to Winfixer and Winfixer-like sites include:
hxxp://go.errorsafe.com/MTUwNzE=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45684?mpt=1177402585&aid=swp_ers&lid=5590&affid=pp_841427153&p=ers&ax=1&ed=1&ex=1
hxxp://go.winantivirus.com/NTIzMw==/2/3224/ax=1/ex=1//
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45678?mpt=1177404112&aid=swp_wa7p&lid=3224&affid=pp_2131627152&ax=1&ex=1
hxxp://go.winantispyware.com/MTUwNjU=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45682?mpt=1177473791&aid=swp_was7&lid=5590&affid=pp_117727353&p=was&ax=1&ed=1&ex=1
hxxp://go.winantispyware.com/NTY2Mg==/2/3345/ax=1/ed=1/ex=1/af6/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45682?mpt=1177485361&aid=swp_was7&lid=3345&affid=pp_669127382&p=was&ed=1&ex=1
hxxp://go.privacyprotector.com/MTUwNjc=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/49988?mpt=1177473894&aid=swp_pp&lid=5590&affid=pp_181027351&ax=1&ed=1&ex=1
hxxp://go.winantivirus.com/MTUwNjg=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45678?mpt=1177474037&aid=swp_wa7p&lid=5590&affid=pp_271427354&ax=1&ed=1&ex=1
hxxp://go.drivecleaner.com/MTUwNjk=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45688?mpt=1177474361&aid=swp_dc&lid=5590&affid=pp_469727351&ax=1&ed=1&ex=1
hxxp://go.errorprotector.com/MTUwNzA=/2/5590/ctx=1/in=1/epp=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/49487?mpt=1177474589&aid=swp_erp&lid=5590&affid=pp_619327354&ctx=1&in=1&epp=1
hxxp://go.systemdoctor.com/MTUwNzI=/2/5590/ax=1/ed=1/ex=1/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/45686?mpt=1177474773&aid=swp_sdr&lid=5590&affid=pp_737127354&ax=1&ed=1&ex=1
hxxp://gomyron.com/MTUwNzM=/2/5590/555/
redirects to:
hxxp://adfarm.mediaplex.com/ad/ck/7412-39608-16292-6?mpt=1177475141&aid=swp_ron&lid=5590&affid=pp_944227352&
Mike Burgess writes about hard-core adult sites with images of underage boys that use adfarm.mediaplex.com content:
http://msmvps.com/blogs/hostsnews/archive/2007/04/22/more-on-Winfixer-and-valueclick.aspx
He also writes about false claims of TRUSTe certification (again with adfarm.mediaplex.com content):
hxxps://secure.drivecleaner.com/payment/?ad=keyin&link=keyin&site=169&product=452&aff=
<body onload="setSelected()">
<IMG SRC="hxxps://adfarm.mediaplex.com/ad/bk/7412-39614-2054-1?Get=1&mpuid=" BORDER=0 HEIGHT=1 WIDTH=1>
<IMG SRC="hxxps://adfarm.mediaplex.com/ad/bk/7390-42400-2054-1?1-PaypageEntrance=1&mpuid=" BORDER=0 HEIGHT=1 WIDTH=1>
The above is exactly the same code as is displayed here:
http://msmvps.com/blogs/hostsnews/archive/2007/04/23/Winfixer-and-valueclick-in-the-uk.aspx
Then there is this report by Mike:
http://msmvps.com/blogs/hostsnews/archive/2007/04/20/are-advertisers-promoting-malware.aspx
And this:
http://msmvps.com/blogs/hostsnews/archive/2007/04/21/more-on-Winfixer.aspx
My sincere hope is that Mediaplex and ValueClick come to the attention of the FTC, and that the FTC takes action, if Mediaplex and ValueClick do not take comprehensive action to clean up their service and make sure that the problems discussed here do not recur.
Do ValueClick enforce their antispam policy?
ValueClick says:
“It is our policy to prohibit the sending of unsolicited or "Spam" e-mail by ValueClick or any of its marketing partners.” (cite: http://www.valueclick.com/privacy.html)
Hundreds of spam messages have been posted on various forums in contravention of the above policy:
http://www.google.com/search?q=drivecleaner.com&hl=en&safe=off&start=40&sa=N$
http://www.google.com/search?q=go.sexprofit.com&hl=en&safe=off&start=10&sa=N
A typical spam post can be found here:
http://www.splinecage.com/forums/archive/index.php/t-1550.html
Every single one of the links in that forum post routes through adfarm.mediaplex.com.
My own blog is being hit by hundreds of spam comments every week – in fact, I have 2095 comments awaiting my attention right at this very moment, all of which are marked as spam, and 99% of which are submitted by a very prolific “author” under the pseudonym “…” (yes, I know, the author is a bot – I’m being facetious).
Anyway, all of the comments submitted by author “…” use a myriad of different URLs as the author’s Web site, virtually all of which redirect to Winfixer sites via adfarm.mediaplex.com. Yes, I could list all of the URLs that I am seeing in my blog comments, and provide definitive proof of adfarm.mediaplex.com involvement, but I think this article will prove beyond a doubt that there is a big problem at Mediaplex even without those specifics.
To give you an idea of just how endemic the use of adfarm.mediaplex.com as a conduit for Winfixer malware is, check out the list of adfarm.mediaplex.com URLs below, all of which redirected to Winfixer, Winfixer-related or Winfixer-type sites at the time of testing. As I worked my way through the various adfarm.mediaplex.com URLs by changing (for example) 45678 to 45679, then 45680, and so on, I noticed that I was hitting very few “legitimate” Web sites, which is very worrying and makes me wonder just how widespread the Winfixer infiltration at ValueClick is. I suspect that if I kept checking and testing I could continue to add to that list, but let's be honest, I'm already at the stage where I am thinking "enough already - I get it - there's a big problem here".
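For anyone moderating a forum or blog, or reviewing web logs, the two things worth checking are exactly what the redirect pairs above and the comment-spam author URLs have in common: a hop through the adfarm.mediaplex.com click tracker (with its aid, lid and affid campaign identifiers) and a hop on one of the Winfixer-family domains. The following is an added example of that check, not code from this post or from ValueClick/Mediaplex; the domain list is the one named in this article, and the sample chains are constructed (the first copies the errorsafe pair above, the second is a made-up benign chain).

```python
# Added example: classify captured redirect chains that pass through the
# adfarm.mediaplex.com click tracker and/or touch a Winfixer-family domain.
# Not the original post's code; domain list and samples are illustrative only.
from urllib.parse import urlparse, parse_qs

CLICK_TRACKER = "adfarm.mediaplex.com"
# Winfixer-family domains named in the article (constructed list, not exhaustive).
WINFIXER_DOMAINS = {
    "drivecleaner.com", "systemdoctor.com", "errorsafe.com", "winantivirus.com",
    "winantispyware.com", "errorprotector.com", "gomyron.com", "privacyprotector.com",
}

def refang(url):
    """Turn the report-style 'hxxp://' / 'hxxps://' back into a parsable scheme."""
    return "http" + url[4:] if url.lower().startswith("hxxp") else url

def base_domain(host):
    """Reduce e.g. 'go.winantivirus.com' to 'winantivirus.com' (last two labels)."""
    return ".".join(host.lower().split(".")[-2:])

def tracker_params(url):
    """Extract the campaign identifiers from an adfarm click URL, else None."""
    u = urlparse(refang(url))
    if u.hostname != CLICK_TRACKER or not u.path.startswith("/ad/ck/"):
        return None
    q = parse_qs(u.query)
    return {"ad_id": u.path.split("/")[3],       # e.g. 45684 or 7412-39608-16292-6
            "aid": q.get("aid", [""])[0],        # campaign id, e.g. swp_ers
            "lid": q.get("lid", [""])[0],        # link id, e.g. 5590
            "affid": q.get("affid", [""])[0]}    # affiliate id, e.g. pp_841427153

def classify_chain(chain):
    """Verdict for a list of hops in redirect order, plus tracker params if any."""
    params = next((p for p in map(tracker_params, chain) if p), None)
    hosts = (urlparse(refang(h)).hostname or "" for h in chain)
    hits_winfixer = any(base_domain(h) in WINFIXER_DOMAINS for h in hosts)
    if hits_winfixer:
        return ("winfixer-via-mediaplex" if params else "winfixer-direct"), params
    return ("mediaplex-other" if params else "clean"), params

# Constructed sample chains: the first copies the article's errorsafe pair,
# the second is a made-up benign chain for contrast.
SAMPLE_CHAINS = {
    "errorsafe": ["hxxp://go.errorsafe.com/MTUwNzE=/2/5590/ax=1/ed=1/ex=1/555/",
                  "hxxp://adfarm.mediaplex.com/ad/ck/45684?mpt=1177402585&aid=swp_ers"
                  "&lid=5590&affid=pp_841427153&p=ers&ax=1&ed=1&ex=1"],
    "benign": ["http://blog.example/post", "http://www.example.net/"],
}

if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        print(name, *classify_chain(chain))
```

The returned params (ad_id, aid, lid, affid) are what you would quote when reporting a chain to the network, since they identify the campaign and affiliate rather than just the landing domain.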
I have already tried the "Contact Us" facility at http://www.valueclick.com/about/contact.html and received NO RESPONSE - not even an acknowledgement that my approach had been received, despite my including this URL - hell, if potential underage porn doesn't get their attention, what the hell will???
http://msmvps.com/blogs/spywaresucks/archive/2007/04/22/857830.aspx
It will be very interesting to see what reaction, if any, we get from Mediaplex and ValueClick when they see this article. You see, they need to do more than get rid of the rogue content that is already there; they have to stop future occurrences and reassure everybody who uses their content that Mediaplex and ValueClick can be trusted to stay clean going forward, but here is the kicker… will they want to, especially if Winfixer and Winfixer type clients are a major part of any sector of their income stream?