A trackback on my site pointed me to www.eq2flames.com/general-gameplay/8990-seeking-ideas-make-people-less-upset-about-ads-20.html
Now, ever since this blog (and many others) became the target of sustained attempts to seed the blog with comments pointing to URLs that attempt to infect systems with winfixer malware, I check trackbacks and comments and delete those that are a risk to visitors. The www.eq2flames.com trackback points to a legitimate site that went through a hell of a time after implementing advertising.
A user's complaint...
"Ok bud, here is the info on what happened yesterday. Im using AVG. Was viewing EQ2Flames when the popup blocker stopped a download, at the time I didn't pay attention to what it was but immeditatly after that AVG kicked in and stopped a threat. Going back to the Virus Vault in AVG I see the following:
7/26/2007 5:00:45 PM
Virus Name: Trojan Horse Downloader.Generic4.XDV
File Name: poolsv.exe
Size: 36 KB
Now for the fun part, when I logged into just 5 mins ago and went to send you this PM, screen loaded and IE blocked another pop-up. This time the pop-up blocker frame said the following:
"This website wants to run the following add-on: 'Microsoft Data Access - Remote Data Services Dat...' from 'Microsoft Corporation'. If you trust the website and the add-on and want to allow it to run, click here..."
After this AVG kicked in and stopped the threat. I then went to AVG virus vault and looked again and this time there were two additions showing the following:
7/27/2007 225 PM
Virus Name: Trojan Horse Downloader.Generic4.WTK
File Name: xpre.exe
Size: 59.5 KB
7/27/2007 222 PM
Virus Name: Trojan Horse Downloader.Agent.MFJ
File Name: xrun.exe
Size: 64 KB
As soon as I finish typing this I am going to run a full scan and will post up the results."
What is really scary is the **Site Administrator's Response** to the comment about MDAC:
"I also got that "download from microsoft" thing yesterday, but the certificate was Microsoft's, so I allowed it.
It seemed reasonable to me, since I'd reinstalled both browsers based on unrelated browser issues I'm having (oddly - firefox currently won't display ads on this site for me no matter what I do, and I can't find the solution to that, plus my IE browser is bugged from a fricken Comcast toolbar I uninstalled that won't allow me to switch toolbars now). So i assumed it was Microsoft updating what I'd deleted.
But my full AVG scan of less than an hour ago didn't reveal a single malware on my comp, so as far as AVG is concerned, I don't have any malware of any kind on my comp, and yes I updated AVG this morning.
Thanks for checking this out, though."
Oh dear, oh dear, oh dear, oh dear, oh dear... they approved the MDAC download (a common symptom of a hacked web site, btw, and often used by bad guys to exploit computer systems) because "the certificate was Microsoft's so I allowed it"?? Those poor guys, I hate to think about what may be on their systems now...
Information about MDAC exploits can be found at these URLs:
http://www.microsoft.com/technet/security/Bulletin/MS07-009.mspx
http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx
Adbrite's reaction when complaints about winfixer ads were received:
"I’m very sorry to hear that! I just talked to my director. We’re immediately checking the ads and remove any ad that might cause you trouble.
We’re talking right now to our advertisers to find out what the problem is.
I’m very sorry for any inconvenience that might have caused you!!!
All my apologies. I’ll get back to you asap with any updates on the ads."
Despite Adbrite apparently promising that the ads were gone, the problems continued. The site's admin became more and more and more upset, with messages sent to the advertising network like:
"Miriam, I'm very sorry, but your ads have downloaded some very nasty and severe malicious viruses/trojans/malware that has taken over my computer - this is defying even my AVG antivirus software, I may have to reformat my entire computer to get rid of this.
I know you tried, but what your ad software is doing to my site is worse than the very worst porn/warez site I've ever seen - I've never seen anything like this and must remove your code immediately to protect my site and users."
And then, sadly, the Admin reports *about his own computer* (although it is not surprising considering he allowed the MDAC control to load when it appeared in a pop-up window):
"This is worse than the very worst porn / warez site I've ever seen - I'm running three different cleaning programs, and getting over 5000 malicious files downloaded since this morning.
Jesus Christ, I hope Niber can delete this *** asap, I don't know how to myself."
The site admin's "Privacy Protector" software screenshot shows 3,419 malware entries found, and 3,414 entries repaired. The screenshot looks like Uniblue's SpeedUpMyPC software, not the likenamed Winfixer crud.
The admin also says:
"Jesus people I'm really really sorry, Niber is deleting the ad code from our site right now, I'll try another advertiser later tonight.
We can't allow the current one to continue for another minute.
I'm shocked, the one that allowed all this bullshit to slip through with it's ads is ADXDirect, one of the leading ad companies on the Internet.
I've never seen anything like this, had to uninstall firefox and reset IE back to manufacturer specs - I'm not sure if I need to wipe and reinstall my harddrive, even AVG isn't getting rid of this ***."
The advertising code had been removed from eq2flames by the time I saw the trackback and went to have a look at the eq2flames.com site (although white panels remain where the advertising used to be displayed - a check using Fiddler shows no sign of advertising activity) so I don't have a trace to show exactly where the adverts are coming from.
The admin then goes on to say:
"Ok, the ad code is removed, there is no possiblity of this reoccuring.
To remove all this bullshit from my comp, I had to:
-uninstall Firefox
-reinstall IE 7
-Run the MS malicious software tool
-Update IE 7 from Windows Update
-Run AVG + 2 other virus/malware apps - got over 5k bad files total
-reinstall Firefox
Got rid of it all, now running normally.
Again, we've removed that advertisers ad code. In the future, I'm pursuing a zero tolerance policy with this ***. Any malware downloaded = that advertiser is gone."
So, in short, the supplier of the advertising did not clean up its act - eq2flames were forced to remove the advertising completely. What an amazing amount of grief to go through, all because the site owner wanted to earn some money to try and support the costs of running his web site - and the sad thing is, there are who knows how many other sites being served the same dangerous advertisements, and will continue to be served those advertisements unless and until they complain.