Microsoft a Victim of Shady Scareware

Microsoft said it moved quickly to remove a banner advertisement that appeared on its instant-messaging program for a software application that falsely hypes security threats on a user’s computer.

“We immediately investigated the reports and removed the offending ads, as this is a violation of our ad-serving policy,” wrote Microsoft spokeswoman Whitney Burk in an e-mail Tuesday.

Last week, computer security analysts noticed two advertisements for Winfixer—a self-described security program that also goes by the name ErrorSafe—on Windows Live Messenger.

Security companies have labeled it as a “potentially unwanted program.” They believe the program falsely alerts users to problems with their computer and encourages them to purchase the application. It falls into an informally named category of program called “scareware,” whose creators try to bully users into downloading their program or face problems with their computer.

Microsoft, which called Winfixer “malware,” did not detail how the ads appeared. However, the Center for Democracy and Technology (CDT), a civil liberties and consumer group in Washington, D.C., has investigated how questionable ads promoting spyware and other malicious software have appeared on ad networks.

The incident highlights how even a well-resourced company such as Microsoft can be vulnerable to the vagaries of complex associations of Internet advertising networks.

“There are often a host of parties involved in the advertising chain, making it difficult to track the journey an advertisement takes from its original source to a user’s computer,” according to a CDT report released last year.

It’s extremely hard to police advertisements, as the organizations that supply them could suddenly substitute new ones, said Graham Cluley, senior technology consultant for Sophos, a security software company.

“There remains a risk that advertisements may be vetted and approved when first placed with an advertising network only to be later ‘updated’ to advertise less savory products,” Cluley said. “This isn’t just a problem for Microsoft; it’s a problem for any company which is delivering advertisements to its user base.”

The U.S. Federal Trade Commission (FTC) has undertaken several actions against companies that have created special programs designed to exploit security vulnerabilities in computers, that—like Winfixer—purport to repair the machine.

The Winfixer incident sparks concerns over end-user security and could be especially important for Microsoft. The company seeks to use advertising to subsidize the cost for free services such as Windows Live Mail, formerly Hotmail, and other Web-based services it’s using to compete with online offerings from Google.

“For years I have been holding up MSN Messenger banner advertisements as an example of how advertisements can be safely served up to end users without putting them at risk of malware,” wrote Sandi Hardmeier, a Microsoft Most Valued Professional and specialist in Internet Explorer, on her blog. “Now, everything has changed. This simply shouldn’t have happened.”

Winfixer, which sells for US$39.95, has a shady history, experts say. It’s a persistent program, constantly popping up on newly created domains under various aliases, including ErrorSafe, WinAntiVirus and DriveCleaner, said Chris Boyd, security research manager for FaceTime Communications.

The changing names and versions are hard to keep up with for security analysts, let alone for ad network managers who may have no idea of the true nature of the program, Boyd said.

“The suspicions are that [Winfixer] is a quite sophisticated operation,” Boyd said.

At one time, Winfixer was one of several bad programs installed in a bundle by hackers on vulnerable machines, wrote Ben Edelman, a malware researcher and doctoral candidate at Harvard University, on his website.

The hackers exploited the Windows Metafile problem, a particularly dangerous security hole that appeared in December 2005 and prompted Microsoft to hurriedly issue an off-schedule patch.

As always, users should be careful. “The responsibility ultimately falls on the users to be wary of advertisements which may be selling inappropriate or potentially damaging—to data or finances—goods,” Cluley said.

-Jeremy Kirk, IDG News Service