Microsoft lifts lid on Messenger 'scareware'

Microsoft said it moved quickly to remove a banner advertisement that appeared on its instant-messaging program for a software application that falsely hypes security threats on a user's computer.


Microsoft said it moved quickly to remove a banner advertisement that appeared on its instant-messaging program for a software application that falsely hypes security threats on a user's computer.

"We immediately investigated the reports and removed the offending ads, as this is a violation of our ad-serving policy," said Microsoft spokeswoman Whitney Burk.

Last week, computer security analysts noticed two advertisements for Winfixer - a self-described security program that also goes by the name ErrorSafe - on Windows Live Messenger.

Security companies have labelled it as a "potentially unwanted program". They believe the program falsely alerts users to problems with their computer and encourages them to purchase the application. It falls into an informally named category of program called "scareware", whose creators try to bully users into downloading their program or face problems with their computer.

Microsoft, which called Winfixer "malware", did not provide details of how the ads appeared. However, the CDT(Center for Democracy and Technology), a civil liberties and consumer group in Washington, DC, has investigated how questionable ads promoting spyware and other malicious software have appeared on ad networks.

The incident highlights how even a well-resourced company such as Microsoft can be vulnerable to the vagaries of complex associations of internet-advertising networks.

"There are often a host of parties involved in the advertising chain, making it difficult to track the journey an advertisement takes from its original source to a user's computer," according to a CDT report released last year.

It's extremely hard to police advertisements, as the organisations which supply them could suddenly substitute new ones, said Graham Cluley, senior technology consultant for security firm Sophos.

"There remains a risk that advertisements may be vetted and approved when first placed with an advertising network only to be later 'updated' to advertise less savoury products," Cluley said. "This isn't just a problem for Microsoft, it's a problem for any company which is delivering advertisements to its userbase."

The Winfixer incident sparks concerns over end-user security and could be especially important for Microsoft. The company seeks to use advertising to subsidise the cost for free services such as Windows Live Mail, formerly Hotmail, and other web-based services it's using to compete with online offerings from Google.

"For years I have been holding up MSN Messenger banner advertisements as an example of how advertisements can be safely served up to end users without putting them at risk of malware," wrote Sandi Hardmeier, a Microsoft Most Valued Professional and specialist in Internet Explorer, on her blog. "Now, everything has changed. This simply shouldn't have happened."

Winfixer, which sells for around $39.95, has a shady history, experts say. It's a persistent program, constantly popping up on newly created domains under various aliases, including ErrorSafe, WinAntiVirus and DriveCleaner, said Chris Boyd, security research manager for FaceTime.

The changing names and versions are hard to keep up with for security analysts, let alone for ad network managers who may have no idea of the true nature of the program, Boyd said.

"The suspicions are that it [Winfixer] is a quite sophisticated operation," Boyd said.

At one time, Winfixer was one of several bad programs installed in a bundle by hackers on vulnerable machines, wrote Ben Edelman, a malware researcher and doctoral candidate at Harvard University, on his website.

The hackers exploited the WMF (Windows Metafile) problem, a particularly dangerous security hole that appeared in December 2005 and prompted Microsoft to hurriedly issue an off-schedule patch.

As always, users should be careful. "The responsibility ultimately falls on the users to be wary of advertisements which may be selling inappropriate or potentially damaging - to data or finances - goods," Cluley said.

"Recommended For You"

Browser holes worse than thought Apple quietly suggests antivirus needed for Macs