Malware Being Distributed via MSN Messenger Banner Advertisements

Via spywaresucks blog -

The malware commonly known as Winfixer aka Errorsafe is being distributed via MSN Messenger banner advertisements. This has been reported to secure@microsoft.com and they and the MSN ads team are investigating.

I was originally warned that this is happening by none other than Patchou of Messenger Plus! fame on Thursday 15 Feb 2007 at 7:33:00 am Perth time. I received a second report from Johan Brune that confirmed what is happening at 11.56am Perth time, 18 February (about 3 and a half hours ago) and I have now been able to reproduce the problem on my own machine. It says a lot for Patchou's integrity that he was willing to write to me and warn me about this problem despite our history. I have been extremely critical of him and his Sponsor Program in the past and have said some very nasty things at times, yet despite all that we have been able to maintain an open dialogue which has borne important fruit - Patchou was the first person to report the winfixer infiltration to me.

Brief warnings appeared on www.mess.be and at Neowin (http://www.neowin.net/index.php?act=view&id=38176) after Patchou got in touch and while I was still investigating and trying to confirm the problems, but they contain little in the way of screenshots or detailed information. Also, the articles report that the Free PC-Secure banners trigger dialogue windows, which is not my experience, or the experience of anybody that I have contacted to duplicate my tests and verify the problems.

So far I have seen two ways that the bad guys are using to try and get Winfixer on to a machine via MSN Messenger banner advertisements - one involved a pop-up alert that appeared with no user interaction - the other needs the user to click on the banner advertisement and visit a Web page, then manually download an installer.