A particularly convincing nefarious ad

As a researcher with the Microsoft Malware Protection Center (MMPC), I see a lot of digital advertising. Recently I came across a nefarious ad that is so convincing I need to warn you about it.

Below is a mock-up of the ad I saw. I’ve changed the name of the company to Contoso, which is a fictitious company used by Microsoft in examples and documentation:

Figure 1: The nefarious ad

At first glance, the ad seems to follow all of the criteria Microsoft has for clean advertising, as explained in our objective criteria:

  1. Attribution: The ad has attribution; in this example it is attributed to Contoso Ads.
  2. An uninstall entry: If I check the Uninstall or change a program menu in Windows, I can find Contoso listed there.
  3. A close button: The ad has a close button, the grey ‘X’ in the top right corner. This is not to be confused with the red circle next to it, which has no function and is just part of the rest of the ad.

This ad is usually displayed by adware in the bottom left-hand corner of the browser window. However, the same ad could be delivered by other means, for example embedded in a webpage, shown as a standalone pop-up, or something else.

What makes this ad exceptionally nefarious is that when you merely move your mouse over it, without clicking, another ad opens in a new browser tab. Until recently the ad did not even carry the text at the bottom that mentions the “rollover” functionality.

Some examples of this second pop-up ad are shown in figure 2. I have seen a lot of these ads pop up and they all fail to do two things. First, they do not tell you that they are an ad. Second, they do not say which program caused the ad to be shown. The user has no way of knowing that the ad in the new tab would not be there were it not for the program that displays the first ad, in this case Contoso.

Microsoft classifies this behavior as adware, and in this case we would detect and remove Contoso. Some of the examples of the second ad that I have seen look like this:

Figure 2: Some examples of the second ad displayed by this adware (three screenshots: Second ad 1, Second ad 2, Second ad 3)

As for the second ads, they look like real warnings but are not. They are advertisements designed to entice you to download a program, which will in turn offer you still more programs to download. I suggest closing the page.

If you do see this ad, I suggest you keep your mouse well away from it and do not attempt to close it using the close button (the grey ‘X’). Instead, run a scan with an antivirus product such as Microsoft Security Essentials. You should also check whether there is an uninstaller for the program displaying the ad; in the example above there should be an uninstall entry for Contoso in the Uninstall or change a program menu. You might also want to check whether you can disable an add-on entry for it in Internet Explorer (Tools > Manage add-ons).
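The two checks above can be done from a PowerShell prompt instead of clicking through Control Panel and the Manage add-ons dialog. The script below is an added example, not code from the original post or from Microsoft; "Contoso" is the post's fictitious publisher name and the `-Name` parameter is an assumption of this example, so pass whatever name you see in the ad's attribution. It lists matching entries from the registry keys that back the Uninstall or change a program list, then enumerates Internet Explorer Browser Helper Objects, resolves each CLSID to the DLL it loads, and reports whether that DLL carries a valid Authenticode signature, so an unsigned or unfamiliar module stands out even if its display name does not mention the advertiser.

```powershell
# Added example (not part of the original post): check the two places the
# post tells you to look for the program that displays the ad.
# "Contoso" is the post's fictitious publisher; -Name is this example's own
# parameter, so pass the name you actually see in the ad's attribution.
param([string]$Name = 'Contoso')

# 1. "Uninstall or change a program" is built from these registry keys:
#    native installs, 32-bit installs on 64-bit Windows, and per-user installs
#    (adware often installs per-user because that needs no admin prompt).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

Write-Host "Uninstall entries matching '$Name':"
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*$Name*" -or $_.Publisher -like "*$Name*" } |
    Select-Object DisplayName, Publisher, InstallDate, UninstallString, PSPath |
    Format-List

# 2. Internet Explorer add-ons that load into every page are registered as
#    Browser Helper Objects (BHOs), keyed by CLSID under these keys. Each
#    CLSID's InprocServer32 default value is the DLL that gets loaded.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

$bhos = foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem -Path $key | ForEach-Object {
        $clsid   = $_.PSChildName
        $clsKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $display = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
        $dll     = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($dll) {
            # Paths are sometimes quoted or use %SystemRoot%-style variables.
            $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        }
        # Valid/NotSigned/HashMismatch tells you whether the DLL is what its
        # publisher shipped; 'file missing' means the registration is stale.
        $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else { 'file missing' }
        [pscustomobject]@{
            CLSID     = $clsid
            Name      = $display
            Dll       = $dll
            Signature = $sig
            Matches   = ($display -like "*$Name*" -or $dll -like "*$Name*")
        }
    }
}

Write-Host "Installed Browser Helper Objects:"
$bhos | Format-Table -AutoSize
```

Run it as the user who sees the ad, since the HKCU uninstall key is per-user. An entry whose DLL is unsigned, lives under the user's AppData or Temp folder, or has a name unrelated to anything you remember installing is the one to take to the Manage add-ons dialog and to the uninstall list; an uninstall entry that merely matches by name is not proof the program is gone, so follow the uninstall with the antivirus scan the post recommends.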

Michael Johnson

Comments (8)

  1. adwbust says:

    These typically drop affiliate smart downloaders disguised as an update or required software indicated in the ad. MSE doesn't detect these affiliate downloaders that drop snake oil/open source rip-off programs that MSE also ignores due to being in the gray zone. Pathetic. Just detect the downloaders, aka the origin! SmartScreen should block ads serving the downloaders. They're bad ad servers. In the past, these ads usually drop trojans. Malware writers evolved, so should the analysts… former malware writers are now shady businessmen/con artists that utilize grey tools and works, which in general are still malware. Wake up MMPC. 🙂

  2. Tiirath says:

    But... lots of people don't have SmartScreen turned on and some don't use IE10 / IE11, so SmartScreen won't work. So that said, Michael's advice is still valid.

    "Be a smarty come and join the IE party" 🙂

  3. Ed Fry says:

    I'm still trying to find out why bundle programs, like Conduit and any toolbar from Mindspark Interactive, are still allowed to be installed.

    Every infection of Conduit or Mindspark I find embeds ads just like this into just about any site they embed to. They don't QA their ad content and will accept any ad from just about any scammer, and that's the real threat. I don't care if the program itself follows the adware policy; if the ads themselves are malicious the app should be flagged at least as a low threat.

    And it's not just these as well; well-established ad firms fall for this too. For example, do a search for "VLC media player" or "7zip" in Bing or Google. I guarantee that the ads are all for adware bundle droppers. Hell, even the Microsoft store has a few of these apps (search for "Getdesktopapp" in the Windows 8 store to see a list of them) since the store allows links to other sites (get app from publisher) to redirect you to the web.

    It's getting to the point that I have to tell customers "Don't download anything and don't install anything" because there's no download place I can find that doesn't have scam downloads.

  4. adwbust says:

    This comment box is too small and the Submit button below it is barely visible. I'm using Firefox 31 on Android. Please correct.

  5. FF says:

    Use Firefox with NoScript to block these types of things.

  6. HomeUser says:

    On 8/9/14, I visited a website and when I clicked on a thread, received a Java window that looked exactly like the one you get if you go to their site. Then the second window appeared, just like you've posted. Thanks to Microsoft Security Essentials, they quarantined it. It was Ransom:JS/Krypterade.A. I went back to the website today and the same thing happened. I have the URL of the "Java" window that popped up, if you want it. Let me know here on this blog. I ran a full scan yesterday with MSE and also MBAM Premium, and again today before visiting the website in question. I don't know how to keep this from happening. Any info is appreciated.

  7. adwbust says:

    HomeUser, the brolock didn't work because you don't have JRE installed, I think. Good call.

  8. Homeuser says:

    @adwbust, the fake Java window pop-up advised me my version of Java was out of date and I needed to update….click here! Since I had uninstalled Java from all 3 of my machines over 2 years ago, it didn't take but a second to know I was about to be someone's lunch :-) MBAM detects malicious websites and MSE catches the Trojans, so that's good teamwork!!