As a researcher with the Microsoft Malware Protection Center (MMPC), I see a lot of digital advertising. Recently I came across a nefarious ad that is so convincing I need to warn you about it.

Below is a mock-up of the ad I saw. I’ve changed the name of the company to Contoso, which is a fictitious company used by Microsoft in examples and documentation:

Figure 1: The nefarious ad

At first glance, the ad seems to follow all of the criteria Microsoft has for clean advertising as explained in our objective criteria.

  1. Attribution: The ad has attribution; in this example it is attributed to Contoso Ads. 
  2. An uninstall entry: If I check the Uninstall or change a program menu in Windows, I can find Contoso listed there.
  3. A close button: The ad has a close button – the grey ‘X’ in the top right corner. This is not to be confused with the red circle next to it, which has no function and is just part of the rest of the ad.

This ad is usually displayed by adware in the bottom left-hand corner of the browser. However, this ad could be displayed by any other means, for example, embedded in a webpage, as a standalone popup, or something else.

What makes this ad exceptionally nefarious is that when you move your mouse over it, another ad appears in a new browser tab. Until recently the ad did not even have the text at the bottom that mentions the “rollover” functionality.

Some examples of this second pop-up ad are shown in figure 2. I have seen a lot of these ads pop up and they all omit to do two things. The first is they do not tell you that they are an ad. The second is they do not display what program has caused this ad to be shown. The user has no indication that the ad in the new tab would not be there if it was not for the program that displays the first ad, in this case Contoso.

Microsoft considers this behavior to be adware, and in this case we would detect and remove Contoso. Some of the examples of the second ad that I have seen look like this:

Figure 2: Some examples of the second ad displayed by this adware

As for the second ads, they look like real warnings, but are not. These are advertisements to entice you to download a program which will then offer you more programs to download. I suggest closing the page.

If you do see this ad I suggest you keep your mouse well away from it and do not attempt to close it using the close button (the grey 'X'). Instead, run a scan with an antivirus product, such as Microsoft Security Essentials. You should also see if there is an uninstaller for the program displaying the ad. In the example above there should be an uninstall entry for Contoso in the Uninstall or change a program menu. You might also want to check if you can disable an add-on entry for it in Internet Explorer.

Michael Johnson
MMPC