Paperghost: Malware Writers Beware, I'm Gunning For You

TeMerc · Jun 3, 2005

Paperghost, noted MS MVP has an excellent blog and has recently decided to take on the thugs at Direct Revenue. Much in the same way Webhelper has chronicled the Transponder Gang, Paperghost will also expose these scumbags for what they really are, greedy, lowlifes using the uneducated Internet user as their way to riches. He has given me permission to reprint his writeups as they proceed. Exposure is our best weapon against them. I'll keep this thread updated as he posts more info.

Originally Posted May 31
A Revolution is the Solution...

Paperghost said:

...and here it is. I had intended to go to London for a holiday, but it seems my best bit of online jibber-jabber actually took place a world away from modems, telephone sockets and keyboards that continually GET STUCK ON CAPS LOCK>

And so, one furtive meeting at a payphone later (seriously, why can't these guys meet up in Burger King like everyone else) and I had myself an audience. It came to me a while ago that we security researchers are almost cheating ourselves in the race to find new malware. By the time we've bust the doors down, cuffed everyone in sight, pepper-sprayed the occupants and wrote a load of stuff about horrible installs, in many cases, the damage has already been done. It's quite rare that we get there first.

There is, however, a group of people that tend to stumble across brand new infections weeks (or in some cases) months before anyone else claps eyes on them. These people are the great digital-disenfranchised, friend of no-one and enemy of all, if you believe the popular press. They may not go looking for this stuff - often, it's a by-product of whatever else they're looking for and so the initial discovery becomes discarded.

Not anymore, however.
Click to expand...

Full Read @ VitalSecurity.org

===============================================

Friday, June 03, 2005

Direct Revenue: BUSTED!

Paperghost said:

Let it never be said that I don't carry out a threat. After that little escapade, I wonder if Direct Revenue really expected anything less. Allow me to recap: Aurora. Nobody likes it. Everybody has it. No-one can find an install site.

Sunbelt Software threatened. Claims of legitimacy from Direct Revenue.

Paperghost: R0xoring the b0xor.

I've had a particular site on the radar for some time now (initally playing with it a good while back), but the damn thing went down before I could save any evidence. I know a number of other people have this one in their sites too. However, in an act of total stupidity, the people behind this site brought it back online, and it's a decision they'll likely regret for some time.

The time for babble is done - let's cut right to the chase. The following pictures will say it far, far better than I ever could.

Let me recap this. Pore over every single word of it:

"Aurora is the brand name of one Ad Client which, as stated above, is only installed upon affirmative acceptance of the EULA".

Now, they must do EULA stuff like that before EVERY install. Even something as nasty as, say, Ceres? (which is basically Aurora by another name). There could never be any confusion as to exactly which EULA they mean in any given installation, could there?

Wrong. Prepare to watch the plot thicken.
Click to expand...

Full Read @ VitalSecurity.org

TeMerc · Jun 9, 2005

Paperghost said:

Sometimes, words fail me. It's as if the Gods themselves decided to confirm in 100 foot high burning letters what Wayne Porter stated just a few days ago regarding the future of Malware (Greynets).

I've stated for a long time that the installs would get bigger (you have DSL? Great! We'll hose your bandwidth along with your PC!), though these installs would need something a little more sophisticated than a "You're our 1000th visitor! Click here, you've won a speedboat" banner ad. And, thundering into the world of P2P are a series of what can only be described as mega-installs. You may get some content with it, but the programs that lurch onto your PC mean you won't be sampling it anytime soon.

First there was the 8MB install. Ooh, we said. That's a whopper. Then there was Bube, with its 100+ individual items of Malware, Spyware and Trojans. Ouch, we said. That'll hurt. After that came Adware that forced the .NET framework onto your PC (whether you wanted it or not), with a 65MB piece of frivolity. Er...hang on, we said. That kinda' sucks.

And now....it looks like the once (vaguely) happy, clappy world of Bittorrent is being invaded with the marketing campaign to end all marketing campaigns. A concerted effort to get everybody's favourite piece of advertising genius into your lives...Aurora.

Maybe the reason why install sites are so thin on the ground is because there aren't any. Not a lot, anyway. It was obvious that Aurora was getting onboard somehow, but no-one seemed quite sure where from. When I think back now, to all those Hijack This logs posted on security forums...the answer was staring us in the face. Do a random Google search for Nail.exe and Aurora.exe, check out the forums and see what reoccurs, time and time again:

btdownloadgui.exe,

Otherwise known as Bittorrent. I checked hundreds of those damn logs, and more often than not, it was chugging away in the background. No wonder none of the victims (or spyware experts) seemed to know what site Aurora was coming from - there was no site. It would have never occured to the end-users that it could have crept in by another means altogether.

So with that partial mystery solved, there was only one thing left - go hunting. Shotgun in one hand and crucifix in the other (just in case), I've quickly discovered a whole world of agonised PC owners who have yet to march across security forums and cry out for help. Check this out...
Click to expand...

Full Read, w\screenshots @ VitalSecurity.org

Reprinted with permission by Peperghost

TeMerc · Jun 13, 2005

Aurora install links wanted!

Paperghost said:

That's right, I want more...more! If you've been nailed (excuse the poor gag) by Aurora, either in P2P land or from a website you visited, please let me know and pass on the relevant URL or file-sharing link so I can go and have a look. I have plenty more in the pipeline for Direct Revenue. Send any and all information to paperghost@vitalsecurity.org.

Thanks.
Click to expand...

Reprinted with permission by Paperghost

TeMerc · Jun 15, 2005

Direct-Revenue: VitalSecurity Info 'Misleading'
Spyware Floods In Through BitTorrent
By Ryan Naraine
June 15, 2005

BitTorrent, the beloved file-sharing client and protocol that provides a way around bandwidth bottlenecks, has become the newest distribution vehicle for adware/spyware bundles.

Public peer-to-peer networks have always been associated with adware program distributions, but BitTorrent, the program created by Bram Cohen to offer a new approach to sharing digital files, has managed to avoid the stigma.

Not any more, anti-spyware advocates warn.

According to Chris Boyd, a renowned security researcher who runs the VitalSecurity.org nonprofit resource center, the warm and fuzzy world of BitTorrent has been invaded by a massive software distribution campaign linked to New York-based adware purveyor Direct Revenue LLC.

"This is the marketing campaign to end all marketing campaigns," said Boyd, the Microsoft Security MVP (most valuable professional) known throughout the security industry by the "Paperghost" moniker.

In an e-mail interview with Ziff Davis Internet News, Boyd said rogue files have popped up occasionally in BitTorrent land but those were usually just random executables. "This is the first time I've seen a definite money-making campaign with affiliates, distributors and some pretty heavy-duty adware names," he added.

Boyd, widely known for chronicling spyware, hacking and malware exploits, has published details of the BitTorrent distributions and identified Direct Revenue and Marketing Metrix Group as the companies responsible for the rigged files.

More.......

Page 2

Direct Revenue admitted to using MMG to push Aurora distributions via BitTorrent, but insisted that the actual adware installation was done with adequate and up-front disclosure.

In an interview, Direct Revenue chief technology officer Daniel Doman said MMG is "one of many affiliates" used to distribute Aurora. "They [MMG] specialize in doing content distribution on peer-to-peer channels, and we think they provide an easy mechanism for people like us who want to monetize software or content."

Doman, a former director of engineering at DoubleClick Inc., said the increased visibility of Aurora and the "nail.exe" component was not the result of new installations, pointing out that Direct Revenue is auto-updating its file-naming convention to address criticisms that the adware program was hidden on purpose.

Doman described Boyd's posts on VitalSecurity.org as "misleading" and pointed out that the screenshots provided by the researcher "clearly show full disclosure" before the Aurora program is installed.

Full Read @ eWeek

TeMerc · Jun 16, 2005

Paperghost: My Response
...ahahahaha! Someone sounds rattled!

Where?

Here

In an interview just given with Eweek.com, a tale of two cities is presented - one where thousands of people have ended up with Aurora on their systems and wished they could get a can of industrial strength bug-spray to clean the damn thing out.

The other is a place where Aurora is a "valuable marketing proposition" and everybody can't wait to have anything up to five advertising windows popped open at the same time.

In other words, Daniel Doman (chief technology officer for Direct Revenue) sounds a touch rattled by the increased attention paid to their "toy" - it's a long time since I saw someone come across as that defensive in an interview. Even better, he appeared to miss the point of this article completely. So in the spirit of fair play (and because I love stuff like this), what follows is a breakdown of the above article with my responses to this guy's vaguely panicked sounding "accusations". Don't worry, I'll be fine. I've seen Eric Howes do this hundreds of times...

Full Read, w\screenshots and detailed analysis @ VitalSecurity

TeMerc · Jun 17, 2005

Direct Revenue respond...

I have absolutely no problem with heaping out credit where credit is due - especially when that credit involves shutting down a rogue affiliate. Even more so when that rogue affiliate exists in the world of Adware - because all too often, it's the easiest thing in the world for the makers of the software installed to wash their hands of all responsibility. That has been a common staple of the Adware industry for years, and the most common excuse made when things go wrong.

So with that in mind, I will happily publish the below letter from Direct Revenue. I'm still going to write about installs that I feel to be rogue, I'm still not impressed with the whole Aurora issue, and I still don't agree with many of the practices employed by various companies whose products fall (rightly or wrongly) under the banner of "Adware". I also take issue with the article regarding Aurora's distribution being labelled as "deceptive". Apart from that, it certainly doesn't fix the problem overnight - it's just one small chunk of rogue site gone wrong action shut down - but it would be unrealistic to assume such a thing could be achieved with no time given to set things straight.

Direct-Revenue said:

June 16, 2005Mr. Christopher BoydVitalsecurity.orgVia email:Thank you for posting the video on Vitalsecurity.org today showing an improper download of Direct Revenue software. We have identified the third-party distribution channel responsible for the download in question, confirmed that the download of our software was occurring in breach of our distribution agreement and without user consent and, as is our policy in such matters, we have shut down the distribution channel responsible for the offense.Direct Revenue
Click to expand...

Well done - it's a start.
Click to expand...

Full Read @ VitalSecurity.org

Reprinted with permission by Paperghost

TeMerc · Jun 22, 2005

PCMagaperghost Scheming Against Bittorent

By John C. Dvorak

John Dvorak said:

Simple Lies, Told as Fact. There is no spyware in BitTorrent. There is no way BitTorrent is being tricked into delivering spyware. We hear that BitTorrent files are "infected." What specific to BitTorrent is infected? Is it the BitTorrent initiation files? Or is it the payload? If it's the payload (the media file, for example) then what's it got to to do with BitTorrent per se? Nothing, that's what.

Someone took an executable file, which in one instance is distributed as a Family Guy episode. Instead of just being an .avi or .mpg file, it's an .exe or some other executable. Executing the file results in a load of spyware being installed. So again I ask what's this got to do with BitTorrent per se? If BitTorrent didn't exist this file could still be traded in any number of ways. Nothing would change. BitTorrent in this instance is merely the download mechanism. You'd STILL get the spyware if you used something other than BitTorrent. Spotlighting BitTorrent is a cowardly way to discredit the product.

The Root of the Accusations. This was all begun by a Microsoft MVP character named Chris Boyd, who is always described as a "renowned" security expert. By whose standards is he renowned? Has he written books? Academic papers? Articles? What exactly besides blogging? So where does this assertion come from? The blog?

He posted his BitTorrent discovery on his security blog here. He discovered that the Aurora spyware is on machines that also have BitTorrent installed and implies that BitTorrent has more to do with it than a casual coincidence. Does this guy know that BitTorrent is a downloading system and people who do a lot of downloading tend to have it on their machines? The cause and effect logic here eludes me. Is he saying it's impossible to get Aurora without BitTorrent?
Click to expand...

Full Read @ PCMagazine

Read my reply over at the PCMag forums here

TeMerc · Jun 22, 2005

Paperghost Replies to John Dvorak:

Paperghost said:

Simple facts, told as lies
Simple Lies, Told as Fact.

This is how John C. Dvorak's piece begins. It's a lofty piece, full of astounding claims, incredible payoffs and tantalising climaxes.

Unfortunately, it's also complete and utter nonsense. In an amazing piece of trollishness, he attempts on a grand scale to divert attention from what is possibly the MMG installer's lowest depth yet. I will post the second part of this update sometime later today - prepare to be amazed. I'll cut through John's points nice and quick, no hanging him out to dry like Direct Revenue this time.

John: There is no spyware in BitTorrent.

Nobody said there was.

John: There is no way BitTorrent is being tricked into delivering spyware.

Nobody said Bittorrent could be tricked. Last I hard, Bittorrent was an unthinking, unfeeling program. You can't generally "trick" things like that.

John: What specific to BitTorrent is infected? Is it the BitTorrent initiation files?
Is this guy listening? Maybe he should, you know, read the article.

John: Or is it the payload? If it's the payload (the media file, for example) then what's it got to to do with BitTorrent per se? Nothing, that's what.

Actually, it's got everything to do with it. Bittorrent didn't have this kind of problem before. The odd rogue Malware bundles, sure, but not a clear and concise marketing campaign. And as someone will point out sometime later today, these installers have actually been tracked since May - and my God if he hasn't found something potentially ready to blow the lid of the Adware industry forever.
Click to expand...

Full Read @ VitalSecurity.org

TeMerc · Jun 23, 2005

asasasa

Paperghost said:

Amazing as it sounds, the sorry case of the first major Bittorrent Adware marketing campaign has gotten worse, both in terms of what it means as a warning for those who ended up becoming involved and those who would possibly ever think of considering that this was, in any way, shape or form, a vaguely good idea.

Bittorrent didn't have this kind of problem before. The odd rogue Malware bundles, sure, but not a clear and concise marketing campaign. And as Dave Methvin of PCPitstop points out in his dynamite writeup, he had been tracking these things for quite some time too. Since May, as a matter of fact. And what he has potentially discovered, is enough to make every Adware company out there want to examine every single last detail of a distribution deal down to the last ounce in future...

Dave: In reviewing comments on BitTorrent forums, it appears that MMG's infected files had been posted as early as mid-April. Administrators of the BitTorrent sites removed the files and/or banned the users when someone reported them, but it sometimes took several days before this occurred. This provided a window of opportunity where the downloader would be unaware of the effects of MMG's file and continue to share it for others to download.

MMG seemed particularly busy with new files on Fridays, perhaps in the hopes that the admins would be away for the weekend and unable to clean up the mess for a while. Although I observed several files that were hundreds of megabytes during May, the later posts tended to be less than 50 megabytes; perhaps MMG was betting that more people would successfully download short files before warnings were posted and the files removed.
Click to expand...

So here we have the first inkling of this infestation, which increased dramatically as time went on. The first "shocker" with this was that the MMG installers did not disclose every piece of software in every bundle - the second, that a mass of supposedly copyright protected mediafiles were being distributed, and neither the Adware vendors or MMG seemed to be able to say who exactly had responsibility to licence these files. So far we have undisclosed Adware, seemingly out of date installer licence agreements and potentially copyright infringing mediafiles which would potentially leave the end-user (who assumes the content is legit) in a world of RIAA fun and games. This is already (and you don't need me to point this out), a very bad thing.

However - things would get worse. specially for the Adware companies who made such a massive mistake in getting involved in this distribution. I actually feel sorry for them - to a degree. As anyone who knows something about anything will generally tell you, play with fire enough times and...well, you can guess the rest. I would also like to state - emphatically - that none of the below accuses (or even suggests) the mentioned Adware companies of being involved in creating, uploading, distributing or having anything at all to do with the media content mentioned, other than simply agreeing to have their software bundled with mediafiles provided by MMG. They couldn't possibly have forseen that things could go in such a wrong direction through the apparent actions of MMG, or else they wouldn't have gotten involved. Though maybe they should have forseen that, without screening every last ounce of what somebody actually plans to do with their particular distribution, you are just asking for a recipe laced with disaster.

180 Solutions, Direct Revenue, IBIS, Belcaro and a bunch of others have all ended up getting their software involved in a distribution campaign that, as Dave states in his article, potentially...

(Contained)...adult videos (that) depicted young girls and implied they were under 18 years of age.

That isn't just huge, it's off the frigging scale.

Full Read @ VitalSecurity.org
Click to expand...

TeMerc · Jun 23, 2005

Wayne Porter writes his opinions on John Dvorak's(PCMag, above post) artcile slamming Paperghost\Chris Boyd.

Wayne Porter said:

Today I have my sleep-deprived EEG. The only painful aspect to this procedure is having to stay up all night so I can be properly "sleep deprived". In order to do that I have dedicated a significant portion of the late night to an entry about Mavens and Misinformation and some of the latest antics going on in the pay-for-performance install world.

Mavens are knowledgeable people. While most consumers wouldn't know if a product were priced above the market rate by, say, 10 percent, mavens would. Bloggers who detect false claims in the media could also be considered mavens.
Click to expand...

In the spyware/adware world Mavens are especially important. I have a dazzling collection of Mavens that I rely on to help me synthesize the information vibrating on the Net everyday. Many of them are household names in the anti-spyware business like Suzi Turner, Eric Howes, Ben Edelman, Alex Ekleberry, Chris Boyd, Dave Methvin, Bill Pytlovany, and Mike Healan to name only a few. These are people I admire for their breadth of knowledge and willingness to share it. (It also amazes me how frequently people who are willing to share their knowledge get attacked from left-field.)

So color me stunned when I start hearing reports that Chris Boyd was the "evil mastermind" behind a plot to discredit BitTorrent and to advance Microsoft's future foray into P2P. To think I thought conspiracy theories only came from affiliate la-la land?

Eventually I discovered the "conspiracy theory" was coming from of from this piece called The Scheme to Discredit BitTorrent (see above post)by John Dvorak. I could go to great lengths defending Boyd's inititial article but it is very clear that he can defend himself as he systematically goes through every piece of misinformation with facts.

What amazes me is how easy it is for someone to take fragments of a story and twist it into a conspiracy theory. This is the type of action I would expect from a mob not a computer magazine. Boyd's blog didn't outline anything that Dvorak insinuates, and after reading Dvorak's article I really wonder if he actually read the original or it was a knee jerk reaction to what he was seeing in the media coverage? Blaming the media for shoddy coverage is fair game, but blaming the objective researcher is not very fair.
Click to expand...

Full Read @ ReveNews

I stronlgy urge all to read the entire thread, its well worth it.

TeMerc · Jun 24, 2005

Now eWeek Jumps On Dvorak

By Steven J. Vaughan-Nichols
June 23, 2005

Opinion: But there is way too much crazy talk going on about Avalanche, BitTorrent and adware.

John, John, John. John Dvorak, what were you thinking?

In his recent column, The Scheme to Discredit BitTorrent, Dvorak gets so much wrong about BitTorrent, its security problems, Microsoft and Avalanche that's it hard to know where to begin.

So, let's just walk down Mr. Dvorak's column, shall we?

First, is Microsoft really taking aim at BitTorrent, the justifiably popular peer to peer protocol? Yes, I know that Bram Cohen, BitTorrent's inventor, thinks so, but is it really?

Both Cohen and Dvorak describe Microsoft's Avalanche project as vaporware.

Ah, actually, it's not even that. It never was.

I don't need to explain this, though. I'll let Kevin Schofield, Microsoft Research's general manager for strategy and communications.

Full Read @ eWeek

TeMerc · Jun 24, 2005

Paperghost said:

Someone just alerted me to an interesting read. Actually, two.

You may or may not have seen this- in it, the world and its uncle are accused of a grand Microsoft world domination takeover, with me at the helm. No doubt dressed in black robes and swinging a lightsaber. Well, you probably already saw my response to John C Dvorak, but what you might not have seen are some of the pieces springing up in direct contrast to what he wrote.

The first- Wayne Porter of XBlock systems. If I die young, I want "The Zaphod Beeblebrox of spyware fighting" stamped across my gravestone. Of course, I'll need 24/7 protection to ensure my remains aren't dug up and hung from a tree with a "BT Pwns jo0 sucka!!112" sticker pasted to my forehead.

The second- Steven J Vaughan-Williams, a fittingly musical surname to my vaguely witty title. In it, he calmly and rationally asserts why there is indeed no "grand conspiracy" against Bittorrent - only against the kind of marketing campaign we saw launched into it's relatively infestation-free world. You may remember the origiinal on EWeek - in it, a perfectly reasonable discussion about the MMG bundles that were filling up numerous sites in Bittorrent land was twisted into something that had no similarity to the original piece. A definite case of Rise, Lord Vader if ever there was one. Immediately, people started screaming for blood and, without actually checking the facts regarding what was actually going on (it seems), rafts of people jumped on the bandwagon, outraged that someone said Bittorrent itself was full of spyware.

The sad part was, nobody did.
Click to expand...

Full Read @ VitalSecurity.org

TeMerc · Jul 30, 2005

Paperghost said:

Aurora's latest distribution source?

A wonderful game of connect the dots is being played out...and it looks like we have a winner. When a raft of circumstantial evidence is available, putting the pieces together usually solves the puzzle. And what a puzzle it has been! A globe-spanning paperhunt, multiple translations and a whole bunch of testing has driven me to one conclusion...Aurora has a new home.

But where could it be?

Stay tuned to find out. All I'll say for now is...a while back, Wayne Porter mentioned "classic greynets" and "daisy-chained" installations on his ReveNews blog. Looks like his prophecy has been fulfilled...!
Click to expand...

Vital Security.org

TeMerc · Jul 31, 2005

Aurora Adware bundle hits Instant Messaging

Paperghost said:

The thing about timed explosives is, you're never quite sure when they're going to go off. And in this case, something that was posted on my forum some weeks ago has lain dormant, unwilling to co-operate. That is, until a few days ago. Wayne Porter has often said (and I agree) that Greynets are the future of Malware (and other Ware) installs. Most of the "big" stories I've covered have involved some pretty zany techniques to get things onto your system. And Aurora has managed to find itself installed in everything from Bittorrent media bundles to multi-webpage EULA funfests. In fact, I'm convinced if you looked in my underpants right now, Aurora would be down there too.

Omnipresent doesn't come into it.

But yet again, I am forced to look in slack-jawed amazement at the - er - ingenuity?...of the Aurora affiliates so desperate to get it onto your PC that they really will stoop to any means necessary to make their dough. Come with me, into the new Adware-bundle battlefield....Instant Messaging.
Click to expand...

Full Read w\screenshots @ VitalSecurity.org

TeMerc · Aug 2, 2005

From SpywareGuide.com:

Greynets Special Report: Instant Messenger Opens Flood Gates to Hidden Spyware

by SpywareGuide.com Staff

BACKGROUND ON GREYNETS

To better understand this analysis it is helpful to understand the concept of Greynets. Greynets are network enabled applications that are installed on an end user's system without permission from IT and are frequently evasive at the network level, using techniques like port agility and encryption to avoid being detected and blocked. Greynets sport a number of network and information security risks including potential vectors for malware, client-side code vulnerabilities, intellectual property loss, identity theft and more. While some greynets, especially IM, have legitimate business uses, others are not so business-friendly. Even legitimate greynet applications can pose serious network and information security risks. It is critical to understand that Greynets are not just IM or P2P applications but can also encompass applications that are typically called "spyware" or "adware". Most technology is neutral, it is how it is used and deployed that helps us determine whether it is harmful or useful to the end user. Thus the world of software must be viewed in shades of grey.

INTRODUCTION TO INSTANT MESSENGER EXPLOIT

A recent and potent Greynet threat has emerged in the form of an Instant Messaging mega-bundle of Adware (another form of a Greynet), which our research team has recorded [Format: .avi || Running Time 4:47 || Size: 28.1 Megabytes] and also captured traffic logs from in an effort to understand the install process better. This bundle (described on VitalSecurity.org minus the nail.exe Aurora infection) relies upon an end-user who is trusting enough to click on the infection link generated by an apparently modified IRC Trojan, Poker3.exe.
Click to expand...

Full Read @ SpywareGuide.com

======================================================================
From Paperghost:

Well, I'm fully aware that not everyone can download a 28MB movie file. So I tried to create a flash animation that brings home the full effect of the install as best I can. All I can say is - make sure you have your speakers cranked up!
Click to expand...

Watch flash movie

TeMerc · Aug 3, 2005

Instant Messaging Adware: First rogue affiliate dragged into the light?

Paperghost said:

To all those that create the kind of wonderful bundles we have seen of late, I say this - you cannot hide from me You cannot escape the soul-crushingly obvious fact that, sooner or later, I am going to discover your secrets and blast them out into the open. And so here we are - a few articles into the IM adware invasion and faced with an install of massive proportions. Piles of unwanted software. Multiple points of entry. Websites galore popped open. No EULAs or warning in sight for everything but a single toolbar. What is the common thread? What is the tie that binds all this stuff together? Where is a good place to start, when you're hunting someone responsible for kickstarting an invasion not seen since men in black costumes jackbooted their way across Poland?

I'll tell you.
Click to expand...

Full Read @ VitalSecurity.org

TeMerc · Aug 5, 2005

Paperghost said:

I'm on it, get on it, the troops are on fire...

...and more needs to be done to stamp this garbage out forever.

It's great that Wayne Porter just challenged those whose software is involved in this bundle to step up to the plate and explain what the hell is going on with this thing . Because I'll make it known that I have already had numerous Advertising and Adware companies contact me about this, some practically begging me to stomp the rogue affiliates and make it all better. I'm not surprised - it's one thing to argue about the technicalities of a spurious webpage install. But its something altogether different when your crazy rogue affiliate is using an established virus technique to hawk software onto PCs. The line has been crossed, and I don't think there's a company out there who could ever say this was a good idea.
Click to expand...

Full Read @ VitalSecurity.org

TeMerc · Aug 8, 2005

August 7, 2005

Amazon In the Logs of the Latest IM Spyware Scandal

Wayne Porter said:

Already we have demonstrated the agile nature of Greynets across a wide range of installation vectors and the damage they can cause. First we had the furor over SpazBox and rogue IRC networks and then BitTorrent installs. For the record John Dvorak I acknowledge it is not BitTorrent that is spyware laden, but what you can get from BitTorrent that becomes problematic.

Lately our staff at SpywareGuide.com, with some help of other crack researchers, have been doing some hard digging into the world of Instant Messenger and what can spew forth from such benign technologies. I am particularly attracted to IM as an attack vector for study because of the aspects of social engineering. Inspired by the pranks of LowTax at SomethingAwful.com I have spent hours on various chat clients convincing people I built battle bots for a living, and asking them if they wanted to “talk” to a live Battlebot. I accomplished this by using techno-jargon and typing in all caps when the Battlebot “spoke”. User’s would respond the vast majority of the time. (Note to Brian Clark: You will see how I have taken my Pusher versus Puller Bot studies to pragmatic use.)

Granted it gave me hours of entertainment, but most important it provided insight into how trusting and naïve users are on chat networks, especially IM.

What if I had sent a link to install a chat module so they could “hear” the robot speak? It would have been a funny prank, but in the hands of adware pusher or identity thief, it would have been disaster. In the hands of a skilled social engineer it would have been child's play. It shows you just how easy massive spyware fraud rings like Sunbelt Software uncovered recently.

The social engineering 'fun' could have ended up as an adware bundle, a keylogger, a logic bomb, a virus, or a timed installer set to go off when the computer was idle for X hours. While this doesn't sound scalable I assure it can be made so but I see no reason to give the "other side" any more ideas.
Click to expand...

Full Read @ ReveNews
=================================================

August 8 2005

More on IM adware infiltration from Paperghost:

How deep does the IM rabbit hole go?

Using established virus techniques to push a huge bundle of Adware in IM land is bad enough. But now it looks like someone has had the bright idea of pushing something on a bunch of kid-themed sites. In fact, they have been since last year. But what is the connection between this and current events? Let's look at the evidence.

My good friend Roger Karlsonn of Kephyr.com heeded my call and let me know about a number of sites that push AIM chat / smiley tools. Nothing new about Adware being bundled there. Though something approaching 20MB of unwanted software is never a good thing. These three sites have (for no apparent reason) an .exe sitting on them. This .exe is, you guessed it, a really bad thing. Agree to the install, and you're whackalised with unwanted installs. No EULA, nothing. Even more maddening, the sites have an "uninstall" page mentioning some of the programs, but what kid is going to scroll down to the bottom when a dialogue box is sitting in the middle of the page asking them to do something?
Click to expand...

Ful Read @ Vital Security.org

TeMerc · Aug 12, 2005

August 12, 2005

The creators of the IM bundles discovered...

Paperghost said:

When a roadblock is met, what happens to the story? Where does it go, when the leads have dried up and there's nothing more to say? What do I do when I've promised you another chapter, some kind of payoff to the twisting, turning story at hand - but there's nothing more to be seen? Do I just stop writing about it, and pretend it never happened? Hope something may just turn up somewhere in the future? Watch as the wheels come off, the momentum dries up and everyone goes home more entertained by the support act?

Nope - I get out there, take some names and BUST SOME HEADS.So come with me, as I raise the bar then gun it down, the group responsible for the IM installers caught red-handed and trailing in my wake. Angry words, incriminating screenshots and punks nailed to the floor is the order of the day.And that's just the start. It's time to rock...
Click to expand...

Full Read @ VitalSecurity.org

TeMerc · Sep 6, 2005

Paperghost said:

IM Hacker Gang...their secrets exposed

Yep, in a nifty series of writeups over at Spywareguide.com, I'll be examining in detail the methods employed by one of the groups behind those IM Adware installers, beloved by - er - nobody at all, actually.

Part one, for your viewing pleasure!

Of course, there is more to come - including an explanation of exactly how the IM virus technique works, a look at their Trojan-toolkit and possibly a few other nifty things too.

Paperghost, keeping it real 7 days a week...
Click to expand...

VitalSecurity.org

================================================

A microscopic cog, in a catastrophic plan...

Paperghost said:

...though the red right hand is not directing, nor designing. Instead, here I am, Superman, rhymes wearing capes and busting up the place. When you get a raw deal, go for the steel and BRING THE BEAT BACK.

And for those of you who have absolutely no idea what I'm talking about, the above link takes you to the second part of the Spywareguide.com series exploring the IM hacker's treasure trove of files - this time round, looking at what they actually did to come up with such a brutally nasty installer in the first place.
Click to expand...

Full Read @ VitalSecurity.org

TeMerc · Sep 14, 2005

Major BitTorrent Adware distribution underway?

Paperghost said:

I got so much trouble on my mind - refuse, to lose!

Look what I found - none other than Marketing Metrix Group - they live! Yes, that's right - the guys behind the, er, wonderful BitTorrent Adware installers that kicked off World War Three not so long ago have returned.

Well, guess what - I don't know if this is a coincidence. I don't know if MMG are involved in this latest escapade. But I do know from a fellow security pro that there is a new BitTorrent distribution campaign underway, and it is something of a biggie from all accounts.

They appear to have set up several blocks of IP addresses hosted on different servers across the country. There were more than 100 computers seeding each file, and a lot of them appear to be controlled by.....
Click to expand...

Full Read @ VitalSecurity.org

TeMerc · Sep 27, 2005

Paperghost said:

....kidding on the exploding galaxy thing, but Direct Revenue have indeed made some changes to their cash-cow (click the image to see some nifty re-branding action). And here comes the science part...

In a nutshell, they're now calling everything "The Best Offers Network". They've already been using that name for about a year, but they liked it so much they decided to splatter it all over everything, crazy paintball style.
Click to expand...

Direct-Revenue said:

The Best Offers creates the opportunity for developers of content and software to generate income from each permission-based consumer download.
Click to expand...

Full Read @ VitalSecurity.org

TeMerc · Oct 11, 2005

The Song Remains The Same:

Direct-Revenue said:

Direct Revenue LLC said it will stop using affiliate networks as of Sept. 22 and rely exclusively on bundling arrangements with "free advertising-supported software" to promote its software in the future.
Click to expand...

Referenced here

Fast Forward, Oct 11, From Paperghost:

Paperghost said:

Direct Revenue's tasty burger.......

...thanks to Mike Burgess for giving me a heads up on this one. Recently Direct Revenue stated that they were "pulling out of third party affiliate distribution". The only exception would be companies they had direct relationships with. This should mean (in theory) that everything is now 100% above board, with no sprinkles of controversy. Right? Well, what do we have here but something approaching an invasion from the East...the French are overrun with installs and they're heading our way! The question is - what do they do, how did they get there and (more importantly)...is everything nice and clear, disclosure wise?

How about (in this order) - don't know, not sure and probably not?

.....it looks like Direct Revenue's name change antics have made a difference - the difference being, the whole process now blows even more.
Click to expand...

TeMerc said:

Read on all about the crazy installs provided by what may, or may not be D-R's 'direct partners', and get ready for more of the same responses from them as they try and defend these unethcal instals.
Click to expand...

Full Read @ VitalSecurity.org

Log in or Sign up

Paperghost: Malware Writers Beware, I'm Gunning For You

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

Log in or Sign up

Paperghost: Malware Writers Beware, I'm Gunning For You

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

TeMerc Registered Member

Useful Searches