February 2006 Archives

This Story Made Me Spill My Noodles

|

As any regular day, this evening after work I settled with a snack (today: Cup-o-noodles) behind the computer for some "light reading" of industry blogs and their related links. This was a safe activity until tonight, when I came across this 180solutions press release, which made my noodles fly all over the place.

Let's for a moment sidestep the disregard for the great research work my collegues at FaceTime did, and focus on this quote:

However, according to McGraw, the company took the extra measure of requiring each user to re-opt in to the installation a second time, even though proper consent was obtained at the time of first install. "In this case, the re opt in opportunity wasn't required, because the few users who did install our software as delivered in this exploit did so with knowledge and consent," McGraw said. "But it was the right thing to do given the unorthodox and unapproved nature of the installation interface those users encountered."

Now let's read that again.

It seems only yesterday that I wrote about the dangers of the "sendkeys" attack, and how it would easily defeat any kind of confirmation screen the adware creator puts up, and what to do about the problem.

Now both crusaders Wayne Porter and Ben Edelman discuss this techinique actively being used in the wild. Grab (a small amount of) popcorn and watch the movie.

Let's make things very clear here:

If adware creators do not create a strong validation system like we have proposed (or something similiar), then any form of obtaining user consent via a confirmation dialog is virtually worthless!

On that note a personal message to 180 Solutions.
Your "S3" has been proven to be "less than satisfactory".
Get the message and learn the lesson, or S4 and S5 will go the same way.

....kind of. There's something of a storm brewing, and it all centers on this writeup by Ben Edelman, and his refusal to hand over the rogue affiliate details to 180 Solutions.

On the one hand, 180 are claiming that their security procedures are fine...on the other, they are essentially making the security researchers a part of their seemingly broken loop. I'm reminded of that old line about not having your cake and eating it, but oh well. You can try, I guess...

As Wayne Porter says on his Revenews Weblog:

Many researchers have done this to help educate the public, law enforcement and the legal eagles, and it has had some effect. However the routine grows stale when Company X utilizes said research to clean up their network and then claim how great they are at making the Internet a better place and being proactive. (These are my words not those of any company I work for.)

Can you almost feel the inflection point shimmering before you in the battlefield air? Can you see the line in the sand being drawn? I can. I think in the future the anti-spyware minutemen will continue to fire volley after volley only instead of giving out the full dose of lead they are going to release only what needs to be released to call attention to the bad behavior and leave the rest in reserve as ammo for the real guns that are slowly pivoting into the battlefield.

Yep. I can see the line in the sand.

This vitalsecurity entry took me to an interview the Washington Post did with a botnet herder. It is indeed a bit of a long read, but proved to be worthwhile.

As a spyware researcher, I was always wondering how the botnet operators are able to install all the different pieces of adware onto the victims PCs, without the users being any wiser. Many of these programs now have "confirmation boxes" which show a EULA that needs to be "agreed to" before installing. For the sake of clarity I will keep the disucssion on whether these EULAs actually fulfill their purpose for another place and time. We observered the end-user not seeing anything at all.

My first assumption was that the botnet operators distributed "hacked"/modified versions of the adware package, with that particular screen removed.

I was wrong. Seems like I was applying Occam's Razor at the dull end.

This "pseudo-technical" quote tipped me off that something else was going on:

Once they invade a computer and add it to their botnet, they use automated keystroke codes to order the enslaved machine to click "OK" on installation agreements.

If you are any kind of developer, this should ring a bell.
It seems they are using the good old "SendKeys" command, that has been arround for years.

In terms of efficiency this sleight of hand makes sense. Instead of having to mess with a resource editor, repackaging and hosting their own modified versions, they merely use the original installer package from the official adware location, launch it, do a "FindWindow" and a sendkeys of a few "OK" clicks. This can be implemented in less than a dozen lines of VBScript.

So it turns out the user gets to "see" the confirmation dialog after all, but only for the time it takes the Windows API to process the requests. On an average computer, that will be less time that it takes to blink a eye. On a slower system, that will about a quarter of a second, still in the "subliminal message" range. All of this is of course assuming that the user is effectively staring at the screen at the exact time of installation. This could be fairly unlikely, since most of these installations are scheduled to happen unattended in the wee hours of the night.

The adware vendors will, as per standard protocol, claim that there is nothing they can do about this practice.

With that I offer some free consulting advice for these vendors, who are actually interested in weeding out the bad affiliates (anybody still listening?) . It's easily implemented by a junior developer in a few hours and will earn back its costs many times over in a few days.

Given that your application is already reporting back installations, along with a computer identifier and an affiliate ID (otherwise you would not be able to cut cheques for your affiliates, which is exactly the root of the problem) :

- In the confirmation dialogs, note the time when the window opened. Note the time when the "I agree" button was clicked.

- Substract these measurements, so you end up with a number of elapsed seconds

- Report this "agree speed" along with the other installation information back to your central server.

- Release this as a new minor version of your application. Don't alert affiliates, just put the package in place of the existing one

- Run some simple statistics on this speed. If a user agrees to the license agreement in under half a second, he is either a Vulcan on steroids or a bot. Report the affiliate for fraud or the user to SETI. (If the records show that the elapsed time to read and agree to the 3000+ word EULA was still less than 3 seconds, you might still make some cash by reporting the user here or here. But I promised to have that discussion another time.)

So there, Mr. Adware Vendor, you have it. Using this free advice, you cannot lose. You make money in all cases and you have users who actually want your product.

I am not naive enough to think that this would actually make the vendors refuse the installation-adware is an industry driven by greed. But it will give them a good reason not to pay out the affiliate for the fraudlent installation. Which translates to less money and hence motivation for the fraudsters.

When Computers Get Snatched...

|

...you'd better invest in a bigger set of padlocks. Take this case for instance:


In the six hours between crashing into bed and rolling out of it, the 21-year-old hacker has broken into nearly 2,000 personal computers around the globe. He slept while software he wrote scoured the Internet for vulnerable computers and infected them with viruses that turned them into slaves.

Now, with the smoke of his day's first Marlboro curling across the living room of his parents' brick rambler, the hacker known online as "0x80" (pronounced X-eighty) plops his wiry frame into a tan, weathered couch, sets his new laptop on the coffee table and punches in a series of commands. At his behest, the commandeered PCs will begin downloading and installing software that will bombard their users with advertisements for pornographic Web sites. After the installation, 0x80 orders the machines to search the Internet for other potential victims.

Brian Krebbs has a stunning writeup over at Security Fix. A must read.

For this years traditional pilgramage to RSA, we visited sunny San Jose.

I will not bore everyone with news about press statements and product releases, but get to the interesting part immediately: the fashion trends.

If there is one thing that stood out during this event:
The "new black" is.... black!

Thats right, every vendor had some sort of black T-shirt to hand out.


This is just a random example of a "black shirt vendor" trying to push black clothing onto the bodies of innocent passersby.

In the "because I can" department: As an exercise in messing with the Google Maps API, I have started geocoding some of the addresses of creators of (adware and other) products that we have in the spywareguide database. Then with a little php and javascript glue, made a nice overview map on it.

Click here: List of Software Vendors to see it in action. (Please no yelling if it doesn't work. It's not even beta.)

Some observations already ([Insert disclaimer about small dataset here]):

- These companies seem to cluster together. You can notice some definite grouping. Coincidence?

- Some of them have really neat offices. Select one, zoom in to max level and switch to "satelite mode" to see them.

- Look at some of the exotic locations! Here is one in Hawaii!

Welcome to India...

|

Well, one of the worst plane trips of all time ended at about 4AM this morning - all it needed was Indy asking what happened to the pilots. Along with customary delhi-belly (in...er...Bangalore), and a horrifically bad ache in my jaw that just...wouldn't....quit....it's safe to say I had a rough ride out. However, I'm now in India and looking to see what goes on in spyware land.

Did you know FaceTime have a whole R&D lab out here? Yeah, well you do now. And it rocks. I'm here with the American contingent to see what the deal is.

Well, that was the plan at any rate. Because of said sickness, I spent the whole day rolling around in my bed. Not a pleasant sensation when you've spent what feels like about a fortnight sitting in a tin-can at 30,000 feet.

On the bright side, I can now name, recite and dance to every single song in the Bangalore charts. I can tell you how many times I have stumbled out of my room, comedy fashion, only to find the others had already gone out before shambling back in again. I can tell you how many monsters I fragged on Unreal Tournament 2004. But mainly, I can tell you that I have WiFi access in my room and it rocks.

The trip from the airport was pretty scary - next time I go somewhere, I'm sitting upfront with a seatbelt, as opposed to bouncing round in the back praying for a quick death. If you love cars that go honk, you'll love Bangalore. They just love tooting those things.

I also talked to some guy at Heathrow airport about spyware (the plane was delayed, what else were we supposed to do)? Turns out I'd actually cleaned one of his PCs out not so long ago on a forum, and he's like, Big Chief Important-pants of a well known Hotel chain. Next time I go abroad, it's free rooms for teh win!

Comedy moment of the day? Taking the bizarre "clean for your comfort" banner (which looked for all the world like the police tape at a murder scene) off the toilet bowl, only for it to then (of course) fall in the toilet is was previously protecting. Plunging your hand down the accursed thing to extract a "clean for your comfort" ticker tape ain't really my idea of clean, or even comfort. Oh well.

Haven't actually eaten anything as of yet, for obvious reasons - just walking around at the moment is making my stomach do flip-flops. I might attempt to carve up a biscuit later.

As for the rest of the week, well, what do I have in store for you?

Assuming I can keep down the four minstrels I just ate long enough to get something done, well, er, a whole load of spyware kicking goodness. And that.

Well, what else did you expect?

My trip to India...

|

...because you want to hear all about it, don't you?

/ hypno-eyes

See, here's the deal. I traveled to India in January, to take part in a Spyware research summit in Bangalore. There, I would meet the guys from the US and the guys based in India. A jolly good time would be had by all. Now, I know what you're thinking. Oh noes, you're thinking - the dates, they are all messed up.

Well, yes and no.

See, I can't backdate my entries before the date the Spywareguide Weblog was launched - that'd be stupid. Plus, I'd have to invent time travel, and I'm just too busy at the moment. So, rather than have a permanent record of my travels forever stored in the limbo that is Paperghost.com, I thought I'd haul a whole bunch of stuff over here complete with some new entries. Yes, the dates are out of whack, but then if you visit the "Travel" section everything is in order anyway. Dates really don't matter too much when you're busting spyware and feeling ill (more on that next time). You just gotta' roll with it, baby.

So yeah...strap yourself in and prepare for travelling aplenty.

You're gonna' need more jiggawatts.

About this Archive

This page is an archive of entries from February 2006 listed from newest to oldest.

March 2006 is the next archive.

Find recent content on the main index or look in the archives to find all content.