Another Small Piece of the Puzzle- Agree Speed

| | TrackBacks (3)

This vitalsecurity entry took me to an interview the Washington Post did with a botnet herder. It is indeed a bit of a long read, but proved to be worthwhile.

As a spyware researcher, I was always wondering how the botnet operators are able to install all the different pieces of adware onto the victims PCs, without the users being any wiser. Many of these programs now have "confirmation boxes" which show a EULA that needs to be "agreed to" before installing. For the sake of clarity I will keep the disucssion on whether these EULAs actually fulfill their purpose for another place and time. We observered the end-user not seeing anything at all.

My first assumption was that the botnet operators distributed "hacked"/modified versions of the adware package, with that particular screen removed.

I was wrong. Seems like I was applying Occam's Razor at the dull end.

This "pseudo-technical" quote tipped me off that something else was going on:

Once they invade a computer and add it to their botnet, they use automated keystroke codes to order the enslaved machine to click "OK" on installation agreements.

If you are any kind of developer, this should ring a bell.
It seems they are using the good old "SendKeys" command, that has been arround for years.

In terms of efficiency this sleight of hand makes sense. Instead of having to mess with a resource editor, repackaging and hosting their own modified versions, they merely use the original installer package from the official adware location, launch it, do a "FindWindow" and a sendkeys of a few "OK" clicks. This can be implemented in less than a dozen lines of VBScript.

So it turns out the user gets to "see" the confirmation dialog after all, but only for the time it takes the Windows API to process the requests. On an average computer, that will be less time that it takes to blink a eye. On a slower system, that will about a quarter of a second, still in the "subliminal message" range. All of this is of course assuming that the user is effectively staring at the screen at the exact time of installation. This could be fairly unlikely, since most of these installations are scheduled to happen unattended in the wee hours of the night.

The adware vendors will, as per standard protocol, claim that there is nothing they can do about this practice.

With that I offer some free consulting advice for these vendors, who are actually interested in weeding out the bad affiliates (anybody still listening?) . It's easily implemented by a junior developer in a few hours and will earn back its costs many times over in a few days.

Given that your application is already reporting back installations, along with a computer identifier and an affiliate ID (otherwise you would not be able to cut cheques for your affiliates, which is exactly the root of the problem) :

- In the confirmation dialogs, note the time when the window opened. Note the time when the "I agree" button was clicked.

- Substract these measurements, so you end up with a number of elapsed seconds

- Report this "agree speed" along with the other installation information back to your central server.

- Release this as a new minor version of your application. Don't alert affiliates, just put the package in place of the existing one

- Run some simple statistics on this speed. If a user agrees to the license agreement in under half a second, he is either a Vulcan on steroids or a bot. Report the affiliate for fraud or the user to SETI. (If the records show that the elapsed time to read and agree to the 3000+ word EULA was still less than 3 seconds, you might still make some cash by reporting the user here or here. But I promised to have that discussion another time.)

So there, Mr. Adware Vendor, you have it. Using this free advice, you cannot lose. You make money in all cases and you have users who actually want your product.

I am not naive enough to think that this would actually make the vendors refuse the installation-adware is an industry driven by greed. But it will give them a good reason not to pay out the affiliate for the fraudlent installation. Which translates to less money and hence motivation for the fraudsters.

3 TrackBacks

Listed below are links to blogs that reference this entry: Another Small Piece of the Puzzle- Agree Speed.

TrackBack URL for this entry: http://blog.spywareguide.com/mt-tb.cgi/240

It seems only yesterday that I wrote about the dangers of the "sendkeys" attack, and how it would defeat any kind of confirmation screen the adware creator puts up, and what to do about it. Now both Porter and Edelman... Read More

Let's Dive Right Into It... Recently, like my colleague Chris Boyd, I received the Microsoft MVP Award, I thought I might get a raise- instead I received the honor of leading the Greynets Blog! What a task it has been.... Read More

Apples to Oranges- Adware is not like Television from ReveNews - Wayne Porter: Greynets, Malware, Adware & Spyware Research- E-commerce on May 30, 2006 10:00 PM

SeekMo, from 180 Solutions, popped up on my radar (as well as some other firms) today and I found it interesting given light to a recent, private e-mail exchange with some ad industry thought shapers. One of the cruxes of debate centered around merchan... Read More

About this Entry

This page contains a single entry by Jan Hertsens published on February 19, 2006 11:45 AM.

When Computers Get Snatched... was the previous entry in this blog.

Security Measures Broken In Half... is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.