Deception, Deceit and Dollars- Spotting Red Flags


While Googling to download HijackThis, I spotted a link from Google's AdSense program. Check out the following screenshot:


[Screenshot omitted]

(Note that the red X is part of the SiteAdvisor program, which can help users spot sites that use deceptive practices; it is only displayed if you are using the program.)

In the above screenshot, clicking the link "HijackThis Free download" opens the site http://hijack-thisnet/. Naturally, curiosity compelled me to dig deeper into this site, and I also wanted to know what Merijn, the original creator of HJT, had to say about it. It appears the site hit his radar a long time ago, and he was not pleased that the name of his product was being used to push other commercial products.

He states on http://www.merijn.org/:

"April 22, 2005:
Just a short note on the domain HIJACK-THIS.NET: this is not mine! It has been registered by an affiliate of XoftSpy (who are also on the Rogue Antispyware List on SpywareWarrior.com) and they are luring people into downloading their software believing it is HijackThis. Also, they have registered a few AdWords at Google leading to the same result. We'll see where this goes. In the meantime, if you want to download any of my programs, the official domain is and always will be www.merijn.org.

UPDATE: April 29, 2005:
I just received word from Paretologic (the owners of XoftSpy) that the affiliate responsible for the page has been terminated and the site will be taken down. That's one down, one to go. :)"

Let's dig into this mystery...

More Googling about this website turned up results on a series of rogue anti-spyware products downloaded from it via http://hijackthis.net, the rogue anti-spyware being provided through a third-party affiliate aggregator, hop.clickbank.net, known as ClickBank. The anti-spyware product behind the link changed frequently, cycling through what appear to be different products. Google's cached copy of the Hijack-this..net page displayed the following:

Hijack-This.net

Your computer may be infected with harmful spyware programs.

These spyware infections can lead to computer crashes, instability, slowness, and full system failure.

Immediate removal may be required.

Please try the following:

* Click here to scan your computer for hidden spyware programs.

* When you see a grey download box like the one shown below, click the Open or Run button to download the free scanner.

* After the download completes, scanner will automatically install and load and show you a list of spyware programs on your machine -- and tell you how to get rid of them.

If you get an error message when trying to download the software -- or the software does not open automatically on your computer after the download completes -- click here for help.

By downloading the free scanner, you agree to the End User License Agreement.
© Copyright 2004-2005, Hijack-This.net All Rights Reserved.

If you were to click "Click Here", it would begin to download the so-called anti-spyware "Adware Alert", which was listed as a rogue, although the new version of "Adware Alert" was de-listed from the SpywareWarrior Rogue List.

Suzi Turner of ZDNet wrote about this web-site some time back. Apparently this site sold "NoAdware" for a period of time, which is also classified by many as a rogue product. This information can be found in the comments section of the SpywareWarrior blog entry.

A note from CastleCops says the "bad guys" registered this domain to make users believe it is the original HijackThis. This is rather deceptive and a prime example of how rogue affiliates leech onto a popular free program to drive sales of programs with big commissions.

Check out the following screenshot of the Hijack-This..net web-site:


[Screenshot omitted]

This website appears to actively discourage the user from downloading HijackThis with a warning containing the following:

"HijackThis tool can only be used by advanced users", especially warning the user:

"... it can lead to more serious complications on your PC - such as your Internet no longer working or problems with running Windows itself. Use at your own risk."

This is ironic, since the original advertisement stated "accept no substitutes" and the ad term targeted was "hijackthis".

In the above part of the website there is a link to the original HijackThis program. At a glance the website does not look suspicious: it contains only plain text, no pop-ups and no banner ads. Coupled with a domain name that mimics someone else's program, it is easy to see how the affiliate is causing confusion.

Another notable piece of content from HijackThis..net:


"...SpyOnThis is a powerful alternative to HijackThis for anyone facing problems with Spyware, Adware, and Hijackers on their PC...
...Click here to visit the SpyOnThis homepage and download SpyOnThis free of charge...."

In summary, we have an affiliate using a URL that mimics a popular, albeit advanced, helper utility against spyware. However, they claim SpyOnThis is a very good alternative to HijackThis, especially if you are not an advanced user. "Click here" in the above content links to the page http://www.spyonthis..net/index.html via the link http://hijackthis.spyonthis.hop.clickbank..net/, confirming it is going through an affiliate program aggregator called ClickBank. The site looks like the following:


[Screenshot omitted]

Note there is no Privacy Policy on the website. This is an additional "red flag" a user should be aware of.

At this point I decided to take a deep dive: I downloaded the software manually and installed it on a clean machine under VMware to ensure the system was clean. While installing, the software does display a EULA. You can download the EULA from this link:
SpyOnthisEULA

SpyOnThis looked like this in the following snapshot:

[Screenshot omitted]

Here is where the problems become flagrant. Upon scanning a completely clean machine, SpyOnThis detected valid registry keys and cookies as spyware applications such as ClearSearch, Claria, e-Surveiller, Bargain Buddy, etc. The following snapshot shows the detections that SpyOnThis returned on a clean machine.


Scan started : 4/24/2006 3:39:19 PM

Total items scanned : 18010
Objects found : 13
Objects ignored : 0

ClearSearch object found!!!
Object: ClearSearch
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CTLS
RiskLevel: 4

ClearSearch object found!!!
Object: ClearSearch
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CRLS
RiskLevel: 4

Claria object found!!!
Object: Claria
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_USERS:.default\software\microsoft\systemcertificates\trustedpublisher\crls
RiskLevel: 3

Possible Browser Hijack object found!!!
Object: Possible Browser Hijack
Class: REGDATA
Type: HIJACKER
FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN[START PAGE="ABOUT:BLANK"]
RiskLevel: 3

e-Surveiller object found!!!
Object: e-Surveiller
Class: REGKEY
Type: KEY LOGGER
FoundIn: HKEY_LOCAL_MACHINE:SOFTWARE\Classes\.zlg
RiskLevel: 6

e-Surveiller object found!!!
Object: e-Surveiller
Class: REGKEY
Type: KEY LOGGER
FoundIn: HKEY_CLASSES_ROOT:.zlg
RiskLevel: 6

Bargain Buddy Bundle object found!!!
Object: Bargain Buddy Bundle
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Code Store Database
RiskLevel: 3

Cookie object found!!!
Object: Cookie
Class: TRACKING COOKIE
Type: SPYWARE
FoundIn: C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
RiskLevel: 0

Cookie object found!!!
Object: Cookie
Class: TRACKING COOKIE
Type: SPYWARE
FoundIn: C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[1].txt
RiskLevel: 0

Cookie object found!!!
Object: Cookie
Class: TRACKING COOKIE
Type: SPYWARE
FoundIn: C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
RiskLevel: 0

AGM65's FileCD Key Harvester 0.2 object found!!!
Object: AGM65's FileCD Key Harvester 0.2
Class: FILE
Type: CRACKING TOOL
FoundIn: C:\Program Files\upx125w\COPYING
RiskLevel: 3

AGM65's FileCD Key Harvester 0.2 object found!!!
Object: AGM65's FileCD Key Harvester 0.2
Class: FILE
Type: CRACKING TOOL
FoundIn: C:\Program Files\upx125w\LICENSE
RiskLevel: 3

AGM65's FileCD Key Harvester 0.2 object found!!!
Object: AGM65's FileCD Key Harvester 0.2
Class: FILE
Type: CRACKING TOOL
FoundIn: C:\Program Files\upx125w\README
RiskLevel: 3

[Screenshot omitted]
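As an added example (not code from this post or from SpyOnThis), the following Python parses scan output in the format shown above and triages each detection against a known-good baseline, the way an analyst would vet a vendor's findings before trusting them. The abbreviated sample log and the baseline entries are assumptions constructed from the clean-VM results above, not a general-purpose allowlist.

```python
import re
# Constructed sample: three of the thirteen entries from the clean-VM SpyOnThis scan quoted above.
SAMPLE_LOG = """\
ClearSearch object found!!!
Object: ClearSearch
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_CURRENT_USER:SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPUBLISHER\\CTLS
RiskLevel: 4

Cookie object found!!!
Object: Cookie
Class: TRACKING COOKIE
Type: SPYWARE
FoundIn: C:\\Documents and Settings\\Administrator\\Cookies\\administrator@2o7[2].txt
RiskLevel: 0

AGM65's FileCD Key Harvester 0.2 object found!!!
Object: AGM65's FileCD Key Harvester 0.2
Class: FILE
Type: CRACKING TOOL
FoundIn: C:\\Program Files\\upx125w\\LICENSE
RiskLevel: 3
"""
# Known-good baseline (assumption: the stock Windows locations the post's clean-VM scan flagged;
# a production baseline comes from a golden-image inventory, not from one scan).
STOCK_REGISTRY = (r"\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER", r"\MICROSOFT\CODE STORE DATABASE",
                  r'\INTERNET EXPLORER\MAIN[START PAGE="ABOUT:BLANK"]')
LICENSE_FILES = ("COPYING", "LICENSE", "README")  # licence/readme text files, here from upx125w

def parse_scan(text):
    """Turn each 'X object found!!!' block into a dict of its 'Key: value' lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(\w+): (.*)$", block, re.M))
        if "FoundIn" in fields:  # skips the 'Scan started' summary block of a full log
            fields["RiskLevel"] = int(fields["RiskLevel"])
            records.append(fields)
    return records

def triage(rec):
    """Return 'fp: <reason>' for a likely false positive, else 'review'."""
    loc = rec["FoundIn"].upper()
    if rec["Class"] == "TRACKING COOKIE" and rec["RiskLevel"] == 0:
        return "fp: risk-0 tracking cookie, not a spyware application"
    if rec["Class"] in ("REGKEY", "REGDATA") and any(k in loc for k in STOCK_REGISTRY):
        return "fp: stock Windows registry location"
    if rec["Class"] == "FILE" and loc.rsplit("\\", 1)[-1] in LICENSE_FILES:
        return "fp: licence/readme text flagged by file name alone"
    return "review"
```

Anything that comes back as "review" is what actually deserves analyst time; on the clean VM above, every one of the thirteen detections falls into one of the three false-positive buckets.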

Naturally, to remove the various registry keys (which are valid keys, making these detections either false positives or possibly intentional deception), it asks the user to register the product in this fashion:


[Screenshot omitted]

If we click 'OK' it redirects to the registration page, http://www.spyonthis..net/registration.html. It asks for an email address and name, and clicking the "Order" button redirects to the page where the product can be purchased through the ClickBank website. The next step asks for a country name and postal code; clicking the button "Continue to step 2" opens a form like the following, which is the standard checkout process for products sold through the ClickBank network.

[Screenshot omitted]

If we look carefully at the bottom of the above snapshot, it shows affiliate=hijackthis. This is probably an internal tracking mechanism that lets the affiliate see where the sale originated from; this is a common form of crude web analytics.

In this scenario several parties benefit from this scheme:

1) Hijack-This.net is the affiliate, who will receive a commission for selling the product.
2) ClickBank, the affiliate aggregator, will receive a smaller commission for the sale of this product.
3) SpyOnThis, the merchant, will receive the proceeds less the commission paid to Hijack-This.net and the fee ClickBank charges for facilitating the transaction.
4) Google benefits by charging the affiliate a per-click fee for the ad.

It is also notable, according to SiteAdvisor, that in the past Hijack-this..net was promoting a program called MySpywareCleaner (well documented at SysInternals.com), which is no longer available for download.

This probably stems from the lawsuit filed against its owners by the U.S. District Court in Seattle, which accuses New York-based Secure Computer, as well as associates in the United States and India, of marketing software that falsely claims computers are infected with spyware and selling consumers a program that claims to remove it. In fact, the software renders computers more susceptible to attacks. Secure Computer also owned several Web sites, including myspywarecleaner.com, myerrorfixer.com, and checkforspyware.com.

Washington's new spyware act prohibits inducing a computer user to download software by making any false claims that the software is necessary for security purposes. It further prohibits software from surreptitiously modifying a computer's security settings. The statute carries a penalty of $100,000 per violation.

If found liable, the defendants can also be fined up to $250 per violation under the federal CAN-SPAM act, $500 per violation under Washington's spam act, $2,000 per violation under the Consumer Protection Act, as well as other restitution to be determined by the court.

In summary, it is important to check out a program's history and look for "red flags"; in this case they are very evident with a little sleuth work:

- Use of another popular freeware program to lure in new users
- The ad says "Accept No Substitutes", but the page itself is designed to offer, and does offer, a substitute
- Glaring false positives upon scanning a machine in the VMWare (clean) environment
- Bidding on the term "HiJackThis" and "Hijack This" in order to lure in users by usurping the name of another program
- Language crafted to discourage using HiJackThis if you are not an advanced user or afraid of "taking risks"
- Past affiliation promoting a program that is currently being sued by the U.S. District Court in Seattle for deceptive practices
- Domain ownership is "masked"; it's hidden under the name: Domain Listing Agent (NRPDB)
- No link to any privacy policy on the website

Note: http://www.hijack-this.net/eula.html is active at the moment; however, there is no link to it on the domain's homepage. This EULA can be downloaded from the link:
HiJackThis EULA

2 TrackBacks

Listed below are links to blogs that reference this entry: Deception, Deceit and Dollars- Spotting Red Flags.

TrackBack URL for this entry: http://blog.spywareguide.com/mt-tb.cgi/249

As I blogged earlier in the entry In Clean VM, SpyOnThis detected 13 different threats which are all FPs. Most of them were cookies. Let us dig into each key flagged as spyware by SpyOnThis and see why they are... Read More

1 Comments

Thanks, that was a nice breakdown of the fraud!!!!!!!!

About this Entry

This page contains a single entry by published on April 24, 2006 7:25 AM.
