Botnet Installer Launches Zango.com and BestOffers Network Ads...


I recently came across an installer file being pushed in a Botnet - nothing new there, but it serves up an interesting take on how Adware companies need to make sure that it's not just their software springing up in hijacks - it's their websites, too.

In this case, the Zango.com website is popped open on the user's desktop (ignore the box mentioning Poker, that's from a different popup):

http://blog.spywareguide.com/upload/2006/06/zangobbs1-thumb.jpg

...this is what's known in the trade as "strangeness incarnate". Usually someone will try and install something, so they can make money. Simply popping open the Zango.com website doesn't seem to point to any financial gain, unless the person behind it gets a cut of the profits from the clips on that page. But that would also be stupid, as it wouldn't be too hard for the Zango people to then find out who stuck what movie files where on their website. Plus, I'm under the impression that Zango themselves are responsible for placing the videoclips on Zango.com anyway.

I ran the infection again, and who should pop up in the next barrage of adverts but BestOffers Network (another name for Direct Revenue):

http://blog.spywareguide.com/upload/2006/06/zangdrpop-thumb.jpg

...whoops. As for what's installed, it's the usual (rather popular) mish-mash of files from WebHancer, Dollar Revenue, SurfSidekick and Toolbar888, which is apparently a Maxifiles variant. I've spoken about Maxifiles in relation to Direct Revenue many times. At any rate, here's a screenshot:

http://blog.spywareguide.com/upload/2006/06/zangfiles-thumb.jpg

Nice collection!

Of course, it goes without saying that the PC is hosed shortly after the install:

http://blog.spywareguide.com/upload/2006/06/zangdrpop3-thumb.jpg

...ouch. Still, at least the hijacked end-user will have no shortage of Smileys to play with, pills to take and celebrity videos to watch while smoke starts to pour out the back of their monitor. All in all, I'd say that's a pretty good tradeoff...!

1 TrackBacks

Listed below are links to blogs that reference this entry: Botnet Installer Launches Zango.com and BestOffers Network Ads....


If you have read any of Wayne Porter's or Chris Boyd's recent posts, you know they have been seeing lots and lots of bots on computers, and according to a recent report from Microsoft, they are showing up on 60%...

3 Comments

I work for a computer repair place and in the past week we've seen 8 computers infected with this stuff, and it's nasty to remove. Booting in Windows PE and running scans there, then running ewido in safe mode command prompt, seems to resolve it.
But this appeared all of a sudden for most of these people. Are you saying they were all on a botnet that the owner decided to infect suddenly?

I have somehow gotten the Zango bot on my system and do not know how to remove it. Can someone please give me a little guidance?

Thanks,

Jmill3r9

I have repeatedly attempted to remove "BestOffers" but since it came in on Kazaa years ago, it can't be deleted. I'm not as concerned about this program as much as how we can stop such invasive and intrusive advertisers from intruding in on our privacy with these "behavioral methods". I would like to boycott anyone and everyone who uses BestOffers. Is there someplace I can go to register a complaint and help put these people out of business?


About this Entry

This page contains a single entry by Christopher Boyd published on June 12, 2006 11:54 AM.
