Recently in Adware Research Category

Our CEO, Kailash Ambwani, talks on the greynets concept and how the majority of internet traffic has evolved from HTTP to communicative application traffic. Ambwani discussed how enterprises are adopting greynets, how this increases security liabilities, and how FaceTime security products enable and secure greynets. Remember, FaceTime is about enablement and controlling these innovations inside of the Enterprise. Why? Because customers are demanding to communicate this way, and often an organization's most sophisticated users (the forward thinkers and innovators) will bring them into the network because they realize their value, but sometimes forget about the security and regulatory risks involved.

Here is part one. I would note to pay particular attention to how anonymizers, like Rodi and/or Tor, can be used to bypass typical forms of defense. Naturally, and Kailash acknowledges this, products like Tor (designed by the EFF) can be used as anti-censorship tools, especially in countries where this is a problem.

However, they can be a disaster, a potential legal nightmare for large enterprises and I.T. administrators to manage. Kailash goes on to note how malware is now profit driven... in his limited time he didn't get to explore the use of widgets (often thin Ajax clients) or the stripping of content using browser-powered tools allowing the propagation of content like video across the Enterprise. This can also be problematic given attacks like Windows Meta Frame exploits or exposure to inappropriate content.

In part two Kailash goes on to discuss how FaceTime addresses the issues. Once again the focus is on enablement and control. The Internet is changing and we all must change with it.


Tap, Tap, Tap...we are waiting on the go ahead to release our presentation from RSA and in the course of it looking at some interesting China-based "mysteryware". Until then...

There is something about this picture that yells "viral". It has popped up in my own inbox more than once and I had to explain I was with said Paperghost while he was wearing the shirt. Actually I had to ask him to stand politely three meters to the left or right (his choice) at all times in case I was taken out by any stray fire. Actually the folks at Homeland Security had a good laugh...good sports...unless you are in a long line.

homeland-spg.jpg

Because if you spin him around it says "I Am Not A". I think they actually had him pose for a couple more.



waynephone-spg.jpg

Yes there is video of this one where I am talking in a rather animated fashion with someone from an "adware" company...this particular company sent me an e-mail touting their FTC Certification. I don't know about you, but I didn't know the FTC was in the business of making such certifications...must be a new division? I will find out.

The Center for Democracy and Technology has released their latest report on advertising intermediaries, which include ad networks, affiliate networks, and cpa networks. The document might be confusing if you are not practiced in the world of online advertising but the CDT does a pretty good job of making a complex economy simple.

The takeaway is that advertisers and advertising intermediaries need to practice more due diligence in their business practices.

Find below the download links for the Following the Money Trail Series Part I and the latest Part II. If you want to understand how malware and money are the new fuel for Internet mayhem this is a good place to start.

To give you an idea how complex some of the relationships become while we track the money trail on cases take a look at this sample screenshot from the report. Rest assured we have seen cases far more tangled than this cloud.

adware-advertising-small.gif


"Companies need to take responsibility when their advertising dollars go to support companies that prey on unsuspecting consumers," said CDT Policy Analyst Alissa Cooper, who co-authored the report. "Whether placed directly or through intermediaries, these ads diminish the Internet experience for millions of people. Advertisers that work with these distributors are running out of excuses, and must either start policing their advertising spending, or answering to their customers who have been harmed by adware."

Indeed! We could not agree more.

Take the time to get educated with these great reports from the CDT and pass them along to your friends. Have an advertising question? Drop us a comment and I will be happy to answer it for you or find someone who can.

Part 1 of the CDT Report [PDF]

Part 2 of the CDT Report [PDF]

Report Write-Up: Wayne Porter, Sr. Dir. Greynets Research

IST Adware Via WMV Files


Are you interested in downloadable movie clips? Many people are, so be alert!

During the course of research, while googling for some popular video albums, I came across a forum that holds many articles and download links based on the users' interests. More than ten thousand members are sharing their articles and download links in this forum. Many of these are what you might call spicy material. I suddenly paused when I found a fellow who was posting many adult video clips. Most of the download links are from Rapidshare.

Rapidshare is a domain where people can upload / download files of up to 45 GigaBytes.

I picked up one of the threads which appeared on May 22, 2006.

http://blog.spywareguide.com/upload/2006/05/ISTAdwareThroughWMVFile/jimpolk-thumb.gif

Jimpolk, the user name of the person who posted the thread, did not give any personal information, and he is not a member of any public group in the pakkadesi forum, so I can deduce this might be a marketing attempt.

http://blog.spywareguide.com/upload/2006/05/ISTAdwareThroughWMVFile/infectionurl-thumb.GIF

I received two download links, which hold the same video clips, and I selected the Rapidshare link.

I downloaded the clip and played it using Windows Media Player. It suddenly began acquiring a license rather than opening the media.

http://blog.spywareguide.com/upload/2006/05/ISTAdwareThroughWMVFile/acquiringLicense-thumb.gif

I used Netpeeker to track what was happening with my Media Player, and the report showed Windows Media Player making contact with ysbweb.com to install IST Adware products.

http://blog.spywareguide.com/upload/2006/05/ISTAdwareThroughWMVFile/netpeeker1-thumb.GIF

All becomes apparent when an ActiveX control pops up. The ActiveX control is signed by Integrated Search Technologies. (Note: this does not mean a control is safe, only that it is signed.)

http://blog.spywareguide.com/upload/2006/05/ISTAdwareThroughWMVFile/ActiveX-thumb.GIF

They did not allow me to view the video without installing the IST adware.

http://blog.spywareguide.com/upload/2006/05/ISTAdwareThroughWMVFile/License-thumb.gif

The EULA was last updated on May 4, 2006 (Incidentally the very same date which Jimpolk registered in the pakkadesi forum), which is a very recent move by Integrated Search Technologies to distribute their Advertisements. People can also check out EULA Analyzer Beta to help analyze agreements.

Users will need to agree to a license that enables the installation of several applications. These include ISTbar, SlotchBar, YourSitebar and Xxxtoolbar. This is just to view one movie!

They may also install third-party adware products like Internet Optimizer and SurfAccuracy.

I picked up the network traffic, which helped me determine that IST might be affiliated with some of the people who are distributing the WMV files. Of course, it could also be an account set up for internal analysis.

POST /v7.aspx?id=65181&filename=Desi_bhabhi_******.wmv&affiliate_id=1000656:1913 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: SendHTTP
Host: drm.ysbweb.com

GET /ist/scripts/license.php?key_id=&filename=Desi_bhabhi_******.wmv&affiliate_id=1000656%3a1913 HTTP/1.1
User-Agent: SendHTTP
Host: www.ysbweb.com
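As an added example (not part of the original post), here is a small parser that takes raw HTTP request lines like the two captured above and flags the affiliate-tagged license hand-off: a request to one of the observed hosts, or any request carrying both an affiliate_id and a media filename. The watchlist hosts come from the capture; the third, benign request and the SendHTTP/affiliate thresholds are assumptions for illustration.

```python
"""Flag affiliate-tagged media 'license' requests in a raw HTTP capture."""
from urllib.parse import urlsplit, parse_qs

# Hosts the post observed handling the WMV license step (from the capture above).
WATCHLIST_HOSTS = {"drm.ysbweb.com", "www.ysbweb.com"}

# Constructed sample: the two requests quoted in the post (filename redacted as on
# the page) plus one benign request for contrast.
SAMPLE_CAPTURE = """\
POST /v7.aspx?id=65181&filename=Desi_bhabhi_******.wmv&affiliate_id=1000656:1913 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: SendHTTP
Host: drm.ysbweb.com

GET /ist/scripts/license.php?key_id=&filename=Desi_bhabhi_******.wmv&affiliate_id=1000656%3a1913 HTTP/1.1
User-Agent: SendHTTP
Host: www.ysbweb.com

GET /index.html HTTP/1.1
User-Agent: Mozilla/4.0
Host: example.org
"""

def parse_requests(capture):
    """Split a raw capture (requests separated by a blank line) into dicts."""
    requests = []
    for block in capture.strip().split("\n\n"):
        lines = block.splitlines()
        method, target, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        parts = urlsplit(target)
        # parse_qs decodes %3a back to ':' so both affiliate_id values compare equal.
        params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
        requests.append({"method": method, "host": headers.get("host", ""),
                         "path": parts.path, "params": params,
                         "user_agent": headers.get("user-agent", "")})
    return requests

def flag_affiliate_license_traffic(capture):
    """Return (host, path, affiliate_id, filename) for each suspicious request."""
    hits = []
    for r in parse_requests(capture):
        p = r["params"]
        tagged = "affiliate_id" in p and "filename" in p
        if r["host"] in WATCHLIST_HOSTS or tagged:
            hits.append((r["host"], r["path"], p.get("affiliate_id", ""), p.get("filename", "")))
    return hits
```

Feed it proxy or sniffer output split per request and the affiliate_id column tells you which distributor account a given install was credited to.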

Since there is a large demand for adult entertainment online, it comes as no surprise that companies are distributing their products through pornographic video clips. Likewise, it is not surprising that people are trying to earn money by becoming an affiliate for adware companies like IST (in this case, by uploading their movies to sites like Rapidshare). The user, JimPolk, may be one among them who gets their pocket money just by distributing adware through the video clips.

The lesson here is that "free" often carries a steeper price tag than you might think; the trade-offs are often hidden. Think before you click and ask yourself: is downloading several applications that will throw pop-up ads, trade away your privacy, and slow down your computer worth the video you are about to download? Also consider that you will have to endure this software long after the video is gone.

Chris Boyd and I talked about the possibility of this happening back in March during our Podcast with Jeff Molander. In this instance I will quote myself:


Porter says, "Once you've compromised a PC you own it... it's yours you can do with it what you want and you can emulate that activity. Because that net is spread out... you can execute any type of activity and get away with it -from sending spam to recommending certain Web sites to infecting them with more adware to emulating surfing activity and possibly emulating click activity... yes... definitely for sure."

It appears our unfortunate prophecy has become "documented reality" as a botnet owner took aim at AdSense with a small herd of bots designed to click on AdSense ads, as noted by the SANS Institute's Internet Storm Center...


Bottom line is that the advertiser pays in exchange for a bot visiting him.

It seems some bot operator left a website with both the bot's *.exe and the web based control panels wide open. An anonymous source sent us the URL.

The critical part to note about this activity documented by SANS is this:


It is interesting to note that the botnet was 115 bots in size at the early time of the day I was looking at it and most were under 15 clicks each.

Note the small size of the botnet. Without an anonymous tip and some lack of planning by the botnet owner, it might have flown under the radar for a long time. This means it was either immature in size or the owner knew to keep the size of the herd under the radar. This is, unfortunately, what we thought we would see, and The Register noted it.


Generating traffic from a small number of machines (numbered in the hundreds) makes the traffic generated from compromised machines look innocuous. In return for helping click fraud scammers keep a low profile, botnet owners rake in a percentage from the scam.

No doubt we will see more of this in the future. Whether this is contained or not will depend much on how savvy Google is in detecting and shutting down this activity, as well as how well users guard their machines.

I wish I could say the prognosis was better...

Many others have picked up on this activity and that's good. The more people know about it, the better it can be defended against.

It seems only yesterday that I wrote about the dangers of the "sendkeys" attack, and how it would easily defeat any kind of confirmation screen the adware creator puts up, and what to do about the problem.

Now both crusaders Wayne Porter and Ben Edelman discuss this technique actively being used in the wild. Grab (a small amount of) popcorn and watch the movie.

Let's make things very clear here:

If adware creators do not create a strong validation system like we have proposed (or something similar), then any form of obtaining user consent via a confirmation dialog is virtually worthless!

On that note a personal message to 180 Solutions.
Your "S3" has been proven to be "less than satisfactory".
Get the message and learn the lesson, or S4 and S5 will go the same way.

This vitalsecurity entry took me to an interview the Washington Post did with a botnet herder. It is indeed a bit of a long read, but proved to be worthwhile.

As a spyware researcher, I was always wondering how the botnet operators are able to install all the different pieces of adware onto the victims' PCs without the users being any wiser. Many of these programs now have "confirmation boxes" which show a EULA that needs to be "agreed to" before installing. For the sake of clarity I will keep the discussion on whether these EULAs actually fulfill their purpose for another place and time. We observed the end user not seeing anything at all.

My first assumption was that the botnet operators distributed "hacked"/modified versions of the adware package, with that particular screen removed.

I was wrong. Seems like I was applying Occam's Razor at the dull end.

This "pseudo-technical" quote tipped me off that something else was going on:

Once they invade a computer and add it to their botnet, they use automated keystroke codes to order the enslaved machine to click "OK" on installation agreements.

If you are any kind of developer, this should ring a bell.
It seems they are using the good old "SendKeys" command, which has been around for years.

In terms of efficiency this sleight of hand makes sense. Instead of having to mess with a resource editor, repackaging and hosting their own modified versions, they merely use the original installer package from the official adware location, launch it, do a "FindWindow" and a sendkeys of a few "OK" clicks. This can be implemented in less than a dozen lines of VBScript.

So it turns out the user gets to "see" the confirmation dialog after all, but only for the time it takes the Windows API to process the requests. On an average computer, that will be less time than it takes to blink an eye. On a slower system, that will be about a quarter of a second, still in the "subliminal message" range. All of this is of course assuming that the user is effectively staring at the screen at the exact time of installation. This could be fairly unlikely, since most of these installations are scheduled to happen unattended in the wee hours of the night.

The adware vendors will, as per standard protocol, claim that there is nothing they can do about this practice.

With that I offer some free consulting advice for those vendors who are actually interested in weeding out the bad affiliates (anybody still listening?). It's easily implemented by a junior developer in a few hours and will earn back its costs many times over in a few days.

Given that your application is already reporting back installations, along with a computer identifier and an affiliate ID (otherwise you would not be able to cut cheques for your affiliates, which is exactly the root of the problem):

- In the confirmation dialogs, note the time when the window opened. Note the time when the "I agree" button was clicked.

- Subtract these measurements, so you end up with a number of elapsed seconds.

- Report this "agree speed" along with the other installation information back to your central server.

- Release this as a new minor version of your application. Don't alert affiliates, just put the package in place of the existing one.

- Run some simple statistics on this speed. If a user agrees to the license agreement in under half a second, he is either a Vulcan on steroids or a bot. Report the affiliate for fraud or the user to SETI. (If the records show that the elapsed time to read and agree to the 3000+ word EULA was still less than 3 seconds, you might still make some cash by reporting the user here or here. But I promised to have that discussion another time.)
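The "agree speed" statistics from the list above, worked through as an added example (my own code, not the post's or any vendor's): each install report carries the machine identifier, affiliate ID and the dialog-open and agree-click timestamps the post asks for; installs under the post's half-second cutoff are counted per affiliate, and an affiliate is flagged when that share reaches an assumed 50 % (the fraction, the report layout and the sample data are constructed assumptions).

```python
"""Flag bot-like consent from per-install 'agree speed' telemetry, per affiliate."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

BOT_THRESHOLD_SECONDS = 0.5  # the post's cutoff: under half a second is a bot, not a human
SUSPECT_FRACTION = 0.5       # assumed: flag an affiliate when half its installs are sub-threshold

@dataclass
class InstallReport:
    machine_id: str
    affiliate_id: str
    dialog_opened: datetime   # when the confirmation dialog appeared
    agree_clicked: datetime   # when "I agree" was clicked

    def agree_seconds(self):
        """Elapsed seconds between the dialog appearing and the agree click."""
        return (self.agree_clicked - self.dialog_opened).total_seconds()

def affiliate_stats(reports):
    """Per affiliate: install count, sub-threshold ('fast') count and median agree time."""
    by_aff = defaultdict(list)
    for r in reports:
        by_aff[r.affiliate_id].append(r.agree_seconds())
    stats = {}
    for aff, times in by_aff.items():
        times.sort()
        fast = sum(1 for t in times if t < BOT_THRESHOLD_SECONDS)
        stats[aff] = {"installs": len(times), "fast": fast, "median": times[len(times) // 2]}
    return stats

def suspect_affiliates(reports):
    """Affiliate IDs whose share of sub-threshold agreements reaches SUSPECT_FRACTION."""
    return sorted(a for a, s in affiliate_stats(reports).items()
                  if s["fast"] / s["installs"] >= SUSPECT_FRACTION)

def _t(s):
    return datetime.fromisoformat(s)

# Constructed sample: A-100 behaves like a scripted 'click OK' herd (night-time, sub-second
# agrees); A-200 looks like humans with one fast click, which alone is not enough to flag it.
SAMPLE_REPORTS = [
    InstallReport("m1", "A-100", _t("2006-05-22T03:00:00"), _t("2006-05-22T03:00:00.080")),
    InstallReport("m2", "A-100", _t("2006-05-22T03:01:00"), _t("2006-05-22T03:01:00.250")),
    InstallReport("m3", "A-100", _t("2006-05-22T03:02:00"), _t("2006-05-22T03:02:04")),
    InstallReport("m4", "A-200", _t("2006-05-22T14:00:00"), _t("2006-05-22T14:00:12")),
    InstallReport("m5", "A-200", _t("2006-05-22T15:30:00"), _t("2006-05-22T15:30:00.300")),
    InstallReport("m6", "A-200", _t("2006-05-22T16:10:00"), _t("2006-05-22T16:10:07")),
]
```

The per-affiliate median is the figure to watch over time; a single fast click can be a repeat install, but a median under a second across dozens of machines is not.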

So there, Mr. Adware Vendor, you have it. Using this free advice, you cannot lose. You make money in all cases and you have users who actually want your product.

I am not naive enough to think that this would actually make the vendors refuse the installation; adware is an industry driven by greed. But it will give them a good reason not to pay out the affiliate for the fraudulent installation. Which translates to less money, and hence less motivation, for the fraudsters.
