Adware / Spyware Issues: February 2006 Archives

This Story Made Me Spill My Noodles


As any regular day, this evening after work I settled with a snack (today: Cup-o-noodles) behind the computer for some "light reading" of industry blogs and their related links. This was a safe activity until tonight, when I came across this 180solutions press release, which made my noodles fly all over the place.

Let's for a moment sidestep the disregard for the great research work my collegues at FaceTime did, and focus on this quote:

However, according to McGraw, the company took the extra measure of requiring each user to re-opt in to the installation a second time, even though proper consent was obtained at the time of first install. "In this case, the re opt in opportunity wasn't required, because the few users who did install our software as delivered in this exploit did so with knowledge and consent," McGraw said. "But it was the right thing to do given the unorthodox and unapproved nature of the installation interface those users encountered."

Now let's read that again.

....kind of. There's something of a storm brewing, and it all centers on this writeup by Ben Edelman, and his refusal to hand over the rogue affiliate details to 180 Solutions.

On the one hand, 180 are claiming that their security procedures are fine...on the other, they are essentially making the security researchers a part of their seemingly broken loop. I'm reminded of that old line about not having your cake and eating it, but oh well. You can try, I guess...

As Wayne Porter says on his Revenews Weblog:

Many researchers have done this to help educate the public, law enforcement and the legal eagles, and it has had some effect. However the routine grows stale when Company X utilizes said research to clean up their network and then claim how great they are at making the Internet a better place and being proactive. (These are my words not those of any company I work for.)

Can you almost feel the inflection point shimmering before you in the battlefield air? Can you see the line in the sand being drawn? I can. I think in the future the anti-spyware minutemen will continue to fire volley after volley only instead of giving out the full dose of lead they are going to release only what needs to be released to call attention to the bad behavior and leave the rest in reserve as ammo for the real guns that are slowly pivoting into the battlefield.

Yep. I can see the line in the sand.

This vitalsecurity entry took me to an interview the Washington Post did with a botnet herder. It is indeed a bit of a long read, but proved to be worthwhile.

As a spyware researcher, I was always wondering how the botnet operators are able to install all the different pieces of adware onto the victims PCs, without the users being any wiser. Many of these programs now have "confirmation boxes" which show a EULA that needs to be "agreed to" before installing. For the sake of clarity I will keep the disucssion on whether these EULAs actually fulfill their purpose for another place and time. We observered the end-user not seeing anything at all.

My first assumption was that the botnet operators distributed "hacked"/modified versions of the adware package, with that particular screen removed.

I was wrong. Seems like I was applying Occam's Razor at the dull end.

This "pseudo-technical" quote tipped me off that something else was going on:

Once they invade a computer and add it to their botnet, they use automated keystroke codes to order the enslaved machine to click "OK" on installation agreements.

If you are any kind of developer, this should ring a bell.
It seems they are using the good old "SendKeys" command, that has been arround for years.

In terms of efficiency this sleight of hand makes sense. Instead of having to mess with a resource editor, repackaging and hosting their own modified versions, they merely use the original installer package from the official adware location, launch it, do a "FindWindow" and a sendkeys of a few "OK" clicks. This can be implemented in less than a dozen lines of VBScript.

So it turns out the user gets to "see" the confirmation dialog after all, but only for the time it takes the Windows API to process the requests. On an average computer, that will be less time that it takes to blink a eye. On a slower system, that will about a quarter of a second, still in the "subliminal message" range. All of this is of course assuming that the user is effectively staring at the screen at the exact time of installation. This could be fairly unlikely, since most of these installations are scheduled to happen unattended in the wee hours of the night.

The adware vendors will, as per standard protocol, claim that there is nothing they can do about this practice.

With that I offer some free consulting advice for these vendors, who are actually interested in weeding out the bad affiliates (anybody still listening?) . It's easily implemented by a junior developer in a few hours and will earn back its costs many times over in a few days.

Given that your application is already reporting back installations, along with a computer identifier and an affiliate ID (otherwise you would not be able to cut cheques for your affiliates, which is exactly the root of the problem) :

- In the confirmation dialogs, note the time when the window opened. Note the time when the "I agree" button was clicked.

- Substract these measurements, so you end up with a number of elapsed seconds

- Report this "agree speed" along with the other installation information back to your central server.

- Release this as a new minor version of your application. Don't alert affiliates, just put the package in place of the existing one

- Run some simple statistics on this speed. If a user agrees to the license agreement in under half a second, he is either a Vulcan on steroids or a bot. Report the affiliate for fraud or the user to SETI. (If the records show that the elapsed time to read and agree to the 3000+ word EULA was still less than 3 seconds, you might still make some cash by reporting the user here or here. But I promised to have that discussion another time.)

So there, Mr. Adware Vendor, you have it. Using this free advice, you cannot lose. You make money in all cases and you have users who actually want your product.

I am not naive enough to think that this would actually make the vendors refuse the installation-adware is an industry driven by greed. But it will give them a good reason not to pay out the affiliate for the fraudlent installation. Which translates to less money and hence motivation for the fraudsters.

When Computers Get Snatched...

|'d better invest in a bigger set of padlocks. Take this case for instance:

In the six hours between crashing into bed and rolling out of it, the 21-year-old hacker has broken into nearly 2,000 personal computers around the globe. He slept while software he wrote scoured the Internet for vulnerable computers and infected them with viruses that turned them into slaves.

Now, with the smoke of his day's first Marlboro curling across the living room of his parents' brick rambler, the hacker known online as "0x80" (pronounced X-eighty) plops his wiry frame into a tan, weathered couch, sets his new laptop on the coffee table and punches in a series of commands. At his behest, the commandeered PCs will begin downloading and installing software that will bombard their users with advertisements for pornographic Web sites. After the installation, 0x80 orders the machines to search the Internet for other potential victims.

Brian Krebbs has a stunning writeup over at Security Fix. A must read.


About this Archive

This page is a archive of entries in the Adware / Spyware Issues category from February 2006.

Adware / Spyware Issues: March 2006 is the next archive.

Find recent content on the main index or look in the archives to find all content.