Adware / Spyware Issues: April 2006 Archives

I received confirmation via the "Yap Browser" people, who stated they would work on answering questions for next week. The YapBrowser questions were written in English and then translated into Russian (thanks Anna and thanks Joe!), and they were urged to reply in Russian, their native language. As soon as I have their answers I will have them translated, once again, by two different teams and post the Russian answer document as well. All will be followed per the rules of engagement.

Wayne Porter's E-mail Interview: Questions to Yap Browser:

1. So that it is clear, what is the name of the entity or company that develops and operates YapBrowser?

2. Are YapBrowser and YapSearch.com controlled and / or operated by the same entity or otherwise related?

3. For the purpose of general information background and mutual understanding, can you describe the business that you conduct on the Internet?

4. How long has YapBrowser been available for end-users to download from the Internet?

5. Aside from working with 180solutions can you cite, as trade references, any other businesses or advertisers that you work with, have worked with in the past or those who have expressed interest in working with you in the future?

6. How long has YapBrowser bundled the 180solutions product- Zango?

7. How were you not aware over that period of time that your application / sites were redirecting to the offensive material?

8. How rigorous was 180Solutions / Zango in terms of checking your application before they agreed to have their software bundled with the YapBrowser application?

9. Did 180solutions test the software prior to your agreement to bundle Zango?

If so, can you describe the process that was involved?

10. Did they test your application after it launched with the Zango product bundled?

11. Have you received payment from 180Solutions for the Zango downloads you delivered?

12. Your sites were hosted on a server that also hosted known hijack sites and sites related to other allegedly illegal practices. Specific examples would include instme. biz and nstallme. info.

At the time of my testing there were only six other sites residing on this server besides yours, and approximately 60+ sites on a related IP address. Again, many of these were highly dubious and well known to the security community.

Given the current state of Russian webmaster forums, where whole sections are devoted to "rogue" sites and installers, as well as the widespread coverage of these groups by Western security companies, how is it that you were not aware of the practices of your neighbours on this server?

13. How is it that you were not aware your chosen server host was well known and documented for hosting such sites and material?


14. To quote from your exchange with Paperghost at VitalSecurity.org:

VitalSecurity.org

Paperghost: The same details are used for a group of sites at Eltel, a Russian ISP, including one site that redirects the user to browser exploits at paradise-dialer.com, which load trojans, spyware and dialers. Paradise-dialer's whois places it as part of the CWS group known as Dimpy, aka BigBuks. Since the BigBuks whois is also given by mix-click, referred to by the yapbrowser/yapsearch whois, and the aforementioned servers at Pilosoft and Eltel (as well as the paradise-dialer server also at Pilosoft just a few IP addresses away) run many other sites that link back to browser exploits and child porn promotions run by BigBuks, it seems reasonable to assume that they are the same group of people.

So, is this you or not? And if not, how come the contact details are the same?

YapBrowser: We now try to find people which are involved in an illegal site. They had some attitude to domain names, but not to our activity. Similar these people are engaged in distribution illegal content and in parallel contain a server for this purpose. We have chosen an unsuccessful place of accommodation of the projects in a network.

Given your statements and acknowledgement of illegal content distribution, presumably you have accurate details of who you did business with for hosting. This would include business names, individual names, addresses, phone numbers, etc. You appear to claim to have been victimized by a supposedly legitimate business entity; are you willing to serve the public interest by making this information available in this interview?

If so, please provide details. If not, why not?

15. It has been brought to my attention that:

A representative of YapBrowser is John Helbert, as seen here:

http://sunbeltblog.blogspot.com/2006/04/yapbrowser-getting-yelled-at.html

A connection has been made between this person and an individual called "Klass", a member of a "Lolita / CP" board called "Dark Master" (matching ICQ numbers, etc.). More on this connection can be seen here:

Sunbelt Haloscan comments

What is your response to this connection between YapBrowser and the "Dark Master" forums?


16. Ben Edelman provides video evidence of the dubious activities of an outfit called HighConvert working with a number of adware companies. See video: http://www.benedelman.org/scripts/video/?v=highconvert-081505
This operation appears to be related to a document uncovered and transcribed from Russian into English by Sunbelt Software in early April. The YapSearch domain is cited in this document. Reference English translation of the document here: Sunbelt Translation Document.

The document outlines plans for "invisible clickers", lowering of browser's security settings, utilizing the "Blue Screen of Death" for trick ads, and the changing of 404 error pages, among other dubious practices. How do you explain this reference to YapSearch?

17. Did YapSearch or YapBrowser ever deploy any of the tactics outlined in this document?

18. Given the current state of affairs, what is the future for YapBrowser? Do you still intend to distribute this application?

While Googling to download HijackThis, I spotted a link from Google's AdSense program. Check out the following screenshot:

[Screenshot: Google search results showing the sponsored "HijackThis Free download" link]

(Note: the red X is part of the SiteAdvisor program, which can help users spot sites that use deceptive practices, and is only displayed if you are using the program.)

In the above screenshot, clicking the link "HijackThis Free download" opens the site http://hijack-this.net/. Naturally, curiosity compelled me to dig deeper into this site, and I also wanted to know what Merijn, the original creator of HJT, had to say about this site. It appears it struck his radar a long time ago, and he was not pleased that the name of his product was being used to push other commercial products.

He states on http://www.merijn.org/:

"April 22, 2005:
Just a short note on the domain HIJACK-THIS.NET: this is not mine! It has been registered by an affiliate of XoftSpy (who are also on the Rogue Antispyware List on SpywareWarrior.com) and they are luring people into downloading their software believing it is HijackThis. Also, they have registered a few AdWords at Google leading to the same result. We'll see where this goes. In the meantime, if you want to download any of my programs, the official domain is and always will be www.merijn.org.

UPDATE: April 29, 2005:
I just received word from Paretologic (the owners of XoftSpy) that the affiliate responsible for the page has been terminated and the site will be taken down. That's one down, one to go. :)"
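As an added illustration (not code from the original post, nor from Merijn or Paretologic), here is a small Python check that a defender could run over a list of sponsored download links to separate a product's official domain from look-alike hosts that merely carry the product name. The allowlist table and the sample links are constructed for the example; only merijn.org and hijack-this.net are taken from the post above, and the `.example` hosts are made up.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed allowlist (example data): product name -> its official registrable domain(s).
# merijn.org is the official HijackThis domain named in the post; the table shape is ours.
OFFICIAL = {
    "hijackthis": {"merijn.org"},
}

# Constructed sample of links as they might appear in sponsored search results.
# hijack-this.net comes from the post; the .example hosts are made-up.
SAMPLE_LINKS = [
    "http://www.merijn.org/downloads.html",
    "http://hijack-this.net/",
    "http://HIJACKTHIS-free-download.example/",
    "http://merijn.org.evil.example/",
    "http://example.com/news/hijackthis-review",
]


def registrable_domain(host: str) -> str:
    """Last two labels of the host (crude; a real tool would consult the public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def squash(text: str) -> str:
    """Keep only letters and digits so 'hijack-this.net' and 'hijackthis' compare alike."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def classify(url: str, product: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for one download link.

    official:  the host's registrable domain is in the allowlist
    lookalike: not official, but the host embeds the product name or an official domain
    unrelated: the host carries neither (brand words only in the path are not flagged)
    """
    host = urlsplit(url).hostname or ""
    official_domains = OFFICIAL.get(product, set())
    if registrable_domain(host) in official_domains:
        return "official"
    squashed_host = squash(host)
    brand_markers = {squash(product)} | {squash(d) for d in official_domains}
    if any(marker and marker in squashed_host for marker in brand_markers):
        return "lookalike"
    return "unrelated"


def scan(links, product: str) -> dict:
    """Group links by classification, preserving their input order within each group."""
    groups = defaultdict(list)
    for link in links:
        groups[classify(link, product)].append(link)
    return dict(groups)


if __name__ == "__main__":
    for label, urls in scan(SAMPLE_LINKS, "hijackthis").items():
        print(label)
        for u in urls:
            print("   ", u)
```

The check deliberately looks at the host only: a news article whose path mentions the product is not a download lure, whereas a host that smuggles the product name or the official domain into its own name is exactly the pattern described above. The two-label "registrable domain" rule is a simplification; for real use you would swap in a public-suffix-list library.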

Let's dig into this mystery...

This one has crept across the security pros' radar, and analysis can now be found here and here.

For those not in the know, YapBrowser is a browser "search tool"; unfortunately, none of the paid-for links work (they return a blank page), and anything entered into the browser redirects to... illegal pornography. What makes this even more interesting is that you need to install Zango (from 180solutions) to run the application.

The response, or perhaps lack of one, from 180solutions should be interesting, to say the least... I wonder how it will differ from the interview Wayne Porter did with them a year ago.

They said...

First, 180solutions cares a tremendous amount about what users think about our software, from how it is distributed to how it works on a user's machine. As our company has grown, our company has and will continue to invest heavily in user-focused initiatives. Going forward, through the use of additional staff and innovative technology, we will dramatically increase control over how our partners operate. We understand and accept the responsibility to monitor and police our partners.

Historically, 180solutions has not installed software; we relied on a network of partners to distribute our applications. Over the last year, 180solutions has placed greater emphasis on managing distribution partners as well as moving to maintain more control over how our software is installed on users' machines. In response to public and our own concerns, we carefully monitor our channels for conduct we find inappropriate. 180solutions has a stringent distributor code of conduct in place and frequently audits distribution partners.

Reference:

Porter's Preface to 180 Solutions Response & Some Software Philosophy.

Official Response from 180solutions to Porter's Questions

About this Archive

This page is an archive of entries in the Adware / Spyware Issues category from April 2006.

Adware / Spyware Issues: March 2006 is the previous archive.

Adware / Spyware Issues: May 2006 is the next archive.