Adware / Spyware Issues: June 2006 Archives

Internet security...sometimes it isn't all dry analysis and wading through rogue code and links...sometimes the stories get strange.

First we thought the YapBrowser was dead and buried. After being exposed for serving up UA Porn by a number of security experts, 180Solutions (now Zango after the Hotbar merger) stopped sponsoring the product. A product, I might add, that should never have gotten through any good quality assurance department in the first place.

Then I conducted an e-mail interview with "John Sandy" to try to get to the bottom of the fiasco. The answers were evasive, and to date no one seems able to take responsibility for the situation; it has all been pass the buck. Then, mysteriously and quietly, the YapBrowser came back online promising an adult browser that, in their own words, offers this: "There is a 100% guarantee no system infection will occur when using our software. YapBrowser is the only browser which gives you safe search and browsing capabilities." We find that promise hard to believe.

We thought that might be the end of it, but now a mini-soap opera is playing out as the people behind the project have launched a discussion forum. What is intriguing about this forum is that a number of the names are the same as or similar to well known security professionals and analysts and people in stories we have covered before. They have registered as users and they are actively carrying on conversations. Some examples include:

Chris Boyd, our own PaperGhost, well known and accomplished malware researcher who went back and forth with the YapBrowser crew across a number of blogs including his own at VitalSecurity.org. It is notable the real Chris Boyd did not sign up at the forum. (He has now as Paper-Ghost to monitor the events.)

Susie, who we assume could be an impersonation of Suzi Turner, the well known anti-malware activist who runs SpywareWarrior.com and blogs at ZDNET Spyware Confidential, who covered the story and had harsh words for the Yap people. In the forum she states her favorite blog is "Sunbelt Software", run by Alex Eckelberry, who was also instrumental in the crackdown on YapBrowser, our own Greynets Blog, and a large business blog I contribute to at Revenews (neutral ground where the first interview took place). Susie goes on to make some jabs at VitalSecurity and the Washington Post's Security Blog, written by Brian Krebs. It is notable that the real Suzi does consult for Sunbelt Software and she doesn't speak Russian either. Then again, maybe it isn't *that* Suzi, just a vague "coincidence".

RinCe, an individual who assisted our team with a tip-off while investigating a rogue botnet involved in a massive credit card theft scheme whose owners later wound up in serious legal hot water after the story broke. RinCe doesn't speak Russian to our knowledge. (More on that story later.)

Ozzy, we assume this could be the top gun hacker buster of BlueMicro. We really don't know if it is actually Ozzy having a go at them, or an Ozzy impersonator, but given the circumstances we simply have to wonder. You see how confusing it all gets.

To top it off they link to my interview with the alleged "John Sandy" as if the interview vindicates their activities. Folks- it doesn't. My role was merely to facilitate the conversation and work with the translators to try to get some answers to how a situation could go so horribly wrong.

So why this apparently complex game of charades? We really don't know. That is what we mean by the story getting stranger and stranger. We will continue to monitor, but that won't distract us from the really interesting stories on the horizon. Stay tuned for more mayhem from the digital trenches.

ADDENDUM: Within a few minutes of posting this blog, the Chris Boyd page at Wikipedia was defaced. Fortunately, Wikipedia provides the IP address of individuals who deface the popular wiki.

Yesterday we reported on speculation of a marriage between Hotbar and 180Solutions. Today it was announced that 180 Solutions had merged with Hotbar. The new name for the company will be Zango and it would probably be correct to assume they are now the largest adware maker on the Internet.

According to the Seattle Times:


Bellevue-based 180solutions, which makes software commonly known as adware, has acquired Hotbar of New York for an undisclosed amount of money. As part of the announcement, 180solutions will be renamed after its consumer brand: Zango.

Adware is an application that users download to their computer to get free content. The application monitors what they are doing online to deliver relevant advertising. In the past, Zango and other companies have been lumped together with spyware, which works similarly, but is typically installed on a computer without permission.

For several weeks speculation has been moving fast and furious inside security research circles that "adware" maker 180Solutions Inc. has been courting Hotbar, another company that traffics in adware. Naturally this deal would catch the eyes and probing minds of security researchers, given 180Solutions' checkered past and that Hotbar has had its own fair share of controversy, the most notable being when Symantec sued Hotbar for the right to classify Hotbar's products as adware. (The suit was settled out of court.)

Now there are articles hitting mainstream press covering the proposed deal, and we can point readers to a rough translation of an article that Google News snagged out of Israel: Hotbar in talks for sale to 180Solutions at Globes.co.il

The article says:


Israeli dot.com company Hotbar Inc. is negotiating its sale at a company value of $52 million. The probable buyer is Internet company 180Solutions Inc. Sources inform ''Globes'' that Hotbar is also negotiating with other companies, including ICQ. Hotbar develops software that sits on the browser, enabling users to change their toolbar to include links to services the company offers. Founded in 1999 by CEO Oren Dobronsky and president Gabriella Karni, the company has raised $15 million to date. Its last financing round was held in 2001. Investors include Eurofund, Tamar technology Ventures, Technorov Holdings, CE Unterberg Towbin, and Deutsche Bank subsidiary ABS Ventures. According to IVC Online, the company had $35 million in sales in 2004.

180Solutions develops software solutions for on-line advertising. The company develops adware, otherwise known as spyware, activities hated by surfers and users of computers. Coincidentally or not, this activity is connected to a lawsuit anti-virus developer Symantec Corp. (Nasdaq:SYMC) filed a year ago against Hotbar, in which Symantec demanded that some of Hotbar's activities be classified as adware. The case was settled out of court a few months ago.

Some of this article seems completely off base and some of the connections are a pretty far stretch. For example, it is hard to discern how the Symantec suit had anything to do with a deal like this being brokered- although the article does reference it as a possible "coincidence".

Furthermore, it would be surprising if ICQ were a buyer, since ICQ is merely an instant messaging service. Mirabilis was the name of the Israeli company that produced ICQ. Mirabilis was formed in 1996 by four Israelis, Arik Vardi, Yair Goldfinger, Sefi Vigiser and Amnon Amir, and was purchased by AOL in 1998 for over 200 million U.S. dollars. (Note our recent walk down IM memory lane with ICQ.)

In 2001, a new company called AOL Time Warner was created when AOL purchased Time Warner, forming the world's largest media company. The deal, announced in 2000, employed an atypical merger structure in which each original company merged into a newly created entity. We have documented Time Warner engaging in distribution deals with 180Solutions for some of their online soap operas. That distribution deal was ill-timed given the highly problematic YapBrowser fiasco, where the browser product, sponsored by Zango (the same adware product sponsoring Time Warner's content), displayed UA pornography after making it through 180Solutions' "stringent" approval process. [Reference background on YapBrowser and links to our interview.] 180Solutions did end the relationship after the activities came to public light.

At this stage it all remains speculative; however, information from many credible sources has been flowing in to researchers for weeks now, and coupled with coverage in Israel, Hotbar's hometown, this researcher is inclined to believe the deal is more than likely going down.

The looming question will be if 180Solutions will continue with what many call irresponsible and poorly controlled distribution practices. A good researcher relies on intuition and what he/she sees in the field. At the same time a good researcher doesn't ignore history and its lessons either.

IST Adware Via WMV Files


Are you interested in downloadable movie clips? Many people are, so be alert!

During the course of research, I tried googling for some popular video albums and came across a forum that holds many articles and download links based on the users' interests. More than ten thousand members are sharing their articles and download links in this forum. Many of these are what you might call spicy material. I suddenly paused when I found a fellow who was posting many adult video clips. Most of the download links are from Rapidshare.

Rapidshare is a domain where people can upload and download files of up to 45 gigabytes.

I picked up one of the threads which appeared on May 22, 2006.

http://blog.spywareguide.com/upload/2006/05/ISTAdwareThroughWMVFile/jimpolk-thumb.gif

Jimpolk, the user name of the person who posted the thread, did not give any personal information, and he is not a member of any public group in the pakkadesi forum, so I can deduce this might be a marketing attempt.

http://blog.spywareguide.com/upload/2006/05/ISTAdwareThroughWMVFile/infectionurl-thumb.GIF

I received two download links, which hold the same video clips, and I selected the Rapidshare link.

I downloaded the clip and played it using Windows Media Player. It suddenly began acquiring a license rather than opening the media.

http://blog.spywareguide.com/upload/2006/05/ISTAdwareThroughWMVFile/acquiringLicense-thumb.gif

I used Netpeeker to track what was happening with my Media Player, and the report showed Windows Media Player making contact with ysbweb.com to install IST Adware products.

http://blog.spywareguide.com/upload/2006/05/ISTAdwareThroughWMVFile/netpeeker1-thumb.GIF

All becomes apparent when an ActiveX control pops up. The ActiveX control is signed by Integrated Search Technologies. (Note: A signature does not mean a control is safe, only that it is signed.)

http://blog.spywareguide.com/upload/2006/05/ISTAdwareThroughWMVFile/ActiveX-thumb.GIF

They did not allow me to view the video without installing the IST adware.

http://blog.spywareguide.com/upload/2006/05/ISTAdwareThroughWMVFile/License-thumb.gif

The EULA was last updated on May 4, 2006 (incidentally, the very same date on which Jimpolk registered in the pakkadesi forum), which is a very recent move by Integrated Search Technologies to distribute their advertisements. People can also check out EULA Analyzer Beta to help analyze agreements.

Users will need to agree to a license that enables the installation of several applications. These include ISTbar, SlotchBar, YourSitebar and Xxxtoolbar. This is just to view one movie!

They may also install third-party adware products like Internet Optimizer and SurfAccuracy.

I picked up the network traffic, which helped me determine that IST might be affiliated with some of the people who are distributing the WMV files. Of course, it could also be an account set up for internal analysis.

POST /v7.aspx?id=65181&filename=Desi_bhabhi_******.wmv&affiliate_id=1000656:1913 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: SendHTTP
Host: drm.ysbweb.com

GET /ist/scripts/license.php?key_id=&filename=Desi_bhabhi_******.wmv&affiliate_id=1000656%3a1913 HTTP/1.1
User-Agent: SendHTTP
Host: www.ysbweb.com
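
A defender reviewing proxy or capture logs can look for the pattern in the two requests above: a non-browser client sending a media file name together with an affiliate_id. The Python below is an added example, not part of the original post or any vendor tool; the heuristic, the function names, the browser User-Agent hints and the placeholder file name sample_clip.wmv are assumptions, and the third request in the sample is a constructed benign control.

```python
from urllib.parse import urlsplit, parse_qs

BROWSER_UA_HINTS = ("Mozilla", "Opera")      # assumption: how ordinary browser UAs begin
MEDIA_EXTS = (".wmv", ".wma", ".asf")        # Windows Media containers

# Constructed sample modelled on the two requests shown above; the file name
# is a placeholder and the last request is a benign control.
SAMPLE = """\
POST /v7.aspx?id=65181&filename=sample_clip.wmv&affiliate_id=1000656:1913 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: SendHTTP
Host: drm.ysbweb.com

GET /ist/scripts/license.php?key_id=&filename=sample_clip.wmv&affiliate_id=1000656%3a1913 HTTP/1.1
User-Agent: SendHTTP
Host: www.ysbweb.com

GET /index.html?q=news HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.example.com
"""

def parse_requests(raw):
    """Split a capture into (method, target, headers) with lower-cased header names."""
    for block in raw.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        parts = lines[0].split()
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            continue                          # not a request line, skip the block
        headers = dict((k.strip().lower(), v.strip())
                       for k, v in (ln.split(":", 1) for ln in lines[1:] if ":" in ln))
        yield parts[0], parts[1], headers

def flag_license_callouts(raw):
    """Flag non-browser requests that name a media file and carry an affiliate_id."""
    findings = []
    for method, target, headers in parse_requests(raw):
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        filename = query.get("filename", [""])[0]
        affiliate = query.get("affiliate_id", [""])[0]   # parse_qs decodes %3a to ':'
        ua = headers.get("user-agent", "")
        if (filename.lower().endswith(MEDIA_EXTS) and affiliate
                and not ua.startswith(BROWSER_UA_HINTS)):
            findings.append({"host": headers.get("host", ""), "method": method,
                             "user_agent": ua, "file": filename, "affiliate_id": affiliate})
    return findings

if __name__ == "__main__":
    print(flag_license_callouts(SAMPLE))
```

Both ysbweb.com requests are flagged with the same decoded affiliate_id, which is the value that ties a distributed file back to one distributor account.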

Since there is a large demand for adult entertainment online, it comes as no surprise that companies are distributing their products through pornographic video clips. Likewise, it is not surprising that people are trying to earn money by becoming affiliates for adware companies like IST (in this case, by uploading their movies to sites like Rapidshare). The user, JimPolk, may be one among them who gets pocket money just by distributing adware through the video clips.

The lesson here is that free often carries a steeper price tag than you might think, and the trade-offs are often hidden. Think before you click and ask yourself: is downloading several applications that will throw pop-up ads, make trade-offs in your privacy, and slow down your computer worth the video you are about to download? Also consider that you will have to endure this software long after the video is gone.

About this Archive

This page is an archive of entries in the Adware / Spyware Issues category from June 2006.
