Author (#12)April 2006 Archives

Spyware Warriors and the Digital UnderGround: Part 1& 2 Podcast Segments

Podcast conducted and moderated by Jeff Molander of

Wayne Porter, Sr. Dir. Greynet Networks
Chris Boyd (PaperGhost), Dir. Malware Research
Facetime Communications

Wayne Porter and Chris Boyd (aka PaperGhost) get paid to spend their days infiltrating rings of real life cyber criminals, all the while risking they'll get caught by the thieves themselves. How must it feel to gather evidence on such bottom-feeders and then turn it over to the proper authorities- according to them- it feels great.

Spyware Warriors and the Digital UnderGround: Part 1

Press PLAY button to listen now or download as MP3.


00:01 - Introduction
02:38 - What does Facetime do and for whom?
04:09 - What is a botnet network? (Boyd)
05:20 - What are hackers and e-criminals motivations? (Boyd)
06:11 - Things changing for the worse; paradigm shift (Porter)
07:55 - The story of RinCe, tipster on major bust (Boyd, Porter)
10:20 - Anatomy of a good tipster; motivations (Boyd)
11:44 - Changing vectors & new dangerous hacker tactics (Porter)
12:54 - Instant Messaging no longer safe (Porter)
13:24 - Botnet criminal motivations (Boyd)
13:44 - New perspectives (Molander)
14:34 - Attack complexity increasing, vectors changing (Porter)
16:24 - Dark Economy: Organized crime moving online (Porter)
16:59 - Cloak & Dagger: How to penetrate a botnet (Boyd)
19:03 - Gathering intelligence from "the underbelly" (Porter)
22:54 - Fallout from adware, spyware & Web crime (Porter)
23:34 - Warning to e-commerce executives (Porter)

Spyware Warriors and the Digital UnderGround: Part 2

Wayne Porter, Sr. Dir. Greynet Networks
Chris Boyd (PaperGhost), Dir. Malware Research
Facetime Communications


Molander: In part two, I begin to discuss how and why major name advertisers (and advertising networks they work with) unknowingly get caught funding criminal activity.

Porter goes on to predict that the realm of click fraud is bound to get a lot more ugly as massive, criminal-operated networks of "zombie" PC's ("botnets") turn their guns in a new direction. Detecting them may, as it turns out, not be easy for Google, Yahoo Search, or others

Spyware Warriors and the Digital UnderGround: Part 2

Press PLAY button to listen now or download as MP3.


0:00 - Introduction
1:02 - How and why would major advertisers fund criminals?
2:04 - The Problem: brokers of ad brokers of ad brokers
2:34 - The connection between performance advertising and botnets, fraud
4:58 - Risk levels of cost per sale vs. cost per click vs. impression/CPM
6:28 - How brands are affected
7:16 - A new form of cost per click fraud?
9:19 - Small but widely distributed click fraud botnets may prove highly problematic
11:30 - Enterprise risks to botnets
11:48 - The potential for a new form of click fraud
13:44 - Web marketing, becoming less efficient and dangerous for brands
14:52 - "Botnets can be used for pay per click fraud" (Porter)
15:10 - Learn from the Past: AllAdvantage "Get Paid to Sleep" (Porter)
17:05 - New blog
19:15 - Funny story: "Mr. Bean" movies among bad guys
21:31 - Closing remarks

So whatever happened to these botnet operators?...stay tuned...something ground-shaking did happen after the first articles and podcasts went to press...

I received confirmation via the "Yap Browser" people who stated they would work on answering questions for next week. The YapBrowser's questions were written in English and then translated into Russian (Thanks Anna and thanks Joe!) and urged to reply in Russian- their native laungage. As soon as I have their answers I will have them translated, once again, by two different teams and post the Russian answer document as well. All will be followed per the rules of engagement.

Wayne Porter's E-mail Interview: Questions to Yap Browser:

1. So that it is clear what is the name of the entity or company that develops and operates YapBrowser?

2. Are YapBrowser and controlled and / or operated by the same entity or otherwise related?

3. For the purpose of general information background and mutual understanding, can you describe the business that you conduct on the Internet?

4. How long has YapBrowser been available for end-users to download from the Internet?

5. Aside from working with 180solutions can you cite, as trade references, any other businesses or advertisers that you work with, have worked with in the past or those who have expressed interest in working with you in the future?

6. How long has YapBrowser bundled the 180solutions product- Zango?

7. How were you not aware over that period of time that your application / sites were redirecting to the offensive material?

8. How rigorous was 180Solutions / Zango in terms of checking your application
before they agreed to have their software bundled with the YapBrowser application?

9. Did 180solutions test the software prior to your agreement to bundle Zango?

If so, can you describe the process that was involved?

10. Did they test your application after it launched with the
Zango product bundled?

11. Have you received payment from 180Solutions for the
Zango downloads you delivered?

12. Your sites were hosted on a server that also hosted
known hijack sites and sites related to other allegedly illegal practices.
Specific examples would include instme. biz and nstallme. info.

At the time of my testing there were only six other sites residing on this server besides yours,
and approximately 60 + sites on a related IP address. Again, many of which were highly dubious
and well known to the security community.

Given the current state of Russian webmaster forums, where whole sections are
devoted to "rogue" sites and installers, as well as the widespread coverage of these
groups by Western security companies, how is that you were not aware of the
practices of your neighbours on this server?

13. How is it that you were not aware your chosen server host
were well known and documented for hosting such sites and material?

14. To quote from your exchange with Paperghost at

Paperghost: The same details are used for a group of sites at Eltel, a Russian ISP,
including one site that redirects the user to browser exploits at,
which load trojans, spyware and dialers. Paradise-dialer's whois places it as part of
the CWS group known as Dimpy, aka BigBuks. Since the BigBuks whois is also given
by mix-click, referred to by the yapbrowser/yapsearch whois, and the aforementioned
servers at Pilosoft and Eltel (as well as the paradise-dialer server also at Pilosoft just a
few IP addresses away) run many other sites that link back to browser exploits and
child porn promotions run by BigBuks, it seems reasonable to assume that they are
the same group of people.

So, is this you or not? And if not, how come the contact details are the same?

YapBrowser: We now try to find people which are involved in
an illegal site. They had some attitude to domain names, but not to our activity. Similar
these people are engaged in distribution illegal content and in parallel contain a server
for this purpose. We have chosen a unsuccessful place of accommodation of the
projects in a network.

Given your statements and acknowledgement of illegal content distribution,
presumably you have accurate details of who you did business with for hosting.
This would include business names, individual names, addresses, phone-numbers, etc.
You appear to claim to have been victimized by a supposedly legitimate business entity,
are you willing to serve the public interest by making this information
available in this interview?

If so, please provide details. If not, why not?

15. It was been brought to my attention that:

A representative of YapBrowser is John Helbert, as seen here:

A connection has been made between this person and an individual called ?Klass? a member of a ?Lolita / CP? board called ?Dark Master?. (Matching ICQ numbers, etc). More on this connection can be seen here:

Sumbelt Haloscan comments

What is your response to this connection between YapBrowser and the ?Dark Master? forums?

16. Ben Edelman provides video evidence of the dubious activities of an outfit
called HighConvert working with a number of adware companies. See video:
this operation appears to be related to a document uncovered and transcribed from Russian
into English by Sunbelt Software in early April. The YapSearch domain is cited in this document.
Reference English translation of document here: Sunbelt Translation Document.

The document outlines plans for ?invisible clickers?, lowering of browser?s security settings,
utilizing ?Blue Screen of Death? for trick ads, and the changing of 404 error pages among
other dubious practices. How do you explain this reference to YapSearch?

17. Did YapSearch or YapBrowser ever deploy any of the
tactics outlined in this document?

18. Given the current state of affairs what is the future for YapBrowser-
do you still intend to distribute this application?


I am pleased to announce that two members of the FSL research team received Microsoft Security MVP Awards this year. Namely Wayne Porter, Sr. Director of Greynets Research and Chris Boyd, Director of Malware Research. This is my first time to receive this honor but this is the second year running for the indefatigable Chris Boyd, a.k.a. PaperGhost.

The Microsoft Most Valuable Professional (MVP) Award is an annual award that is given to outstanding members of Microsoft's peer-to-peer communities, and is based on the past year's contributions those members make in those communities online and offline.

You can learn more about the awards at the Microsoft MVP FAQ or check out the official MSFT MVP site.

A little history and color about the awards from Wikipedia:

The Microsoft Most Valuable Professional (MVP) Program is an award and recognition program run by Microsoft. Microsoft MVPs are volunteers who have been awarded for providing technical expertise towards communities supporting Microsoft products or technologies. An MVP is awarded for contributions over the past year.

The MVP program grew out of the developer community: rumor has it the initials stood for "Most Valuable Professional", as the initial MVPs were drawn from the online peer support communities such as Usenet and CompuServe. It has since grown to include other types of products, and other avenues of contribution.

A posting from Tamar Granor on the Universal Thread web site gives this account of the origin of the MVP program.

"Way back in the dark ages, Microsoft provided a great deal of technical support on CompuServe. The CompuServe FoxPro forum was extremely busy and Calvin Hsia, then an independent developer, now Developer Lead on the Fox team, created what we called "Calvin's List." It was a listing of the number of postings by person, including info on both messages sent and received. Being in the top 10 on Calvin's List any month was an accomplishment, though we discussed whether it was a good thing or a bad thing. "

As the story goes, some of the Microsoft people jumped on Calvin's List as a way to identify high contributors, and thus was born the MVP program.

Question? What is the McCain Amendment as it relates to CAN-SPAM?
Level: Advanced

This is a tough one so I tracked down a real expert- Anne Mitchell, Esq., CEO of the Institute for Spam and Internet Public Policy, and a Professor of Law in California for the answer.

This interview is an attempt to try to clarify the news I reported here earlier coming out of report on the lawsuit that went all the way up and down the chain.

It wasn't easy catching her as she was busy preparing for a workshop, but I think we have some solid answers for readers. (And thanks Anne for taking the time!) So to recap we're talking about the recent announcement by the Federal Trade Commission and California Attorney General Bill Lockyer that they have settled a lawsuit in which they went after a spammer both for the spam they sent, and for the spam which their affiliates sent. Let's dive in!

As a researcher it is critical to look at not what is on the ground but what is coming down the pipe in terms of development ideas.

This site lists all sorts of sites and applications which are in beta and a handy reference for the curious. For the REALLY curious check out the current alpha releases.

Check out the Museum of Modern Betas.

Note that Google has over 70 + Betas !!!

It appears this fellow isn't the only one tired of getting lots of "useful addons" on his new PC from Dell. Rather than ship a virgin system, Dell has money making deals to include certain forms of adware or sponsored search engines and they pocket the change.

This, in theory, is ok, depending on what the Dell EULA states, but what about users who do not want all of the extraneous stuff, trial installations and other unwanted programs? This person took matters into his own hands by by creating and running a very simple file.

Enter in the Dell Decrappifier, a script, that hopefully returns your PC back to its pristine state before all the marketing deals take over your coveted resources.

From their website:

It's a sad state of affairs when you buy a new computer these days and it comes pre-loaded with a ton of garbage software that brings your new machine to a crawl. If anyone's bought a Dell PC in the last few years, you probably know what I'm talking about. Just recently, I was helping a friend set up his brand new Inspiron 1300 and it took FOREVER for it to boot up. It's a very dissatifiying experience to pull a brand new computer out of the box and be spammed with a bunch of trial software. After removing all of the crap, (wich took a significant amount of time) it booted much faster and performed like it should. I kept thinking it would be nice to have an automated way to remove all this stuff. Thus was born the Dell De-Crapifier script.

Now, to be fair, I know most all of the major PC manufacturers have similar practices of installing trialware. I would suspect they don't make any profit on the hardware (or even a loss) and they make their money on the kickbacks from the software companies. I don't know.

Anyway, I wrote the Dell De-Crapifier using a great little scripting tool called AutoIT. You can use it to automate pretty much anything in Windows. There is also a cool editor called SciTE that gives you all the tools you need to put together a script. The best thing about this whole system is that you can generate stand alone executables that don't require a runtime.


Visit the Dell Decrappifier to see it in action. Read *carefully* before you download the file and use!

Level: Advanced

While conducting log analysis around a new web application we have been developing the ever vigilant Obijan
noticed what appears to be an individual using automated tools to probe the application
in several nefarious ways. We can also assume that they are running the same styles of attack
on all forms sitewide.

Skype, recently acquired by eBay, is becoming a very popular Instant Messenging client. You can text chat, hold conferences, send files and most importantly talk in real time with wonderful clarity. Not only can you talk to just those on your Skype list, but you can also by credits to dial out to real world lines. Skype is a proprietary peer-to-peer Internet telephony (VoIP) network, founded by Niklas Zennstrom and Janus Friis, the creators of KaZaA.

I have been using Skype for sometime but never before had I received an unsolicited commercial message in my months of usage. In terms of e-mail this is commonly called spam but on instant messenging networks this is called SPIM. In short someone contacts you hawking goods and wares, or anything that you don't want. You don't know them, you did not contact them, did not opt-in to be contacted by them, in short they simply hammer out commercial messages in hopes someone will buy.

I found this case particularly interesting because, as I said before, I had never received SPIM through Skype (and fortunately it is easy to block a user.) In this case I decided to "play" with the spammer to gauge their response and have some fun and games.

Would they ignore me? Hit me with more unwanted spam? Or are they truly ignorant? Find below the full transcript of our "conversation". Obviously near the end I was pretending to execute various "commands" on her machines when in reality I was doing nothing but typing in all caps simulating a "look up" of who they were.

This spammer was not harmed in the incident, but let's hope they don't do it again. Read on...

The first part of the transcript is the list of brand new units of phones they sell, below it you will find our "dialogue" and my simulated commands of geolocation as I tried to steer this spammer into the path of not doing it again. I doubt that will work, but it is amusing nonetheless. More below...

Did you know we had a Mail Bag? We do! Our team, including two MSFT Security MVPs, select good questions from the Mail Bag and give it our best shot.

Question: I receive lots of hot stock tips in my email. Are these legitimate stocks? Should I invest?

Disclaimer: We don't give investment advice...but what you are referring to is commonly called a Pump & Dump stock scam.

Like many people you probably get alot of spam- even with the better filters we have today. Have you ever noticed how many spams are touting a particular stock? Usually this is a slimly traded stock on a small exchange for only pennies a share. In a recent Honeypot studied it was found that 3% of all the spam collected were actually pump & dump scams! Still at pennies a share it seems so easy to make money! Not so.

New research was released recently about these "pump and dump" schemes. The way it works is the stock owners or holders send out massive amounts of spam touting their stock, somtimes resorting to pumping them on up on stock related message boards with false or misleading claims.

What was really interesting in this study is the researchers found that the more spam sent actually sent the stock of the price higher- naturally the scamsters unload the stock as it peaks and the regular investors are left holding the bag.

Answer: If you get e-mails like these simply hit delete. They are more than likely scammers tricks stacked against you in order to part you from your hard earned money. The only ones profiting from these "spam e-mail tips" are the senders themselves- in this case spammers.

For more on Pump & Dump Stock Scams read this illuminating article.

If you still aren't sure check out this savvy fellow who charted a variety of spam touted stocks and see for yourself just how "good" the returns where: We suspect that some of these fraudsters might using botnets as spam relays so they can send out literally millions of these types of thinly traded, dubious equities.

Imagine that- a whole legion of zombie machines working OTC stocks. Again- hit delete and don't fall for it.

Office 2003/XP Add-in: Remove Hidden Data

We talked about this a couple of years ago but as tips and tricks go it is a must have in your privacy toolset and best of all it's free.

Did you know that when you edit a Microsoft Word document there are all kinds of hidden meta-data in the document that you cannot see? With this little add-in you can permanently remove hidden and collaboration data, such as change tracking and comments, from Word 2003/XP, Excel 2003/XP, and PowerPoint 2003/XP files. If only certain government officials had known about the tool because meta-data has led to a few scandals in the past!

The Remove Hidden Data add-in is a tool that you can use to remove personal or hidden data that might not be immediately apparent when you view the document in Microsoft Office. The tool is free but only works in 2003/XP.

Phishing is a form of criminal activity using social engineering or trickster techniques to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords.

Phishing attempts that target employees of an particular company are often called "Spear Phishing". There is a current bill called the Anti-Phishing Act of 2005 now under debate and other community-driven methods are underway to attack phishers like the Phried Phish project from Castlecops where you can submit phishing address and skilled hunters will go after them and get them shutdown!

Coming soon...a bevy of tools and techniques to help protect your self from phishing.

Ever wonder what the inside of part of an anti-spyware lab might look like? What actual researchers do? This short segment aired on WSAZ, an MSNBC affiliate profiling our Huntington, West Virginia research team.

Click The Photo for Footage

But there's more coming up! Check out the teaser piece on the scoop with this two-part Podcast Chris Boyd and I delivered to Jeff Molander profiling what we see in the trenches of the Internet and information on our team's latest bust. I think it will truly "shock and awe" some listeners. Check out Spyware Warriors and the Digital Underground Teaser [mp3 format]

I am really ready to start tackling EULAs, so to kick things off I am revisiting a piece I did on the TinkoPal EULA months ago. Take a close look as I highlight some of the language and conditions you would accept in this EULA. For added value my comments will be in bold text surrounded by parentheses and are not a part of the EULA.

TinkoPal EULA Page:
Note: The original EULA is longer valid at this URL.

About this Archive

This page is a archive of recent entries written by (Display Name not set) in April 2006.

Author (#12)May 2006 is the next archive.

Find recent content on the main index or look in the archives to find all content.