Christopher Boyd: July 2006 Archives

The question on everybody's lips right now (well probably not, as it happened over the weekend but still..) is:

How much impact did this have on Zango pulling out of their Warner Brothers deal?

Digg.com is a well known source of breaking news stories, and often those stories spring into life well before many journalists are aware that the tale has come, gone and been again due to its rapid spread and rather large reach. A story was recently submitted to Digg with a rather spectacular title:

"Warner Bros website distributing Zango Spyware + Kiddy porn browser".

As someone who follows Zango extremely closely, I nearly fell off the chair when I saw this hit the frontpage of Digg. Could something have gone so amazingly wrong with Zango's distribution chain that someone had gamed the system (once again) and started serving up illegal pornography from the Warner Brothers site courtesy of Zango?

The answer is no. The story submitted to Digg takes the user to a Blog entry dated Thursday, 11th May 2006. Contained within are a number of factual errors, where various Zango related stories have meshed into one, messy whole - however, when the story was re-submitted to Digg last weekend (after being submitted for the first time a few months back and getting nowhere), the submitter added the rather inflammatory title into the mix and people went crazy voting for the thing. End result, a factually incorrect story slamming onto the frontpage of Digg and causing major, major ripples in the Adware space into the bargain.

We think.

Because in all honesty, there's no real way to tell exactly how much impact this submission had on Zango pulling out of the Warner Brothers deal. The first inkling that something was afoot was an article that hit the Washington Post, courtesy of Brian Krebs. This appeared the day after the Digg article went boom, and inside sources tell me that something was definitely going on in that timespan. The question...is what. In reality, we have no way of knowing who reads Digg, but as someone who has been Dugg a lot of times, I have a good feel for the way it works with regards to the way a story leaks into the media. I've had at least one story "break" from Digg - as an example...

BitTorrent Installed without Permission, Downloads Movie Files

The above story was part of a larger investigation. We didn't put out a press release about it, but we did fire it up as a Blog Article and let it loose. Now, that story was picked up by mainstream press and exploded - a clear indicator of the power of Digg. So, it is not impossible that such a massively dugg story such as the Zango / Warner Bros story could end up hitting in the right places. Especially as many, many people who voted for the piece also submitted their feelings about this to Warner Brothers directly.

At this point, I imagine they saw the title involving illegal pornography, maybe did a little Googling about Zango and got just as confused as some of the facts involved here. It doesn't help that findings about Zango and Myspace hit at roughly the same time as this story (well, the whole of July, actually) - in fact, I had a Digg going on at the same time as the Warner Bros story. Someone even suggested people Digg my story from the Warner Bros Digg too - leading to the strange sight of two Zango related stories hitting first and second place in the Digg Security Section:

http://blog.spywareguide.com/upload/2006/07/2zngtop-thumb.gif

In fact, I actually saw a few pieces covering the story that mixed up the details from both the Zango on Myspace story and the Zango / Warner Bros article. As the Zango / WB story on Digg is now flagged as "inaccurate", many of you have asked me to straighten things out with regards the facts surrounding this whole mess - which is mainly the reason I've written this up in the first place. Though I'm no expert on the Zango / Warner Bros situation, I do know my stuff where the "illegal content" comes into play in all of this. With that in mind, here's my attempt to ease your mind...

1) "Warner Bros website distributing Zango Spyware + Kiddy porn browser"

This is entirely incorrect. The Warner Bros website was distributing Zango Adware (not "spyware"), and at no point in time did it distribute a "kiddy porn browser". The writer has confused a number of pieces of information - in this case, the "kiddy porn browser" is something called Yapbrowser.

Yapbrowser was a web-browser that (for a short period of time) was distributed with Zango Adware. When you used the browser, it redirected you to a 404 error page that contained hardcore child pornography. The Zango Adware itself did not have any connection with the child pornography, other than that their software was bundled with the web browser. Once the revelation of the browser's "hidden feature" was brought to light, Zango removed themselves from distribution with Yapbrowser. Zango's main failing here is that they clearly did not test the Yapbrowser application enough, because they would have realised one click of the browser's "go" button was enough to send you to the illegal content. This doesn't say a great deal about the policing of their affiliates, but they were not responsible for serving up the offending content in any way.

Simply because Zango Adware was launched from the Warner Bros site does not mean visitors were at risk from anything "illegal" appearing on their desktop.

2) "They are also the people behind this alleged child porn browser. They are also the people who still silently install their software on your pcs".

This is taken from the Blog entry that caused all the commotion. Again, this is incorrect. Zango were not responsible for the browser - indeed, the article the Do Not Reply blog links to actually states as much:

"So who is this "Enigma Global Inc" that the YapBrowser installer claims is responsible for the program?"

These are the two main points that people asked me to address, because after seeing the Digg story and knowing that their kids visit the Warner Bros website, they were suddenly panicking like nothing else at the thought they might have illegal pornography on their desktops.

I'm all for taking a company apart in public when needed - but in my opinion, this was entirely the wrong way to go about it. It freaked out too many people through no real reason other than inaccuracy, and I know one person actually scrubbed their hard drive because they thought the police were going to "kick the door in" or something. However you angle it, that's not a particularly pleasant situation for people to be in. The original Yapbrowser story was bad enough - in fact, it's probably the nastiest investigation I've ever been a part of - but dragging it up from the depths to cause needless panic was rather unnecessary. "The end justifying the means" is always a tough one to call, but in this case, it's way too close to the line for my liking.

Would I feel different if I hadn't been involved in the Yapbrowser shambles?

Probably.

All I can say on this occasion is - this is one of the few times a story about Zango did not get a vote from me. Still, who knows what the future holds...!

Yesterday I wrote about fake Myspace profiles leading to pornographic webcam sites - today, we're looking at a variation on the theme. However, the end result this time is not naked ladies, but gambling software. The profile uses the same bait as the webcam profiles - attractive female, long "about me" section designed to convince you that the person in the profile is indeed "real":

http://blog.spywareguide.com/upload/2006/07/pkrbt1-thumb.jpg

There's also one final lure that the webcam profiles did not have:

"The first night I used a poker bot I won $3,000".

The irony here is that an online gambling website is being pushed by a profile promoting illegal bots - exactly the kind of program that the gambling site would not want being used on their system. Talk about conflict of interest! Of course, if you click the link to "Red Casino", you won't see any Bots - just a website asking you to install the gambling software:

http://blog.spywareguide.com/upload/2006/07/pkrbt2-thumb.jpg

From there, gambling fun is just a step away...

http://blog.spywareguide.com/upload/2006/07/pkrbt3-thumb.jpg

It goes without saying, but never download any programs you happen to find floating around Myspace - especially when it sounds too good to be true. In this case, you're "only" downloading a piece of online gambling software - but there are far greater risks out there in Myspace land as we've already seen...!

Myspace has had a mighty beating lately due to people exploiting the network for their own ends - we've had Adware, Flash hacks, infections via banner adverts and now here's the next problem marching across Tom's lawn with big, muddy boots and trampling all the flowers. It's time to take a look at the seedier side of what goes on in Myspace - you've probably heard about "Myspace Bots", but not seen one in action. Well, today's your lucky day.

There are lots of near-identical profiles being created on Myspace at the moment, for some reason all called "Monica". No idea why, I guess they just like the name - at least they're not going to forget who's who. This is of some benefit to us, however, because it makes it easier to steer clear of fake-profile related trouble. It goes without saying to double check any Myspace users you encounter called "Monica" for the time being, especially if the text on the "about me" section of these profiles is all about being "different" and "individual" - and adding them to your MSN Messenger. Here's a screenshot of one of these profiles (note that the picture will change with each profile, but the "about me" text will remain (mostly) the same):

http://blog.spywareguide.com/upload/2006/07/mspcebtprofile1-thumb.jpg

Once added, talking to "Monica" will result in a bunch of Bot-style replies that all try to get you to pay for access to hardcore pornography webcams. The interesting part was trying to work out how much was automated, and how much was human-controlled. The first chat I had veered away from the "4 random replies and set to Away status" that all the subsequent sessions with Monica had - after all, when you're telling someone to "do a barrel roll" and asking them if they "like potatoes", yet all you get for your troubles is "check out my webcam!" it's the signal for a (not very advanced) Bot. It's entirely possible that the first chat was human controlled, but they had to stick to a script and not deviate too much. Ultimately it's all about the money, not random chat with some guy they're trying to extract payment from. Worth noting that if someone was talking to me the first time, they were quite happy to encourage me to join up, even though I mentioned I was twelve years old!

http://blog.spywareguide.com/upload/2006/07/mspcebtprofile2-thumb.jpg

You can see the results of some of these chats here - always good to see just how intelligent these things are (whether human or Bot!) As you'll see, the first chat definitely suggests some form of personality behind the screen - however, the rest are all 100% guaranteed conversations with automated scripts. Doh!

I can only imagine the money being brought in by a scam like this - fake profiles on Myspace have been around for some time, but a quick check of the message boards and forums suggests that this particular issue is taking off in a fairly major (and concentrated) way. It's the easiest thing in the world to create a bunch of fake profiles on Myspace, though to be fair, at time of writing Myspace have deleted a whole bunch of these accounts so proactive steps are being taken.

It's just a shame that they seemed to have missed one in the process! As I mentioned in this BBC article on the problems facing Myspace at the moment:

"Any site has an increased risk of attack where a lot of customisation is possible," said Mr Boyd. "This level of customisation is what both attracts people to use the service, and what causes the most security issues."

The problem faced by Myspace is that if you start locking down all the things the users like about the service in the first place, they'll simply move elsewhere - quite the dilemma! However, somehow they need to educate their users to see that, sometimes, restrictions can be a good thing. The good news is, there are plenty of tech support and Spyware help groups on Myspace and they're doing an extremely good job of educating the everyday users there. We need to see much, much more of this kind of activity if Myspace is to begin clawing back the security of both its own service and that of its userbase.

Of course, if any of you Myspace users ever see anything you think is dubious going on - be it Adware, fake profiles or anything else - feel free to drop us a line here. We'll happily go check it out and see if we can get something done about it.

Stay tuned to Spywareguide, because we'll be looking at more common (and not so common!) scams and other such shenanigans going on in Myspace land - tomorrow, we'll be looking at a nice (!) example of Gambling software being pushed with (clearly fake) user profiles.

Looks like someone's number is up...

There have been plenty of issues for Zango to consider these past few weeks - in particular, their unexpected appearance on Myspace is a good example. Well, we have a rather interesting case here - a website enticing an end-user to install something they think they need, only to pull the rug out from under them and reveal that (in actual fact) it was this program over here that they needed all along!

http://blog.spywareguide.com/upload/2006/07/zngosbrowser1-thumb.jpg

As you can see, the site above is a typical free movies / webcam website. This site displays numerous videos for you to watch, with the words "live now" next to a play button. Pressing the button does not launch a video (as one would reasonably assume!), but actually opens up a download prompt:

http://blog.spywareguide.com/upload/2006/07/zngosbrowser2-thumb.jpg

The name of the executable continues the baiting strategy - "open for instant access". At this stage, the end-user still reasonably believes running this software is essential to viewing the videos on the frontpage. You can see the icon on the desktop and a EULA (feel free to try our Beta EULA Analyzer) presented below:

http://blog.spywareguide.com/upload/2006/07/zngosbrowser3-thumb.jpg

However, when you install it, IE opens automatically and you see this:

http://blog.spywareguide.com/upload/2006/07/zngosbrowser4-thumb.jpg

...a page of Zango videos, where you have to install various pieces of Adware from Zango in order to acquire the License to watch the video. However, these are not the "videos" mentioned on the frontpage - in fact, they don't seem to exist. And as far as "watching the videos on the frontpage" goes, installing Smart Browser serves no purpose whatsoever. Research from our database reflects:

The SmartBrowser is controlled by smart-browser.com. In our studies it changes the default home page. It opens pop-up pornographic advertising. Examples included extremelybabes.com and extremelyamateurs.com, and redirects attempted access of other pornographic sites to these sites instead. (Caution: these sites may attempt to load premium-rate dialers.)

EULA Analysis demonstrates some notable and alarming security risks:

- "YOU AGREE THAT UPON ENTERING ANY SITES UNDER THE CATEGORY THAT FEETS OUR PUBLISHERS CATEGORIES ,AN ADVERISEMENT MATCHING THAT CATEGORY WOULD POP UP, AND"

- "YOU AGREE THAT YOUR COMPUTER WILL BE USED TO CONNECT TO OUR SERVER FOR ANY UPDATES OR ADDINS. AND"

- "YOU KNOW AND AGREE THAT YOUR COMPUTER WILL BE USED TO SEND EMAILS (PUBLISHMENT & FILES) TO YOUR FRIENDS (USING YOUR LOCAL USER DATABASE) AND TO OUR LISTS .AND YOU ASSURE US THAT YOU WON'T CONSIDER THAT A VIOLATIONS OF YOUR PRIVACY OR ANY OTHER RIGHT. AND"

- "YOU KNOW AND AGREE THAT YOUR COMPUTER WILL BE USED TO CONNECT TO CHATS IRC, YAHOO ,MSN ,ETC IN ORDER TO PUBLISH OUR PRODUCTS."


What we have here is a clear example of Bait and Switch - luring you in with one offer, only to be denied the desired item, but presented with a "substitute" at the last moment. The difference here is that the webmaster also gets to install Smart Browser onto the PC in the process - I suppose you could call it a two for the price of one deal or a "bonus". Even if the end-user doesn't choose to download any Zango videos, they'll still be receiving pop-ups (and possibly premium rate dialers) via Smart Browser.

As I am (increasingly) fond of saying - if it looks too good to be true... it probably is.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research and Discovery: Chris Mannon, FSL Senior Threat Researcher
EULA Analysis: Wayne Porter, Senior Director of Greynets Research

You can read the full article here - a good summary of some of the problems faced by Social Networking sites as hackers and confidence tricksters move in on previously unsoiled ground. From the article:

Chris Boyd, director of Malware research at Facetime Security Labs, said sites such as MySpace and Orkut often felt like "gated communities" and made people feel more secure than they should.

"They might click something that outside of that community they would usually think twice about," he added.

It's good to note that sites such as Orkut and Myspace are reacting quickly to these issues - the question is, can they keep up with the bad guys?

More Myspace Misery


Check out this illuminating post by Brian Krebs on how anything up to a million Myspace users were exposed to Spyware. Myspace is having a pretty rough time of it lately, with Zango Adware, Flash-based redirects and XSS (cross site scripting) attacks running riot. I don't think anyone could have predicted this current explosion of attacks on Myspace, but this probably won't be the last time you see Myspace mentioned here. The hackers have picked up the scent of blood in the air...

If you use Myspace, you need to be extremely careful at the moment.

First we had Zango Adware being pushed from profiles encouraging other users to spread the same content.

Then, we had a "Myspace Toolbar".

Now, there is talk of an exploit that relies on redirects via Flash, meaning the hacker has complete control over your profile. You can see the ripples being made here on Digg - should be interesting to see if Myspace put out some kind of "official response" to this one as it's really caught fire. Of course, there have been exploits floating round Myspace for a long time...but as always, don't let familiarity breed contempt - here's a nasty example of what can go wrong for the non-cautious individual!

Yep, it's Yap time again. The Yap (of course) being Yapbrowser - a free web-browser that served up a whole lot more than end-users were probably bargaining for. Just when you think there's nothing more to write about, something else pops up and gets the whole story moving again. In this case, a tip from RinCe illustrates that there are some people who will still take a gamble on one of the strangest browser stories in years. Step up to the plate, Searchwebme (you'll need to scroll down to the entry dated Tuesday, 12th June):

"More recently the browser it self has been in trouble. We are well aware of Yapbrowser's application history but this is all the in past, this is why were pleased YapBrowser has decided to partner with us, SearchWebMe. We can assure you that the new YapBrowser download does not contain any hidden software, spy-ware, ad-ware or any harmful applications. We will be regularly checking the software and updating."

They link to both Wayne Porter's Interview with a Yapbrowser Representative, and a post from the Sunbelt Blog. Searchwebme appear to be a new(ish) Search Engine, with various portals and services on offer for both the casual surfer and the aspiring webmaster. It will be interesting to see how this particular partnership develops over the coming months. They appear to have been live for a few weeks now and there have been no reports of anything going wrong - we received this tip-off a few weeks ago, but didn't want them to feel like "Big Brother" was watching over them!

Could this finally be the end of what the Yapbrowser people would definitely consider their "bad luck run"?

About this Archive

This page is an archive of recent entries written by Christopher Boyd in July 2006.
