Jan Hertsens: February 2006 Archives

This Story Made Me Spill My Noodles


As any regular day, this evening after work I settled with a snack (today: Cup-o-noodles) behind the computer for some "light reading" of industry blogs and their related links. This was a safe activity until tonight, when I came across this 180solutions press release, which made my noodles fly all over the place.

Let's for a moment sidestep the disregard for the great research work my collegues at FaceTime did, and focus on this quote:

However, according to McGraw, the company took the extra measure of requiring each user to re-opt in to the installation a second time, even though proper consent was obtained at the time of first install. "In this case, the re opt in opportunity wasn't required, because the few users who did install our software as delivered in this exploit did so with knowledge and consent," McGraw said. "But it was the right thing to do given the unorthodox and unapproved nature of the installation interface those users encountered."

Now let's read that again.

It seems only yesterday that I wrote about the dangers of the "sendkeys" attack, and how it would easily defeat any kind of confirmation screen the adware creator puts up, and what to do about the problem.

Now both crusaders Wayne Porter and Ben Edelman discuss this techinique actively being used in the wild. Grab (a small amount of) popcorn and watch the movie.

Let's make things very clear here:

If adware creators do not create a strong validation system like we have proposed (or something similiar), then any form of obtaining user consent via a confirmation dialog is virtually worthless!

On that note a personal message to 180 Solutions.
Your "S3" has been proven to be "less than satisfactory".
Get the message and learn the lesson, or S4 and S5 will go the same way.

This vitalsecurity entry took me to an interview the Washington Post did with a botnet herder. It is indeed a bit of a long read, but proved to be worthwhile.

As a spyware researcher, I was always wondering how the botnet operators are able to install all the different pieces of adware onto the victims PCs, without the users being any wiser. Many of these programs now have "confirmation boxes" which show a EULA that needs to be "agreed to" before installing. For the sake of clarity I will keep the disucssion on whether these EULAs actually fulfill their purpose for another place and time. We observered the end-user not seeing anything at all.

My first assumption was that the botnet operators distributed "hacked"/modified versions of the adware package, with that particular screen removed.

I was wrong. Seems like I was applying Occam's Razor at the dull end.

This "pseudo-technical" quote tipped me off that something else was going on:

Once they invade a computer and add it to their botnet, they use automated keystroke codes to order the enslaved machine to click "OK" on installation agreements.

If you are any kind of developer, this should ring a bell.
It seems they are using the good old "SendKeys" command, that has been arround for years.

In terms of efficiency this sleight of hand makes sense. Instead of having to mess with a resource editor, repackaging and hosting their own modified versions, they merely use the original installer package from the official adware location, launch it, do a "FindWindow" and a sendkeys of a few "OK" clicks. This can be implemented in less than a dozen lines of VBScript.

So it turns out the user gets to "see" the confirmation dialog after all, but only for the time it takes the Windows API to process the requests. On an average computer, that will be less time that it takes to blink a eye. On a slower system, that will about a quarter of a second, still in the "subliminal message" range. All of this is of course assuming that the user is effectively staring at the screen at the exact time of installation. This could be fairly unlikely, since most of these installations are scheduled to happen unattended in the wee hours of the night.

The adware vendors will, as per standard protocol, claim that there is nothing they can do about this practice.

With that I offer some free consulting advice for these vendors, who are actually interested in weeding out the bad affiliates (anybody still listening?) . It's easily implemented by a junior developer in a few hours and will earn back its costs many times over in a few days.

Given that your application is already reporting back installations, along with a computer identifier and an affiliate ID (otherwise you would not be able to cut cheques for your affiliates, which is exactly the root of the problem) :

- In the confirmation dialogs, note the time when the window opened. Note the time when the "I agree" button was clicked.

- Substract these measurements, so you end up with a number of elapsed seconds

- Report this "agree speed" along with the other installation information back to your central server.

- Release this as a new minor version of your application. Don't alert affiliates, just put the package in place of the existing one

- Run some simple statistics on this speed. If a user agrees to the license agreement in under half a second, he is either a Vulcan on steroids or a bot. Report the affiliate for fraud or the user to SETI. (If the records show that the elapsed time to read and agree to the 3000+ word EULA was still less than 3 seconds, you might still make some cash by reporting the user here or here. But I promised to have that discussion another time.)

So there, Mr. Adware Vendor, you have it. Using this free advice, you cannot lose. You make money in all cases and you have users who actually want your product.

I am not naive enough to think that this would actually make the vendors refuse the installation-adware is an industry driven by greed. But it will give them a good reason not to pay out the affiliate for the fraudlent installation. Which translates to less money and hence motivation for the fraudsters.

For this years traditional pilgramage to RSA, we visited sunny San Jose.

I will not bore everyone with news about press statements and product releases, but get to the interesting part immediately: the fashion trends.

If there is one thing that stood out during this event:
The "new black" is.... black!

Thats right, every vendor had some sort of black T-shirt to hand out.

This is just a random example of a "black shirt vendor" trying to push black clothing onto the bodies of innocent passersby.

In the "because I can" department: As an exercise in messing with the Google Maps API, I have started geocoding some of the addresses of creators of (adware and other) products that we have in the spywareguide database. Then with a little php and javascript glue, made a nice overview map on it.

Click here: List of Software Vendors to see it in action. (Please no yelling if it doesn't work. It's not even beta.)

Some observations already ([Insert disclaimer about small dataset here]):

- These companies seem to cluster together. You can notice some definite grouping. Coincidence?

- Some of them have really neat offices. Select one, zoom in to max level and switch to "satelite mode" to see them.

- Look at some of the exotic locations! Here is one in Hawaii!

About this Archive

This page is a archive of recent entries written by Jan Hertsens in February 2006.

Jan Hertsens: April 2006 is the next archive.

Find recent content on the main index or look in the archives to find all content.