I recently came across an installer file being pushed in a Botnet - nothing new there, but it serves up an interesting take on how Adware companies need to make sure that it's not just their software springing up in hijacks - it's their websites, too.
In this case, the Zango.com website is popped open on the user's desktop (ignore the box mentioning Poker, that's from a different popup):
...this is what's known in the trade as "strangeness incarnate". Usually someone will try to install something, so they can make money. Simply popping open the Zango.com website doesn't seem to point to any financial gain, unless the person behind it gets a cut of the profits from the clips on that page. But that would also be stupid, as it wouldn't be too hard for the Zango people to then find out who stuck what movie files where on their website. Plus, I'm under the impression that Zango themselves are responsible for placing the video clips on Zango.com anyway.
I ran the infection again, and who should pop up in the next barrage of adverts but Bestoffers Network (another name for Direct Revenue):
...whoops. As for what's installed, it's the usual (rather popular) mish-mash of files from WebHancer, Dollar Revenue, SurfSidekick and Toolbar888, which is apparently a Maxifiles variant. I've spoken about Maxifiles in relation to Direct Revenue many times. At any rate, here's a screenshot:
Nice collection!
Of course, it goes without saying that the PC is hosed shortly after the install:
...ouch. Still, at least the hijacked end-user will have no shortage of Smileys to play with, pills to take and celebrity videos to watch while smoke starts to pour out the back of their monitor. All in all, I'd say that's a pretty good tradeoff...!

