P2P / File Sharing: February 2007 Archives

YouTube is probably the hottest of the so-called "Web 2.0" commodities out there right now - and their recent acquisition by Google won't have done any harm to that way of thinking. Of course, the fact that YouTube allows you to share its content raises the possibility that those files might appear in all manner of strange places.

Well, here's a perfect example of people jumping on the Web 2.0 bandwagon, offering up a (frankly bizarre) "media player" that

a) doesn't actually offer up much media and
b) doesn't play them half the time, either.

A group of files have been seen floating around the eDonkey network, and they offer up some surprising results.

http://blog.spywareguide.com/upload/2007/02/ytplayer5-thumb.jpg

No EULA is displayed - depending on which of the two installers you execute, the program will simply run on the desktop or give you a bare bones installation. You'll then see this:

http://blog.spywareguide.com/upload/2007/02/ytplayer10-thumb.jpg

...the introductory splash page might look interesting, but you'll notice that there are very few buttons on the player, and half of what's there isn't actually clickable. When we continually hear a lot about the "value proposition" of installing X in return for Y, this doesn't bode well, does it? Pressing the "click here to continue" message brings up a "Locating Videos" message, and you'll note the first advert served up inside the player...in this case, an advert that was apparently for the Wall Street Journal but was eventually revealed to be for GoToMyPC (what you see in the screenshot is all we saw before the YouTube clips started to play. Thanks to a reader for the heads up). I don't personally have (much of) an issue with adverts served to me inside an application (as opposed to firing all around the outside of it), but some people might take issue with this, especially as there was no EULA and no indication that there would be adverts at all.

Are these targeted ads? Adverts served up based on browsing history? Region specific? Who knows, as nobody told you. At any rate, the supposed "media content" loads up, and you might be surprised to find....

http://blog.spywareguide.com/upload/2007/02/ytplayer6-thumb.jpg

.....YouTube movies!

Completely bizarre YouTube movies, at that - this example is a strange Lute playing session; another notable clip we saw was a 20 second clip of some guy telling us about his new book:

http://blog.spywareguide.com/upload/2007/02/ytplayer4-thumb.jpg


....though the clip is in Italian, the translated version is that he's talking about his new work, "Experiments in Temporary Happiness", a "passionate romantic novel" apparently. Though there's no indication either of these two have any involvement with the player - it seems these are just two random movie files that happened to play more than most - you can learn more about the book writing guy's work here.

Putting aside our foray into the world of romantic literature, you might find yourself disappointed if you're expecting a constant stream of YouTube clips. Apart from the fact that an avid YouTube fan would simply....go to YouTube to watch them in the first place, this program only ever seemed to serve up one of the two clips mentioned above. Sometimes we'd get a flurry of other clips before it died out, but half the time, our research team couldn't even get the movies to play. Geographical targeting, perhaps?

Underneath the movie panel, you'll note three icons - one takes you to an online backgammon site, one takes you to a scratch card game and the other provides you with the option of logging into the Skype website. Why? No idea. That's just the way this thing rolls!

Beside the icons, a banner says "powered by Hobby-Tent.com". However, the truth is a little stranger than that. A site called Zapu.com provides "net acceleration" services, and also offers a toolbar that does much the same thing.

Why is Zapu relevant?

Because they're hosting the text served up by the media player:

http://blog.spywareguide.com/upload/2007/02/ytplayer1-thumb.jpg

In addition, Zapu also hosts some of the smaller image files such as the "powered by hobby-tent" banner.

Exploring Hobby-Tent

This is where it gets really interesting. Hobby-Tent is a site that links to a bunch of YouTube movies - aside from that, it's stuffed full of adverts designed to generate income.

http://blog.spywareguide.com/upload/2007/02/ytplayer7-thumb.jpg

The site is currently down, but for some strange reason, there IS one directory still available:

ytplayer8.jpg

..."Papa Player"? What on Earth could that be? Oh well, let's download it and take a look....

http://blog.spywareguide.com/upload/2007/02/ytplayer9-thumb.jpg

Still no product specific EULA, but this time we do have an agreement for WhenU. Ironically, the version of this media player NOT circulating in P2P networks doesn't actually work, as you can see from the below screenshot. Note the "page not found" message, as the program attempts to pull up the "Thank you for using our hottest web videos personal player" text and fails miserably - again, from Zapu.com:

http://blog.spywareguide.com/upload/2007/02/ytplayer12-thumb.jpg

So far, then, we have THREE different versions of a "media player", THREE websites involved in distribution and / or hosting various pieces that make up the whole (we cover the final site below), TWO YouTube movies that made no sense whatsoever (though they made a lasting impression!) and ONE Adware vendor caught in the middle of it all.

There's still one piece of the puzzle left....

DV-Networks.com

Remember the three clickable links in the Media Player that took you to scratchcard games, Skype and backgammon? Well, clicking those links would redirect you to your destination from a site called DV-Networks.com. Visiting the site gives you a holding page, claiming it will redirect you to a site called "Iportent.com", though this never actually happens.

However, some quick digging later and you'll find the below - a bunch of icons, possibly related to some other program, that take you to sites related to "free international calls" and "PC Tune ups". It's the final image that interests me, though:

http://blog.spywareguide.com/upload/2007/02/ytplayer13-thumb.jpg

...note the link to Zapu.com from the final icon, and the Alt text..."Hottest Web Videos", which is the name of the media player. Clicking that link takes you to this page, which seems to be a holding area for numerous streamed movie clips from sites similar to YouTube:

http://blog.spywareguide.com/upload/2007/02/ytplayer14-thumb.jpg

...are these clips supposed to stream via the Media Player too? It's hard to say, though for now it looks like YouTube is the primary focus.

Why is DV-Networks.com particularly interesting? Well, a quick Google didn't reveal much about the site....however, this link is particularly interesting. It's a forum post on Spamcop relating to some application that caused some consternation amongst the users:

3. There are discrepancies regarding the name of the person behind this software. On the referenced website, his name is given as "Barak Abutbul" and yet in the domain name registration, it appears as "Barak Avitbul." My knowledge of Hebrew is limited, but I don't think that sort of discrepancy is due to transliteration issues...he gave the name differently in different situations. For example, he posted information about another of the "MinuteGroup" programs (VCatch) at Winsite, using the "Avitbul" version of his name:

http://www.winsite.com/bin/Info?4754

4. The two partners listed on the "minutegroup" site apparently have had some other joint projects. Here's a mockup of their "DV Networks" site I found on the site of the company that designed the "minutegroup" site:

http://www.121webdesign.com/customers/dvnetworking/

However, when you go to:

http://www.dv-networks.com/

you'll see that this operation is no longer active at that URL, in that it displays a logo for "IPortent" and says "Formely [sic] DVNetworks."

Now, if you check out the About Us page on the Zapu site, one of the founders is named as...Barak Abutbul. The forum post continues:

"5. If you Google "Barak Abutbul," you'll find some rather disturbing references to this man as being part of a group of hackers (or crackers?) who were charged with breaking into computers at the "Pentagon, US Navy, NASA, MIT, Harvard, Yale, Cornell, Stanford, the Israeli Parliament. Hacked two Israeli ISPs obtaining names and passwords of subscribers." The news articles say that Abutbul reached a plea agreement in exchange for testifying against the others."

...is this the same individual? Certainly, Googling the name does indeed return some incredibly troublesome results. Check out the data from a packet capture as the player installed and phoned home:

http://blog.spywareguide.com/upload/2007/02/ytplayer15-thumb.jpg

...note the name "baraka" highlighted in red.

If it's not the same person, it's certainly a strange collection of chance happenings and coincidences. At any rate, I'd be very wary about using this media player - especially as quite a few other vendors detect this particular file:

http://blog.spywareguide.com/upload/2007/02/ytplayer24-thumb.jpg

"Experiments in Temporary Happiness"? In this case, I'd say that's an entirely appropriate description...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Technical Research: Peter Jayaraj, FSL Threat Researcher
Supplemental / E-Commerce Research: Wayne Porter, Senior Director Special Research

About this Archive

This page is an archive of entries in the P2P / File Sharing category from February 2007.