Research: April 2006 Archives

Spyware Warriors and the Digital UnderGround: Part 1 & 2 Podcast Segments

Podcast conducted and moderated by Jeff Molander of

Wayne Porter, Sr. Dir. Greynet Networks
Chris Boyd (PaperGhost), Dir. Malware Research
Facetime Communications

Wayne Porter and Chris Boyd (aka PaperGhost) get paid to spend their days infiltrating rings of real-life cyber criminals, all the while risking that they'll get caught by the thieves themselves. How must it feel to gather evidence on such bottom-feeders and then turn it over to the proper authorities? According to them, it feels great.

Spyware Warriors and the Digital UnderGround: Part 1



00:01 - Introduction
02:38 - What does Facetime do and for whom?
04:09 - What is a botnet network? (Boyd)
05:20 - What are hackers and e-criminals motivations? (Boyd)
06:11 - Things changing for the worse; paradigm shift (Porter)
07:55 - The story of RinCe, tipster on major bust (Boyd, Porter)
10:20 - Anatomy of a good tipster; motivations (Boyd)
11:44 - Changing vectors & new dangerous hacker tactics (Porter)
12:54 - Instant Messaging no longer safe (Porter)
13:24 - Botnet criminal motivations (Boyd)
13:44 - New perspectives (Molander)
14:34 - Attack complexity increasing, vectors changing (Porter)
16:24 - Dark Economy: Organized crime moving online (Porter)
16:59 - Cloak & Dagger: How to penetrate a botnet (Boyd)
19:03 - Gathering intelligence from "the underbelly" (Porter)
22:54 - Fallout from adware, spyware & Web crime (Porter)
23:34 - Warning to e-commerce executives (Porter)

Spyware Warriors and the Digital UnderGround: Part 2

Wayne Porter, Sr. Dir. Greynet Networks
Chris Boyd (PaperGhost), Dir. Malware Research
Facetime Communications


Molander: In part two, I begin to discuss how and why major name advertisers (and advertising networks they work with) unknowingly get caught funding criminal activity.

Porter goes on to predict that the realm of click fraud is bound to get a lot uglier as massive, criminal-operated networks of "zombie" PCs ("botnets") turn their guns in a new direction. Detecting them may, as it turns out, not be easy for Google, Yahoo Search, or others.

Spyware Warriors and the Digital UnderGround: Part 2



0:00 - Introduction
1:02 - How and why would major advertisers fund criminals?
2:04 - The Problem: brokers of ad brokers of ad brokers
2:34 - The connection between performance advertising and botnets, fraud
4:58 - Risk levels of cost per sale vs. cost per click vs. impression/CPM
6:28 - How brands are affected
7:16 - A new form of cost per click fraud?
9:19 - Small but widely distributed click fraud botnets may prove highly problematic
11:30 - Enterprise risks to botnets
11:48 - The potential for a new form of click fraud
13:44 - Web marketing, becoming less efficient and dangerous for brands
14:52 - "Botnets can be used for pay per click fraud" (Porter)
15:10 - Learn from the Past: AllAdvantage "Get Paid to Sleep" (Porter)
17:05 - New blog
19:15 - Funny story: "Mr. Bean" movies among bad guys
21:31 - Closing remarks

So whatever happened to these botnet operators? Stay tuned... something ground-shaking did happen after the first articles and podcasts went to press...

I received confirmation from the "Yap Browser" people, who stated they would work on answering the questions for next week. The questions for YapBrowser were written in English and then translated into Russian (thanks Anna and thanks Joe!), and they were urged to reply in Russian, their native language. As soon as I have their answers I will have them translated, once again, by two different teams and post the Russian answer document as well. All will be followed per the rules of engagement.

Wayne Porter's E-mail Interview: Questions to Yap Browser:

1. So that it is clear, what is the name of the entity or company that develops and operates YapBrowser?

2. Are YapBrowser and controlled and/or operated by the same entity, or otherwise related?

3. For the purpose of general information background and mutual understanding, can you describe the business that you conduct on the Internet?

4. How long has YapBrowser been available for end-users to download from the Internet?

5. Aside from working with 180solutions can you cite, as trade references, any other businesses or advertisers that you work with, have worked with in the past or those who have expressed interest in working with you in the future?

6. How long has YapBrowser bundled the 180solutions product, Zango?

7. How were you not aware, over that period of time, that your application / sites were redirecting to the offensive material?

8. How rigorous was 180Solutions / Zango in terms of checking your application before they agreed to have their software bundled with the YapBrowser application?

9. Did 180solutions test the software prior to your agreement to bundle Zango?

If so, can you describe the process that was involved?

10. Did they test your application after it launched with the Zango product bundled?

11. Have you received payment from 180Solutions for the Zango downloads you delivered?

12. Your sites were hosted on a server that also hosted known hijack sites and sites related to other allegedly illegal practices. Specific examples would include instme. biz and nstallme. info.

At the time of my testing there were only six other sites residing on this server besides yours, and approximately 60+ sites on a related IP address. Again, many of these were highly dubious and well known to the security community.

Given the current state of Russian webmaster forums, where whole sections are devoted to "rogue" sites and installers, as well as the widespread coverage of these groups by Western security companies, how is it that you were not aware of the practices of your neighbours on this server?

13. How is it that you were not aware your chosen server host was well known and documented for hosting such sites and material?

14. To quote from your exchange with Paperghost at

Paperghost: The same details are used for a group of sites at Eltel, a Russian ISP, including one site that redirects the user to browser exploits at, which load trojans, spyware and dialers. Paradise-dialer's whois places it as part of the CWS group known as Dimpy, aka BigBuks. Since the BigBuks whois is also given by mix-click, referred to by the yapbrowser/yapsearch whois, and the aforementioned servers at Pilosoft and Eltel (as well as the paradise-dialer server also at Pilosoft just a few IP addresses away) run many other sites that link back to browser exploits and child porn promotions run by BigBuks, it seems reasonable to assume that they are the same group of people.

So, is this you or not? And if not, how come the contact details are the same?

YapBrowser: We now try to find people which are involved in an illegal site. They had some attitude to domain names, but not to our activity. Similar these people are engaged in distribution illegal content and in parallel contain a server for this purpose. We have chosen a unsuccessful place of accommodation of the projects in a network.

Given your statements and acknowledgement of illegal content distribution, presumably you have accurate details of who you did business with for hosting. This would include business names, individual names, addresses, phone numbers, etc. You appear to claim to have been victimized by a supposedly legitimate business entity; are you willing to serve the public interest by making this information available in this interview?

If so, please provide details. If not, why not?

15. It has been brought to my attention that:

A representative of YapBrowser is John Helbert, as seen here:

A connection has been made between this person and an individual called "Klass", a member of a "Lolita / CP" board called "Dark Master" (matching ICQ numbers, etc.). More on this connection can be seen here:

Sunbelt Haloscan comments

What is your response to this connection between YapBrowser and the "Dark Master" forums?

16. Ben Edelman provides video evidence of the dubious activities of an outfit called HighConvert working with a number of adware companies. See video: this operation appears to be related to a document uncovered and transcribed from Russian into English by Sunbelt Software in early April. The YapSearch domain is cited in this document. Reference English translation of document here: Sunbelt Translation Document.

The document outlines plans for "invisible clickers", lowering of browser's security settings, utilizing "Blue Screen of Death" for trick ads, and the changing of 404 error pages, among other dubious practices. How do you explain this reference to YapSearch?

17. Did YapSearch or YapBrowser ever deploy any of the tactics outlined in this document?

18. Given the current state of affairs, what is the future for YapBrowser: do you still intend to distribute this application?


I am pleased to announce that two members of the FSL research team received Microsoft Security MVP Awards this year: namely Wayne Porter, Sr. Director of Greynets Research, and Chris Boyd, Director of Malware Research. This is my first time receiving this honor, but it is the second year running for the indefatigable Chris Boyd, a.k.a. PaperGhost.

The Microsoft Most Valuable Professional (MVP) Award is an annual award that is given to outstanding members of Microsoft's peer-to-peer communities, and is based on the past year's contributions those members make in those communities online and offline.

You can learn more about the awards at the Microsoft MVP FAQ or check out the official MSFT MVP site.

A little history and color about the awards from Wikipedia:

The Microsoft Most Valuable Professional (MVP) Program is an award and recognition program run by Microsoft. Microsoft MVPs are volunteers who have been awarded for providing technical expertise towards communities supporting Microsoft products or technologies. An MVP is awarded for contributions over the past year.

The MVP program grew out of the developer community: rumor has it the initials stood for "Most Valuable Professional", as the initial MVPs were drawn from the online peer support communities such as Usenet and CompuServe. It has since grown to include other types of products, and other avenues of contribution.

A posting from Tamar Granor on the Universal Thread web site gives this account of the origin of the MVP program.

"Way back in the dark ages, Microsoft provided a great deal of technical support on CompuServe. The CompuServe FoxPro forum was extremely busy and Calvin Hsia, then an independent developer, now Developer Lead on the Fox team, created what we called "Calvin's List." It was a listing of the number of postings by person, including info on both messages sent and received. Being in the top 10 on Calvin's List any month was an accomplishment, though we discussed whether it was a good thing or a bad thing."

As the story goes, some of the Microsoft people jumped on Calvin's List as a way to identify high contributors, and thus was born the MVP program.

As a researcher, it is critical to look not at what is on the ground but at what is coming down the pipe in terms of development ideas.

This site lists all sorts of sites and applications which are in beta, and is a handy reference for the curious. For the REALLY curious, check out the current alpha releases.

Check out the Museum of Modern Betas.

Note that Google has over 70 betas!

Ever wonder what the inside of part of an anti-spyware lab might look like? What actual researchers do? This short segment, which aired on WSAZ, an MSNBC affiliate, profiles our Huntington, West Virginia research team.


But there's more coming up! Check out the teaser piece on the scoop: a two-part podcast Chris Boyd and I delivered to Jeff Molander, profiling what we see in the trenches of the Internet, along with information on our team's latest bust. I think it will truly "shock and awe" some listeners. Check out Spyware Warriors and the Digital Underground Teaser [mp3 format].


About this Archive

This page is an archive of entries in the Research category from April 2006.
