Research: June 2006 Archives

Security is always full of twists and surprises. To borrow from the spirit of Forrest Gump: "Security is like a box of hand grenades- you'll never know when you're gonna get a live one."

Much to the chagrin of some Yahoo Mail users, the JS/Yamanner worm played havoc through a vulnerability in the Yahoo Mail service. Now for that bizarro twist- the alleged worm writer was simply looking for a job. He concocted the worm to show off his "elite skills".

From Silicon Valley Sleuth Blog.

Subject: I have written JS/Yamanner@MM Worm

I have written JS/Yamanner@MM Worm that has been discovered 12 June 2006. I found that in Yahoo! mail and use it to execute scripts (collecting yahoo addresses from someone mail, sending this email using Ajax technology to them and then redirecting them into a sample site).

Finally I should mention that I don't like to disturb no one. Since I live in Iran and taking a Job in good computer companies is very hard (because getting Visa is very hard from US) I just want to prove that I have some abilities in web programming. And I like to work with professional team like you if there is any way to do that.

Perhaps they should have named the worm JS/BadManners?

Bottom line is security companies don't hire digital criminals. The actions don't say much for this misguided individual. As Silicon Valley Sleuth notes, he simply could have written a proof of concept instead of steamrolling innocents via e-mail. Security ethics are cemented around integrity. Some of the finest malware fighters I know are truly great people- who care not only about our technological ecosphere but simply want to make it more safe.

On that note stay tuned to this bat channel- PaperGhost has been leading a mad hunt, guns blazing, with the team into the murky depths of- let's say the "Lords of The Underworld". That's your hint. The days get stranger...

I also promise you won't want to hire this guy either...not even to stock your grocery shelves or to mow your lawn.

Internet security...sometimes it isn't all dry analysis and wading through rogue code and links...sometimes the stories get- strange.

First we thought the YapBrowser was dead and buried. After being exposed for serving up UA Porn by a number of security experts, 180Solutions (now Zango after the Hotbar merger) stopped sponsoring the product. A product, I might add, that should have never gotten through any good quality assurance department in the first place.

Then I conducted an e-mail interview with "John Sandy" to try to get to the bottom of the fiasco. The answers were evasive and to date no one can seem to take responsibility for the situation- it has all been pass the buck. Then, mysteriously and quietly, the YapBrowser comes back online promising an adult browser that in their own words: "There is a 100% guarantee no system infection will occur when using our software. YapBrowser is the only browser which gives you safe search and browsing capabilities." We find that promise hard to believe.

We thought that might be the end of it, but now a mini-soap opera is playing out as the people behind the project have launched a discussion forum. What is intriguing about this forum is that a number of the names are the same as or similar to well known security professionals and analysts and people in stories we have covered before. They have registered as users and they are actively carrying on conversations. Some examples include:

Chris Boyd, our own PaperGhost, well known and accomplished malware researcher who went back and forth with the YapBrowser crew across a number of blogs including his own. It is notable the real Chris Boyd did not sign up at the forum. (He has now as Paper-Ghost to monitor the events.)

Susie, who we assume could be an impersonation of Suzi Turner, the well known anti-malware activist that runs and blogger at ZDNET Spyware Confidential who covered the story and had harsh words for the Yap people. In the forum she states her favorite blog is "Sunbelt Software", run by Alex Eckelberry, who was also instrumental in the crackdown on YapBrowser, our own Greynets Blog, and a large business blog I contribute to at Revenews (neutral ground where the first interview took place). Susie goes on to make some jabs at VitalSecurity and Washington Post's Security Blog- written by Brian Krebs. It is notable that the real Suzi does consult for Sunbelt Software and she doesn't speak Russian either. Then again, maybe it isn't *that* Suzi, just a vague "coincidence".

RinCe- An individual who assisted our team with a tip-off while investigating a rogue botnet involved in a massive credit card theft scheme whose owners later wound up in serious legal hot water after the story broke. RinCe doesn't speak Russian to our knowledge. (More on that story later.)

Ozzy, we assume this could be the top gun hacker buster of BlueMicro. We really don't know if it is actually Ozzy having a go at them, or an Ozzy impersonator, but given the circumstances we simply have to wonder. You see how confusing it all gets.

To top it off they link to my interview with the alleged "John Sandy" as if the interview vindicates their activities. Folks- it doesn't. My role was merely to facilitate the conversation and work with the translators to try to get some answers to how a situation could go so horribly wrong.

So why this apparent complex game of charades? We really don't know. That is what we mean by the story getting stranger and stranger. We will continue to monitor, but that won't distract us from the really interesting stories on the horizon. Stay tuned for more mayhem from the digital trenches.

ADDENDUM: Within a few minutes of posting this blog, the Chris Boyd page at Wikipedia was defaced. Fortunately the Wikipedia provides the IP address of individuals who deface the popular wiki.

For several weeks speculation has been moving fast and furious inside security research circles that "adware" maker 180Solutions Inc. has been courting Hotbar, another company that traffics in adware. Naturally this deal would catch the eyes and probing minds of security researchers given 180Solutions' checkered past, and Hotbar has had its own fair share of controversy. The most notable was when Symantec sued Hotbar for the right to classify Hotbar's products as adware. (The suit was settled out of court.)

Now there are articles hitting mainstream press covering the proposed deal, and we can point readers to a rough translation of an article that Google News snagged out of Israel: "Hotbar in talks for sale to 180Solutions".

The article says:

Israeli company Hotbar Inc. is negotiating its sale at a company value of $52 million. The probable buyer is Internet company 180Solutions Inc. Sources inform "Globes" that Hotbar is also negotiating with other companies, including ICQ. Hotbar develops software that sits on the browser, enabling users to change their toolbar to include links to services the company offers. Founded in 1999 by CEO Oren Dobronsky and president Gabriella Karni, the company has raised $15 million to date. Its last financing round was held in 2001. Investors include Eurofund, Tamar technology Ventures, Technorov Holdings, CE Unterberg Towbin, and Deutsche Bank subsidiary ABS Ventures. According to IVC Online, the company had $35 million in sales in 2004.

180Solutions develops software solutions for on-line advertising. The company develops adware, otherwise known as spyware, activities hated by surfers and users of computers. Coincidently or not, this activity is connected to a lawsuit anti-virus developer Symantec Corp. (Nasdaq:SYMC) filed a year ago against Hotbar, in which Symantec demanded that some of Hotbar's activities be classified as adware. The case was settled out of court a few months ago.

Some of this article seems completely off base and some of the connections are a pretty far stretch. For example, it is hard to discern how the Symantec suit had anything to do with a deal like this being brokered- although the article does reference it as a possible "coincidence".

Furthermore, it would be surprising if ICQ were a buyer- ICQ is merely an instant messaging service. Mirabilis was the name of the Israeli company that produced ICQ. Mirabilis was formed in 1996 by four Israelis, Arik Vardi, Yair Goldfinger, Sefi Vigiser and Amnon Amir, and was purchased by AOL in 1998 for over 200 hundred million U.S. (Note our recent walk down IM memory lane with ICQ.)

In 2001, a new company called AOL Time Warner was created when AOL purchased Time Warner, forming the world's largest media company. The deal, announced in 2000, employed an atypical merger structure in which each original company merged into a newly created entity. We have documented Time Warner engaged in distribution deals with 180Solutions for some of their online soap operas. A distribution deal that was ill-timed given the highly problematic YapBrowser fiasco where the browser product, sponsored by Zango (the same adware product sponsoring Time Warner's content), displayed UA pornography after making it through 180Solutions' "stringent" approval process. [Reference background on YapBrowser and links to our interview.] 180Solutions did end the relationship after the activities came to public light.

At this stage it all remains speculative; however, information from many credible sources has been flowing in to researchers for weeks now, and coupled with coverage in Israel- Hotbar's hometown- this researcher is inclined to believe the deal is more than likely going down.

The looming question will be if 180Solutions will continue with what many call irresponsible and poorly controlled distribution practices. A good researcher relies on intuition and what he/she sees in the field. At the same time a good researcher doesn't ignore history and its lessons either.
