The SpywareGuide Greynets Blog


October 29, 2007

  • Bang the Gong

Gong is a Trojan that alters Windows Explorer and other Windows programs so that it can run without the user ever knowing it is there. After it is installed by a large Trojan bundler such as Dloader.Small.ele or ConCommand, it quickly phones home and retrieves an infected file named "svchost.exe", whose purpose is sinister but not entirely unexpected. That file in turn drops a file called "ctfmon.exe", which is launched through an autorun.inf. Both names belong to legitimate Windows binaries that live in the System32 directory, so the name alone tells you nothing; the path and the publisher signature of the copy that is actually running are what separate the real thing from the impostor.
http://blog.spywareguide.com/upload/2007/10/autorun-thumb.PNG
This autorun.inf redefines the drive's shell actions (Open and Explore) so that the infected file runs whenever the user opens or explores the drive.

http://blog.spywareguide.com/upload/2007/10/ustrightclick-thumb.PNG
Choosing either of these context-menu entries runs ctfmon.exe.

When ctfmon.exe runs, it creates several hidden windows with a single-minded purpose: clicks. Clicks mean revenue, and where there is revenue there are bound to be bad actors.

While those hidden windows are running, they frantically click as many hyperlinks as fast as they can in order to drive, or appear to drive, visitors to the operators' sites.


How can you detect these hidden windows? Good question, and the answer may depend on your build of Windows. Our X-Cleaner product has a handy feature that lists every window open at the time, visible or not. No magic, just technical vision!

http://blog.spywareguide.com/upload/2007/10/xclean-thumb.PNG
From here you can see which process is causing the activity and even kill it.
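As an added example (this is not code from the original post and not X-Cleaner's own tooling), here is a PowerShell function that does the same job as the screenshot above: it walks every top-level window with EnumWindows, keeps the ones IsWindowVisible rejects, and joins them to the owning process and its image path. The function name and output fields are our own; it assumes Windows PowerShell 3 or later for Add-Type with P/Invoke.

```powershell
# Added example: list hidden top-level windows and the processes that own them.
# Assumptions: Windows PowerShell 3+ (Add-Type with P/Invoke); the function and
# field names are ours, not X-Cleaner's.
Add-Type -TypeDefinition @"
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class User32Enum {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder buf, int max);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetClassName(IntPtr hWnd, StringBuilder buf, int max);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
}
"@

function Get-HiddenTopLevelWindow {
    # Collect (handle, owner pid, class, title) for every top-level window that is not visible.
    $hidden = New-Object System.Collections.Generic.List[object]
    $callback = [User32Enum+EnumWindowsProc]{
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        if (-not [User32Enum]::IsWindowVisible($hWnd)) {
            $title = New-Object System.Text.StringBuilder 512
            $class = New-Object System.Text.StringBuilder 256
            [void][User32Enum]::GetWindowText($hWnd, $title, $title.Capacity)
            [void][User32Enum]::GetClassName($hWnd, $class, $class.Capacity)
            [uint32]$ownerPid = 0
            [void][User32Enum]::GetWindowThreadProcessId($hWnd, [ref]$ownerPid)
            $hidden.Add([pscustomobject]@{
                Handle = $hWnd; OwnerPid = $ownerPid
                Class = $class.ToString(); Title = $title.ToString()
            })
        }
        return $true   # keep enumerating
    }
    [void][User32Enum]::EnumWindows($callback, [IntPtr]::Zero)

    # Resolve each owning process once; Path can be unavailable for protected processes.
    $byPid = @{}
    foreach ($p in Get-Process) { $byPid[[uint32]$p.Id] = $p }
    foreach ($w in $hidden) {
        $proc = $byPid[$w.OwnerPid]
        $name = '?'; $path = '?'
        if ($proc) {
            $name = $proc.ProcessName
            try { if ($proc.Path) { $path = $proc.Path } } catch { }
        }
        [pscustomobject]@{
            OwnerPid = $w.OwnerPid; Process = $name; Path = $path
            Class = $w.Class; Title = $w.Title; Handle = $w.Handle
        }
    }
}

# Every GUI process owns a few hidden helper windows (IME, OLE, tray icons), so
# look for outliers: many hidden windows owned by one process outside \Windows\.
Get-HiddenTopLevelWindow |
    Group-Object OwnerPid, Process, Path |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The count per process is the useful signal: a click-fraud helper like the one described here shows up as one process (often with a Windows-lookalike name but a non-Windows path) owning a pile of hidden windows. Once you have the PID, `Stop-Process -Id <pid>` is the "click and kill" step; keep a copy of the image first if you want to analyze it.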

More and more rogues are using these below-the-belt tactics to inflate traffic to their websites in order to pump up revenue. You may not know who they are, but you can know what they are using. Click and inspect so you know which programs are soaking up your processing power, then return your system to its rightful owner: you. With a click and a kill.

August 28, 2007

  • Ingreslock Exploit: Alive and Well

There has been a large, steady stream of new Trojans coming out of China lately. Now it is starting to look more drastic than that. It all begins with Downloader-Arun. Like most other downloaders, its purpose is to download as many Trojans as possible. This is just how bad it can get:

arun.png
Breakdown of what Downloader-Arun installs on the victim PC.

While Downloader-Arun is installing, it contacts another Chinese site to download sercer.exe onto the victim's PC. Sercer.exe is immediately run and moved to C:\Program Files\Internet Explorer as SPLOAE.exe.

http://blog.spywareguide.com/upload/2007/08/directory-thumb.png
Sercer.exe has the same file size and MD5 hash as C:\Program Files\Internet Explorer\SPLOAE.exe.

Once SPLOAE.exe is running, it gets information that is stored in SPLOAE.dat.

http://blog.spywareguide.com/upload/2007/08/packetcapture-thumb.PNG
This is the same information that is stored in SPLOAE.dat.

Since the infection sits in the Internet Explorer directory, it is a good idea to check what kinds of connections are taking place. Looking closer at the connection, you'll see that someone is attempting to exploit your computer! You may recognize this type of attack if you were a Playboy customer in '98.

http://blog.spywareguide.com/upload/2007/08/ingreslock1524-thumb.PNG
A connection has been made to port 1524, the IANA-registered "ingreslock" port, which backdoor shells have squatted on for years. Foul play is sure to follow.

Now would be a good time to check and see what kinds of connections are currently active on the infected PC.

http://blog.spywareguide.com/upload/2007/08/netstat-thumb.png
You can tell whether there is a connection to your computer with the netstat -a -n command; adding -o (netstat -a -n -o) also prints the PID that owns each connection, so you can match it to the process.

There is a connection established to the same IP address that was seen during the installation. Taking a closer look at the domain brings you to *dramatic pause* his blog!

http://blog.spywareguide.com/upload/2007/08/hack-thumb.png
The established connection redirects to a blog of questionable safety.

Fortunately for the victim, there is a very easy way to tell whether you have this particular threat: if you are infected, there will be an autostart value called "MrXiaokan".

http://blog.spywareguide.com/upload/2007/08/autostarter-thumb.png
This threat auto-starts using the value "MrXiaokan".
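The three checks in this post (hash the dropped copy against the original, inspect established connections, look for the autostart value) as one PowerShell triage script. This is an added example, not the post's own tooling: the value name "MrXiaokan", the drop path under Internet Explorer and remote port 1524 come from the post; the function names, the -Sample parameter, the extra signature check and the use of Get-NetTCPConnection (which needs Windows 8 / Server 2012 or later) are our assumptions.

```powershell
# Added triage example for the infection described above (not the post's own code).
# From the post: Run value "MrXiaokan", drop path under Internet Explorer, remote port 1524.
# Assumed: function names, -Sample parameter, Get-NetTCPConnection (Windows 8+/2012+).

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Find-AutostartValue {
    # Registry value names are case-insensitive, so "MrXiaokan" and "Mrxiaokan" both match.
    param([string]$ValueName = 'MrXiaokan')
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -ieq $ValueName) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

function Find-ConnectionToPort {
    # Same information as "netstat -a -n -o", joined to the owning process.
    param([int]$RemotePort = 1524)
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -eq $RemotePort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $name = '?'; $path = '?'
            if ($proc) {
                $name = $proc.ProcessName
                try { if ($proc.Path) { $path = $proc.Path } } catch { }
            }
            [pscustomobject]@{
                Local    = "$($_.LocalAddress):$($_.LocalPort)"
                Remote   = "$($_.RemoteAddress):$($_.RemotePort)"
                OwnerPid = $_.OwningProcess; Process = $name; Path = $path
            }
        }
}

function Compare-DroppedCopy {
    # The post matched sercer.exe to SPLOAE.exe by size and MD5; do the same.
    param(
        [Parameter(Mandatory)][string]$Sample,
        [string]$Dropped = 'C:\Program Files\Internet Explorer\SPLOAE.exe'
    )
    foreach ($f in @($Sample, $Dropped)) {
        if (-not (Test-Path -LiteralPath $f)) { Write-Warning "not found: $f"; return }
    }
    $a = Get-FileHash -Algorithm MD5 -LiteralPath $Sample
    $b = Get-FileHash -Algorithm MD5 -LiteralPath $Dropped
    $sameSize = (Get-Item -LiteralPath $Sample).Length -eq (Get-Item -LiteralPath $Dropped).Length
    [pscustomobject]@{
        SampleMD5 = $a.Hash; DroppedMD5 = $b.Hash
        Identical = ($a.Hash -eq $b.Hash) -and $sameSize
    }
}

function Find-NonMicrosoftInIEDir {
    # Anything executable in the IE directory that is not validly signed by Microsoft.
    Get-ChildItem 'C:\Program Files\Internet Explorer' -Filter *.exe -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{ File = $_.FullName; Status = $sig.Status; Signer = $subject }
        } |
        Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft Corporation' }
}

Find-AutostartValue
Find-ConnectionToPort
Find-NonMicrosoftInIEDir
# Compare-DroppedCopy -Sample 'C:\cases\sercer.exe'   # path to your captured sercer.exe
```

The signature check is the generalization of the post's "it lives in the IE directory" observation: every legitimate binary in that directory is Microsoft-signed, so an unsigned SPLOAE.exe stands out even if the attacker renames it next time. Treat a hit on any one of these checks as enough to pull the machine for a closer look rather than waiting for all three.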

This was just one of the files installed by the original Trojan, Downloader-Arun. Other threats are out there just waiting to be clicked. My advice to you is this: mind your clicks.

March 12, 2007

  • Kailash Ambwani Talks on Greynets and Perils of Web 2.0

Our CEO, Kailash Ambwani, talks on the greynets concept and how the majority of Internet traffic has evolved from HTTP to communicative application traffic. Ambwani discussed how enterprises are adopting greynets, how this increases security liabilities, and how FaceTime security products enable and secure greynets. Remember, FaceTime is about enablement and control of these innovations inside the enterprise. Why? Because customers are demanding to communicate this way, and often an organization's most sophisticated users, the forward thinkers and innovators, will bring them into the network because they realize their value, but sometimes forget about the security and regulatory risks involved.

Here is part one, and I would note to pay particular attention to how anonymizers like Rodi and/or Tor can be used to bypass typical forms of defense. Naturally, and Kailash acknowledges this, products like Tor (sponsored for a time by the EFF) can be used as anti-censorship tools, especially in countries where this is a problem.

However, they can be a disaster, a potential legal nightmare for large enterprises and IT administrators to manage. Kailash goes on to note how malware is now profit driven. In his limited time he didn't get to explore the use of widgets (often thin Ajax clients) or the stripping of content using browser-powered tools that allow the propagation of content like video across the enterprise. This can also be problematic given attacks like the Windows Metafile (WMF) exploits or exposure to inappropriate content.

In part two Kailash goes on to discuss how Facetime addresses the issues. Once again the focus is on enablement and control. The Internet is changing and we all must change with it.


October 31, 2006

  • John Battelle on Google and DHS and Google Trends Can See

Noted blogger John Battelle reports in his blog, based on a couple of pieces, on who Google (NASDAQ:GOOG) is working with these days.

One example from HomeLandStupidity.us he references:

IT contractors and intelligence officials familiar with the arrangement confirmed to HSToday.us that Google had been providing assistance to the intelligence community, but would not say under what authority that assistance had been requested or provided.

The intelligence community appears to be interested in data mining Google's vast store of information on each user who uses Google's services. Google collects data on each user's search queries, which web sites users visited after making a query, and through its Google Analytics service, can also track users on cooperating web sites. It's not clear what level of access to or how much of this information has been made available to intelligence agencies.

John goes on to note:

This might be filed in the Tin Foil Hat category, or it might be something we look back on and wonder how we ever missed it. I don't have any idea which. That alone sort of scares me.

The story says that Google is working with the Govt. in the war on terror. It depends a lot on ex CIA agent Robert Steele, who may or may not be a trustworthy source.

I've seen this story all over the place this weekend, and it strikes me as possibly accurate on at least one level: If the CIA/Dept. of Homeland Security was NOT trying to secretly work with Google, it's even lamer than we might imagine. After all, the company has just about the best infrastructure in the world to help them do their job. Is it legal? Moral? Right? Another question entirely....

This is ironic for two reasons:

1) Chris Boyd (Microsoft Security MVP) and head of our Malware Research Labs (currently on hiatus preparing for our talk at the RSA show and something he wants to talk about called The Fourth Wall) and yours truly, Wayne Porter, also Microsoft Security MVP, Director of Special Research, currently working on e-commerce analysis, were recently, along with the FaceTime Communications team and our Security Labs team, noted publicly on Google's security thank-you page:

Google Thanks You. People and organizations with an interest in security issues have made a tremendous contribution to the quality of the online experience. We are grateful for the responsible disclosure of security vulnerabilities in our software. On behalf of our millions of users, we would like to thank the following individuals and organizations for going out of their way to improve the Google experience for everyone:

* Alex Shipp, Messagelabs
* Bryan Jeffries
* Castlecops
* H D Moore
* Jeremiah Grossman
* Johannes Fahrenkrug
* Martin Straka
* Team Cymru
* Yahoo! Paranoids
* Wayne Porter & Chris Boyd, FaceTime Communications
* Alex Eckelberry, Sunbelt Software
* Richard Forand

I add as an odd aside that after commenting on an article at ThoughtShapers on Google's move into podcasting/adsense and how they are tearing up top down media all kinds of people pinged me on whether I was one of the 'trusted sources" who leaked this to Jeff Molander. The answer is no. I made that clear in my personal blog notably here (The Google Rumor Mill Redux- Getting Details Straight) and an aside here Leaked Papers and Google Adsense.

Going back to John's observations, though, I have no idea whether or in what capacity Google is working with Homeland Security; I am just a cog. With their processing and information-gathering power, I would be hard pressed to say that it wouldn't make sense for DHS and/or the CIA to want to do so.

Remember that GUID I talked about at Revenews? (Note: GUID is a Globally Unique Identifier. A GUID is often a pseudo-random number used in software applications. Each generated GUID is "statistically guaranteed" to be unique.)

For example, a GUID, or simply the longer someone uses a service (even anonymously and in aggregate), makes it easier to determine who they are. Granted, Google may not have any nefarious purpose for this, but what happens when other agencies do? You might be "anonymous" to Google, but when another agency plays connect-the-dots after obtaining access to your machine and subpoenas activity around a GUID, you aren't so anonymous anymore. In reality, you become an online novel: I can perhaps establish your character by your queries. Of course, this risk exists with any tracking mechanism, but a service as ubiquitous as Google, especially one that looks at queries, is all the more potent.

2) I do know that Homeland Security pays attention to cyberthreats, as they should. I was surprised to find some of our research in their daily briefing reports, specifically around some notable worms. These reports, a.k.a. the DHS Daily Open Source Infrastructure Report (Daily Report), are a daily (Monday through Friday) summary of open-source published information concerning significant critical infrastructure issues. They are divided up by the critical infrastructure sectors and key assets defined in the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets.

An Example- this was over the KMeth Worm, which I find interesting.

  • Kmeth Worm noted by DHS [PDF Document]
  • Most of these Daily Briefings- which are free and unclassified appear on the DHS.gov site, although to search them you need to use the FEMA.gov site...

    Tin Foil Hats? I don't know. Safety, privacy and security are all different but related, and they require a delicate balance. Then you have to think back to the NSA wiretapping scandal. Did people really notice? Did they really care?

    Take a look at Google Trends (given the question, is this a good place to validate it?). Google Trends is a fairly good indicator of search activity, an indirect reflection of what is going on online.

    Here we see the terms: wiretapping, NSA scandal, wiretapping scandal, wire tapping

    Click to See Chart

    Interesting...there is some movement there.

    Now: NSA scandal, wiretapping scandal, ATT scandal, NSA wiretapping, phone tapping

    Click to See Chart

    Nada, zilch. Not even if you analyze U.S. queries only- despite major press coverage. Try your own strings and see what turns up.

    Of course per Google: "Google Trends aims to provide insights into broad search patterns. As a Google Labs product, it is still in the early stages of development. Also, it is based upon just a portion of our searches, and several approximations are used when computing your results. Please keep this in mind when using it."

    August 09, 2006

    • CDT Releases Following The Money Trail Part Two

    The Center for Democracy and Technology has released its latest report on advertising intermediaries, which include ad networks, affiliate networks and CPA networks. The document might be confusing if you are not practiced in the world of online advertising, but the CDT does a pretty good job of making a complex economy simple.

    The takeaway is that advertisers and advertising intermediaries need to practice more due diligence in their business practices.

    Find below the download links for the Following the Money Trail Series Part I and the latest Part II. If you want to understand how malware and money are the new fuel for Internet mayhem this is a good place to start.

    To give you an idea how complex some of the relationships become while we track the money trail on cases take a look at this sample screenshot from the report. Rest assured we have seen cases far more tangled than this cloud.

    adware-advertising-small.gif


    "Companies need to take responsibility when their advertising dollars go to support companies that prey on unsuspecting consumers," said CDT Policy Analyst Alissa Cooper, who co-authored the report. "Whether placed directly or through intermediaries, these ads diminish the Internet experience for millions of people. Advertisers that work with these distributors are running out of excuses, and must either start policing their advertising spending, or answering to their customers who have been harmed by adware."

    Indeed! We could not agree more.

    Take the time to get educated with these great reports from the CDT and pass them along to your friends. Have an advertising question? Drop us a comment and and I will be happy to answer it for you or find someone who can.

    Part 1 of the CDT Report [PDF]

    Part 2 of the CDT Report [PDF]

    Report Write-Up: Wayne Porter, Sr. Dir. Greynets Research

    July 18, 2006

    • Pop Ups Will Fade- Ad Injection Next? More Observations from Ben Edelman

    Ben Edelman has some new spyware research about Vonage and some of the unsavory things going on. It is a long and technical read, but I recommend it. (see link to video at end) and Late Entry on Vonage behind the scenes action.

    He covered several examples, but the one that caught my eye and I wanted to talk about was the use of ad injection.

    Examples he covered in the article. Ad Injection in bold.

    Spyware-Delivered Pop-Up Ads
    Direct Revenue
    Targetsaver - covering AOL
    Targetsaver - covering a sexually-explicit site
    SearchingBooth

    Banner Injection Into Others' Properties
    Fullcontext - ad injected into Google.com
    Searchingbooth - ad injected into True.com
    Searchingbooth - ad injected into eBay
    DollarRevenue - replacing an ad within Boston.com

    Spyware Delivered Banner Farms
    Hula's Global-Store
    ExitExchange

    Spyware Lead Acquisition
    Direct Revenue - Vendare's Myphonebillsavings
    Direct Revenue - NextClick's Phonebillsolution

    It is worth noting that in the first three examples (Google, eBay and True.com) the ads are injected above the site.
    However, DollarRevenue injects its ads into a site, covering a banner placed by the site. For a site this means the person who bought the media might not be getting their fair share and the site owner is not getting paid.

    But what does this mean for people- netizens?

    I was intrigued by this question and by what seemed to be a relatively dead tactic coming back to life in the field, so I queried Ben for a discussion. In short, he wondered aloud whether banner injection might be "the next big thing." He told me that until this past month he had only seen one spyware program injecting banner ads into others' sites: DeskWizz's SearchingBooth. But then this past month he found two more, FullContext and DollarRevenue. That's startling and rapid growth, suggesting there may be more to come.

    Ben also pointed out that these ad injectors benefit from the lack of transparency in banner ad syndication. At least affiliate merchants generally get to approve their partners one by one. (Most sophisticated merchants have long since disabled auto-approve.) But when advertisers buy banner ads, especially run-of-network / remnant / untargeted ads, they get very little visibility into where those ads appear. This is practically an invitation for placements in spyware injections and other unseemly locations.

    In the past many users suspected they had spyware from all the annoying pop-ups, but like the Borg the dark forces adapt and change tactics: smaller footprints, random file names and MD5s, using rootkits. So I am not surprised if this new tactic enters the fray. I can envision it popping up on social networks like MySpace or non-hierarchical news sites like Digg.

    The Ad Injection is very subtle and thus people may not know it is going on and that a program is doing it.

    Take for instance an "anti-fraud screen" I found while tracing the money trails of a mass spam attack (still looking into that one) that was delivering malware and porn through deceptive SEO and encoded JavaScript injection. In this case, as I understand it so far, a company from Russia runs a private pay-per-click engine and, I believe, offers XML feeds and search results powered by syndicated results from various pay-per-click search engines. They dole out up to 75% or more to webmasters and pocket the rest.



    http://blog.spywareguide.com/upload/2006/07/7search-anti-fraud-thumb.gif


    While it is good 7Search is periodically checking for problem syndication- I have to ask- why do you need the end user to police it? I would prefer them to keep the problems out at the gate.

    What topic did you click? Straight forward. If you can remember. Why not log the topic?

    Are you infected with spyware? How would they really know? That is how it got the moniker "spyware" in the first place. People didn't know how it got there or someone else installed it or any number of situations occur.

    Are you a part of a pay-to-surf program? Name them. Ouch. Not as if people getting paid are going to out anyone, or would they? Doesn't add up to me. Not to mention that incentivized search historically gives low yields for advertisers.

    In closing pay close attention to this video from Ben's research on the DollarRevenue ad injection. The easy to catch warning signs of spyware infection may indeed fade meaning people will have to be all the more careful.

    Watch in full video of what an ad injection looks like: Edelman's Video on Ad Injection. (Opens to New Window)

    LATE ENTRY: Using the ever-so-handy insider status in the ad world I have learned from more than one anonymous source that Vonage is putting on hold a number of their advertising deals. I am not sure if it is just with the companies Edelman cited in his research or how far this reaches yet. At any rate Vonage is reacting and getting serious in their response. This could be a pivotal movement in the spyware wars. You kill the spies by cutting out the well-funded brands sponsoring their existence.

    May 02, 2006

    • SpyOnThis False Positives and Detailed Registry Key Analysis

    As I blogged earlier in this entry, in a clean VM SpyOnThis detected 13 different threats, all of which are false positives. Most of them were cookies.

    Let us dig into each registry key flagged as spyware by SpyOnThis and see why they are false positives.

    Object: ClearSearch
    Class: REGKEY
    Type: SPYWARE
    FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\
    TRUSTEDPUBLISHER\CTLS
    RiskLevel: 4

    ClearSearch object found!!!
    Object: ClearSearch
    Class: REGKEY
    Type: SPYWARE
    FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\
    TRUSTEDPUBLISHER\CRLS
    RiskLevel: 4

    Claria object found!!!
    Object: Claria
    Class: REGKEY
    Type: SPYWARE
    FoundIn: HKEY_USERS:.default\software\microsoft\systemcertificates\trustedpublisher\crls
    RiskLevel: 3

    Here are the original keys in the registry that were flagged as spyware:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs]

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs]

    Windows Registry Editor Version 5.00
    [HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs]

    Note: none of these keys had any values under them when they were detected as spyware.

    In order to make a full analysis we need to know some basic things here:


    CA - Certification Authority

    An entity entrusted to issue certificates that assert that the recipient individual, computer,
    or organization requesting the certificate fulfills the conditions of an established policy.

    CRL - Certificate Revocation List
    A document maintained and published by a certification authority (CA) that lists certificates
    issued by the CA that are no longer valid.

    CTL - Certificate Trust list
    A predefined list of items that have been signed by a trusted entity. A CTL can be anything,
    such as a list of hashes of certificates, or a list of file names. All the items in the list are
    authenticated (approved) by the signing entity.

    The keys mentioned above are default keys of the Windows operating system. Every system certificate store that Windows keeps in the registry (under ...\SystemCertificates\<store name>) has the same three subkeys, Certificates, CRLs and CTLs, whether or not anything has ever been put in them. The TrustedPublisher store in particular holds the certificates of software publishers whose Authenticode-signed code (ActiveX controls, installers and the like) the user has chosen to trust, and Windows and IE consult it when deciding whether signed code may run without prompting.

    CAs release CRLs regularly so that users and enterprises learn about certificates that are no longer valid. The CRLs key is modified when we import a CRL from a CA.

    None of the above keys are related to either Claria or ClearSearch.
    Thus classifying these keys as spyware is erroneous.

    Let us check other keys also in detail.

    Continue reading "SpyOnThis False Positives and Detailed Registry Key Analysis" »

    April 24, 2006

    • Deception, Deceit and Dollars- Spotting Red Flags

    While Googling to download HijackThis, I spotted a link from Google's AdSense program. Check out the following screenshot:



    (Note the Red X is part of the SiteAdvisor program which can help users spot sites that use deceptive practices and is only displayed if you using the program.)

    In the above screenshot, clicking the link "HijackThis Free download" opens the site http://hijack-this.net/. Naturally, curiosity compelled me to dig deeper into this site, and I also wanted to know what Merijn, the original creator of HJT, had to say about it. It appears it hit his radar a long time ago, and he was not pleased that the name of his product was being used to push other commercial products.

    He states from http://www.merijn.org/

    " April 22, 2005:
    Just a short note on the domain HIJACK-THIS.NET: this is not mine! It has been registered by an affiliate of XoftSpy (who are also on the Rogue Antispyware List on SpywareWarrior.com) and they are luring people into downloading their software believing it is HijackThis. Also, they have registered a few AdWords at Google leading to the same result. We'll see where this goes. In the meantime, if you want to download any of my programs, the official domain is and always will be www.merijn.org."

    UPDATE: April 29, 2005:
    I just received word from ParetoLogic (the owners of XoftSpy) that the affiliate responsible for the page has been terminated and the site will be taken down. That's one down, one to go. :) "

    Let's dig into this mystery...

    Continue reading "Deception, Deceit and Dollars- Spotting Red Flags" »

    April 11, 2006

    • Pondering Security and My Perspective...

    Any given day of the week (and many weekends) I keep myself busy with the task of trying to ensure that end users' computers are free of whatever the spy/ad/greyware of the day might be, making sure that their shopping habits or surfing history are not transmitted to some faceless company. It is a never-ending struggle.

    It came as a bit of a wakeup call that, no matter what I do to keep the desktop clean, there are still other dangers out there.

    Continue reading "Pondering Security and My Perspective..." »

    April 04, 2006

    • EULA Madness Tinko Pal Revisited With Commentary

    I am really ready to start tackling EULAs, so to kick things off I am revisiting a piece I did on the TinkoPal EULA months ago. Take a close look as I highlight some of the language and conditions you would accept in this EULA. For added value my comments will be in bold text surrounded by parentheses and are not a part of the EULA.

    TinkoPal EULA Page: http://www.tinkopal.com/terms.html
    Note: the original EULA is no longer available at this URL.


    Continue reading "EULA Madness Tinko Pal Revisited With Commentary" »

    February 21, 2006

    • Sometimes I Hate Being Right- Send Keys

    It seems only yesterday that I wrote about the dangers of the "sendkeys" attack, and how it would easily defeat any kind of confirmation screen the adware creator puts up, and what to do about the problem.

    Now both crusaders Wayne Porter and Ben Edelman discuss this technique being actively used in the wild. Grab (a small amount of) popcorn and watch the movie.

    Let's make things very clear here:

    If adware creators do not build a strong validation system like the one we have proposed (or something similar), then any form of obtaining user consent via a confirmation dialog is virtually worthless!

    On that note a personal message to 180 Solutions.
    Your "S3" has been proven to be "less than satisfactory".
    Get the message and learn the lesson, or S4 and S5 will go the same way.

    February 19, 2006

    • Another Small Piece of the Puzzle- Agree Speed

    This vitalsecurity entry took me to an interview the Washington Post did with a botnet herder. It is indeed a bit of a long read, but proved to be worthwhile.

    As a spyware researcher, I always wondered how botnet operators are able to install all the different pieces of adware onto victims' PCs without the users being any the wiser. Many of these programs now have "confirmation boxes" that show a EULA which needs to be "agreed to" before installing. For the sake of clarity I will keep the discussion of whether these EULAs actually fulfill their purpose for another place and time. We observed the end user not seeing anything at all.

    My first assumption was that the botnet operators distributed "hacked"/modified versions of the adware package, with that particular screen removed.

    I was wrong. Seems like I was applying Occam's Razor at the dull end.

    This "pseudo-technical" quote tipped me off that something else was going on:

    Once they invade a computer and add it to their botnet, they use automated keystroke codes to order the enslaved machine to click "OK" on installation agreements.

    If you are any kind of developer, this should ring a bell.
    It seems they are using the good old "SendKeys" command, which has been around for years.

    In terms of efficiency this sleight of hand makes sense. Instead of having to mess with a resource editor, repackaging and hosting their own modified versions, they merely use the original installer package from the official adware location, launch it, locate the dialog with "FindWindow" and send a few "OK" keystrokes with SendKeys. This can be implemented in less than a dozen lines of VBScript.

    So it turns out the user gets to "see" the confirmation dialog after all, but only for the time it takes the Windows API to process the requests. On an average computer, that is less time than it takes to blink an eye. On a slower system, it will be about a quarter of a second, still in the "subliminal message" range. All of this of course assumes that the user is actually staring at the screen at the exact moment of installation. That is fairly unlikely, since most of these installations are scheduled to happen unattended in the wee hours of the night.

    The adware vendors will, as per standard protocol, claim that there is nothing they can do about this practice.

    With that I offer some free consulting advice for those vendors who are actually interested in weeding out the bad affiliates (anybody still listening?). It is easily implemented by a junior developer in a few hours and will earn back its cost many times over in a few days.

    Given that your application already reports installations back, along with a computer identifier and an affiliate ID (otherwise you would not be able to cut cheques for your affiliates, which is exactly the root of the problem):

    - In the confirmation dialogs, note the time when the window opened. Note the time when the "I agree" button was clicked.

    - Subtract these measurements, so you end up with a number of elapsed seconds.

    - Report this "agree speed" along with the other installation information back to your central server.

    - Release this as a new minor version of your application. Don't alert affiliates, just put the package in place of the existing one

    - Run some simple statistics on this speed. If a user agrees to the license agreement in under half a second, he is either a Vulcan on steroids or a bot. Report the affiliate for fraud or the user to SETI. (If the records show that the elapsed time to read and agree to the 3000+ word EULA was still less than 3 seconds, you might still make some cash by reporting the user here or here. But I promised to have that discussion another time.)
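The procedure above, carried through as an added PowerShell example (not the post's own code, and not any vendor's): it computes the "agree speed" for each installation report, groups the reports by affiliate, and flags affiliates whose installs cluster under the half-second mark the post suggests. The report field names, the 20% cut-off for withholding payment and the sample reports are our assumptions; the sample data is constructed, with one clean affiliate and one whose installs are all bot-fast.

```powershell
# Added example: "agree speed" fraud check over installation reports.
# Assumed: field names, the 0.5 s bot threshold (the post's half-second figure),
# the 20% cut-off, and the constructed sample data below.

function New-InstallReport([string]$Affiliate, [string]$Machine, [string]$Shown, [double]$AfterSeconds) {
    # One report as the adware client would send it: who referred the install,
    # which machine, when the EULA dialog opened and when "I agree" was clicked.
    $t = [datetime]$Shown
    [pscustomobject]@{ Affiliate = $Affiliate; Machine = $Machine; Shown = $t; Agreed = $t.AddSeconds($AfterSeconds) }
}

# Constructed sample reports (not real telemetry).
$Reports = @(
    (New-InstallReport 'aff-101' 'm-01' '2006-02-19 09:01:00' 14.5)
    (New-InstallReport 'aff-101' 'm-02' '2006-02-19 09:07:12' 31.0)
    (New-InstallReport 'aff-101' 'm-03' '2006-02-19 10:15:44' 0.8)
    (New-InstallReport 'aff-777' 'm-04' '2006-02-19 03:02:01' 0.11)
    (New-InstallReport 'aff-777' 'm-05' '2006-02-19 03:02:03' 0.09)
    (New-InstallReport 'aff-777' 'm-06' '2006-02-19 03:02:06' 0.12)
    (New-InstallReport 'aff-777' 'm-07' '2006-02-19 03:02:08' 2.30)
)

function Get-AgreeSpeed {
    # Elapsed seconds between the dialog opening and the click, per report.
    param([Parameter(ValueFromPipeline)]$Report)
    process {
        [pscustomobject]@{
            Affiliate    = $Report.Affiliate
            Machine      = $Report.Machine
            AgreeSeconds = [math]::Round(($Report.Agreed - $Report.Shown).TotalSeconds, 3)
        }
    }
}

function Get-AffiliateVerdict {
    # Per affiliate: how many installs agreed faster than a human could, and the median.
    param($Reports, [double]$BotSeconds = 0.5, [double]$MaxBotRatio = 0.2)
    $Reports | Get-AgreeSpeed | Group-Object Affiliate | ForEach-Object {
        $speeds = @($_.Group | Select-Object -ExpandProperty AgreeSeconds | Sort-Object)
        $n = $speeds.Count
        $median = if ($n % 2 -eq 1) { $speeds[[int][math]::Floor($n / 2)] }
                  else { ($speeds[$n / 2 - 1] + $speeds[$n / 2]) / 2 }
        $bots  = @($speeds | Where-Object { $_ -lt $BotSeconds }).Count
        $ratio = [math]::Round($bots / $n, 2)
        $verdict = if ($ratio -gt $MaxBotRatio) { 'withhold payment, investigate' } else { 'ok' }
        [pscustomobject]@{
            Affiliate = $_.Name; Installs = $n; BotLike = $bots
            BotRatio = $ratio; MedianSeconds = $median; Verdict = $verdict
        }
    }
}

Get-AffiliateVerdict -Reports $Reports | Format-Table -AutoSize
```

With the sample data, aff-101 comes out clean (one quick click at 0.8 s is not enough to flag a human) and aff-777 is flagged with three of four installs under the threshold. One caveat a practitioner should keep in mind: an affiliate who learns the metric exists only has to add a Sleep before SendKeys, so treat agree speed as a cheap first filter and combine it with the other signals the post mentions, such as a 3000-word EULA "read" in under three seconds and installs that all happen in the middle of the night.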

    So there, Mr. Adware Vendor, you have it. Using this free advice, you cannot lose. You make money in all cases and you have users who actually want your product.

    I am not naive enough to think that this would actually make the vendors refuse the installation; adware is an industry driven by greed. But it will give them a good reason not to pay the affiliate for the fraudulent installation, which translates to less money and hence less motivation for the fraudsters.

    February 14, 2006

    • Google API: Geocoding Spyware Pushers and Adware Vendors

    In the "because I can" department: As an exercise in messing with the Google Maps API, I have started geocoding some of the addresses of creators of (adware and other) products that we have in the spywareguide database. Then with a little php and javascript glue, made a nice overview map on it.

    Click here: List of Software Vendors to see it in action. (Please no yelling if it doesn't work. It's not even beta.)

    Some observations already ([Insert disclaimer about small dataset here]):

    - These companies seem to cluster together. You can notice some definite grouping. Coincidence?

    - Some of them have really neat offices. Select one, zoom in to max level and switch to "satellite mode" to see them.

    - Look at some of the exotic locations! Here is one in Hawaii!


    © Copyright 2006, FaceTime Communications, Inc. All rights reserved.