
November 19th, 2006

Zango's continued bad practices in light of FTC's proposed settlement terms

Posted by Suzi Turner @ 9:11 pm

Categories: Spyware/adware news

Tags:

Just over two weeks ago, the FTC announced a proposed settlement with Zango for the complaint filed earlier this year. Under the terms of the settlement, Zango is required to give up $3 million in ill-gotten gains and to stop a number of bad practices that have been documented as far back as 2002. As usual Zango claims innocence, and on November 3 stated on their blog:

Zango has met or exceeded the key notice and consent standards detailed in the FTC consent order since at least January 1, 2006.

Since November 3, Chris Boyd (aka Paperghost) of Vitalsecurity has posted several articles showing more bad Zango practices, including Zango and the Licat worm, a nasty trojan serving Zango videos, a(nother) Zango profile on MySpace, and a trojan named LowZones that puts a bunch of Zango domains into Internet Explorer's Trusted Zone on users' computers. Security company Websense posted an alert on November 6 about fraudulent supposed You Tube videos with embedded Zango Toolbar installers on MySpace profiles. Just a week ago, Vitalsecurity posted about ProfileWatcher, another method of spreading Zango on MySpace.

November 6th, 2006

Zango, the FTC, MySpace and You Tube

Posted by Suzi Turner @ 6:18 pm

Categories: Spyware/adware news, Spyware/adware warnings

Tags:

This past Friday, the FTC announced a $3 million settlement with Zango, formerly named 180solutions, in a lawsuit charging Zango with unfair and deceptive business practices, among other things. See the ZDNet story here for more details. FTC announcement here. Case documents can be downloaded here.

As usual Zango refuses to take responsibility for anything, again blaming it on their naughty affiliates. From the ZDNet article:

Zango's executives pointed a finger elsewhere, claiming that the federal violations were due to third-party distributors rather than the software manufacturer itself. "We relied too heavily on our affiliates to enforce our customer notice and consent policies," said CEO Keith Smith. "Unfortunately, this allowed deceptive third parties to exploit our system to the detriment of consumers, our advertisers, and our publishing partners." Smith went on to say that Zango would "embrace the new standards" required by the FTC.

Er, cough.. cough.  SOS, different day. How long have the anti-spyware bloggers been writing about this now? Ben Edelman wrote about 180solutions installation methods in July 2004. Eric Howes summed up 180solutions' activities in 2005 with links to over 60 news stories and blogs.

I spoke with Ben Edelman about the FTC's settlement with Zango.  Ben states he has proof that Zango is currently not in compliance with the FTC agreement.

180 continues plenty of bad practices, including some unlabeled ads, materially misleading installations that fail to disclose key aspects of 180's effects, and installation attempts predicated on security exploits. I have the proof, and I expect to post this on my web site in the coming weeks, subject only to my busy travel schedule.

I commend the FTC's efforts here, but serious diligence will be required to assure that 180 actually complies with its many obligations under the settlement. At this instant, I am confident that 180 is not in compliance.

Are we surprised? Paperghost of Vitalsecurity blogged on Saturday, after the FTC announcement, that Zango download prompts are appearing alongside the Licat IM worm. Another rogue affiliate, I suppose.

Today Websense released an alert titled Fraudulent You Tube video on MySpace installing Zango Cash.

Websense Security Labs has discovered a number of user pages on the MySpace domain which have videos that look like they are from You Tube. The videos have an installer embedded within them for the Zango Cash Toolbar. When users click on the video, they are directed to a copy of the video, which is hosted on a site called "Yootube.info."

There are screenshots and a video.  It must be the naughty affiliates again.  What next guys? 

 

October 20th, 2006

Scary malware tricks part 1

Posted by Suzi Turner @ 11:57 am

Categories: Spyware/adware news

Tags:


In keeping with this Halloween season, I’m starting a series on scary malware tricks, similar to last year’s series on spyware tricks. Perhaps my personal focus has changed, but it seems to me spyware tricks are becoming far more devious and destructive. Last year I was testing mostly adware, whereas this year I’m testing more trojans, backdoors, rootkits, etc. Also scary — botnets are reportedly growing in frightening numbers.


CNET’s Joris Evers reported on the recent Virus Bulletin Conference, saying the future of malware is trojan horses. Instant messaging worms are on the rise. Rootkit-based malware is spookiest, and some IM worms are infecting users with rootkits.

Just this week we learned that Apple shipped some iPods with a trojan (not to mention that Apple tried to push the blame onto Microsoft). In its announcement, Apple used the word virus, but it's more like a worm with a backdoor trojan component.

The name of the malware process on the infected iPods is RavMone.exe. Symantec has a good description here, calling it W32.Rajump. When I first read the description, the name was Backdoor.Rajump, but either way, its malicious payload is the same. On initial infection, the malware creates RavMone.exe in the Windows directory and puts itself in a Run key in the registry to make sure it starts with every Windows boot-up. Symantec says it opens a TCP port and immediately tries to phone home to the following URLs:

  • [http://]natrocket.kmip.net:5288/ret[REMOVED]
  • [http://]natrocket.kmip.net:5288/ies[REMOVED]
  • [http://]natrocket.9966.org:5288/ies[REMOVED]
  • [http://]scipaper.kmip.net:80/ies[REMOVED]

What happens next is anyone's guess, but with a backdoor, it can be ugly. Both domains shown appear to be Chinese, as seen here and here. There has been some speculation that perhaps the infected iPods were shipped from a "contract manufacturer", using Apple's words, in China, but I've not seen any confirmation of that. If anyone has a sample of RavMone.exe, I'd be interested in getting it to test. My ZDNet bio has a contact form here.
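If you want to check machines for this one, the indicators above are enough to script a quick sweep. The script below is an added example written for this post, not Symantec's detection logic or anything from Apple: it looks for RavMone.exe in a Run key and in the process list, and for connections to the callback hosts listed above (exact host matches are flagged as strong; any other host on the odd port 5288 is flagged as weak, worth a second look). The input formats are constructed stand-ins for a reg query dump, a tasklist listing and a proxy/DNS log, and the Run value name "RavAV" is made up, since the write-up does not say what value name the malware uses.

```python
"""Host IOC sweep for W32.Rajump / RavMone.exe.

Added example, not Symantec's or Apple's code.  Indicators come from the
write-up above: RavMone.exe in the Windows directory, a Run key autostart,
and the natrocket/scipaper callback hosts on ports 5288 and 80.  Input
formats are constructed stand-ins for 'reg query', 'tasklist' and a log.
"""
import re

CALLBACK_HOSTS = {
    "natrocket.kmip.net",
    "natrocket.9966.org",
    "scipaper.kmip.net",
}
ODD_PORT = 5288   # used by three of the four callback URLs

RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)

# log line: "<date> <time> <src ip> <host>:<port> <path>"  (constructed format)
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<host>[^:\s]+):(?P<port>\d+) (?P<path>\S+)"
)


def _command_exe(data):
    """Extract the executable path from a Run value's command line,
    handling both "quoted path" args and bare path args."""
    m = re.match(r'"([^"]+)"|(\S+)', data.strip())
    return (m.group(1) or m.group(2)) if m else ""


def find_autostart(run_values):
    """Return Run values (key, name, data) whose command points at RavMone.exe.
    The value name is unknown, so we match on the executable path only."""
    hits = []
    for key, name, data in run_values:
        if key in RUN_KEYS and _command_exe(data).lower().endswith(r"\ravmone.exe"):
            hits.append((key, name, data))
    return hits


def find_callbacks(log_lines):
    """Flag connections to the known callback hosts (strong) and to any
    other host on port 5288 (weak)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not in the expected format
        host, port = m["host"].lower(), int(m["port"])
        if host in CALLBACK_HOSTS:
            hits.append(("strong", m["src"], host, port))
        elif port == ODD_PORT:
            hits.append(("weak", m["src"], host, port))
    return hits


def sweep(run_values, processes, log_lines):
    """Combine the three checks into one report dict."""
    return {
        "autostart": find_autostart(run_values),
        "processes": [p for p in processes if p.lower() == "ravmone.exe"],
        "callbacks": find_callbacks(log_lines),
    }


# Constructed sample data (value name "RavAV" is an assumption).
SAMPLE_RUN_VALUES = [
    (RUN_KEYS[0], "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    (RUN_KEYS[0], "RavAV", r'"C:\WINDOWS\RavMone.exe"'),
    (RUN_KEYS[1], "msnmsgr", r'"C:\Program Files\MSN Messenger\msnmsgr.exe" /background'),
]
SAMPLE_PROCESSES = ["explorer.exe", "RavMone.exe", "svchost.exe"]
SAMPLE_LOG = [
    "2006-10-18 09:12:03 10.0.0.5 natrocket.kmip.net:5288 /ret",
    "2006-10-18 09:12:04 10.0.0.5 scipaper.kmip.net:80 /ies",
    "2006-10-18 09:12:05 10.0.0.5 www.zdnet.com:80 /",
    "2006-10-18 09:12:06 10.0.0.7 update.example.net:5288 /x",
]

if __name__ == "__main__":
    for section, findings in sweep(SAMPLE_RUN_VALUES, SAMPLE_PROCESSES, SAMPLE_LOG).items():
        print(section, findings)
```

On a real host you would feed find_autostart the output of reg query for both Run keys and find_callbacks your proxy or firewall log; the port-5288 rule will produce noise on a busy network, which is why it is reported separately from the exact host matches.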

    Another example of very scary technology is the Gromozon rootkit, aka Trojan.LinkOptimizer. I’ll write about Gromozon in the next article in the series.


    October 16th, 2006

    Edelman on 'Deceptive Door Openers' and Ask toolbars

    Posted by Suzi Turner @ 10:09 am

    Categories: Spyware/adware news

    Tags:

    In a new article posted this morning, Ben Edelman continues his investigation of high-profile companies clogging users' computers with junk.  Today's target: InterActiveCorp's Ask.com, known for its widespread "smiley" toolbars.

    Last year I blogged about Ask's various toolbars and the trinkets Ask uses to get users to install them.  But Ben thinks there's a bigger problem here.  So I sat him down for an interview.

    Q: Ben, what's the big deal with Ask's toolbars?

    A: The core problem is that users are being tricked into installing them, under false pretenses.  Users are offered one thing, like "free smileys" or "top 10 cursors."  Then users end up getting Ask's toolbar too.

    Q: Is that really so bad? You're not claiming these are security exploit installs, like what you documented last year. Users actually consent to these installations, right?  What's the problem?

    A: The problem is that users' "consent" is obtained under false pretenses.  Ask gets users' attention with the promise of free tidbits that some users do indeed want.  Once it has their attention, it switches them over to something else — namely, free tidbits plus a bundled toolbar.

    Q: Sounds like the old bait-and-switch routine.  Is that illegal?

    A: Ask most folks, and they'll tell you no.  It's all in the EULA, they'll say, so they think it's just fine.  I want to push back on that a bit.

    I've recently been rereading old FTC cases about unfair and deceptive trade practices.  One that particularly caught my eye is Federal Trade Commission v. Encyclopaedia Britannica, Inc., 87 F.T.C. 421 (1976).  Here's what happened.  Britannica door-to-door salesmen had various ruses "to get in the door" into users' homes — "door-opener" lines, they're called, because they get users to open the door and let the salesman in.  Apparently the salesmen often made promises about free vacations and the like.  It's thanks to these promises that consumers let them in. 

    Now, ultimately the salesmen revealed that actually they were there to sell encyclopedias, albeit with some chance of a free trip thrown in too.  So the truth of the salesman's offer was made known prior to purchase.  But the Britannica case holds that that's just not good enough.  It's not enough for a salesman to talk his way in the front door with a deceptive opening line, planning to tell the truth later.  An honest sales pitch can't begin with a false or misleading offer.  Once a salesman uses such an offer to get a user's attention, there's no cleaning that up, however well the truth is disclosed later.

    Q: That's most interesting.  How does this apply to Internet advertising?

    A: I think the analogy is actually remarkably direct.  Ask's ads make promises like "free smileys."  But Ask no more offers "free smileys" (with nothing more) than the Britannica salesman offers a "free vacation."  To get (a chance at) a Britannica free trip, a customer apparently had to buy an encyclopedia set.  Similarly, to get an Ask free smiley, a user must install Ask's toolbar.  In both cases, the opening offer is materially misleading — promising something that's just not available on the specified terms (a free vacation with nothing more, or free smileys with nothing more). 

    In both cases the truth is made known later: Ask ultimately does explain that users must accept its toolbar too.  But as the Britannica case holds, that's not enough.  The initial offer was so different from the resulting deal that the confusion can't be cured by a subsequent disclosure.

    Q: Is there anything else wrong with Ask's approach?

A: Sure.  I show Ask advertising its toolbars through other vendors' spyware, even after Ask specifically promised it had "cleaned up" its advertising practices.  I show Ask's EULA link appearing off-screen, even after Ask specifically promised it fixed that too.

    Q: What about the Ask toolbar itself?  Is it worth installing?

A: No.  I discourage users from running Ask's toolbars for two reasons.  First, Ask moves the browser's Address Bar from top-left (where it is found in every browser I've ever seen) to top-right.  Ask puts its own search box in the top-left.  So Ask's software makes it highly likely that users will accidentally conduct searches when they intend simply to navigate to sites they request by name.

Second, Ask's toolbar leads to landing pages that are objectionable in their own right.  Ask's landing pages show ten ads — ten! — above the first organic result.  On an 800×600 screen, that means 2 full pages of ads, plus a little bit more after that, all before the first organic result.  That's ridiculous.  No user deserves that, especially since organic results are safer than sponsored links.

    Q: Ben, do you have any big-picture thoughts?

    A: Definitely.  These "deceptive door openers" are remarkably widespread. Many online advertisers use these schemes to pull in unwary customers.  "See what happens next in this video," invite several widespread banner ads, only to require users to give an email address or install software to actually see the rest of the video.  That's materially different from what the ad specifies, and it's a rotten deal for consumers.

    It's reassuring that our legal system already confronted this kind of tactic.  These deceptive door opener cases were litigated before I was born, but they stand for a valuable consumer protection principle that withstands the test of time.  Companies ought not begin their interaction with a prospective customer by making false statements, misleading statements, or statements with material omissions.  That's a lesson Ask (among many others) ought to take to heart.

    Ben, thanks for the interview. 

    The full article can be read here.  There's also a video, made yesterday, showing a non-consensual installation of the Ask toolbar. 

    October 13th, 2006

    Is Zango stealing affiliate commissions from adult webmasters?

    Posted by Suzi Turner @ 9:07 pm

    Categories: Spyware/adware news

    Tags:

    It seems that Zango, formerly known as 180solutions, the company we all love to hate, has royally ticked off a bunch of adult webmasters. Paperghost, aka Chris Boyd, has the story, complete with links to forums where the adult webmasters discuss Zango allegedly stealing affiliate commissions.  True?  I don’t know, but considering some of Zango/180solutions’ past questionable business practices, nothing would surprise me. Interestingly enough, Zango’s blog has a very recent post about cookies, claiming that “Zango does not read, alter, modify or delete Web site or cookie content.” and  stating “Zango… do[es] not alter, manipulate, or delete third-party affiliate referral tracking information.”

In the comments on Boyd's post, Dave Methvin of PCPitstop explains what happens when affiliate cookies are overwritten and links to an article by Ben Edelman on "cookie stuffing". Dave writes:

    [...] here’s how it works. Someone goes to Zango and buys a keyword and/or URL to generate an ad. When an infested user goes to a site or page with the keywords, Zango generates a popup window with the “ad” in it. However, the ad is actually a redirect to a URL with a parameter indicating this is a referral from an affiliate–the affiliate that bought the ad from Zango! It overwrites any other affiliate tracking code that the site was using.

It wasn't that long ago that the CDT filed its complaint with the Federal Trade Commission about 180solutions and their practices. One would think Zango would be minding their Ps and Qs, but maybe not.
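To make the mechanism in Dave's comment concrete, here is a small simulation I put together for this post; it is an added example, not Zango's code or any real merchant's tracking system. The merchant, the affiliates, the URL layout and the two attribution policies are all constructed. With the usual "last click wins" cookie policy, the popup's redirect carrying its own aff= tag replaces the honest webmaster's cookie, and the sale is credited to whoever bought the keyword from Zango. A "first click wins" policy keeps the original referral; it is not a complete fix (an adware hit that lands before the honest referral still wins), but it shows why the policy choice matters.

```python
"""Affiliate cookie overwriting ("cookie stuffing") simulation.

Added example, not Zango's or any merchant's real code.  The merchant,
affiliates, URL scheme and attribution policies are constructed.
"""
from urllib.parse import urlparse, parse_qs


class Merchant:
    """Toy affiliate-tracking server: one tracking cookie per visitor."""

    def __init__(self, policy="last-click"):
        assert policy in ("last-click", "first-click")
        self.policy = policy
        self.jar = {}      # visitor -> affiliate id currently stored in the cookie
        self.sales = []    # (visitor, credited affiliate)

    def visit(self, visitor, url):
        """Handle a page load.  An aff= query parameter (re)sets the cookie;
        returns the affiliate id the cookie holds after this request."""
        aff = parse_qs(urlparse(url).query).get("aff", [None])[0]
        if aff is None:
            return self.jar.get(visitor)            # plain page view, cookie untouched
        if self.policy == "first-click" and visitor in self.jar:
            return self.jar[visitor]                # keep the original referrer
        self.jar[visitor] = aff                     # last-click: newest tag wins
        return aff

    def purchase(self, visitor):
        """Credit the sale to whatever the cookie says right now."""
        credited = self.jar.get(visitor)
        self.sales.append((visitor, credited))
        return credited


def adware_popup(merchant, visitor, advertiser_aff):
    """The 'ad' from the comment above: a popup whose content is a redirect to
    the merchant carrying the advertiser's own affiliate tag."""
    return merchant.visit(visitor, f"https://merchant.example/?aff={advertiser_aff}")


def run_scenario(policy):
    """Honest referral, then an adware popup triggered by a keyword, then a sale.
    Returns the affiliate that gets paid."""
    m = Merchant(policy)
    m.visit("alice", "https://merchant.example/landing?aff=webmasterA")  # honest link
    adware_popup(m, "alice", "zango-advertiser")                          # keyword popup
    return m.purchase("alice")


if __name__ == "__main__":
    for policy in ("last-click", "first-click"):
        print(f"{policy}: sale credited to {run_scenario(policy)}")
```

The honest webmaster did the work of sending the visitor; under last-click the commission still goes to the advertiser who bought the keyword. Real affiliate programs that care about this look at the referring page and the timing of the tag as well, not just the order of cookies.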

    October 9th, 2006

    MVP awards, Messenger Plus! and adware -- a good combination?

    Posted by Suzi Turner @ 9:19 pm

    Categories: Spyware/adware news

    Tags:

A controversy has been raging in certain circles the last few days over an MVP award, which has now been rescinded, to an adware pusher known as Patchou, Cyril Paciullo, the author of Messenger Plus!, now known as Messenger Plus! Live. Ed Bott blogged about it here. Patchou's devotees have been staunchly defending him and his app and are blaming a few MVPs for causing Microsoft to rescind the award. There's a lot of nonsense going around and I'd like to clear some of that up.

Why did the security MVPs, including myself, object to Patchou's award? Simple answer — his app bundles adware, and rather nasty adware at that, best known as Lop even though Patchou and Messenger Plus! refer to it as the "sponsor". So what's wrong with that? The devotees say the adware is optional, which is true, but there's some guilt thrown at a user who opts out of the "sponsor". The dialog says "I refuse to give my support, don't install the sponsor". "Gee — I must be bad if I don't install the sponsor." See SunbeltBLOG for screenshots. Also, Messenger Plus! is widely known to be targeted primarily at kids under 18, who cannot enter into a legal contract and likely would not understand the EULA, if they bothered to read it.

So what is this "sponsor" software? I downloaded and installed Messenger Plus! Live, including the "sponsor", to see for myself. Lop is primarily advertising software that spawns pop-ups on the desktop. Lop used to include a toolbar and change the user's homepage, but that behavior has been eliminated. The "sponsor" installer adds a fake BHO (browser helper object) entry in the registry and creates a hidden scheduled job that starts IE in the background and launches another executable. I observed Lop keeping two instances of Internet Explorer running constantly, even when I didn't have a browser open. Each time I opened IE, one or two pop-ups immediately appeared. These pop-ups are not branded, unlike even WhenU's and Zango's. When I tried to terminate the two instances of IE, one or two other files would kick into action and restart IE, files with names like JugsRoam.exe and heart bend send dash.exe. You can see a list of file names used by Lop here. Lop frequently changes file and folder names in an attempt to evade detection by anti-malware programs. The EULA even contains a clause prohibiting its removal by other applications. The Lop processes continuously contact two domains, ayb.dns-look-up.com and ads.dns-look-up.com, which reside on an IP address owned by C2 Media, the makers of Lop.

It's no wonder that many of the anti-malware vendors call the "sponsor software" a trojan, Trojan.Swizzor.

    SunbeltBLOG has some additional gripes about the "sponsor".

    Ok, to those who support Patchou?  Fundamental problem:  LOP stinks.  And imagine someone installing MessengerPlus and getting that little cute icon to "upgrade your antivirus program" and getting an outright fraudulent scam.  Imagine that person being a relative of yours who doesn't quite know much about computers, and getting scammed.  Or getting popups they don't know the source of (because LOP does not disclose that the popup was generated by LOP, unlike even WhenU or Zango).  

    Note the link to the desktop icons placed by the "sponsor".  One additional thing — I mentioned earlier that a large percentage of Messenger Plus! users are under 18. The "sponsor" displays pop-ups that are entirely inappropriate to tweens and young teenagers, ads for AdultFriendFinder and the like. 

    One of the best sources of technical information and history for Messenger Plus! and the sponsor software, short of installing it yourself, is from another Microsoft MVP, Sandi Hardmeier, who has chronicled Messenger Plus! and its changes for several years now. 

    Personally, I think Microsoft made a mistake in awarding Patchou and did the right thing by rescinding the MVP award.  If Messenger Plus! wasn't bundled with adware, I would feel differently. I understand that Patchou has to earn a living and I hear that he is technically astute and an excellent programmer, but in my opinion, an adware distributor should not be given the MVP award, especially when the adware in question has such disturbing, trojan-like behaviors. 

    September 20th, 2006

    Spyware pushers cash in big on zero day exploit

    Posted by Suzi Turner @ 9:24 pm

    Categories: Spyware/adware news, Spyware/adware warnings

    Tags:

I expect that most readers have already read about the latest zero day exploit, the Microsoft Vector Graphics Rendering Library Buffer Overflow, discovered by Adam Thomas of the Sunbelt Software research team on Monday. I'm not going into detail on it — there is plenty of information about the exploit already, on ZDNet here, Secunia, US-CERT, SANS, and Microsoft Security Advisory (925568). George Ou has blogged that hardware-enforced DEP stops the exploit from launching. A BleedingSnort signature has been created for the VML exploit.

    SocketShield from Exploit Prevention Labs is said to block the exploit. SocketShield has a 30-day trial and the free Link Scanner on their website will check any URL for the exploit code. Sleazy porn sites are using this vulnerability to drop massive spyware on unsuspecting users.  Roger Thompson of Exploit Prevention Labs called it a "massive malware run" with "drive-by attacks hosing infected machines with browser tool bars and spyware programs with stealth rootkit capabilities."

SunbeltBLOG lists nearly 50 threats being installed through this exploit, including familiar names like Virtumonde, BookedSpace, webHancer, SurfSideKick, Qoologic (also known as Qoolaid), Zenotecnico, TagAsaurus, with some trojan downloaders and a backdoor thrown in the mix. Many of these use affiliate programs where the affiliate gets paid per install, so somewhere affiliates of these adware/spyware companies are making a killing off this zero day exploit, trashing computers with their crapware. I have not tested this exploit yet, but it sounds like the kind of payload that would render the machine nearly useless.

    September 8th, 2006

    DollarRevenue adware pushed through bot net for huge profits

    Posted by Suzi Turner @ 6:34 pm

    Categories: Spyware/adware news

    Tags:

German Honeynet Project researchers report that adware company DollarRevenue is directly linked to a botnet attack exploiting the MS06-040 Server service vulnerability reported last month. Botnet trackers estimate that one malicious hacker alone earned $430 in one day by installing malware/adware programs on infected machines. 7,700 machines were hacked in 24 hours using the vulnerability and massively flooded with DollarRevenue files by a single command from the controlling IRC server. As reported by Ryan Naraine, Thorsten Holz, a project founder, said about this hacker:

    "He’s earning more than $430 in a single day with DollarRevenue, and that’s not the only piece of adware he’s installing. He’s installing others and also renting his botnet out to spammers,"

Ugh! I've experienced some massive DollarRevenue infestations myself, as blogged here. DollarRevenue is typically accompanied by other adware including the likes of Look2Me, Qoologic, TagAsaurus, SurfSideKick, NewDotNet, ZenoTecnico, InternetOptimizer and so on. I've blogged about DollarRevenue previously. In June, well known spyware researcher Patrick Jordan, aka Webhelper, had his site DDoS'ed by a trojan linked to DollarRevenue.

DollarRevenue is known for its high payouts to affiliates on a pay-per-install basis, which undoubtedly creates the motivation for these massive installs. DollarRevenue pays 30 cents per install in the USA, 20 cents per install in Canada, 10 cents in the UK, 1 cent in China and .02 cents in other countries. DollarRevenue.com describes their affiliate program here and here. Ryan Naraine describes the botnet operation involving DollarRevenue in more detail.

Some anti-malware vendors describe DollarRevenue software as trojans; see McAfee's description here, Symantec's description here, CA's description here. I've been infected with DollarRevenue software numerous times and have yet to see anything remotely resembling a EULA. In my experience, DollarRevenue is always installed through an exploit with other malware, and DollarRevenue files initiate the installation of other malware/adware. I've seen spam bots and password stealing trojans installed alongside DollarRevenue also.

    Who is responsible for DollarRevenue? Good question.  I wish I had an answer. The current dollarrevenue.com domain registration whois information shows private registration through Network Solutions. The DollarRevenue domain is hosted at IP 194.187.45.56 located in the Netherlands, but research shows their software is installed from multiple IPs and subdomains.

    September 6th, 2006

    FTC settles with Enternet Media for $2 million

    Posted by Suzi Turner @ 7:06 pm

    Categories: General, Spyware/adware news

    Tags:

    The Federal Trade Commission announced their settlement with Enternet Media for $2 million for putting spyware on users’ computers.

Under a stipulated final judgment and order, the defendants are permanently prohibited from interfering with a consumer's computer use, including but not limited to distributing software code that tracks consumers' Internet activity or collects other personal information, changes their preferred homepage or other browser settings, inserts new advertising toolbars or other frames onto their browsers, installs dialer programs, inserts advertising hyperlinks into third-party Web pages, or installs other advertising software code, file, or content on consumers' computers.

    The defendants also are permanently prohibited from making misleading representations regarding the performance, benefits, features, cost, or nature or effect of any type of software code, file, or content, including misrepresenting that the code is an Internet browser upgrade or other computer security software, music, song, lyric, or cell phone ring tone.

    The order names Enternet Media Inc., Conspy & Co. Inc., Lida Rohbani, Nima Hakimi, and Baback (Babak) Hakimi, all based in California, whose software codes were “Search Miracle,” “Miracle Search,” “EM Toolbar,” “EliteBar,” and “Elite Toolbar.”

    According to the FTC’s complaint, the Web sites of the defendants and their affiliates caused “installation boxes” to pop up on consumers’ computer screens. In one variation of the scheme, the boxes offered a variety of “freeware,” including music files, cell phone ring tones, photographs, wallpaper, and song lyrics. In another, the boxes warned that consumers’ Internet browsers were defective, and offered free browser upgrades or security patches. Consumers who downloaded the supposed freeware or security upgrades did not receive what they were promised; instead, their computers were infected with spyware that interferes with the functioning of the computer and is difficult for consumers to uninstall or remove.

    The agency’s complaint also alleges that the defendants’ software code tracks consumers’ Internet activity, changes their home page settings, inserts new toolbars onto their browsers, inserts a large side “frame”or “window” onto browser windows that in turn displays ads, and displays pop-up ads, even when consumers’ Internet browsers are not activated.

    The complaint against Enternet Media was filed last November. Case documents can be found here on the FTC website.

    A description of Enternet Media’s Elitebar, also known as Elite toolbar, is here on Symantec’s site.

    August 15th, 2006

    The state of spyware according to Webroot

    Posted by Suzi Turner @ 10:43 pm

    Categories: Spyware/adware news

    Tags:

    Webroot released its quarterly report on spyware today, claiming spyware infection rates are at their highest since 2004. 

During the second quarter of 2006, Webroot researchers found that 89 percent of consumer PCs were infected with an average of 30 pieces of spyware – a slight increase from the first quarter of 2006 when infection rates returned to alarmingly high levels after a supposed lull in spyware infections during the second half of 2005. According to the report, new distribution channels, advanced spyware technologies and a reliance on free anti-spyware programs are all contributing factors to the startling increase.

The report states that the number of malicious websites increased from last quarter, reaching 527,136. Webroot claims the most prevalent trojan is Trojan-Downloader-Zlob, with over a million traces detected. I don't know about Webroot's other statistics, but I do believe they are correct in saying Zlob is the most prevalent trojan. Zlob is typically responsible for downloading the rogue anti-spyware programs, like SpywareQuake, SpyFalcon, and so on. It seems like every week there is a new rogue anti-spyware program, typically downloaded by Zlob trojans. The most recent example I've seen, VirusRescue, has been written up here, complete with screenshots.

    August 14th, 2006

    More disturbing long-tail content from Zango

    Posted by Suzi Turner @ 6:12 pm

    Categories: Spyware/adware news

    Tags:

SunbeltBLOG asks "Is Zango partnering with a bunch of sickos?" I won't repeat much of what's posted there because it's too disgusting, but here's the first part.

    unitedtoserve2005(dot)com redirects to a hard core porn site, search(dot)porn-info(dot)info, which offers “totally free porn videos”.

    These are Zango porn videos — you watch them but get Zango spyware installed on your system.

    More curious is that viewing unitedtoserve2005 with Javascript disabled brings up some very disturbing keywords, like the following (WARNING: very offensive language):

Just last week Zango was mentioned in the CDT report on adware advertising and the money trail. I've been so busy I haven't kept up with all the news (hence no blogging), but the CDT report is certainly worth delving into. Meanwhile Paperghost is still on the Zango trail at Vitalsecurity. There's lots more on Zango and MySpace, Zango and Winamp, and now Zango video ads on The Guardian website. Recently Warner Bros. gave Zango a swift kick right out the door, so not all is peachy in Zangoland.

    August 14th, 2006

    Movieland.com sued for spyware

    Posted by Suzi Turner @ 1:32 pm

    Categories: Spyware/adware news

    Tags:

Hot off the wires — I just got a press release stating that Washington State Attorney General McKenna has filed a suit against Movieland.com and three associated companies, all California based, for "installing software that takes control of a consumer's computer by launching aggressive and persistent pop-ups that demand payment for a movie download service." From the press release:

    “The defendants in our suit promote a movie download service through Web sites including movieland.com that offer consumers a free three-day trial,” McKenna said. “After the trial period, consumers are inundated with pop-ups that appear at least hourly and subject the consumer to a 40-second payment demand that cannot be closed. These messages are generated by software installed on their computers that cannot be easily removed.

    “To stop these aggressive pop-ups, many frustrated consumers ultimately give in to the defendants’ unfair tactics and pay anywhere from $19.95 to nearly $100 for the service,” McKenna said. “Thousands of consumers nationwide have complained to my office, the Federal Trade Commission, the Better Business Bureau and others about the defendants’ unfair practices.

    Washington’s lawsuit charges Digital Enterprises, of West Hills, doing business as Movieland.com; Alchemy Communications, of Los Angeles; AccessMedia Networks, of Los Angeles; and Innovative Networks, of Woodland Hills, with violating the state’s Computer Spyware and Consumer Protection acts.  Two company officials are also charged in the suit: Digital Enterprises’ Easton A. Herd, and Alchemy’s Andrew M. Garroni. Both men live in Los Angeles.

    If found liable, each defendant could be fined $100,000 per violation of the Computer Spyware Act and $2,000 per violation under the Consumer Protection Act. They may also be required to pay restitution to affected consumers.

    A copy of the full complaint can be downloaded here (PDF). A description of the Movieland software can be found here. Movieland.com’s website is here (click at your own risk) — see talkbacks.

    Related links at ConsumerAffairs.org, MovieLand denies it pipes spyware onto users’ computers; and at VCN.com, how to remove Movieland from your computer.

    July 28th, 2006

    Zango caught in lies about their software on MySpace?

    Posted by Suzi Turner @ 12:26 pm

    Categories: Spyware/adware news

    Tags:

    Zango's videos have been found all over MySpace, along with a number of sites pushing Zango videos to MySpace users without disclosing the presence of Zango. Profiles named Zango were found on MySpace, and Zango later admitted an employee created the profiles and said it was a "mistake". At one point it looked like Zango was being pushed out of MySpace, but, alas, that has not turned out to be the case, per Boyd here.

    When asked about their presence on MySpace, Zango spokesman Steve Stratz denied targeting MySpace to Information Week:

    Zango denied it was targeting MySpace as a distribution resource. "Are we targeting MySpace?" asked Stratz. "No. Does our content show up on MySpace? Yes."

    Spyware researcher extraordinaire Chris Boyd, aka Paperghost of Vitalsecurity, has been pursuing Zango's entanglement with MySpace like a trusty hound dog on a trail. Now Boyd claims to have proof that Zango was, indeed, targeting MySpace.

      An anonymous tipoff (who claims they were an affiliate of Zango, but got fed up with them emailing him all the time) recently saw the whole "Zango on Myspace" thing and was surprised to see Zango claiming they have a "hands off" policy towards Myspace. [...]

    Surprised, because he claimed they sent him what appeared to be a mass-mail shot from a Zango rep, showing all these fun ways to push Zango on Myspace. Intrigued (and having this confirmed by another source), a third person then went and sent me a copy of (what I presume) is the full Email, completely unannounced. As you might have guessed, it's a rather spectacular read.

    Boyd posted some choice snippets from the email, like this:

    "Zango is fairly new with myspace sites and it took me some time to see what works and what doesn't."[...]

    …more profitably, *go to a bunch of your friends* who have popular profiles and pay them (it's up to you so much. One of my partners said 5$..maybe offer to split the money with them?) to put a zango video into their profile through your site. This will give you hundreds of extra installs a day (this probably works even better than having them on your actual site).

    Boyd has more from the email. Full read here.

    Update: Boyd has posted the full contents, minus names, of the email as a text file here. There's more propaganda by the Zango rep about how to push the videos. 

    A Zango gateway is a “door” that the visitor passes through to access free content on the other side. The “key” to the “door” is installing zango. This is very popular. For a great example of what a zango gateway looks like, go to www.musicvideocodes.info and click on any of the songs. You’ll see the Zango gateway (first make sure zango’s not installed on your computer: you can see the zango icon on your desktop).

    Fascinating – a Zango gateway. No thanks. TechWeb contacted Zango for a response and also got Boyd's rebuttal to Zango. In typical Zango style, they dance around the issue and refuse to take responsibility.

    July 18th, 2006

    Vonage and spyware

    Posted by Suzi Turner @ 12:10 am

    Categories: Spyware/adware news

    Tags:

    What does Vonage have to do with spyware? Ben Edelman has the answer to that question. In his usual meticulous style, Ben has documented with screenshots, packet logs and diagrams the relationship between Vonage and spyware. Vonage is caught being advertised by pop-ups from Direct Revenue, Targetsaver and others, sometimes not in the appropriate circumstances. (See spyware popping porn in all the wrong places) Ben notes:

    I have repeatedly observed Vonage buying "ordinary" spyware pop-up ads from vendors like 180solutions, Direct Revenue, and eXact Advertising. See e.g. the top thumbnail at right, a March 2006 screenshot of a Vonage ad appearing through Direct Revenue. See also my March 2005 report of Vonage ads appearing through eXact Advertising. These relationships add up to big money: BusinessWeek last week reported that Vonage paid Direct Revenue $31,570 in a single month of 2005 — a remarkable $110 for each customer Direct Revenue sent to Vonage. Meanwhile, in its litigation against Intermix, the New York Attorney General specifically documented Vonage’s ads appearing in Intermix KeenValue pop-ups.

    Vonage ads are being injected by spyware into other companies’ sites — note the phrase injected into, which raises legal concerns of copyright infringement, among other concerns. Catch the video of an ad injection by DollarRevenue. Vonage ads are also being delivered by spyware using banner farms. See Ben’s write-up on the problem of banner farms here.

    Ben notes that Vonage won an Effie award just last month for the effectiveness of their advertising. The Effie site seems to be unreachable at the moment, but perhaps someone ought to rethink that award – why award a company that advertises with spyware? Ben also notes that most companies don’t necessarily intend to have their ads shown by spyware, and he has suggestions for how Vonage could stop their ads from being delivered by spyware.

    July 17th, 2006

    Pushing Zango - out of MySpace

    Posted by Suzi Turner @ 10:00 pm

    Categories: Spyware/adware news

    Tags:

    Last week I blogged about Pushing Zango on MySpace and linked to Paperghost's blog asking if teenagers are being unwittingly used to push Zango on MySpace. It looks like Paperghost (aka Chris Boyd) managed to create a bit of a stir on the subject and now it looks like Zango is on its way out. Chris' blog managed to get digged, slashdotted and boinged all within a few days. SecurityProNews discovered the culprits behind the two Zango profiles on MySpace and guess who — see Zango Admits to Placing MySpace Profiles. But, it was a mistake, of course. A Zango spokesperson was quoted stating:

    "Those two test accounts were actually created by one of our developers who was exploring possible opportunities, but he didn't realize it was Zango business practice not to target MySpace," said Stratz. "He should not have been doing this, and we want to tell MySpace that we didn't mean to target them." The developer, said Stratz, would soon be deleting the profiles.

    Right. Paperghost also found the guy responsible for pushing Zango in MySpace, link here. A few days later Paperghost declared victory. One site no longer has the Zango video for MySpace, but how many others are there still pushing Zango videos? This site continues to have the Zango videos and no doubt there are lots more. A Google search for MySpace videos brings up 111,000,000 hits! But not all of them have Zango videos — it would be interesting to know the numbers though.

    While on the subject of MySpace, check out the warnings of other problems there. Webhelper discovered a MySpace Toolbar being installed from DollarRevenue by another adware company, RegiFast.com under very deceptive circumstances. I've had RegiFast downloaded through exploits and installed without notice or consent — that's not a nice company. Spywareguide blog also notes a MySpace hack — details at ChaseAndSam.com.

    July 10th, 2006

    Pushing Zango on MySpace

    Posted by Suzi Turner @ 10:24 pm

    Categories: Spyware/adware news, Spyware/adware warnings

    Tags:

    Chris Boyd asked the question yesterday, Teenagers used to push Zango on Myspace? It does indeed look like teenagers, and older MySpace users as well, are being used to push Zango and not making a dime for it. But the Zango affiliates and Zango itself must be taking in lots of $$$. How is this happening? There are dozens of websites, like this one, MYSPACE VIDEOS, (click at your own risk) offering free videos for MySpace users to put on their web pages. The catch is, when you click to watch a video, you get a prompt to download Zango. The HTML code is available right there on the page so MySpace users can copy and paste it to their own pages. Embedded in that code is a link to Zango and an ID, which looks like an ID for that particular video with an affiliate ID embedded in it. Here's a portion of the code. I've broken the link for obvious reasons and removed a lot of characters from that ID.

    src="http cds.zango.com/download.aspx?  Id=bf265f33e036180a63a5920ded2045b3406ae13a2=.wmv

    Easy way to push Zango and make some extra $$$, yes? That is, if you've no ethics or morals. I suspect the kids think it's ok — free stuff for their sites, but do they really know what they are doing? Likely not. Do you think they will read the EULA? Not. Are many of them under 18, installing and unwittingly spreading Zango even though the EULA says you have to be 18? And the box saying "By clicking Play Now I am at least 18 and I agree to the terms of the License Agreement above" is pre-checked! Screenshot here, from Chris's site. Once a user clicks Play Now, the download starts and they get Zango Search Assistant and Zango Toolbar. And the owner of the page where they got the HTML code for the video gets a payback. There is something terribly wrong with that picture.
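    If you moderate a forum or host user-supplied profile pages, the embed code above is the thing to look for: a media source that points at the installer host rather than at a video. Here is a small scanner I put together for this post (it is not Zango's, MySpace's or Boyd's code) that parses an HTML snippet, picks out every URL-bearing attribute, flags any whose host is cds.zango.com (the only installer host named above; any host you add to the list is your own assumption) and pulls out the Id parameter the post describes. The sample HTML and the Id value in it are constructed placeholders, not the truncated ID quoted above.

```python
"""Scan a snippet of MySpace-style embed code for media sources that point at
a known adware download host and pull out the Id parameter they carry.
Added example written for this post; not Zango's, MySpace's or Boyd's code."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# The post identifies cds.zango.com/download.aspx as the installer endpoint.
# Any other host you add here is your own assumption.
ADWARE_DOWNLOAD_HOSTS = {"cds.zango.com"}

# Constructed sample: one benign clip plus one Zango gateway embed. The Id
# value is a placeholder, not the (truncated) one quoted in the post.
SAMPLE_HTML = """
<embed src="http://example.com/media/clip.wmv" type="video/x-ms-wmv"></embed>
<embed src="http://cds.zango.com/download.aspx?Id=CONSTRUCTEDID0123456789=.wmv"
       type="application/x-mplayer2" autostart="true"></embed>
<a href="http://example.com/more">more videos</a>
"""


class _UrlCollector(HTMLParser):
    """Gather every attribute that normally carries a URL, whatever the tag.
    HTMLParser lower-cases tag and attribute names for us."""

    URL_ATTRS = ("src", "href", "data", "value")

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                self.urls.append(value.strip())


def find_adware_embeds(html):
    """Return one dict per URL whose host is a known adware download host.

    Only absolute URLs are examined; a scheme-less value (like the deliberately
    broken one in the post) has no hostname and is skipped.
    """
    collector = _UrlCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in ADWARE_DOWNLOAD_HOSTS:
            # The installer URL in the post carries its tracking token in "Id".
            # parse_qs splits on the first "=", so a trailing "=.wmv" stays
            # part of the value, exactly as it appears in the page source.
            ids = parse_qs(parsed.query).get("Id", [])
            findings.append({
                "url": url,
                "host": host,
                "path": parsed.path,
                "id": ids[0] if ids else None,
            })
    return findings


if __name__ == "__main__":
    for hit in find_adware_embeds(SAMPLE_HTML):
        print(f"adware gateway: host={hit['host']} path={hit['path']} id={hit['id']}")
```

    Run it over the embed code a user submits before the page goes live; the extracted Id is what ties the install back to the page owner who pasted the code, which is worth keeping in the moderation log.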

    Oh, and Chris Boyd found two MySpace profiles (screenshot) named "Zango":

    Both created on the same day and at the same time, one pushed a toolbar and programs designed to "protect kids from predators".

    The other? Well, imagine the scene…you see this profile floating round in Myspace, decide to visit it and…

    …a popup launches from the Myspace page, prompting you to accept a licence to play a video file.

    It looks like Jimmy Daniels doesn't think this is cool, either. See his write-up Zango (180 Solutions) Abusing MySpace Users.

    July 6th, 2006

    Direct Revenue plotted to hijack your computer

    Posted by Suzi Turner @ 9:39 pm

    Categories: Spyware/adware news

    Tags:

    Fascinating article here in BusinessWeek Online with never before published details about Direct Revenue’s inner workings and the people involved. There are a lot of juicy tidbits, including how the Dark Arts department crafted software "torpedoes" to kill competitors’ software, i.e. that of other adware vendors. Then-CEO Joshua Abrams is quoted as saying "it’s a license to kill" in a February 2004 email. Direct Revenue was the target of a lawsuit by competitor Avenue Media over that practice. CNET News called it Adware cannibals feast on each other. (Loved the title!)

    The article mentions some of Direct Revenue’s advertisers, including the big names Cingular Wireless, J P Morgan Chase and Delta Airlines, all *former* advertisers, and Vonage, which is apparently still using Direct Revenue. Shame on them! The article states Vonage did not respond to inquiries.

    When the terror named Aurora was unleashed by Direct Revenue in spring of 2005, "disaster ensued":

    Disaster ensued, as Aurora paralyzed thousands of computers. Matt Oettinger, who ran media operations at Fastclick, an advertising network that bought ads from Direct Revenue, found his home PC afflicted by Aurora, e-mails in court filings show. In June he ordered all Fastclick ads disentangled from Aurora. Branko Krmpotic, the managing director of Technology Investment Capital Corp., which had invested $6.7 million in Direct Revenue, also caught the Aurora bug and couldn’t kill it, according to e-mails. Eventually, Direct Revenue had to send its customer support director to fix Krmpotic’s machine. After receiving complaints about Aurora, Insight Venture, another major investor, told the company to remove Insight’s name from the Direct Revenue Web site. Fastclick declined to comment; Krmpotic didn’t return calls.

    The company machines were plagued by their own creation as well, with one sales staffer reporting over 30 pop-ups a day and her machine locking up 4 times.  At any rate, the article is a great read if you’ve been following the news on Direct Revenue. If you missed it in April, I blogged that Ben Edelman has posted all the court documents from the New York Attorney General’s lawsuit against Direct Revenue — more fascinating reading can be found there.

    June 23rd, 2006

    The perpetual malware distribution site lives on

    Posted by Suzi Turner @ 9:08 pm

    Categories: Spyware/adware news

    Tags:

    In the course of my work, I see or hear about a lot of sites used for phishing and for distribution of malware. There are teams of people working constantly toward getting these shut down, but some just keep distributing malware even after the ISP/hosting company is notified. Security expert Jose Nazario of Arbor Networks blogged about one such site today. This site has been in operation since at least 2002 and is based in the UK. The site in question lives at IP address 217.73.66.1 (link to whois at domaintools.com). Nazario has a screenshot of a directory listing at the site, showing malware files with dates ranging from 11-Feb-2002 to 19-Jun-2006. Nazario states there are a "few thousand" files and explains:

    So, what do all of these files do? They’re small agents - just downloaders really - that use the browser to change the dial-up networking settings to get you to dial a for-pay service..essentially, billing you and fueling them. Visit a malicious site, your browser starts to install this and voila, you’re hosed.

    Nazario states it’s been in use since 2002 and that he’s tried to get the site shut down.

    What’s more, this has been going on since at least 2002! According to this Computer Associates (CA) write-up, this is well-known and no one has done anything about it. :-/ I have been pinging a few sites about takedown, because it’s active malware.

    Emphasis mine. The link at CA describes "ComLoad" and calls it a RAT (Remote Administration Tool) from vendor Coulomb Internet Payment Systems. Coulomb describes themselves as an ISP on their website here. Coulomb is also known for their porn dialer (CA’s description); Symantec’s description is here.

    Looking at the whois information for that IP address again, the IP block belongs to Coulomb.

    inetnum:   217.73.66.0 - 217.73.67.255
    netname:   COULOMBNET
    descr:    Coulomb Ltd

    person:    Ben Daniel
    address:   Coulomb Ltd.
    address:   First Floor
    address:   2 East Street
    address:   Fareham
    address:   Hampshire

    There’s a phone number and email address as well. This is public record, by the way. Anyone can do a whois lookup and find the same info.

    I don’t know what laws there might be in the UK about operations such as Coulomb, but I believe it would be illegal in the US. Just look at the FTC’s complaint against Seismic Entertainment, et al, for example.

    So what to do, since this malware distribution site lives on, unchecked? Nazario’s recommendation:

    If you want to protect your users, consider blackhole’ing this malicious network: 217.73.64.0/20, belonging to AS16238. So far nothing, but long term suspicious activity there. And here I thought this was new, sadly it’s not!
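    Before anyone pastes that /20 into a router, it is worth checking what it actually covers. The whois inetnum above is a range, not a prefix, and the suggested blackhole is wider than the allocation. Here is a small Python check I wrote for this post (not Nazario's or CA's code) that converts the inetnum into CIDR form, confirms the proposed prefix contains both the 217.73.66.1 host and the whole Coulomb allocation, counts how many extra addresses the wider prefix drops, and spells out the Linux null route as text. All addresses are the ones quoted above; the iproute2 command form is a standard one, not something the post itself gives.

```python
"""Turn the whois inetnum from the post into CIDR form and check whether the
prefix Nazario suggested blackholing actually covers the malware host and the
whole allocation. Added example for this post, not Nazario's or CA's code."""
import ipaddress

# Values quoted in the post.
MALWARE_HOST = "217.73.66.1"
WHOIS_INETNUM = "217.73.66.0 - 217.73.67.255"
PROPOSED_BLACKHOLE = "217.73.64.0/20"


def inetnum_to_cidrs(inetnum):
    """Convert a RIPE-style 'first - last' inetnum into the minimal CIDR blocks."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def blackhole_covers(prefix, host, inetnum):
    """True when `prefix` contains the observed host and every block of the allocation."""
    net = ipaddress.ip_network(prefix)
    if ipaddress.ip_address(host) not in net:
        return False
    return all(ipaddress.ip_network(c).subnet_of(net) for c in inetnum_to_cidrs(inetnum))


def excess_addresses(prefix, inetnum):
    """How many addresses the blackhole drops beyond the whois allocation itself,
    i.e. the collateral you accept by blocking the wider prefix."""
    allocated = sum(ipaddress.ip_network(c).num_addresses for c in inetnum_to_cidrs(inetnum))
    return ipaddress.ip_network(prefix).num_addresses - allocated


def null_route_command(prefix):
    """iproute2 form of a null route for a Linux border host; returned as text, not executed."""
    ipaddress.ip_network(prefix)  # validate before anyone pastes it into a shell
    return f"ip route add blackhole {prefix}"


if __name__ == "__main__":
    print("allocation as CIDR:", inetnum_to_cidrs(WHOIS_INETNUM))
    print("proposed prefix covers host and allocation:",
          blackhole_covers(PROPOSED_BLACKHOLE, MALWARE_HOST, WHOIS_INETNUM))
    print("extra addresses blocked beyond the allocation:",
          excess_addresses(PROPOSED_BLACKHOLE, WHOIS_INETNUM))
    print(null_route_command(PROPOSED_BLACKHOLE))
```

    The allocation collapses to a single /23; the /20 Nazario names covers it with 3,584 addresses to spare, so if you only want to drop Coulomb's own block, the /23 is the tighter choice, while the /20 matches the whole AS16238 announcement he refers to.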

    If any folks from the UK happen to read this blog, you might consider contacting your MP as this spyware fighter did.

    Update June 24: UK spyware fighter Nellie2 has blogged about this situation and is ready to take action.

    June 23rd, 2006

    Claria wants you to uninstall their software

    Posted by Suzi Turner @ 8:00 pm

    Categories: Spyware/adware news

    Tags:

    Claria, formerly known as Gator, issued a statement on their website stating that all GAIN software will stop displaying pop up ads on July 1, 2006. That sounds like a good thing, yes? Claria will cease supporting all GAIN supported applications on October 1, 2006. They say the software may not function properly after that time, but, if you don’t uninstall the software now, it will continue to "collect data about your web usage from your computer for research and other purposes as described in our Privacy Statement until September 30, 2006".

    If you currently have any GAIN-Supported software installed on your computer, Claria recommends uninstalling them now. Since Claria will no longer support these applications in the near future, there is the possibility that they will cease to function properly. You can continue to use these products if you choose, and will no longer receive GAIN branded pop up and pop under ads after June 30, 2006. This doesn’t mean that you won’t receive other pop up and pop under ads from other web properties — you just won’t receive any from the GAIN Network.

    There’s a link to help you determine what GAIN supported programs you might have, and a list of the GAIN apps here. In the course of research, I’ve installed all the GAIN apps at one time or another, and I didn’t find any with a value proposition good enough to make me want to keep them. I don’t think anyone will be mourning the loss of Claria’s GAIN supported apps, but I could be wrong…

    Claria is not disappearing from the scene, though. No siree. They now have PersonalWeb, which is still in beta.

    PersonalWeb is advanced personalization technology combined with something Web users utilize every day — a browser Home page. Our Beta is a demonstration of how Claria technology can drive automatic Web content targeting, organization and discovery to create a simpler, more relevant Web experience.

    Thanks, Claria, but I think I’ll pass on this one. If you are thinking about using PersonalWeb, I’d suggest reading the privacy policy first.

    Credit: Thanks to Richard Smith for the link.

    June 19th, 2006

    Spyware fighter under DDoS attack by DollarRevenue trojan

    Posted by Suzi Turner @ 7:30 pm

    Categories: Spyware/adware news

    Tags:

    My good friend and colleague in the spyware fighting business, Patrick Jordan, aka Webhelper on the forums, has been under a DDoS attack since June 16 at his website, webhelper4u.com. I’m not linking to his site in order to conserve his bandwidth.  Here’s what he posted.

    Updated: 19 June, 2006 05:12 PM

    As of June 16, 2006, I have been under a DDoS attack from a trojan installer that DollarRevenue.com began using which was called from one of the Russian VladZone gangs sites and which with my current hosting company, I cannot block the attacks which in 3 days went over 125 Gig in bandwidth usage of my allotted 200Gig per month. They are putting url addresses to free web pages designed to load my sites pages as if they were images and with the use of a trojan from the VladZone and bundled in DollarRevenue.com infestations, I cannot and will not put all my time into fighting groups that have been running since 2003 and authorities around the world have not been able to stop.

    This is not the first time anti-spyware websites have been attacked by the malware pushers. In 2004 several well known sites in the anti-spyware community were hit, including Spywareinfo.com, TomCoyote.org, Merijn.org (maker of HijackThis and other anti-spyware tools), CastleCops.com (formerly ComputerCops.biz), Safernetworking.org (home of Spybot Search & Destroy), and Net-Integration (no longer online), all of which were DDoSed for weeks upon weeks. Last year Ben Edelman’s site was also attacked.

    I previously blogged about DollarRevenue and the massive infestations that come with their malware, probably due in part to their high affiliate pay per install rates. 
