23 replies to this topic

[TeMerc]

Paperghost, noted MS MVP has an excellent blog and has recently decided to take on the thugs at Direct Revenue. Much in the same way Webhelper has chronicled the Transponder Gang, Paperghost will also expose these scumbags for what they really are, greedy, lowlifes using the uneducated Internet user as their way to riches. He has given me permission to reprint his writeups as they proceed. Exposure is our best weapon against them. I'll keep this thread updated as he posts more info.


Originally Posted May 31
A Revolution is the Solution...

...and here it is. I had intended to go to London for a holiday, but it seems my best bit of online jibber-jabber actually took place a world away from modems, telephone sockets and keyboards that continually GET STUCK ON CAPS LOCK>

And so, one furtive meeting at a payphone later (seriously, why can't these guys meet up in Burger King like everyone else) and I had myself an audience. It came to me a while ago that we security researchers are almost cheating ourselves in the race to find new malware. By the time we've bust the doors down, cuffed everyone in sight, pepper-sprayed the occupants and wrote a load of stuff about horrible installs, in many cases, the damage has already been done. It's quite rare that we get there first.

There is, however, a group of people that tend to stumble across brand new infections weeks (or in some cases) months before anyone else claps eyes on them. These people are the great digital-disenfranchised, friend of no-one and enemy of all, if you believe the popular press. They may not go looking for this stuff - often, it's a by-product of whatever else they're looking for and so the initial discovery becomes discarded.

Not anymore, however.

Full Read @ VitalSecurity.org

===============================================

Friday, June 03, 2005

Direct Revenue: BUSTED!

Let it never be said that I don't carry out a threat. After that little escapade, I wonder if Direct Revenue really expected anything less. Allow me to recap: Aurora. Nobody likes it. Everybody has it. No-one can find an install site.

Sunbelt Software threatened. Claims of legitimacy from Direct Revenue.

Paperghost: R0xoring the b0xor.

I've had a particular site on the radar for some time now (initally playing with it a good while back), but the dayam thing went down before I could save any evidence. I know a number of other people have this one in their sites too. However, in an act of total stupidity, the people behind this site brought it back online, and it's a decision they'll likely regret for some time.

The time for babble is done - let's cut right to the chase. The following pictures will say it far, far better than I ever could.

Let me recap this. Pore over every single word of it:

"Aurora is the brand name of one Ad Client which, as stated above, is only installed upon affirmative acceptance of the EULA".

Now, they must do EULA stuff like that before EVERY install. Even something as nasty as, say, Ceres? (which is basically Aurora by another name). There could never be any confusion as to exactly which EULA they mean in any given installation, could there?

Wrong. Prepare to watch the plot thicken.

Full Read @ VitalSecurity.org

[wng_z3r0]

Go Paperghost go!

[TeMerc]

Sometimes, words fail me. It's as if the Gods themselves decided to confirm in 100 foot high burning letters what Wayne Porter stated just a few days ago regarding the future of Malware (Greynets).

I've stated for a long time that the installs would get bigger (you have DSL? Great! We'll hose your bandwidth along with your PC!), though these installs would need something a little more sophisticated than a "You're our 1000th visitor! Click here, you've won a speedboat" banner ad. And, thundering into the world of P2P are a series of what can only be described as mega-installs. You may get some content with it, but the programs that lurch onto your PC mean you won't be sampling it anytime soon.

First there was the 8MB install. Ooh, we said. That's a whopper. Then there was Bube, with its 100+ individual items of Malware, Spyware and Trojans. Ouch, we said. That'll hurt. After that came Adware that forced the .NET framework onto your PC (whether you wanted it or not), with a 65MB piece of frivolity. Er...hang on, we said. That kinda' sucks.

And now....it looks like the once (vaguely) happy, clappy world of Bittorrent is being invaded with the marketing campaign to end all marketing campaigns. A concerted effort to get everybody's favourite piece of advertising genius into your lives...Aurora.

Maybe the reason why install sites are so thin on the ground is because there aren't any. Not a lot, anyway. It was obvious that Aurora was getting onboard somehow, but no-one seemed quite sure where from. When I think back now, to all those Hijack This logs posted on security forums...the answer was staring us in the face. Do a random Google search for Nail.exe and Aurora.exe, check out the forums and see what reoccurs, time and time again:

btdownloadgui.exe,

Otherwise known as Bittorrent. I checked hundreds of those dayam logs, and more often than not, it was chugging away in the background. No wonder none of the victims (or spyware experts) seemed to know what site Aurora was coming from - there was no site. It would have never occured to the end-users that it could have crept in by another means altogether.

So with that partial mystery solved, there was only one thing left - go hunting. Shotgun in one hand and crucifix in the other (just in case), I've quickly discovered a whole world of agonised PC owners who have yet to march across security forums and cry out for help. Check this out...

Full Read, w\screenshots @ VitalSecurity.org

Reprinted with permission by Peperghost

[TeMerc]

Aurora install links wanted!

That's right, I want more...more! If you've been nailed (excuse the poor gag) by Aurora, either in P2P land or from a website you visited, please let me know and pass on the relevant URL or file-sharing link so I can go and have a look. I have plenty more in the pipeline for Direct Revenue. Send any and all information to paperghost@vitalsecurity.org.

Thanks.

Reprinted with permission by Paperghost

[TeMerc]

Direct-Revenue: VitalSecurity Info 'Misleading'

Spyware Floods In Through BitTorrent
By Ryan Naraine
June 15, 2005

BitTorrent, the beloved file-sharing client and protocol that provides a way around bandwidth bottlenecks, has become the newest distribution vehicle for adware/spyware bundles.

Public peer-to-peer networks have always been associated with adware program distributions, but BitTorrent, the program created by Bram Cohen to offer a new approach to sharing digital files, has managed to avoid the stigma.

Not any more, anti-spyware advocates warn.

According to Chris Boyd, a renowned security researcher who runs the VitalSecurity.org nonprofit resource center, the warm and fuzzy world of BitTorrent has been invaded by a massive software distribution campaign linked to New York-based adware purveyor Direct Revenue LLC.

"This is the marketing campaign to end all marketing campaigns," said Boyd, the Microsoft Security MVP (most valuable professional) known throughout the security industry by the "Paperghost" moniker.

In an e-mail interview with Ziff Davis Internet News, Boyd said rogue files have popped up occasionally in BitTorrent land but those were usually just random executables. "This is the first time I've seen a definite money-making campaign with affiliates, distributors and some pretty heavy-duty adware names," he added.

Boyd, widely known for chronicling spyware, hacking and malware exploits, has published details of the BitTorrent distributions and identified Direct Revenue and Marketing Metrix Group as the companies responsible for the rigged files.

More.......

Page 2

Direct Revenue admitted to using MMG to push Aurora distributions via BitTorrent, but insisted that the actual adware installation was done with adequate and up-front disclosure.

In an interview, Direct Revenue chief technology officer Daniel Doman said MMG is "one of many affiliates" used to distribute Aurora. "They [MMG] specialize in doing content distribution on peer-to-peer channels, and we think they provide an easy mechanism for people like us who want to monetize software or content."

Doman, a former director of engineering at DoubleClick Inc., said the increased visibility of Aurora and the "nail.exe" component was not the result of new installations, pointing out that Direct Revenue is auto-updating its file-naming convention to address criticisms that the adware program was hidden on purpose.

Doman described Boyd's posts on VitalSecurity.org as "misleading" and pointed out that the screenshots provided by the researcher "clearly show full disclosure" before the Aurora program is installed.

Full Read @ eWeek

[TeMerc]

Paperghost: My Response
...ahahahaha! Someone sounds rattled!

Where?

Here

In an interview just given with Eweek.com, a tale of two cities is presented - one where thousands of people have ended up with Aurora on their systems and wished they could get a can of industrial strength bug-spray to clean the dayam thing out.

The other is a place where Aurora is a "valuable marketing proposition" and everybody can't wait to have anything up to five advertising windows popped open at the same time.

In other words, Daniel Doman (chief technology officer for Direct Revenue) sounds a touch rattled by the increased attention paid to their "toy" - it's a long time since I saw someone come across as that defensive in an interview. Even better, he appeared to miss the point of this article completely. So in the spirit of fair play (and because I love stuff like this), what follows is a breakdown of the above article with my responses to this guy's vaguely panicked sounding "accusations". Don't worry, I'll be fine. I've seen Eric Howes do this hundreds of times...

Full Read, w\screenshots and detailed analysis @ VitalSecurity

[TeMerc]

Direct Revenue respond...

I have absolutely no problem with heaping out credit where credit is due - especially when that credit involves shutting down a rogue affiliate. Even more so when that rogue affiliate exists in the world of Adware - because all too often, it's the easiest thing in the world for the makers of the software installed to wash their hands of all responsibility. That has been a common staple of the Adware industry for years, and the most common excuse made when things go wrong.

So with that in mind, I will happily publish the below letter from Direct Revenue. I'm still going to write about installs that I feel to be rogue, I'm still not impressed with the whole Aurora issue, and I still don't agree with many of the practices employed by various companies whose products fall (rightly or wrongly) under the banner of "Adware". I also take issue with the article regarding Aurora's distribution being labelled as "deceptive". Apart from that, it certainly doesn't fix the problem overnight - it's just one small chunk of rogue site gone wrong action shut down - but it would be unrealistic to assume such a thing could be achieved with no time given to set things straight.

June 16, 2005Mr. Christopher BoydVitalsecurity.orgVia email:Thank you for posting the video on Vitalsecurity.org today showing an improper download of Direct Revenue software. We have identified the third-party distribution channel responsible for the download in question, confirmed that the download of our software was occurring in breach of our distribution agreement and without user consent and, as is our policy in such matters, we have shut down the distribution channel responsible for the offense.Direct Revenue

Well done - it's a start.

Full Read @ VitalSecurity.org

Reprinted with permission by Paperghost

[TeMerc]

PCMag:Paperghost Scheming Against Bittorent

By John C. Dvorak

Simple Lies, Told as Fact. There is no spyware in BitTorrent. There is no way BitTorrent is being tricked into delivering spyware. We hear that BitTorrent files are "infected." What specific to BitTorrent is infected? Is it the BitTorrent initiation files? Or is it the payload? If it's the payload (the media file, for example) then what's it got to to do with BitTorrent per se? Nothing, that's what.

Someone took an executable file, which in one instance is distributed as a Family Guy episode. Instead of just being an .avi or .mpg file, it's an .exe or some other executable. Executing the file results in a load of spyware being installed. So again I ask what's this got to do with BitTorrent per se? If BitTorrent didn't exist this file could still be traded in any number of ways. Nothing would change. BitTorrent in this instance is merely the download mechanism. You'd STILL get the spyware if you used something other than BitTorrent. Spotlighting BitTorrent is a cowardly way to discredit the product.

The Root of the Accusations. This was all begun by a Microsoft MVP character named Chris Boyd, who is always described as a "renowned" security expert. By whose standards is he renowned? Has he written books? Academic papers? Articles? What exactly besides blogging? So where does this assertion come from? The blog?

He posted his BitTorrent discovery on his security blog here. He discovered that the Aurora spyware is on machines that also have BitTorrent installed and implies that BitTorrent has more to do with it than a casual coincidence. Does this guy know that BitTorrent is a downloading system and people who do a lot of downloading tend to have it on their machines? The cause and effect logic here eludes me. Is he saying it's impossible to get Aurora without BitTorrent?

Full Read @ PCMagazine

Read my reply over at the PCMag forums here

Edited by TeMerc, 22 June 2005 - 12:20 AM.

[TeMerc]

Paperghost Replies to John Dvorak:

Simple facts, told as lies
Simple Lies, Told as Fact.

This is how John C. Dvorak's piece begins. It's a lofty piece, full of astounding claims, incredible payoffs and tantalising climaxes.

Unfortunately, it's also complete and utter nonsense. In an amazing piece of trollishness, he attempts on a grand scale to divert attention from what is possibly the MMG installer's lowest depth yet. I will post the second part of this update sometime later today - prepare to be amazed. I'll cut through John's points nice and quick, no hanging him out to dry like Direct Revenue this time.

John: There is no spyware in BitTorrent.

Nobody said there was.

John: There is no way BitTorrent is being tricked into delivering spyware.

Nobody said Bittorrent could be tricked. Last I hard, Bittorrent was an unthinking, unfeeling program. You can't generally "trick" things like that.

John: What specific to BitTorrent is infected? Is it the BitTorrent initiation files?
Is this guy listening? Maybe he should, you know, read the article.

John: Or is it the payload? If it's the payload (the media file, for example) then what's it got to to do with BitTorrent per se? Nothing, that's what.

Actually, it's got everything to do with it. Bittorrent didn't have this kind of problem before. The odd rogue Malware bundles, sure, but not a clear and concise marketing campaign. And as someone will point out sometime later today, these installers have actually been tracked since May - and my God if he hasn't found something potentially ready to blow the lid of the Adware industry forever.

Full Read @ VitalSecurity.org

[TeMerc]

Amazing as it sounds, the sorry case of the first major Bittorrent Adware marketing campaign has gotten worse, both in terms of what it means as a warning for those who ended up becoming involved and those who would possibly ever think of considering that this was, in any way, shape or form, a vaguely good idea.

Bittorrent didn't have this kind of problem before. The odd rogue Malware bundles, sure, but not a clear and concise marketing campaign. And as Dave Methvin of PCPitstop points out in his dynamite writeup, he had been tracking these things for quite some time too. Since May, as a matter of fact. And what he has potentially discovered, is enough to make every Adware company out there want to examine every single last detail of a distribution deal down to the last ounce in future...

Dave: In reviewing comments on BitTorrent forums, it appears that MMG's infected files had been posted as early as mid-April. Administrators of the BitTorrent sites removed the files and/or banned the users when someone reported them, but it sometimes took several days before this occurred. This provided a window of opportunity where the downloader would be unaware of the effects of MMG's file and continue to share it for others to download.

MMG seemed particularly busy with new files on Fridays, perhaps in the hopes that the admins would be away for the weekend and unable to clean up the mess for a while. Although I observed several files that were hundreds of megabytes during May, the later posts tended to be less than 50 megabytes; perhaps MMG was betting that more people would successfully download short files before warnings were posted and the files removed.

So here we have the first inkling of this infestation, which increased dramatically as time went on. The first "shocker" with this was that the MMG installers did not disclose every piece of software in every bundle - the second, that a mass of supposedly copyright protected mediafiles were being distributed, and neither the Adware vendors or MMG seemed to be able to say who exactly had responsibility to licence these files. So far we have undisclosed Adware, seemingly out of date installer licence agreements and potentially copyright infringing mediafiles which would potentially leave the end-user (who assumes the content is legit) in a world of RIAA fun and games. This is already (and you don't need me to point this out), a very bad thing.

However - things would get worse. specially for the Adware companies who made such a massive mistake in getting involved in this distribution. I actually feel sorry for them - to a degree. As anyone who knows something about anything will generally tell you, play with fire enough times and...well, you can guess the rest. I would also like to state - emphatically - that none of the below accuses (or even suggests) the mentioned Adware companies of being involved in creating, uploading, distributing or having anything at all to do with the media content mentioned, other than simply agreeing to have their software bundled with mediafiles provided by MMG. They couldn't possibly have forseen that things could go in such a wrong direction through the apparent actions of MMG, or else they wouldn't have gotten involved. Though maybe they should have forseen that, without screening every last ounce of what somebody actually plans to do with their particular distribution, you are just asking for a recipe laced with disaster.

180 Solutions, Direct Revenue, IBIS, Belcaro and a bunch of others have all ended up getting their software involved in a distribution campaign that, as Dave states in his article, potentially...


(Contained)...adult videos (that) depicted young girls and implied they were under 18 years of age.

That isn't just huge, it's off the frigging scale.

Full Read @ VitalSecurity.org

[TeMerc]

Wayne Porter writes his opinions on John Dvorak's(PCMag, above post) artcile slamming Paperghost\Chris Boyd.

Today I have my sleep-deprived EEG. The only painful aspect to this procedure is having to stay up all night so I can be properly "sleep deprived". In order to do that I have dedicated a significant portion of the late night to an entry about Mavens and Misinformation and some of the latest antics going on in the pay-for-performance install world.

Mavens are knowledgeable people. While most consumers wouldn't know if a product were priced above the market rate by, say, 10 percent, mavens would. Bloggers who detect false claims in the media could also be considered mavens.

In the spyware/adware world Mavens are especially important. I have a dazzling collection of Mavens that I rely on to help me synthesize the information vibrating on the Net everyday. Many of them are household names in the anti-spyware business like Suzi Turner, Eric Howes, Ben Edelman, Alex Ekleberry, Chris Boyd, Dave Methvin, Bill Pytlovany, and Mike Healan to name only a few. These are people I admire for their breadth of knowledge and willingness to share it. (It also amazes me how frequently people who are willing to share their knowledge get attacked from left-field.)

So color me stunned when I start hearing reports that Chris Boyd was the "evil mastermind" behind a plot to discredit BitTorrent and to advance Microsoft's future foray into P2P. To think I thought conspiracy theories only came from affiliate la-la land?

Eventually I discovered the "conspiracy theory" was coming from of from this piece called The Scheme to Discredit BitTorrent (see above post)by John Dvorak. I could go to great lengths defending Boyd's inititial article but it is very clear that he can defend himself as he systematically goes through every piece of misinformation with facts.

What amazes me is how easy it is for someone to take fragments of a story and twist it into a conspiracy theory. This is the type of action I would expect from a mob not a computer magazine. Boyd's blog didn't outline anything that Dvorak insinuates, and after reading Dvorak's article I really wonder if he actually read the original or it was a knee jerk reaction to what he was seeing in the media coverage? Blaming the media for shoddy coverage is fair game, but blaming the objective researcher is not very fair.

Full Read @ ReveNews

I stronlgy urge all to read the entire thread, its well worth it.

[TeMerc]

Now eWeek Jumps On Dvorak

By Steven J. Vaughan-Nichols
June 23, 2005

Opinion: But there is way too much crazy talk going on about Avalanche, BitTorrent and adware.

John, John, John. John Dvorak, what were you thinking?

In his recent column, The Scheme to Discredit BitTorrent, Dvorak gets so much wrong about BitTorrent, its security problems, Microsoft and Avalanche that's it hard to know where to begin.

So, let's just walk down Mr. Dvorak's column, shall we?

First, is Microsoft really taking aim at BitTorrent, the justifiably popular peer to peer protocol? Yes, I know that Bram Cohen, BitTorrent's inventor, thinks so, but is it really?

Both Cohen and Dvorak describe Microsoft's Avalanche project as vaporware.

Ah, actually, it's not even that. It never was.

I don't need to explain this, though. I'll let Kevin Schofield, Microsoft Research's general manager for strategy and communications.

Full Read @ eWeek

[TeMerc]

Someone just alerted me to an interesting read. Actually, two.

You may or may not have seen this- in it, the world and its uncle are accused of a grand Microsoft world domination takeover, with me at the helm. No doubt dressed in black robes and swinging a lightsaber. Well, you probably already saw my response to John C Dvorak, but what you might not have seen are some of the pieces springing up in direct contrast to what he wrote.

The first- Wayne Porter of XBlock systems. If I die young, I want "The Zaphod Beeblebrox of spyware fighting" stamped across my gravestone. Of course, I'll need 24/7 protection to ensure my remains aren't dug up and hung from a tree with a "BT Pwns jo0 sucka!!112" sticker pasted to my forehead.

The second- Steven J Vaughan-Williams, a fittingly musical surname to my vaguely witty title. In it, he calmly and rationally asserts why there is indeed no "grand conspiracy" against Bittorrent - only against the kind of marketing campaign we saw launched into it's relatively infestation-free world. You may remember the origiinal on EWeek - in it, a perfectly reasonable discussion about the MMG bundles that were filling up numerous sites in Bittorrent land was twisted into something that had no similarity to the original piece. A definite case of Rise, Lord Vader if ever there was one. Immediately, people started screaming for blood and, without actually checking the facts regarding what was actually going on (it seems), rafts of people jumped on the bandwagon, outraged that someone said Bittorrent itself was full of spyware.

The sad part was, nobody did.

Full Read @ VitalSecurity.org

[TeMerc]

Aurora's latest distribution source?

A wonderful game of connect the dots is being played out...and it looks like we have a winner. When a raft of circumstantial evidence is available, putting the pieces together usually solves the puzzle. And what a puzzle it has been! A globe-spanning paperhunt, multiple translations and a whole bunch of testing has driven me to one conclusion...Aurora has a new home.

But where could it be?

Stay tuned to find out. All I'll say for now is...a while back, Wayne Porter mentioned "classic greynets" and "daisy-chained" installations on his ReveNews blog. Looks like his prophecy has been fulfilled...!

Vital Security.org

[TeMerc]

Aurora Adware bundle hits Instant Messaging

The thing about timed explosives is, you're never quite sure when they're going to go off. And in this case, something that was posted on my forum some weeks ago has lain dormant, unwilling to co-operate. That is, until a few days ago. Wayne Porter has often said (and I agree) that Greynets are the future of Malware (and other Ware) installs. Most of the "big" stories I've covered have involved some pretty zany techniques to get things onto your system. And Aurora has managed to find itself installed in everything from Bittorrent media bundles to multi-webpage EULA funfests. In fact, I'm convinced if you looked in my underpants right now, Aurora would be down there too.

Omnipresent doesn't come into it.

But yet again, I am forced to look in slack-jawed amazement at the - er - ingenuity?...of the Aurora affiliates so desperate to get it onto your PC that they really will stoop to any means necessary to make their dough. Come with me, into the new Adware-bundle battlefield....Instant Messaging.

Full Read w\screenshots @ VitalSecurity.org