180 Solutions playing with fire...and Java applets

"I was surfing with the Mozilla 1.7 browser, so I wasn’t that worried about getting hit with spyware or adware. Boy, did I get a surprise." - Suzi, Spywarewarrior.com

Looks like the "Java applet install of doom" is slowly working it's way across the web, as Suzi of Spywarewarrior.com has just covered yet another install using this method - however, in this case it's exploring the wonderful world of EULA-missing hijackings by supposedly "reformed" 180 Solutions.

Hot on the heels of joining (and killing) COAST, Adware companies claiming a new found respectability are seemingly hiding their EULA agreements very well - so well, in fact, that you don't actually see them. For information purposes, I should point out that 180 Solutions wre included in the original Java applet install - however that fact got buried under a pile of people screaming "Heresy" regarding Firefox. Well, they're all busy playing with the Lyricspy .Xpi file now, so we should be able to get a good look at this without worrying about figures on grassy knolls and walking down dark alleyways (though I studied martial arts in a car park in China, so I'm pretty hardcore anyway).

A direct quote from Suzi - it's long(ish), but every bit of it is needed:

"Since I see Java applets all the time at some of my favorite sites, I don’t worry too much about them. I even see plenty of Java applets that have expired digital certificates, as this one at spazbox.net did. So clicked through the Java applet just as I normally do.

I should have looked more carefully at that Sun Java applet “Warning” box: the applet was from Integrated Search Technologies (IST), a well known adware vendor. Once I clicked through that “Warning” box, a whole load of adware installed without ever even offering to show me a EULA or Privacy Policy. Among the programs installed were ISTBar/XXXToolbar, PowerScan, and SideFind. All of those are programs from Integrated Search Technologies, a company which is often confused with CDT, perhaps because their programs are often installed together.

But there was another program that installed—again, without showing me so much as a or Privacy Policy: the 180search Assistant. What was more surprising, it turned out that the version of the 180search Assistant installed was the new version 6, which was “certified” by EULACOAST and which is supposed to display a notice/disclosure screen (known as the “CBC Force prompt”) to users."

Whoops!

The rest of Suzi's writeup is here. It's interesting reading - especially when talking about the way someone has apparently tampered with the Sais.log (this records browsing history, 180-specific install details etc) to make it look like the end-user had agreed to various installs when they hadn't!

If you didn't know what to look for, you wouldn't be aware of this "fun feature" 180 Solutions has dredged out of the depths. Suzi tested this on her Java applet install, so I thought it would be fun to go back to Lyriscpy.com and revisit an old friend - no, not Neil Diamond, the Java applet.

Sure enough - after running some more tests on the Lyriscpsy install, I found that the Sais.log values had been altered there, too. So what does this mean? I'll put it in big fat red letters, hopefully big enough for the 180 Solutions guys to get the message...because I know we're all hearing it loud and clear:

180 SOLUTIONS IS STILL INCLUDED IN STEALTH INSTALLS!!!!!!