
Thursday, June 09, 2005

Aurora install source revealed, and 175 Megabytes of televisual terror

Sometimes, words fail me. It's as if the Gods themselves decided to confirm in 100-foot-high burning letters what Wayne Porter stated just a few days ago regarding the future of Malware (Greynets).

I've stated for a long time that the installs would get bigger (you have DSL? Great! We'll hose your bandwidth along with your PC!), though these installs would need something a little more sophisticated than a "You're our 1000th visitor! Click here, you've won a speedboat" banner ad. And, thundering into the world of P2P are a series of what can only be described as mega-installs. You may get some content with it, but the programs that lurch onto your PC mean you won't be sampling it anytime soon.

First there was the 8MB install. Ooh, we said. That's a whopper. Then there was Bube, with its 100+ individual items of Malware, Spyware and Trojans. Ouch, we said. That'll hurt. After that came Adware that forced the .NET framework onto your PC (whether you wanted it or not), with a 65MB piece of frivolity. Er...hang on, we said. That kinda' sucks.

And now... it looks like the once (vaguely) happy, clappy world of Bittorrent is being invaded with the marketing campaign to end all marketing campaigns. A concerted effort to get everybody's favourite piece of advertising genius into your lives... Aurora.

Maybe the reason why install sites are so thin on the ground is because there aren't any. Not a lot, anyway. It was obvious that Aurora was getting onboard somehow, but no-one seemed quite sure where from. When I think back now, to all those HijackThis logs posted on security forums... the answer was staring us in the face. Do a random Google search for Nail.exe and Aurora.exe, check out the forums and see what reoccurs, time and time again:

btdownloadgui.exe

Otherwise known as Bittorrent. I checked hundreds of those damn logs, and more often than not, it was chugging away in the background. No wonder none of the victims (or spyware experts) seemed to know what site Aurora was coming from - there was no site. It would never have occurred to the end-users that it could have crept in by another means altogether.
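The correlation described above was done by hand, reading many HijackThis logs and noting what recurs alongside Nail.exe and Aurora.exe. The Python below is an added example (not code from the original post) that automates that check over constructed sample "Running processes:" excerpts; the log text is made up for illustration, not taken from real forum posts.

```python
import re

# Marker processes the post tells readers to search forum logs for.
MARKERS = {"nail.exe", "aurora.exe"}

# Constructed sample "Running processes:" sections in HijackThis style.
# These are made-up excerpts for the example, not real victims' logs.
SAMPLE_LOGS = [
    r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\Nail.exe
C:\Program Files\Aurora\Aurora.exe
C:\Program Files\BitTorrent\btdownloadgui.exe""",
    r"""Running processes:
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\nail.exe
C:\Program Files\Ceres\ceres.exe
C:\Program Files\BitTorrent\btdownloadgui.exe""",
    r"""Running processes:
C:\WINDOWS\explorer.exe
C:\WINDOWS\Nail.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe""",
    r"""Running processes:
C:\WINDOWS\explorer.exe
C:\Program Files\Aurora\aurora.exe
C:\Program Files\MSN Messenger\msnmsgr.exe""",
    r"""Running processes:
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe""",
    r"""Running processes:
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe""",
]

# One Windows path per line; capture the executable's basename only.
PROCESS_RE = re.compile(
    r"^[a-z]:\\(?:[^\\\r\n]+\\)*([^\\\r\n]+\.exe)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)


def processes(log):
    """Lower-cased basenames of every .exe path listed in one log."""
    return {m.group(1).lower() for m in PROCESS_RE.finditer(log)}


def companion_scores(logs, markers=MARKERS):
    """Rank processes by how much more often they appear in marker-positive
    logs than in marker-free ones: score = fraction of infected logs that
    contain the process minus fraction of clean logs that contain it.
    System processes present everywhere score near zero and drop down."""
    groups = [processes(log) for log in logs]
    infected = [p for p in groups if p & markers]
    clean = [p for p in groups if not (p & markers)]
    if not infected:
        return []
    candidates = set().union(*infected) - markers
    scores = {}
    for name in candidates:
        in_infected = sum(name in p for p in infected) / len(infected)
        in_clean = sum(name in p for p in clean) / len(clean) if clean else 0.0
        scores[name] = round(in_infected - in_clean, 3)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for name, score in companion_scores(SAMPLE_LOGS)[:3]:
        print(f"{name:22s} {score:+.2f}")
```

On the constructed sample, btdownloadgui.exe comes out on top (0.75) because it appears in three of the four marker-positive logs and in neither clean one, which is the pattern the post describes; on real forum logs you would feed in the pasted sections verbatim and expect noisier scores.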

So with that partial mystery solved, there was only one thing left - go hunting. Shotgun in one hand and crucifix in the other (just in case), I've quickly discovered a whole world of agonised PC owners who have yet to march across security forums and cry out for help. Check this out...

The Install

Let me make this clear - though I'm covering just one of these installs, there appear to be a whole slew of them doing various creepy things. Check out this particular thread for evidence of that. All the renegade Bittorrent files you can eat, kids! 6 whole pages worth, and that's just from one site!

And so, it's time for the dance. We start off, as all good Bittorrent downloads do, with this familiar sight:



So far, so good. Within the hour, you'll be watching an animated psychopathic baby attempt to take over the world through the medium of song. However - the more observant will notice the Licence Agreement mentions some familiar names:



As with so many of Direct Revenue's installs, it should be mentioned that (once again), the licence agreement is a general one, instead of the Ceres / Aurora specific pieces. Hardly an accurate and informative disclosure of what is about to happen to the PC in question! As always, Direct Revenue do the absolute bare minimum to claim they have covered themselves with their ad-spewing nightmares. You might not like YourSiteBar, but at least they give a link to a relevant privacy policy!

In addition, nowhere does it mention that you don't have to agree to the above adware in order to run the desired media file. Cancelling the above agreement will bring it up a few more times, until eventually a WinRAR self-extractor will appear, allowing you to watch your film / program / whatever.

Deceptive? My God, yes, I'd say so.

And you know what's coming now, don't you? That's right, a totally messed up desktop. Below, you can see no less than FIVE Internet Explorer windows forced open, 3 Ceres windows (sometimes Aurora is installed rather than Ceres), Slotch, Bullseye Network, 180 Search Assistant, SideFind, Search Miracle and YourSiteBar - all of these opened up within the space of around a minute or less. I'd also like to mention that upon further investigation, WhenU were NOT a part of this bundle. There's an advert pop-up window that displays a blue figure very similar to the WhenU logo. However, I can confirm that this software is not related to WhenU in any way. See the article update at the bottom for more information.

Aside from that, a number of programs were found lurking in the Start Menu, including Powerscan (FIND YOUR PORN! HIDE IT! IT'S THE WIFE!), and a number of other "valuable additions" - but here's the desktop:



The scary part is that I am still finding new programs and bits of Adware on the system - certainly a LOT more stuff than was even hinted at in the utterly useless Licence Agreement.

And the people behind it?

These guys. With their "unique" P2P distribution methods, they seem to have fingers in pies all over the place, ranging from BearShare and Kazaa to WinMX and (of course) Bittorrent. I had originally thought this might be this group of online marketeers, but some nifty searching by a website regular soon put paid to that theory. I'm rather glad about that, as the original suspects just seemed too... well... happy?

Conclusion

I've seen some dubious installs in my fun-packed career as a spyware researcher, but this one takes first prize. Although 175 megabytes is not the actual size of the Adware installed, the main point of this package is to hit you with Adware (and not to give you a half-hour cartoon that you could have taped for free), so in real terms 175 megabytes is the overall size of the intent, and that's what matters. Someone out there is quite happy for people to gobble up bandwidth and sit around for three or four hours, only to come back to the PC and promptly whack it with all kinds of junk.

If it was made clear that the Adware was optional then this wouldn't sit as badly as it does with me - but yet again, the parties involved have chosen methods that sit right on the borderline of respectability.

Ultimately, it won't be people like me that take Direct Revenue down, or even Antispyware vendors. It will be every single angry individual who has fallen for scams like this and become obsessed with gaining some kind of payback, however small. People like 3DJelly, a newcomer to my forum who provided me with the link to this install, who are so sick of tactics like these that they will continue to feed guys like me with URLs, files, scams and rumours that we will explore and create a whole heap of noise about.

Ultimately, they will drive the Nail in Aurora's cross - we're just providing a very large hammer to knock it in.

/ EDIT - Apparently MarketingMetrixGroup.com was just hacked. I would like to say (as someone who works in security and has experienced such a tactic) that defacing a webpage, whatever the intention, is not the answer, totally illegal and just creates more problems. I'd also like to mention that upon further investigation, WhenU were NOT a part of this bundle. There's an advert pop-up window that displays a blue figure very similar to the WhenU logo. However, I can confirm that this software is not related to WhenU in any way. Their inclusion in the finished piece was an accidental leftover from draft stage. Apologies to WhenU.


All Content © Vitalsecurity.org 2006. The content of this site is entirely the opinion of Paperghost, and is in no way endorsed by FaceTime Communications. In other words - have a problem, come see me.