How deep does the IM rabbit hole go
Using established virus techniques to push a huge bundle of Adware in IM land is bad enough. But now it looks like someone has had the bright idea of pushing something on a bunch of kid-themed sites. In fact, they have been since last year. But what is the connection between this and current events? Let's look at the evidence.
My good friend Roger Karlsson of Kephyr.com heeded my call and let me know about a number of sites that push AIM chat / smiley tools. Nothing new about Adware being bundled there, you might say - though something approaching 20MB of unwanted software is never a good thing. These three sites have (for no apparent reason) an .exe sitting on them. This .exe is, you guessed it, a really bad thing. Agree to the install, and you're whackalised with unwanted installs. No EULA, nothing. Even more maddening, the sites have an "uninstall" page mentioning some of the programs, but what kid is going to scroll down to the bottom when a dialogue box is sitting in the middle of the page asking them to do something?
Roger leads you through the installs, with logs and images for you to get your teeth into. But are you ready for the twist? After playing with the install, I was amazed to find that the bundle, the installers, the places the files are called from and (more importantly) the icons left on the desktop are almost exactly the same as the IM installs covered previously. You even get Aurora with this one!
Check out the screenshot...note the exact same payload material. There's 180 SA, Media-Motor, Slotch, SideFind, Aurora and (because no crazy install would be complete without it) the WebSearch Toolbar agreement. Experiencing déjà vu yet? How about this: in the original installs, a bunch of desktop icons were added to the test system. Although I didn't include any screenshots of these, I kept hold of some and I'm rather glad I did. In addition, these icons were referenced previously. Think back to the article on Spywareguide.com. Flashback time: "...and numerous other toolbars, desktop icons and instant messaging software such as IMGiant" (is installed on the system). Well, check this out for compare and contrast!
The first screenshot is from the Buddy-icons.us installer. Ignore the virtual bouncer popup and the WebSearch Toolbar agreement. Note the two icons I've highlighted - specifically, the text for the Joystick icon "Free games to win real cash", and the IMGiant Instant Messenger.
You can see where I'm going with this, can't you?
The second screenshot ties it all up in a neat little bundle.
Though the majority of the icons are hidden by the explosion of popups, you can clearly see the text from the joystick icon and (more importantly) a clean view of the IMGiant Instant Messenger.
Joining the dots rules.
Of course, I have more logs which I'm sure Wayne Porter will be interested to see, especially as unwilling participants such as Amazon are now being dragged into the mix. This slow burner is now reaching melting point, and this is just the start.
Oh, and what was I saying about this file being a potential dry run? Well, these things have been sitting on some of these sites since as far back as October 2004 (the Google cache is a wonderful thing). If I were a betting man, I'd say this was the dry run, and some of the players in these first bundles had been cut for whatever reason.
More than likely, the reason is that this thing sucked and they wanted no part of it. But to the unfortunate individuals whose software is chugging away in these bundles......
.........how do you not know about this?!