Instant Messaging Adware: First rogue affiliate dragged into the light?
To all those that create the kind of wonderful bundles we have seen of late, I say this - you cannot hide from me. You cannot escape the soul-crushingly obvious fact that, sooner or later, I am going to discover your secrets and blast them out into the open. And so here we are - a few articles into the IM Adware invasion, and faced with an install of massive proportions. Piles of unwanted software. Multiple points of entry. Websites galore popped open. No EULAs or warning in sight for everything but a single toolbar. What is the common thread? What is the tie that binds all this stuff together? Where is a good place to start, when you're hunting someone responsible for kickstarting an invasion not seen since men in black costumes jackbooted their way across Poland?
I'll tell you.
In a nifty piece of collaboration with Wayne Porter's elite XBlock team (who helped feed information into FaceTime's IMPact Center), we had arrived at our current destination. A few already documented installs, and nothing more. Time for the waiting game, crunching research and (hopefully) a little luck too.
Where was the break coming from?
As luck would have it, at the same time I was rummaging around on Japanese websites downloading .COM files (rather charmingly called "Dontfuckit.COM") that didn't appear to do very much, the XBlock team were analysing another file that did pretty much the same thing as the install covered here. A little more digging, and I stumbled across these guys, Softech-ltd.com, responsible for hosting the previously mentioned Dontfuckit.COM file.
Now, the curious thing about these installers is that they don't always appear to download the same programs each time they are run. Sometimes the download order is changed, sometimes new stuff takes its place instead. And as luck would have it, when running the file the XBlock team discovered on my testbox, something caught my eye in the traffic logger - no prizes for guessing what.
That's right, a familiar URL enters the fray - the good people of Softech-ltd.com. And the very first entry in the log, too! (The full URL for this file has been temporarily removed from the screenshot. In other words, I messed up with MSPaint. So sue me. It will return, however).
A quick clean up of my testbox, and I'm now downloading the .EXE flagged in the log on its own, away from the rest of the mega-bundle. Because I have the faintest of suspicions about this file...
...and wouldn't you know it, if that file is responsible for the install of ALL of the below software, none of which displays a EULA of any description? Can you say rogue affiliate? Because we have a monster here! So, step right up...
searchmiracle.com
180 Solutions Search Assistant
shopathomeselect.com
internet-optimizer.com
...all your programs are being distributed in an outrageously vile fashion! (Click the image to enlarge). Doesn't this make you mad? Doesn't this make you want to go whackalise the affiliate responsible? It should - this is the kind of exploit that can completely shatter any attempt at cleaning up past mistakes. Arguing over spurious points and technicalities during a webpage install is one thing, but this is quite another.
And again - like the first few installs that have been covered so far, the only program that gives the user an option to install is WebSearch Toolbar. Note 180 Search Assistant running in the bottom right-hand corner, and the SearchMiracle toolbar running in IE, complete with "humorous" missing-in-action help page.
Want to know what I think the scariest thing about all this is? The amount of additional information in the log posted at Spywareguide.com. I can't even begin to imagine how long it would take to put all the economic slices together and build something approaching a clear tapestry with regard to the who, what, when, where, why.
Over to you, Wayne?