Yapbrowser: serves up Zango and...child porn?

Looks like another bad day for 180 Solutions.

After Mike Burgess highlighted a new install doing the rounds, some of us in the security community have been playing with it and the results are pretty shocking, in an "oh no not again" kind of way.

Andrew Clover has a rather interesting runthrough here, and you can read my thoughts on the app below. It once again goes to show the hopelessness of trying to maintain affiliate networks where software installs are concerned, and (sadly) will come as no great surprise that someone is gaming the Adware system. For the billionth time.

Andrew has also put a short movie file together, where you can see exactly what Yapbrowser does. Of course, he's obscured the illegal images, and you'll need to download this Codec to view the movie.

Wait, did I say illegal images?

That's right, because we're going to look at a browser search tool, which installs Zango (180 Solutions) software, discloses it, doesn't try to install via a hijack but....and I quote Andrew:

Type a URL into the address bar at the top- any URL, or anything at all, or nothing - and the browser sends you straight to an advert page. An advert page for hardcore child porn sites.

Whoops.

Yapbrowser comes in two different flavours - Adult (complete with the Latin text left over from whatever template they used), and Regular. Regardless of which one you download, they both seem to (not) work equally badly. In fact, the "adult" version doesn't actually work at all, because the download link is bogus. And don't add in what you would imagine the download url to be - you'll be redirected to the UA porn site in the screenshot. Minus the blanked out images.

Another quote from Andrew at this point:

The whois information for yapcash.com, the affiliate scheme for the yapsearch.com site, is given as "John Malkovich" - obviously fake, but with a probably-not-fake e-mail address at yahoo. The same details are used for a group of sites at Eltel, a Russian ISP, including one site that redirects the user to browser exploits at paradise-dialer.com, which load trojans, spyware (via the CWS Cactus group) and dialers (from PremiumBilling, aka Coulomb).

A reputable bunch of people, there! Thank God for being able to weed out the bad actors. I'd hate to think that anyone could've discovered this thing serves up child porn by, you know, running the bugger in a Q&A department. It's not like it's a hidden Easter egg, for God's sake - you come across it by using the primary function of the browsing applicaton. You know, the big, green "Go" button.

Oh well.

There are also some earlier mentions of this thing here, April 7th. Numerous CWS groups are listed, from a document found on a hijack site:

We uncovered a document in Russian at instme.biz and just last Friday at highconvert.com we snagged an updated copy of how they operated in Russian:

...it refers to the yapsearch.com which also includes the yapbrowser.com which they bill it as safe:

"..There is a 100% guarantee no system infection will occur when using our software. YapBrowser is the only browser which gives you safe search and browsing capabilities..."

Yes, incredibly safe. Apart from the go-to-jail-inducing child pornography. No shock that Yapbrowser is mentioned in the same breath as numerous exploits, hijacks and keyloggers.

Highlights from the video:

00:19 seconds: Full disclosure of the Zango software about to be installed, with accept / decline options.

00:23 seconds: The Zango software begins to download onto the PC.

00:46 seconds: Yet another notification, this time from the Yapbrowser application, stating that it doesn't contain anything harmful(!) such as "Bookmarks", "Grecian Horses" and the like. Phew, that's a relief.

1:11 minutes: He clicks the green "go" button, and....child porn! Not just any old UA porn, mind you, but the stuff you have to pay for. $79 for a month, no less.

1:31 minutes: He does a search for the word "Spam" in the Yapbrowser search bar, and the screen goes blank.

1:46 minutes: He types in Microsoft.com, hits the "go" button, and....more child porn!

The slogan for Yapbrowser is "Don't waste your time".

How appropriate.

And, once again, we find a major Adware distributor caught up in the nasty side of the web. This will probably mean another addition to the 180 Solutions in 365 days list. At this rate, Spywarewarrior might have to add a whole new page. As for me, well, 180 already labelled me a wild eyed fanatic (no doubt foaming at the mouth and waving the village idiot bell):

Paperghost and other fanatics, after months and months of saying we don't provide any content in exchange for showing ads, now object to the content we do provide.

...so I'm probably beyond all hope.

However, it's a nice feeling to wake up every morning and know that I've contributed to the general health and wellbeing of our Online world in some small way. I imagine the other "fanatics" feel the same. I can't even begin to get my head around what it must be like, to be contributing to the problem via hopelessly stupid installs like these and seemingly offering up nothing but spin, insults and continued problems galore in return. Sorry guys, but we've heard it all before. This isn't the first screwball install, and it won't be the last, will it?

Stick that in your longtail and smoke it. Oh, and try shutting down Yapbrowser while you're at it. K thx bye.

/ Edit - Just been informed that Techdirt has just picked this up. And of course the ever-rocking Sunbelt guys too. Wayne Porter revisits the ghosts of the past. Meanwhile, Suzi Turner picks up the pieces over at ZDNet and glues them all together. Realtechnews offer up an opinion here.

And the Yapbrowser domains are all down...