Zango, the FTC and...Licat
You'll have seen this information on any number of a zillion websites, but let's run with ZDNet because they rock: Adware manufacturer Zango has reached an agreement with the Federal Trade Commission in response to charges that it breached federal law by deceptively installing advertising software on consumers' PCs without a clear means of removal. According to the terms of the settlement announced Friday, Zango's principals--co-founders Keith Smith and Daniel Todd--must pay $3 million to cover illegally obtained profits. Additionally, the company must adhere to FTC regulations that bar it from loading programs onto customers' computers and monitoring them without their consent. The programs also must include a feature that allows customers to uninstall the software easily.
Zango's executives pointed a finger elsewhere, claiming that the federal violations were due to third-party distributors rather than the software manufacturer itself. "We relied too heavily on our affiliates to enforce our customer notice and consent policies," said CEO Keith Smith. "Unfortunately, this allowed deceptive third parties to exploit our system to the detriment of consumers, our advertisers, and our publishing partners." Smith went on to say that Zango would "embrace the new standards" required by the FTC.
Better get embracing a little harder guys, because not so long ago (while compiling a series of upcoming SPG writeups on a particularly savage version of the Licat Worm that dumps as much crap on your PC as possible then randomly blue-screens it), look what popped up:
....whoops. For those of you in the cheap seats (click the image, you maniacs), it's a version of that stupid Sudoku game (which I loathe with a vengeance - we all know the best things to come from Japan are big choppy swords and cartoons with tentacles) provided by Zango. I would imagine the gooseberry behind these IM Infections makes some dough from each install (because otherwise what's the point of popping the box), but once again the pre-ticked agreement Zango employs is something of a pain here because of the way a lot of the installer prompts pop up on some kind of time delay. While the end-user is randomly clicking stuff on the desktop to make it go away, it's all too easy to accidentally click "Finish" and install the Zango Adware - for God's sake, sort your affiliates out or get rid of the pre-ticked box already.
If you like stuff that moves - I believe you young whippersnappers call them "movies" - here's a short clip (1.40MB .avi file) of the already mangled desktop (TagASaurus! Hooray!) and the Zango box popping open, shortly before the VM box bluescreens. You'll likely need the VMware codec to play it, which can be obtained here.
So, where do these wonderful installers come from?
Well, there's a whole pile of these Licat variants emerging from a number of sites related to Uglyphotos.net - a well known hijack site that's been causing problems for some time now. It's produced everything from bog-standard IM infections to files that send infection messages offline.
The offline message sending thing is pretty clever, actually - it takes advantage of the offline messaging feature of the new MSN Messenger program. I'm not sure if the Kaspersky guys ever got this offline message sending thing to work, but after a little Kung-Fu mayhem in the lab, wouldn't you know it if good old PG brought the smackdown:
...bada-bing!
Anyway, these infection files are pretty nasty and shunt a whole heap o'crud onto your PC.
In one case, we saw close to five hundred megabytes of individual files, programs and God knows what else installed on the target machine. As you can imagine, it wasn't particularly pleased about it and requested more leather belts to bite down on as the infection went about its business.
A random selection of stuffage from a typical Uglyphotos install can be seen here, here and here. For those of you who prefer a more graphical snapshot of things, try here, here and here. In amongst the wreckage, you'll see everyone from UCMore to Dollar Revenue - looks like everyone is invited to the party! As mentioned earlier, the version that pops the Zango installer prompt has a nasty habit of blue-screening the computer too, and unless you know how to enter Safe Mode with all networking stuff switched off, your PC will become a very expensive paperweight. Even then, there's no guarantee you'll bring it back to life - it took me frikkin' ages to get back into the infected PC.
Interestingly enough, digging through the code reveals what appears to be a name (highlighted in red, click to enlarge and all that jazz).
A handful of searches for Gerben eventually took me to a blank "placeholder" page, with an "OWNED" counter presumably keeping track of how many people have been leet hax0red by this awesome collection of IM infection files. When you check out the source code, you can see the guy's name - coincidence? Probably not:
...nice! You can see the OWNED counter at the top, there.
The conclusion of all this is that there's still a big pit of craptacular out there if you know where to look - and Zango will have to work extra hard to ensure they don't keep appearing in writeups like this one. Interestingly, Wired Magazine said that Ben Edelman "...has proof that Zango hasn't really cleaned up its act and that he'll post his proof in the coming weeks".
Should be an interesting couple of weeks.
More Coverage: WebProNews Slashdot