All articles licensed under a Creative Commons License.
 









Saturday, December 24, 2005

Is the unauthorised BitTorrent install a valid excuse for an illegal file-sharer?

One of the big questions flying around as a result of the "BitTorrent installs" lately:

Is getting this on a system a valid excuse for an illegal file sharer?

And, in an even more extreme scenario, would someone willingly install this on their PC, just to get hold of pirated files and then claim no responsibility for what happened? Well, let's take a look...

First off, I think both of the above can be answered in one shuddering word:

No.

Why is this? Well, let's roll with the "extreme" example and work backwards. All of a sudden, I'm seeing a whole bunch of posts on forums saying "Rootkits rule", and words to that effect. Good old Rootkit makers.

Whoops, sorry - Rootkit makers suck. They suck big time. And they still don't suck as much as the Rootkits themselves.

"Oh well. I usually don't like root-kit makers but this is totally cool"

If you think having your machine turned into a zombie, and all your personal data syphoned off for the sake of being able to "justify" a few crummy movie files on your PC is a good thing, I'd like to mention at this point that I am indeed the wallet inspector and I've come to check your change.

As for purposely installing the rootkit and getting tons of illegal movie funnage onto your PC, then claiming no responsibility when the feds kick your door down at 3AM or whatever, well, that isn't really going to work either.

1) We first saw this install take place on a sample selection of PCs infected with the original Lockx.exe Rootkit bundle. Though there are still lots of machines out there with this on, not all of them got the BitTorrent install - and they stopped the distribution almost as quickly as it started.

2) The people behind this are still piping movies - this is evident from some of the comments I've seen on various forums. The problem is trying to work out exactly what slice of (potentially) a few hundred thousand infected users these guys have designated as guinea-pigs.

Again - if initially infected by this thing, you don't automatically get BitTorrent installed - you'd get a Rootkit. You may get some Adware. You'll probably get a few bonus Trojans and Viruses, too.

But BitTorrent? Not at the outset. And are you willing to let all that junk sit there while you await pirated-movie heaven? I doubt it.

3) This is the killer - the bad guys choose what films to pipe onto your PC, not you. This means episodes of Timon and Pumba, and (of course) Mr Bean. This does not mean Star Wars 15 and Spider-Man 5.

If you're a mega-leet movie pirate, are you going to install a hit-it-and-hope Rootkit package, or just go to your regular file-swapping place and get hold of the file you want with little to no effort?

Exactly.

So, in summary - I wouldn't rely on the "It was the virus wot done it, Guv" defence.

It kind of sucks.


Tuesday, December 20, 2005

BitTorrent Reloaded: Unauthorised installs lead to pirated movie files on victim's PCs

Yep, the title is a mouthful but you heard it correctly: those crazy guys behind the Middle-East connected Rootkit-powered Botnet (phew! mouthful alert) experimented with something I haven't seen before, and we have the details over at Spywareguide.com.

In short - along with the second wave of installs that prompted FaceTime to go public with their findings (that would be my guys), the group behind all this auto-installed a version of BitTorrent onto the PCs already infected with the Lockx.exe Rootkit - crazy enough, yes? But then they went one further and started pumping movie files down the pipes, onto a sizeable chunk of those infected machines. You can, of course, see some of the BitTorrent files placed onto the PC in the lovely picture.

Why? Not sure. Some kind of proof-of-concept test-run? Highly likely. Especially as they cut it short, and went back to goofing around with more rootkits. Thing is, I've heard rumours (on the Internets) that some other hacking groups have picked this technique up, and will be running with it shortly.

Better to prepare the troops, right?

Bad enough these creeps are whacking PCs left, right and centre with Rootkits. Even worse that it looks like they're messing with BitTorrent and pumping movies all over the place. There's so many issues with that, I don't know where to start. What would the RIAA angle be on it? Or the other "kill the pirate" type groups? Would they crash down on anybody unfortunate enough to have ended up with this on board, their only "crime" to be whacked by a creepy Rootkit via IM?

Well, seeing as stories are currently flying about regarding people being sued for file-sharing (with no PC!), and Pearworks being rugby-tackled for providing a lyrics search facility, it's quite probable.

Now, last time I covered BitTorrent, everything went nuts and lots of people thought I had some kind of crazy "anti-filesharing" thing going on - because we all love BitTorrent forums being splattered with large Adware bundles, right? Dvorak - whoops. When the great "Avalanche" invasion begins, I'll let you know.

Doh.

The sad thing this time round is, I'm not even that surprised by this latest development - when you think about it, it's quite a shocker - but as this "top ten" list of spyware installs graphically illustrates, there's not a lot left to slap us upside the head anymore.

As an example of the kinds of crazy things people are now trying out, using infected PCs as guinea-pigs for whackjob experiments with BitTorrent, it deserves a mention at the very least.

This time round, we can be thankful it was just copies of Mr Bean(!) and Disney cartoons(!!). How about next time? If they're really malicious, they could pipe a user pretty much anything they feel like.

Illegal porn for the win? Quite possibly. Or how about some of those lovely spyware infected media files that were dug up not so long ago?

See where this one could go? The more you think about it, the nastier it gets.

And as we have seen with these guys (who are currently under investigation from the FBI and other Federal Authorities) - they don't get bored and go home. Hacking groups in the East are experiencing something of a Digital Renaissance at present - they're talented, they have the cash to fund their little games, and they're out to prove a point.

The whole Rootkit-powered Botnet thing that FaceTime cracked was amazing for its depth of attack and the sheer cheek of what they were up to - but this takes things to a whole new level.

2006 - bound to be a vintage year. And I ain't talking about the wine...

Update - Over 1,000 "Diggs" on Digg.com, and an Eweek writeup. I'd like to apologise for the hundreds of websites now putting pictures of Mr Bean all over the place. Especially the one where he has the turkey on his head. Mr Bean does indeed ride again...


Wednesday, September 14, 2005

Major BitTorrent Adware distribution underway?

I got so much trouble on my mind - refuse, to lose!

Look what I found - none other than Marketing Metrix Group - they live! Yes, that's right - the guys behind the, er, wonderful BitTorrent Adware installers that kicked off World War Three not so long ago have returned. When we last saw them (old version of their frontpage here), their site had been hacked, their empire crumbled to the ground, the BitTorrent bundles pulled from networks at something approaching warp-speed and companies were posting apologies left, right and centre.

I'm not surprised, given that there were incorrect / flawed licence agreements, apparently unlicenced copyrighted mediafiles (whose licencing responsibility lay with the companies whose software was bundled....whoops!), and (of course) the potential underage-pornography that Dave Methvin discovered in his continued investigation of the BitTorrent madness.

Well, guess what - I don't know if this is a coincidence. I don't know if MMG are involved in this latest escapade. But I do know from a fellow security pro that there is a new BitTorrent distribution campaign underway, and it is something of a biggie from all accounts.

And I quote:

They appear to have set up several blocks of IP addresses hosted on different servers across the country. There were more than 100 computers seeding each file, and a lot of them appear to be controlled by...

...But that would be telling, wouldn't it?

This investigation is only just getting started - expect multiple sources to be dig, dig, digging up information left, right and centre on this one. Last time someone attempted this, I descended upon them like some rage-fuelled demon from the pits of Hell itself, such was my anger at what was being perpetrated. This time round, the files are likely to be licenced correctly, the notification will be better and I severely doubt there will be any illegal content. Nothing could possibly be as messed up as last time.

However...

That doesn't mean I agree with it. BitTorrent represents something much better than a place where money can be made - it represents a thought, an idea that can help the little people, the lesser companies and the poorer man in many, many ways. As Bram Cohen, creator of BitTorrent once said:

"Distributing stuff that is clearly illegal with BitTorrent is a really dumb idea," said Cohen, who advocates using the software to distribute large uncopyrighted files such as open-source programs. "BitTorrent doesn't have any anonymity features. There are things about it that make it very incompatible with anonymity."

Though this new content is likely not illegal, it doesn't mean I want to see it going on. After what happened last time, the mere mention of "Bit" followed by "Torrent" is enough to make my blood boil. Then throw in "Bundle" and you have Black Steel in the hour of Chaos.

And so it begins...


Friday, July 08, 2005

180 Solutions and CDT take the train to Bittorrent land

Yes, that's right - 180 Solutions thought it'd be a great idea to not only pursue Bittorrent installer bundles, but kind of mess up on the "this is what's included" front. Hmm....because the last coverage of this kind of thing generated so much good publicity, right?

Same old, same old? Blame the affiliates? Bore us all to death with a "whoops, we got them" and a "same time next month"?

You bet. So come with me and check out the latest great bit of kit in Bittorrent land...

Oh wow! Tiny white teen! Yeah, the tinier the better!...

Is it just me or does calling your bundle that seem somewhat dubious right from the getgo? Mind you, the last one was called "Super Young Hottie gets Fucked" so maybe it's part of a trilogy. Will I be able to get it on DVD? Anyway, running the thing presents an installer that is somewhat similar to the MMG effort, except this time round there seem to be even more omissions with regards anything approaching proper disclosure. For example:

Mediagateway is installed with no mention. Not even a whisper. As Dave Methvin over at PCPitstop.com mentions, this is now the responsibility of 180 Solutions, as it is a byproduct of CDT, a company they bought in March 2005.

Belcaro's Shopathomeselect (mouthful alert!) has been bundled in with pornographic content - again. Last time, they had a good moan about this but didn't actually seem to do much about it. They have been informed of this bundle by Dave Methvin, but simply trotted out the same "Oh, that's awful! You wascally wabbbits, you!" line. Well, excuse me while I blow up some balloons and have a party. If they cared so much, would they not contact the distributors immediately and start screaming the place down? I know I would. Who knows, they might be doing that right now. Though I suspect they will do nothing until the next press release when it turns out they have been bundled with - you guessed it - more hot and horny hardcore. Again.

Isn't 180 Solutions supposed to have stopped bundling all non-180 Solutions products? Here is a guy from 180 Solutions. Watch as these words spill out of his mouth:

"One of the challenges with the business model in our space, where we work with distributors and affiliates, is that we don't have as much control as we like," said Todd Sawicki, director of marketing for 180Solutions. "This will give us more direct control over how our software will be downloaded."

Yeah - because this looks like direct control!

Did you buy them out and forget to put someone at the helm who might have thought this was the suckiest install ever? What's the point of buying a distributor of yours to clean up dodge, when in reality dodge is being bulldozed and turned into a multistorey carpark with optional stains in the elevator and "interesting" smells?

Whatever happened to the code of conduct? Did it get stuck in said lift with a homeless guy and a bottle of the good stuff?

Anyway, back to the installer. Last time, you didn't actually have to agree to the licence to get your hands on the content. This time round, the force is strong and their Jedi skills have grown beyond the levels reached by MMG. This time - get this - you actually have to click "yes" to get the file! What a mind job. However, all is not well here. Upon install, all the products hooked themselves into the test PC, but my hornyporn seemed strangely absent. Where was it? Was there even any included?

Well, after some frantic digging, I finally discovered my Mpegs had been buried in a My Documents folder. Phew! And look - lots and lots of movie files! Value for money? Well, you know this is going to end badly. And this is how it went down. Click the image, spot the problem and win a coconut...

AAARGH! So let me get this straight - I installed all your stuff to make you some money, and I can't even watch my damn porno?!? Why do none of the files work? How come the advertising software runs without a hitch? Why are my porno Mpegs stuffed in some random folder I have to go looking for? Why isn't it plastered all over my desktop (Warning - exposed boobs and bums), where I can get a good look at it? If you're gonna' do it, at least do it right for God's sake. I demand fully working, easy to find hardcore pornography for all the family!

Is this a case of me having to jump back into the world of P2P? Of having to dig up more wonderful examples of how not to do things?

You bet. Polish the guns, get the horses ready and prepare to ride out. My gun is big, my horse is scary and my attention is focused on something new to play with. Heed my suggested words of wisdom and pull these things now, while things are still quiet.

I said some time ago that a Revolution was the Solution. When politicians, Governments and the other people you rely on to make things right let you down, the only thing you have left is a public voice. When that voice is amplified by the masses, you will instigate change in a way you never thought possible. Move those mountains, drain those oceans and make way for a shuddering blast, haymaker style, of overwhelming public opinion and agreement. As long as we have that, the power to effect change will always remain.

This Revolution is now in full effect, and while the revolution will not be televised, it does not need to be. A few slabs of HTML will suffice. Make your banners, cover your faces with rags and step into the world of fighting the powers that be. Like the poem goes - this revolution will be no re-run. This revolution will be live.

And if Dave Methvin gets no answers from 180 Solutions or CDT?...well, we know what happened last time. Do we really need another few weeks of kicking ass and taking names? Massive, ugly revelations of things that should never have lumbered off the operating table?

Of course we don't.

So do us all a favour and finish that tombstone off, before I get my chisel out and set to work.


Friday, June 24, 2005

Counterpoint

Someone just alerted me to an interesting read. Actually, two.

You may or may not have seen this - in it, the world and its uncle are accused of a grand Microsoft world domination takeover, with me at the helm. No doubt dressed in black robes and swinging a lightsaber. Well, you probably already saw my response to John C Dvorak, but what you might not have seen are some of the pieces springing up in direct contrast to what he wrote.

The first - Wayne Porter of XBlock systems. If I die young, I want "The Zaphod Beeblebrox of spyware fighting" stamped across my gravestone. Of course, I'll need 24/7 protection to ensure my remains aren't dug up and hung from a tree with a "BT Pwns jo0 sucka!!112" sticker pasted to my forehead.

The second - Steven J Vaughan-Williams, a fittingly musical surname to my vaguely witty title. In it, he calmly and rationally asserts why there is indeed no "grand conspiracy" against Bittorrent - only against the kind of marketing campaign we saw launched into its relatively infestation-free world. You may remember the original article on EWeek - in it, a perfectly reasonable discussion about the MMG bundles that were filling up numerous sites in Bittorrent land was twisted into something that had no similarity to the original piece. A definite case of Rise, Lord Vader if ever there was one. Immediately, people started screaming for blood and, without actually checking the facts regarding what was actually going on (it seems), rafts of people jumped on the bandwagon, outraged that someone said Bittorrent itself was full of spyware.

The sad part was, nobody did. What we said was that a company called MMG was spreading a pile of installers across Bittorrent sites (not inside the client itself) that were not all they appeared to be. This represented the first major foray into Bittorrent land for the big players of Adware. Unfortunately for them, they didn't do their homework and (before you could blink), they were embroiled in questions regarding both the content MMG were providing, and the rather out of date licence agreements they were pushing. Companies that were desperately trying to prove they were "legit" were now watching any hard work done unravel at the speed of light, as more and more dubious stories emerged regarding the mediafiles - culminating in this.

With a handful of weblog articles, I managed to get a number of companies to actually say, Holy shit, this is actually getting worse by the second, and drop all connections with MMG. I'd like to think this was something of an achievement. Perhaps the Adware companies involved will look back and actually appreciate how hard I was on them, in retrospect of what was eventually found by Dave Methvin in one of the bundles. Talk about in the nick of time, eh? I wonder what would have happened if anyone had come out in MMG's defence before that (rather large) revelation.

However - then the bad winds blew. Like Yoda clambering through some air vents, I was forced to stand my ground in a blast of stupidly over the top hatred, from people who just didn't understand what this was all about. I don't know why this happens every time my site breaks a story, but I shouldn't have to expend a portion of research energy on "the flame wars". But if that's what it takes, so be it. I'm still here, and I don't give a rat's ass.

The emails, forum abuse, hundreds of spam flames which didn't make any sense - and this article, which simply prompted a deluge of hatred, detracting attention from a distribution campaign that now has a suggestion of totally illegal pornography to boot. What's even stupider is some of the journalists involved getting heaped with abuse too. I'm fairly certain none of those guys work for RIAA, or have teleconferences with Metallica.

My name was dragged through the mud, my knowledge, experience and previous work questioned, and I was held up to be ridiculed as an example of "the world's greatest Microsoft stooge". I wonder if you can get a mug with that on.

The craziest part was the phonecalls I received - some creepy, some utterly deranged. Honestly, I didn't realise some people got such a boner over shouting at people. I had my own little way of dealing with that, though. The best encounter was the guy who yelled when he connected, only to be totally and utterly confused when I pretended to be a sex line. "Village Chat", for men who like to be men. He'd hung up before I even told him it was £5.00 a minute.

Then the counterpoint started to thread its way across the airwaves - more and more people from the antispyware industry not only confirmed what I had been saying all along, but added to the overall piece with new insights and revelations about MMG. Still, nobody listened and the flames continued. Then Eweek's Vaughan-Williams posted his view of the situation, and it does seem to suggest something has gone seriously wrong when a fellow Ziff Davis site feels the need to present an "alternate view" (read: asskick). I wonder if they all work in the same office and have bunfights across the desks.

End result? The arguments are still raging, but will likely die away as people get bored and move on to something else. The original body of evidence still stands, and I will likely post one more article on this entire fiasco if MMG ever manage to resurface and answer the questions we all want to hit them with. In particular, how they managed to have what looks like an affiliate of theirs screw up so royally, and how no stringent QC checks were in place.

It's bad enough that the Adware guys don't seem to be able to police their own networks, but when the guys charged with actually distributing the stuff can't keep their own house in order, everyone involved is just asking for a big plate of trouble, with a side order of whupass to go.


Wednesday, June 22, 2005

Why underage porn is bad PR

Amazing as it sounds, the sorry case of the first major Bittorrent Adware marketing campaign has gotten worse, both in terms of what it means as a warning for those who ended up becoming involved and those who would possibly ever think of considering that this was, in any way, shape or form, a vaguely good idea.

Bittorrent didn't have this kind of problem before. The odd rogue Malware bundles, sure, but not a clear and concise marketing campaign. And as Dave Methvin of PCPitstop.com points out in his utterly explosive writeup, he had been tracking these things for quite some time too. Since May, as a matter of fact. And what he has potentially discovered, is enough to make every Adware company out there want to examine every single last detail of a distribution deal down to the last ounce in future...

Dave: In reviewing comments on BitTorrent forums, it appears that MMG's infected files had been posted as early as mid-April. Administrators of the BitTorrent sites removed the files and/or banned the users when someone reported them, but it sometimes took several days before this occurred. This provided a window of opportunity where the downloader would be unaware of the effects of MMG's file and continue to share it for others to download.

MMG seemed particularly busy with new files on Fridays, perhaps in the hopes that the admins would be away for the weekend and unable to clean up the mess for a while. Although I observed several files that were hundreds of megabytes during May, the later posts tended to be less than 50 megabytes; perhaps MMG was betting that more people would successfully download short files before warnings were posted and the files removed.

So here we have the first inkling of this infestation, which increased dramatically as time went on. The first "shocker" with this was that the MMG installers did not disclose every piece of software in every bundle - the second, that a mass of supposedly copyright protected mediafiles were being distributed, and neither the Adware vendors nor MMG seemed to be able to say who exactly had responsibility to licence these files. So far we have undisclosed Adware, seemingly out of date installer licence agreements and potentially copyright infringing mediafiles which would potentially leave the end-user (who assumes the content is legit) in a world of RIAA fun and games. This is already (and you don't need me to point this out), a very bad thing.

However - things would get worse. Especially for the Adware companies who made such a massive mistake in getting involved in this distribution. I actually feel sorry for them - to a degree. As anyone who knows something about anything will generally tell you, play with fire enough times and...well, you can guess the rest. I would also like to state - emphatically - that none of the below accuses (or even suggests) the mentioned (and any unmentioned) Adware companies of being involved in creating, uploading, distributing or having anything at all to do with the media content mentioned, other than simply agreeing to have their software bundled with mediafiles provided by MMG (or some crazy affiliate of theirs who really have taken leave of all common sense). They couldn't possibly have foreseen that things could go in such a wrong direction through the apparent actions of MMG, or else they wouldn't have gotten involved. Though maybe they should have foreseen that, without screening every last ounce of what somebody actually plans to do with their particular distribution, you are just asking for a recipe laced with disaster.

180 Solutions, Direct Revenue, IBIS, Belcaro and a bunch of others have all ended up getting their software involved in a distribution campaign that, as Dave states in his article, potentially...

(Contained)"...adult videos (that) depicted young girls and implied they were under 18 years of age".

That isn't just huge, it's off the frigging scale.

Worse still, companies bundled in the MMG packages that Dave has spoken to have basically said, "None of this is our responsibility, it's MMG's" and (of course) MMG are nowhere to be seen. This is despite Dave trying endlessly to get someone, anyone, to actually take some responsibility for what started out as a "bunch of harmless Adware installs, fall for it and you're stupid, haha" and has ended up as a royal mess. Unlicenced content, undisclosed installs and potentially illegal pornography have all come flying out of the woodwork and although the UA issue will no doubt be investigated, as Dave quite rightfully points out, will anyone actually be penalised for any of this if the allegations are found to be true?

US and Canadian law says that any producer / distributor of porn needs to take reasonable steps to ensure the actors are 18 or over. This means proof of age, records kept etc. As it looks like a fair bit of this stuff was just whizzed from the Internet, there's a chance that some of this depicts actual under 18's. And even if they're not, you can still possibly get into trouble by claiming the actors involved are under 18.

Probably a bad move to have called them "Lolitas", then.

Canadian law, coming up:

(5) It is not a defence to a charge under subsection (2) in respect of a visual representation that the accused believed that a person shown in the representation that is alleged to constitute child pornography was or was depicted as being eighteen years of age or more unless the accused took all reasonable steps to ascertain the age of that person and took all reasonable steps to ensure that, where the person was eighteen years of age or more, the representation did not depict that person as being under the age of eighteen years.

If the courts took a hard line on the strict letter of the law and classed this as UA pornography (and I should add, I'm not a lawyer in any way, shape or form so I honestly don't know what would happen if the girls in the video Dave mentions only appeared to be under 18, even though it was claimed that they were), then this would get real bad, real fast. And if the worst happens and it turns out this video actually does contain girls that are underage...

Then it's probably even worse for MMG that they are based in Canada.

CONCLUSION

So many things have gone wrong with this software distribution package, it's hard to know where to start. It seems like one bad turn of events has followed another, until it reaches the point where you have to wonder if all the Adware vendors simply picked MMG's name out of a hat at random. Actually, if they'd done that they would probably have ended up with a better deal. What can we learn from this?

* In future, every single Adware vendor out there MUST have someone at the quality control helm when picking someone to distribute their software. Holy shit guys, there's now a whiff of possible underage pornography (or implied, which in Canada is just as bad. Did the MMG guys even know their own laws on this?)

How the Hell can this be anything even approaching good PR for anyone who got involved with MMG? You would think companies who pull in as much revenue as the companies I've examined over the past few weeks would get their top legal brass to check every last aspect of a deal like this out, who licenced what files, if anyone would actually have a problem with the chosen method of supply (in this case, the Bittorrent network) and (more importantly) - that no-one from the company charged with throwing these files around would, in a fit of madness, start passing around what according to Dave appears to be possibly illegal content. And if it's not illegal, merely hinting at it (Lolita? Please!) cannot be condoned either. It's a bad idea, a big mistake and infinitely more dubious than any potentially "screwy" install. In other words, if you're going to show "pretend" illegal pornography and also infer that it is by calling it "Lolita", what (really) is the difference in intent and execution between that and the real thing? Are both possibilities not equally sickening?

It's also rather disappointing to see the lack of response Dave has had on this. You would think when something like that was suggested, people would be absolutely falling over themselves to help out. However, it looks like no one is willing to actually drag the guys from MMG into their office and scream at them for ten hours straight in an effort to find out exactly what in God's name they were playing at. It is to the credit of most (if not all) companies that they have apparently severed links with MMG now this has come to light. The problem is that much, much more now needs to be done to make sure something like this does not happen again.

* No more "Adware Bundles" - ever. Though the usual rogue affiliates will continue to do stuff like that regardless of what the parent company does to try and stop them, you would think when the parent company itself has some sort of oversight of the whole project, they would try to ensure that things wouldn't go so utterly tits up as this one has. Apart from the fact that these bundles just tend to kill the host system - how does that make anyone any money - it's obvious that you cannot hope to police your networks in any way, shape or form.

Especially if the guys you picked to distribute your software in the first place managed to screw up so royally.

* Keep away from "new!" channels of distribution, on the basis that people will think it's a "really good idea". They won't. They'll think it will suck. And seeing as how Bittorrent was pretty damn clean to begin with, it was only a matter of time before too many of these files would be available and they would stick out like a big, fat sore thumb.

The only real "good" news from all this is that no-one in their right mind will ever be so silly to attempt a campaign like this in Bittorrent land ever again. Especially bearing in mind what has been found in the PCPitstop article. I still cannot believe that I am sitting round discussing major companies that have managed to wander into something like this by accident. It simply boggles the mind. These are companies that have tried (in some cases) to straighten up some of their installs, their business practices and lots of other things, and then they go and get themselves caught up in something that could undo any good work done purely by association with MMG. If I worked for any of those companies right now, I'd be majorly pissed off. I'd be asking questions. I'd be thinking how on Earth anyone could have allowed this to happen.

For years, we have predicted that, eventually, Adware companies would end up getting stung in a big way by one of these things. The funny thing is, I always thought it would be at the hands of a rogue affiliate - not the company faced with distribution of said software. You know, the seemingly legit guys that the Adware companies have checked out thoroughly and paid lots and lots of money to do it right.

The question now is, what will the Adware vendors mentioned previously do about this? If I were them, I'd be marching down to Canada with a large piece of wood and an angry team of lawyers demanding answers. If the underage porn allegations prove to be true, this will be one stink that will never, ever go away for anyone caught up in the crossfire.

And if it turns out that MMG themselves have a rogue affiliate that has caused this problem, then I would predict that would hopefully mean the end of every single affiliate scheme out there for a very long time.

But that still then leaves the problem of who to actually blame.



Simple facts, told as lies

Simple Lies, Told as Fact.

This is how John C. Dvorak's article begins. It's a lofty piece, full of astounding claims, incredible payoffs and tantalising climaxes.

Unfortunately, it's also complete and utter nonsense. In an amazing piece of trollishness, he attempts on a grand scale to divert attention from what is possibly the MMG installer's lowest depth yet. I will post the second part of this update sometime later today - prepare to be amazed. I'll cut through John's points nice and quick, no hanging him out to dry like Direct Revenue this time.

John: There is no spyware in BitTorrent.

Nobody said there was.

John: There is no way BitTorrent is being tricked into delivering spyware.

Nobody said Bittorrent could be tricked. Last I heard, Bittorrent was an unthinking, unfeeling program. You can't generally "trick" things like that.

John: What specific to BitTorrent is infected? Is it the BitTorrent initiation files?

Is this guy listening? Maybe he should, you know, read the article. You are indeed correct - the client does not contain Adware. But seeing as how nobody said it was in the first place, I don't see the relevance in mentioning it.

John: Or is it the payload? If it's the payload (the media file, for example) then what's it got to do with BitTorrent per se? Nothing, that's what.


Actually, it's got everything to do with it. Bittorrent didn't have this kind of problem before. The odd rogue Malware bundles, sure, but not a clear and concise marketing campaign. And as someone will point out sometime later today, these installers have actually been tracked since May - and my God if he hasn't found something potentially ready to blow the lid off the Adware industry forever.

Let's jump back to John for a second...

John: So again I ask what's this got to do with BitTorrent per se? If BitTorrent didn't exist this file could still be traded in any number of ways. Nothing would change. BitTorrent in this instance is merely the download mechanism. You'd STILL get the spyware if you used something other than BitTorrent. Spotlighting BitTorrent is a cowardly way to discredit the product.


What a strange comment. In case you hadn't noticed, Bittorrent was the primary method of distribution for these installers. You wouldn't get these MMG Adware (because it's Adware, John, not Spyware) bundles from anywhere else on a grand scale, because it didn't exist anywhere else save for a handful of EDonkey distros. If the distribution method for the MMG bundle had been Email, Browser holes or FTP then the "source of these Aurora installs" would have been detailed as those particular programs instead. What's it got to do with Bittorrent, I hear you ask repeatedly? Oh, I don't know, maybe the fact that THIS IS WHERE MMG WERE DISTRIBUTING THE BUNDLES WE'RE DISCUSSING.

Back to John...

John: Whatever the case, someone managed to get his discovery of spyware (spyware is news?) into CNet News, eWeek, and IDG News service, as well as hundreds of blogs talking about how BitTorrent was an "adware distribution vehicle." Hey, BitTorrent will distribute whatever you choose to distribute.

Yeah, Spyware and Adware is most definitely not news. That's why it's always in the news, that's why Spitzer just dragged one of the biggest spyware cases ever through the legal system and that's why every second person you talk to would love to know "how to get x,y or z" off their system. If you have no interest in Spyware issues then fair enough, but please don't make such an ill-informed and ill-judged statement such as that - you're basically saying Antispyware websites shouldn't write about spyware? Uh, that's not going to produce much content, is it?

John: Where Is the News Reporting? What bothered me the most about this episode was that there was no reporting whatsoever regarding the BitTorrent as spyware claims (Whoops, wrong again, no one said Bittorrent was Spyware!) or even the credibility of the renowned MVP Chris Boyd.

Use BitTorrent and you'll get spyware. BitTorrent sucks, and oh, Microsoft has something better, although it's never been shipped—but it's better!

Well done - completely wrong on all counts. Nobody said Bittorrent "sucks", and the accusation that any of these articles imply Microsoft's "Avalanche" P2P system is "better" than Bittorrent is also stupid. Microsoft's Avalanche has never been mentioned on this site, once. Furthermore, all of the Bittorrent articles here are clearly aimed at both MMG and the Adware companies involved. The only affiliation I have with Microsoft is that they awarded me an MVP on the basis of this work - funnily enough, a mass Apache server hack. Note that says Apache, and not Windows Server. If Microsoft do something stupid, I quite happily say so. If they do something good, I quite happily say so. But I have absolutely no interest in their "Avalanche" system whatsoever. I'm surprised Redmond's legal team haven't already kicked your door down and dragged you out for "questioning". Especially when the earliest story I could find on it was from the 16th June - funny, considering I've been chasing these previously-elusive Aurora Bittorrent bundles since May the 11th.

I would also mention the fact that your article keeps repeating that "the client is infected? bittorrent is infected? bittorrent was tricked?" again and again. Why is this?

Ah - perhaps because your article is structured in such a way that on page one, you are clearly insinuating that I say that the BT client is "infected" until about halfway down the page, then drop it - by which point, anyone stupid enough to get bored of reading (yet understand your subtext) then goes and rants about me saying the Bittorrent client was "infected". I did wonder why so many people started questioning my ability to examine Bittorrent source code in the comments. Was it a slow news day or something?

Has anyone from any of the companies involved turned around and said, hey man, there were only like, five installer bundles out there, maximum? Has MMG come out fighting and refuted any of the claims? Or did they get their site hacked, not come back online (as you would reasonably expect them to actually remember to bring their site back up) and absolutely disappear from public view? Did anyone from the Antispyware industry such as Wayne Porter, Alex Eckelberry, Suzi Turner, Wayne Cunningham or anyone working on the numerous security forums out there come out and refute any of this? Or did they all agree with me instead, as they have all done their own research into this as well, leading to numerous posts like this?

It also makes me laugh that the Admins of the sites I helped out personally were incredibly pleased that someone was finally highlighting these installers that, frankly, nobody wanted. I'm guessing admins of other legit sites would no doubt feel the same way. If they're happy with the end result, then I could care less for your blatant attempt to stir up some controversy. The constant refusal of people to look at this issue from a Tracker / Torrent Admin's perspective (or even an end-user who is at risk from falling for something like this) is incredible. It almost makes me think you have a hidden agenda of your own.

Later on today (at some point), I will be posting something that will put your "piece" into sharp focus, and provide a cutting and exact reason as to why this particular type of bundle deserves to have made front page news - regardless of the distribution method.

But thanks for the extra traffic, it's appreciated.


Friday, June 17, 2005

Direct Revenue respond...

I have absolutely no problem with heaping out credit where credit is due - especially when that credit involves shutting down a rogue affiliate. Even more so when that rogue affiliate exists in the world of Adware - because all too often, it's the easiest thing in the world for the makers of the software installed to wash their hands of all responsibility. That has been a common staple of the Adware industry for years, and the most common excuse made when things go wrong.

So with that in mind, I will happily publish the below letter from Direct Revenue. I'm still going to write about installs that I feel to be rogue, I'm still not impressed with the whole Aurora issue, and I still don't agree with many of the practices employed by various companies whose products fall (rightly or wrongly) under the banner of "Adware". I also take issue with the article regarding Aurora's distribution being labelled as "deceptive". Apart from that, it certainly doesn't fix the problem overnight - it's just one small chunk of rogue site gone wrong action shut down - but it would be unrealistic to assume such a thing could be achieved with no time given to set things straight.

Simply writing about what's out in the wild has had an impact, and has resulted in the following. I'll give Direct Revenue a little breathing space now - they're likely aware of the issues, problems and maybe even controversy surrounding Aurora...I've made my point. And I don't need to keep banging on about it. So as a result of the below action taken, I will (for now) retreat back into the shadows and give them some time to see if they can sort out some of these botched installs.

June 16, 2005

Mr. Christopher Boyd
Vitalsecurity.org

Thank you for posting the video on Vitalsecurity.org today showing an improper download of Direct Revenue Software. We have identified the third-party distribution channel responsible for the download in question, confirmed that the download of our software was occurring in breach of our distribution agreement and without user consent and, as is our policy in such matters, we have shut down the distribution channel responsible for the offence.

Well done - it's a start.

Incidentally, I just saw this - I would like to point out no-one at this site has confirmed (or indeed definitively stated) that any of the media files included in the MMG bundles were unlicenced, as MMG have not (to my knowledge) made any public statement concerning this one way or another.


Thursday, June 16, 2005

Direct Revenue: My Response

...ahahahaha! Someone sounds rattled!

Where?

Here.

In an interview just given with Eweek.com, a tale of two cities is presented - one where thousands of people have ended up with Aurora on their systems and wished they could get a can of industrial strength bug-spray to clean the damn thing out.

The other is a place where Aurora is a "valuable marketing proposition" and everybody can't wait to have anything up to five advertising windows popped open at the same time.

In other words, Daniel Doman (chief technology officer for Direct Revenue) sounds a touch rattled by the increased attention paid to their "toy" - it's a long time since I saw someone come across as that defensive in an interview. Even better, he appeared to miss the point of this article completely. So in the spirit of fair play (and because I love stuff like this), what follows is a breakdown of the above article with my responses to this guy's vaguely panicked sounding "accusations". Don't worry, I'll be fine. I've seen Eric Howes do this hundreds of times...

In the red corner:

...Chris Boyd, a renowned security researcher who runs the Vitalsecurity.org nonprofit resource center, the warm and fuzzy world of BitTorrent has been invaded by a massive software distribution campaign linked to New York-based adware purveyor Direct Revenue LLC.

"This is the marketing campaign to end all marketing campaigns," said Boyd, the Microsoft Security MVP (most valuable professional) known throughout the security industry by the "Paperghost" moniker.

In the blue corner:

...Direct Revenue chief technology officer Daniel Doman said MMG is "one of many affiliates" used to distribute Aurora. "They [MMG] specialize in doing content distribution on peer-to-peer channels, and we think they provide an easy mechanism for people like us who want to monetize software or content."

Ding-ding, round one...


1) Direct Revenue admitted to using MMG to push Aurora distributions via BitTorrent, but insisted that the actual adware installation was done with adequate and up-front disclosure.

Okay Daniel, tell me - the ONLY place an Aurora / Ceres install is disclosed is here:



All the components of this install - the MMG front-end, the WinRaR self-extracting executable and (of course), the adware bundle are all completely separate...it's not like they're all fused together in one massive slab of programming. So with that in mind, how could you guarantee that all of these files contain links to the relevant licence agreements? Is there some heavy-duty smackdown waiting in the wings for MMG should such a thing occur? Surely there's no way MMG would ever manage to do such a thing - install something without clear and full disclosure?....

........WHOOPS! Because here is an example of them doing just that!

That's right - someone at MMG was obviously off sick that day, because there is, and I'm going to put this in big red letters so nobody misunderstands - AN INSTALL OF 180 SOLUTIONS SEARCH ASSISTANT WITHOUT ANY FORM OF LICENCE AGREEMENT DISPLAYED.

Unless it's written in invisible ink, your claims that MMG disclose all of the installs in those bundles have already been blown out of the water, and I haven't even started ranting yet!

Ding-ding, round Two...

2) Doman, a former director of engineering at DoubleClick Inc., said the increased visibility of Aurora and the "nail.exe" component was not the result of new installations, pointing out that Direct Revenue is auto-updating its file-naming convention to address criticisms that the adware program was hidden on purpose.

Okay, so we heard it again - Direct Revenue absolutely does not install anything without full and clear consent. Ever. It just doesn't happen.

Well, what a pity, because everyone needs to go download this video and see Direct Revenue's software (and I'll say this in big, red letters so nobody misunderstands) -

INSTALL WITHOUT FULL AND INFORMED CONSENT!

In fact, here's a whole page full of spurious installs that are performed with no warnings!

Hey Daniel, are you wishing you hadn't bothered yet?

Ding-ding, round three...

3) He acknowledged that a "grey area" exists in the timing of the disclosure, but insisted that it was done in full compliance with existing laws. "We require all our distributors to fully inform end users about what is being installed. It's a clear opt-in procedure," he said.

...though it's a grey area you'll happily reside in, yes? If you're so confident people will keep Aurora on board, why not actually put the disclosure in an area that radiates a lower shade of grey? What about this install from Fasterxp.com, where Buddy.exe appears to come from a totally different website than the originating source? More timing issues! Perhaps we should all chip in and buy Direct Revenue a stopwatch? And why, if the MMG licence agreement is so upfront, does it not say anywhere that you can run the supplied mediafile (through the WinRaR self-extracting executable) WITHOUT INSTALLING THE ADWARE?

Doman described Boyd's posts on VitalSecurity.org as "misleading" and pointed out that the screenshots provided by the researcher "clearly show full disclosure" before the Aurora program is installed.

"The user is downloading something through BitTorrent that is ad-supported and [Boyd's screenshot] shows the disclosure that is provided. The idea that somehow the download is surreptitious is wrong. It's very apparent that if the BitTorrent user goes through with the MMG download, they agree to install the ad-supported software."

Hey Daniel - without wanting to sound picky, you missed the entire point of this article. The piece was merely highlighting where the apparent flood of Aurora installs was coming from. Nobody accused you of "surreptitious installs". In fact, you'll see I was actually rather generous, taking into account all of the above:

"As always, Direct Revenue do the absolute bare minimum to claim they have covered themselves with their ad-spewing nightmares."

Very generous! Riddle me this:

Why does the licence agreement in these MMG installs show a generic licence agreement that does not mention Aurora / Ceres, rather than the Aurora / Ceres specific licence agreements? Could it be that if the end-user knew what was going to be placed on their system - namely, the frankly scary Aurora - they would flat out refuse the install? Aurora, so beloved by the general populace that companies with Aurora in their name are now resorting to putting pages like this up because they're getting so much grief aimed at them? And I quote...

"Neither Aurora Networks nor any of its employees are in any way associated with this obnoxious behavior or the miscreants responsible for their creation."

Ouch!

Ding-ding, final round...

4) Answer this for me - we have already seen:

a) A MMG install of 180 Solutions where no licence agreement is displayed
b) A raft of videos displaying elements of Direct Revenue software being installed with no warning, licence agreement, informed consent or anything else (quick! Blame the affiliates!)
c) A bunch of "grey area" installs that you are apparently quite happy to continue with, as it just about falls inside the long arm of the law. Well done.

Here is one final question for you:

Taking into account the behaviour mentioned above by MMG, can you absolutely, positively guarantee that every single mediafile included on those installers - including The Club By Paul Oakenfold 2005, System of a Down: Mesmerize (the full album!) and an episode of Family Guy - have all been licenced for use? Because it's funny - the MMG installer is rather cagey regarding licenced content, and virtually every program I have seen - ever - where licenced content was concerned slapped a big, fat warning that the content was okay to be there in the first place.

Luckily, I thought I'd help out with this little mystery, so good news - I'll be checking to make sure all of the Bittorrent files have been signed off correctly! I don't mind putting my years as an intellectual property copyright licencer to good use!

And with that in mind, let's get to the knockout blow - the Licence Agreement for MMG's installer. Important parts highlighted in red:

Our software installation is preceding the source file you have chosen to download. The license agreement of the source file is not covered in this agreement. You will likely be presented with the Source file License agreement during the installation of the source file. Again this agreement pertains only to the software installation process of the Metrix Marketing Group’s 3rd Party Software. This agreement pertains only the software that will be installed should you choose to accept these terms and conditions. We make no representations or warranties with respect to ownership of or copyrights, if any, in the source file software / or digital content that our affiliates distribute. We do not represent others who may claim to be authors or owners of copyright or other rights thereto. Affiliates must obtain all permission(s) when required and are solely responsible for determining the existence of such rights, satisfying any copyright and other use restrictions...and our affiliates expressly assume all responsibility for observing applicable laws of copyright, literary right, trespass, conversion, property right, privacy, publicity, and libel.

Wait - did that just say the guys whose software is bundled with the MMG installer are responsible for licencing that copyrighted content?

I think they did! Way to shaft the guys who are paying you to distribute their software, MMG! Hey, Direct Revenue, 180 Solutions, SearchFind, YourSearchBar and everyone else - I really hope you guys sorted out all that boring copyright stuff with Fox, Sony and all those other big, scary legal-type guys...

...wouldn't it be fun to find out?


Tuesday, June 14, 2005

180 Solutions go to pieces...

...then reassemble themselves with a bang. Confused? Well, I took another trip into Bittorrent land, which is currently rounding up the wagons, painting the town red and hoping for a Clint Eastwood style miracle if their forums are anything to go by.

The problem? A pesky bunch of rogues who have rolled into town with snake-oil and a nasty line in Adware...

It seems MarketingMetrixGroup have friends other than Direct Revenue. Their buddies 180 Solutions are also part of the same pow-wow, and you'd think they would have more sense than to let some (presumably) rogue affiliate go nuts with their software, after the whole Spazbox deal which left them looking rather silly, as well as reducing any gains they had made in the "Improve your reputation" department. However, lightning often strikes twice, and here's another well deserved bolt from the blue for 180 Solutions...

...and let's get it on!

...with a super young hottie. Now, I don't know about you, but super young hotties cause me nothing but trouble. Every single damn time a "super young hotty" creeps up to you online, they arrive with the promise of red-hot love action, then disappear into the night, leaving you short of cash and full of advertising programs. And so it is with this charmingly named installer, "Super young hotty gets fux0red" (Can you spot which word I amended there?)

My passions inflamed with the promise of a seductive cyber-vixen, I rather foolishly run the installer - again, from MMG, with the now familiar installer blurb. Pay close attention to the wonderful chaps named in the agreement:



Now, of the above mentioned companies, only one will actually appear on your system. I'll give you a clue - it's Abetterinternet. However, a certain bunch of guys are so desperate to get a piece of this hot n' horny install that they apparently steamroller their way onto your PC without so much as a whisper! Cue pesky varmint number two...



Huh?!? Let's check that again - 180 Solutions?? But - those guys are supposed to be legit! Those guys are supposed to declare everything! Births, deaths, crazy installs - the lot! Could it be another case of rogue affiliate-itus? Another case of 180 Solutions claiming no responsibility for their hopeless affiliate / distributor selection and monitoring? Could this be an install of 180Search Assistant where a EULA of any description is NOT displayed? Step up to the plate, 180 Solutions Privacy Pledge:

* Our programs are only downloaded with user consent and opt-in.

* All 180solutions’ third-party distributors are required to clearly label that our programs are bundled with their products and to provide consumers with the option to agree to the licensing agreement before they install it. We police distributors to ensure our disclosure rules are adhered to and we prohibit “drive-by” or “silent” installations. Our code of conduct requires that the user is fully aware of and agrees to our End User License Agreement (EULA).

Excuse me, but - whoops! You did it again! Because not only is the aforementioned EULA nowhere to be seen, the only "opt-in" here is for a bunch of other stuff the end-user could well do without! And to prove there's no smoke without fire, here's a shot from the desktop shortly after 180 Search Assistant is installed...



Hmm...making more money through unauthorised installs - nice! What's that? You don't have enough money yet? Ah well, best pop something up on the user's desktop like this then...



Point 1 - This is an advert for Zango, a product of 180 Solutions.

Point 2 - Zango is only downloaded with user consent and opt in.

Point 2 is taken from the Zango privacy pledge. Note the italics - emphasis mine. Now, Adware companies are notorious for attempting to wriggle out of things with semantics and "what's written down". So someone write this down and win a prize if you can tell me:

Where the Hell is the opt-in, the user consent, the privacy policy, the notice of what Zango does anywhere on the above advert? There's nothing except a big red "DOWNLOAD NOW!!!" button. There's nothing to opt in to. Claiming that "consent" is obtained when hitting the download button is spurious, at best.

And consent to what, exactly? Without that EULA information presented, there's nothing to consent to. All you're doing is downloading a file. Would they download it if presented with the EULA beforehand? Possibly not. Informed consent is entirely absent without leave.

They can't wriggle out of this, because they quite clearly say "Downloaded" in their privacy pledge. So there. In addition, the above ad is hosted by Zango themselves, so they can't scream AFFILIATE!!! all over the place either. They did that themselves. So in my eyes, any validity their "privacy pledge" has is flushed right down the pan with that one advert.


And before 180 starts crying that they clearly state when installing that Zango displays ads, let me do this right now:



1) Running the Executable