From their website, which has apparently only changed recently:
Reaction from the crowd:
A (long) page of my experiences with Direct Revenue here. Document 75 from the NYAG Vs Direct Revenue (which features yours truly) here. Me going head to head with Direct Revenue here. Direct Revenue being completely and utterly owned here. Direct Revenue probably wishing they hadn't called me "deceptive" here.
As this is probably my last ever writeup regarding Direct Revenue, I thought I'd better make it count. With that in mind, I'd just like to send this message to everyone that ever worked there:
Of course, I'm not referring to your common or garden market-stall melons - oh no. I am, in fact, referring to the fine art of the porno popup. Ah, where would we be without frantic BLAAARGHWHATSTHATMIDGETDOINGTOTHEOCTOPUS - type howls of anguish, as six thousand individual popups lurch onto your PC at the exact moment your mother walks into the room with a "lovely cup of tea dear", before breaking down into hysterics wondering where her little Jimmy went wrong?
Ben Edelman wades bravely into the fray, taking one for the team and ploughing through pornographic popup after pornographic popup. It's okay, people - he's a trained professional. Never attempt this yourself, because a controlled environment (preferably with no priests, nuns or hysterical family members) is always called for in situations like this.
But wait - why exactly was Ben checking out these ads?
Well, he wanted to show us the kind of BANTHISSICKFILTH material that springs onto your PC when being led down PC hijack redirect Lane (like Memory Lane, but filthier). Not that I ever check out online dating sites, or anything like that. Er - well, maybe in the line of duty. And my fake profiles are purely in the interest of spyware research.
ANYWAY >>>>
Direct Revenue - who promised never to spring porno pops unless from "adult sites" - pop up a whole gaggle of pictures all about teens, really happy men and something that sounds a bit like "nasal" (but probably isn't). This happens by means of a whole bunch of redirects forced onto an infected PC.
Of course, we then get into the whole stupidity-fest of exactly what constitutes an "adult site", but as Ben says:
In this example, I did not request any adult web site. Neither did I actually view any adult material (prior to the material shown by Direct Revenue): The AdultFriendFinder page at issue cannot be categorized as "adult," because it includes no sexually-explicit images. In short, on these facts, I see a strong argument that Direct Revenue violated its duties under its settlement agreement.
Three oranges for a pound, and I'll throw in a banana!
At this point, not only would I like to hail Ben for another kickass writeup - I'd like to salute his mad crazy MSPaint skills (or whatever it was that he used). Because oh God, the amount of "things and stuff" he had to blank out in some of those screenies is just terrifying. In particular, his coverage of the Look2Me/ Ad-w-a-r-e daisy chain is a lesson in blanking out ruderies. I count at least thirty edits...God, I'd have got carried away and started drawing cowboy hats on everybody.
In any case, read, digest and then waggle a vaguely accusatory finger at Direct Revenue, ZenoTechnico, AlmondNet and, er, all the others. Or something.
We interrupt the Direct Revenue action to bring you this important broadcast - namely, a Podcast preview with both Wayne Porter and me, hosted by the truly awesome Jeff Molander, who recently did a whole bunch of interviews with Ben Edelman over at Thoughtshapers.com. Part one of two goes out on Thursday April 13th - be there, or be hexagonal.
Aaaand.....back to Direct Revenue, with a razor-sharp opinion on the whole "we use our powers for good now, instead of evil" spin at Realtechnews.com. Ouch.
...because you know you want it. And with that in mind, check out Wayne Porter slamming back into the mix and Suzi Turner (over at ZDNet) slapping a thunderously good summary of the events so far onto the table. So much has happened already that it's good to get a head-count, before the inevitable second wave of postings continue.
I also urge everyone who uses this site to take a second and vote for Suzi's writeup over at Digg.com. If just a handful of the visitors this site gets vote for her piece, you'll be helping to get the word out on these (frankly shocking) documents. They haven't hit the mainstream press yet, so it's up to us to fight the good fight and crank it up to 11, like those Spinal Tap guys.
You have the power to go kick some butt, via simple word of mouth (or, in this case, clicking some buttons). Use it.
Some random dude: "Do you have a newer, more stealthier version of your software we can try?"
Direct Revenue guy: "We have a very stealthy version of our adware product which we're happy to give u. Don't worry - if we do a deal - and a build together - these will not be caught".
Wait, when the Hell did the Adware guys start calling their own products Adware?!
Ah, the mysterious Document 75! What amazing secrets could be lurking behind its sexy front cover? Why, it's...me! I'm honoured to be playing some small role in the shuddering haymaker that now strikes a blow for truth, justice and really awesome things. God bless the Internet.
Anyway, what's it all about? My most favourite Adware bust in the whole world, that's what. Take one dose of Aurora, mix with completely messed up Adware bundles being pushed across BitTorrent forums and you had the most explosive mix of the Summer. Oh, and John Dvorak.
Ironic that I was going to leave the story after the Eweek writeup, until I saw Daniel Doman calling this site "deceptive". At that point, the blood boiled and I set to work bringing down an entire distribution network. With some kickass backup from the Sunbelt guys, Wayne Porter, Suzi Turner, Dave Methvin, Ben Edelman and (probably) many more besides, the mission was accomplished. I'd put links galore in that last sentence, but it's gone Midnight here and I'm only able to type through sheer excitement.
Anyway - in the document, you can see the fantastic - lol - responses for each of my accusations. Which I then absolutely demolished with a ten-ton screaming juggernaut of Doom here.
Oh, what's that you say? This escapade finished off with MMG going kablammo, the bundles pulled and Dvorak got pwned by Eweek?
Ah, the memories....Dave Methvin tries to persuade Direct Revenue that checking out the MMG bundles that might contain, you know, illegal porn might be worth tackling. You can see what happened to Dave's complaint here. And there's one more trip down memory lane planned...
He is pulling out all the related documentation relating to the New York vs Direct Revenue case and oh my God, if it isn't amazing stuff. Check here, here and here for general hilarity.
My favourite notable quotable so far?
The one in the screenshot (click to enrage, I mean enlarge) where everyone is jumping for joy at learning how to "get around SP2 and Anti-Virus programs". Well done losers, that's a surefire way to make yourself look like you're doing something a) illegal and b) totally and utterly disgraceful.
Yes, let's try and exploit something designed by Microsoft to secure the Operating system! That'll make us popular!....
....LOL.
And as for learning all about new English phrases ("Carrying coals to Newcastle", despite the fact that nobody has actually said that here since about, oh, 1963), here's another one....tough titties.
Permit me to be incredibly sadistic and laugh myself silly at Direct Revenue's complete and utter misfortune. That Spitzer dude has them in his sights - probably not a good thing. And after reading the documentation (see this Sunbelt post for full info), I can honestly say they deserve everything they get.
I've locked horns with Direct Revenue a number of times, and on each occasion I was confronted with the thought that they just did not want to take responsibility for their actions. The most public spat was (of course) this one - calling me deceptive was never going to work out for them, was it?
I love the part where it's revealed that they had a department named "Dark Arts". Is your flesh creeping yet? I mean...wow. I particularly like the part where they resorted to threats and intimidation to silence their critics:
"In at least one instance, the respondents even hired a private investigator to threaten a critic who refused to bow to Direct Revenue pressure:
...perhaps a letter to his true home address showing that we know more about him will have results..."
Lovely.
The whole document is full of sordid, disgusting garbage like the above and should be read and re-read till your eyes melt. It's well beyond shape up or ship out time - if you've been screwing around, the piper is about to play. And in this case, we're in for one Hell of a tune...
What is it round here with balloons, clowns and parties lately? I swear I don't do weddings, birthdays and funerals. Yet I couldn't resist throwing some pies when I saw this story, over at the Spywarewarrior Weblog. Direct Revenue, involved in yet more affiliate gone wrong action.
Despite, you know, claiming to have canned rogue affiliate action.
Oh dear.
By the same token, this shouldn't come as a shock - remember their tasty burger not long after the announcement? Looks like they're going to have to order some more cakes and a party hat too!
So, what is the deal with Direct Revenue? To me, it looks like they are keeping "select" affiliates on board - and if some of those affiliates appear to spring from Crack sites from time to time, well, who cares, right? It's surely just a "one off" and will never happen again. Oh, no guvnor. As I've mentioned before, there will no doubt be some groovy gravy excuse as to why this is, in fact, legit, you damn meddling limey. And as for all you antispyware "zealots", grrr - curse you too! (Shakes angry fist, probably at the night sky and there's all this cool thunder and lightning and that).
Sure I have - here, for example, where I highlight some of the strange behaviour exhibited by "affiliates" of Direct Revenue. The Maxifiles site is one of a bunch with "Maxi" in the title - most of which are French, and many of them are interconnected in some way, shape or form.
Well, turns out that (while using the Maxifind toolbar), one of the search results brought the researcher who found it to a phishing site that attempts to cash in on the name of Webroot. Ouch.
...thanks to Mike Burgess for giving me a heads up on this one. Recently Direct Revenue stated that they were "pulling out of third party affiliate distribution". The only exception would be companies they had direct relationships with. This should mean (in theory) that everything is now 100% above board, with no sprinkles of controversy. Right? Well, what do we have here but something approaching an invasion from the East...the French are overrun with installs and they're heading our way! The question is - what do they do, how did they get there and (more importantly)...is everything nice and clear, disclosure wise?
How about (in this order) - don't know, not sure and probably not?
You probably already clicked the image above - if not, shame on you - but this site clearly installs various stuffage from the ABI Network...aka, Direct Revenue. In their favour, these guys do use a lovely little tickbox to show you accept the terms and conditions. Great - except, unless you have Javascript switched on in IE (because this is, of course, an IE-based install) you will not see this popup - you'll just merrily sail into the install itself. Woohoo!
Now, how many people who actually use IE have javascript switched on anymore? I have to tell you - I don't. I'm guessing a lot of others out there are the same way.
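An added illustration, not anything from the original post or from the companies named on it: the reason a tickbox that only exists inside a script popup is no disclosure at all is that the server never learns whether the box was shown, let alone ticked. Below, the "client-side only" handler is the pattern described above; the "server-side" handler refuses to hand out the installer unless it holds a consent token that only the server could have minted. The token layout, SERVER_KEY, the request dicts and the session/EULA values are all my assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not code from the page or from any company named on it.
# SERVER_KEY, the token layout and the request dicts are all assumptions.
SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret, never sent to the client
TOKEN_TTL_SECONDS = 600


def issue_consent_token(session_id, eula_version, now):
    """Called only by the server handler that records the user ticking the box.
    The token binds the session and the EULA text the user actually saw."""
    expiry = int(now) + TOKEN_TTL_SECONDS
    payload = f"{session_id}|{eula_version}|{expiry}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def consent_is_valid(token, session_id, eula_version, now):
    """True only for an unexpired token the server issued for this session and EULA."""
    try:
        sid, ver, expiry, mac = token.split("|")
    except (ValueError, AttributeError):
        return False
    payload = f"{sid}|{ver}|{expiry}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    return sid == session_id and ver == eula_version and int(expiry) > now


def serve_installer_client_side_only(request):
    """The pattern the page describes: the tickbox lives in a script popup and the
    download handler checks nothing, so a browser with scripting off never sees it."""
    return "installer.exe"


def serve_installer_server_side(request, now):
    """Hardened form: no valid consent token, no installer, whatever the browser ran."""
    token = request.get("consent_token")
    if not consent_is_valid(token, request["session_id"], request["eula_version"], now):
        return "403 show EULA and record consent first"
    return "installer.exe"


if __name__ == "__main__":
    now = time.time()
    js_off = {"session_id": "s1", "eula_version": "abi-2006-03"}   # no token: tickbox never rendered
    print(serve_installer_client_side_only(js_off))                 # installer.exe
    print(serve_installer_server_side(js_off, now))                 # 403 ...
    ticked = dict(js_off, consent_token=issue_consent_token("s1", "abi-2006-03", now))
    print(serve_installer_server_side(ticked, now))                 # installer.exe
```

The point of binding the EULA version into the token is that "you accepted the terms" has to mean the terms that were on screen, not whatever text the page happens to serve next week.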
Click the image...YAWSA LLC (not to be confused with YOWZER, humorous catchphrase from Happy Days) want to hit you upside the head with an ActiveX install from....ABETTERINTERNET?!?
Wait a minute, isn't that the old name of the installer stuff? Now I'm really confused - click the link, and you then see this. A redirect page with the message that "abetterinternet.com is now bestoffersnetworks.com".
Oh. Well. That's all right, then.
Actually - no it isn't. I haven't even installed anything yet and I have Centralspeed, ABI Network, YAWSA LLC, Betterinternet and Bestoffersnetworks buzzing around my head (along with the ghost of Potsy Webber). According to legend, I'm a Master Spyware Samurai (it's true. Alex E said so). Yet even I am somewhat baffled by the plethora of names on display. Can you imagine the confusion on the part of a regular end-user?
All we want to know is - who does the software belong to, what does it do and how do I get rid of it. That's it.
In this case, it looks like Direct Revenue's name change antics have made a difference - the difference being, the whole process now blows even more.
Anyway, here are my results - I suck! Yay! (click the image to see just how much I suck!) I have no idea what this Flash-based tool does to come up with the scores on the doors, but it looks like the awesome power of the Interweb Gods have at last deserted me. Well, either that or IT PULLS A RANDOM FIGURE OUT OF THE AIR EACH TIME.
I'll let you be the judge of that. My interest now stems from what you get in return for five seconds of flash animated hilarity. And as luck would have it, you get....this. A lovely .dll that - well - doesn't seem to do very much at all, actually. And that's when you know you're onto a winner. It's all the hidden stuffage that goes on behind the scenes. And yet...do a search on the CLS...er - the CSLI - er....the funny number thingy you get with installers, and you return a whole bunch of HJT logs sweeping their way across French security forums.
Merci!
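The "funny number thingy" is the CLSID, and pivoting on it is exactly the right move: the DLL gets a fresh random filename on every box, but the CLSID it registers under stays the same, so it is the one string that ties all those French forum logs together. Here is that pivot as an added example (my code, not anything from the page). It parses the O2 (BHO), O4 (Run key) and O16 (ActiveX download) lines of a HijackThis log, finds every log that loads a given CLSID, and then lists the Run-key executables that only ever turn up alongside it - the rest of the daisy chain. The three log excerpts are constructed; every CLSID, filename and URL in them is made up.

```python
import re
from collections import defaultdict

# Added example, not code from the page. The log excerpts below are constructed to look
# like HijackThis (HJT) output; every CLSID, filename and URL in them is made up.

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<path>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")

LOGS = {
    "fr_forum_post_1": r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {B6D5C7A1-3E2F-4A90-8C11-0F0E0D0C0B0A} - C:\WINDOWS\system32\offerhlp.dll
O4 - HKLM\..\Run: [offerldr] C:\WINDOWS\offerldr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {1A2B3C4D-5E6F-4071-8293-A4B5C6D7E8F9} (Offers Control) - http://dl.example.invalid/install.cab
""",
    "fr_forum_post_2": r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Some Toolbar Helper - {7E7E7E7E-1234-4ABC-9DEF-0123456789AB} - C:\Program Files\Some Toolbar\helper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""",
    "fr_forum_post_3": r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {b6d5c7a1-3e2f-4a90-8c11-0f0e0d0c0b0a} - C:\WINDOWS\system32\xkq31.dll
O4 - HKLM\..\Run: [xkq31] C:\WINDOWS\offerldr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""",
}


def parse_hjt(text):
    """Return O2 (BHO), O4 (Run key) and O16 (ActiveX/DPF) entries; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            entries.append({"kind": "O2", "clsid": m["clsid"].upper(), "name": m["name"], "path": m["path"]})
        elif m := O4_RE.match(line):
            entries.append({"kind": "O4", "clsid": None, "name": m["name"], "path": m["path"]})
        elif m := O16_RE.match(line):
            entries.append({"kind": "O16", "clsid": m["clsid"].upper(), "name": m["name"], "path": m["url"]})
    return entries


def pivot_on_clsid(logs, clsid):
    """logs: {log_id: text}. For every log that loads `clsid`, return the paths it loads it from."""
    clsid = clsid.upper()
    hits = defaultdict(list)
    for log_id, text in logs.items():
        for e in parse_hjt(text):
            if e["clsid"] == clsid:
                hits[log_id].append(e["path"])
    return dict(hits)


def companions(logs, clsid):
    """Run-key executables present in every log that loads `clsid` and absent from every
    log that does not. Dropping the second set is what keeps ctfmon.exe out of the answer."""
    clsid = clsid.upper()
    with_clsid, without = [], set()
    for text in logs.values():
        entries = parse_hjt(text)
        runs = {e["path"].lower() for e in entries if e["kind"] == "O4"}
        if any(e["clsid"] == clsid for e in entries):
            with_clsid.append(runs)
        else:
            without |= runs
    if not with_clsid:
        return []
    return sorted(set.intersection(*with_clsid) - without)


if __name__ == "__main__":
    target = "{B6D5C7A1-3E2F-4A90-8C11-0F0E0D0C0B0A}"
    print(pivot_on_clsid(LOGS, target))   # two logs, two different DLL names, one CLSID
    print(companions(LOGS, target))       # ['c:\\windows\\offerldr.exe']
```

Note that the two infected logs carry different DLL names (offerhlp.dll and xkq31.dll) for the same CLSID, which is why a search on the filename alone finds half the victims and a search on the CLSID finds all of them.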
Add to this the link between this site and a bunch of other French sites - in particular, Maxifiles.com - and you have the beginnings of a mystery steeped in Eiffel Towers, stripey jumpers and those long brown loaf things that everybody pretends to like.
So...back to Direct Revenue. I think we can all agree the scenario above is not the clearest of installs - in fact, peppering so many names all over the place merely adds to the confusion. So in this respect, has their brand change been a good thing? Well, not when companies are calling them about ten different names under the sun in one install. Urgent message for DR - you might want to resend that whole memo thing about clearer branding to your partners again. It might be, you know, useful and stuff.
And what of YOWSER, sorry, YAWSA LLC? Well, a quick Google suggests they are an American company - however, they keep getting mentioned on French websites. Better yet, here is an earlier version of the install. Tantalisingly, they seem to suggest this earlier version installed a toolbar.
I'm not done yet, either. Here is an install from some random Messaging service. Aha! A Java applet, with YAWSA LLC on it. Note that there's no attempt to disclose exactly what's lurking behind this applet, either. If the end-user accepts it, you end up in advert heaven. Catcher.dll is installed, and here is what the big guns have to say about it:
And yet another Maxi(insert your own word here) domain, too! Je voudrais etre baguette!
So...what is it to be? Either these guys are one of the affiliates that Direct Revenue have washed their hands of, but have somehow slipped through the net. And are pushing undisclosed installers like the Shorty hijack - totally unacceptable. In which case, Mr Direct Revenue should be whipping out his Pwnage gun right about now.
Or...
...these guys are one of Direct Revenue's "direct partners" and the whole thing is hunky-dory, there's no issue with installs like the above because of x,y and z spurious reasons and all is well with the world. Is it just me, or does this last prospect fill you with a sense of same old, same old?
Just kidding on the exploding galaxy thing, but Direct Revenue have indeed made some changes to their cash-cow (click the image to see some nifty re-branding action). And here comes the science part...
In a nutshell, they're now calling everything "The Best Offers Network". They've already been using that name for about a year, but they liked it so much they decided to splatter it all over everything, crazy paintball style.
This is what they're offering the advertisers:
Best Offers Behavioral is a contextual and behavioral online advertising offering.
Best Offers Keyword is a search and keyword-related online advertising offering.
This is what they're offering the end-users - check out the last one in particular:
The value proposition to consumers is clear: in exchange for seeing a few relevant ads per day, the consumer can use the software for free. Examples of free software include iWatchNow (coming soon), an online video service with the world's largest selection of cult and classic movie downloads, and IDTheftRadar, an application to safeguard users against online identity theft.
iWatchNow - new, can't wait to see it. IDTheftRadar - I double-damn bacon genius-burger can't wait to see that one.
MyPCTuneup? Now called "Best Offers Uninstall". It's a nice name change, but does the damn thing actually work now or what?
For partners...
The Best Offers creates the opportunity for developers of content and software to generate income from each permission-based consumer download.
Permission based....there's the catch, isn't it? How many non-permission based installs do we see every single day? I won't even bother filling this paragraph with links to spurious installs (even though it's crying out for them), because frankly I can't be bothered. I feel like I've done that a thousand times and more already. Just Google "Aurora" and scroll about halfway down the page. You'll see what I mean.
More importantly than a few cosmetic changes - does Aurora (for example) now come with a built-in EULA or anything that remotely says what it is, what it does, before install?
Or does it still rely upon the website it launches from to spill the beans?
I haven't had a chance to try it yet. Watch this space.
The full press release can be seen here. More interestingly, I've heard rumours that Direct Revenue are making partners who use affiliates walk the plank. I wonder if this will make any noticeable difference in the amount of hopeless installs we all know and love so much. Or if this is just a bunch of stuff designed to put lots of "mind-distance" between past mess-ups and the current wave of legal-type action going on at the moment.
I got so much trouble on my mind - refuse, to lose!
Look what I found - none other than Marketing Metrix Group - they live! Yes, that's right - the guys behind the, er, wonderful BitTorrent Adware installers that kicked off World War Three not so long ago have returned. When we last saw them (old version of their frontpage here), their site had been hacked, their empire crumbled to the ground, the BitTorrent bundles pulled from networks at something approaching warp-speed and companies were posting apologies left, right and centre.
I'm not surprised, given that there were incorrect / flawed licence agreements, apparently unlicenced copyrighted mediafiles (whose licencing responsibility lay with the companies whose software was bundled....whoops!), and (of course) the potential underage-pornography that Dave Methvin discovered in his continued investigation of the BitTorrent madness.
Well, guess what - I don't know if this is a coincidence. I don't know if MMG are involved in this latest escapade. But I do know from a fellow security pro that there is a new BitTorrent distribution campaign underway, and it is something of a biggie from all accounts.
And I quote:
They appear to have set up several blocks of IP addresses hosted on different servers across the country. There were more than 100 computers seeding each file, and a lot of them appear to be controlled by...
...But that would be telling, wouldn't it?
This investigation is only just getting started - expect multiple sources to be dig, dig, digging up information left, right and centre on this one. Last time someone attempted this, I descended upon them like some rage-fuelled demon from the pits of Hell itself, such was my anger at what was being perpetrated. This time round, the files are likely to be licenced correctly, the notification will be better and I severely doubt there will be any illegal content. Nothing could possibly be as messed up as last time.
However...
That doesn't mean I agree with it. BitTorrent represents something much better than a place where money can be made - it represents a thought, an idea that can help the little people, the lesser companies and the poorer man in many, many ways. As Bram Cohen, creator of BitTorrent once said:
"Distributing stuff that is clearly illegal with BitTorrent is a really dumb idea," said Cohen, who advocates using the software to distribute large uncopyrighted files such as open-source programs. "BitTorrent doesn't have any anonymity features. There are things about it that make it very incompatible with anonymity."
Though this new content is likely not illegal, it doesn't mean I want to see it going on. After what happened last time, the mere mention of "Bit" followed by "Torrent" is enough to make my blood boil. Then throw in "Bundle" and you have Black Steel in the hour of Chaos.
That's right - in the midst of Orion "Superscam" Holtby bouncing around the place, we now have the judge's decision on the Direct Revenue class-action thingie (thingie - technical term). The interesting issue here is that this potentially leaves the door open for more of these fun trips to court. Looks like the days of being able to blame naughtiness on affiliates will no longer cut any ice.
Come gather ye' round, little Children! At this point I feel I should whip out some sort of Olde Worlde instrument, and play some plinky-plunky tunes whilst singing tales of how the mighty Orion scammed almost everybody out there - 180 Solutions, this one goes out to you babe - however, if their lawyers get hold of him, I think the only Olde Worlde instrument whipped out would be a TORTURE RACK.
Wayne Porter's weblog is currently (what we like to call in the trade) a double bacon genius burger. Not only are the details leaked from his Four Tomes of Grey going to make your head spin, we are currently awaiting the second coming, and by that, I mean the guy who spilled this whole story in the first place, David Eastbrook.
In fact, he has already served up an ace or two with the second installment of the Four Tomes - in which an application called Tinkopal seems to draw up yet more connections with Direct Revenue than they would probably like to hear. Check out the funky EULA Analysis, the history of the file and wait in wonder for the next installment. This party is just getting started, and the options Wayne puts out into the void are as follows:
1) Direct Revenue was a victim like everyone else as Orion stiffed them on paying the invoices.
2) Did Direct Revenue know Orion had no intent to pay and were they in cahoots? He does seem to be distributing toolbars and not buying media.
3) Is Direct Revenue simply stupid enough to keep working with an individual that has a track record for not paying up?
Now, I've spent quite some time exploring the mind of Direct Revenue - played with the files, toyed with the bundles, listened to their CEO say that this site rOx0rs teh box0rs (kind of)...but this is something entirely new and unexpected. It looks like an advertising model that has plenty of scope for abuse has indeed potentially brought the house down, and one can only wonder at the reaction of anyone foolish enough to have gotten involved on an intimate level with Orion Holtsby, only to see crazy amounts of information now flooding out that would be better buried under a huge rockpile.
And now here comes the snippet, for those who can't be bothered clicking:
The age of adware is finally facing extinction. This week, some 40 employees were laid off at Direct Revenue and its subsidiary, Soho Digital. This after the company has received a torrent of negative PR, direct and indirect, as an adware vendor. As a friend of mine said the other day, the gig is up. Who needs to download a "free screensaver" that runs ads? There are a billion free screensavers out there that don't. Need CD ripping/burning software? Why download? It's baked into your OS.
Ouch, that's a stinger! Anyway, I wandered over to the Direct Revenue website to see if this was mentioned. Of course - it isn't. But guess what I did find? Direct Revenue singing this site's praises for the third time, in the form of a PDF detailing the interview their new CEO had with Newsweek.
"We are now defining a strategy to move forward and improve our practices. If the anti-spyware community can help us identify things that are happening that are not in compliance with what I want our practices to be, then I welcome their input. I think that Vitalsecurity.org is one example [of a blog that pointed out a problem with unapproved installations of Direct Revenue's ad clients, and thereafter Direct Revenue fixed it]." Jean-Philippe Maheu, Direct Revenue CEO
Interesting! A while back Brad Stone (Newsweek reporter well known for excellent pieces about the Adware / Spyware scene) got in touch and asked me a few questions. I'm sure he won't mind me mentioning that the Direct Revenue CEO had dropped me into the conversation, though at that point I had no idea as to the context. Well now I do, and an "I love Vitalsecurity.org" T-Shirt is in the post. However...the full article does raise some more questions, and I'm interested to see what the answers may bring...
"Aurora was introduced six weeks before I joined. Our distribution is getting cleaner and cleaner and we have a lot of quality controls that we put in place. When we see exploits, or ways for our software to be downloaded without proper disclosure, we do terminate our distribution. We've done that a few times over the past two months."
Well, check this out, JP - you're clearly aware of this site and what fun we have here(!), but I can still see those wonderful IM virus-installers chugging away and (at present) still installing Aurora (and other software, to be fair) with no EULAs displayed at all. I would say the guys behind these installs are most likely breaking every rule in your naughty affiliate book, so I would say to you - why are these installs still taking place? And more to the point, would you like to see exactly why people hate Aurora so much? I present for your viewing entertainment, the standard uninstall process that faces a "customer" of the Aurora ad-client. Yes, you guessed it - it sucks.
Here we have a standard PC with Aurora installed on it, and nothing else advert-wise. Pretty soon, Aurora pops open its first window (click to enlarge). Unfortunately it's blank, which doesn't make a very good screenshot so I added my own picture. Does that mean I get ten zillion pounds because you all saw it? So anyway - I click the question mark to see what this Aurora thing is. Imagine my dismay when the damn tell-me-about-it page doesn't work. A few more goes, and I finally get something to read. Okay, so I now have to go visit some other website (or at least, attempt to, because my desktop is now buried under anything up to five other Aurora windows of various shapes and sizes).
Mypctuneup.com, here we come...wait! What's this, sneaking in under the radar? Aurora is already on my system, and is already fully functional. So why the Hell is Nail.exe appearing on my system just after I hit the Aurora uninstaller website?! Check out the Snoop log - you can clearly see Nail.exe stumbling onto the scene not long after Mypctuneup.com is opened up. Coincidence? Bad timing? Act of God? Who knows, but as the song goes, whoop, there it is! You know the drill by now, but click that sucker to enlarge and be glad this isn't your PC.
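The question the Snoop log answers is "what started within a few seconds of that page opening?", and it is worth having that as a rule rather than an eyeball job. Below is an added example (my code, not the Snoop tool and not anything from the page): a small correlation over constructed log lines that pairs each browser navigation with every process start that follows it inside a short window, minus a baseline of processes you expect anyway. The line layout and the other process names are assumptions; mypctuneup.com and Nail.exe are the ones discussed above.

```python
from datetime import datetime, timedelta

# Added example, not code from the page. The Snoop log itself is not reproduced on the page,
# so these lines are constructed in a generic "date time KIND detail" layout; the rule, not
# the format, is the point. mypctuneup.com and Nail.exe are from the page, the rest is made up.
LOG = r"""
2006-04-05 22:14:03 NAVIGATE http://www.mypctuneup.com/
2006-04-05 22:14:04 PROCESS C:\WINDOWS\system32\svchost.exe
2006-04-05 22:14:09 PROCESS C:\WINDOWS\Nail.exe
2006-04-05 22:14:11 FILE C:\WINDOWS\Nail.exe
2006-04-05 22:20:40 NAVIGATE http://www.example.invalid/
2006-04-05 22:31:02 PROCESS C:\WINDOWS\notepad.exe
"""

# Processes that are allowed to start at any time without raising an eyebrow (assumption).
BASELINE = frozenset({r"c:\windows\system32\svchost.exe"})


def parse_events(text):
    """Return [(timestamp, kind, detail)] in log order; blank lines are skipped.
    maxsplit=3 keeps paths containing spaces intact."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, kind, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(f"{date} {clock}"), kind, detail))
    return events


def spawned_after_navigation(text, window_seconds=30, baseline=frozenset()):
    """Pair each NAVIGATE with every non-baseline PROCESS start within `window_seconds`
    after it. Returns [(url, process_path, seconds_after_navigation)]."""
    events = parse_events(text)
    window = timedelta(seconds=window_seconds)
    findings = []
    for i, (t_nav, kind, url) in enumerate(events):
        if kind != "NAVIGATE":
            continue
        for t_ev, k2, detail in events[i + 1:]:
            if t_ev - t_nav > window:
                break                      # log is time-ordered, nothing later can match
            if k2 == "PROCESS" and detail.lower() not in baseline:
                findings.append((url, detail, int((t_ev - t_nav).total_seconds())))
    return findings


if __name__ == "__main__":
    for url, proc, delay in spawned_after_navigation(LOG, 30, BASELINE):
        print(f"{proc} started {delay}s after {url}")
    # C:\WINDOWS\Nail.exe started 6s after http://www.mypctuneup.com/
```

Six seconds is not proof of causation on its own, which is why the baseline and the window are both parameters: tighten the window and the coincidence story gets harder to tell, widen the baseline and the noise goes away.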
At this point, you're probably wanting to see something interesting regarding Nail.exe, right? Well today is your lucky day! Check this out for what should be filed in the very, very odd pile - this screenshot shows Nail entries in both the Prefetch and the Windows directories. But while the Prefetch entry has the correct date, the Windows entry shows as the 24th of September, 2001?!
That's pretty impressive, considering Aurora and Nail weren't even out back then.
Onto the final chapter of this crazy story. I downloaded the Aurora removal tool from the website and got ready to rumble. Clicking it, I looked on in amazement as....well, click the image and see for yourself. OH NOES!!112 just about sums it up, methinks.
So let me get this straight - so far, we have had...an Aurora description page that is up and down like a yoyo, Nail.exe appearing for no apparent reason whilst visiting the Aurora uninstall site and (to top it all off), the damn uninstaller not actually doing very much apart from convincing the end-user that hitting the PC with a hammer is a very good idea.
But here comes the punchline, kids!
At this point, the desperate user will probably remember good old Windows add / remove programs. That won't let you down, right? Well...actually....
Shave and a haircut, two bits (or, to put it another way, click the image to enlarge). You'd never have believed it, but this is a complete and utter waste of time too! Try removing the ABI network from here, and you get....a popup telling you to visit Mypctuneup.com!!!!
Am I the only one that thinks this digital merry-go-round is anything but merry? Maybe this is some kind of joke at my expense, but what in God's name does the average user do at this point apart from download a shedload of antispyware applications and blitz the hard-drive? Who on earth could possibly justify these kind of antics as an integral part of everyday internet activities?
Sorry, JP, but you have to admit - this really does suck. Bottom line, you may well be reforming the more "disagreeable" elements of the online advertising world that currently exists, but the above is a daytrip to lunacy city-central and I'm only holding a one-way ticket.
For now, I'm holding onto that Vitalsecurity.org T-Shirt.
The thing about timed explosives is, you're never quite sure when they're going to go off. And in this case, something that was posted on my forum some weeks ago has waited silently, unwilling to co-operate. That is, until a few days ago. Wayne Porter has often said (and I agree) that Greynets are the future of Malware (and other Ware) installs. Most of the "big" stories I've covered have involved some pretty zany techniques to get things onto your system. And Aurora has managed to find itself installed in everything from Bittorrent media bundles to multi-webpage EULA funfests. In fact, I'm convinced if you looked in my underpants right now, Aurora would be down there too.
Omnipresent doesn't come into it.
But yet again, I am forced to look in slack-jawed amazement at the - er - ingenuity?...of the Aurora affiliates so desperate to get it onto your PC that they really will stoop to any means necessary to make their dough. Come with me, into the new Adware-bundle battlefield....Instant Messaging.
Flashback...
Because every great story needs a lead-in, right? A long time ago (but not in a galaxy far, far away) there was IRC. IRC was a wonderful thing. Full of people saying R0xor(z)((!!112)). Then those crazy crapware installers thought it was better used as a jump off for Trojans, Bots and Malware. Some of these things are pulsating beacons of infective rage and woe betide the hapless user that stumbles into a rogue channel and / or network unprepared. Well....
Take one common or garden IRC Trojan - in this case, W32/Sdbot-AAH. Its usual weapon of choice is called Poker3.exe. This can do lots of things, like remotely install new code, steal passwords, all kinds of lovely things. Modify it (apparently), and then while that's coming to the boil...
Study some Instant Messaging virus techniques. One of the most popular is throwing out a link to the end-user that then (typically) whacks them with a virus, directs them to a rogue IRC channel or something equally malicious. How about Prex.AM, that spreads via MSN Messenger? Yeah, that'll do nicely! Do you take credit cards? Because I have no shortage of details I can use!
This new infection seems to use a combination of the above two exploits. And it looks like the poker3.exe has been modified, because when hit with the original install, you most definitely do not get whacked with a super-fun Adware bundle. More your common or garden Trojan / Virus / IRC "thing".