<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
  <!--FTPSite PCWash-->
  <channel>
    <generator>RSS Builder by B!Soft</generator>
    <title>Spyware, Adware, Malware, Scumware Information And Updates</title>
    <link>http://spyware.pcwash.com</link>
    <description>Latest information, warnings, updates and solutions for winning the war on spyware, adware, malware, scumware, browser hijackers, keyloggers and more! </description>
    <language>en-us</language>
    <managingEditor>AJ</managingEditor>
    <webMaster>AJ</webMaster>
    <copyright>2006</copyright>
    <image><link>http://creativecommons.org/licenses/by-nd/2.0/</link><url>http://creativecommons.org/images/public/somerights20.gif</url><title>Some Rights Reserved</title></image>
    <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/Spyware-News" type="application/rss+xml" /><feedburner:browserFriendly>This is an XML content feed. It is intended to be viewed in a newsreader or syndicated to another site.</feedburner:browserFriendly><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
      <title>HACKERS TARGET WORD FLAW</title>
      <pubDate>Sat, 9 Dec 2006 07:03:32 -0500</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>HACKERS TARGET WORD FLAW

A newly discovered flaw in Word is being exploited by hackers. The hole could allow an attacker to take control of an affected machine. Microsoft is currently working on a security patch for the flaw.

It affects Word 2000, 2002 (XP), 2003 and Word Viewer 2003. Word 2004 for Mac is also affected, as are Works 2004, 2005 and 2006. Yikes! This could reach a lot of people!

Until a patch is released, open or save Word files cautiously. Don't open files that arrive unexpectedly or come from an untrusted source – including Web pages.</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Media Motor Shut Down</title>
      <pubDate>Wed, 15 Nov 2006 12:16:26 -0500</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Media Motor Shut Down&lt;/H4&gt;

A U.S. district court has shut down an operation that secretly downloaded multiple malevolent software programs, including 

spyware, onto millions of computers without consumers’ consent, degrading their computers’ performance, spying on them, and 

exposing them to a barrage of disruptive advertisements. The Federal Trade Commission has asked the court to order a 

permanent halt to these deceptive and unfair downloads, and to order the outfit to give up its ill-gotten gains.
&lt;P&gt;
The FTC charged ERG Ventures, LLC and one of its affiliates with tricking consumers into downloading malevolent software by 

hiding the &lt;a href="http://spyware.pcwash.com/Remove-MediaMotor.html"&gt;Media Motor&lt;/a&gt; program within seemingly innocuous free software, including screensavers and video files. Once 

downloaded, the Media Motor program silently activates itself and downloads “malware” – software that is intrusive, 

disruptive, and makes it difficult for consumers to use their computers. Among other effects, the malware installed by the 

Media Motor program:
&lt;P&gt;
* changes consumers’ home pages;&lt;BR&gt;
* adds difficult-to-remove toolbars that display disruptive pop-up ads to consumers’ Internet browsers;&lt;BR&gt;
* tracks consumers’ Internet activity;&lt;BR&gt;
* generates disruptive and occasionally sexually explicit pop-up ads;&lt;BR&gt;
* adds advertising icons to consumers’ Windows desktop;&lt;BR&gt;
* alters browser settings;&lt;BR&gt;
* degrades computer performance; and&lt;BR&gt;
* attacks and disables consumers’ anti-spyware and anti-virus software.
&lt;P&gt;
Many of the malware programs installed by the Media Motor program are extremely difficult or impossible for consumers to 

remove from their computers.
&lt;P&gt;
The FTC charged that ERG Ventures and its affiliate Timothy P. Taylor have violated the FTC Act, which bars unfair and 

deceptive practices. Specifically, the FTC alleged that ERG Ventures and Taylor failed to disclose to consumers that the free 

software they offered the public was bundled with malware. The agency also charged ERG Ventures and Taylor with using a 

deceptive End User License Agreement, which gave consumers the option to halt the installation of all software from ERG 

Ventures, but secretly installed malware whether consumers accepted or rejected the terms of the EULA. The agency also 

charged ERG Ventures with unfairly downloading software that causes substantial harm to consumers. The FTC will seek a 

permanent halt to the illegal practices and will ask the court to order the defendants to give up their illegal gains.
&lt;P&gt;
The FTC complaint names ERG Ventures, LLC, doing business as ERG Ventures LLC2, Media Motor, Joysticksavers.com, and 

PrivateinPublic.com and its principals, Elliott S. Cameron, Robert A. Davidson, II, and Gary E. Hill, as well as Timothy P. 

Taylor d/b/a Team Taylor Made. The Commission vote to file the complaint was 5-0.
&lt;P&gt;
The FTC has set up two ways for consumers who have had experience with these defendants to contact the FTC with any 

information that may be relevant to the FTC’s action. Consumers can send e-mail to mediamotor@ftc.gov or call 202-326-3504 to 

leave messages.
&lt;P&gt;
The FTC’s case was brought with assistance from the Microsoft Corporation.
&lt;P&gt;
The U.S. Attorney's Office in Washington, D.C. is engaged in a parallel criminal investigation of the defendants in which 

search warrants were executed. These investigations demonstrate the joint commitment of the FTC and the Department of Justice 

to combat spyware.&lt;P&gt;</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Trojan Installs Anti-virus Software To Boot Competition Off Computer</title>
      <pubDate>Wed, 25 Oct 2006 10:17:57 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Trojan Installs Anti-virus Software To Boot Competition Off Computer&lt;/H4&gt;

A Trojan horse now making the rounds takes the unusual self-defense step of installing anti-virus software to scrub the 

victimized PC of competing malware, a security researcher said. 
According to Joe Stewart of Atlanta-based SecureWorks, the SpamThru Trojan adds a pirated copy of Kaspersky Lab's AntiVirus 

for WinGate to a cloaked folder on the compromised machine. The illegitimate anti-virus program scans the system for 

malicious code -- passing over SpamThru's own files -- and then deletes what malware it finds when the PC next boots. 
&lt;P&gt;
Typical Trojan techniques stop at disabling existing anti-virus software, preventing AV products from retrieving signature 

updates and, to defeat the competition, blocking specific pieces of malware. "SpamThru takes the game to a new level," said 

Stewart in an online brief posted last week on the SecureWorks Web site. "Ten minutes after the download of the DLL, it 

begins to scan the system." 
&lt;P&gt;
SpamThru exhibits other sophisticated strategies, added Stewart, including using peer-to-peer (P2P) style command and control 

rather than the usual IRC (Internet Relay Chat). P2P control, which is being noticed in a growing number of Trojans, lets the 

creator maintain command even if most of the network of infected PCs is shut down. 
&lt;P&gt;
"In case the control server is shut down, the spammer can update the rest of the peers with the location of a new control 

server, as long as he/she controls at least one peer," said Stewart.
&lt;P&gt;
</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>New Tatu Trojan Strikes</title>
      <pubDate>Fri, 20 Oct 2006 13:06:16 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Tatu Trojan strikes&lt;/H4&gt;

THE SECURITY GUARDS over at Sophos are warning the Internet At Large about a new Trojan horse, which preys on pop-music fans 

and perverts alike by promising pictures and intimate details about the members of Russian pop group Tatu. 
Banito-BE, as the Trojan has been dubbed, is being mass-spammed to email users worldwide with the subject line 'Photos of 

TATU'. Attached are two promotional pictures of the ladies, named tatu_1.jpg and tatu_2.jpg, but there's also the 

suspiciously titled TATU.CHM. Which, as you may have guessed, is malicious. 
&lt;P&gt;
This certainly ain't the first time celebrities have been roped into Trojan emails - Halle Berry, Anna Kournikova, Julia 

Roberts and Britney Spears have all been used to entice email users into dooming themselves. 
&lt;P&gt;
Graham Cluley of Sophos comments: "This celebrity-related malware has not been designed for mischief-making - its purpose is 

financial gain," he says. "It's vital that users ensure their anti-virus software is up-to-date, or they could risk 

compromising both their PCs and their personal data."</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Spyware infection prompts McDonalds MP3 recall</title>
      <pubDate>Thu, 19 Oct 2006 13:14:50 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Spyware infection prompts McDonalds MP3 recall&lt;/H4&gt;

Published Monday 16th October 2006 10:40 GMT.

McDonalds Japan has launched a recall after discovering that MP3 players it 

offered as a prize were loaded with a particularly nasty strain of malware. Up to 10,000 people might have been exposed to 

the problem after claiming a Flash MP3 player pre-loaded with ten tunes and a variant of the QQpass spyware Trojan.
&lt;P&gt;
Punters received the contaminated gift after purchasing a large drink from the fast-food chain in Japan and submitting a 

serial number contained on the beverage holder as part of a competition, sponsored by McDonalds and Coca-Cola. Users who 

connected the McDonalds-branded MP3 player to their Windows PC were exposed to spyware code programmed to transmit their web 

passwords and other sensitive information to hackers. The cause of the accidental infection is unclear but past experience 

suggests a contaminated machine involved in loading content onto the players is the likely culprit.
&lt;P&gt;
McDonalds Japan has apologized for the cock-up and established a helpline designed to handle the recall of the infected MP3 

players and send out uncontaminated music gizmos. A Japanese-language statement also explains how punters can cleanse 

potentially infected PCs.&lt;P&gt;</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Trojan Attacks Increase</title>
      <pubDate>Sun, 15 Oct 2006 17:46:20 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Targeted Trojan attacks on the rise&lt;/H4&gt;

On December 1, 2005, two email messages were sent from a computer in Western Australia to members of two different human 

rights organizations. Each email message carried a Microsoft Word document with a previously unknown exploit that would take 

control of the targeted person's computer and open up a beachhead into the group's network.
&lt;P&gt;
The attack failed, as did a second attempt to infiltrate the same human-rights groups a week later, due in no small part to 

an overabundance of caution on the part of email security provider MessageLabs, which initially blocked the emails based on 

the strangeness of the Word attachments. The attacks only targeted a single person at each organization and, after the two 

attempts, never repeated.
&lt;P&gt;
Such targeted Trojan horse attacks are quickly becoming a large concern for corporations, the military and political 

organizations, said MessageLabs security researcher Alex Shipp. The email security provider intercepted 298 such attacks 

between May 2005 and May 2006, and the threat of targeted Trojans is only increasing.
&lt;P&gt;
"If you haven't noticed these attacks and you are a big company, you have likely already been attacked," Shipp told attendees 

at the Virus Bulletin 2006 conference. "Your problem is no longer how do I avoid being attacked, but how do I find where I've 

been compromised."
&lt;P&gt;
Targeted Trojan horse attacks are quickly becoming a major issue for the antivirus and computer-security industries. Last 

year, computer emergency response groups in the UK, Canada and Australia warned of such attacks. While the United States 

Computer Emergency Readiness Team (US-CERT) did not issue a warning, security firms confirmed at the time that US government 

agencies and companies had already been targeted by such malicious software.
&lt;P&gt;
A major problem for large companies, government agencies and other potential targets is that antivirus software is not good 

at stopping low-volume attacks aimed at single companies. Traditional antivirus programs detect widespread attacks based on 

matching to a known pattern and do not fare well against low-volume Trojans. And even when they do detect such attacks, the 

larger volume threats are inevitably moved to the top of the firms' to-do lists, because they affect a larger number of 

customers, said antivirus industry insiders.
&lt;P&gt;
"There is no value whatsoever in having signature-based antivirus when facing a targeted attack," said Joshua Corman, host 

protection architect for Internet Security Systems (ISS). "We, the AV industry, haven't turned the corner in being able to 

detect these attacks consistently."
&lt;P&gt;
If a company misses the initial attack, the results can be costly, Corman said. He pointed to an example of one company, a 

pharmaceutical firm, that got infiltrated by a targeted Trojan attack. The company only realized it had been compromised when 

some valuable data was encrypted and the key held for ransom. The company had to pay and, after the incident, spent a month 

cleaning the compromised systems from its offices in three countries. Corman would not name the company, which became an ISS 

client after the incident.
&lt;P&gt;
While MessageLabs might detect tens of thousands of copies of a typical mass-mailing computer virus in a single day, the 

company is finding, at most, ten targeted Trojans a week, Shipp said. According to the data collected by MessageLabs, more 

than half of the 298 attacks detected over 12 months consist of a single email sent to a single person at a company. In 

total, 1,344 emails were sent during the period studied by Shipp. Military agencies, human rights organizations and 

pharmaceutical companies are some of the types of groups that are being targeted by specifically aimed attacks.
&lt;P&gt;
The attacks are also very well researched, Shipp said. One targeted Trojan was sent to five employees at one company - every 

single person was a member of the firm's research and development team.
&lt;P&gt;
"The bad guys have done their homework," Shipp said.
&lt;P&gt;
During the 12 months studied by Shipp, the majority of the Trojan horse programs, almost 70 per cent, used a malicious Word 

document as the vehicle for the attack. That's already changing, with PowerPoint and Excel documents now becoming popular, he 

said. The one type of document that oddly is not being used by attackers is the PDF format of Adobe Acrobat.
&lt;P&gt;
Shipp added that most companies cannot just block the problematic attachments, even if they realize the threat.
&lt;P&gt;
Most of the attacks come from the Pacific Rim, emanating from Internet addresses in mainland China, Hong Kong, Australia and 

Malaysia. However, one IP address that consistently attacks military installations comes from a computer in California. Shipp 

believes that the computer could have been compromised as part of a botnet.
&lt;P&gt;
In fact, Shipp believes that three major groups are involved. The first and largest group is the most active and uses a 

variety of different tactics, but most commonly uses a zero-day exploit in the attack. The researcher believes it is also 

possible that this group could be several independent actors. He feels more confident about the other two groups: One targets 

only Hong Kong companies with an attack once every three weeks or so, and the other attacks military sites from a computer in 

California about every two weeks.
&lt;P&gt;
The attack data underscores an overall trend in threats. While some hobbyist virus writers undoubtedly still exist, most 

malware is now written for profit.
&lt;P&gt;
"No one other than the kids want to infect a million people anymore," said Graham Cluley, senior technology consultant for 

antivirus firm Sophos. "You would rather deal with 50 or 100 systems at a time."
&lt;P&gt;
Sophos and other security companies are adopting better versions of behavioral blocking software to combat the threat. 

Traditional behavioral blocking stops a program that attempts a specific action, a technique that frequently flags legitimate 

programs as potential threats. Sophos instead characterizes programs by a collection of actions attempted by the program in a 

virtual sandbox and blocks the executable if the actions seem malicious. Called "behavioral genotype protection" by Sophos, 

the technique has already caught a number of targeted and low-volume attacks, Cluley said.
&lt;P&gt;
However, the antivirus industry is still moving too slowly, ISS's Corman said. The Trojan horse sold to private investigators 

by an Israeli couple took 18 months to detect.
&lt;P&gt;
"People in the industry keep talking about the Israeli Trojan horse, because that is one of the few public examples," Corman 

said. "But that's just one of hundreds, if not thousands, of successful attacks."
&lt;P&gt;</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>New MS Warning</title>
      <pubDate>Tue, 3 Oct 2006 13:37:53 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Microsoft Warns of Attacks on Unpatched Windows, IE and Office Flaws&lt;/H4&gt;
Microsoft is warning Windows users about three separate flaws widely deployed in the operating system that bad guys are using 

to install spyware when users merely visit a nasty Web site or open a maliciously crafted Powerpoint deck. 
&lt;P&gt;
The flaw in the Windows OS was discovered back in July by researcher HD Moore of BreakingPoint Systems. The discovery came as 

part of Moore's month-of-browser-bugs experiment, in which he unveiled a new browser flaw each day for a month. 
&lt;P&gt;
This particular Windows bug, which you may see referred to by the vulnerable component of the browser -- "WebViewFolderIcon 

setslice," can be exploited to install spyware on PCs merely when someone visits a malicious site with IE or opens a 

specially crafted e-mail (although Microsoft says that customers who are running Windows Server 2003 and Windows Server 2003 

Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected.)
&lt;P&gt;
Websense says its researchers have spotted this exploit on a number of sites known to be controlled by the same Russian 

hacking outfit that Security Fix previously credited with some fairly nasty past exploits. Websense notes that "the fact that 

they are using the exploit code poses a significant risk due to their ability to attract users to sites via search 

engines and email spam campaigns."
&lt;P&gt;
Meanwhile, Roger Thompson over at Exploit Prevention Labs reports that this flaw also is being used at sites that try to 

install the CoolWebSearch program, a family of pop-up ad spewing browser hijacking software that can be extremely difficult 

to remove from your system. 
&lt;P&gt;
Microsoft is warning of yet another flaw in PowerPoint that criminals are using to install malware. Typically, these types of 

vulnerabilities have been used by groups to conduct very successful targeted attacks against businesses and the federal 

government, in most cases to install password-stealing tools. Microsoft says most of its currently supported versions of 

PowerPoint are vulnerable, including Microsoft PowerPoint 2000, Microsoft PowerPoint 2002, Microsoft Office PowerPoint 2003, 

Microsoft PowerPoint 2004 for Mac, and Microsoft PowerPoint v. X for Mac.
&lt;P&gt;
What's probably most interesting about this PowerPoint flaw, according to a blog post from anti-virus maker McAfee, is the 

fact that it appears that Microsoft's antivirus product added detection for this exploit back on Sept. 23, but the company 

didn't put out a public advisory on the threat until Sept. 27. McAfee said the delay suggests that "Microsoft's security team 

knew of this in-the-wild attack but did not make the information public." If true, that is pretty unfortunate. 
&lt;P&gt;
Finally, there is yet another Internet Explorer bug being exploited in the wild, according to Microsoft. This one doesn't 

appear to be widely exploited yet, but that's probably a matter of time. Check out Sunbelt Software's write-up of a case they 

found of this thing being wielded to install malware. 
&lt;P&gt;
A couple of points: If you use IE, consider upgrading to IE 7, which doesn't appear to be affected by any of this stuff. 

Also, as always, it's a good idea never to click on an attachment -- PowerPoint or otherwise -- sent to you in e-mail that 

you were not expecting. When in doubt, e-mail the sender and ask whether they really meant to send you that file and why you 

should open it. Also, scan all e-mail attachments with anti-virus software before downloading and opening them.
&lt;P&gt;</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>New IE Exploit Installs Malware</title>
      <pubDate>Wed, 20 Sep 2006 05:21:15 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>Hackers are taking advantage of a newly discovered vulnerability in 

Internet Explorer (IE) to install spyware on PCs that visit a number 

of Russian pornography sites. The malware, first reported Monday by 

researchers at Sunbelt Software Inc., takes advantage of an unpatched 

flaw in the way Microsoft Corp.’s IE processes Vector Markup Language 

(VML) code. VML is a language used to display graphic information on 

the Web. The attack appears to work on all versions of Windows 

running the IE 6 browser, said Eric Sites, Sunbelt’s vice president 

of research and development. “It’s not an operating system-dependent 

issue,” he said. Sunbelt first discovered the &lt;a href="http://spyware.pcwash.com"&gt;malware&lt;/a&gt; on a Russian 

porn site late Friday. “This site and a couple of others use an 

exploit kit called Web Attacker, and it looks like the Web Attacker 

kit has been upgraded to include this new exploit,” Sites said. Since 

Friday, Sunbelt noticed that the attack code has popped up on about a 

half-dozen Russian porn sites. In addition, since security 

researchers estimate that Web Attacker is used by nearly 1,000 Web 

sites, this latest exploit should soon become more widespread…. 

Source: Computer World</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Adware and Spyware Will Continue Growing</title>
      <pubDate>Mon, 18 Sep 2006 16:42:04 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Adware to Increase Exponentially, Study Shows&lt;/H4&gt; 

The amount of &lt;a href="http://spyware.pcwash.com"&gt;spyware and adware&lt;/a&gt; is expected to increase exponentially on the Internet, according to a recent study published 

by McAfee today. The study also points out that only one out of 33 Internet users can determine if a website is safe or 

malicious. This is certainly bad news to security experts, who are looking to intensify work to stop these "badware" 

applications. Even more shocking is the fact that many mainstream users can't decide if they're visiting a safe website. 

SiteAdvisor, a McAfee service, surveyed users to see which websites were free of spyware and adware - Only 3% correctly did 

so.
&lt;P&gt;
But, is this such a surprise? Ever since early 200, the adware business has been booming. However, at first, there were about 

40 different families of adware. Now, nearly finished with this year, there are thousands upon thousands of different 

variants that are using increasingly better ways to infect your system with some truly nasty pieces of software (Trust me, 

I've seen them all - Being "the computer guy" means cleaning out your friends' PCs of spyware and adware). McAfee's study 

also gave researchers more insight into where this spyware was actually coming from - Another important question. Normally, 

you'd expect adult and pornographic websites to be the heavy hitters. On the contrary, celebrity and gossip/star websites 

lead the pack with 16.3% of all files being malicious. Following that was screensaver sites at 11.5%, and adult sites 

trailing with 11.4%.
&lt;P&gt;
To make sure that your system stays spyware-free, use a handful of good and well-known antispyware programs. Try AdAware SE 

Personal, Spyware Doctor, SpyBot Search &amp; Destroy and Windows Defender. Having a software-based firewall, such as Zone Alarm 

is also suggested; they can block some of the most basic and sometimes more intrusive types of spyware that are trying to 

download themselves onto your computer. And of course, use an antivirus program to make sure you don't get hit with a virus, 

trojan or worm.</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>What's The Difference?</title>
      <pubDate>Sun, 17 Sep 2006 05:43:07 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Viruses and Spyware - Are They Different?&lt;/H4&gt; 

A computer virus is a malicious self-replicating computer program that spreads by inserting copies of itself into other 

programs or documents, similar to the way a real virus operates. When the infected program or document is opened, the 

destructive action (payload) is repeated, resulting in the infection, destruction or deletion of other files. Sometimes the 

infected programs continue to function normally, albeit with the side effects of the virus; in other cases the original 

program is crippled or destroyed.
&lt;P&gt;
Technically, viruses are just one of several types of malicious software (malware), which differ mainly in the way they are 

transmitted. In common usage, the term virus is often used to refer to other sorts of malware such as worms, trojan horses 

and spyware. Following are definitions of each of those terms.
&lt;P&gt;
What is a Computer Worm?
&lt;P&gt;
A worm is a malicious computer program that is self-contained and does not need help from another program to propagate 

itself. Typically, they exploit the host computer's email transmission capabilities to send copies of themselves to everyone 

found in the email address book. Some even look in the cache of recently visited web pages and extract other email addresses 

to target.
&lt;P&gt;
The main difference between a computer virus and a worm is that a virus requires some action from a user to propagate, while 

worms replicate without any intervention. Another difference between the two is that worms generally do not harm the target 

computer, but can harm the surrounding network by clogging it with copies of themselves. In some cases, a worm can spread so 

quickly within a large organization that the network either slows to a crawl or collapses under the strain.
&lt;P&gt;
What is a Trojan Horse?
&lt;P&gt;
A Trojan horse is a malicious program that is disguised as or embedded within legitimate software. The term is derived from 

the classical myth of the Trojan Horse. Such a program may look useful or interesting, but is actually harmful when executed. 

Examples may include web browser toolbars, games and file sharing programs. A Trojan horse cannot operate or spread on its 

own, so it relies on a social engineering approach (tricking the user into taking some action) rather than flaws in a 

computer's security.
&lt;P&gt;
What is Spyware? 
&lt;P&gt;
Spyware is a type of &lt;a href="http://spyware.pcwash.com"&gt;malicious software&lt;/a&gt; designed to intercept or take partial control 

of a computer's operation without the informed consent of the user. While the term taken literally suggests software that 

surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for 

the benefit of a third party. In simpler terms, spyware is a type of program that watches what users do with their computer 

and then sends that information over the internet. Some spyware tracks what types of websites a user visits and sends this 

information to an advertisement agency. More malicious versions try to intercept passwords or credit card numbers. Others may 

launch annoying popup advertisements.
&lt;P&gt;</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Is AOL 9.0 Badware?</title>
      <pubDate>Wed, 30 Aug 2006 19:22:55 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Anti-spyware Group Pegs AOL 9.0 As 'Badware'&lt;/H4&gt;

&lt;H5&gt;Group says users should avoid installing the program because they say it interferes with computer use.&lt;/H5&gt;

By Gregg Keizer  Courtesy of TechWeb News  
&lt;P&gt;
An &lt;a href="http://spyware.pcwash.com"&gt;anti-spyware&lt;/a&gt; group on Monday slapped AOL's client software with a "badware" label, and told users to avoid installing the 

program because it "adds software without disclosure" and "interferes with computer use." 
Stopbadware.org, a non-profit group headed by Harvard University and Oxford University, and backed by Google, Sun, and 

Lenovo, blasted AOL 9.0 for the kind of deceptive installation practices usually reserved for &lt;a href="http://spyware.pcwash.com/remove-adware.html"&gt;adware&lt;/a&gt; and spyware. In the 

past, Stopbadware.org has limited itself to pegging such dangerous programs as the file-sharing &lt;a href="http://spyware.pcwash.com/kazaa-spyware-removal.html"&gt;Kazaa&lt;/a&gt; peer-to-peer software, 

fake anti-spyware scanners, and screensavers bundled with Trojan horses and &lt;a href="http://spyware.pcwash.com/keylogger-remover.html"&gt;keyloggers&lt;/a&gt;. 
&lt;P&gt;
According to the group's online alert, it considers the AOL software irresponsible for 8 different reasons, among them that 

it installs software such as the You've Got Pictures screensaver and &lt;a href="http://spyware.pcwash.com/remove-viewpoint.html"&gt;ViewPoint Media Player&lt;/a&gt; without telling the user, that it 

adds the AOL toolbar to Internet Explorer without adequate disclosure, and that it fails to uninstall completely. 
&lt;P&gt;
"We currently recommend that users do not install the version of AOL software that we tested, unless the user is comfortable 

with the level of risk we identify," the organization concluded in its online report. 
&lt;P&gt;
AOL 9.0 is the free-of-charge software that the Virginia-based Internet service provider hands out to subscribers for 

connecting to, and accessing the Internet. 
&lt;P&gt;
"These are all things that we had planned to address in the next version," said AOL spokesman Andrew Weinstein, who dismissed 

StopBadware.org's concerns as technicalities. "Clearly, we're not in the same category as the other types of software they've 

reviewed," Weinstein added. "We actually protect users from malware with AOL's security software." 
&lt;P&gt;
According to Weinstein, the issues brought up by StopBadware.org will be corrected in the next major upgrade to the AOL 

client software, and may be fixed in the current version 9.0 with patch-like fixes. "We're looking at whether we can address 

these now," he said.
&lt;P&gt;</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Child porn spam hides Trojan</title>
      <pubDate>Wed, 23 Aug 2006 10:25:09 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>http://feeds.feedburner.com/Spyware-News</category>
      <description>&lt;H4&gt;Child porn spam hides &lt;a href="http://spyware.pcwash.com/removing-trojan-horse.html"&gt;Trojan&lt;/a&gt;&lt;/H4&gt;

Cyber-criminals have launched a "massive spoof email attack" that accuses victims of being associated with a child porn site 

in a bid to trick them into downloading malware.
&lt;P&gt;
The messages, which use the subject line 'CP investigation was started', claim that the recipient's email address has been 

found in a child porn database discovered by the Association of Sites Advocating Child Protection (ASACP).
&lt;P&gt;
The email actually contains the &lt;a href="http://spyware.pcwash.com/remove-trojan-horse.html"&gt;Agent-CPK Trojan horse&lt;/a&gt;.
&lt;P&gt;
The ASACP has published a warning on its website, informing recipients of the message that they may be at risk of infection.
&lt;P&gt;
Part of the malicious email reads as follows:
&lt;P&gt;
'I'd like to inform you that investigating activity of the one of child porno sites; we found e-mails data base, in which was 

your e-mail &lt;email address &gt;. In view of this, I have two versions: either you are the client of this shop, or your e-mail 

appeared there accidentally. I sincerely hope that it was accidental coincidence and believe that you are interested in this 

version as well. If you show a good will, make modest, voluntary donation on our site [URL removed] I will be convinced in 

your being not implicated in this business.'
&lt;P&gt;
Attached to the email is a file called asset576.zip which unzips to a file called asset.txt&lt;multiple spaces&gt;.exe. Running 

thi&lt;P&gt;

"The danger is that people may panic when they think their email address was found on a child abuse website, rush to open the 

attached file and become infected by a malicious &lt;a href="http://spyware.pcwash.com/detect-trojan-horse.html"&gt;Trojan&lt;/a&gt;," 

said Graham Cluley, senior technology consultant at Sophos.
&lt;P&gt;
"The ASACP is an entirely innocent party in this attack. It is simply the organisation's name that is being spoofed by the 

hackers in their attempt to infect innocent computer users."
&lt;P&gt;</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>How To Get Rid Of Movieland and Popcorn</title>
      <pubDate>Sat, 19 Aug 2006 07:24:47 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;How To Get Rid Of Movieland and Popcorn&lt;/H4&gt;

This week, the state of Washington sued Movieland.com. The suit claims that the company uses spyware to trick users into signing up for its service. Users download a free trial. When the trial expires, they receive pop-ups saying they're legally obligated to pay for the service.
&lt;P&gt;
There have been numerous complaints about this company going back several months. Just as many complaints have been received about &lt;a href="http://www.spyware.pcwash.com/DownloadWare.html"&gt;Popcorn.net&lt;/a&gt;, which is affiliated with Movieland. &lt;a href="http://www.spyware.pcwash.com/DownloadWare.html"&gt;Movieland&lt;/a&gt; also runs a third download site, &lt;a href="http://www.spyware.pcwash.com/DownloadWare.html"&gt;Moviepass.tv&lt;/a&gt;. All use the same tactics.
&lt;P&gt;
If you believe you're a victim of one of these sites, you can take action. Write to the attorney general's office in your state.
&lt;P&gt;
A lot of people are ticked off at Movieland. It produces a pop-up demanding payment for a supposed Movieland membership. Unfortunately, this is not a new tactic.
&lt;P&gt;
The MovieLand Web site claims to offer removal software. But it's yet another program to download. I would avoid any downloads from the site.
&lt;P&gt;
You will find these files associated with Movieland. Here is my list from Windows XP:&lt;P&gt;
C:/Program Files/&lt;a href="http://www.spyware.pcwash.com/DownloadWare.html"&gt;altpayv2&lt;/a&gt;&lt;BR&gt;
C:/Program Files/&lt;a href="http://www.spyware.pcwash.com/DownloadWare.html"&gt;MediaPipe&lt;/a&gt;&lt;BR&gt;
C:/Program Files/p2pnetworks&lt;P&gt;

Of course, these names may have already been changed by the author. For example, I've read that altpayv2 was previously named AltPayments. You should use updated &lt;a href="http://www.spyware.pcwash.com"&gt;anti-spyware programs&lt;/a&gt; to tackle these as well as older or newer variants of the Movieland infection.&lt;P&gt;
</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>AOL security tools raise adware questions</title>
      <pubDate>Fri, 18 Aug 2006 13:34:53 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;AOL security tools raise &lt;a href="http://spyware.pcwash.com/adware-removers.html"&gt;adware&lt;/a&gt; questions&lt;/H4&gt;
Robert McMillan, IDG News Service
&lt;P&gt;
Just days after posting details of searches made by hundreds of thousands of subscribers, AOL is in hot water again with 

consumer advocates. This time the issue is with the company's Active Virus Shield anti-virus software, released last week. 
&lt;P&gt;
At issue is the software's licensing agreement, which authorizes AOL to gather and share data on how the software is being 

used and permits AOL and its affiliates to send e-mail to users. "If you go through the installation, just as any normal user 

would, there is not the slightest hint of any advertising functionality or data gathering of any kind," said Eric Howes, 

director of malware research at anti-spyware vendor Sunbelt Software. 
&lt;P&gt;
Active Virus Shield uses Kaspersky Lab's well-regarded anti-virus software, and comes with an optional security toolbar that 

blocks pop-up ads and manages passwords. The software is available for free to anyone who wishes to download it. 
&lt;P&gt;
Although security experts, including Howes, say that Active Virus Shield does not behave in a malicious fashion or serve up 

unwanted ads, some are concerned that the product's end user license agreement (EULA) would allow AOL to send spam or serve 

up adware at some point in the future. "If it actually does any of the things stated in the EULA, we would actually flag it 

as spyware," said Christina Olson, a project manager with Stopbadware.org. 
&lt;P&gt;
The Active Virus Shield agreement gives AOL much broader rights to collect information and then to share that information 

with third parties than typical EULAs, observers said. 
&lt;P&gt;
A prohibition against blocking ads also caught Olson's attention. "If you have any ad-blocking software up, you're basically 

violating their EULA, which is ridiculous," she said. 
&lt;P&gt;
AOL's licensing problems come at a sensitive time for the company. Earlier this month the Internet service provider weathered 

a public relations disaster after an AOL researcher inadvertently exposed data on about 19 million Web searches performed by 

658,000 users. 
&lt;P&gt;
AOL said it now plans to alter the licensing agreement. "We are updating the EULA to address any concerns," said Andrew 

Weinstein, a company spokesman. "We are reserving the right solely to send periodic marketing e-mails that users will have 

the choice to opt out of." 
&lt;P&gt;
Adding to AOL's troubles is the fact Active Virus Shield's security toolbar is based on a product with a questionable 

reputation. An earlier version of this software, known as the Softomate toolbar, is flagged as adware by Kaspersky's own 

anti-virus products. 
&lt;P&gt;
"We don't use the earlier code because it was used by a malware provider," Weinstein said. "That's why Kaspersky looks for 

it." 
&lt;P&gt;
While AOL's toolbar is not considered to be adware, observers say that AOL, which prides itself as a fierce opponent of 

adware and spyware, could have based its own toolbar on a better product. "I don't understand how a legitimate company like 

AOL provides software that can be classified as rogue," said Aviv Raff, a security researcher based in Israel. 
&lt;P&gt;
After examining AOL's toolbar, Raff discovered a flaw in the software that would allow hackers to change the toolbar's 

configuration options. While the flaw does not in itself present a security risk, it could be used in combination with other 

types of malicious software to do things like pop up bogus search results, he said. 
&lt;P&gt;
"The problem is similar to the Sony rootkit issue," Raff said, referring to Sony BMG Music Entertainment's notorious copy 

protection software, which was found to be the source of security issues late last year. "A big company chose an external 

company's software and rebranded it as their own, later to discover it might be bad after all," he said.
&lt;P&gt;</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Movie download service faces spyware lawsuit</title>
      <pubDate>Thu, 17 Aug 2006 10:36:27 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Movie download service faces spyware lawsuit&lt;/H4&gt;
Invasive pop-ups ignite legal rumpus
&lt;P&gt;
Washington State is suing a movie download service over allegations that it used &lt;a href="http://spyware.pcwash.com"&gt;spyware&lt;/a&gt; to promote its business.
&lt;P&gt;
Movieland.com and its associates allegedly used malware tactics to bombard punters with aggressive pop-up ads that demanded 

payment for its download service. The lawsuit, brought by Washington State attorney general Rob McKenna, is the second 

lawsuit filed under the state's Computer Spyware Act.
&lt;P&gt;
"The defendants in our suit promote a movie download service through websites including movieland.com that offer consumers a 

free three-day trial," McKenna said in a statement.
&lt;P&gt;
"After the trial period, consumers are inundated with pop-ups that appear at least hourly and subject the consumer to a 40 

second payment demand that cannot be closed. These messages are generated by software installed on their computers that 

cannot be easily removed.
&lt;P&gt;
"To stop these aggressive pop-ups, many frustrated consumers ultimately give in to the defendants' unfair tactics and pay 

anywhere from $19.95 to nearly $100 for the service," he added.
&lt;P&gt;
After thousands of punters complained to the Federal Trade Commission and other agencies over movieland.com's sales tactics, 

the State of Washington began a seven month investigation which led to lawsuits against a number of firms including Digital 

Enterprises, of West Hills, doing business as Movieland.com; Alchemy Communications, of Los Angeles; AccessMedia Networks, of 

Los Angeles; and Innovative Networks, of Woodland Hills.
&lt;P&gt;
Each is charged with breaching Washington State's Computer Spyware and Consumer Protection Acts. Two Los Angeles-based men - 

Digital Enterprises boss Easton A Herd and Alchemy's Andrew M Garroni - are also named in Washington's lawsuits.
&lt;P&gt;
The defendants could be fined up to $100,000 per violation of the Computer Spyware Act and $2,000 per violation under the 

Consumer Protection Act if Washington's civil lawsuit finds them liable. They may also have to stump up compensation to 

aggrieved punters.
&lt;P&gt;
The defendants sell a subscription-based entertainment service that offers access to a variety of movie clips (including 

porno flicks) via websites including movieland.com, moviepass.tv, and &lt;a href="http://spyware.pcwash.com"&gt;popcorn.net&lt;/a&gt;. Punters are offered a free, three-day 

trial offer that requires users to download software. Once this trial period expires, billing software is activated that 

allegedly bombards punters with invasive pop-up ads demanding payment.
&lt;P&gt;
These messages, which read, "Click 'Continue' to purchase your license and stop these reminders", take up much of a user's 

screen and hinder their ability to work on their PCs.
&lt;P&gt;
According to Washington State's investigation, there's no obvious way to minimise or close the windows (or to remove the 

software that generates the pop-ups), so users are obliged to sit through a 40 second video featuring a woman making claims 

that punters are legally obliged to cough-up payment because they "failed to cancel" during the trial period.
&lt;P&gt;
"The defendants' claim that users are legally obligated to pay for their service lacks merit because consumers did not 

provide knowing consent to the installation of the relentless pop-up demands," McKenna said.
&lt;P&gt;
"Furthermore, computer owners are not responsible to satisfy contracts that other people, including minors, entered into 

while using a computer." &lt;P&gt;</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Social Networks, Now With Spyware</title>
      <pubDate>Wed, 16 Aug 2006 16:15:44 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Social Networks, Now With Spyware&lt;/H4&gt;
When college officials warn incoming students about the dangers of 

MySpace and Facebook, they tend to talk about thorny issues like 

privacy and personal responsibility. But campus-network 

administrators probably would like to see the topic of computer 

security get at least a brief airing.
&lt;P&gt;
After all, social-networking sites have become breeding grounds for 

viruses and spyware, according to a new report. The study—one in a 

monthly series conducted by ScanSafe, an online security firm—found 

that one in 600 social-network profiles contains some sort of 

malware, reports ElectricNews.
&lt;P&gt;
Not all social-networking sites are equally dangerous, though: 

Facebook, which restricts access to users with campus e-mail 

addresses, is less virus-ridden than wide-open competitors like 

MySpace.&lt;P&gt;</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>New IRCBot attacks unpatched W/2000 systems</title>
      <pubDate>Mon, 14 Aug 2006 07:00:01 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;New IRCBot attacks unpatched W/2000 systems&lt;/H4&gt;
A generic &lt;a href="http://spyware.pcwash.com/IRC-spyware.html"&gt;IRCbot&lt;/a&gt; called MocBot by some AV vendors has been adapted to use a recently developed MS06-040 exploit. The 

Windows MS06-040 patch fixes critical security issues for a recently discovered "Server" service vulnerability. This 

protective patch was issued on August 8th by Microsoft. Five days later, this new &lt;a href="http://spyware.pcwash.com/IRC-spyware.html"&gt;IRC-MocBot&lt;/a&gt; attack is in the wild.  
&lt;P&gt;
It will automatically affect unpatched W/2000 systems (unless firewall controls to block ports 139 and 445 are in place).  

This IRCbot can also potentially spread through AOL Instant messaging traffic.
&lt;P&gt;
On infected systems, it hides as a Windows Genuine Advantage (WGA) Registration service, and improper removal will result in 

instability. Finally, Trend is reporting a 2nd variant, so this malware may be readily adapted into new variants that bypass 

AV detection as they emerge. Please install all available Microsoft security updates (esp. MS06-040) for 

the best level of protection.
&lt;P&gt;
</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Skype malware scam targets Turkey</title>
      <pubDate>Fri, 11 Aug 2006 10:36:04 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Skype malware scam targets Turkey&lt;/H4&gt;

The Keyser Söze of spyware
&lt;P&gt;
Spyware authors have crafted a new attack that poses as an invitation to Turkish people to try Skype, the popular IP 

telephony application. Instead of being able to download the popular VoIP application, punters responding to Turkish-language 

emails containing the bogus offer will be directed towards a fake site.
&lt;P&gt;
This bogus site contains a malicious file, skypekur.exe, posing as Skype software. If executed, the malware application 

installs multiple password recovery tools designed to harvest passwords from IM applications, email clients, and FTP programs 

on compromised machines. Passwords, once extracted, are sent to hackers for later abuse.
&lt;P&gt;
Malicious emails punting the bogus offer were intercepted by net security firm SurfControl earlier this week. Malware posing 

as Skype software is rare but not unprecedented. This attack is doubly unusual because most malware solicitations are written 

in English. By targeting Turkish users of Skype, ne'er do wells have developed a niche-form of social engineering attack 

targeting an audience that's less familiar with malware. 
&lt;P&gt;
</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Colleges Brace for Malware Wave</title>
      <pubDate>Thu, 10 Aug 2006 10:43:07 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Colleges Brace for Malware Wave&lt;/H4&gt;

By John P. Mello Jr.
&lt;P&gt;
While returning to school may only be a fleeting thought for most students at this time of year, it's top of mind for the 

folks charged with keeping university networks free from a host of electronic nasties.
&lt;P&gt;
"Fall is definitely the worst time for viruses and things wrong with computers on the network," Tim Cantin, IT Director for 

Wellesley College in Wellesley, Mass., told the E-Commerce Times.
&lt;P&gt;
Colleges and universities have some unique security problems facing their networks, noted Andres Kohn, vice president for 

product management for Proofpoint, of Cupertino, Calif., a provider of anti-spam and e-mail security software for large 

enterprises. 
&lt;P&gt;
One of them is the nature of their users. "They're a transient population with little control over them," he told the 

E-Commerce Times.
&lt;P&gt;
That's very evident in the fall, Kohn maintained. "Kids come back from the summer with their laptops that have been all over 

the place and are usually highly infected with viruses," he observed.
&lt;P&gt;
One of the first things universities try to do in the fall, he said, is track down who is infected, what they're infected 

with and clean them up. 
&lt;P&gt;
Another challenge to the system is the churn in e-mail addresses at an educational institution in a given year.
&lt;P&gt;
"Every year a quarter of the students are moving on, so those e-mail addresses are no longer valid," Kohn explained. "That 

huge churn creates a lot of garbage aimed at invalid addresses, which is why universities usually have a higher percentage of 

spam than most other organizations."
&lt;P&gt;
He noted that at one of Proofpoint's customer universities, all spam was quarantined. "When we scanned the quarantine, more 

than 90 percent of the e-mail in there was going to invalid e-mail addresses." 
&lt;P&gt;
It can be difficult to impose uniform rules on a university network to beef up security, Kohn added.
&lt;P&gt;
"With all the different constituencies -- the students, the faculty, the staff -- everyone wants things done a little bit 

differently, so they really have to manage a very flexible system that meets everybody's needs," he explained.
&lt;P&gt;
"In companies," he continued, "the system administrator just says, 'This is how we're going to do it, and you're going to be 

happy with it.' In a university, it's a lot harder to do that." 
 &lt;P&gt;
Harder, but not impossible. At Wellesley, for instance, the college had installed a product from Cisco Systems called 

"Network Access Control" (NAC), formerly Clean Access.
&lt;P&gt;
"When you put a computer on the network, it stops you from doing anything until you log into the network server," IT Director 

Cantin explained.
&lt;P&gt;
"Once you log in," he continued, "it puts an agent on your desktop. That agent checks your machine to make sure it's up to 

date and configured the way we want."
&lt;P&gt;
He added that since last summer, the school has added another layer of security to that. It checks a machine to make sure it 

has one of several antivirus programs installed on it.
&lt;P&gt;
In addition, the university has an anti-spam, antivirus screening program running on its main mail server. 
&lt;P&gt;
P2P Waning 
&lt;P&gt;
Although problems caused by peer-to-peer (P2P) programs seemed to have abated, Cantin is skeptical about the lull.
&lt;P&gt;
"I think there's a false sense of security there," he said. "I don't think that problem is going to go away too quickly. We 

need to keep on top of that one."
&lt;P&gt;
Keeping on top of what noxious computer offerings incoming freshmen may bring with them, though, can be a challenging task.
&lt;P&gt;
"With teenagers in any setting, no one can predict," said David Karp, director of product marketing at Ipswitch, a software 

maker in Lexington, Mass. "They're going to come up with something -- the next file-sharing monster, the next Napster, the 

next viral site like Facebook or MySpace -- and folks over 20 are just not going to see it coming
&lt;P&gt;</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Social sites a breeding ground for malware</title>
      <pubDate>Thu, 10 Aug 2006 10:33:57 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Social sites a breeding ground for malware:&lt;/H4&gt;
Harmful software another threat to children&lt;P&gt;
By Maxim Kelly, ElectricNews.net
&lt;P&gt;
Social networking sites are behind a surge in viruses, spyware and other "nasty stuff", according to web security firm 

ScanSafe's monthly report.
&lt;P&gt;
According to an analysis of more than 5bn web requests in July, ScanSafe found that, on average, up to one in 600 profile 

pages on social networking sites hosted some form of malware.
&lt;P&gt;
The company also reported that the use of social networking sites, often assumed to be popular only among teens, accounted 

for approximately one per cent of all internet use in the workplace.
&lt;P&gt;
"Social networking sites have been newsworthy because of the concern over our children's safety, but beyond unsafe contact 

with harmful adults, these sites are an emerging and potentially ripe threat vector that can expose children to harmful 

software," ScanSafe chief executive and co-founder Eldar Tuvey said. "Users are frequently subject to unwanted spyware and 

adware that can compromise their PCs, track online behaviour and degrade PC performance."
&lt;P&gt;
The majority of malware identified by ScanSafe was spyware and adware, and ranged from the more benign programmes that track 

usage to difficult-to-remove spyware which may redirect a user to dodgy websites.
&lt;P&gt;
Social networking sites like Facebook, which typically use a university or college email address to verify a user's identity, 

and LinkedIn, a site used for business networking, tended to be more secure than "open" social networking sites, according to 

ScanSafe.
&lt;P&gt;
The research also revealed the presence of referrals to adult-themed dating sites on social network sites popular with teens.
&lt;P&gt;
"The presence of adult-oriented adware is disturbing, not only because much of it is inappropriate content for minors, but 

because underage users may not be in a position to consent to installing adware or understand the end-user licence 

agreement," Tuvey said.
&lt;P&gt;
Web viruses identified and blocked by ScanSafe before a virus' signature (i.e. the code which antivirus software uses to 

identify it) became available accounted for nearly 13 per cent of all web viruses blocked by the company in July.
&lt;P&gt;
Tuvey commented that there may be some seasonality to web viruses and spyware but the number of unidentified viruses remains 

relatively constant.
&lt;P&gt;
The ScanSafe Global Threat Centre processed more than five billion web requests in July, and reported that it blocked 238 

unique viruses - 75 of which were new or unique viruses.
&lt;P&gt;
</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>FTC Wants Spyware Reported</title>
      <pubDate>Thu, 3 Aug 2006 10:56:08 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;The Dilemma of Reporting Spyware Attacks&lt;/H4&gt;

The FTC is encouraging businesses to inform it when they are exploited by spyware, but some observers say that doing so may cause 

more headaches for those who come forward. 
&lt;P&gt;
&lt;B&gt;LAS VEGAS&lt;/B&gt; — The Federal Trade Commission is asking corporations to report incidents when they are victimized by 

spyware attacks, but some experts say the process of doing so puts businesses in a tricky position, where they must weigh the 

benefits of pursuing malware code distributors against the potential for legal recrimination. 
&lt;P&gt;
Speaking at a roundtable discussion on the topic of spyware at the Black Hat Briefings security conference being held here 

July 31 through Aug. 3, Eileen Harrington, a deputy director in the Bureau of Consumer Protection at the FTC, said that 

companies will need to be more forthcoming if they are to help the agency track down malware writers and take those 

individuals to court. 
&lt;P&gt;
While companies must be held responsible for any mistakes they make that leave computer networks and sensitive data exposed 

to attacks, law enforcement officials need private-sector organizations to contribute more actively if the FTC is going to 

make headway in tracking down those responsible for the programs, she said.  
&lt;P&gt;
"Companies need to report problems to help us do our jobs. If you have the appropriate security measures in place, you 

shouldn't be afraid to contact us," Harrington said. "Where liability can arise on the part of the private sector is when 

personally identifiable information on an [IT] system has not been reasonably protected. What constitutes 'reasonable' varies 

from case to case, and we will sue companies when those steps are not in place." 
&lt;P&gt;
The proposition is enough to strike fear in the hearts of business executives and IT administrators, as they must consider 

the implications of admitting an attack and lending a hand versus not reporting a security lapse that allows the spyware to 

take root and do damage. In addition to the promise of potential fines and legal action from agencies including the FTC, 

companies must also take into consideration the fact that their corporate image could be tarnished by the related publicity 

fallout. 
&lt;P&gt;
However, Harrington said that by reaching out to the FTC, companies may also reduce any fines they receive as a result of 

being found liable for a data breach. She also admitted that the Washington-based agency has retired some of its own 

computers "to the closet" that became too loaded with malware programs to be considered useful. 
&lt;P&gt;
"If you had a data breach and didn't have proper protections in place, you may wind up on the other end of enforcement, but 

we're likely to find out about it anyway," the FTC official said. "If you let us know, it may also mitigate in some way the 

nature of any [penalties] sought by the FTC." 
&lt;P&gt;
Another panelist, Andre Gold, chief information security officer for Houston-based Continental Airlines, shook his head and 

smiled as Harrington described the need for companies to report their major security incidents. His comments summed up the 

reaction of many Black Hat attendees, who appeared flummoxed by the notion of trying to stop spyware distributors while 

protecting the interests of their own companies. 
&lt;P&gt;
"It's definitely concerning when you're being asked to go to the FTC and you might be told that you haven't done a good 

enough job," Gold said. "I don't think that model works very well." 
&lt;P&gt;
Another alternative for companies troubled by the dilemma of how to share their attack information is to work with 

researchers who can report incidents to law enforcement without handing over specific corporate information, said panelist 

Ari Schwartz, deputy director of the Center for Democracy and Technology. 
&lt;P&gt;
While some believe the spyware problem has faded somewhat, with the large volume of attacks of previous years being replaced 

by more targeted campaigns against specific companies or groups of end users, new figures indicate that the malware format 

continues to proliferate. 
&lt;P&gt;
According to the latest research collected by Webroot Software, to be published in the Mountain View, Calif., company's 

quarterly malware report later this month, there were more than 100,000 new sites discovered between April 1 and June 30 that 

were found to be distributing spyware and other malicious programs. The company has unearthed some 527,000 malware sites 

since launching its research in 2004. 
&lt;P&gt;
While 67 percent of the new sites were hosted in the United States, compared with Germany, which ranked second with only 7.5 

percent of the spyware distributors, Webroot Chief Technology Officer Gerhard Eschelbeck said the people behind the efforts 

are likely distributed around the globe. The predominance of spyware sites in the United States is likely driven by 

criminals' desire to steal money from American companies, he said. 
&lt;P&gt;
Spyware programs used to deliver Trojan viruses are also on the upswing, according to Webroot. The company found that 31 

percent of the spyware programs it intercepted during the second quarter carried Trojans, compared with 19 percent during the 

same time frame last year, and 14 percent two years ago.
&lt;P&gt;</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Warner Bros To Sever Ties with Zango</title>
      <pubDate>Sat, 29 Jul 2006 15:03:19 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Warner Bros To Sever Ties with Zango&lt;/H4&gt;

Well, that certainly did not take very long. According to the Washington Post,
&lt;P&gt;
Warner Bros. Studios, home to Bugs Bunny, Scooby Doo and Harry Potter, said yesterday that it plans to terminate a business 

relationship with Zango Inc., an adware company that has been offering free games on the Warner Bros. Web site in exchange 

for permission to install a computer program that could push advertisements and pornography. 
&lt;P&gt;
It's unknown how long the link was on the site. However, after the link was noted on blogs yesterday, consumer groups that 

work to protect children from the dangers of the Web began to speak out. The issue also revived the debate over mainstream 

corporations that support, through business relationships, the seedier side of the Web.
&lt;P&gt;
Looks like the ads have already been removed from the site and if you try to access the Zango page, it redirects to the 

homepage. What took them so long? ;) Something I did notice from the Washington Post article was the contrasting attitudes 

from Warner Bros and Zango.
&lt;P&gt;
A Warner Bros rep said,
&lt;P&gt;
In a statement issued yesterday, Warner Bros. said that its agreement with Zango was contingent upon "Zango's ability to 

satisfy a rigorous set of adware/trackware integrity requirements" and that Zango agreed that "no one accessing Zango's 

network from the Warner Bros. site would receive inappropriate material." 
&lt;P&gt;
"We take this issue very seriously at Warner Bros. and we have maintained all along that if Zango does not meet any one of 

these criteria, we will terminate the deal," the statement read.
&lt;P&gt;
While a Zango rep said,
&lt;P&gt;
Zango spokesman Steve Stratz said the promotion of its software on a kid-oriented site was a case of "ad inventory mix-up." 

While the company does not target its software at children, "it's not our job to police the Warner Bros. site," he said.
&lt;P&gt;
Very serious versus a mix-up. Wonder why the "I am 18" checkbox was already checked on the Warner Bros site? Does that say 

serious to you?&lt;P&gt;</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Zango Didn't Actually Stop User From Pushing Spyware Videos On MySpace</title>
      <pubDate>Thu, 27 Jul 2006 10:50:05 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Zango Didn't Actually Stop User From Pushing Spyware Videos On MySpace&lt;/H4&gt;

Earlier this month, we had a story about how someone was trying to trick MySpace users into putting videos on their site 

that, as part of the process, would push any visitors to install Zango's adware/spyware offering. The folks at Zango struck 

back with an odd defense -- first admitting that it was an employee who put up the videos, but that it wasn't sanctioned by 

the company at all. They then said that they forbid affiliates from posting to MySpace -- and even though some ignore it, 

they've been able to effectively catch those affiliates and "deal with them." That might sound familiar. After all, this is 

the same company (under a previous corporate name) that claimed not so long ago that it had new technology to deal with rogue 

affiliates -- even as it's been shown time and time again that those rogue affiliates still exist widely. However, the 

company's effectiveness in "dealing with" rogue affiliates looks even more ridiculous today as the same researcher who 

discovered the MySpace videos has determined that the same exact user is pushing new Zango-infested videos on MySpace. In 

other words, Zango's definition of "dealing with" this rogue affiliate is to let whoever it is keep doing what they were 

doing -- just having them move it to a different page. If they are so against rogue affiliates (that is, when they're not 

rewarding them), then why did they leave this account active?
&lt;P&gt;
</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Illicit Adware Infects MySpace Users</title>
      <pubDate>Tue, 25 Jul 2006 16:43:57 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Illicit Adware Infects MySpace Users&lt;/H4&gt;

Up to a million users of MySpace and other sites serving up an ad for patio furniture this month may have been infected with 

surreptitious adware.
&lt;P&gt;
Delivered by ad networks, a banner ad for DeckOutYourDeck.com that ran on MySpace and other sites earlier this month was 

rigged to install up to five adware programs on the computers of users browsing an unpatched version of Internet Explorer, 

reports PC Mag (via MarketingVOX). When malware security analyst Michael La Pilla of VeriSign's iDefense reported the 

problem, MySpace had already taken down the ad and was attempting to find the culprits.
&lt;P&gt;
iDefense estimates that the adware was installed on 1.07 million computers and was served on MySpace, Webshots and possibly 

Facebook pages, reports CIO Today. La Pilla found that the install program initiated by the banner ad contacted a 

Russian-language web server in Turkey that tracks the PCs on which the program has been installed.
&lt;P&gt;
Microsoft users who had not installed a Microsoft patch related to Windows Metafile (WMF) image files were vulnerable. Those 

using Firefox version 1.5 or later were protected.
&lt;P&gt;
MySpace chief security officer Hemanshu Nigam said in a statement: "This is a criminal act. This ad is being delivered by ad 

networks who distribute these ads to over a thousand sites across the Internet in addition to ours. We are working to have 

these ad networks remove this ad so that they do not appear on our site. At the same time we strongly urge all Internet users 

to follow basic Internet security practices such as running the latest version of the Windows operating system, installing 

the latest Windows security patches, and running the latest anti-spyware and anti-adware software. If users have applied the 

simple patch available from Microsoft.com, they will not be vulnerable to this criminal act."
&lt;P&gt;</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Spyware Rakes In Billion$</title>
      <pubDate>Sun, 23 Jul 2006 05:51:30 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Spyware developers net huge profits, outrage&lt;/H4&gt;
With annual revenues of $2 billion, pop-up ads are a high-stakes game
&lt;P&gt;
Consumers have strong opinions about Direct Revenue's software. "If I ever meet anyone from your company, I will kill you," a 

person who identified himself as James Chang said in an e-mail to Direct Revenue last summer. "I will f------ kill you and 

your families." Such sentiments aren't unusual. "You people are EVIL personified," Kevin Horton wrote around the same time. 

"I would like the four hours of my life back I have wasted trying to get your stupid uninvited software off my now crippled 

system."
&lt;P&gt;
Sifting through a stack of customer complaints in June, 2005, a Direct Revenue employee decided to tally the most frequently 

used words of aggression: "die" (103 times), "f------" (44), and "kill" (15). Douglas Kee, then Direct Revenue's chief of 

quality assurance (QA), ribbed colleagues in an e-mail that with all the death threats, it was a "good thing QA sits farthest 

away from the entrance."
&lt;P&gt;
According to angry consumers and the New York State Attorney General, Direct Revenue makes "spyware." These programs track 

where you go on the Internet and clutter your screen with annoying pop-up advertisements for everything from pornography to 

wireless phone plans. &lt;a href="http://spyware.pcwash.com"&gt;Spyware&lt;/a&gt; can get stuck in your computer's hard drive as you shop, chat, or download a song. It might 

arrive attached to that clever video you just nabbed at no charge. Web security company McAfee Inc. estimates that nearly 

three-quarters of all sites listed in response to Internet searches for popular phrases like "free screen savers" or "digital 

music" attempt to install some form of advertising software in visitors' computers. Once lodged there, spyware can sap a PC's 

processing power, slow its functioning, and even cause it to crash.
&lt;P&gt;
This explains the vitriol aimed at Direct Revenue. The company, located in a loft above a clothing boutique in New York's hip 

SoHo district, has been a pioneer in a seamy corner of the booming Net advertising industry. Although it is small by some 

corporate standards, having generated sales of about $100 million since its start in 2002, its programs have burrowed into 

nearly 100 million computers and produced billions of pop-up ads.
&lt;P&gt;
Direct Revenue's swift rise illustrates the intertwining of spyware and mainstream online marketing. The Web is the hottest 

game in advertising, but what's rarely acknowledged is the extent to which unsavory pop-ups boost the returns. Here's how it 

often works: Sellers of advertising, ranging from giant Yahoo! Inc. to much smaller networks, recruit clients, tally the 

clicks their ads generate, and charge accordingly. But then Yahoo and the other advertising companies sign up partners that 

distribute the ads beyond their own sites in return for a fee, and those partners sign up other partners. Down the line, a 

big piece of the business winds up in the hands of outfits like Direct Revenue, which disseminate the ads as pop-ups and 

share revenue with their more mainstream partners. Some advertisers say their messages have appeared in pop-ups without their 

permission. Others seek out pop-ups, and Direct Revenue frequently sells ads directly to such advertisers.
&lt;P&gt;
Spyware rakes in an estimated $2 billion a year in revenue, or about 11 percent of all Internet ad business, says the research 

firm IT-Harvest. Direct Revenue's direct customers have included such giants as Delta Air Lines and Cingular Wireless. It has 

sold millions of dollars of advertising passed along by Yahoo. And Direct Revenue has received venture capital from the likes 

of Insight Venture Partners, a respected New York investment firm.
&lt;P&gt;
Many of those impressive ties have frayed or ripped apart recently as Direct Revenue has struggled to fend off a lawsuit 

filed in April by New York Attorney General Eliot Spitzer. The state court action alleges that Direct Revenue crossed a legal 

line by installing advertising programs in millions of computers without users' consent. Shining a light on the shadowy 

spyware trade, the suit asserts that the company violated New York civil laws against false advertising, computer tampering, 

and trespassing.
&lt;P&gt;
This article is based in part on more than 1,000 pages of Direct Revenue's internal e-mail and other documents included in 

court filings. BusinessWeek has reviewed additional documents and interviewed dozens of industry insiders, including 12 

current and former Direct Revenue employees and executives.
&lt;P&gt;
The company denies any wrongdoing. In a filing in June, it calls the Spitzer suit "much ado about nothing" and defends its 

past practices as "commonplace" in the industry. It calls its programs "&lt;a href="http://spyware.pcwash.com/remove-adware.html"&gt;adware&lt;/a&gt;" and says it has notified consumers when 

putting the programs on their computers. It insists that some of the methods Spitzer assails "were long ago changed." And it 

argues that by accepting its ads, consumers get popular software applications free of charge that otherwise can cost up to 

$30 apiece.
&lt;P&gt;
In the wake of the litigation, Direct Revenue has shrunk in size, but it remains an important player on the spyware scene. 

Thousands of people still complain each month to Web security firms about new computer infections caused by Direct Revenue 

programs (although many users are baffled about what's causing the maladies). And a new generation of spyware purveyors of 

equal or greater potency is imitating Direct Revenue's strategies, infuriating customers, and threatening to taint the larger 

business of online advertising. Chances are you have some of their handiwork hidden within your hard drive right now.
&lt;P&gt;
Direct Revenue's origins trace the rise of what might politely be called one of the more freewheeling sectors of Internet 

commerce. The company's sales philosophy, according to current and former employees, was heavily shaped by Jesse Stein, a 

Wharton School-educated marketer whose successes before joining the company included selling VigRX, an herbal 

penile-enlargement supplement. VigRX may sound familiar because, to win customers, Stein inundated e-mail in-boxes with spam 

promoting the product. In 2003, when the ABC News 20/20 program identified what it said were the biggest online spammers, it 

featured VigRX and showed one of Stein's e-mails. He reveled in the notoriety. On his desk at Direct Revenue, Stein, now 36, 

kept a framed 20/20 screen shot of his VigRX spam, former colleagues say.
&lt;P&gt;
His eventual boss, Joshua Abram, came to online hawking from a different angle. His family has a rich history of public 

service. Abram's late father, Morris, was a civil rights activist in the 1960s who later served as president of Brandeis 

University and U.S. ambassador to the U.N. under President George H.W. Bush. Joshua's sister, Ruth, heads the Lower East Side 

Tenement Museum in New York.
&lt;P&gt;
In 1999 Joshua Abram helped start Dash.com, a benign precursor to later spyware operations. Dash attached an unobtrusive 

horizontal bar to the bottom of a computer user's Web browser. As the user moved around the Internet, Dash would note the 

sites being visited and offer relevant text ads inside the narrow bar. Dash went out of its way to ask users' permission to 

install the ad bar, and the company even shared its fees with consumers who made purchases. But Dash's tactful text ads drew 

relatively few clicks, and its fee-sharing became an administrative nightmare. As the Internet market imploded in 2001, Dash 

folded.
&lt;P&gt;
Abram, known for wearing stylish suits amid a sea of techie grunge, kept developing ad software with several colleagues. They 

joined a broad post-bust move toward treating customers with less respect. One of the new spyware variants he helped create 

was called VX2, which a former colleague and computer security professionals believe was named after the deadly, undetectable 

VX nerve agent. In 2002, Abram, a father of two and husband of a fashion-industry executive, started Direct Revenue. His 

co-founders were fellow Dash alumnus Daniel Kaufman and a pair of data-mining entrepreneurs from a company called Pipe9, Alan 

Murray and Rodney Hook. The next year, Direct Revenue did business with and then acquired Stein's online ad agency, forming a 

spyware powerhouse. Stein declined to comment. The four founders didn't respond to numerous inquiries.
&lt;P&gt;
By early 2004, Direct Revenue, with Abram as CEO, had settled into its SoHo loft, employing two dozen programmers and 

salespeople. Current and former staff members say the place had an informal, often cynical atmosphere. The unsophisticated 

computer users subjected to Direct Revenue's ads had a nickname among some staffers: "trailer cash."
&lt;P&gt;
Knowledgeable consumers can reduce the risk of spyware infection by using widely available security software and steering 

clear of free online goodies. Direct Revenue and its rivals -- companies with such names as eXact Advertising and Zango -- 

say they employ "user agreements" that notify individuals when they are about to download their software. But the agreements 

typically can be found only by clicking on links deep within separate legal agreements related to the online freebies. The 

documents tend to be lengthy and opaque. Large numbers of Internet users who lack adequate security software and fail to read 

the legalese make themselves vulnerable.
&lt;P&gt;
Once embedded in your hard drive, spyware communicates via the Internet with the company that produced it. The company's 

computer keeps track of your online meanderings and sends you pop-up ads relevant to the sites you visit. The travel-booking 

sites Travelocity and Priceline.com have both been direct customers of Direct Revenue. People who picked up Direct Revenue 

spyware and then perused flights on Travelocity might find their screens obstructed by a pop-up for Priceline, or vice-versa. 

The travel sites say they stopped doing business with the company earlier this year.
&lt;P&gt;
Direct Revenue and other ad software creators struggle to balance an impulse to pump out waves of profitable pop-ups against 

the danger of enraging consumers who lose control of their computers. "Most of these companies can't overcome their desire to 

make the most money right away," says Sam Curry, vice-president for product management at Computer Associates International 

Inc. in Islandia, N.Y. 
&lt;P&gt;
From early on, a small group of programmers at Direct Revenue focused on how to protect their employer's programs once they 

were lodged in a computer, current and former employees say. The team called itself Dark Arts after the term for evil magic 

in the Harry Potter series. One of the biggest threats Dark Arts addressed came from competing software. The presence of 

multiple spyware programs can so cripple a computer that no ads manage to get seen.
&lt;P&gt;
Dark Arts crafted software "torpedoes" that blasted rival spyware off computers' hard drives. Competitors aimed similar 

weapons back at Direct Revenue's software, but few could match the wizardry of Dark Arts. One adversary, Avenue Media, filed 

suit in federal court in Seattle in 2004, alleging that in a matter of days, Direct Revenue torpedoes had cut in half the 

number of people using one of Avenue Media's programs. The suit settled without money changing hands, according to an 

attorney for Avenue Media, which is based in Curaçao. "This is ad warfare," explains former Direct Revenue product manager 

Reza Khan. "Only the toughest and stickiest codes survive."
&lt;P&gt;
In light of the Dark Arts stratagems, Direct Revenue management in early 2004 procured from its lawyers a modified user 

agreement that would supposedly be shown to PC owners. Within the densely written seven-page document was a declaration that 

Direct Revenue "could remove, disable, or render inoperative other adware programs resident on your computer, which, in turn, 

may...have other adverse impacts on your computer."
&lt;P&gt;
Abram presented the new agreement to his troops with an impudence befitting the Dark Arts crew. "It's a lawyer-approved 

license to kill," the CEO said in a February, 2004, e-mail. He urged some restraint because at the time potential investors 

were examining the company: "I would think twice about going too aggressively on the offense during [due] diligence." But he 

added: "Obviously, if we find someone is slaughtering us in the interim, we should not wait to counter."
&lt;P&gt;
"It was like a big game of Dungeons &amp; Dragons," a current Direct Revenue manager says, and it was becoming lucrative. An ad 

software shop generally charges advertisers up to a penny a day for each computer that showcases its ads. A company with 

access to 10 million computers can make about $100,000 a day. With its "install base" soaring to more than 20 million 

computers by late 2004, Direct Revenue's annual sales rose 450 percent, to $39 million. Its four founders took home a combined 

$23 million, with Abram enjoying the biggest share: $8.1 million.
&lt;P&gt;
This cash geyser drew investors' attention. Insight Venture Partners, which has among its advisers Robert E. Rubin, former 

Treasury Secretary and now chairman of the executive committee at Citigroup, poured in $27 million, court filings show. 

Andrew J. Levander, a lawyer for Insight, says the firm's pre-investment due diligence "did not raise any issues concerning 

the lawfulness of Direct Revenue's disclosure and distribution practices." Rubin wasn't involved with the investment, 

Levander says. When Insight learns of complaints, he adds, it works with the company to address them.
&lt;P&gt;
Complaints were certainly not in short supply. "You have 24 hours to provide me with a removal tool for your piece of crap 

spyware program," Joe LoMoglio e-mailed the company in September, 2004. "Your pop-up ads popped up a few porn sites while my 

6- and 9-year-old children were using the computer." Reached by e-mail, LoMoglio says the company "refused to respond."
&lt;P&gt;
As Direct Revenue surged in late 2004, its hyperactive sales force profited as well. Several top performers took home more 

than $300,000 apiece that year, current and former employees say, and a celebratory mood enveloped the fourth-floor ad-sales 

department. On Friday afternoons, employees opened bottles of beer, and Paul Nute, a top sales executive, occasionally 

blasted the pop song "Everybody's Working for the Weekend."
&lt;P&gt;
Nute had a trademark line for corporate sales pitches, according to current and former sales employees. "It's like crack," he 

would say. "Once you try it, you'll keep coming back for more." Nute declined to comment.
&lt;P&gt;
By early 2005, Direct Revenue had notched deals with JPMorgan Chase, Delta, and the Internet phone company Vonage, according 

to former sales staffers and Direct Revenue documents. Cingular Wireless spent more than $100,000 a month at the peak of its 

relationship with Direct Revenue, current and former employees say. Direct Revenue put Cingular pop-ups in front of other 

phone companies' Web sites and news sites such as the one affiliated with tech magazine Wired. Vonage, meanwhile, was billed 

$110 for each customer that Direct Revenue delivered, according to a sales report from July, 2005. For that month, Direct 

Revenue billed Vonage for 287 new customers, or $31,570.
&lt;P&gt;
JPMorgan Chase confirms that it advertised with a Direct Revenue unit through the middle of last year, but says it was 

unaware of any spyware activity. Delta and Cingular declined to comment. Vonage didn't respond to inquiries.
&lt;P&gt;
By mid-2005, Direct Revenue had grown to more than 100 employees, and its practices were drawing public notice. Bloggers, 

invoking the right to be free of uninvited ads, singled out Direct Revenue. Benjamin Edelman, a prominent Internet consultant 

and spyware foe in Cambridge, Mass., tried to shame advertisers away from Direct Revenue by displaying on his site the names 

of companies that appeared in Direct Revenue pop-ups. Jules Neuringer, owner of Portronix, a Brooklyn (N.Y.) computer-service 

firm, says that during this period about a dozen of his small-business clients complained about Direct Revenue spyware. Of 

these, he says he "was never able to bring an infected computer back to pristine operating condition."
&lt;P&gt;
Direct Revenue insiders knew they were alienating consumers and even made tentative moves to clean up their act, court 

filings show. But when the result was fewer people getting stuck with its software, Direct Revenue pulled back from reforms.
&lt;P&gt;
In early 2005 the company was bundling its products with a file-sharing program called Morpheus, which users could download 

onto their computers. Morpheus required that Direct Revenue make its software easy to spot in a computer's "Add/Remove" 

panel, which is the registry where a user can find most legitimate software and delete it. Direct Revenue agreed at first but 

after a few months noticed that thousands of new users it gained via Morpheus were quickly deleting the ad software. Kaufman, 

a co-founder of Direct Revenue, sent an e-mail to colleagues in February, 2005, saying the company should drop the Mr. Nice 

Guy routine. "We need to experiment with less user-friendly uninstall methodologies," he wrote. The distribution agreement 

with Morpheus ended within three months.
&lt;P&gt;
The same ambivalence was evident in April, 2005, when Direct Revenue released a concoction known as Aurora. The program 

clearly labeled ads as coming from the company, a gesture designed to build credibility. But Aurora had powerful features 

that fought off competing spyware and security programs. The company also raised the number of pop-ups it sent users to as 

many as 30 a day.
&lt;P&gt;
Disaster ensued, as Aurora paralyzed thousands of computers. Matt Oettinger, who ran media operations at Fastclick, an 

advertising network that bought ads from Direct Revenue, found his home PC afflicted by Aurora, e-mails in court filings 

show. In June he ordered all Fastclick ads disentangled from Aurora. Branko Krmpotic, the managing director of Technology 

Investment Capital Corp. (TICC), which had invested $6.7 million in Direct Revenue, also caught the Aurora bug and couldn't 

kill it, according to e-mails. Eventually, Direct Revenue had to send its customer support director to fix Krmpotic's 

machine. After receiving complaints about Aurora, Insight Venture, another major investor, told the company to remove 

Insight's name from the Direct Revenue Web site. Fastclick declined to comment; Krmpotic didn't return calls.
&lt;P&gt;
Even Aurora's creators fell victim as the program froze computers at Direct Revenue. One sales staffer, Judit Major, 

documented receiving more than 30 pop-up ads in one day, according to e-mails. Her computer crashed four times. "We are 

serving WAY TOO MANY pops per hour," wrote Chief Technology Officer Daniel Doman in a June e-mail to the company's brass. "If 

we overdo it, we will really drive users to get us the hell [off] their machine. We need to BACK OFF or we will kill our 

base."
&lt;P&gt;
By then consumer complaints were pouring in to Attorney General Spitzer's office. He filed suit in April, after his staff had 

hauled away 150 boxes of the company's e-mails. Spitzer alleges that he found numerous examples of Direct Revenue spyware 

downloaded with misleading user agreements or no disclosure at all. In many cases, the download was performed by a 

distributor on behalf of Direct Revenue, but company executives repeatedly conceded in e-mail that users were in the dark 

about how its programs got into their computers. This, Spitzer argues, amounts to illegal deception.
&lt;P&gt;
A Direct Revenue spokesman, Michael Spinney, says the company is "mystified" by Spitzer's allegations. It cleansed its 

practices more than nine months ago, Spinney says, and now puts its name on all its pop-up ads. It also now makes its 

software available for deletion in a computer's Add/Remove Programs registry and has limited its use of distributors. Before 

these changes, Spinney asserts, Direct Revenue employed practices common in its industry. He wouldn't comment on Spitzer's 

individual allegations.
&lt;P&gt;
The &lt;a href="http://spyware.pcwash.com"&gt;anti-spyware&lt;/a&gt; activists and computer security firms confirm that Direct Revenue has dropped its most destructive programs, 

such as Aurora. But they emphasize that the company continues to cause serious headaches. Tokyo's Trend Micro Inc. offers an 

online service that scans customers' troubled computers. In April it identified Direct Revenue's spyware as the culprit in 

9,400 computer scans. That's down from 14,000 in January, but it represents a substantial level of annoyance. "Direct Revenue 

is still on everyone's top 10" of reviled spyware companies, says Anthony Arrott, Trend Micro's spyware research manager.
&lt;P&gt;
Deborah Maradei-Ugel, a loan officer in Santa Clarita, Calif., says she receives more than 20 pop-ups a day on her home 

computer as a result of Direct Revenue spyware. She complained to the company, but removal instructions it sent her are 

impossible to follow, she says. Her machine frequently stalls and requires restarting. "You hit your computer," she fumes, 

"but it doesn't help."
&lt;P&gt;
The way Direct Revenue describes its software during the download process remains vague and misleading, Edelman and other 

critics say. The company now bundles ad programs with &lt;a href="http://spyware.pcwash.com/kazaa-spyware-removal.html"&gt;Kazaa&lt;/a&gt;, an online service offering music and other digital content. 

Kazaa gives users a choice between a $30 version of its program and a free version labeled "ad supported." But few ordinary 

consumers would understand that ad-supported means they get separate software from Direct Revenue that will monitor them 

online and serve a steady stream of pop-ups, Edelman says. &lt;a href="http://spyware.pcwash.com/Remove-Kazaa.html"&gt;Kazaa&lt;/a&gt; declined to comment.
&lt;P&gt;
Direct Revenue has lost business and reduced its headcount to a couple dozen employees. The four founders still own 55 percent 

of the company, according to Spitzer's filing, and Abram is still seen around the office in his sharp suits. But he no longer 

serves as CEO. Sales gurus Stein and Nute have moved on to another Internet venture. Many major companies, such as Cingular 

and Yahoo, have severed connections with Direct Revenue. But the ads of others, including Vonage, continue to appear in 

Direct Revenue pop-ups. Insight and TICC remain investors.
&lt;P&gt;
Among Direct Revenue's alumni, pride over technical cunning mingles with regret for exasperating so many computer users. 

After waffling on the issue during a long interview, one former Dark Arts wizard sighs and sums up his version of the company 

credo with an elegiac observation by abolitionist Frederick Douglass: "Find out just what any people will quietly submit to 

and you have found out the exact measure of injustice and wrong which will be imposed upon them."
&lt;P&gt;</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Vishing?</title>
      <pubDate>Sat, 22 Jul 2006 06:33:35 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Vishing?&lt;/H4&gt;
According to USTelecom's Crossroads Express July 17, 2006 issue, a new 

telephony-based version of "phishing" dubbed "vishing" has evolved 

from traditional Web-based phishing scams. The new technique has been 

used by criminals to collect details from credit cards, including the 

three-digit CVV security code, expiration date and account number. 

"Vishing" scams usually begin when the criminal gets a cheap and 

easily available VoIP number and then configures an automated dialing 

system to call people. When the call is answered, an automated 

recording alerts the person that his or her credit card has been 

compromised and the consumer should call a phone number immediately 

to correct the problem. The phone number is often a toll-free number 

with a spoofed caller ID of a legitimate financial company.
&lt;P&gt; 
A computer-generated voice then instructs listeners to enter their 

16-digit credit card number, expiration dates and verification codes. 

Once this information is entered, the "visher" has the information 

necessary to place fraudulent charges on the consumer's card. Never 

call a telephone number provided in a phone call or an e-mail 

regarding possible security issues with a credit card or bank 

account. Only the phone number on the back of a credit card or bank 

statement is a valid number to discuss credit card account 

information.
&lt;P&gt;
</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Hacked Ad Seen on MySpace Served Spyware to a Million</title>
      <pubDate>Thu, 20 Jul 2006 12:00:44 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;Hacked Ad Seen on MySpace Served Spyware to a Million&lt;/H4&gt;
An online banner advertisement that ran on MySpace.com and other sites over the past week used a Windows security flaw to 

infect more than a million users with spyware when people merely browsed the sites with unpatched versions of Windows, 

according to data collected by iDefense, a Verisign company. 
&lt;P&gt;
Michael La Pilla, an iDefense "malcode" analyst, said he first spotted the attack Sunday while browsing MySpace on a 

Linux-based machine. When he browsed a page headed with an ad for DeckOutYourDeck.com, his browser asked him whether he 

wanted to open a file called exp.wmf. Microsoft released a patch in January to fix a serious security flaw in the way Windows 

renders WMF (Windows Metafile) images, and online criminal groups have been using the flaw to install adware, keystroke 

loggers and all manner of invasive software for the past seven months. 

&lt;P&gt;
(Image: The Deckoutyourdeck ad launching the WMF exploit.)
&lt;P&gt;
Internet Explorer users who visited a Web page containing this ad and whose 

IE was not equipped with the WMF patch would not get that warning. Rather, their machines would silently download a Trojan 

horse program that installs junk software in the &lt;a href="http://spyware.pcwash.com/ClickSpring.PuritySCAN.html"&gt;PurityScan/ClickSpring&lt;/a&gt; family of adware. This stuff bombards the user with 

pop-up ads and tracks their Web usage. Only a little more than half of the anti-virus programs used at anti-virus testing 

service AV-Test.org flagged the various programs that the Trojan tried to download as malicious or suspicious. 

&lt;P&gt;
(Image: Pop-up ads generated by &lt;a href="http://spyware.pcwash.com/Remove-ClickSpring.html"&gt;ClickSpring&lt;/a&gt; adware.)
&lt;P&gt;
Using software that captures and analyzes Web traffic, La Pilla found that the 

installation program contacted a Russian-language Web server in Turkey that tracks how many times the program was installed, 

presumably because most of this adware is installed by third parties who get paid for each installation. The data there 

indicate that the adware was installed on 1.07 million computers, La Pilla said, adding that all seven of the Internet 

addresses contacted by the downloader Trojan appear to be inactive at this time. 

&lt;P&gt;
(Image: The Turkish Web site that counts installations.)
&lt;P&gt;
La Pilla said he also spotted the ad trying to serve up adware on 

Webshots.com, a popular photo-sharing site. It's not clear when this particular campaign started, he said, but an anonymous 

user at the invaluable CastleCops security forum posted information about a similar attack spotted on MySpace on July 12. 

Users at this online gaming forum apparently spotted the same WMF exploit being served via the DeckOutYourDeck ad as early as 

July 8.
&lt;P&gt;
A WHOIS database search for Deckoutyourdeck.com listed a fax machine as a contact phone number, but also contained an e-mail 

contact at RedTurtleInvestments.com. A WHOIS search on that domain turned up an address at Springfusion.com, which appears to 

be a fairly new online-affiliate marketing company. Springfusion.com is registered to a guy in Seattle, who -- when I 

contacted him via e-mail -- replied that he was not connected with any of the sites I looked up.

&lt;P&gt;
(Image: Springfusion.com's home page.)
&lt;P&gt;
What is clear from this attack is that there are plenty of people who still haven't installed 

this security update from Microsoft. It's also fairly obvious that scammers and online criminals are targeting high-traffic 

Web sites. Alexa currently rates MySpace as the sixth most-visited site on the Web (Webshots.com earned a distant 137th 

most-visited ranking).
&lt;P&gt;
I left a message with Webshots and with MySpace's media hotline, and will update this post if I hear anything from either of 

them. 
&lt;P&gt;
Update, 2:50 p.m. ET: A Webshots vice president called back to say the company didn't have any information on the attack, but 

that it was investigating. Also, I changed the text above to reflect a clarification from La Pilla, who said while the 

counter page was written in Russian, the site itself is hosted in Turkey.&lt;P&gt;
</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>RFID Technology Vulnerable To Malware</title>
      <pubDate>Tue, 18 Jul 2006 18:16:43 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;RFID Technology Vulnerable To Malware&lt;/H4&gt;
By Doug Caverly
&lt;P&gt;
RFID tags may become commonplace in the future, but not a lot of people are looking forward to widespread implementation. 

There was already concern that these "smart barcodes" would allow consumers' habits to be more easily tracked, and that the 

technology could facilitate identity theft. It turns out that RFID tags can transmit computer viruses, as well. 
&lt;P&gt;
Melanie R. Rieback, Patrick N. D. Simpson, Bruno Crispo, and Andrew S. Tanenbaum have published a paper called "RFID Viruses 

and Worms." In it, they reveal some disturbing information. "Up until now, everyone working on RFID technology has tacitly 

assumed that the mere act of scanning an RFID tag cannot modify back-end software, and certainly not in a malicious way. 

Unfortunately, they are wrong. 
&lt;P&gt;
"In our research, we have discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be 

(intentionally) infected with a virus and this virus can infect the backend database used by the RFID software. From there it 

can be easily spread to other RFID tags." The paper goes over three possible scenarios in which this could be exploited in a 

harmful fashion. 
&lt;P&gt;
It also details how to create such worms and viruses. This isn't quite as bad as it sounds, the group explains. "When talking 

to people in charge of RFID systems, they often dismiss security concerns as academic, unrealistic, and unworthy of spending 

any money on countering, as these threats are merely 'theoretical.' By making code for RFID 'malware' publicly available, we 

hope to convince them that the problem is serious and had better be dealt with, and fast." 
&lt;P&gt;
Let's hope this full disclosure works to the public's advantage. 
&lt;P&gt;</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Majority Of Companies Infected With Malware</title>
      <pubDate>Wed, 12 Jul 2006 10:18:44 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;84% of companies have had a virus, worm or trojan horse infection through email? &lt;/H4&gt;
Osterman Research has just released a study of email security trends, and has this interesting statistic:
&lt;P&gt;
Eighty-four percent of organizations have had a virus, worm or Trojan horse successfully infiltrate their network through 

email, while 54% of organizations have had such a threat successfully enter their network through the Web. However, only 

about one in five organizations have been infected by a public instant messaging (IM) network worm or virus.
&lt;P&gt;
Through email?  To me, this highlights how dangerous it is to rely on only one vendor for your email antivirus.  
&lt;P&gt;
Use a multi-engine approach.  Our own email security product for Exchange, Ninja, uses multiple antivirus engines, so of 

course I’m biased here. 
&lt;P&gt;
But so do others — Microsoft Antigen and even GFI.  You can also use one AV product on the Exchange server, and another at 

the gateway.  But relying on one engine alone seems to me to be asking for trouble. 
&lt;P&gt;
Alex Eckelberry
&lt;P&gt;
</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Zango Adware Found On MySpace</title>
      <pubDate>Tue, 11 Jul 2006 11:14:31 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>&lt;H4&gt;&lt;a href="http://spyware.pcwash.com/180solutions.html"&gt;Zango&lt;/a&gt; Adware Found On MySpace&lt;/H4&gt;

By Gregg Keizer, TechWeb Technology News 
&lt;P&gt;
After a security researcher said Monday that MySpace users were spreading adware through the social networking service to 

ring up ad fees from Zango, the Bellevue, Wash. marketing company admitted one of its own developers had set up the MySpace 

profiles. 
Zango, however, said the developer was acting without approval and in ignorance of the company's "hands-off" policy regarding 

MySpace. 
&lt;P&gt;
Chris Boyd, the director of malware research for security vendor FaceTime, said he found a pair of MySpace profiles tagged 

"Zango," the new name for the controversial adware maker &lt;a href="http://spyware.pcwash.com/180solutions.html"&gt;180solutions&lt;/a&gt;. And each profile pushed adware. One of the profiles 

used video to entice MySpace visitors to download &lt;a href="http://spyware.pcwash.com"&gt;Zango Assistant&lt;/a&gt; and &lt;a href="http://spyware.pcwash.com"&gt;Zango Search Toolbar&lt;/a&gt;, which users had to accept if they 

wanted to view the clips. 
&lt;P&gt;
"Just who is pimping these things?" Boyd asked, then pointed out Myspace Graphics Help, a site that included copy-and-paste 

code to add Zango-distributed videos; the code, says the Myspace Graphics site, can be added to MySpace profiles or comments. 

Anyone who clicks on a MySpace-placed video created by such code, of course, must download Zango's adware to watch the clip. 
&lt;P&gt;
The profiles were a mistake, countered a Zango spokesman Monday. According to Zango's Steve Stratz, the two spotted by Boyd 

were created by a company developer based in its Montreal office. (In April 2005, Zango, formerly &lt;a href="http://spyware.pcwash.com/Remove-180solutions.html"&gt;180Solutions&lt;/a&gt;, acquired 

Montreal-based CDT, at that time one of its largest adware-distributing partners.) 
&lt;P&gt;
"Those two test accounts were actually created by one of our developers who was exploring possible opportunities, but he 

didn't realize it was Zango business practice not to target MySpace," said Stratz. "He should not have been doing this, and 

we want to tell MySpace that we didn't mean to target them." The developer, said Stratz, would soon be deleting the profiles. 
&lt;P&gt;
Boyd took &lt;a href="http://spyware.pcwash.com/remove-search-assistant.html"&gt;Zango&lt;/a&gt; to task nonetheless. 
&lt;P&gt;
"This is a relatively new viral approach," said Boyd. "We've seen spam and porn bots on MySpace before, but not adware from a 

quote-legitimate-unquote adware company," he said. 
&lt;P&gt;
Boyd's contention was that unscrupulous &lt;a href="http://spyware.pcwash.com/Remove-180solutions.html"&gt;Zango&lt;/a&gt; partners are getting MySpace users -- many of whom are teenagers -- to do their 

dirty work by spreading the necessary ad-tracking and ad-displaying software. 
&lt;P&gt;
"Pasting the code for the [video] into the MySpace profile and having it autoplay when you visit the page is enough to have 

the [Zango] license prompt appear," said Boyd. "Easy as pie." 
&lt;P&gt;
But although a &lt;a href="http://spyware.pcwash.com"&gt;Zango&lt;/a&gt; EULA (end-users license agreement) pops up on coded MySpace profiles, it's too easy for users to assume 

the dialog's from MySpace, not an adware vendor, argued Boyd. He found more than two dozen sites similar to Myspace Graphics 

and "I didn't see one actually mention the fact that in return for these [video clips], you'd be pimping Zango." 
&lt;P&gt;
Zango, however, countered that its license agreement "could not be any clearer" and that it would be obvious to anyone that 

the download was not originating with MySpace. 
&lt;P&gt;
Zango, which until early June was called &lt;a href="http://spyware.pcwash.com/180search-Assistant.html"&gt;180solutions&lt;/a&gt;, has spent months cleaning up its distribution network -- in the past 

it blamed "rogue" distributors for installing its software without users' permission -- and to be a better Internet citizen. 
&lt;P&gt;
Then Zango's vice president of business development, York Baur, said that "we've fixed [those] problems to the extent they 

can be fixed. This [business] model works, and we're very proud of the model we've built." 
&lt;P&gt;
Stan Monlux, senior director of business development, weighed in Monday on the MySpace issue by denying that the network's 

accounts were allowed to register as partners -- and thus receive payments -- and arguing that it wasn't up to Zango to 

police the sharing of its content.
&lt;P&gt;
"We get applications from MySpace account holders all the time," said Monlux, "but MySpace has a policy of not allowing any 

third-party advertising. Partners need to own a top-level domain, as well, and obviously MySpace profiles don't meet that 

requirement. Those two rules basically say that we're not going to be contracting with anyone on MySpace." 
But, Monlux went on, Zango's "invested significant financial resources creating content for people to share. We certainly 

don't discourage sharing it." 
&lt;P&gt;
In other words, if someone on MySpace decides to insert video clips or games (which &lt;a href="http://spyware.pcwash.com/Remove-180Search-Assistant.html"&gt;Zango&lt;/a&gt; also produces) on his or her 

profile, that's okay with Zango. 
&lt;P&gt;
"A partner can't place &lt;a href="http://spyware.pcwash.com/remove-search-assistant-tool-bar.html"&gt;Zango&lt;/a&gt; content on a MySpace site," said Monlux, "but if someone goes to a partner's site, takes Zango 

content, and puts it on his MySpace profile, that's not a violation of our terms of agreement." 
&lt;P&gt;
In instances like that, Monlux said, the partner would be compensated for any downloads made of Zango adware from the MySpace 

sites. And the Myspace Graphics Help site named by Boyd is a &lt;a href="http://spyware.pcwash.com/remove-search-assistant-toolbar.html"&gt;Zango&lt;/a&gt; partner, Monlux acknowledged. 
&lt;P&gt;
MySpace, however, bans advertising on members' profiles, and specifies that "prohibited activity includes but is not limited 

to accepting payment or anything of value from a third person in exchange for your performing any commercial activity on or 

through the MySpace Services on behalf of that person." 
&lt;P&gt;
MySpace was not immediately available for comment on whether adware downloads violate its terms of service. 
&lt;P&gt;
Zango denied it was targeting MySpace as a distribution resource. "Are we targeting MySpace?" asked Stratz. "No. Does our 

content show up on MySpace? Yes." 
&lt;P&gt;
"Why go to all the trouble of pimping your own vids when you can have random teenagers on MySpace do it for you?" Boyd 

responded. "Talk about an all time low." 
&lt;P&gt;
The two sides -- adware provider and security researcher -- couldn't be farther apart, and Zango's Stratz made it sound as if 

that would always be the case. 
&lt;P&gt;
"We know where Boyd and others like him stand, and they know where we stand," Stratz said. 
&lt;P&gt;
</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
    <item>
      <title>Adware Worth Billions</title>
      <pubDate>Mon, 10 Jul 2006 10:45:37 -0400</pubDate>
      <link>http://feedproxy.google.com/~r/Spyware-News/~3/LXkAzZsco_w/Spyware-News</link>
      <author>antispyware@pcwash.com</author>
      <comments>http://spyware.pcwash.com</comments>
      <category>Software and Computer Security</category>
      <description>
&lt;H4&gt;Adware scumbags rake in $2 billion a year&lt;/H4&gt;

Business Week has a big piece about how spyware developers net huge 

profits, which focuses on Direct Revenue, a company that has 

"generated sales of about $100 million since its start in 2002".
&lt;P&gt;
Direct Revenue's direct customers have included such giants as Delta 

Air Lines and Cingular Wireless. It has sold millions of dollars of 

advertising passed along by Yahoo. And Direct Revenue has received 

venture capital from the likes of Insight Venture Partners, a 

respected New York investment firm.
&lt;P&gt;
The travel-booking sites Travelocity and Priceline.com have both been 

direct customers of Direct Revenue. People who picked up Direct 

Revenue spyware and then perused flights on Travelocity might find 

their screens obstructed by a pop-up for Priceline, or vice-versa. 

The travel sites say they stopped doing business with the company 

earlier this year.
&lt;P&gt;
One of the more interesting parts of the story covers the wars 

between adware vendors who try to destroy each other's programs. 

Direct Revenue had a team called Dark Arts:
&lt;P&gt;
Dark Arts crafted software "torpedoes" that blasted rival spyware off computers' hard drives. Competitors aimed similar weapons back at Direct Revenue's software, but few could match the wizardry of Dark Arts. One adversary, Avenue Media, filed suit in federal court in Seattle in 2004, alleging that in a matter of days, Direct Revenue torpedoes had cut in half the number of people using one of Avenue Media's programs. The suit settled without money changing hands, according to an attorney for Avenue Media, which is based in Curaçao. "This is ad warfare," explains former Direct Revenue product manager Reza Khan. "Only the toughest and stickiest codes survive."
&lt;P&gt;
On a nice note, some of Direct Revenue's investors and staff were also hit by its Aurora program:
&lt;P&gt;
Even Aurora's creators fell victim as the program froze computers at Direct Revenue. One sales staffer, Judit Major, documented receiving more than 30 pop-up ads in one day, according to e-mails. Her computer crashed four times. "We are serving WAY TOO MANY pops per hour," wrote Chief Technology Officer Daniel Doman in a June e-mail to the company's brass. "If we overdo it, we will really drive users to get us the hell [off] their machine. We need to BACK OFF or we will kill our base."
&lt;P&gt;
Comment: Direct Revenue is being sued in New York, and "the suit asserts that the company violated New York civil laws against false advertising, computer tampering, and trespassing." But you have to wonder why the world's governments, trade and trading standards authorities have responded so feebly, if at all, to the spyware and malware industries.
&lt;P&gt;
My recommended action is to write, email or even phone a complaint to every company whose unwanted advertising is served by any malware on your PC. Tell them you object and that you will boycott their businesses, and will tell all your friends to do the same. Customer services and advertising departments and chief executives are good targets. Direct Revenue apparently infected about 100 million PCs. You can bet that 100 million personal complaints to Vonage, Delta, Travelocity etc would get their attention.
&lt;P&gt;
Tags:
&lt;a href="http://www.technorati.com/tags/direct_revenue" rel="tag"&gt;direct revenue&lt;/a&gt; |&lt;a href="http://www.technorati.com/tags/spyware" rel="tag"&gt;spyware&lt;/a&gt; |&lt;a href="http://www.technorati.com/tags/adware" rel="tag"&gt;adware&lt;/a&gt;</description>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nd/2.0/</creativeCommons:license><feedburner:origLink>http://feeds.feedburner.com/Spyware-News</feedburner:origLink></item>
  <item><title>Links for 2006-06-09 [del.icio.us]</title><link>http://feedproxy.google.com/~r/Spyware-News/~3/-whHgB5quME/nufoye</link><pubDate>Sat, 10 Jun 2006 00:00:00 PDT</pubDate><guid isPermaLink="false">http://del.icio.us/nufoye#2006-06-09</guid><description>&lt;ul&gt;
&lt;li&gt;&lt;a href="http://www.spyware.pcwash.com/Backdoor-AFN.html"&gt;Backdoor-AFN&lt;/a&gt;&lt;br/&gt;
Get rid of and completely remove worms like Backdoor-AFN from your system.&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.spyware.pcwash.com/Remove-Search123.html"&gt;Remove Search123&lt;/a&gt;&lt;br/&gt;
Search123 is a BHO or browser helper object that you may want to remove.&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.spyware.pcwash.com/stop-spy-software.html"&gt;stop spy software&lt;/a&gt;&lt;br/&gt;
Stop all sorts of spy software with Spyware Nuker.&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.spyware.pcwash.com/Remove-TrojanDownloader.Win32.Qoologic.html"&gt;Remove TrojanDownloader.Win32.Qoologic&lt;/a&gt;&lt;br/&gt;
Will I be able to rid myself of TrojanDownloader.Win32.Qoologic?&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.spyware.pcwash.com/viewpoint-media.html"&gt;viewpoint media&lt;/a&gt;&lt;br/&gt;
Viewpoint media and its associated player and toolbar can be safely removed by using Spyware Nuker.&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.spyware.pcwash.com/Blakharaz.html"&gt;Blakharaz&lt;/a&gt;&lt;br/&gt;
Eliminate and get rid of all sorts of spying agents including Blakharaz.&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.spyware.pcwash.com/Remove-TrojanDownloader.Win32.Vivia.e.html"&gt;Remove TrojanDownloader.Win32.Vivia.e&lt;/a&gt;&lt;br/&gt;
Can you show me what program to use to uninstall TrojanDownloader.Win32.Vivia.e?&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.spyware.pcwash.com/free-spyware-protection-download.html"&gt;free spyware protection download&lt;/a&gt;&lt;br/&gt;
Use the link on this page for your very own free spyware protection download.&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.spyware.pcwash.com/AllHyperlinks.html"&gt;AllHyperlinks&lt;/a&gt;&lt;br/&gt;
Discover how to get rid of adware toolbars like AllHyperlinks.&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.spyware.pcwash.com/BackFire.html"&gt;BackFire&lt;/a&gt;&lt;br/&gt;
Securely remove spyware like BackFire from your PC with Spyware Nuker.&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.spyware.pcwash.com/adware-portalscan.html"&gt;Adware Portalscan&lt;/a&gt;&lt;br/&gt;
Yet another slimy piece of adware that can find its way into your system.&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.spyware.pcwash.com/dialer-trojan.html"&gt;Dialer Trojan&lt;/a&gt;&lt;br/&gt;
Dialers, spy programs and browser hijacker removal is secure with Spyware Nuker.&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.spyware.pcwash.com/Remove-VX2.VoiceIP.html"&gt;Remove VX2.VoiceIP&lt;/a&gt;&lt;br/&gt;
Having adware like VX2.VoiceIP usually means you&amp;#039;re drowning in pop-ups.&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.spyware.pcwash.com/malware-adware-spyware.html"&gt;Malware Adware Spyware&lt;/a&gt;&lt;br/&gt;
Scumware - parasites, keyloggers and malicious programs are all removed by Spyware Nuker.&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.spyware.pcwash.com/EasyInstall.html"&gt;EasyInstall&lt;/a&gt;&lt;br/&gt;
EasyInstall is an adware and malware type program that can be deleted with the help of Spyware Nuker.&lt;/li&gt;
&lt;/ul&gt;</description><feedburner:origLink>http://del.icio.us/nufoye#2006-06-09</feedburner:origLink></item></channel>
</rss>
