[ISN] Adware Firm Accuses 7 Distributors of Using 'Botnets'

InfoSec News isn at c4i.org
Thu Aug 18 03:08:21 EDT 2005


By Brian Krebs
washingtonpost.com Staff Writer
August 16, 2005

A major online advertising company that has been accused by security
experts of fueling the spyware problem says it is taking legal action
against seven people in six countries who, it claims, used viruses to
spread ad software to thousands of computers without their owners'

In a lawsuit filed yesterday in a federal court in Washington state,
Bellevue-based 180Solutions names seven of its affiliates --
individuals whom it paid to distribute the company's software, which
causes advertisements to "pop up" depending on which Web sites the
users visit -- and accuses them of installing it on thousands of
Microsoft Windows PCs that they had infected with computer viruses.  
The company seeks unspecified damages and a halt to their distribution
of its software.

The legal action is the latest effort by 180Solutions to clean up its
image following years of criticism for failing to more closely monitor
its distributors and crack down on those who profit from installing
its software illegally. Since January, the company says, it has
severed ties with more than 500 distributors who were found to have
installed its "adware" without the recipient's knowledge or consent.

180Solutions claims the affiliates used "botnets" -- large groupings
of hacked, remote-controlled computers or "bots" -- to distribute and
install their software. A single botnet can consist of thousands of
computers, most sitting on desktops of innocent users who have no idea
that a virus infection is allowing a hacker to use their PCs for
illegal purposes.

Online criminals have long used such networks to steal sensitive
information from their victims, distribute junk e-mail and wage
debilitating "denial of service" attacks that inundate Web sites with
so much bogus traffic that they can no longer accommodate legitimate

A Business Opportunity

Increasingly, however, botnets are being used to install spyware and
adware. McAfee Inc., a computer security company based in Santa Clara,
Calif., said it witnessed a 12 percent increase in the number of
adware programs installed on computers in the second quarter of 2005,
an increase it said was driven heavily by the proliferation of bot
programs configured to install the adware.

The legitimate distribution method for 180Solutions contractors is to
embed computer code into their Web sites that asks each visitor for
consent to install, in exchange for access to content on the site.  
Each time a visitor agrees, the Web site owner earns a small
commission, usually between 5 and 20 cents. 180Solutions requires its
partner Web sites to prompt visitors for approval, but security
experts have documented hundreds of sites that use security holes in
the visitor's browser to quietly install the adware without

Armed with a botnet of several thousand computers, distributors can
make big money, and fast. LoudCash.com, a Quebec-based distribution
firm bought by 180Solutions earlier this year, promises affiliates
"big league payouts" and claims to offer the best per-installation
rates in the industry, currently 25 cents.

LoudCash's site features a "revenue calculator" which prospective
affiliates can use to estimate their monthly earnings. If an enterprising
hacker controls a network of just 5,000 PCs -- and at least half of
the target computers are located in the United States -- that bot
master could make as much as $744 a day, or $22,346.25 a month,
according to the company's calculator.

That sort of easy money is a strong draw for hackers who already
control botnets and are willing to use them as platforms for spyware
and adware, said Sam Norris, president of San Marcos, Calif.-based
Changeip.com, a company that helps Web sites remain reachable at the
same domain name no matter how frequently their numerical Internet
address changes. These "dynamic DNS services" allow botnet operators
to periodically change the location of the Web servers used to control
their networks, thus making them much harder to detect or shut down.

Norris said that each week he terminates several new Changeip.com
accounts that appear to be connected with botnet and spyware activity.  
In the spring, Norris began tracking one customer who was using
Changeip.com's services to control a botnet of 40,000 computers.  
Norris obtained a copy of the virus the customer used to infect
machines and install the 180Solutions software; the programming code
also contained an affiliate ID number issued by LoudCash.

Norris alerted 180Solutions to the activity, and the advertising
company said it later traced that affiliate ID to one of the
defendants. The bot program directed computers to download and install
14 different adware products, more than half of which were produced by
180Solutions, Norris said. The virus also included at least 30 other
features, including the ability to capture all of the victim's Web
traffic and keyboard keystrokes -- with a particular interest in
Paypal user names and passwords. Other programs installed by the bot
allow the attackers to peek through the user's Webcam, or steal PC
game registration keys.

The lawsuit alleges that the defendants -- Eric de Vogt of Breda, the
Netherlands; Jesse Donohue of South Melbourne, Australia; Khalil Halel
of Beirut; Imran Patel of Leicester, England; Zarox Souchi of Toronto;  
Youri van den Berg of Deventer, the Netherlands; and Anton Zagar of
Trbovlje, Slovenia -- used botnets to install 180Solutions' software.  
The company has notified the FBI about its findings, but an FBI
spokesman declined to say whether the agency was investigating the

Five of the defendants were contacted by washingtonpost.com but have
not responded to requests for comment.

180Solutions attorney Kevin Osborn said the company does not know
exactly how many illegal installations the seven former affiliates
were responsible for, but estimates that in all they were paid at
least $60,000 during the weeks and months that they worked for the

Dealing With the 'Rogues'

David DeLanoy, manager of partner development at 180Solutions, said
the company's software is installed on about 20 million computers
worldwide, but that so-called "rogue installs" account for just five
percent of that user base. 180Solutions made more than $50 million in
revenue last year through its software, which serves online
advertisements for some of the nation's largest companies, including
Cingular, Expedia.com, JP Morgan Chase, Monster.com and T-Mobile

But 180Solutions' estimates don't sit well with Ben Edelman, a PhD
candidate at Harvard University who has documented the most egregious
practices in the adware industry. (Edelman was hired in 2003 as an
expert witness by The Washington Post Co. and other news outlets in
their lawsuit against the Gator Corp. -- now Claria Corp. -- one of
180Solutions' biggest competitors. The media companies accused Gator
of serving pop-up ads over the Web publishers' pages without their
permission. Gator later settled the suit.)

"I'd estimate that more than half of [180Solutions'] 'users' have no
idea they even have the software, let alone ever consented to
installing it in the first place," Edelman said. "The company says in
one breath that rogue installs account for just 5 percent of their
user base, but they also say they have no real way of knowing which
installs are legit, so I'm not sure how they could really draw that

Edelman said that if the company does know which installations were
fraudulent, it should already have devised a way to remove them.

"There is no reason for them to have waited this long, except to
receive the revenue that those installs bring in," Edelman said.

Eric Howes, a spyware researcher at the University of Illinois at
Urbana-Champaign, said 180Solutions is not only a major cause of the
spyware and adware problem, but that it also is in a position to
significantly clean up the problem.

Howes pointed to the turnaround in the past year of WhenU, once
reviled for its aggressive adware installation tactics. Last year, for
example, the company announced it would no longer allow partners to
install its software through Microsoft ActiveX, a component of the
Internet Explorer Web browser that adware company affiliates have long
used to conduct illegal "drive-by" installations.

"WhenU pretty much put an end to the problem of sleazy installs of its
software, so we know it can be done," Howes said. "180's enforcement
division has really got to get up to speed, because I've seen no
evidence they have a robust enforcement division, other than when they
occasionally track down leads that people in the anti-spyware
community hand to them."

DeLanoy said the company is putting new technologies in place that
will allow it to better track how its software is installed and by
whom, and ensure that users agree first. In the meantime, 180Solutions
is using its ad-serving network to display pop-up notices warning
customers that its software may have been installed on their computers
without their consent and providing instructions on how to uninstall

Later this year, the company also will begin uninstalling its software
from computers on which it has reason to believe that the software was
installed in violation of the company's terms, DeLanoy said.

Changeip.com's Norris commended 180Solutions for its actions, but said
the company and other adware vendors need to be far more aggressive in
policing their affiliates.

"Right now there are a lot of people distributing their software like
this and getting away scot-free, and every day we're seeing more and
more people getting into this," Norris said.

Viruses and spyware have created a huge market for security software
and services. At-home computer users invested more than $2.6 billion
in software to protect their computers during the past two years,
according to a study released this month by Consumer Reports. Even
with those protections in place, however, consumers spent more than $9
billion on computer repairs and parts due to damage inflicted by
viruses and spyware.

© 2005 Washingtonpost.Newsweek Interactive
