Select Page

Ben Edelman has a new piece up in which he documents an illegal force-install of 180solutions’ Zango Search Suite (Zango Search Assistant, Zango Toolbar, Media Gateway) on his test machine. While force-installs of 180’s software are certainly nothing new, this particular installation does present something of note: it seems the bad guys have figured out how to bypass 180’s new S3 (“Safe & Secure Search”) notice prompt, which is supposed to notify users of 180’s software and gain users’ consent to the installation of that software.

The S3 notice prompt was just one component of the larger “S3 technology” that 180solutions announced to the world back in September and October of last year. According to 180 (which was the target of a recent complaint by the CDT to the Federal Trade Commission) – S3 promised to help “prevent the suppression or manipulation of the user consent experience by rogue distributors who use botnets, Windows security holes and other illicit means to fraudulently install the company’s software onto computers without user consent.” All 180 affiliate distributors were forced to adopt S3-enabled installers by the end of 2005.

The bad guys, however, have already figured out how to circumvent this new notice prompt in order to install 180’s software without users’ consent, and Edelman’s piece points out just how trivially simple it was to do so. That the S3 notice prompt was rendered worthless so quickly should come as no surprise to anyone who has read Brian Krebs’ recent eye-opening piece on botnet masters who install 180’s software for profit — the “pay-per-install” money that 180 offers affiliate distributors is tempting enough to attract even outright criminal elements with little regard for the prohibitions and stipulations of affiliate contracts.

Although Edelman has refused to publicly divulge the source of the force-install he discovered (even his video is heavily edited), Sunbelt has tested the same installation and can confirm that the install operates in just the way that Edelman describes. This installation kicks off with a combined CHM and WMF exploit when users land on a certain web page, either by visiting the page directly or by being redirected to it through an exit prompt at another web site (as in Edelman’s case). The installation process automatically dismisses notice prompts for both Zango and YSBWeb (IST) without any user intervention or consensual action whatsoever. By the time this install winds down, users’ PCs have been buried under a bone-crushing load of adware, including:

Zango Search Suite
WhenU Save
YourSiteBar (IST)
TargetSaver
New.net
Webhancer
Regifast
Tagasaurus
Internet Optimizer
Surf Sidekick
Elitemediagroup
Command
QuickLinks
VaultSearch
Freeprod
Mirar Toolbar
Zenotechnico
ConsumerAlertSystem
WinFixer

It’s worth noting that this is not the first instance in which a much ballyhooed notice prompt that was incorporated into 180’s software to thwart rogue affiliate distributors has been circumvented. Almost one year ago Sunbelt documented the fact the 180solutions was itself bypassing its own “CBC Force Prompt” (a predecessor of the S3 notice prompt) in certain circumstances, rendering that allegedly improved form of notice and consent effectively worthless.

Note: although Sunbelt has reproduced the exploit install documented by Edelman, Sunbelt intends to honor Edelman’s refusal to identify the source of that install to the public, 180solutions, or any other adware vendor/distributor. Sunbelt will provide (and indeed already has provided) details of the install (including a video) to law enforcement and regulatory authorities as well as to recognized members of the press. For Edelman’s justification of his refusal to divulge the source to 180solutions, see here. Government officials and journalists interested in learning more about this installation should contact Sunbelt’s Director of Malware Research:

Eric L. Howes
ehowes (at) suneblt-software.com
727-562-0101 ext. 320


Fatal error: Uncaught wfWAFStorageFileException: Unable to save temporary file for atomic writing. in /home/eckelberry1966/public_html/sunbeltblog/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php:34 Stack trace: #0 /home/eckelberry1966/public_html/sunbeltblog/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php(658): wfWAFStorageFile::atomicFilePutContents('/home/eckelberr...', '<?php exit('Acc...') #1 [internal function]: wfWAFStorageFile->saveConfig('livewaf') #2 {main} thrown in /home/eckelberry1966/public_html/sunbeltblog/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php on line 34