Select Page

We’d like to bring readers up to date about the illegal force-install of 180solutions’ Zango Search Suite software that Ben Edelman documented on Monday.

As we noted late Monday, 180solutions issued a press release in which the company claimed to have identified and shut down the perpetrator of the force-install documented by Edelman. 180solutions also claimed to have “re-messaged” all the victims of that particular force-install.

From 180solutions’ press release:

“Despite an unprecedented effort by some industry critics to keep secret the critical information that would have led to a quicker shutdown of the fraudulent behavior, the company, through its own policing mechanisms, was able to track down the nefarious actor responsible and shut him down. This rogue publisher will not receive any payment for these installs and as stated in the Code of Conduct, will be subject to further financial penalties and legal action … While a non-trivial software hack was used in this instance to subvert the consent process, the S3 functionality enabled the company to go back and re-message every user who received its software from “Sniper84” and provide them a one-click uninstall.”

As it turns out, the claims made in this press release were innacurate.  When 180 issued the press release, 180 had not yet shut down the perpetrator of the illegal force-installs documented by Edelman, and 180 had not yet re-messaged the victims. 180solutions had managed to shut down someone going by the online name of “Sniper84” for violations of the ZangoCash affiliate agreement, but Sniper84 was not the party responsible for the bad installs documented by Edelman. 

They have issued a blog posting, entitled “Mea culpa”:

On Monday, we announced we had shut down a hacker responsible for forcibly installing our software. Those forcible installs were done without our authorization and were contrary to our policies. At the time, we believed this was the same individual Ben Edelman had (cryptically) described, but purposefully not fully identified, in a post to his website earlier that same day. 

As it turns out, we didn’t get Mr. Edelman’s guy on Monday. The guy we got on Monday, Sniper84, was also installing our software in the same unauthorized manner. The hacker Mr. Edelman discovered, csk2000, was shut down early Tuesday afternoon after we were finally able to identify him in the course of our ongoing investigative efforts. (Security researchers at Sunbelt Software have since confirmed that we found the “correct” culprit on Tuesday.)

So only later -– sometime on Tuesday or early Wednesday did 180 finally manage to shut down the true perpetrator of the exploit-driven installs Edelman found.

How do we know this?

Well apart from 180’s blog posting, it had struck us as odd that 180 would have managed to identify and shut down the party responsible for the installs discovered by Edelman so soon. 180’s press release came within hours of Edelman’s own report, and Edelman had purposefully not identified the web site at which the exploits were being performed. Moreover, Sunbelt’s own investigation had turned up nothing to point to any person going by “Sniper84.”  How could 180 figure out this puzzle so quickly?  If 180 could figure this out substantially on its own, why had 180 needed Edelman’s initial report in order to take action here.

Also puzzling was the fact that our infested machines had not been “re-messaged” with a “re-opt-in” box and “one-click uninstall,” as 180 claimed had been done for victims of the rogue installs.  We browsed on multiple test machines, but we never got this prompt, and neither did Edelman.

A Sunbelt researcher re-staged the exploit on Tuesday morning, confirming that the perpetrator’s 180 installation files still worked as usual.  This fact is revealing, because 180’s installation system lets 180 halt installation by distributors who have been ejected from 180’s distributions program. If 180 had actually managed to shut down the perpetrator of the installs documented by Edelman, as 180 claimed Monday, the Zango installer used in those exploits would not have worked on Tuesday. But it did.

On Wednesday we continued to monitor our test machines. Late afternoon on Wednesday one of Sunbelt’s researchers again re-staged the exploit with the Zango installer used by the perpetrator. This time, the installation of Zango software was stopped in its tracks, telling us that 180 had finally managed to shut down the right perpetrator.

We asked Ben Edelman how 180 could so quickly have identified the perpetrator of the force-installs he documented, especially since Edelman had not disclosed the web site where he found those installs. Edelman pointed to his video which, though scrubbed clean of any info identifying the site, did contain one key bit of data: the extraordinary speed with which the S3 consent box had been dismissed by the exploit software. That bit of data could be used, Edelman noted, to single out these nonconsensual installs in 180’s logs and database: Just look for programs installed less than one second after users were (purportedly) asked for permission. Comments made by 180 spokesperson Sean Sundwall to eWeek seem to confirm Edelman’s suspicion:

180 would have spotted the illegal installs earlier, but lacks an integrated system for monitoring telltale signs of rogue behavior, like an unusually high rate of user acceptance of the 180 software (the rate is typically between 5 and 10 percent), or an unusually rapid consent to the license agreement, Sundwall said.

So, although 180 did eventually identify the perpetrator responsible for the illegal force-installs documented by Edelman, they had not shut down that rogue distributor by Monday, as they incorrectly claimed in their press release.  Instead, 180 wouldn’t actually shut down this installer until sometime Tuesday or Wednesday (the time between our two re-tests of the Zango installer used in the exploit-installs).

Needless to say, this episode points out that the much-ballyhooed S3 technology is not sufficient to block “rogue” distributors. 180’s S3 technology failed to guarantee that users would always have to consent to the installation of 180’s software (as 180 claimed it would) and 180 failed to shut down the perpetrator responsible for the rogue installs exposed by Edelman before it rushed out its press release on Monday.

We are satisfied that the perpetrator of these rogue installs has been shut down.  But 180’s S3 technology has turned out to be far less robust and effective in combating rogue distributors than 180 would have internet users believe.  

 

Eric Howes
Director of Malware Research
Sunbelt Sofware