The new Google?

You can see the possible future of Google through a little string of code.

[Image: screenshot of the new Google interface]

There are these little green bars on the side, which ostensibly show the amount of content available on the various sections of Google.

Google US users can see this by going to Google, then entering the text on this page into your browser address bar.

After entering the text, refresh the page and go searching.

(If you’re in the UK, you would replace google.com with google.co.uk, and if you’re in Australia, google.co.au, other countries the same thing).

Via LifeHacker, but Digg is where I got this code.  Other reference sites: imilly.com and Google Blogoscoped.

Good luck.

Alex Eckelberry

 

Money money money

Back in February of last year, I blogged about “Why Adware works”.  The answer was simple:  It’s very profitable.  I detailed how much money Claria had made, based on information from their S-1 (the initial filing made with the SEC to go public). 

It’s not only Claria.  180Solutions is quite profitable, and has some flashy offices to show for it:

 I notice that each of the company’s departments is fitted with large, wall-mounted plasma screen televisions that display graphs charting 180’s daily and weekly sales and revenue numbers. The display nearest the marketing department showed that 180 pulled in more than $1 million in the past week alone serving ads to people who have its adware installed on their computers. Today’s estimated revenue is slightly more than $100,000; the graph showing how much the company has actually earned so far today reads $2,966, but then again it is just after 10 a.m.

Link here.

The profit extends throughout the entire distribution chain.  A fellow can set up a crappy little website with some stupid videos, and require that in order to watch the videos, you have to download a piece of adware. For each adware install, he gets $.25 from the adware company.  It’s small, but consider some guy with 5 websites that each have 1,000 downloads a day.  That’s $1,250 a day in almost pure profit. The adware company then sells advertising inventory (inventory that happens to be on the desktops of millions of PCs) for big bucks. 

Now, we see Direct Revenue was awash in cash, at least in the one year we examine.  In 2004, the company made almost $30 million in pre-tax profit on $38 million in revenue.

[Image: Direct Revenue pre-tax profit figures]

Link here.

Of course, this was back in the heyday of DR’s madness, and the numbers are certainly lower now.

The owners can also do well.  While salaries are just great, sometimes VCs will enter the picture, purchasing stock from the owners (this is usually done as an investment into the company and then the owners get the money distributed to them).  We know of three major adware players that have done distributions in this manner. (By the way, the VCs investing in these firms are not small time players, as we can see here, a list which has not been updated with the ABS Capital investment in WhenU and the follow-on investment by Trident.)

To wit, our Dear Friends Alan Murray, Daniel Kaufman, Joshua Abram and Rodney Hook got a total of $12 million distributed to them from an investment by Insight Venture Partners back in 2004:

[Image: distribution to Direct Revenue’s owners]

Link here.

It’s all about the money, idn’t it?

Alex Eckelberry
(With thanks to Ben Edelman)

Those bad codecs are doing just fine, thank you

(If you’ve come here from the PC Magazine story, you can find more of our posts on fake Codecs here.)

Emcodec, of the same ilk as Vcodec, is one of these fake “codecs” that doesn’t do any good for you. (Google search here).

It’s used as a way to get spyware on your machine.

Update: I had graphics on here but had to remove them as they were live linked to another site and not getting updated.

Not surprisingly, V-Codec.com is hosted on Intercage, a notoriously spyware friendly ISP.

Beware of these fake codecs. They are bad news.

Alex Eckelberry
(Thanks to Sunbelt spyware researcher Adam Thomas and a hat tip to WinHelp2002 at SpywareWarrior.com)

Two free tools for the spyware fighter

Many of my faithful blog readers already know about this, but I thought I’d bring it up just in case.

There are two tools that Eric Howes, Sunbelt’s Director of Malware Research, has developed for the good of the community.

IE-SPYAD adds a long list of bad domains to the Restricted sites zone.  

Enough is Enough (EiE) securely configures the Internet zone. It is a pretty significant “lock-down” of IE and will give a system a much more secure configuration than the default options in IE, but many won’t be able to handle the hassle of adding frequently visited sites to the Trusted sites zone. In such cases, IE-SPYAD is a good alternative — less intrusive, yet still protective against known nasty sites.

Alex Eckelberry

NSA drinking from the AT&T firehose?

Pretty interesting today from the EFF:

“The evidence that we are filing supports our claim that AT&T is diverting Internet traffic into the hands of the NSA wholesale, in violation of federal wiretapping laws and the Fourth Amendment,” said EFF Staff Attorney Kevin Bankston. “More than just threatening individuals’ privacy, AT&T’s apparent choice to give the government secret, direct access to millions of ordinary Americans’ Internet communications is a threat to the Constitution itself. We are asking the Court to put a stop to it now.”

Link here.

Alex Eckelberry
(Thanks Jarrett)

Direct Revenue rebuts Spitzer

Amazing but true. DR is bombastically and self-righteously rebutting the NY AG’s lawsuit. It would be almost funny if it weren’t so sad.

“This lawsuit is a baseless attempt by the Office of the Attorney General to rewrite the rules of the adware business. It focuses exclusively on the company’s past practices – practices we and other industry leaders changed long ago [how long is “long ago”? The AG’s investigation has evidence from as late as June of last year of pernicious practices – ed] – and says not a word about what we’re doing today,” said a company spokesperson. “We are proud of our products and the value they bring to both advertisers and consumers — the former by delivering positive, measurable results for their ad dollars, and the latter by offering free content and applications in exchange for viewing a few targeted advertisements per day.

“Mislabeling our products as ‘spyware’ does a disservice not only to our company, but also to the public by creating an atmosphere of hysteria, confusion and inaccuracy.” Direct Revenue’s software adheres to the following fundamental principles:

  • Consumer Consent: we obtain explicit and affirmative consent from the computer user prior to installation, and we tell the user–in plain English–that the software they are about to download is advertising-supported.
  • Easy Removal: we make it easy to remove our software, both by supplying a link directly from every advertisement to a consumer opt-out process, and by being listed in Add/Remove Programs.
  • No Personally Identifiable Information: We collect no Personally Identifiable Information (PII) about our users.
  • Control of Distribution: We do not use third-party affiliates to distribute our software.

    “Moreover, Direct Revenue is a member of the Network Advertising Initiative, has pledged to adhere to TRUSTe’s proposed adware guidelines, and already adheres to HR 2929, even though it has not been enacted. This suit complains solely about past practices – practices, in fact, that were consistent with those of virtually all of the leading players in the rapidly evolving adware industry, including some publicly-traded companies much larger than Direct Revenue. The OAG knows that none of the challenged practices have been in use for at least six months and that this case will change nothing about our business model going forward.”

    Direct Revenue is represented by Andrew G. Celli, Jr. of New York law firm Emery Celli Brinckerhoff & Abady LLP.

    “While we emphatically believe that all of the contested past practices were in fact legal, we have made a good faith effort to settle this matter with the Office of the Attorney General. To that end, we offered the Office of the Attorney General a resolution of this matter which would provide a blueprint for other adware companies to comply with the Attorney General’s view of the law and afford the broadest possible protection to consumers. The Office of the Attorney General refused,” said Celli. “Accordingly, we will defend our conduct vigorously and we are confident that the courts will bring clarity and a satisfactory conclusion to our case.”

    Direct Revenue’s founders are represented by Richard Strassberg and David Goldstone of Goodwin Procter LLP.

    Link here.

    While DR may have changed its ways, the Spitzer lawsuit is about a fairly staggering number of things that occurred during their investigative period last year. A review of the evidence is damning.

    Alex Eckelberry

    Forensic analysis of the Registry

    There is a new paper out by Lih Wern Wong that dissects the Registry, and I would recommend it.  While the viewpoint is primarily forensics-based, it’s a worthwhile read for general security researchers who want to learn more about the subject.

    Windows registry contains lots of information that are of potential evidential value or helpful in aiding forensic examiners on other aspects of forensic analysis. This paper discusses the basics of Windows XP registry and its structure, data hiding techniques in registry, and analysis on potential Windows XP registry entries that are of forensic values.

    Link here, with a hat tip to Jamie Morris

    Update: From Jamie Morris at ForensicFocus:

    One of our list members, David, has very kindly created and supplied me with a PDF
    version of the paper. It can be downloaded here.  Thanks David!

    Alex Eckelberry

     

    Direct Revenue uses a PI to hunt down antispyware researcher

    Ben Edelman has been posting new documents from the New York Attorney General’s lawsuit as fast as he can.  There’s much more that’s been posted, including a couple of emails from one of the VC firms that invested in them (here and here).

    There’s also a number of references to “WebHelper”, who is actually now our spyware researcher Patrick Jordan (he joined us in July of last year but had been doing consulting work for us several months prior to his coming on board), and we now find he was being researched by a private investigator, as this email from Gary Kibel at Direct Revenue’s law firm shows:

    [Image: the email from Gary Kibel]

    But there’s so much more.

    Sit back this weekend, grab a big cup of coffee and read these documents.  They are just unbelievable.  And to those adware “apologists” who read my blog and occasionally post, these exhibits are your homework. 

    You’ll understand why we’re all such “zealots”.

    Alex Eckelberry

    New IE exploit

    We have not seen any cases of this exploit in the wild, but there’s a proof of concept at the Secunia site and it’s something to be aware of.

    A new exploit lets an attacker disguise the real URL of the page being shown, which is useful for phishing attacks. The practice is called address bar spoofing: the address bar shows a different URL from the one that is actually loading.  This particular exploit creates a race condition between a Macromedia Flash file and web content being loaded.

    In a test available at Secunia, Google is showing, but the page is different:

    [Image: screenshot of the Secunia test]

    The way to mitigate this exploit is to turn off active scripting, which is also a valid mitigator for the currently active “createTextRange()” vulnerability (in fact, turning off Active Scripting in general is a very good idea, if you can handle the hassle). 

    Suzi over at Spywarewarrior told me that she had success mitigating the exploit by simply setting “Allow sub-frames to navigate across different domains”  to Disable (or Prompt).  Screen shot below:

    [Image: screenshot of the setting]

    I tested this fix and it works on this test case, but there are no guarantees.   Disabling Active Scripting is your best bet.
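
An added example, not part of the original post: a PowerShell check of the two Internet-zone settings named above, using the documented IE URL-action IDs 1400 (Active scripting) and 1607 (Navigate sub-frames across different domains), where 0 = Enable, 1 = Prompt and 3 = Disable. The function names `Get-ZoneActionReport` and `Set-ZoneAction` are hypothetical; the report lists each registry location separately and does not compute which one takes effect.

```powershell
# Added example: report the two Internet-zone settings discussed above.
# IE URL-action IDs: 1400 = Active scripting,
#                    1607 = Navigate sub-frames across different domains.
# Stored DWORD values: 0 = Enable, 1 = Prompt, 3 = Disable.

$ZoneId  = 3    # 3 = Internet zone (4 would be Restricted sites)
$Actions = [ordered]@{
    '1400' = 'Active scripting'
    '1607' = 'Navigate sub-frames across different domains'
}
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# The same zone key can exist per-user, per-machine, and under Policies.
# Each location is reported separately; no effective value is computed.
$Suffix    = "Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$ZoneId"
$Locations = [ordered]@{
    'HKLM policy'  = "HKLM:\Software\Policies\$Suffix"
    'HKCU policy'  = "HKCU:\Software\Policies\$Suffix"
    'HKCU user'    = "HKCU:\Software\$Suffix"
    'HKLM machine' = "HKLM:\Software\$Suffix"
}

function Get-ZoneActionReport {
    foreach ($loc in $Locations.GetEnumerator()) {
        if (-not (Test-Path -LiteralPath $loc.Value)) { continue }
        $props = Get-ItemProperty -LiteralPath $loc.Value
        foreach ($id in $Actions.Keys) {
            $raw = $props.$id
            if ($null -eq $raw) { continue }   # value not set at this location
            $text = if ($Meaning.ContainsKey([int]$raw)) { $Meaning[[int]$raw] }
                    else { "Other ($raw)" }
            [pscustomobject]@{
                Location  = $loc.Key
                Action    = "$id $($Actions[$id])"
                Setting   = $text
                # The post's mitigation is Disable (3) or Prompt (1).
                Mitigated = ([int]$raw -in 1, 3)
            }
        }
    }
}

# Apply the per-user setting (1 = Prompt, 3 = Disable); -WhatIf previews it.
function Set-ZoneAction {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('1400', '1607')] [string] $Id,
        [ValidateSet(1, 3)] [int] $Value = 3
    )
    $path = "HKCU:\Software\$Suffix"
    if ($PSCmdlet.ShouldProcess($path, "set $Id = $Value")) {
        Set-ItemProperty -LiteralPath $path -Name $Id -Value $Value -Type DWord
    }
}

Get-ZoneActionReport | Format-Table -AutoSize
# Set-ZoneAction -Id 1607 -Value 3 -WhatIf
```

A row under either policy location means the setting is managed by Group Policy, so a per-user change made with `Set-ZoneAction` may not be the value IE uses.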

    Secunia advisory here via CNET.

    Alex Eckelberry

    WhenU lauds its own practices

    Well, nothing like the Direct Revenue documents just exposed on Ben Edelman’s site.  We have obtained, from an anonymous source in the advertising industry, an email that Bill Day, CEO of WhenU, sent out today to advertisers who have a relationship with WhenU. 


    From: Bill Day
    Sent: Wednesday, April 05, 2006 11:24 AM
    To: Bill Day
    Subject: WhenU, “adware” and you

    Hi,

     

    Many of you know me from my days as CEO and founder of About.com, and you may also know what I’ve done at WhenU – not just talked about doing, but actually done – to demonstrate that “adware” can show respect for consumers’ right to control the desktop and be a valued part of the behavioral targeting mix.

    You also probably know that NY’s Attorney General just sued Direct Revenue, that the Center for Democracy and Technology recently “outed” advertisers who work with 180solutions, and that Claria is trying to unload its desktop advertising assets.  

     

    Looks like the other  players are mortally wounded or limping away – all except WhenU. 

     

    WhenU is growing. Why?  And what does it mean to you and the rest of the online advertising industry?

    When I took over as CEO in late 2004, WhenU was already better than the other guys, and ready to take innovative new steps to provide even greater transparency in getting and keeping permission from consumers to deliver targeted advertising.  We eliminated affiliate distribution, put our toll-free number on every ad served, capped frequency to an average of 1-3 ads per day, and made it even easier for people to opt-out than to opt-in.  As a result, we have a better business than the other players. Our click-through and conversion rates are rising; our revenue and reach are growing.  Last week, we even got a nice nod in the New York Times and a great write up in this month’s Inc. Magazine.

     

    The moral of the story is: good business practices equal good business

     

    Leaders lead.  Count on us to continue to be a leader here.  WhenU’s goal isn’t to be the last man standing in the “adware” space.  Our goal is to change the space – so that truly permission-based desktop advertising earns its place in the behavioral targeting mix and the Internet becomes a safer place for users and marketers alike.

     

    All of us at WhenU look forward to continuing to treat our twin masters – consumers and advertisers – with the utmost respect and transparency.  I encourage you to contact me directly if you have any questions or comments.

     

    Best, 

     

    Bill


      

    Alex Eckelberry 

     
     

    So much smoke, the gun is beyond smoking

    Ben Edelman has been putting up additional documents from Eliot Spitzer’s suit against Direct Revenue as fast as he can.  These are the exhibits referenced in the highly damning affirmation and petition written by NY AG attorney Justin Brookman. There’s more being put up regularly, so check back.

    Here is the documentation of a completely corrupt organization.  Solely for personal gain, officers of Direct Revenue lived, ate and breathed to rape the machines of unknowing Internet users.  

    Some tasty snippets:

    Exhibit 2 – 146-page compilation of December 1, 2005 interrogatory responses and attachments. Includes the following:

    Discusses Direct Revenue’s installation counts. (2)

    Discloses revenues ($6.9 million in 2003, $39 million in 2004, $33 million in January-October 2005). (4) Discloses revenues from installing other vendors’ software ($4 million for January-October 2005). (4)

    Discusses the role and effects of Insight Venture Partners’ 2004 purchase of 25% of Direct Revenue for $12 million, and Direct Revenue’s borrowing from Insight and Technology Investment Capital Corp (TICC), $21.7 million total in 2004. (4-5) Shows specific 2004-2005 distributions to Direct Revenue’s senior staff, totaling more than $27 million. (6)

    Discusses the ad networks used to track advertising display, including Aquantive’s Atlas and DoubleClick. (8) Discusses other sources from which Direct Revenue receives ads, including LinkShare and eBay Shopping.com. (8)

    Exhibit 4 – Direct Revenue LLC agreement. Reports Joshua Abram as 36% owner, Daniel Kaufman as 32% owner, Alan Murray as 27% owner, and Rodney Hook as 5% owner.

    Exhibit 5 – User complaints and threats, and Direct Revenue’s responses (including jokes)….

    Exhibit 6 – 122-page compilation of January 17, 2006 interrogatory responses and attachments….

    Discusses the limited circumstances in which Direct Revenue elected to automatically remove its software from users’ computers after concluding that installations were nonconsensual. Argues that such automated removal constitutes “throw[ing] the baby out with the bathwater” because it would (purportedly) not be “in the best interests of the many users who had accepted [Direct Revenue’s] value proposition.” (2-6)

    Discusses disclosures shown to Lycos users as to “the search panel feature of your Internet Explorer program” being “under new ownership.” (11-13)

    …Discusses a “KZ Torpedo” to remove unknown other software. (23-34)

    …Presents Direct Revenue’s records of specific users, including users’ IP addresses. (36)

    Exhibit 18 – Discussion with Holistyc of distribution methods. Discusses possible use of “tricks” to improve installation rates, as well as methods of “dogting SP2 and anti-virus programs ”

    Exhibit 19 – Discussion of a Microsoft invitation to a September 2004 “Microsoft VC Roundtable.” Admits that Direct Revenue “takes advantage of their [Microsoft’s] vulnerability and poor design.”

    Two words: Treasure trove.

    Link here.

    Alex Eckelberry

     

    Actually, this is a very smart move

    McAfee just bought SiteAdvisor.  I think this is a smart move, although to be honest, I’m surprised that one of the large search engines didn’t buy the company.  It would have been an ideal way to assure safer surfing.

    While terms were not disclosed, I would venture to guess that the deal was probably in the range of $15–$20 million (that is pure speculation on my part).  

    I like SiteAdvisor and recommend it.  McAfee made a good move here.

    Link here.

     

    Alex Eckelberry

     

    The ongoing problem of third party ad networks placing ads inappropriately

    I’ve written about this subject before, and there was an article in the WSJ yesterday on the same thing: ads showing up in places the advertisers really don’t want them:

    Glitches have occurred for mundane reasons. The Christian Children’s Fund bought ads on the largest online ad network, Advertising.com, which is owned by AOL, and specified that the ads not appear near any provocative content. But Advertising.com says it mistakenly turned off its content filters for an unspecified period of time last month, and the Christian Children’s Fund ad ended up next to an article about a sexual position in the sex section of About.com, which is owned by New York Times Co. The Disney ads were also placed by Advertising.com on About.com’s sex section during that time.

    More here via MediaPost.

    Alex Eckelberry

    “At least we’re not Ebola”

    The Attorney General of New York, Eliot Spitzer, today announced that he had sued Direct Revenue, perhaps the most notorious and hated adware/spyware distributor of them all.

    Press release:
    http://www.oag.state.ny.us/press/2006/apr/apr04a_06.html

    Affirmation of Justin Brookman:
    http://www.oag.state.ny.us/press/2006/apr/Direct%20Revenue%20Affirmation%20of%20Justin%20Brookman.pdf

    Petition:
    http://www.oag.state.ny.us/press/2006/apr/Direct%20Revenue%20Verified%20Petition.pdf

    The Brookman Affirmation (76 pages) is a hair-raising read in which OAG investigators document the reprehensible software installation and pop-up advertising practices of Direct Revenue. Still more damning, though, is the avalanche of internal email that OAG investigators quote, revealing that DR execs were not only well aware of the fact that most users did not meaningfully consent to the installation of their software and had no clue as to how to remove the software from their systems, but that they knew full well that DR’s distributors and sub-distributors were engaged in illegal installation practices and yet took no actions to stop those practices or police the distributors (at least not until OAG investigators were on the case).

    Also of interest is the fact that DR execs obsessively monitored anti-spyware web sites, organizations, and companies for any sign of criticism and were not shy about issuing legal threats and, in one case, hiring a private investigator to bully critics into silence. The Brookman Affirmation acidly remarks:

    Yet the individual respondents became blase even about the shame of operating one
    of the most reviled companies in America. Forwarding a critical Information Week
    article, one of the company’s venture capital partners cavalierly noted, “At
    least we’re not Ebola.”

    To those of us who have followed the outrageous practices of this company over the years, there is little here that is completely new. What is remarkable, though, is that we now have an account of these practices all under one cover and thoroughly documented using internal company sources.

    Highly recommended reading.

    Eric L. Howes
    Director of Malware Research
    Sunbelt Software

    Sunbelt TechTips for the week of April 3

    “Internet Explorer has encountered a problem and needs to close”
    If you get a message that says IE has encountered a problem and needs to close, it may be because you need to update the Pdm.dll file. Or you can work around the problem by disabling script debugging. For information on both solutions, see KB article 293623 here.  

    How to Enable Audible Caps Lock Warning
    It’s easy to hit the Caps Lock key by mistake and find yourself typing in capital letters. Worse, if you don’t know Caps Lock is on, your password may be rejected for no apparent (to you) reason. You can use the built-in ToggleKeys feature to sound an audible warning when you hit Caps Lock, Num Lock or Scroll Lock. Here’s how:

    1. In Control Panel, click Accessibility Options.
    2. Click the Keyboard tab.
    3. Check the Use ToggleKeys checkbox.
    4. Click OK.

    How to Manually Start the Process to Remove XP
    If you want to remove Windows XP from your computer but you can’t start the operating system in Normal or Safe mode, you can manually start the removal process by using a startup disk for an earlier operating system such as Windows 98 or Me. For step by step instructions on how to do so, see KB article 312569 here.   

    Use Group Policy Editor to Manage Local Computer Policy
    You can use Group Policies in Windows XP to create configuration settings for specific user accounts or for the computer by editing or creating Group Policy Objects. These include registry-based policies, security options, software installation, scripts options and folder redirection configurations. To do this, you use the Group Policy Editor tool while logged on with an administrative account. To find out how to use the Group Policy Editor, see KB article 307882 here.

    Computer Doesn’t Shut Down Properly if Selective Suspend is Enabled
    If your computer no longer shuts down correctly (for example, it hangs after you select Restart or Turn Off) when you’ve attached a USB mouse, keyboard or other input device, this may be because selective suspend is enabled and the device doesn’t support this feature. There are a couple of workarounds for this problem. To find out more about them, see KB article 315664 here.

    How to Change the Windows Logon Screensaver
    When you start Windows, if you don’t click a user name on the Welcome screen or press CTRL+ALT+DEL to log on if prompted, after ten minutes the default Windows logon screensaver will start. You can change this logon screensaver by editing the registry. Here’s how:

    1. Click Start | Run.
    2. In the Open box, type: regedt32 or regedit.
    3. Click OK.
    4. In the registry editor, navigate to this key: HKEY_USERS\.DEFAULT\Control Panel\Desktop
    5. In the right pane, double click SCRNSAVE.EXE.
    6. Type the filename of the screensaver you want to use as the logon screensaver in the Value Data field of the Edit String dialog box.
    7. Click OK.
    8. Close the registry editor.

    Note that if the screensaver file is stored in a location other than the System32 folder, you must type the entire path in the Value Data field.

    How to View and Remove Installed Updates
    Want to see which updates have been installed on your system? Suspect a recent update is causing your crashes or other problems and want to remove it? Here’s how:

    1. Click Start | Control Panel and then click the Add | Remove Programs icon.
    2. With Change or Remove Programs selected in the left pane, click the checkbox “Show updates” at the top. This box is not checked by default.
    3. Scroll down to Windows XP – Software Updates in the currently installed programs and updates list.
    4. To remove an update, click it to highlight it, then click the Remove button.

    How to recover from a corrupted registry
    If your Windows XP computer won’t boot because of corruption in the registry, you may get an error message that says XP can’t start because a specified file is missing or corrupt, or you may get a Registry File Failure stop message (c0000218). You can use the recovery console to back up your registry files, delete the existing registry and use the repair folder files to boot into XP with a clean set of registry files. The step-by-step process is described in KB article 307545 here.   

    Can’t access CD-ROM after removing Easy CD Creator
    Some folks have discovered that after they remove the Easy CD Creator software from their computers, they can no longer access the CD-ROM drive and get various error code messages. To fix the problem, you may need to modify the registry. For instructions, see KB article 314060 here.   

    And a final bonus: Transl8 Txt Msgs
    Befuddled by the seemingly foreign language in which your kids communicate on their cell phone SMS service? Wanting to get started with text messaging yourself but don’t know all those abbreviations that everyone uses? Here’s a web site that will help you to “make sense of txt lingo.” You can either type in the SMS message and the site will translate it to plain English, or type in your message in English and the site will spit out its SMS equivalent. Link here.

    Deb Shinder

    Light blogging

    I’ve been a wee bit light on the blogging lately. Truth is, I took my family out of town on a vacation last week and tomorrow I’m going to InfoSec with a number of other Sunbelters.

    In the meantime, Eric Howes and Eric Sites here at Sunbelt have been holding down the Blogging Fort, and occasionally, others jump in here as well to post a quick note.

    I hope to be back in the swing of things toward the end of the week.

    Alex Eckelberry

    An Interview with former 180solutions employee

    Jimmy Daniels has done an interview with a former 180solutions employee. Everyone should check it out. Click here.

      Jimmy: Being on the technical side of it, I would imagine you’ve had to uninstall 180 many times from family and friends pc’s, as I have. Got any good stories there?

      ex180: Uninstalls? Yeah. I’ve taken it off my neighbor’s computer a couple times. He has three girls and it finally got so bad that I rebuilt his laptop and installed vmware, then decreed that he was the only person in the house allowed to use the computer without starting vmware first and surfing from it. He backed it up and has been happy ever since. I remember my first embarrassing experience was my fifth day at the company… I got a call from a non-technical co-worker at my previous job to help her uninstall n-case. She knew who I went to work for and it was before the uninstallation stuff was so widely available on the web. That was humiliating… I was like, “wow… people warned me about this place before I came and here’s so-and-so needing help to get this crap off her machine”. Ouch.

    Eric Sites
    VP of Research & Development
    Sunbelt Software