A family member just forwarded me a Wired Story about an interactive map of the horrific disaster in New Orleans. An incredible tool, and put up in one day. Scipionus.com.
Alex Eckelberry
The Great Years: 2004-2010
Eric Goldman, Marquette Law faculty professor has blogged about the Direct Revenue court ruling.
It seems he thinks it’s a big deal.
He thinks it may set a precedent that downloading Direct Revenue software could be considered a Trespass to Chattels (“a somewhat obscure tort action arising out of unauthorized dispossession, use, or interference with the tangible property of another.”). Wiki explaining the concept here.
Eric’s words:
“I trust we all can appreciate the floodgates of litigation that may open if undisclosed downloading of software (not just adware) onto a user’s computer can support a trespass to chattels claim (if you’re having trouble visualizing, just think two words: Flash and Java). We’ll have to see if the court puts any better parameters on its thinking at the summary judgment stage.”
Alex Eckelberry
(Tip o’ the hat to Suzi)
Got this last night as a follow-up to my post on the spyware/kiddie porn/spam zombie connection. Direct Revenue has also been in contact with us about this.
Alex,
I’m Ken McGraw, Chief Compliance Officer for 180solutions. Thank you for letting us know about the instance you discovered where 180search Assistant had been distributed in conjunction with child pornography. With your help, we have been able to confirm this to be true and will be taking the following actions:
* Based on pressure from us, Simpel Internet has ceased all distribution operations until they can get better control of their affiliates.
* We will cooperate with law enforcement in any way we can to ensure that justice is brought in this case.
* In the next couple of days, once we have the name and contact information of the alleged child pornographer, we will file a civil lawsuit. All proceeds from this suit will be donated to a charity or organization whose mission is to protect children from online pornography or predation.
It goes without saying that child pornography is illegal and morally reprehensible. Fortunately, this is the first time in our six years of existence, to my knowledge, that we have been distributed with this type of illegal content. We deplore it. Distributing our products with such illegal content is specifically against our code of conduct and as such, we will continue to do everything we can to prevent our products from being distributed with it.
Sincerely,
Ken McGraw
Chief Compliance Officer
180solutions, Inc.
Ok, this is severely nerdy/techie, but today Time Warner started installing the final few hundred feet of the conduit for our new OC-3 connection. (An OC-3 is a fairly large internet connection — about 155 megabits per second, roughly 100 times the speed of a T-1)
We’ve been running off a T-3, with redundancy at an off-site facility. It’s taken months to lay the fiber (including a delay getting past the nearby railroad tracks), but we’re almost there. Time Warner will probably end up installing an OC-12 for the building, of which we’ll get an OC-3.
The connection is going into our second location here, the Clearwater Tower, which houses our technical staff.
The OC-3 is necessary for the kind of bandwidth we’ll be consuming with current growth, but also with SPECTRE, the web crawler we’re working on to find new spyware installs on the web.
We sometimes forget that internet connectivity relies on things like cutting apart pavements. So just for kicks I’ve posted pics and some videos below (thanks Dan):
Videos (not optimized for low-bandwidth!): Video 1 Video 2 Video 3 Video 4 Video 5 Video 6
Alex Eckelberry
From the Register:
The site exploits well-known IE vulnerabilities to install a variety of Trojans including Cgab-A, Borobot-P, Borobot-Q, Borodldr-H and Inor-R. Security firm Sophos reports that subject lines used in the malicious emails include, but are not limited to, the following:
Re: g8 Tropical storm flooded New Orleans.
Re: g7 80 percent of our city underwater.
Re: q1 Katrina killed as many as 80 people.
Alex
Update: See latest entry here.
Fun! Go to Phishfighting.com and fight slimeball phishers.
According to Debra Cliff at Online Crime Bytes,
“…there’s a way to get back at phishers … by inputting the phisher’s URL to a template at Phishfighting.com, which will send fake responses to the phish site every 20 seconds.
Phishfighters is the brainchild of Robin Grimes, a Web developer by day, who got sick of submitting junk mail data on the 5-10 phishes he receives each day and set out to do something about it.
“The point is to send so many fake responses to the phishers that they have to sort through too much data to determine what’s real and what’s fake,” he told me in a telephone interview this morning.”
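The approach described above, as an added example (my code, not Phishfighting.com’s or Robin Grimes’): each decoy looks plausible on its own (realistic username, Luhn-valid card number), but the password carries a short HMAC tag derived from the username under a key only you hold. That goes one step past the site’s idea of simply drowning the phisher in junk: if the harvested data ever turns up, you can tell your decoys from real victims. `flood()` posts decoys to a form URL on the same 20-second timer; the URL, the field names and `SECRET` are assumptions.

```python
"""Decoy form submissions with a recognizable canary, in the spirit of Phishfighting.com.

Added example; not Phishfighting.com code. The phish form URL, the field names and
SECRET are assumptions; everything else runs offline.
"""
import hashlib
import hmac
import random
import time
import urllib.parse
import urllib.request

SECRET = b"replace-with-your-own-key"   # assumption: a per-operator secret, never reused elsewhere
TAG_LEN = 6

FIRST = ["john", "mary", "david", "susan", "james", "linda"]
LAST = ["smith", "jones", "brown", "miller", "davis", "wilson"]
WORDS = ["Summer", "Fluffy", "Tigers", "Sunset", "Garden", "Monkey"]


def luhn_check_digit(partial):
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    """Standard Luhn test over the full number, check digit included."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _tag(username, secret):
    return hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def make_decoy(seed=None, secret=SECRET):
    """One fake form response; deterministic for a given seed."""
    rng = random.Random(seed)
    user = "%s.%s%02d" % (rng.choice(FIRST), rng.choice(LAST), rng.randint(10, 99))
    partial = "4" + "".join(str(rng.randint(0, 9)) for _ in range(14))
    return {
        "username": user,
        "password": rng.choice(WORDS) + _tag(user, secret) + "!",   # tag embedded here
        "card": partial + luhn_check_digit(partial),
        "exp": "%02d/%02d" % (rng.randint(1, 12), rng.randint(6, 9)),  # MM/YY
    }


def is_decoy(record, secret=SECRET):
    """True if the password carries the tag we would have derived for that username."""
    return _tag(record.get("username", ""), secret) in record.get("password", "")


def flood(url, count, interval=20, seed=None):
    """POST `count` decoys to the phishing form, one every `interval` seconds."""
    rng = random.Random(seed)
    sent = 0
    for _ in range(count):
        body = urllib.parse.urlencode(make_decoy(rng.random(), secret=SECRET)).encode()
        try:
            urllib.request.urlopen(url, body, timeout=10).read()
            sent += 1
        except OSError:
            pass   # phish sites die often; keep going
        time.sleep(interval)
    return sent


if __name__ == "__main__":
    d = make_decoy(seed=1)
    print(d, luhn_valid(d["card"]), is_decoy(d))
```

Keep the secret out of the decoys themselves: the tag is only six hex characters, so it does not leak the key, and a phisher sorting through thousands of records has no way to know which field to look at.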
Alex Eckelberry
On the heels of reports that Direct Revenue (makers of wunderspy programs like Aurora) has had a fairly large layoff, they get another nasty: A court ruling not entirely in their favor. The ruling can be downloaded here.
The ruling was part of a class action lawsuit by The Collins Law Firm.
David Fish, the lawyer leading the charge against Direct Revenue, emailed this comment to me today:
In permitting claims to go forward for trespass to personal property, consumer fraud, negligence, and computer tampering, the Court noted that “many companies and computer users consider pop-up advertisements and Spyware an Internet scourge” (p. 17) and that the allegations in the lawsuit “reflect the frustration of many computer users” (p. 18).
In response to an argument that individual advertisements can be easily closed, so they cannot cause a legal injury, the Court ruled that this:
“ignores the reality of computer and Internet use, and plaintiff’s allegation that part of the injury is the cumulative harm caused by the volume and frequency of the advertisements. The fact that a computer user has the ability to close each pop-up advertisement as it appears does not necessarily mitigate the damages alleged by plaintiff, which include wasted time, computer security breaches, lost productivity, and additional burdens on the computer’s memory and display capabilities” (p. 21).
The next step in this case is that the Plaintiff will ask the Court to permit the claims of hundreds of thousands of computer users to be heard in a single lawsuit (i.e. a “class action”).
Suzi at ZDNet blogs more on the issue here. Quoting Suzi:
“..Direct Revenue argued that the court ought to dismiss the case because Plaintiffs (i.e., the users) must have seen the End User License Agreement (EULA) and clicked through to agree to it, thus effectively telling a court of law that its software is always installed with the user’s full knowledge and consent, despite numerous statements indicating otherwise by users seeking help to remove it… The judge, in fact, evidently did not agree.”
Alex Eckelberry
Misc links:
Directnic is a domain name registrar in New Orleans that has employees there trying to keep the servers up.
One of their employees is running a blog here. Pictures, and graphical moment-by-moment descriptions of the chaos that has gripped the city, are on the blog.
Moment by moment news here. GREAT list of blogs here.
Hans Eisenman mentions two good links: a collection of photos of Katrina devastation and the latest on Katrina charity scams. Be careful. See FEMA’s official list of donor sites.
Other links: The Katrina Help wiki and an incredible amount of stuff going on at Craigslist/New Orleans; as well as this one on before and after sat pics. Tech community helping.
More sat pics of Katrina.
Help: Quick and easy is the Red Cross, with donations as low as $5. There’s also eBay GivingWorks, where you can buy products that directly benefit charities. More recognized charities on this official list of donor sites.
Alex Eckelberry
I was followed around recently by Robert LaFollette, our creative director, for a video tour of Sunbelt.
So if you’ve ever wondered what it’s like here at Sunbelt, click here to watch the movie. There’s a big version and a small one. If you can handle the download, get the big one.
Oh, and there’s some extra footage after the final title sequence…
Alex Eckelberry
President
Motion Computing preinstalls CounterSpy with their L-Series tablet PCs.
Clarification: In order to get CounterSpy pre-installed, you need to buy the MotionPak, a $35 option. It includes a bunch of software, including Microsoft OneNote, Alias SketchBook Pro, Farstone VirtualDrive and more.
Alex Eckelberry
From CIBC:
“Yesterday after the close, Microsoft announced the acquisition of privately held Teleo, a provider of voice over Internet protocol (VoIP) technology. Teleo’s technology was designed to enable users to make PC-to-PC, cell phone, and land line calls. Through the acquisition, Microsoft plans to combine Teleo’s technology and expertise with its existing VoIP investments to further develop the product and service offerings of MSN. Terms of the deal were not disclosed. Internet content providers such as Yahoo!, Google and AOL (Time Warner) have moved aggressively to bolster their VoIP technologies as part of their service offerings. While Microsoft already has an existing VoIP service with its MSN Messenger service, we believe this acquisition is another sign of Microsoft playing catch up with the ‘Net leaders. (BR)”
This is a really, really bad scene right now with our neighboring states of Mississippi, Alabama and Louisiana (we’re in the Tampa Bay area of Florida, and were unaffected by the storm).
The situation in New Orleans is devastating. We’re talking about a city that will be shut down for quite some time.
Powerful pictures here.
Give if you can. Quick and easy with the Red Cross donation form.
Alex Eckelberry
From the Better Late than Never department.
(This is a variant that we also found of the identity theft ring we’ve been, umm, chatting about for a while.)
Alex Eckelberry
Kansas City Economic Development webserver hacked (article here).
“It looked like it was being used as a drop box for a variety of cyber vagrants,” Ballew said, adding that the unauthorized traffic included mostly software programs and encrypted files.
…
But he said the agency had learned a lesson from the incident.
“In this day and age, Web hosting is something you ought to leave to professionals,” he said.
Alex Eckelberry
Correction, from Mark: “A common mistake: Kansas City is the name of two cities, the larger of the two is Kansas City, Missouri; across the state line is the much smaller Kansas City, Kansas. In this case, the EDC is part of Kansas City, Missouri.”
Well, he just ruined my headline!
If you’ve considered getting away from IE, the folks over at Opera are offering free registration keys.
Alex Eckelberry
(Tip of the hat to SpywareInfo)
Well this was a rather pleasant surprise. We just won eight Windows IT Pro Reader’s Choice awards.
(Windows IT Pro is one of the leading enterprise IT mags.)
Alex Eckelberry
Last week, Secunia published an advisory on a new weakness found in Windows. The Registry Editor (regedit.exe and regedt32.exe) fails to display a value whose name is overly long, which lets an attacker who can already write to the registry hide a startup command from anyone inspecting it with the editor. News.com picked it up on Friday.
From Secunia: “The weakness is caused due to an error in the Registry Editor Utility (regedt32.exe) when handling long string names. This can be exploited to hide strings in a registry key by creating a string with a long name, which causes this string and any subsequently created strings in the key to be hidden. Successful exploitation e.g. makes it possible for malware to hide strings in the “Run” registry key. However, these hidden strings created after the string with the overly long name will still be executed when the user logs in.”
However, someone actually has to get in to your system to implant this registry key. So it’s not a “run for the hills” type scenario, despite breathless reports to the contrary. But it is something to take note of.
Two SANS bulletins, here and here. “An overly long registry entry can be added, but won’t be shown by regedit and regedt32. Even better, all registry entries that get added afterward under the same key, even if not overly long, will be hidden as well…This allows adding hidden entries under the famous HKLM\Software\MS\Windows\CV\Run. Entries that you can’t see with regedit, but that will just as faithfully get run at startup.” This can happen right now on fully patched systems.
In other words, an attacker can add a value with an overly long name to the Run key. Regedit can’t “see” it, nor any value added to that key after it. At the next logon, Windows runs the hidden entries anyway.
This vulnerability has been confirmed on fully patched Windows 2000 and XP systems. Other systems may be at risk.
Here is what you can do right now. Run this tool from SANS, which will tell you what extra long entries you have in the registry. It looks for value names in excess of 254 characters. Another option is to open a command prompt (Start/Run/cmd) and type “reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run” (and the same key under HKCU): reg.exe does not share regedit’s display problem, so a long-named value shows up in its output, though a 255-character name makes that output painful to read, which is why the SANS tool is the easier route.
And wait for the patches to come forth from various vendors.
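One way to automate that check, as an added example (my code, not the SANS tool and not Sunbelt’s): parse the text that `reg query` prints and flag any value whose name is longer than 254 characters, plus every value that follows it in the same key, since the SANS note says those are hidden from regedit as well. It assumes `reg query` lists values in enumeration order (normally creation order); the sample output embedded below is constructed, and on Windows the script queries the live Run keys instead.

```python
"""Find Run-key values that regedit would hide.

Added example for this post; not the SANS tool and not Sunbelt code. Parses the text
output of `reg query` (assumed to list values in enumeration, i.e. creation, order) and
flags any value whose name exceeds LIMIT characters, plus every value after it in the
same key. SAMPLE is constructed `reg query` output.
"""
import re
import subprocess
import sys

LIMIT = 254  # name length beyond which regedit/regedt32 stop displaying the value

RUN_KEYS = [  # the usual autostart keys; extend as needed
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]

# A value line: indent, name, separator, REG_* type, optional separator and data.
_VALUE_RE = re.compile(
    r"^\s+(?P<name>.*?)(?:\t+| {2,})(?P<type>REG_[A-Z_]+)(?:(?:\t+| {2,})(?P<data>.*))?$"
)


def parse_reg_query(text):
    """Return (key, name, type, data) tuples from `reg query` output, in output order."""
    entries = []
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HK"):          # key header lines start at column 0
            key = line.strip()
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group("name"), m.group("type"), m.group("data") or ""))
    return entries


def find_hidden(entries, limit=LIMIT):
    """Return entries regedit would not show, each with the reason."""
    hidden = []
    tainted = set()   # keys in which a long-named value has already appeared
    for key, name, typ, data in entries:
        if len(name) > limit:
            tainted.add(key)
            hidden.append((key, name, typ, data, "name is %d chars (> %d)" % (len(name), limit)))
        elif key in tainted:
            hidden.append((key, name, typ, data, "created after a long-named value in the same key"))
    return hidden


def scan_live(keys=RUN_KEYS):
    """Windows only: run `reg query` on each key and report what regedit would hide."""
    entries = []
    for key in keys:
        proc = subprocess.run(["reg", "query", key], capture_output=True, text=True)
        if proc.returncode == 0:
            entries.extend(parse_reg_query(proc.stdout))
    return find_hidden(entries)


# Constructed sample: one long-named value followed by a normal one in the same key.
LONG_NAME = "A" * 300
SAMPLE = "\n".join([
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe",
    "    " + LONG_NAME + r"    REG_SZ    C:\WINDOWS\system32\svchosts.exe",
    r"    Updater    REG_SZ    C:\Documents and Settings\user\loader.exe",
    "",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"    MSMSGS    REG_SZ    C:\Program Files\Messenger\msmsgs.exe /background",
])


if __name__ == "__main__":
    results = scan_live() if sys.platform.startswith("win") else find_hidden(parse_reg_query(SAMPLE))
    for key, name, typ, data, why in results:
        shown = name[:40] + ("..." if len(name) > 40 else "")
        print("%s\n  %s = %s  [%s]" % (key, shown, data, why))
```

On the sample, the 300-character value and the `Updater` value that was written after it are both reported; `ctfmon` and the HKCU entry are not. The `data` column is what you actually care about once something is flagged, since that is the command that will run at logon.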
Alex Eckelberry
(Tip o’ the hat to Eric Howes)
Here’s a video taken last week by one of our spyware researchers of an exploit-driven installation of multiple malware and adware apps from a pornographic website.
It’s from a child porn site and the disgusting images and the URL have been obfuscated (the website is being reported to the authorities).
The site is clearly linked with the very nasty vxiframe(dot)biz crew (purveyors of fun things such as Cool Web Search browser hijacks and the rest).
The researcher surfed to the site in question and immediately got hit with a security exploit that hijacked his browser, installed Spy Sheriff, and dropped a spam zombie/bot (not visible in the video) on his system. His browser window was then closed.
After a short bit he was presented with a combination of nags and ActiveX Security Warning prompts for CrazyWinnings (with Internet Explorer closed, mind you). The EULA for that installation is here.
Most users will never see that EULA, however, or the links to multiple other EULAs for the apps to be installed, which include:
– DirectRevenue/ABI/Aurora
– 180search Assistant
– SurfSidekick
– BullsEye Network
– ShopAtHomeSelect
Every time he cancelled the install he was presented with a nag to allow the install (all the while Spy Sheriff was warning him from the System Tray that his PC was infected).
After finally caving to the CrazyWinnings nag/prompt combo, his PC was deluged with the aforementioned adware. 266 new files (including 77 executables and 24 DLLs) were dropped on his PC and 516 new Registry keys were created.
180 Solutions did indeed pop up a prompt (called a “CBC Force Prompt”), but read the language of that prompt carefully and consider the context in which it is presented.
He chose “Cancel”.
He was then confronted with this warning that unless he allowed the installation to continue, he might lose access to a program he recently installed, as well as free games, music, toolbars, etc.
So he allowed the install, as one would assume users would, out of fear that their PCs or internet connections might break.
This installation was initiated by a security exploit, driven by a combination of bullying nags and warning prompts, and greased with false and deceptive claims from the parties involved. At no point was he ever shown a clear, conspicuous, and truthful description of the software to be installed, and at no time was meaningful consent ever gained to the installation of the software.
So!
Apart from the fact that 180solutions’ and Direct Revenue’s software is being installed alongside a spam zombie and through a security exploit (both of which they will blame on a rogue distributor), why did Direct Revenue and 180solutions consent to the CrazyWinnings distribution, when notice and disclosure is so obviously poor (no EULA shown to the user, EULA contains only links to EULAs from multiple other adware vendors, etc.)?
(For the record, installation logs and copies of all files installed from that exploit have been archived.)
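For anyone wanting to reproduce the kind of count given above (266 new files, 77 executables, 24 DLLs), here is an added example of the before/after measurement; it is my code, not the tooling our researcher used. It hashes every file under a root before the install and again afterwards, then reports what was added, changed or removed, with new files broken down by extension. The `demo()` tree is constructed in a scratch directory so the script runs anywhere; point `snapshot()` at a real drive root on a throwaway VM for the real thing.

```python
"""Before/after filesystem snapshot and diff for measuring a drive-by install.

Added example; not the Sunbelt researcher's tooling. demo() builds a constructed
scratch tree standing in for a real system drive.
"""
import hashlib
import os
import tempfile
from collections import Counter


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (size, sha256) for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                snap[os.path.relpath(full, root)] = (os.path.getsize(full), _sha256(full))
            except OSError:
                continue  # locked or vanished mid-walk: skip rather than abort the snapshot
    return snap


def diff(before, after):
    """Split paths into added, removed and changed (same path, different size or hash)."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": sorted(p for p in common if before[p] != after[p]),
    }


def summarize(delta):
    """Count new files by extension; .exe and .dll get their own headline numbers."""
    by_ext = Counter(os.path.splitext(p)[1].lower() or "(none)" for p in delta["added"])
    return {
        "new_files": len(delta["added"]),
        "executables": by_ext.get(".exe", 0),
        "dlls": by_ext.get(".dll", 0),
        "changed": len(delta["changed"]),
        "removed": len(delta["removed"]),
        "by_ext": dict(by_ext),
    }


def demo():
    """Constructed stand-in for an install: a scratch tree before and after files land in it."""
    root = tempfile.mkdtemp(prefix="snapdemo_")

    def write(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    write("WINDOWS/system32/ctfmon.exe", b"MZ original")
    write("WINDOWS/win.ini", b"[windows]\n")
    before = snapshot(root)

    # the "install": two new executables, one DLL, one data file, and one file overwritten
    write("WINDOWS/system32/svchosts.exe", b"MZ dropper")
    write("Program Files/CrazyWinnings/cw.exe", b"MZ adware")
    write("Program Files/CrazyWinnings/hook.dll", b"MZ hook")
    write("Program Files/CrazyWinnings/cfg.dat", b"\x00\x01")
    write("WINDOWS/win.ini", b"[windows]\nrun=loader.exe\n")
    after = snapshot(root)

    return summarize(diff(before, after))


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-12s %s" % (k, v))
```

Hashing rather than comparing timestamps matters here: droppers routinely overwrite an existing file in place and reset its timestamps, and that shows up under `changed` only because the digest moved. Take the “before” snapshot with the browser closed, and keep the snapshot files off the machine being infected.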
Alex Eckelberry
If you have a few minutes and you’re curious about Bluetooth security, watch this presentation by digital media analyst Phil Leigh with Martin Herfurt, founder of Trifinite, a non-profit group that specializes in Bluetooth security.
Alex Eckelberry
Off topic: When people hear that we’re in Florida, they almost inevitably assume that we’re in South Florida (e.g. Miami). We’re actually in Tampa Bay (Clearwater), which is a completely different place. Set on the Gulf of Mexico, it’s a charming area, which doesn’t get nearly as hot as our southern neighbor and even has mildly chilly winters—so north-easterners don’t have to throw out their sweater collection.
We often relocate people from other parts of the country to work for Sunbelt, and one such hire was Robert LaFollette, our Creative Director. He set up a blog which details his new life down here, but most stunning is his collection of photographs. Check out his blog here and his photography website here (not all of the pics are from Tampa; many are from his home state of Ohio and other places).
Alex Eckelberry