Here’s a video taken last week by one of our spyware researchers of an exploit-driven installation of multiple malware and adware apps from a pornographic website

It’s from a child porn site and the disgusting images and the URL have been obfuscated (the website is being reported to the authorities).

The site is clearly linked with the very nasty vxiframe(dot)biz crew (purveyors of fun things such as Cool Web Search browser hijacks and the rest).

The researcher surfed to the site in question and immediately get hit with a security exploit that hijacked his browser, installed Spy Sheriff, and dropped a spam zombie/bot (not visible in the video) on his system. His browser window was then closed.

After a short bit he was presented with a combination of nags and ActiveX Security Warning prompts for CrazyWinnings (with Internet Explorer closed, mind you). The EULA for that installation is here.

Most users will never see that EULA, however, or the links to multiple other EULAs for the apps to be installed, which include:

– DirectRevenue/ABI/Aurora
– 180search Assistant
– SurfSidekick
– BullsEye Network
– ShopAtHomeSelect

Every time he cancelled the install he was presented with a nag to allow the install (all the while Spy Sheriff was warning him from the System Tray that his PC was infected).

After finally caving to the CrazyWinnings nag/prompt combo, his PC was deluged with the aforementioned adware. 266 new files (including 77 executables and 24 DLLs) were dropped on his PC and 516 new Registry keys were created.

180 Solutions did indeed pop up a prompt (called a “CBC Force Prompt”), but read the language of that prompt carefully and consider the context in which it is presented. 

He chose “Cancel”.

He was then confronted with this warning that unless he allowed the installation to continue, he may lose acces to a program he recently installed, as well as free games, music, toolbars, etc.

So he allowed the install, as one would assume users would, out of fear that their PCs or internet connections might break.

This installation was initiated by a security exploit, driven by a combination of bullying nags and warning prompts, and greased with false and deceptive claims from the parties involved. At no point was he ever shown a clear, conspicuous, and truthful description of the software to be installed, and at no time was meaningful consent ever gained to the installation of the software.

So!

Apart from the fact that 180Solutions’ and Direct Revenue software is being installed along a spam zombie and installed through a security exploit (both of which they will blame on a rogue distributor), why did DirectRevenue and 180solutions consent to the CrazyWinnings distribution, when notice and disclosure is so obviously poor (no EULA shown to the user, EULA contains only links to EULAs from multiple other adware vendors, etc.)?

(For the record, installation logs and copies of all files installed from that exploit have been archived.)

Alex Eckelberry