Security News > 2005 > August > Adware Firm Accuses 7 Distributors of Using 'Botnets'
http://www.washingtonpost.com/wp-dyn/content/article/2005/08/16/AR2005081600727.html By Brian Krebs washingtonpost.com Staff Writer August 16, 2005 A major online advertising company that has been accused by security experts of fueling the spyware problem says it is taking legal action against seven people in six countries who, it claims, used viruses to spread ad software to thousands of computers without their owners' consent. In a lawsuit filed yesterday in a federal court in Washington state, Bellevue-based 180Solutions names seven of its affiliates -- individuals whom it paid to distribute the company's software, which causes advertisements to "pop up" depending on which Web sites the users visit -- and accuses them of installing it on thousands of Microsoft Windows PCs that they had infected with computer viruses. The company seeks unspecified damages and a halt to their distribution of its software. The legal action is the latest effort by 180Solutions to clean up its image following years of criticism for failing to more closely monitor its distributors and crack down on those who profit from installing its software illegally. Since January, the company says, it has severed ties with more than 500 distributors who were found to have installed its "adware" without the recipient's knowledge or consent. 180Solutions claims the affiliates used "botnets" -- large groupings of hacked, remote-controlled computers or "bots" -- to distribute and install their software. A single botnet can consist of thousands of computers, most sitting on desktops of innocent users who have no idea that a virus infection is allowing a hacker to use their PCs for illegal purposes. Online criminals have long used such networks to steal sensitive information from their victims, distribute junk e-mail and to wage debilitating "denial of service" attacks that inundate Web sites with so much bogus traffic that they can no longer accommodate legitimate visitors. A Business Opportunity Increasingly, however, botnets are being used to install spyware and adware. McAfee Inc., a computer security company based in Santa Clara, Calif., said it witnessed a 12 percent increase in the number of adware programs installed on computers in the second quarter of 2005, an increase it said was driven heavily by the proliferation of bot programs configured to install the adware. The legitimate distribution method for 180Solutions contractors is to embed computer code into their Web sites that asks each visitor for consent to install, in exchange for access to content on the site. Each time a visitor agrees, the Web site owner earns a small commission, usually between 5 and 20 cents. 180Solutions requires its partner Web sites to prompt visitors for approval, but security experts have documented hundreds of sites that use security holes in the visitor's browser to quietly install the adware without permission. Armed with a botnet of several thousand computers, distributors can make big money, and fast. LoudCash.com, a Quebec-based distribution firm bought by 180Solutions earlier this year, promises affiliates "big league payouts" and claims to offer the best per-installation rates in the industry, currently 25 cents. LoudCash's site features a "revenue calculator" which prospective affiliates can use to estimate their monthly earnings. An enterprising hacker controlling a network of just 5,000 PCs -- and at least half of the target computers are located in the United States -- that bot master could make as much as $744 a day, or $22,346.25 a month, according to the company's calculator. That sort of easy money is a strong draw for hackers who already control botnets and are willing to use them as platforms for spyware and adware, said Sam Norris, president of San Marcos, Calif.-based Changeip.com, a company that helps Web sites remain reachable at the same domain name no matter how frequently their numerical Internet address changes. These "dynamic DNS services" allow botnet operators to periodically change the location of the Web servers used to control their networks, thus making them much harder to detect or shut down. Norris said that each week he terminates several new Changeip.com accounts that appear to be connected with botnet and spyware activity. In the spring, Norris began tracking one customer who was using Changeip.com's services to control a botnet of 40,000 computers. Norris obtained a copy of the virus the customer used to infect machines and install the 180Solutions software; the programming code also contained an affiliate ID number issued by LoudCash. Norris alerted 180Solutions to the activity, and the advertising company said it later traced that affiliate ID to one of the defendants. The bot program directed computers to download and install 14 different adware products, more than half of which were produced by 180Solutions, Norris said. The virus also included at least 30 other features, including the ability to capture all of the victim's Web traffic and keyboard keystrokes -- with a particular interest in Paypal user names and passwords. Other programs installed by the bot allow the attackers to peek through the user's Webcam, or steal PC game registration keys. The lawsuit alleges that the defendants -- Eric de Vogt of Breda, the Netherlands; Jesse Donohue of South Melbourne, Australia; Khalil Halel of Beirut; Imran Patel of Leicester, England; Zarox Souchi of Toronto; Youri van den Berg of Deventer, the Netherlands; and Anton Zagar of Trbovlje, Slovenia -- used botnets to install 180Solutions' software. The company has notified the FBI about its findings, but an FBI spokesman declined to say whether the agency was investigating the claims. Five of the defendants were contacted by washingtonpost.com but have not responded to requests for comment. 180Solutions attorney Kevin Osborn said the company does not know exactly how many illegal installations the seven former affiliates were responsible for, but estimates that in all they were paid at least $60,000 during the weeks and months that they worked for the company. Dealing With the 'Rogues' David DeLanoy, manager of partner development at 180Solutions, said the company's software is installed on about 20 million computers worldwide, but that so-called "rogue installs" account for just five percent of that user base. 180Solutions made more than $50 million in revenue last year through its software, which serves online advertisements for some of the nation's largest companies, including Cingular, Expedia.com, JP Morgan Chase, Monster.com and T-Mobile International. But 180Solutions' estimates don't sit well with Ben Edelman, a PhD candidate at Harvard University who has documented the most egregious practices in the adware industry. (Edelman was hired in 2003 as an expert witness by The Washington Post Co. and other news outlets in their lawsuit against the Gator Corp. -- now Claria Corp. -- one of 180Solutions' biggest competitors. The media companies accused Gator of serving pop-up ads over the Web publishers' pages without their permission. Gator later settled the suit.) "I'd estimate that more than half of [180Solutions'] 'users' have no idea they even have the software, let alone ever consented to installing it in the first place," Edelman said. "The company says in one breath that rogue installs account for just 5 percent of their user base, but they also say they have no real way of knowing which installs are legit, so I'm not sure how they could really draw that estimate." Edelman said that if the companies do know which installations were fraudulent, it should already have devised a way to remove them. "There is no reason for them to have waited this long, except to receive the revenue that those installs bring in," Edelman said. Eric Howes, a spyware researcher at the University of Illinois at Urbana-Champaign, said 180Solutions is not only a major cause of the spyware and adware problem, but that it also is in a position to significantly clean up the problem. Howes pointed to the turnaround in the past year of WhenU, once reviled for its aggressive adware installation tactics. Last year, for example, the company announced it would no longer allow partners to install its software through Microsoft ActiveX, a component of the Internet Explorer Web browser that adware company affiliates have long used to conduct illegal "drive-by" installations. "WhenU pretty much put an end to the problem of sleazy installs of its software, so we know it can be done," Howes said. "180's enforcement division has really got to get up to speed, because I've seen no evidence they have a robust enforcement division, other than when they occasionally track down leads that people in the anti-spyware community hand to them." DeLanoy said the company is putting new technologies in place that will allow it to better track how its software is installed and by whom, and ensure that users agree first. In the meantime, 180Solutions is using its ad-serving network to display pop-up notices warning customers that its software may have been installed on their computers without their consent and providing instructions on how to uninstall it. Later this year, the company also will begin uninstalling its software from computers on which it has reason to believe that the software was installed in violation of the company's terms, DeLanoy said. Changeip.com's Norris commended 180Solutions for its actions, but said the company and other adware vendors need to be far more aggressive in policing their affiliates. "Right now there are a lot of people distributing their software like this and getting away scot-free, and every day we're seeing more and more people getting into this," Norris said. Viruses and spyware have created a huge market for security software and services. At-home computer users invested more than $2.6 billion in software to protect their computers during the past two years, according to a study released this month by Consumer Reports. Even with those protections in place, however, consumers spent more than $9 billion on computer repairs and parts due to damage inflicted by viruses and spyware. © 2005 Washingtonpost.Newsweek Interactive _________________________________________ Attend ToorCon Sept 16-18th, 2005 Convention Center San Diego, California www.toorcon.org
News URL
http://www.washingtonpost.com/wp-dyn/content/article/2005/08/16/AR2005081600727.html