DescentBB

16th April 2006
What ho, reading public. Got a load of software-related updates coming up for you soon, but in the meantime I thought I'd just pass by to mention a shows update, and briefly ponder how exactly Direct Revenue can still claim innocence after their e-mails show they were quite aware of the accuracy of the accusations posted by myself, Webhelper, and other spyware researchers over the last five years (to which their only previous response was legal threats against us).

Their counter-argument appears to be that they've stopped doing the zero-notice/browser-exploit installs since they noticed the Attorney General investigating them... so that's all right then.

180solutions and the kidporn browser
So while I'm here pretending to keep this log updated on a regular basis, I thought I'd drop some adware video science atcha again. Since that's what all the cool kids do these days, and that.

This one concerns our good friends at 180solutions, another company who claim to have cleaned up—evidently this excuses all the illegal installs of the past, still serving up unwanted ads to their hapless victims. Not to mention their ownership of the erstwhile CDT-Inc: previously number-one bundler of third-party spyware (including 180's) to the CWS browser-exploit gangs*. How wonderful to live in this world of instant forgiveness for all the harm you do, and get to keep the ill-gotten profits too.



This video [left] demonstrates 180's new ‘S3’ installer system. And it looks good to start with: we deliberately download and install a program called ‘YapBrowser’ bundled with the Zango toolbar and ads delivered by the latest descendent of the nCase spyware. Unlike the instances documented by Ben, there is no browser exploit here; nor is the install button clicked automatically for us. The software, including the actual YapBrowser program itself, is downloaded from the 180 Zango servers (see HTTP logs).

[Video encoded as MPEG-4 ASP in AVI. As such you will need either a codec such as DivX or XviD (Windows binaries), or a standalone player such as VLC, if you don't already have one. Parts of the video are obscured for reasons about to become obvious; full lossless video available if any researchers actually need it.]


So all seems fine until we actually try the YapBrowser program, by clicking on its system tray icon. It then reveals itself to be an embedded IE instance with all the browser features removed, and some toolbar icons nicked from Firefox. It starts off, naturally enough, at yapsearch.com, a typical poor-portal strewn with pay-per-click search links, same as you always find as your homepage when you get hijacked by a CWS infection.

Strangely enough, none of these links are working at the time of writing, so in exchange for installing 180's intrusive software you get a browser whose homepage is stuck on a portal with no working links. Another great Zango “value proposition”.

But the really funny bit (or, well... disturbing really, I suppose, but by this point nothing surprises me) is what happens if you get bored of the broken search site, and try to use the browser to go anywhere else. Type a URL into the address bar at the top—any URL, or anything at all, or nothing—and the browser sends you straight to an advert page. An advert page for hardcore child porn sites.

You 'eard. Software downloaded from 180's servers promoting kidporn. Keepin' the internet free, there.

So who is this ‘Enigma Global Inc’ that the YapBrowser installer claims is responsible for the program? The language in the licence agreement, claiming that the software contains no “Grecian horses” suggests English isn't their first language, that's for sure; the site are hosted at Pilosoft, one of the largest US ISPs for the Russian-language adult webmaster community and their security exploits, hijackers and PPC sites collectively known as CWS.

The whois information for yapcash.com, the affiliate scheme for the yapsearch.com site, is given as “John Malkovich”—obviously fake, but with a probably-not-fake e-mail address at yahoo. The same details are used for a group of sites at Eltel, a Russian ISP, including one site that redirects the user to browser exploits at paradise-dialer.com, which load trojans, spyware (via the CWS Cactus group) and dialers (from PremiumBilling, aka Coulomb).

Paradise-dialer's whois places it as part of the CWS group known as Dimpy, aka BigBuks. Since the BigBuks whois is also given by mix-click, referred to by the yapbrowser/yapsearch whois, and the aforementioned servers at Pilosoft and Eltel (as well as the paradise-dialer server also at Pilosoft just a few IP addresses away) run many other sites that link back to browser exploits and child porn promotions run by BigBuks, it seems reasonable to assume that they are the same group of people.

(Again, full list of domains/info available to security researchers, but contains much that is unsavoury indeed. Visting any of the domains mentioned here is an extremely bad idea.)

Nice to see 180 is still picking their partners so very well. (And cheers to Mike Burgess on the MVP spyware list for spotting YapBrowser!)