Softpanorama

May the source be with you, but remember the KISS principle ;-)
Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013

Contents : Foreword : Ch01 : Ch02 : Ch03  : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13


Chapter 8: Spyware

Introduction to spyware

So-called spyware are program that tracks your surfing, substitute ads in search results, delivers pop-up ads and could  collect other information about you. Spyware appeared on the radar screen of malware researches around 2000. One of the first cases was  Vx2  included in the AudioGalaxy Satellite file-sharing system. Users outcry got it removed in November 2001. then it was included in a "free" viewer for adult video content and the "free" products from Mindset Interactive.

Most spyware contains mechanism that make its removal difficult. As they are professionally programmed software systems their reverse engineering is difficult and their exact properties and mechanism used are not always uncovered.

Spyware became a huge problem in since approximately 2000.  Paradoxically this was the one of the first presents that new century brought to computer users.

As Jeffrey Benner  wrote in Wire Jan. 24, 2002 (http://www.wired.com/news/technology/0,1282,49960,00.html)

You may not have heard of the VX2 Corporation, but if you've downloaded Audio Galaxy lately, VX2 may know a lot about you. VX2's spyware program comes bundled with other software. Audio Galaxy, a company that makes Napster-style file-sharing software, delivered it for a short time last fall, but says it no longer does so.

The VX2 program is currently bundled with a free screensaver program from Aadcom, an Internet advertising company, and may be included in other popular file-sharing programs.

Like other spyware, the program, once installed, tracks which websites the user visits, and reports the information back to the company's servers to build a user profile. It also serves pop-up ads so they appear to be coming from websites that don't actually serve the ads. But that's not all it does. According to VX2's own privacy policy, "VX2's software also collects some information from online forms that you fill out." The policy statement assures users it has engineered the program not to collect sensitive data, such as credit card numbers. However, "if such data were -- despite VX2's best efforts -- ever inadvertently collected, VX2 would immediately purge such information from its database."

But that should offer little comfort, according to privacy expert Richard Smith, because there's really no way to verify what VX2 does with the data it collects.

"The privacy policy says a lot of nice things," Smith wrote in an e-mail, "but I am not sure what to believe because the company refuses to identify itself, and the e-mail address given in the privacy policy does not appear to be valid."

A similar flap arose a few weeks ago over "ClickTillUWin" spyware bundled with file-sharing programs Kazaa, BearShare and LimeWire. But VX2 may be even more dangerous.

Trying to get to the bottom of who is behind VX2, what information it collects and what it does with it is a case study in just how insecure a place the Internet can be.

The only contact information available on the company is a Hotmail address and a post office box in Las Vegas, Nevada. The address belongs to a company that specializes in setting up corporate shelters. E-mail to the Hotmail address went unanswered.

Even Audio Galaxy, which bundled VX2's software with its software for a 34-day period ending Nov. 4, 2001, said it doesn’t know anything about VX2. Audio Galaxy spokesman Michael Merhej said he had never even heard of VX2 until he received an angry inquiry about it earlier this week from the editor of a website called Portal of Evil.

"We know nothing about VX2," Merhej said. The VX2 program file (called vx2.dll) was part of an advertising graphics enhancer made by the Onflow Corporation, he said. Audio Galaxy offered the Onflow program as part of its software package from Oct. 1 through Nov. 4, 2001, Merhej said. The partnership was cancelled due to unpaid bills.

How Audio Galaxy could not know what it was delivering its customers baffled Portal of Evil editor Chet Faliszek, who described his website as "Yahoo for the strange." He published his article, about VX2, Audio Galaxy and Onflow on Tuesday. He stumbled onto the issue while investigating the origin of pop-up ads that appeared to be coming from his own site -- which he knew shouldn't have pop-ups.

"I was annoyed by these pop-ups," Faliszek said. He started digging, but ran into a wall of shadows, denials and false trails. He thinks the problem of sneaky programs like VX2 is growing, and something needs to be done. "Self-policing isn't working," he said. "I hate to say we need government intervention, but something needs to be done."

But Merhej discounted Faliszek concern as paranoia. "That Portal of Evil stuff: It was like one big conspiracy theory," he said. "There's no conspiracy, that I know of."

But VX2 remains a mystery. Merhej passed the buck for the program onto Onflow, but in a statement made to POE, Onflow also denied any involvement with VX2. "We have absolutely nothing to do with VX2," the statement read. "We have never even heard of it until today."

There was a middleman in the deal. Audio Galaxy actually received the Onflow software package through Mindset Interactive, an advertising agency. Neither Onflow nor Mindset Interactive responded to requests for comment.

Other early "spyware perpetrators"

Alexa

We've received many requests as to whether Alexa is spyware or not. Well, the Alexa toolbar which is available for download contains spyware agents whereby information about your web surfing is gathered for statistics purposes. Whether or not the owner of Alexa does other things with this information is not known. If you wish to use some of the Alexa functions, it is best to go to http://info.alexa.com and get the information you want from the web site itself. About the traffic ranking: many (new) web site owners are abusing the system, and are generating page views using robots. We monitored one new shareware web site which has literally gone from nowhere to the TOP 5000 and is climbing further at an unprecedented rate. NO WAY JOSE. Why do the abusers bother? To fool advertisers and potential buyers of the site. New web sites that are 100% database driven (and nowhere to be found in any major search engine), simply do NOT generate such traffic in such a short time. IT TAKES YEARS!! HEY, WE KNOW!! Until Alexa does something to prevent this kind of abuse, their traffic rank system is unreliable and does not necessarily reflect the reality.

Aureate / Radiate

Their technology can be instantly embedded in any software product to give advertisers the ability to target software users while they are using the software. Registering Aureate embedded software does not ensure Aureate will be uninstalled or will stop transmitting information. The Aureate technology is not stopped by firewalls. Radiate can deliver precise audience targeting, rich media, advertisements can be viewed when users are not connected to the Internet, splash screens, dynamic messaging, customized demographic collection and real-time surveys. Aureate components include adimage.dll, advert.dll, amcis.dll, amcis2.dll, anadsc.ocx, anadscb.ocx, htmdeng.exe, ipcclient.dll, msipcsv.exe and tfde.dll. Other components may have been added.

Conducent Timesink

Their technology utilizes the Internet to dynamically deliver content to desktop software. Once the content is received it can be displayed at any time in the application. Content activity information such as advertising impressions and click through data is recorded and sent back to Conducent for daily reporting. Conducent does not provide users with an uninstall feature. Their software provides real-time ad targeting campaigns through the Timesink component TSadbot.exe. Conducent has formed strategic partnerships with most of the major Internet advertising networks. The following files are used: tsadbot.exe in C:\Program Files\TimeSink\AdGateway, tsad.dll, vcpdll.dll and FlexActv.dll in C:\Winnt or C:\Windows, Addon2VB.dll in C:\Winnt\System or C:\Windows\System. Right clicking on the filename, the Properties tab shows Conducent Technologies Inc. You can delete the TimeSink directory, the files, and the Registry entries. Look in Hkey_local_machine\Software, Hkey_current_user\Software. Look also for entries in Hkey_local_machine\Software\Microsoft\Windows\Current Version\Run and in Hkey_local_machine\Software\Microsoft\Windows\Current Version\Shareddlls .

Cydoor

This technology can be activated both in online and offline modes. The technology's architecture can be integrated into any software program. Cydoor can update or rotate banner ads not only when users are online, but also when they are offline. Upon installation of a software application integrated with our advertising technology, Cydoor Technologies sets a numerical identifier on your computer. The following files are used in C:\Windows\System: cd_clint.dll, cd_gif.dll, cd_swf.dll and cd_load.exe. You can delete the C:\Windows\System\Adcache directory. Then remove all instances from the Registry. Look in Hkey_local_machine\Software, Hkey_current_user\Software. Look also for entries in Hkey_local_machine\Software\Microsoft\Windows\Current Version\Run and in Hkey_local_machine\Software\Microsoft\Windows\Current Version\Shareddlls

Comet Cursor

A browser extension that gives web sites the power to change the cursor, substituting any image or animation instead of the arrow. Comet Systems receives web log information: cookies, referrer id's, IP addresses and other system information using a unique identifier system. Each time a user clicks on site content that information is stored anonymously. Comet uses this aggregated usage information to determine which cursor content is most popular as to improve the content selection and performance of the site. To prevent Comet Cursor from automatically installing itself in your MS Internet Explorer, make sure "Installation of Desktop Items" is disabled or set to Prompt in the Security settings for Internet and Restricted Zones, Download Signed Active X Controls should be set to Prompt (under Tools | Internet options). Netscape users should have Require Manual Confirmation of Each Install checked under Edit | Preferences | Advanced | Smart Update. If these settings do not stop automatic installs, check your 'trusted' applications under Edit | Preferences | Navigator | Applications.

eZula / KaZaa Toptext

Sells targeted traffic based on the content of everyone's web page without having to develop any content of their own. There is a new file sharing system launched in the wake of the MP3 war called KaZaa. When you install KaZaa you get a spyware virus installed on your computer. Toptext takes control of your browser and makes changes to everything you read on the Internet (like Flyswat), which qualifies it as a hacking program as well. It changes the way you'll browse forever.

NOTE: the latest version of this program also installs the following spyware agents: Cydoor, Webhancer and New.net.

TopText operates with a browser to highlight words on every web page, inserting a yellow background behind keywords that have been purchased through their media sales company eZula, Inc. If a web user clicks on one of those yellow highlighted words on a web page, the user is sent to the site of the company paying the most that day for each click-through. If a user whose browser is infected with TopText visits your web site, they will be offered links to competitor's web sites for every keyword they find on your site for which they have a buyer.

This is not much different from the Smart Tags system that Microsoft announced for their Windows XP browser. Media and webmaster outrage caused Microsoft to cancel the release of that feature, for the time being that is. Several download web sites are actively helping this kind of virus to spread, as long as it pays, I guess. SimplytheBest.net does not. We don't like this invasion of privacy and will not in any way assist in spreading the use of this program. This spyware agent is very hard to get rid of so your best option is to never download it in the first place. Look for alternatives instead that offer the same functionality without the spyware agent.

You can remove EZula instances from the Registry:

HKEY_CLASSES_ROOT\EZulaBoot.InstallCtrl.1
HKEY_CLASSES_ROOT\EZulaBoot.InstallCtrl.1
HKEY_CLASSES_ROOT\EZulaBootExe.InstallCtrl
HKEY_CLASSES_ROOT\EZulaBootExe.InstallCtrl.1.
HKEY_LOCAL_MACHINE\Software\CLASSES\AppID\eZulaBootExe.EXE
HKEY_LOCAL_MACHINE\Software\CLASSES\AppID\{C0335198-6755-11D4-8A73-0050DA2EE1BE}
HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{3D7247D1-5DB8-11D4-8A72-0050DA2EE1BE}
HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{3D7247DE-5DB8-11D4-8A72-0050DA2EE1BE}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\ C:/WINDOWS/Downloaded Program Files/eZulaBoot.dll

And in HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU you'll find an entry for EZulaboot.

And from your harddisk:

C:\WINDOWS\Downloaded Program Files\InstallCtrl.class, which mentions two files it depends on ezulaboot.dll and ezulaboot.inf.
C:\WINDOWS\eZulains.exe
C:\WINDOWS\APPLOG\ezulains.lgc

You can use AD-aware to get rid of Toptext, but it will cause problems with your Internet connection and so forth. Best way to go is not to download and install ANY spyware. It's getting more difficult to get rid of them and even to find them. After using AD-aware you can double check the Registry by doing a Find for eZula.

You can also visit the WhirlyWiryWeb.com web site for more information on eZula and Toptext. They also feature a script which checks if you have Toptext installed and a complete Toptext removal guide.

Flashpoint / Flashtrack

Yet another spyware agent called FlashTrack has made its entrance into your PC and your web surfing experience. FlashTrack's website claims that the program monitors queries from 27 search engines in over 50 languages, and performed by users who have mistakenly downloaded it, and pops up ads targeted to specific search terms, which by the way seem to be emanating from the web site you just visited. It is installed with software of which we do not know the list at this time. FlashTrack allows the media buyer to purchase media based on any URL visited and any keyword typed into any of the major search engines. FlashTrack further enhances the media buy through time-of-day based ad serving, frequency capping and seven differing web usage occasions to determine the type of web usage being conducted by the user. All of this real-time data mining is designed to effectively segment the optimal audience (it may be YOU). To remove the Flashtrack spyware agent you can get FTunin.exe from the Flashpoint web site.

You can try to remove it yourself. FlashTrack installs its software in a directory called c:\program files\ftapp. Before you delete this file, you must remove it from the registry and restart the computer.

On Windows 95/98/Me, enter this command at the command line:
"%WinDir%\SYSTEM\regsvr32.exe" /u "C:\Program Files\ftapp\ftapp.dll"

On Windows NT/2000/XP, enter:
regsvr32 /u "%ProgramFiles%\ftapp\ftapp.dll"

Then remove the file and the directory program files\ftapp.

Flyswat

A search enhancement for MSIE. To install and use it, Active X controls and plug-ins in IE's security setting must be enabled. Flyswat is also bundled with some other applications. The service logs anonymous click-streams as users navigate the Internet. The data has no personal demographic information. Flyswat uses the information for product enhancement and shares it with partners. Uninstall it via the Add/Remove Programs function.

Gator

Gator helps you to fill out forms and remember usernames and passwords of sites you frequently visit. You may even have credit card information readily available when you wish to purchase something online. A very dangerous thing to do. Your personal information is stored on your computer in an encrypted file. Gator accesses this personal information, using your IP address. Gator targets consumers based on site visitation and historical behavior. Gator provides aggregate statistics about its customers, traffic patterns and related site information to third-party vendors. As banners from sites you visit are being served, Gator will show their advertiser's banners instead.

GoHip

A browser extension that installs a program called 'Windows Startup' in your Start menu. This cutie will reconfigure your browser's setting for Startup page. It also attaches an advertisement to every message you send and as such works like the new Sircam virus. GoHip places a file in your Windows directory that sets your AutoSignature, changes your search page and sets your start page. The executable program is called 'winstartup.exe' and is usually located in C:\Windows. You can delete this EXE and remove the Startup entry. GoHip removal can also be done using the GoHip 'remove.exe'. Download it here. Save it to your desktop and run it, then reboot.

Hotbar

This is a fairly new one. We received their unsolicited e-mail through one of our e-mail addresses and it reads as follows:

Hi, I thought you might be interested in a marketing program that will place your clients' logo and link on 4,000,000 users' Internet Explorer browsers specifically when users visit relevant sites or search for related keywords. Hotbar's recently released toolbar allows for this non-intrusive targeted advertising via buttons that change while users surf to relate to the websites they visit so for instance a Web Hosting advertiser can place their button on our bar that will appear when users visit other web hosting sites. Alternatively we can deliver a flash popup to any url you choose on a cpc basis. You determine which sites you want your ad to appear on and when a user visits any of those sites we'll send your pop up. We can generate targeted traffic for any category of advertiser. Please contact me if you are interested in more information. Best, E. M., Business Development Manager, Hotbar.com, Inc.
 
Hotbar collects and stores information about the web pages you view and the data you enter in search engine search fields while using the software (some browser toolbar you can download for free). While using the Hotbar toolbar, Hotbar uses this information to determine which ads and buttons are displayed in the toolbar and which ads to show your browser (including Flash popups). As the above unsolicited e-mail states: they can deliver a flash popup to any url the advertiser chooses. When you visit web sites with the toolbar installed (the "Service"), Hotbar collects information about the web sites you visit and the pages you view. Hotbar stores your IP address, domain name, URL of the web page you are visiting, information about your browser, information about your computer's operating system, your Hotbar cookie number and the date/time the above information is logged. When you type search terms into a search engine, the search term you entered is transmitted from your computer and stored by Hotbar. Also stored is what toolbar buttons you click on, what links within the toolbar buttons you click on, the amount of time you have used it during each session, what browser skins you have downloaded during any given session, and if you have encountered forms where you have entered your personal information, this may be stored as well (if the site you entered the information at, forwards the entered information via form scripts). Hotbar serves ads from some well known ad networks. Amazingly, this program received a 5-star rating from ZDnet?

Why would anyone want a toolbar in their browser showing advertising buttons (don't we get enough advertising in one day to last us a lifetime?) and why would anyone want the 'non-intrusive' popups with every web site visited?

ISTbar

ISTbar is an MSIE toolbar, homepage and search hijacker provided by Integrated Search Technologies/CDT Inc. It installs several spyware agents mainly by ActiveX drive-by download (yes you read it correctly) on affiliate sites and delivers mostly porn ads. Details here.
ISTbar also installs porn pop-up producer RapidBlaster and the download assistant DownloadPlus.

Lions Pride Enterprises / Blazing Logic / Trek Blue

We received quite some complaints about two programs in particular: Spyware Nuker and NoPop!. Since we didn't have any information on these two programs, and could not verify it for ourselves, we went searching, and we found the following articles (judge for yourself):
CamTech 2000 Newsletter | Spyware Nuker Reviews | Newsgroup (note the ad on top? | SpywareInfo Newsletter

Lop (C2Media)

We've been getting reports about lop.com placing spyware agents on user's systems. We've had a look and it seems that if you use their site they collect data using cookies (cookies are a technology which can be used to provide you with tailored information from a Web site. A cookie is an element of data that a Web site can send to your browser, which may then store it on your system). The lop.com site makes use of cookies for the following purposes: user targeting and research & development, and if you install their (toolbar' you'll get spied on (in cooperation with DoubleClicks and the Network Advertising Initiative (NAI) both serving the ads). To remove this toolbar: select 'Uninstall' from the 'Help menu' of the software you installed, or if you are not sure which piece of software you installed you can run their toolbar uninstaller available here or use Ad-Aware. We're not clear as to what exactly lop.com does with the data and if 'things' are served even after leaving their web site. We'd like some more feedback on this.

Mattel Brodcast

Utilizes its DSSAgent.exe to send information from user computers to Mattel. It also sends unsolicited information on product offerings and discounts to users. It is mostly spread among the Mattel product lines for children.

Morpheus

Users wanting the functionality of KaZaa can download Morpheus, but Morpheus contains spyware agents as well. Morpheus has licensed the technology of Gnutella for use in the Morpheus program.

Realplayer

The well-known RealPlayer also seems to be full of spyware agents. We have not tested each version ourselves, but many complaints have been coming in about this. From what we can gather the Basic version may not be infested, but the full version is (for which you have paid for). If you remove the spyware agents, the program won't run anymore. To avoid their spyware agents from taking control keep RealPlayer from loading on startup. Use a firewall when using it on the Net. Go into Preferences and disable any option that allows the player to call home. So, if you're in need of a media player, try downloading some from this page.

Songspy (IMG Entertainment)

Songspy is a new music sharing program and states that it is 100% freeware. According to Songspy, you aren't tracked, logged or monitored for analysis by the client software. The spyware agent uses port 5190. Once it connects to their server there is no disconnecting possible and your hard drive is openly available for 'sharing'.

Web3000

Their ad shows up above banner ads and it travels with you to all the sites you visit. You'll see text messages on the upper right corner of your browser, and there are splash screens or pop-up offers, and a button in the lower right area of your screen may try to sell you something. They analyze the number of users, visited pages, amount of time spent there and incoming addresses. Registering software embedded with Web3000 does not ensure the software will stop transmitting your private information. The Web3000 network ads component runs independent of the inflicted spyware program. The ad component allows the network to serve you advertising in your browser whenever and wherever you are on the Internet. Messages are delivered via browser headlines, splash screens, status bar messages and newsletters. Web3000 replaces winsock32.dll and other Windows system files.

WebHancer

WebHancer provides a traffic measurement service that uses a client agent that is installed on user machines. It gathers information such as visited web page address, web page size, web page load time, web page completion state and network delay time. The latest version has features including cross-site and on-site web analytics and performance analysis. The installation is hidden and triggered by the installation of software that is bundled with it. Incorrect removal procedures will destroy your Internet connection. The running WebHancer process appears in the Task List of Windows as Whagent. Any of the following files in your Windows directory indicate the presence of WebHancer: webhdll.dll, whagent.inf, whInstaller.exe, and whInstaller.ini. According to Webhancer you uninstall as follows:

  1. go to Start / Settings / Control Panel and double-click on the "Add/Remove Programs" icon.
  2. select the program called "Webhancer Customer Companion" and click the Add/Remove button.
  3. once the program has been uninstalled, restart your computer.

We suggest to do the following as well:

  1. check your Windows directory for these files (webhdll.dll, whagent.inf, whInstaller.exe, whInstaller.ini) and delete them.
  2. delete the WebHancer folder in your Program Files directory (if still there). Reboot if you can't delete a file called wbhshare.dll.
  3. clean up your default Temp directory (used for placing files during installation).

Justice?

What do you think about this?


Zoo

VX2 and derivatives

coolwebsearch

Recommended Links

Softpanorama hot topic of the month

Softpanorama Recommended

Top articles

Sites

Advertising Spyware VX2 RespondMiter (vx2.dll) - Blackstone Data Transponder - Sputnik - Aadcom - NetPal - TPS108

VX2.BetterInternet - Remove VX2.BetterInternet - VX2. ... -- list of files