The folks over at philosecurity.org have a great interview with an adware author article that anyone using Windows who’s interested in keeping the PC secure should read. Matt Knox is a developer who worked for a rather notorious adware company called Direct Revenue for awhile. In the course of the interview he discusses why he took on the job:
S: Let’s back up a second. Why did you write adware?
M: I was utterly and grindingly broke for a little while. I started working on SPAM filtering software. That work got noticed by [Direct Revenue], who hired me to analyze their distribution chain. For a little while, the site through which all their ads ran was something like top 20 in Alexa. Monstrous, really huge traffic. Maybe 4 or 5 months into my tenure there, a virus came out that was disabling some of the machines that we had adware on. I said, “I know enough C that I could kick the virus off the machines,” and I did. They said “Wow, that was really cool. Why don’t you do that again?” Then I started kicking off other viruses, and they said, “That’s pretty cool that you kicked all the viruses off. Why don’t you kick the competitors off, too?”
It was funny. It really showed me the power of gradualism. It’s hard to get people to do something bad all in one big jump, but if you can cut it up into small enough pieces, you can get people to do almost anything.
As adware became more widespread and the potential profits became apparent programmers started including code that would kick competing software off the PC as well as keep anti-virus applications from disabling them. An arms race soon broke out with folks trying to figure out how to keep their programs from being detected and removed. An increasingly complex technique that is referred to as persistence:
So we’ve progressed now from having just a Registry key entry, to having an executable, to having a randomly-named executable, to having an executable which is shuffled around a little bit on each machine, to one that’s encrypted– really more just obfuscated– to an executable that doesn’t even run as an executable. It runs merely as a series of threads. Now, those threads can communicate with one another, they would check to make sure that the BHO was there and up, and that the whatever other software we had was also up.
[…] We did create unwritable registry keys and file names, by exploiting an “impedance mismatch” between the Win32 API and the NT API. Windows, ever since XP, is fundamentally built on top of the NT kernel. NT is fundamentally a Unicode system, so all the strings internally are 16-bit counter Unicode. The Win32 API is fundamentally Ascii. There are strings that you can express in 16-bit counted Unicode that you can’t express in ASCII. Most notably, you can have things with a Null in the middle of it.
That meant that we could, for instance, write a Registry key that had a Null in the middle of it. Since the user interface is based on the Win32 API, people would be able to see the key, but they wouldn’t be able to interact with it because when they asked for the key by name, they would be asking for the Null-terminated one. Because of that, we were able to make registry keys that were invisible or immutable to anyone using the Win32 API. Interestingly enough, this was not only all civilians and pretty much all of our competitors, but even most of the antivirus people.
We also wrote a device driver and then a printer driver. When you write a device driver you get to do all sorts of crazy things, even crazier than the things you typically get to do in Windows. This was right around the time that the company [got sued by Eliot Spitzer and started shrinking ]. They made a somewhat poor business decision at the same time to get visible, and they branded their ads and everything at the same time that they were having me kick all of our competitors off and we were doing all that persistence stuff.
Eventually Direct Revenue shut down in mid-2007 and a final judgment in the lawsuit levied a $1.5 million fine against the company’s four founders—Joshua Abram, Daniel Kaufman, Alan Murray, and Rodney Hook—which seems like a lot until you consider that the company made more than $80 million in just three years with the founders themselves earning around $28 million. Proving once again that being a total douchebag can be very profitable indeed even when you get sued.
In addition to reading about the techniques used to keep the software on your PC the other fascinating insight comes from how the money is made. Remember the entry I wrote yesterday about how there appears to be a credit card scam making money 25 cents at a time over thousands of credit cards? Adware profits work on a similar principle:
The good distributors would say, ‘This is ad-supported software.” Not-so-good distributors actually did distribute through Windows exploits. Also, some adware distributors would sell access. In their licensing terms, the EULA people agree to, they would say “in addition, we get to install any other software we feel like putting
on.” Of course, nobody reads EULAs, so a lot of people agreed to that. If they had, say, 4 million machines, which was a pretty good sized adware network, they would just go up to every other adware distributor and say “Hey! I’ve got 4 million machines. Do you want to pay 20 cents a machine? I’ll put you on all of them.” At the time there was basically no law around this. EULAs were recognized as contracts and all, so that’s pretty much how distribution happened.
Multiply 4 million machines by 20 cents each and you get $800,000 from just one advertiser. As anyone who’s been infected with adware knows there’s often at least four or five clients of any particular company.
Linux fans will be happy with Knox’s suggestion for avoiding adware on their PCs:
S: In your professional opinion, how can people avoid adware?
M: Um, run UNIX.
It also helps to avoid using Internet Explorer if you have to run a Windows box (or just stubbornly insist on doing so as I do).