Beware friends asking for emergency money via Facebook chat.

Scammers are a clever bunch. They’re always coming up with ways to try and separate you from your cash. Lately it involves hacking Facebook accounts and then scamming friends of the victim into sending them money. The folks over at The Consumerist have two recent examples of the scam being thwarted by vigilant would-be victims:

Kevin was worried. His friend Mike said over Facebook chat that he and his wife and kids were stranded in London after getting mugged. They needed money wired immediately to settle their hotel bill. This was especially worrisome because Mike was supposed to be recuperating in the hospital from head surgery… Then Kevin realized that someone had cracked his friend’s Facebook account and was impersonating him.

If you check out both articles you’ll note that in both cases it shouldn’t be too hard to figure out that it was a scam simply from the rather amusingly bad English coming from the fake friends. Though, considering how poor some Americans’ typing habits are, I can see how it could be difficult to tell with some people.

Still, the scam tends to follow the same pattern. Said friend is stranded in some foreign country after having been mugged with the thief making off with their wallets and cellphones. Could you, pretty please, wire them some huge amount of money via Western Union so they can pay off their hotel bill and make their flight out of the country that’s due to leave in a couple of hours. No, they can’t call you. No, they don’t want you to send someone to pick them up. Just send them the fucking money and stop asking so many difficult questions like why it was they slept with your step-father in high school (see the first link for that amusing twist).

In short, much like the Windows operating system, Facebook has become a big enough thing that it’s now the target of criminals the world over who hope to take advantage of the trust you may have that the person claiming to be your friend really is your friend. You should always keep in mind how piss-poor most people’s password choices are and the fact that Facebook is like a sieve security-wise before rushing off to lend a hand.

[UPDATED] Samsung appears to be installing keyloggers on new computers they sell.


Luuuuucccyyy! You got some 'splanin' to do!

Bought a Samsung computer recently? Might want to run a malware check on it as it appears they may be intentionally installing a keylogger on it without telling you. Security consultant Mohamed Hassan has written an article for Network World that explains how he discovered the software on two new Samsung computers he purchased:

While setting up a new Samsung computer laptop with model number R525 in early February 2011, I came across an issue that mirrored what Sony BMG did six years ago. After the initial set up of the laptop, I installed licensed commercial security software and then ran a full system scan before installing any other software. The scan found two instances of a commercial keylogger called StarLogger installed on the brand new laptop. Files associated with the keylogger were found in a c:\windows\SL directory.

According to a Starlogger description, StarLogger records every keystroke made on your computer on every window, even on password protected boxes.

Hassan removed the software and continued on his merry way until some system trouble prompted him to return the laptop and purchase another higher-end Samsung from a different store. When he got home he found that it also had the StarLogger software on it:

Again, after the initial set up of the laptop, I found the same StarLogger software in the c:\windows\SL folder of the new laptop. The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years. The fact that on both models the same files were found in the same location supported the suspicion that the hardware manufacturer, Samsung, must know about this software on its brand-new laptops.

Once might have been an anomaly, but twice makes it pretty clear that this was by design. Given the fiasco with the Sony BMG rootkit a couple of years back you’d think Samsung would know better than to pull something like this, but, just like Sony before them, they tried to claim no knowledge of the software:

On March 1, 2011, I called and logged incident 2101163379 with Samsung Support (SS). First, as Sony BMG did six years ago, the SS personnel denied the presence of such software on its laptops. After having been informed of the two models where the software was found and the location, SS changed its story by referring the author to Microsoft since “all Samsung did was to manufacture the hardware.” When told that did not make sense, SS personnel relented and escalated the incident to one of the support supervisors.

The supervisor who spoke with me was not sure how this software ended up in the new laptop thus put me on hold. He confirmed that yes, Samsung did knowingly put this software on the laptop to, as he put it, “monitor the performance of the machine and to find out how it is being used.”

In other words, Samsung wanted to gather usage data without obtaining consent from laptop owners.

Yeah, that’s a bullshit answer. Keyloggers don’t monitor performance, they monitor your fucking keyboard. Hence the name KEYLOGGER. This particular keylogger is also capable of taking screenshots and emailing them along with the captured data without you ever knowing about it. Imagine buying a brand new computer and doing some online shopping or banking without knowing that it’s recording everything you type and sending it back to the manufacturer. Well, some of you probably don’t have to imagine that happening to you.

I can’t think of a single legitimate reason for Samsung to be capturing that kind of data. What are they really using it for? How are they securing it? How long are they keeping it? What makes them think this is even remotely legal?

This is particularly annoying as I like a lot of the things Samsung makes; the LCD monitors on my desk are from Samsung. I don’t own any computers made by them and I’ll definitely think twice before picking one up. The only question now is how long before the class action lawsuit is filed.

[Updated 9:35AM 3/31/11] Samsung didn’t waste any time looking into this and it appears that they may be the victim of a false positive, according to this article at CrunchGear:

Word comes from Samsung’s official Korean language blog, Samsung Tomorrow, that the company was able to recreate the incident and a keylogger is not on a factory-fresh notebook. The company states that the VIPRE security software used by the original whistleblower mistakenly reports the Microsoft Slovene language folder (c:\windows\SL) as the commercially available Starlogger keylogger. See the screenshot above for the proof — or if you have a R525 or R540 notebook, recreate the test yourself. As it sits right now though, it seems Samsung didn’t follow Acer’s lead and ship infected notebooks.

This is good news indeed. I can imagine Samsung wanted to nip this potential PR disaster in the bud as quickly as possible.
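The lesson in the CrunchGear update is a detection-engineering one: a rule that fires on a folder name alone will call a Slovene language pack a keylogger. The script below is an added example, not code from the article, Samsung or any AV vendor, and every path, hash and signer name in it is constructed. It runs two rule styles over the same constructed inventory of c:\windows\SL: a path-only rule that reproduces the false positive, and an evidence-backed rule that needs a blocklisted hash or an unsigned executable before it reports anything.

```python
"""Path-only versus evidence-backed detection, illustrated on a constructed
scan inventory. Added example, not from the article, Samsung or any AV vendor:
the paths, hashes and signer names are made up, so nothing here is a real
StarLogger or Windows artefact."""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

SUSPECT_DIR = "c:\\windows\\sl\\"   # the folder the scanner in the article keyed on


@dataclass(frozen=True)
class FileRecord:
    path: str      # full path as the scanner recorded it
    sha256: str    # hex digest of the file contents
    signer: str    # Authenticode signer name, empty when unsigned


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Two inventories of the same folder. The first models the Slovene language
# folder: Microsoft-signed resource files. The second models an actual
# keylogger drop: an unsigned executable (hypothetical name) whose hash is
# on a blocklist. All hashes are digests of constructed strings.
LANGUAGE_FOLDER = [
    FileRecord(r"C:\Windows\SL\shell32.dll.mui", _digest(b"constructed-mui-1"), "Microsoft Windows"),
    FileRecord(r"C:\Windows\SL\user32.dll.mui", _digest(b"constructed-mui-2"), "Microsoft Windows"),
]
BAD_HASH = _digest(b"constructed-keylogger-sample")
INFECTED_FOLDER = [
    FileRecord(r"C:\Windows\SL\winsl.exe", BAD_HASH, ""),
    FileRecord(r"C:\Windows\SL\shell32.dll.mui", _digest(b"constructed-mui-1"), "Microsoft Windows"),
]
BLOCKLIST = {BAD_HASH}


def _in_suspect_dir(path: str) -> bool:
    return path.lower().startswith(SUSPECT_DIR)


def path_only_rule(files: List[FileRecord]) -> List[str]:
    """The rule behaviour the article describes: anything living in the folder
    is reported as the keylogger. Returns the flagged paths."""
    return [f.path for f in files if _in_suspect_dir(f.path)]


def evidence_rule(files: List[FileRecord]) -> List[Tuple[str, str]]:
    """Treat the path as a hint only. Report a file when its hash is known-bad,
    or when it is an unsigned executable sitting in the suspect folder; signed
    resource files (the language-pack case) pass. Returns (path, reason)."""
    findings = []
    for f in files:
        lower = f.path.lower()
        if f.sha256 in BLOCKLIST:
            findings.append((f.path, "hash on blocklist"))
        elif _in_suspect_dir(lower) and not f.signer and lower.endswith((".exe", ".dll", ".sys")):
            findings.append((f.path, "unsigned executable in suspect folder"))
    return findings


if __name__ == "__main__":
    print("path-only rule, language folder:", path_only_rule(LANGUAGE_FOLDER))
    print("evidence rule, language folder:", evidence_rule(LANGUAGE_FOLDER))
    print("evidence rule, infected folder:", evidence_rule(INFECTED_FOLDER))
```

On the language-folder inventory the path-only rule reports both signed .mui files, while the evidence rule reports nothing; on the infected inventory the evidence rule reports only the blocklisted binary. A real scanner has more signals (signature validity, entropy, behaviour), but the shape of the fix is the same: location is corroboration, not proof.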

The security chip in that fancy new U.S. Passport? It’s made in Thailand.

The U.S. Government has been pushing what they consider a better passport since August 2007. It contains a contactless smart card in the back cover that contains the same data about you as what is printed in the passport itself. The idea is that this is supposed to make passport forgery impossible for the evil-doers of the world. The official website lists off several potential attacks which the cards are supposedly protected against including skimming, eavesdropping, tracking, and cloning.

Which all sounds really good except that since the cards were introduced a number of hackers and researchers have demonstrated that almost all of the protections in place can be successfully attacked and compromised with very minimal resources. The Wikipedia entry for biometric passports has the details and links about the attacks if you’re interested. It doesn’t help that not all of the security measures are mandated, with things such as Active Authentication and Extended Access Control being optional.

In short, cloning data on a passport is not difficult at all nor is burning it to a blank passport, something that was done back in 2006 before they were even being issued regularly. More difficult is modifying the data as there is a cryptographic hash used to verify the data, but that relies on the scanner reading the passport making use of it (not all do).
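The two checks the paragraph above leans on are easy to confuse, so here is a toy model of both. This is an added example, not code from the post or from the ICAO specification: real passports carry ICAO 9303 data groups, a CMS-signed Document Security Object and RSA or ECDSA keys, while this model uses HMAC as a stand-in for both the issuer’s signature and the chip’s Active Authentication key so it runs offline. It shows why the data-group hash (Passive Authentication) rejects a modified passport but accepts a faithful copy, and why only the optional chip challenge (Active Authentication) tells a genuine chip from a blank loaded with copied data.

```python
"""Toy model of the two e-passport checks the post touches on: the data-group
hash (Passive Authentication) and the optional chip challenge (Active
Authentication). Added example, not from the post or ICAO 9303: HMAC stands in
for the issuer's signature and the chip's private key so it runs offline."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ISSUER_KEY = b"constructed-issuer-signing-key"   # stand-in for the country's signing key


def _sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def _sod_body(hashes: Dict[str, str]) -> bytes:
    # Canonical encoding of the hash list that the issuer signs
    return "|".join(f"{n}:{h}" for n, h in sorted(hashes.items())).encode()


def issue_passport(data_groups: Dict[str, bytes]) -> dict:
    """Readable chip contents: the data groups plus a Security Object holding
    one hash per group and the issuer's 'signature' over that hash list."""
    hashes = {name: _sha256(blob) for name, blob in data_groups.items()}
    signature = hmac.new(ISSUER_KEY, _sod_body(hashes), hashlib.sha256).hexdigest()
    return {"dg": dict(data_groups), "sod": {"hashes": hashes, "sig": signature}}


class Chip:
    """A physical chip: dumpable contents plus a private key that never leaves it."""

    def __init__(self, contents: dict, aa_key: Optional[bytes]):
        self.contents = contents
        self._aa_key = aa_key          # None models a blank with no AA key material

    def read(self) -> dict:
        """Everything a reader, or a cloner, can pull over the contactless interface."""
        return {"dg": dict(self.contents["dg"]), "sod": dict(self.contents["sod"])}

    def sign_challenge(self, challenge: bytes) -> Optional[str]:
        if self._aa_key is None:
            return None
        return hmac.new(self._aa_key, challenge, hashlib.sha256).hexdigest()


def passive_authentication(contents: dict) -> bool:
    """Verify the SOD signature, then every data group against its stored hash.
    Catches modification; a faithful copy passes because nothing was changed."""
    sod = contents["sod"]
    expected_sig = hmac.new(ISSUER_KEY, _sod_body(sod["hashes"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, sod["sig"]):
        return False
    if set(contents["dg"]) != set(sod["hashes"]):
        return False
    return all(_sha256(blob) == sod["hashes"][name] for name, blob in contents["dg"].items())


def active_authentication(chip: Chip, aa_verify_key: bytes) -> bool:
    """Send a fresh challenge; only the genuine chip can answer. In the real
    protocol the verifier uses the public key from DG15 (covered by the SOD);
    in this symmetric stand-in the verifier is handed the matching key directly."""
    challenge = os.urandom(16)
    response = chip.sign_challenge(challenge)
    if response is None:
        return False
    expected = hmac.new(aa_verify_key, challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def scenario() -> Dict[str, Tuple[bool, bool]]:
    """Run both checks against a genuine chip, a clone and a tampered clone.
    All data-group values are constructed sample data."""
    data_groups = {"DG1": b"MRZ: P<USADOE<<JANE<<<<<<", "DG2": b"<constructed face image>"}
    aa_key = b"constructed-chip-private-key"
    genuine = Chip(issue_passport(data_groups), aa_key)
    clone = Chip(genuine.read(), None)                  # dump burned to a blank: no AA key
    altered = genuine.read()                            # dump with DG1 rewritten, SOD untouched
    altered["dg"]["DG1"] = b"MRZ: P<USASMITH<<JOHN<<<<"
    tampered = Chip(altered, None)
    return {
        "genuine": (passive_authentication(genuine.read()), active_authentication(genuine, aa_key)),
        "clone": (passive_authentication(clone.read()), active_authentication(clone, aa_key)),
        "tampered": (passive_authentication(tampered.read()), active_authentication(tampered, aa_key)),
    }


if __name__ == "__main__":
    for label, (pa, aa) in scenario().items():
        print(f"{label:9s} passive={pa} active={aa}")
```

The genuine chip passes both checks, the clone passes Passive Authentication and fails Active Authentication, and the tampered copy fails both. That is the whole argument of the paragraph in three lines of output: a reader that only checks hashes, or that talks to a chip which never implemented the optional challenge, has no way to tell the first two apart.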

You’d think, given all of the above, that the government would at least take steps to make sure the chips aren’t compromised before they’re ever issued. Perhaps, say, ensuring that they’re produced in a highly secure facility someplace within the United States?

Don’t be silly. The chips are currently being made in Thailand and have been for years:

Security of U.S. Passports Called Into Question – ABC News

The U.S. government agency that prints passports has for years failed to resolve persistent concerns about the security risks involved in outsourcing production to foreign factories, a joint investigation by ABC News and the Center for Public Integrity has found.

“On a number of levels this is extremely troubling,” said Clark Kent Ervin, a former inspector general at the Department of Homeland Security. “Something like that ought to be produced only in the United States, under only the most rigorous security standards.” A report on the outsourcing of U.S. passports to high-risk countries can be seen on World News with Diane Sawyer tonight.

Despite repeated assurances they would move production to the U.S., a key government contractor has continued to assemble an electronic component of the nation’s new, more sophisticated passport in Thailand.

The factory is near the same Bangkok suburb where a notorious terrorist extremist was captured in 2003. There have been bursts of violence in the industrial city, Ayutthaya, as recently as last month.

Both the inspector general at the Government Printing Office and the agency’s own security chief have warned specifically against producing the computer chip assembly in the Thai facility. One internal report obtained by ABC News and the Center for Public Integrity warned of a “potential long term risk to the [U.S. government’s] interests.”

All this bullshit talk by the Powers That Be about making things More Secure™ and not only are the chips being used easily cloned for a couple hundred bucks, but the factory that’s producing them is in an unstable area of a foreign country where terrorists are known to operate. The reason this is such a concern is because the U.S. Government, in its infinite wisdom, has made owning one of their fancy e-passports a shortcut past some of the more stringent security procedures — one official describes it as an EZ-pass — that would otherwise apply to people entering the United States.

Oh, but that’s not the best part. No, the cherry-on-top that I just know you’re going to love is the fact that there is absolutely nothing in place to make sure blanks don’t fall into bad guys’ hands:

GPO’s inspector general has warned that the agency lacks even the most basic security plan for ensuring that blank e-Passports — and their highly sought technologies — aren’t stolen by terrorists, foreign spies, counterfeiters and other bad actors as they wind through an unwieldy manufacturing process that spans the globe and includes 60 different suppliers.

This disturbs Rep. John D. Dingell, D.-Mich., who wrote letters to the agency two years ago raising questions about passport production.

“Regrettably, since then, our fears have been realized because the inspector general and other people in charge of security at the government printing office have pointed out that the security is not there,” Dingell told ABC News. “There is no real assurance that the e-passports are safe or secure or are not in danger of being counterfeited or corrupted or used for some nefarious purposes by terrorists or others.”

Feel safer yet? Oh, and there are stolen blanks out there from several different countries including a big heist of U.K. blanks in 2008.

Supposedly, most of the production of the chip has already been moved out of Thailand and officials are pledging to have the last bits moved out by the end of July. Also, as far as anyone is aware, no one has successfully made a forgery of a biometric passport using cloned data and a stolen blank chip. Given the number of vulnerabilities that have already been demonstrated it’s probably only a matter of time before someone figures out how to clone and modify a passport that’ll pass as real.

Sadly, all of the concerns and problems with this system were known by the U.S. back in 2004 having been raised by numerous security and privacy experts. Rather than take the time to address the issues raised they decided to just ignore them instead and pressure everyone else to adopt our flawed standard. That is, after all, the American way.

The TSA incompetently posts its secrets on the Internet.

What a sad fucking joke the Transportation Security Administration has turned out to be. Not only do they engage in security theater that does little to nothing to prevent actual threats, not only have they removed any desire I might have had to fly anywhere anytime soon, but now they’ve gone and posted their entire screening manual online:

Massive TSA Security Breach As Agency Gives Away Its Secrets – ABC News

In a massive security breach, the Transportation Security Administration (TSA) inadvertently posted online its airport screening procedures manual, including some of the most closely guarded secrets regarding special rules for diplomats and CIA and law enforcement officers.

The most sensitive parts of the 93-page Standard Operating Procedures were apparently redacted in a way that computer savvy individuals easily overcame.

The document shows sample CIA, Congressional and law enforcement credentials which experts say would make it easy for terrorists to duplicate.

Here you go, terrorists! Everything you need to bypass our shitty security system! It includes a detailed listing of the limitations of our x-ray machines and the fact that we only check 20% of checked bags by hand. Those two bits of information alone should make smuggling a bomb into the luggage compartment a lot easier to do. You’re welcome!
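The redaction failure the ABC report describes is the classic one: a black box drawn over text that is still in the file. Whoever publishes a redacted PDF can catch this before it goes out by extracting the text-showing operators from the content streams and checking that the sensitive strings are gone. The script below is an added example, not code from the article or anything from the TSA document; it builds two tiny single-page PDFs itself (one redacted by overlay, one by actually removing the text) around a constructed placeholder string, then runs the same check on both.

```python
"""Pre-publication check that a PDF redaction actually removed text instead of
painting over it. Added example, not from the ABC report or the TSA manual; the
two single-page PDFs and the 'secret' string are constructed here so the check
runs offline."""
import re
import zlib
from typing import List

SECRET = "CODE-EXEMPT-42"   # constructed placeholder, not anything from the real manual
TEXT_LINE = b"BT /F1 12 Tf 72 700 Td (Screening exception code: " + SECRET.encode() + b") Tj ET\n"
BLACK_BOX = b"0 g 72 690 300 20 re f\n"   # a filled rectangle over the line of text


def build_pdf(content_stream: bytes) -> bytes:
    """Wrap a content stream in a minimal one-page PDF with a correct xref table."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R"
        b" /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(content_stream) + content_stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)


def redact_by_overlay(stream: bytes) -> bytes:
    """What a drawing tool does: the box goes on top, the text operator stays."""
    return stream + BLACK_BOX


def redact_by_removal(stream: bytes, secret: bytes) -> bytes:
    """Real redaction: the text operator is rewritten without the secret, then boxed."""
    return stream.replace(secret, b"[REDACTED]") + BLACK_BOX


_STRING = rb"\((?:\\.|[^\\)])*\)"                     # a PDF literal string (...)
_TEXT_OP = re.compile(rb"(%s)\s*Tj|\[([^\]]*)\]\s*TJ" % _STRING)


def extract_text(pdf: bytes) -> str:
    """Collect every string handed to a text-showing operator (Tj or TJ) from
    every content stream, inflating FlateDecode streams on the way. A painted
    rectangle never shows up here; only deleting the operator removes the text."""
    pieces = []
    for stream in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        data = stream.group(1)
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass                                      # stream was not compressed
        for op in _TEXT_OP.finditer(data):
            literals = [op.group(1)] if op.group(1) else re.findall(_STRING, op.group(2))
            pieces.extend(lit[1:-1].decode("latin-1") for lit in literals)
    return "".join(pieces)


def residual_terms(pdf: bytes, sensitive: List[str]) -> List[str]:
    """Return the sensitive terms that are still readable in the file."""
    text = extract_text(pdf)
    return [term for term in sensitive if term in text]


def audit() -> dict:
    """Both redaction styles applied to the same page, checked for the secret."""
    overlay_pdf = build_pdf(redact_by_overlay(TEXT_LINE))
    removed_pdf = build_pdf(redact_by_removal(TEXT_LINE, SECRET.encode()))
    return {"overlay": residual_terms(overlay_pdf, [SECRET]),
            "removed": residual_terms(removed_pdf, [SECRET])}


if __name__ == "__main__":
    print(audit())
```

The overlay version still yields the placeholder from extract_text; the removal version does not. Real documents add wrinkles this toy skips (hex strings, fonts with custom encodings, text in annotations and in the XMP metadata, object streams), so a production check should run a full PDF text extractor plus a search of the raw file, but the test is the same: if the string is anywhere in the bytes, it was never redacted.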

“This is an appalling and astounding breach of security that terrorists could easily exploit,” said Clark Kent Ervin, the former inspector general at the Department of Homeland Security. “The TSA should immediately convene an internal investigation and discipline those responsible.”

Gee, ya think?

“This shocking breach undercuts the public’s confidence in the security procedures at our airports,” said Senator Susan Collins, R-Me., ranking Republican member of the Senate Homeland Security and Governmental Affairs Committee. “On the day before the Senate Homeland Security Committee’s hearing on terrorist travel, it is alarming to learn that the Transportation Security Administration (TSA) inadvertently posted its own security manual on the Internet.”

I hate to be the one to tell the good Senator this, but most folks already have little confidence in the security procedures at our airports.

OK, perhaps “most” is an overstatement, but there’s a lot of us who have little confidence in the TSA and this certainly justifies that lack of faith.

“This manual provides a road map to those who would do us harm,” said Collins. “The detailed information could help terrorists evade airport security measures.” Collins said she intended to ask the Department of Homeland Security how the breach happened, and “how it will remedy the damage that has already been done.”

My guess is they’ll come up with even more annoying and pointless procedures that’ll further depress airline profitability causing more of them to go belly up. Soon you won’t be able to take anything onto the plane and everyone will have to fly 90% naked wearing only loincloths which will have to be inspected by TSA agents with very cold hands.

The TSA claims the manual is old and outdated, but I’d be claiming that too if I had caused such a massive fuck up. They’ve asked for the original version to be taken offline, but it’s too late to put that genie back in the bottle. Once it hit the net it was all over the world in short order and there are plenty of places you can read it. Wanna read it for yourself? Even ABC News has a copy of it online for your planning convenience.

No need to thank the TSA. They’re not listening to you anyway.

Viruses can infect your PC with child porn.

As if you really needed yet another reason to make sure your computer is patched and you have a decent anti-virus solution installed, now comes word that an infected PC could lead to you being charged with possessing child pornography:

An Associated Press investigation found cases in which innocent people have been branded as pedophiles after their co-workers or loved ones stumbled upon child porn placed on a PC through a virus. It can cost victims hundreds of thousands of dollars to prove their innocence.

Their situations are complicated by the fact that actual pedophiles often blame viruses — a defense rightfully viewed with skepticism by law enforcement.

“It’s an example of the old ‘dog ate my homework’ excuse,” says Phil Malone, director of the Cyberlaw Clinic at Harvard’s Berkman Center for Internet & Society. “The problem is, sometimes the dog does eat your homework.”

via AP IMPACT: Framed for child porn — by a PC virus by AP: Yahoo! Tech.

It shouldn’t come as any surprise considering that many trojans and viruses are designed to allow full access to your PC for any of a number of nefarious purposes, from sending spam email to launching DDoS attacks. It was only a matter of time before someone thought to use them as a handy repository for their child porn.

It is possible to successfully defend yourself in cases where you’re a victim of a computer virus, but it’s not cheap and it still destroys your reputation:

Fiola and his wife fought the case, spending $250,000 on legal fees. They liquidated their savings, took a second mortgage and sold their car.

An inspection for his defense revealed the laptop was severely infected. It was programmed to visit as many as 40 child porn sites per minute — an inhuman feat. While Fiola and his wife were out to dinner one night, someone logged on to the computer and porn flowed in for an hour and a half.

Prosecutors performed another test and confirmed the defense findings. The charge was dropped — 11 months after it was filed.

The Fiolas say they have health problems from the stress of the case. They say they’ve talked to dozens of lawyers but can’t get one to sue the state, because of a cap on the amount they can recover.

“It ruined my life, my wife’s life and my family’s life,” he says.

The folks at F-Secure Corp. estimate that at any given time 20 million of the 1 billion Internet-connected PCs are infected with viruses that could give the bad guys full control. That estimate sounds a little conservative to me; I suspect it’s much higher than that. So make sure your systems are patched and secure. An ounce of prevention could save you a lot of trouble later.

Trying out Microsoft Security Essentials.

Microsoft entered the free anti-virus utility arena today with the release of Microsoft Security Essentials:

Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.

Microsoft Security Essentials is a free* download from Microsoft that is simple to install, easy to use, and always kept up to date so you can be assured your PC is protected by the latest technology. It’s easy to tell if your PC is secure — when you’re green, you’re good. It’s that simple.

Microsoft Security Essentials runs quietly and efficiently in the background so that you are free to use your Windows-based PC the way you want—without interruptions or long computer wait times.

Early reports from folks that participated in the beta and others who have tried the final product are that it’s pretty good, so I thought I’d give it a shot. Its most attractive feature is that it’s relatively lightweight (the Vista/Win 7 64-bit install was 4.71MB and the XP install was 8.61MB) and it has a low impact on system resources. I’ve been running the free version of Avast Anti-Virus for home users for a few years now and it does a pretty good job, but it can slow your system down a bit at times. One big advantage of Microsoft’s solution over Avast’s is that I’ll no longer need to reapply for a license key once a year. Not that it was ever a huge burden, but it’s nice not to have to worry about it.

Assuming, of course, that I decide to stick with it. Already after install it managed to detect a dormant trojan on my system which Avast had missed. The trojan wasn’t running as it had never been launched, but it was still surprising to see it was on my system. Avast probably would’ve caught it if I were to launch it, but it’s always best to catch it before it ever gets a toehold on your system. I suspect it tagged along on a recent ISO burning utility I downloaded to fill an immediate need as I couldn’t find my Nero Burning ROM discs. The folks over at ArsTechnica are impressed with it as well.

The upshot is that you now have even less of a reason not to have an up-to-date anti-virus utility on your system. Between all the free options already out there and this new almost no-hassle offering from Microsoft there’s no good reason not to protect yourself.

So let me get this straight…

People on the terrorist watch list can’t fly on airplanes, but they can still buy guns and explosives?!?

From February 2004 to February 2009, 963 background checks using the FBI’s National Instant Criminal Background Check System “resulted in valid matches with terrorist watch list records; of these matches, approximately 90 percent were allowed to proceed because the checks revealed no prohibiting information,” the GAO report says. About 10 percent were denied.

“Under current law, there is no basis to automatically prohibit a person from possessing firearms or explosives because they appear on the terrorist watch list,” wrote the GAO’s director of homeland security and justice issues, Eileen R. Larence.

“Rather, there must be a disqualifying factor (i.e., prohibiting information) pursuant to federal or state law, such as a felony conviction or illegal immigration status.”

Does this seem stupid to anyone other than me? Granted, a lot of folks who shouldn’t be on the TWL are on it, but what’s the point of not letting them fly if you’re going to let them buy guns and explosives?

How ATM skimming is done.

There have been a lot of articles over on The Consumerist about ATM skimming, how it’s done, and how you can protect yourself. Today they linked to a clip from a UK show called The Real Hustle that lays out exactly how the scam is done. I’m not sure if the increase in the number of articles about ATM skimming is due to it happening more often or because folks are just more aware of it, but I thought it’d be useful to post that YouTube clip here for folks that don’t follow my shared Google Reader notes:

In short, pay attention to the ATMs you use. If you suspect one may have been tampered with, alert the bank and/or the police and don’t use it. At the very minimum you’ll want to shield the keypad with your hand when entering your PIN.

As I watched this clip all I could think of was why don’t we have a show like this here in the States?

Wired’s Mathew Honan experiments with Location-Aware software.

One of the features of the newer iPhones and Google Android based cellphones is that they allow the phone, and any applications you’re running on it, to determine where you are to varying degrees of precision. Using a combination of cell towers (500 meters), Wi-Fi (30 meters), and GPS (10 meters), plus the various software packages that make use of that info, you can literally broadcast your whereabouts to the whole world pretty much continuously.

This opens up all sorts of interesting possibilities, both good and bad, and has attracted a growing group of people practicing a Location-Aware Lifestyle. Wired magazine’s Mathew Honan decided to try spending a few weeks living the lifestyle to see what it was like:

The location-aware future—good, bad, and sleazy—is here. Thanks to the iPhone 3G and, to a lesser extent, Google’s Android phone, millions of people are now walking around with a gizmo in their pocket that not only knows where they are but also plugs into the Internet to share that info, merge it with online databases, and find out what—and who—is in the immediate vicinity. That old saw about how someday you’ll walk past a Starbucks and your phone will receive a digital coupon for half off on a Frappuccino? Yeah, that can happen now.

Simply put, location changes everything. This one input—our coordinates—has the potential to change all the outputs. Where we shop, who we talk to, what we read, what we search for, where we go—they all change once we merge location and the Web.

I wanted to know more about this new frontier, so I became a geo-guinea pig. My plan: Load every cool and interesting location-aware program I could find onto my iPhone and use them as often as possible. For a few weeks, whenever I arrived at a new place, I would announce it through multiple social geoapps. When going for a run, bike ride, or drive, I would record my trajectory and publish it online. I would let digital applications help me decide where to work, play, and eat. And I would seek out new people based on nothing but their proximity to me at any given moment. I would be totally open, exposing my location to the world just to see where it took me. I even added an Eye-Fi Wi-Fi card to my PowerShot digital camera so that all my photos could be geotagged and uploaded to the Web. I would become the most location-aware person on the Internets!

People, particularly younger folks, already put out a lot of information about themselves on the Internet. I’m guilty of this myself with this blog. Not only do I have my real name on it, but there’s a fairly detailed history of the major ups and downs of my life over the past seven years in the archives. Everything from my best friend being needlessly killed by a traffic cop and how I dealt with the loss to my eventual downsizing from Ford Motor Company and the long struggle to get back on my feet. My politics and religious outlook are extensively documented as is the general area that I live in. SEB is the number one search result on Google when you type in “Les Jenkins” followed by some poor bastard who shares my name that works at Colorado One Mortgage.

For all that I put on SEB there are some folks who put me to shame, particularly on sites like Facebook and MySpace. You may recall a few months back an entry I wrote about a woman who had been emailing me about her “psychic visions” of my future. I mentioned in a comment that I was able to track down where she lives (to a specific street address), how big a house she owns, how much she bought it for, how many pets she has, what musical instrument she’s trying to teach herself to play, what books she’s been reading, her daughter and son-in-law’s names, where they lived, when their wedding was supposed to happen, and a whole host of other personal info with nothing more than her email and IP address. That’s pretty impressive, but even that pales next to what some folks make available, and when you add location-awareness into the mix you make it all that much more immediate. Which could have its downside:

The trouble started right away. While my wife and I were sipping stouts at our neighborhood pub in San Francisco (37.770401 °N, 122.445154 °W), I casually mentioned my plan. Her eyes narrowed. “You’re not going to announce to everyone that you’re leaving town without me, are you? A lot of weirdos follow you online.”

Sorry, weirdos—I love you, but she has a point. Because of my work, many people—most of them strangers—track my various Flickr, Twitter, Tumblr, and blog feeds. And it’s true; I was going to be gone for a week on business. Did I really want to tell the world that I was out of town? It wasn’t just leaving my wife home alone that concerned me. Because the card in my camera automatically added location data to my photos, anyone who cared to look at my Flickr page could see my computers, my spendy bicycle, and my large flatscreen TV all pinpointed on an online photo map. Hell, with a few clicks you could get driving directions right to my place—and with a few more you could get black gloves and a lock pick delivered to your home.

To test whether I was being paranoid, I ran a little experiment. On a sunny Saturday, I spotted a woman in Golden Gate Park taking a photo with a 3G iPhone. Because iPhones embed geodata into photos that users upload to Flickr or Picasa, iPhone shots can be automatically placed on a map. At home I searched the Flickr map, and score—a shot from today. I clicked through to the user’s photostream and determined it was the woman I had seen earlier. After adjusting the settings so that only her shots appeared on the map, I saw a cluster of images in one location. Clicking on them revealed photos of an apartment interior—a bedroom, a kitchen, a filthy living room. Now I know where she lives.

Think about that for a moment. Her being in an apartment would make any attempts at larceny a bit more difficult, but what if she lived in a single family home in a suburb? Take the geo-location data on the pictures and look it up in Google Maps—yes you can use latitude and longitude in Google Maps—drop down to Street View and you could even see what the house looks like so long as Google has been through that neighborhood. Above and beyond simply showing folks where to go to score a nice flat screen TV, this could also potentially be used to allow people to find you anywhere you happen to be making it a boon for potential rapists, stalkers, and plain old crazy people. Those, of course, are worst-case scenarios so let’s not dwell on them too much. Instead just consider how creepy it is that Honan was able to pick a perfect stranger out in a park and with just a little effort peer at the filthy living room in her apartment.

The technology is not without its upside though. Honan talks in the article about how it actually made him more social as friends who had seen he’d be in their area would turn up to hang out for a few minutes and touch base. Additionally some of the tools he was using allowed him to learn more about the area he was in, find the cheapest gas prices, and discover new places to eat he’d never realized were there before. And it’s not as though you have to make use of the tools that expose your precise location every second of the day. The whole article is worth a read if for no other reason than to educate yourself on what’s possible. Right now you have to put some work into setting yourself up to be so exposed, but developers are working to make doing stuff like that easier all the time so it may not be too long before you could set yourself up to broadcast your location constantly without realizing it.

It never hurts to be well-informed.

The battle to keep adware on your PC.

The folks over at philosecurity.org have a great interview with an adware author that anyone using Windows who’s interested in keeping their PC secure should read. Matt Knox is a developer who worked for a rather notorious adware company called Direct Revenue for a while. In the course of the interview he discusses why he took on the job:

S: Let’s back up a second. Why did you write adware?

M: I was utterly and grindingly broke for a little while. I started working on spam filtering software. That work got noticed by [Direct Revenue], who hired me to analyze their distribution chain. For a little while, the site through which all their ads ran was something like top 20 in Alexa. Monstrous, really huge traffic. Maybe 4 or 5 months into my tenure there, a virus came out that was disabling some of the machines that we had adware on. I said, “I know enough C that I could kick the virus off the machines,” and I did. They said, “Wow, that was really cool. Why don’t you do that again?” Then I started kicking off other viruses, and they said, “That’s pretty cool that you kicked all the viruses off. Why don’t you kick the competitors off, too?”

It was funny. It really showed me the power of gradualism. It’s hard to get people to do something bad all in one big jump, but if you can cut it up into small enough pieces, you can get people to do almost anything.

As adware became more widespread and the potential profits became apparent, programmers started including code that would kick competing software off the PC as well as keep anti-virus applications from disabling their own. An arms race soon broke out, with folks trying to figure out how to keep their programs from being detected and removed. The techniques for staying on a machine grew increasingly complex; collectively they are referred to as persistence:

So we’ve progressed now from having just a Registry key entry, to having an executable, to having a randomly-named executable, to having an executable which is shuffled around a little bit on each machine, to one that’s encrypted – really more just obfuscated – to an executable that doesn’t even run as an executable. It runs merely as a series of threads. Now, those threads can communicate with one another; they would check to make sure that the BHO was there and up, and that whatever other software we had was also up.

[…] We did create unwritable registry keys and file names, by exploiting an “impedance mismatch” between the Win32 API and the NT API. Windows, ever since XP, is fundamentally built on top of the NT kernel. NT is fundamentally a Unicode system, so all the strings internally are 16-bit counted Unicode. The Win32 API is fundamentally ASCII. There are strings that you can express in 16-bit counted Unicode that you can’t express in ASCII. Most notably, you can have things with a Null in the middle of it.

That meant that we could, for instance, write a Registry key that had a Null in the middle of it. Since the user interface is based on the Win32 API, people would be able to see the key, but they wouldn’t be able to interact with it because when they asked for the key by name, they would be asking for the Null-terminated one. Because of that, we were able to make registry keys that were invisible or immutable to anyone using the Win32 API. Interestingly enough, this was not only all civilians and pretty much all of our competitors, but even most of the antivirus people.

We also wrote a device driver and then a printer driver. When you write a device driver you get to do all sorts of crazy things, even crazier than the things you typically get to do in Windows. This was right around the time that the company [got sued by Eliot Spitzer and started shrinking]. They made a somewhat poor business decision at the same time to get visible, and they branded their ads and everything at the same time that they were having me kick all of our competitors off and we were doing all that persistence stuff.
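The string mismatch Knox describes is easy to model: NT stores key names as counted UTF-16 strings, so U+0000 is a legal character in a name, while Win32 callers hand over NUL-terminated strings, so a name is cut off at the first NUL and the real key can be listed but never opened, changed or deleted by name. The following in-memory model is an added example, not code from the interview or from Direct Revenue; the key names are constructed samples and no real registry is touched. It shows the check a defender would run: enumerate with counted names, try to open each one the Win32 way, and flag every key that cannot be reached by its own name.

```python
"""Model of the Win32 / NT native API string mismatch: counted names versus
NUL-terminated lookups. Constructed example; it does not read a real registry.
"""
from __future__ import annotations

# Constructed sample of what a native-API (counted-string) enumeration of one
# registry path might return. An embedded NUL is a legal character here.
SAMPLE_SUBKEYS = [
    "Run",
    "RunOnce",
    "Updater\x00Svc",   # only addressable through the counted NT API
    "Updater",          # the key a Win32 caller lands on instead
    "\x00Hidden",       # truncates to the empty string under Win32
]


def win32_lookup_name(name: str) -> str:
    """Win32 registry calls take NUL-terminated strings, so the name that
    actually reaches the kernel ends at the first U+0000."""
    nul = name.find("\x00")
    return name if nul < 0 else name[:nul]


def win32_open(subkeys: list[str], name: str) -> str | None:
    """Open a subkey the way regedit or a Win32-only scanner would: the
    requested name is truncated at the first NUL, then matched against the
    real (counted) key names."""
    wanted = win32_lookup_name(name)
    for key in subkeys:
        if key == wanted:
            return key
    return None


def find_unreachable_keys(subkeys: list[str]) -> list[str]:
    """Return every enumerated key that a Win32 caller cannot open by its own
    name: the 'visible but immutable' keys the interview describes."""
    return [key for key in subkeys if win32_open(subkeys, key) != key]


if __name__ == "__main__":
    for key in find_unreachable_keys(SAMPLE_SUBKEYS):
        print("unreachable via Win32:", repr(key))
```

On a real system the enumeration side has to use the native API (NtEnumerateKey) rather than a list; Sysinternals RegDelNull implements this same list-then-compare check to find and delete keys with embedded NULs.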

Eventually Direct Revenue shut down in mid-2007, and a final judgment in the lawsuit levied a $1.5 million fine against the company’s four founders—Joshua Abram, Daniel Kaufman, Alan Murray, and Rodney Hook—which seems like a lot until you consider that the company made more than $80 million in just three years, with the founders themselves earning around $28 million. That proves once again that being a total douchebag can be very profitable indeed, even when you get sued.

Beyond the techniques used to keep the software on your PC, the other fascinating insight is how the money is made. Remember the entry I wrote yesterday about how there appears to be a credit card scam making money 25 cents at a time over thousands of credit cards? Adware profits work on a similar principle:

The good distributors would say, “This is ad-supported software.” Not-so-good distributors actually did distribute through Windows exploits. Also, some adware distributors would sell access. In their licensing terms, the EULA people agree to, they would say “in addition, we get to install any other software we feel like putting on.” Of course, nobody reads EULAs, so a lot of people agreed to that. If they had, say, 4 million machines, which was a pretty good sized adware network, they would just go up to every other adware distributor and say “Hey! I’ve got 4 million machines. Do you want to pay 20 cents a machine? I’ll put you on all of them.” At the time there was basically no law around this. EULAs were recognized as contracts and all, so that’s pretty much how distribution happened.

Multiply 4 million machines by 20 cents each and you get $800,000 from just one advertiser. As anyone who’s been infected with adware knows, there are often at least four or five clients of any particular company riding along.

Linux fans will be happy with Knox’s suggestion for avoiding adware on their PCs:

S: In your professional opinion, how can people avoid adware?

M: Um, run UNIX.

It also helps to avoid using Internet Explorer if you have to run a Windows box (or just stubbornly insist on doing so as I do).