Category: client security

Challenges in securing end-user devices and other clients

Posted on

Does Jeeves Ask for Permission?

I continue my misleading installation series with a look at installation practices of Ask Jeeves. My new Ask Jeeves Toolbar Installs via Banner Ads at Kids Sites shows a misleading banner ad particularly likely to target kids. When users click on this banner, AJ neither shows nor references any license agreement. And AJ uses euphemisms like “accessible directly from your browser” rather than explicitly admitting that it will install a web browser toolbar.

But that’s not the worst of AJ’s practices. Over the past six months, I’ve captured a series of videos showing Ask Jeeves’ MyWay and MySearch software installed through security holes — without notice, disclosure, or consent. For example, in a video I made on March 12, I received more than a dozen different programs including the Ask Jeeves MySearch toolbar — without me ever requesting anything, and without me ever clicking “Yes” or “Accept” in any dialog box. Watch the video and see for yourself. Warning: The video is 16+ minutes long. Security exploit occurs at 6:00, and Ask Jeeves MySearch software is first seen at 15:50. In this same testing, I also received installation of 180solutions, multiple programs from eXact Advertising, the IBIS WebSearch toolbar, PeopleOnPage, ShopAtHomeSelect, SurfSideKick, WindUpdates, and many more. The underlying network transmissions show that the security exploit at issue was syndicated through the targetnet.com ad network — Mamma Media, publicly-traded on Nasdaq Small Cap.

I have other videos available upon request, including nonconsensual AJ installations dating back to November 2004. See also my November 2004 exploit video.

I’m surprised that Ask Jeeves allows these nonconsensual installations. Ask Jeeves is a publicly-traded company with a 10-digit valuation (slated to be acquired by InterActiveCorp for $1.85 billion). If Ask Jeeves staff made a serious effort to screen and supervise their distribution partners, they could prevent this kind of mess.

The biggest news last week was a lawsuit filed by the New York Attorney General’s office against Intermix Media, whose KeenValue, IncrediFind, and other programs show popup ads, add extra browser toolbars, and intercept error messages. These practices are objectionable in and of themselves, but the complaint focuses on the programs’ misleading installations. Sometimes the programs install with no notice at all, the complaint says, and sometimes only with hidden or misleading disclosures users are unlikely to notice or understand.

I have the sense that this suit is the first of many. There are certainly plenty of similar offenders, even big companies with major venture capital funding. I have often written about software from 180solutions, Direct Revenue, and eXact Advertising installing through security holes, practices I’ve continued to observe (including in the video linked above). And Claria’s tricky installations share many of the deceptive characteristics the AG attributes to Intermix, like hiding key terms in “lengthy, legalistic license agreements” and using “vague, incomplete” disclosure text. (See NYAG complaint (PDF), paragraph 9.) So I doubt the NY AG’s office would approve of the Ask Jeeves practices I’m documenting today, nor the other misleading tactics on my spyware installation methods index.

Posted on

Misleading Installations of the Week: PacerD, and Claria’s Dope Wars

It’s Monday morning, so time for more misleading installations. Just like last week, I couldn’t stop at only a single example; again I’m providing two.

PacerD’s misleading pop-ups ask users to “please click yes” to accept “free browser enhancements.” In fact what PacerD offers is an unusually large bundle of a dozen different programs, only some of them disclosed in fine print in PacerD’s mislabeled (apparent, purported) license agreement, which in turn is only shown at a user’s specific request. But click “Yes” once, and your computer will take a turn for the worse, with no subsequent opportunity to cancel.

The PacerD Installation Bundle

As usual, Claria’s approach is somewhat more subtle. When Claria bundles its advertising software with the “Dope Wars” video game, Claria prominently tells users that it will deliver advertising. But Claria mentions effects on privacy only midway through a 43-page license agreement, that begins with three tedious pages of all-caps text. My sense is that few “Dope Wars” players are likely to wade through this lengthy license. So if Dope Wars users install Claria, they’ll do so without first understanding what Claria will do to their PCs.

Claria’s Misleading Installation Methods – Dope Wars

On some level, these two installations could hardly be more different. PacerD installs a dozen programs from numerous different companies; Claria installs just one. PacerD shows a popup while users are just trying to surf the web; Claria’s interruption comes as users are trying to install software they actually want. But in relevant respects, I think these installations are surprisingly similar. For one, both seek to convert users’ computers into advertising channels — tracking what users do, and showing extra advertising. Also, both installations tell users something about the programs they are asked to accept, and both give savvy users an opportunity to learn more, but in each case the prominent on-screen text omits important facts users need to know in order to make sensible choices.

Posted on

Misleading Installations of the Week: Claria and 180 at Kids Sites

“Adware” companies say their businesses are predicated on user consent. (Claria: “… consumers who agree … “; 180: “permission-based … opt-in”). Notwithstanding, companies’ claims, there’s no doubt that this kind of advertising software is sometimes installed without consent. See the video I posted last year.

But what about those users who supposedly do consent to receive extra pop-ups? Why did they agree to receive extra advertising that so many other users seem to despise? My sense is that users often don’t understand what they’re getting — due to serious deficiencies in installation disclosures. In two new articles, I examine and analyze the installation procedures of Claria and 180, raising doubts as to whether users reasonably knew what would happen when they “accepted” these programs.

Ezone.com, a site targeting children, that nonetheless promotes 180solutions.Can we say that a user “consents” to an installation if the installation occurred after a user was presented with a misleading advertisement that looked like a Windows dialog box? If that advertisement was embedded within a site substantially catering to children? If that advertisement offered a feature known to be duplicative with software the user already has? If “authorizing” the installation required only that the user click on an ad, then click “Yes” once? If the program’s license agreement was shown to the user only after the user pressed “Yes”? These are the facts of recent installations of Claria software from ads at games site Ezone.com.

Details: Claria’s Misleading Installation Methods – Ezone.com

Turning to 180: Can we say that a user consents to an installation of advertising-display software where that installation is prominently described as removing advertisements? Where the installation description uses euphemisms like “show … sponsor websites” but never explicitly states that the program will show advertisements or pop-ups? Where the installation procedure never shows or even references a license agreement? And where all this occurs at sites catering to children?

Details: 180solutions’s Misleading Installation Methods – Ezone.com

Lots of companies want to take advantage of users who may be a bit confused, a bit naive, or a bit too quick to click yes. But where users are recruited at sites catering to children, where ads look like Windows messages, or where installation requests resort to misleading euphemisms, I’m not inclined to say that consumers “consent” to the resulting ads and to the resulting transmission of personal information.

Posted on

New Series on Spyware Installation Methods

So-called “adware” companies say nonconsensual installations of their programs are just an “urban legend.” (See section 7 of 180’s claims in a recent interview.) But when I talk to users whose computers have become infected, I’m consistently told that they don’t know how they got the unwanted programs, and they say they certainly didn’t consent. How can we understand this divergence? How are users PCs receiving this unwanted software?

My new Spyware Installation Methods sets out a taxonomy of the ways unwanted programs sneak onto users’ computers. Some installations rely on tricking users — for example, showing confusing popups, or claiming or suggesting that an installation is required to view a web site. Others install unwanted software in bundles with programs users actually want — sometimes telling users what they’re getting in fine print midway through long licenses, but sometimes not even including these minimal disclosures. Finally, some spyware sneaks in through security hole exploits — without any user consent at all, thanks to defects in users’ web browsers or other software. (See the security hole video and write-up I posted last fall.)

There’s lots to be done in documenting how unwanted software gets onto users’ PCs. My Installation Methods page indexes my work to date, to the extent it’s posted online. But I have much more documentation still to be posted — for example, scores more videos showing security exploits. I’ll be making additions in the coming months, as I find better ways to present this work clearly and efficiently, and as I find clients or other revenue sources to help support this work. (I’m still looking! Send suggestions.)


Diagram of the steps users must follow in order to attempt to learn what software 3D and BlazeFind will install on their PCs. Even diligent users ultimately have no way to know in advance what 3D will install on their PCs.Diagram of the steps users must follow in order to attempt to learn what software 3D and BlazeFind will install on their PCs.

Today I’m also starting what I intend to be a series of weekly updates to my site — tentatively entitled “misleading installation of the week.” Sometimes I’ll show massive security hole exploits that render users’ computers nearly useless, but sometimes I’ll post more “ordinary” infections that “merely” show extra ads or send users’ browsing habits to a remote server. At every turn I’ll emphasize the trickery common to most installation methods — the ways that substance (e.g. material omissions, euphemisms, confusing circumstances) and style (e.g. on-screen presentation format, window size and shape, link format) cause users to “accept” software that offers them little or no genuine benefit.

I’m starting this series with an analysis of software from 3D Desktop. 3D’s Flying Icons Screensaver bundles BlazeFind, which in turn bundles 180solutions and half a dozen other programs. To learn what’s included, users must puzzle through a dizzying array of licenses — scroll through one license to find a link to another; scroll through that agreement to find the URLs to others; perfectly retype those URLs; then read each of the resulting licenses. But even if users follow this lengthy procedure, 3D and BlazeFind will ultimately install programs beyond the programs the licenses specifically name. So even diligent users have no way to know in advance what 3D will do to their PCs. Plus, BlazeFind is overzealous in its claims of privacy protection: BlazeFind says the programs it installs don’t track users’ behavior, but my hands-on testing proves otherwise. Details:

3D Desktop’s Misleading Installation Methods

Interestingly, BlazeFind’s license mentions that BlazeFind is a product of CDT, a software distribution company recently purchased by 180solutions. 180 says the CDT acquisition is part of its effort to “clean up” its distribution methods. With practices like these, they certainly have plenty of work ahead. See also a recent Spyware Warrior analysis of other 180 claims and practices in need of correction or improvement.

Posted on

What P2P Programs Install What Spyware?


A misleading installation procedure -- with multiple licenses combined into a single scroll box, and offering to install programs without providing even a brief description of their purposes or effects.A misleading installation procedure — with multiple licenses combined into a single scroll box, and offering to install programs without providing even a brief description of their purposes or effects

Request a peer-to-peer filesharing program, and you may be surprised what else gets installed too. I’ve tested five major P2P programs and analyzed their bundled software. Licenses stretch to as long as 22,000+ words and 180+ on-screen pages. Some P2P apps add additional programs disclosed only in license agreement scroll boxes. And it’s not uncommon for a P2P app to create thousands of registry entries. But at least one major P2P program bundles no extra software at all.

My full article analyzes what programs come with what extra software. I have also posted screen-shots of each screen of the lengthy license agreements, and I’ve noted scores of license anomalies such as broken links, missing section-heading formatting and line breaks, important omissions, and surprisingly one-sided substantive provisions.

Details:

Comparison of Unwanted Software Installed by P2P Programs

Posted on

How VeriSign Could Stop Drive-By Downloads updated February 22, 2005

VeriSign hates spyware — or so suggests CEO Stratton Sclavos in a recent interview. Even his daughter’s computer got infected with scores of unwanted programs, Sclavos explains, but he says VeriSign is helping to solve this problem. The ironic reality is Sclavos’ daughter’s computer was most likely infected via popups that appeared trustworthy only thanks to certificates issued by VeriSign. If Sclavos is serious about cracking down on spyware, VeriSign can end many deceptive installation practices just by enforcing its existing rules.

Drive-By Installs, Digital Signatures, and VeriSign’s Role

In 2002, Gator introduced ActiveX “drive-by downloads” — popups that attempt to install unwanted software onto a user’s PC as a user browses an unrelated web site. Today, Windows XP Service Pack 2 offers some protection by blocking many drive-by installation attempts. But for users with earlier versions of Windows, who can’t or don’t want to upgrade, these popups remain a major source of unwanted software. (And even SP2 doesn’t stop all drive-bys. For example, SP2 users with Media Player version 9, not the new v10, are still at risk.)

Even though Microsoft can’t (or won’t) fully fix this problem, VeriSign can. Before an ActiveX popup can install software onto a user’s computer, the installer’s “CAB file” must be validated by its digital signature. If the signature is valid, the user’s web browser shows the ActiveX popup, inviting a user to install the specified software. But if the signature is invalid, missing, or revoked, the user doesn’t get the popup and doesn’t risk software installation.

Microsoft has accredited a number of providers to offer these digital certificates. But in practice, almost all certificates are issued by VeriSign, also owner of Thawte, previously the second-largest player in this space. (See a findlaw.com antitrust discussion message noting that, as of February 2000, the two providers jointly held 95% of the digital certificate market.)

Through existing software systems, already built into Internet Explorer and already implemented by VeriSign servers, VeriSign has the ability to revoke any certificate it has previously issued, disabling ActiveX installations that use that certificate. See VeriSign’s Certificate Revocation List server (crl.verisign.com) and Microsoft Certificates documentation of the revocation system.

I suggest that VeriSign can and should use its existing certificate revocation system to disable those certificates issued or used in violation of applicable VeriSign rules.

Examples of the Problem, and A Specific Proposal

Consider the three misleading ActiveX installers shown below. The first gives an invalid company name (“click yes to continue”). The second gives a misleading/missing product name (“virus free”). The third was shown repeatedly, between popups that falsely claimed “In order to view this site, you must click YES.” Click on each inset image to see a full-size, uncropped version.

An ActiveX installer with a misleading company name, purportedly "click yes to continue." An ActiveX installer with a misleading product name ("VIRUS FREE").

Each of these misleading installations is contrary to VeriSign contract, contrary to VeriSign’s duty to its users, and contrary to VeriSign’s many promises of trustworthiness. In the first installer, VeriSign affirmatively certified the “click yes to continue” company name — although it seems that there exists no company by that name, and although that company name is facially misleading as to the purpose of the installation prompt. In the second and third examples, VeriSign certified companies that subsequently used VeriSign’s certification as a necessary step in deceiving users as to the function of and (alleged) need for their programs.

Given VeriSign’s claims (such as its old motto, “the value of trust”), VeriSign should want to put an end to these practices. When VeriSign certificates are issued wrongfully (as in the first example) or are used deceptively (as in the second and third), VeriSign should take action to protect users from being tricked. In particular, when an application offers a facially invalid and misleading company name, VeriSign should refuse to issue the requested certificate. When an applicant violates basic standards of truth-telling and fair dealing, VeriSign should revoke any certificates previously issued to that applicant.

Why VeriSign Should Get Involved

VeriSign’s intervention would be entirely consistent with its existing contracts with certificate recipients. For example, section 11.2 (certificate buyer’s representations) requires a certificate buyer to represent that it has provided accurate information — including an accurate company name. The purported company name “click yes to continue” surely violates the accuracy requirement, meaning the certificate supporting the first popup above is prohibited under VeriSign rules.

Furthermore, VeriSign’s section 4 (“Use Restrictions”) prohibits using VeriSign certificates “to distribute malicious or harmful content of any kind … that would … have the effect of inconveniencing the recipient.” The dialers, toolbars, tracking systems, and advertising systems provided by the second and third popups are indisputably inconvenient for users. I claim the resulting software is also “malicious” and/or “harmful” in that it tracks users’ personal information, slows users’ computers, shows extra ads, and/or accrues long-distance or 900 number access costs. So these installation prompts also violate applicable VeriSign rules.

VeriSign’s contracts grant VeriSign the power to take action. Section 5 explains that “VeriSign in its sole discretion retains the right to revoke [certificates] for [certificate buyers’] failure to perform [their contractual] obligations.” So VeriSign has ample contractual basis to revoke the misleading certificates.

Contractual provisions notwithstanding, I anticipate certain objections to my proposal. The obvious concerns, and my responses —

  • It’s too hard and too costly for VeriSign to find the wrongdoers. But VeriSign is a huge company, and a market leader in online security, infrastructure, and trust. Also, confirming the legitimacy of certificate recipients is exactly what VeriSign is supposed to be doing in the course of its certificate issuance. VeriSign charges $200 to $600 per certificate issued. At present it’s unclear what verification VeriSign performs — what work VeriSign does to earn $200+ for each certificate issued. The procedures I’m proposing might require a few new employees and some ongoing effort. But for a company precisely engaged in the business of certifying others’ practices, this testing is appropriate. Even if enforcement is costly, VeriSign stands to lose much more if it dilutes its brand and “trust” promise by failing to stop deceptive installations occurring under the guise of VeriSign certificates.
  • There are some difficult border cases. I agree that not all ActiveX installers are as outrageous as those shown above. For example, Claria’s installers lack the most outrageous of the deceptive practices above — they give Claria’s true company name, and they don’t explicitly claim that installation is required. Yet Claria’s installers still have major deficiencies. For example, Claria’s installers fail to admit that Claria software will not just “monitor” user information but also collect and store such data (in what is reportedly the seventh largest database in world), and Claria’s software repeatedly tries to install even if users decline when initially asked. What should VeriSign do with a case like Claria? I consider Claria’s installation practices deceptive and unethical, but I’m not sure it’s VeriSign’s role to make Claria stop. However, the existence of some hard decisions doesn’t mean VeriSign shouldn’t at least address the easy cases.
  • XP SP2 already solved the ActiveX problem, so this is irrelevant. I disagree. Tens of millions of users still run old versions of Windows. Some users can’t afford the cost of an upgrade (new software plus, for many users, faster hardware). Others cannot upgrade due to corporate policies or compatibility concerns. Then there are problems for which even SP2 doesn’t offer full protection: WindowsMedia files can still open ActiveX popups and installer decoys that try to trick users into authorizing installations.

VeriSign’s intervention would make a big difference. VeriSign could stop many misleading software installation practices, including those shown above, and block what remains a top method of sneaking onto users’ PCs. Unlike spammers who switch from one server to another, spyware distributors can’t just apply for scores of new digital certificates, because each application entails out-of-pocket costs.

Plans for an Enforcement Procedure

Enforcement of invalid company names would be particularly easy since VeriSign already has on hand the purported company names of all its certificate recipients. Entries like “click yes to continue” stick out as facially invalid. Simply reading through the list of purported company names should identify wrongdoers like “click yes to continue” — applicants whose certificates should be investigated or disabled.

It’s admittedly somewhat harder for VeriSign to stop certain other deceptive practices that use VeriSign-issued certificates. While VeriSign knows the company names associated with all its certificates, VeriSign’s systems apparently don’t currently track the purported product names signed using VeriSign certificates. Furthermore, VeriSign receives no special warning when a certificate recipient uses tricky JavaScript to repeatedly display an installation attempt or to intersperse displays with “you must click yes” (or similar) popups.

But VeriSign could at least establish a formal complaint and investigation procedure to accept allegations of violations of applicable contracts. Other VeriSign departments offer web forms by which consumers can report abuse. (See e.g. the SSL Seal Report Misuse form.) Yet VeriSign’s Code Signing page lacks any such function, as if wrongdoing were somehow impossible here. Meanwhile, those with complaints have nowhere to send them. Indeed, I’ve reviewed complaints from Richard Smith and others, flagging both wrongly-issued certificates and the need for a complaint procedure, and raising these issues as early as January 2000.

Of course, beyond receiving and investigating consumer complaints, VeriSign could also run tests on its own — affirmatively seeking out bad actors who use VeriSign certificates contrary to VeriSign’s rules.

Update: Reponses from VeriSign and eWeek’s Larry Seltzer

After I published the article above, I received two responses from VeriSign staff. Phillip Hallam-Baker, VeriSign’s Chief Scientist, wrote to me on February 4 (the day after I posted my article) to say that “Click yes to continue was disabled yesterday.” Staff from VeriSign’s “Certificate Practices” department subsequently wrote to discuss current practices and to ask what more VeriSign could do here. They all seemed pretty reasonable — willing to admit that VeriSign’s practices could be better, and interested in reviewing my findings.

In contrast, I was struck by the response from eWeek‘s Larry Seltzer. Larry apparently spoke with VeriSign PR staff at some length, and he liberally quotes VeriSign staff defending having issued a certificate to “Click Yes to Continue.” Saying that I “may have jumped to a conclusion,” Larry seems to credit VeriSign’s claim that the bogus certificate problem was “basically all over” as soon as (or even before) I posted my article. I emphatically disagree. There are hundreds (thousands?) of certificates that continue to break VeriSign rules — for example, claiming to be security updates when they are not, or claiming “you must press yes” when they’re not actually required. (See also VeriSign-issued certs supporting misleading popups shown at Google Blogspot.) VeriSign may prefer not to enforce its own rules, prohibiting “distribut[ing] malicious or harmful content of any kind … that would … have the effect of inconveniencing the recipient.” And Seltzer may think VeriSign shouldn’t have such rules. But the rules do exist — VeriSign itself wrote them! — and the rule violations are clear and ongoing. That VeriSign revoked a few egregious certificates after I posted my article doesn’t mean VeriSign’s practices are up to par otherwise. What about all the other certs that break the rules?

Finally, Seltzer claims that VeriSign told me Click Yes to Continue is a valid company name. Nope. First, the premise is wrong; that’s just not a valid company name, because it’s facially misleading. Second, VeriSign never told me any such thing: I have carefully reviewed my email records, and no VeriSign staff person made any such statement. (To the contrary, see the Hallam-Baker quote above, admitting that Click Yes was in violation and was disabled.) Maybe VeriSign should spend more time investigating its rule violations, and less time trying to smear those who criticize its poor enforcement record.

Posted on

Media Files that Spread Spyware updated January 3, 2005

Users have a lot to worry about when downloading and playing media files. Are the files legal? Can their computers play the required file formats? Now there’s yet another problem to add to the list: Will a media file try to install spyware?

When Windows Media Player encounters a file with certain “rights management” features enabled, it opens the web page specified by the file’s creator. This page is intended to help a content providers promote its products — perhaps other music by the same artist or label. However, the specified web page can show deceptive messages, including pop-ups that try to install software on users’ PCs. User with all the latest updates (Windows XP Service Pack 2 plus Windows Media Player 10) won’t get these popups. But with older software, confusing and misleading messages can trick users into installing software they don’t want and don’t need — potentially so many programs that otherwise-satisfactory computers become slow and unreliable.

Screen-shot of the initial on-screen display. If users press Yes, scores of unwanted programs are installed onto their PCs. Click to enlarge.Screen-shot of the initial on-screen display. If users press Yes, scores of unwanted programs are installed onto their PCs.

I recently tested a Windows Media video file, reportedly circulating through P2P networks, that displays a misleading pop-up which in turn attempts to install unwanted software onto users’ computers. I consider the installation misleading for at least three reasons.

  1. The pop-up fails to name the software to be installed or the company providing the software, and it fails to give even a general description of the function of the software.
  2. The pop-up claims “You must agree to our terms and conditions” — falsely suggesting that accepting the installation is necessary to view the requested Windows Media video. (It’s not.)
  3. Even when a user specifically requests more information about the program to be installed, the pop-up does not provide the requested information — not even in euphemisms or in provisions hidden mid-way through a long license. Clicking the pop-up’s hyperlink opens SpiderSearch’s Terms and Conditions — a page that mentions “receiving ads of adult nature” and that disclaims warranty over any third-party software “accessed in conjunction with or through” SpiderSearch, but that does not disclose installation of any third-party software.

Screen-shot of my Program Files folder, showing some of the programs installed on my test computer.Screen-shot of my Program Files folder, showing some of the programs installed on my test computer.

On a fresh test computer, I pressed Yes once to allow the installation. My computer quickly became contaminated with the most spyware programs I have ever received in a single sitting, including at least the following 31 programs: 180solutions, Addictive Technologies, AdMilli, BargainBuddy, begin2search, BookedSpace, BullsEye, CoolWebSearch, DealHelper, DyFuca, EliteBar, Elitum, Ezula, Favoriteman, HotSearchBar, I-Lookup, Instafin, Internet Optimizer, ISTbar, Megasearch, PowerScan, ShopAtHome Select, SearchRelevancy, SideFind, TargetSavers, TrafficHog, TV Media, WebRebates, WindUpdates, Winpup32, and VX2 (Direct Revenue). (Most product names are as detected by Lavasoft Ad-Aware.) All told, the infection added 58 folders, 786 files, and an incredible 11,915 registry entries to my test computer. Not one of these programs had showed me any license agreement, nor had I consented to their installation on my computer.

I retained video, packet log, registry, and file system logs of what occurred. As in my prior video of spyware installing through security holes, my records make it possible to track down who’s behind the installations — just follow the money trail, as captured by the “partner IDs” within the various software installation procedures. When one program installs another, the second generally pays the first a commission, using a partner ID number to track who to pay. These numbers make it possible to figure out who’s profiting from the unwanted installations and, ultimately, where the money is going.

Figuring Out Who’s Responsible

Most directly responsible for this mess is ProtectedMedia — the company that caused my computer to display the initial misleading pop-up shown above. ProtectedMedia invited the installation of some unwanted programs, which in turn installed others, but ProtectedMedia could readily stop these behaviors, e.g. by disabling its misleading pop-up installation attempts.

Screen-shot of the icons added to my test computer's desktop. Note a new link to Dell -- an affiliate link such that Dell pays commissions when users make purchases after clicking through this link.Screen-shot of the icons added to my test computer’s desktop. Note a new link to Dell — an affiliate link such that Dell pays commissions when users make purchases after clicking through this link.

But who pays ProtectedMedia? As I started to follow the money trail, I was surprised to see that some of the unrequested programs receive funds from respected online merchants. Several of the spyware installations added new toolbars to my computer’s browser and new icons to my desktop. If users click through these links, then make purchases from the specified merchants, the merchants pay commission to the affiliates who placed these toolbars and icons on users’ PCs. Even large, otherwise-reputable companies pay commissions through these systems, thereby funding those who install unwanted software on users’ computers. In my testing, I received affiliate links to Amazon, Dell, Hotwire, Match.com, Travelocity, and others. Many of these links pass through affiliate tracking networks LinkShare and Commission Junction.

Of course, these merchants may not have intended to support spyware developers. For example, merchants may have approved the affiliates without taking time to investigate the affiliates’ practices, or the affiliates’ actions may be unauthorized by the merchants. (That’s what Dell said when I previously found Dell ads running on Claria.) In future work, I’ll look in greater detail at which merchants pay affiliate commissions to which spyware programs, and I’ll also further document which merchants purchase advertising from companies whose software sneaks onto users’ computers.

Other companies partially responsible for these practices are the providers of the unwanted software — companies that pay commissions to distributors foisting their software onto users’ computers. In general there’s no reason to expect honorable behavior by providers of unwanted software. But some of the programs I received come from big companies with major investment backing: 180solutions received $40 million from Spectrum Equity Investors; Direct Revenue received $20 million from Insight Venture Partners; and eXact Advertising (makers of BargainBuddy and BullsEye) received $15 million from Technology Investment Capital Corp. With so much cash on hand, these companies are far from judgment-proof. Why are they paying distributors to install their software on users’ computers without notice and consent?

The problematic installations ultimately result from the “feature” of Windows Media Player that lets media files open web pages. But most users will only receive the contaminated files if they download files from P2P filesharing networks. Of course, rogue media files are but one way that P2P networks spread spyware. For example, users requesting Kazaa receive a large bundle of software (including Claria’s GAIN), after poor disclosures that bury key terms within lengthy licenses, without even section headers to help readers find what’s where. Users requesting Grokster receive unwanted software even if they press Cancel to decline Grokster’s installation (details).

Ed Bott offers an interesting, if slightly different, interpretation of these installations. Ed rightly notes that users with all the latest software — not just Windows XP Service Pack 2, but also Windows Media Player 10 — won’t get the tricky pop-ups described above. Ed also points out that Windows Media Player displays of ActiveX installation prompt pop-ups are similar to deceptive methods users have seen before, i.e. when web sites try to trick users into installing software. True. But I think Ed gives too little weight to the especially deceptive circumstances of a software installation prompt shown when users try to watch a video. For one, legitimate media players actually do use these prompts to install necessary updates (i.e. the latest version of Macromedia Flash), and Windows Media Player often shows similar prompts when it needs new codecs or other upgrades. In addition, the unusually misleading (purported) product name and company name make it particularly easy to be led astray here. Users deserve better.

Posted on

Video: eBates Installed through Security Holes

I’ve long been a fan of online shopping site Ebates. Sign up for their service, visit their web site, click through their special links to merchants (including merchants as distinguished as Dell, Expedia, IBM, and L.L. Bean), and earn a small cash back, generally a few percent of your purchase.

But another side of Ebates’ business has become controversial: Ebates uses a software download called “Moe Money Maker” (MMM) to automatically claim merchants’ affiliate commissions, then pay users rebates — even if users don’t visit Ebates’ web site, and even if users don’t click through Ebates’ special links.

Why the controversy? I see at least two worries:

1) Aggressive software installations.

  • Partial screen-shot taken from video of Ebates installation through a security hole, without any notice or consent.Partial screen-shot taken from video of Ebates installation through a security hole, without any notice or consent.

    Users visiting ebates.com can receive MMM software merely by filling out a form and failing to uncheck the “I would like to download MMM” checkbox (checked by default).

  • Users downloading certain third-party programs (screen-savers and the like) receive MMM as part of the bundle — disclosed, in my testing, but often with a long license in a small box, such that many users don’t fully understand what they’re getting.
  • Most troublingly, there have been persistent allegations of Ebates installed without any notice or consent whatsoever. I had always discounted these allegations until I saw the proof for myself earlier last month. See video of Ebates MMM installed through security holes.

2) Claiming affiliate commissions that would otherwise accrue to other affiliates. Many web sites receive affiliate commissions when users make purchases through special links to merchants’ web sites. (See e.g. Lawrence Lessig‘s “Get It Here” page.) Network rules (Commission Junction , Linkshare) prohibit Ebates from interceding in these transactions; instead, the independent web sites are to receive the commissions for purchases through their links. But Ebates’ software sometimes claims commissions anyway — specifically contrary to applicable rules. These behaviors have been alleged and reported for years, and recently documented in a series of videos (videos of particular interest. Apple, Cooking.com, Diamonds International, JJill, Lillian Vernon, Sharper Image, Sony). If Ebates’ prohibited interventions were only temporary, they would be easy to sweep away as mere malfunctions. But when problems continue for years, to Ebates’ direct financial benefit and to others’ detriment, the behavior becomes harder to disregard.

Meanwhile, Ebates has inspired copy-cat programs with similar business models but even more controversial execution. I’ve recently made literally scores of videos of eXactAdvertising‘s CashBack by BargainBuddy installed through security holes, and also of TopRebates/WebRebates installed through security holes — always without any notice or consent whatsoever. These programs remain participants in the Commission Junction and LinkShare networks — presumably receiving commissions from these networks and their many merchants (CashBack merchants, TopRebates merchants). I’m surprised that so many merchants continue to do business with these software providers — including so many big merchants, who in other contexts would never consider partnering with software installed without notice and consent.

I think the core problem here is skewed incentives. Affiliate networks (CJ and LinkShare) have no financial incentive to limit Ebates’ operation. Instead, the more commissions claimed by Ebates, the more money flows through the networks — letting the networks charge fees of their own. In principle we might expect merchants to refuse to pay commissions not fairly earned — but merchants’ affiliate managers sometimes have secondary motives too. In particular, affiliate managers tend to get bonuses when their affiliate programs grow, which surely makes them particularly hesitant to turn away the large transaction volume brought by MMM’s automatic commission system. That’s not to say some merchants don’t knowingly and intentionally participate in Ebates — some merchants understand that they’ll be paying Ebates a commission on users’ purchases even when users type in merchants’ web addresses directly, and some merchants don’t mind paying these fees. But on the whole I worry that Ebates isn’t doing much good for many merchants, even as its software comes to be installed on more and users’ PCs, with or without their consent.

The Ebates Money trail: users -> merchants -> affiliate networks -> Ebates -> Ebates distributors”>The Ebates Money trail: users -> merchants -> affiliate networks -> Ebates -> Ebates distributors</p> </div> <p><a name=For users who share my continued interest in following the money trail, the diagram at right summarizes Ebates’ complicated business model. Users make purchases from merchants, causing merchants to pay affiliate commissions (via affiliate networks such as LinkShare and Commission Junction) to Ebates. Ebates in turn pays commissions to those who cause its software to be installed, including those installers who install Ebates’ software through security holes, without notice or consent.

Ebates Terms & Conditions Allow Removing Other Programs

Finally, note that Ebates has joined the ranks of software providers who, in their EULAs, claim the right to remove other software programs. Ebates’ MMM Terms & Conditions demand:

“Ebates may disable or uninstall any other product or software tool that might interfere with the operability of the Moe Money Maker Software or otherwise preempt or render inoperative the Moe Money Maker Software … In installing the Moe Money Maker Software, you authorize Ebates to disable, uninstall, or delete any application or software that might, in Ebates’ opinion nullify its function.”

Ebates is right to worry that a user can only successfully run a single automatic commission-claiming program. But this license language allows Ebates to delete far more than competing commission programs. For example, if Ad-Aware removes MMM as spyware, thereby “interfering with the operability” of MMM, then the license purports to give Ebates the right to remove Ad-Aware.

Update (December 15): Ebates staff wrote to me to report that they have narrowed the clause quoted above. Ebates’ current Terms allow disabling only “shoping or discount software,” not general-purpose software removal tools like Ad-Aware. Ebates staff further note that they have never exercised the rights granted under the prior Terms text. However, Archive.org reports that Ebates’ Terms included the broad “any application or software” language as long ago as August 2003.

Thanks to Ian Lee, Internet Marketing Strategist & Affiliate Manager of ADS-Links.com, for recommendations on video production methods.

Posted on

Direct Revenue Deletes Competitors from Users’ Disks updated February 8, 2005

For companies making programs that show users extra pop-up ads, one persistent problem is that users are bound to take action once their computers get too clogged with unwanted software. Find a removal tool, hire a technician, reinstall Windows, buy a new computer, or just stop using the Internet — whatever users do, the pop-up companies won’t make any more money if users don’t keep surfing, and don’t keep clicking the ads. The problem is all the worse because so many unwanted programs install others (usually in exchange for a per-install commission). So if a user has one program showing extra pop-ups, the user might soon have five more.

What’s an “adware” company to do? Direct Revenue has one idea: Delete its competitors’ programs from users’ hard disks. With the other programs gone, users’ computers will run more or less as usual — showing some extra ads from Direct Revenue, but perhaps not attracting so much attention that users take steps to remove all unwanted software.

Direct Revenue’s End User License Agreement provides, in relevant part:

“[Y]ou further understand and agree, by installing the Software, that BetterInternet and/or the Software may, without any further prior notice to you, remove, disable or render inoperative other adware programs resident on your computer …”

In my recent testing, I’ve observed the removals Direct Revenue’s EULA seems to anticipate. And I’m not the only one: I’ve just received a copy of a lawsuit filed by Avenue Media, complaining that Direct Revenue is “systematically deleting Avenue Media’s Internet Optimizer without users’ knowledge or consent.” Indeed, in my November 17 testing, I found that software installed on my PC by ABetterInternet (a product name used by Direct Revenue) received the following instructions from its targeting server, calling for the removal of Avenue Media’s Internet Optimizer:

request for instructions from server

POST /bi/servlet/ThinstallPre HTTP/1.1

Host: thinstall.abetterinternet.com

begin response from server

excerpted to show only removal
code targeting Internet Optimizer

HTTP/1.1 200 OK
Date: Wed, 17 Nov 2004 15:31:00 GMT
Server: Apache/2.0.46 (Red Hat)
Content-Length: 3881
Connection: close
Content-Type: text/xml

list of running processes to stop (“kill”)

<install><action type=”KillProc”>
<proc exe=”optimize.exe” />
</action>

start of an “.INF” file
(in usual Windows .INF format)


<action type=”installINF”>
<inf section=”DefaultInstall”>

[DefaultInstall] …
DelReg=RegistryEntries
DelFiles=ProgFiles,systemFiles

registry entries to be removed


[RegistryEntries] …
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,”Internet Optimizer”

files on disk to be removed

[ProgFiles]
Internet Optimizeractalert.exe,,,1
Internet Optimizeroptimize.exe,,,1
Internet Optimizerupdateactalert.exe,,,1

In my testing, Direct Revenue’s software acts on these instructions — stopping the optimize.exe task (Internet Optimizer’s main program), then deleting the associated registry entries and program files. So I think Avenue Media is correct as to the basic facts of what’s happening. Conveniently, in tests beginning on November 17, I even made videos showing Internet Optimizer’s software being deleted — files eerily disappearing as Direct Revenue’s software deleted Internet Optimizer along with other targeted programs.

How do I happen to have records, logs, and even videos of events occurring several weeks ago? As it turns out, both Internet Optimizer and Direct Revenue were unwanted additions to my test PC: Both were installed through security holes, much like the installations I documented in my Who Profits from Security Holes? write-up and video last month. I’ve been making more such videos — roughly one a day for the past few weeks. So I’ve repeatedly seen Direct Revenue removing Internet Optimizer.

In my security-hole videos, I never saw nor accepted any Direct Revenue license. So, at least as to me, Direct Revenue cannot convincingly cite its EULA to defend its removal of Internet Optimizer. (See also my recent analysis of Gator’s EULA.) However, my test PC became noticeably faster after Direct Revenue removed other unwanted programs that had been installed through security holes. So, for some consumers, Direct Revenue’s removal of competitors’ programs may offer a useful if surprising benefit. (Compare: Radlight removing Ad-Aware, without any apparent benefit to consumers.)

Case documents: Avenue Media v. Direct Revenue

As promised: Internet Optimizer’s case documents, alleging claims under the Computer Fraud and Abuse Act as well as for tortious interference with economic relations:

Complaint: Avenue Media, N.V. v. Direct Revenue LLC, BetterInternet LLC (PDF)
Memorandum in Support of Temporary Restraining Order (PDF)
Declaration of Moses Leslie (PDF)
Response by Direct Revenue (PDF) and supporting declaration of Joshua Abram (PDF)

Avenue may be suffering from wrongful behavior by Direct Revenue, but note that Avenue has problems of its own. In my tests, Avenue’s software (like Direct Revenue’s) was installed without any notice or consent whatsoever. (Again, I have video proof.) However installed, Internet Optimizer’s primary function is to show extra advertising, primarily by replacing web browser error messages with its own ads — not a feature most users request. In addition, Internet Optimizer’s EULA admits to tracking web sites visited and keywords searched. Finally, Doxdesk reports that Internet Optimizer has (or recently had) security holes that risk unauthorized installation of other software.

Update (February 8, 2005): Avenue Media and Direct Revenue have reportedly reached a settlement. No money will change hands, but the companies have agreed to no longer disable each other’s software.

More on Direct Revenue

Removing competitors’ programs is not Direct Revenue’s only controversial activity. Direct Revenue’s core business is showing extra pop-up ads. Which ads? Covering which sites? Early next year, I expect to release a report detailing some of the advertisers supporting Direct Revenue, and showing some ads Direct Revenue targets at certain web sites. Advance access available by request.

I also plan to present the sensitive information sent by Direct Revenue to its servers. In recent testing, I’ve seen Direct Revenue collect each user’s ethernet address or “MAC address” — a unique identifier permanently associated with each network card (i.e. with each computer). Direct Revenue also transmits users’ Windows product IDs — of particular interest due to their use in Microsoft’s product activation system.

I have recently observed that Direct Revenue tracks the .EXE names of all running tasks, specifically checking for installations of certain competing programs (including Gator and 180solutions) and for certain spyware-removal programs (including Ad-Aware and PestPatrol). Direct Revenue checks for these programs in the same way it checks for Internet Optimizer — suggesting that Direct Revenue might also target some or all of these programs for automatic deletion, just as it automatically deleted Internet Optimizer in the log shown above. That hypothesis is more than speculative: My November videos and packet logs show Direct Revenue deleting not just Internet Optimizer but also ActAlert/DyFuCa, EliteToolbar, and others.

Finally, note that Direct Revenue recently received $20 million of funding from Insight Venture Capital Partners, as well as $6.7 million from Technology Investment Capital Corp (TICC).