P2P Downloads Fuel Spyware
June 21, 2005
PC Pitstop has previously examined the dangers in P2P software bundles, but there are also dangers in the files you can get from these networks. Last week, Chris Boyd (a.k.a. PaperGhost) of VitalSecurity.org published the first public information about spyware installs created by a company named Marketing Metrix Group (MMG). In many ways, though, that is the last chapter of the story. During May and June, MMG was pelting BitTorrent sites with a steady stream of spyware-infested downloads. The incident shows how the adware industry lacks either the skill or the will to police its distribution channel, and how users are usually the victims of its shortcomings.
The first time I encountered one of the MMG files in mid-May, it installed a witch's brew of spyware, adware, trojans, and toolbars. The payload included 180Solutions, BargainBuddy, ExactSearchBar, IBIS Toolbar, ContextPlus, ShopAtHomeSelect, Direct Revenue, and UCMore. Several other pieces of software were running that provided their owners with an ongoing ability to install anything they might require in the future.
In reviewing comments on BitTorrent forums, it appears that MMG's infected files had been posted as early as mid-April. Administrators of the BitTorrent sites removed the files and/or banned the users when someone reported them, but it sometimes took several days before this occurred. This provided a window of opportunity where the downloader would be unaware of the effects of MMG's file and continue to share it for others to download.
MMG seemed particularly busy with new files on Fridays, perhaps in the hopes that the admins would be away for the weekend and unable to clean up the mess for a while. Although I observed several files that were hundreds of megabytes during May, the later posts tended to be less than 50 megabytes; perhaps MMG was betting that more people would successfully download short files before warnings were posted and the files removed.
All of the MMG files shared similar traits. They were enticingly labeled to maximize interest in them, though the content varied; adult videos, cartoons, games, and pirated software were all used as bait. There was always an .exe installer, often wrapped in a ZIP or RAR archive to disguise this fact. When the installer ran, it displayed a license from Metrix Marketing Group (the company calls itself Marketing Metrix Group on its web site) and required the user to agree before continuing. Next, it installed its payload of adware and spyware. In the final step, it extracted whatever content was implied by the original file name and deposited it on the system.
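The traits described above (a download labeled as a video, cartoon or game that actually contains an executable installer wrapped in an archive) are easy to check for before anything is run. The script below is an added example written for this page, not code from PC Pitstop or from any of the companies mentioned; it inspects a ZIP archive held in memory and flags the patterns the article describes: executables inside an archive presented as media, double extensions such as `.avi.exe`, and files whose contents begin with the Windows PE `MZ` header despite a non-executable name. The sample archives are constructed inline so the example runs offline; the extension lists are the author's assumptions, not an exhaustive set.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions a download advertised as video, music, images or documents should contain.
# Assumed list for this example; extend it to match your environment.
MEDIA_EXTENSIONS = {".avi", ".mpg", ".mpeg", ".wmv", ".mp4", ".mkv", ".mp3",
                    ".jpg", ".png", ".gif", ".pdf"}

# Extensions Windows will execute when double-clicked (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".msi", ".vbs", ".js"}

# Every Windows PE executable starts with these two bytes, whatever its name.
PE_MAGIC = b"MZ"


def inspect_zip(archive_bytes: bytes) -> list[str]:
    """Return a list of human-readable findings for a ZIP archive in memory.

    An empty list means none of the bait patterns were seen.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            ext = suffixes[-1] if suffixes else ""
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))

            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"executable inside archive: {info.filename}")
            # "movie.avi.exe": the media extension is shown, the real one is hidden
            # when Windows Explorer hides known extensions.
            if len(suffixes) >= 2 and suffixes[-2] in MEDIA_EXTENSIONS \
                    and ext in EXECUTABLE_EXTENSIONS:
                findings.append(
                    f"double extension disguises executable as media: {info.filename}")
            # Content check: a PE header under a non-executable name is a renamed installer.
            if head == PE_MAGIC and ext not in EXECUTABLE_EXTENSIONS:
                findings.append(
                    f"PE header in file not named as executable: {info.filename}")
    return findings


def is_suspicious(archive_bytes: bytes) -> bool:
    """Verdict helper: True if any bait pattern was found."""
    return bool(inspect_zip(archive_bytes))


def build_sample_zip(entries: dict[str, bytes]) -> bytes:
    """Build a ZIP archive in memory from {name: content} (used for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample 1: an archive labeled as a cartoon that carries a PE installer
# under a double extension, plus a renamed installer posing as a PDF.
SAMPLE_BAIT = build_sample_zip({
    "Cartoon_Movie_Full.avi.exe": PE_MAGIC + b"\x00" * 62,
    "ReadMe_First.pdf": PE_MAGIC + b"\x00" * 62,
    "notes.txt": b"constructed sample, not real content",
})

# Constructed sample 2: a harmless archive with a real-looking AVI and a text file.
SAMPLE_CLEAN = build_sample_zip({
    "cartoon.avi": b"RIFF\x00\x00\x00\x00AVI LIST",
    "notes.txt": b"constructed sample, not real content",
})


if __name__ == "__main__":
    for label, sample in (("bait", SAMPLE_BAIT), ("clean", SAMPLE_CLEAN)):
        print(f"{label}: suspicious={is_suspicious(sample)}")
        for finding in inspect_zip(sample):
            print("  -", finding)
```

The check is deliberately limited to ZIP because the Python standard library can read it; RAR archives, which the article also mentions, need a third-party extractor, and the same three checks apply to their listings. Running it on the constructed samples flags the bait archive three times (the `.avi.exe` entry twice, the renamed PDF once) and reports nothing for the clean one.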
MMG's financial model is enviably efficient. By using P2P networks to spread its files, MMG only needs to use a few computers as "seeds" to get the downloading started. Once the file has been picked up by dozens or hundreds of other PCs, they will help do the dirty work at no cost to MMG. With its large initial payload of adware, each successful install might have yielded as much as two dollars.
The question is, was MMG directly pocketing all the profits from these installs, or were they just being paid a flat rate by some other distributor? MMG made its services available directly to adware makers; their web site showed HotBar.com as a customer, and 180Solutions said they were using MMG in conjunction with PartyPoker.com. The MMG web site shows flat rates for distributing files on several P2P networks, so perhaps the trail doesn't end at MMG. The MMG web site (marketingmetrixgroup.com) was hacked on June 17th and has been down since then, so there's no way to contact MMG directly to find out where this trail leads.
We Didn't Know
Due to the nature of the content bundled with this particular file (an adult video), I attempted to contact the companies involved to ask about their policies on bundling their products with adult content. I received answers from everyone except UCMore, which never sent any reply despite several attempts to contact them. In subsequent conversations, I offered to provide documentation of my findings, including screen shots, the actual downloaded files, and network traces of the activity during the install.
With two exceptions mentioned below, each company I contacted expressed surprise that their products were being distributed with adult content. Joanna Culbertson of the Belcaro Group, makers of ShopAtHomeSelect, said "We're a family-owned business; there's no way we'd want our product to be involved with pornography." Robert Bogdanoff at IBIS, maker of the WebSearch toolbar, said "The activities you describe should not be associated with any of our products. We haven't received any complaints about this, but we'll certainly look into it."
Within two weeks, most of these companies had indeed taken action. Generally, their replies indicated that they had identified the affiliate that was distributing their product and put a stop to it. MMG was still uploading several files a day to BitTorrent sites at the end of May, but the payload had dwindled to products from just two companies: 180Solutions and Direct Revenue. The situation with these two is a bit trickier; they do allow their software to be bundled with adult content, so an affiliate needs to be guilty of more than mere pornography to get the boot. That should be no problem; I offered to provide both companies with quite a bit of information about the incidents.
With even a cursory investigation and follow-up, an adware maker should have been able to find several reasons why this distribution needed to stop. First, the downloads violated the copyrights of several software and video authors; I was able to verify at least three cases, but there appear to have been dozens. Second, this distribution made it easy for minors to access adult content; a EULA and the honor system are not an effective safeguard for a 15-year-old boy. Finally, some of the adult videos depicted young girls and implied they were under 18 years of age.
Grey Areas, Shady Practices
Direct Revenue was not communicative or cooperative in pursuing this issue. In mid-May, I made Direct Revenue aware that their application was being distributed by MMG with potentially inappropriate content. I offered to send them copies of downloaded files and network traces; they never asked for that information. Following up on June 1, I reiterated the same offers and expressed concern that the company had taken no action; that received no reply at all. Finally, on June 16th, and only after Chris Boyd's public blog-flogging about this issue, Direct Revenue said they had terminated the distributor.
I was able to discuss the MMG incidents with 180Solutions, and provided them copies of several files and install logs. They indicated that the problems identified in the process could either be remedied or were not their responsibility. The MMG license originally had no mention at all of 180Solutions, for example. "It's a grey area," explained York Baur at 180Solutions. "IST is mentioned in the license, and our product is installed by IST. We'll be reviewing our policy on that." (In later distributions, MMG made a change to mention 180Solutions in the license.) What about distribution of pirated content? "They are telling us they have a license to the content." And what if there actually are problems with MMG's practices? "If you shut them off, it just drives them to other channels. It's better to police them."
However, the VitalSecurity.org disclosure seemed to push the situation over the top. On June 21, I received an email from Brian Wallace at 180Solutions, which said in part: "On Wednesday, June 14, other instances of unacceptable behavior were brought to our attention. We decided it would be in the best interest to pause the relationship until these issues could be addressed by MMG. As we contacted them, THEY actually said they were going to turn off ALL their channels for the next couple weeks. They claimed that they had lost partial control of their own affiliate network and needed time to revamp their network and install practices."
If this episode demonstrated anything, it showed that there is fading hope the adware industry can regulate itself. None of the adware companies involved here seems to have any effective fraud prevention measures. Is this because they benefit from these questionable installation practices, because they don't see any benefit in the cost of fraud prevention, or simply because they naively believe these are out-of-the-ordinary occurrences? Whatever the reason, Direct Revenue and 180Solutions certainly did not take quick action to shut down this problem.
If the past is any indication, MMG will not suffer any serious consequences from adware companies for these distribution tactics. Although 180Solutions says MMG was not paid for any of these fraudulent installations, that isn't the case for everyone. IBIS' Bogdanoff explained the financial reality of the situation: "Affiliates want to be paid quickly ... some of them are even prepay deals. In most cases we're dealing with a few thousand dollars, and it would cost more than that in legal fees to go after them." Those bad distributors can do this math as well; is it any wonder that the problem is growing?
Still, MMG's brazen tactics of bundling copyrighted and controversial content went further than any previous incident, and may result in legal action from the copyright holders. Though MMG (and/or the company that contracted with them to distribute the files) is ultimately responsible for what they do, a reputable company should not want to do business with someone that it should reasonably know is breaking the law or at least violating a distribution agreement. The multi-level distribution schemes that many adware companies employ seem almost designed for shirking responsibility. When a problem arises, as it does nearly every month or two, the adware companies seem to use this "chain of irresponsibility" to insulate themselves from accusations of wrongdoing.
How could the MMG situation be avoided in the future? The most important thing is to eliminate financial rewards for rule breakers. Adware makers should hold back commissions for 30 days or more on new distributors, and place commissions on hold for any distributor suspected of problems. They should abandon the multi-level anonymous distributorships that breed fraud. Adware companies could even pay a bounty for outside reports of fraud, which could easily be funded by forfeited commissions. Still, adware makers should not expect to leave their fraud prevention to outside security experts. Every one of them should have an in-house team that monitors its own network, rather than simply waiting for independent investigators to report problems.
What if adware makers don't act? We can hope that reputable advertisers will avoid them, and there are encouraging precedents. In early June, advertisers pulled ads from Yahoo when they found that their ads were supporting chat rooms being used by child predators. I can't imagine advertisers will be any happier about the methods these adware companies are using through companies such as MMG.