Oh yeah, it’s the one where all customers are abused, intimidated, interrupted, frustrated, confused, and their system is professionally known as “hosed.” It’s the business model of choice from our favorite adware/fraudware syndicates, hard at work.
Some of the analysis in our lab takes a bit to sort out. The malware’s activities just don’t seem to make any sense at all at first, and understanding them takes some time and patience. The one we will detail here fits the bill — it takes more than an hour of time and some amount of user interaction for the whole scam to play out.
We’re looking at software that falls under the category of adware and fraudware. The organizations and motivations behind this stuff are questionable at best. The unfortunate thing is that it involves some of the most prevalent malware in the wild — there are LOTS of takers.
The basic idea behind this business model is easy enough to understand: convince a user to install something that seems to be of some value, but bundle lots and lots of adware with it. The ads and junk that pop up produce revenue, but eventually all the malware that is downloaded and installed will “hose” the computer. The system becomes bogged down communicating with backend servers, fetching the next ad to display, and running all the newly installed software. The user becomes confused and frustrated, which used to be a problem for the business model: although the adware produces income from all those connections, it shouldn’t overwhelm the system to the point where the user can’t use it at all.
Here’s the twist: install so much adware and spyware that the user is confused and frustrated, then convince the user they need to install “security software” to clean up the mess. Moreover, persuade them that they need to pay for that cleanup. That persuasion is pretty easy, since the groundwork has already been laid by all the adware and malware just installed on the system.
The worst of the worst web sites performing these massive installs seemed to have been taken down or gone out of business, because the model of destroying the usability of your customer’s system fails. But new sites get set back up, and the creators keep adding tricks, like what the established industry is calling “Rogue Anti-Spyware.” We’ve been calling it “Rogueware,” and it was extremely prevalent throughout 2007:
Doesn’t the above image look familiar? It’s the same stuff we saw in September of 2006, when Microsoft found out about the buggy VML rendering in Internet Explorer. That 0-day was used to distribute tons of this Rogueware from malicious web pages onto unsuspecting users’ desktops. Here is a shot from back then. Familiar, no?
So one of our marketing guys stops in the lab, takes a look at the screen, and asks “are you kidding me? What is the business model behind that? I thought that filling a user’s system up with so much crap that it’s unusable didn’t make you money!!”
But there it is. Staring us in the face was this monitor: covered in popup ads, unable to switch between the applications we were actually trying to use, a process monitor on the left side of the screen full of new malicious processes, fraudulent demands to clean up spyware and other evil software appearing onscreen, and more processes than the system could handle. The system was so bogged down that I couldn’t open an Explorer window to the C: drive. Isn’t this the internet nuisance of yesterday? Aren’t they done with this?
The answer is no. Individuals attracted to free software offers, often utilities from the sex industry or an illegal keygen, and open to trying out new software will always be the target of this kind of stuff. But where is the money in this? The user’s machine is hosed.
Well, the answer is: partly from the relentless popups and ad windows, and partly from intimidated users paying up when their desktop mysteriously screams “WE KNOW YOUR IP ADDRESS, WHO YOU ARE AND YOU HAVE TO GET THIS STUFF OFF YOUR SYSTEM. NOW PAY UP! 30 BUCKS!”