Slashdot Mirror


Spyware in Audio Galaxy

LintMan and a zillion other people wrote in about the story on Portal of Evil discussing spyware bundled with Audio Galaxy that seems to be even more nasty than usual. Others have written about it as well - there's Counterexploitation and Wired stories. Frankly, we're kind of bored by all these spyware/shareware stories (don't people learn?) so we let it sit around in the submissions bin for a few days, until, say, a slow Saturday night.

27 of 373 comments

  1. VX2 - Devious by Tony.Tang · · Score: 2, Informative
    I've written about this before, but in the interest of karma whoring, here it is in full:

    AudioGalaxy's [audiogalaxy.com] software unfortunately now installs VX2 by default. We didn't know this when we installed AG, and were subject to a pop-up ad so frequently, it was unbelievable. At first, I suspected the sites we were visiting, but they were even coming up on Google!

    The big throw was that the ads that were being served up always seemed to come from different places. One day, I decided to look into it, and discovered that all the ads were being downloaded from VX2 [vx2.cc].

    VX2 is a very devious piece of software, logging every one of the sites you visit, and then popping an ad every once in a while. If you surf quickly, it throttles itself; surf slowly, and it pops for every site. Quite devious, really.

  2. Remove it easily by DiveX · · Score: 5, Informative

    Hopefully Ad Aware (http://www.lsfileserv.com/index.html) will include it in their list soon, but until then it is an easy remove (http://www.vx2.cc/uninstall.html)

    The VX2 software is a single program file in the system directory called VX2.dll.

    To remove VX2:

    1) From the Control Panel select ADD/REMOVE programs. Select "VX2 RespondMiter" and "Remove".

    If VX2 RespondMiter is not present:
    2) Close all internet explorer browsers.
    3) Search your "C" drive for VX2.dll
    4) Delete VX2.dll

    If the system does not permit the file to be deleted proceed as follows.
    5) Select "Start" and then "Run" and type "regedit"
    6) Find and delete the entry named "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662}".
    7) delete the {00000000-5eb9-11d5-9d45-009027c14662} entry.
    8) Reboot computer.
    9) Search your "C" drive for VX2.dll
    10) Delete VX2.dll

    It seems to just plug itself in IE, so as usual Netscapers are pretty safe from this one....for now.

    --
    Cave, wreck, and deep diver.
    1. Re:Remove it easily by lightPhoenix · · Score: 2, Informative

      From what I understand 5.62 of Adaware will kill this.

      --
      http://www.somethingpositive.net Funny + bitter = comedy gold
    2. Re:Remove it easily by dan133 · · Score: 2, Informative

      I found VX2.dll in C:\WINNT (running win2k) but I couldn't delete it
      so I proceeded to follow the registry key deletion outlined above but couldn't find such an entry at the given path.

      So, an easier way for everyone, would be to search for "00000000-5eb9-11d5-9d45-009027c14662" and delete the result.
      That's what I did and then deleting VX2.dll was possible.

      Just letting those of you stumped know :)
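
An offline version of the check described in the removal steps and the follow-up reply above, added here as an example and not part of any poster's comment: it parses a `reg export` text file, lists every Browser Helper Object with the DLL it loads, and finds the VX2 CLSID wherever it is registered, not only at the documented path. The sample export, the second CLSID and the toolbar path are constructed for illustration.

```python
import re

# CLSID and file name as given in the removal steps above.
VX2_CLSID = "{00000000-5eb9-11d5-9d45-009027c14662}"
VX2_DLL = "vx2.dll"

# Constructed sample in `reg export` format; the second BHO is made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-5eb9-11d5-9d45-009027c14662}\InprocServer32]
@="C:\\WINNT\\VX2.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example Toolbar\\toolbar.dll"
'''

def parse_reg(text):
    """Parse `reg export` text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # String values escape backslashes and quotes in .reg files.
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            current[name.strip('"')] = data
    return keys

def audit_bhos(keys):
    """Return one record per registered BHO: CLSID, DLL it loads, VX2 flag."""
    lower = {k.lower(): v for k, v in keys.items()}
    findings = []
    for path in lower:
        m = re.search(r"\\browser helper objects\\(\{[0-9a-f-]{36}\})$", path)
        if not m:
            continue
        clsid, dll = m.group(1), ""
        # The COM registration names the DLL that IE loads for this CLSID.
        for root in ("hkey_classes_root", "hkey_local_machine\\software\\classes"):
            server = lower.get(root + "\\clsid\\" + clsid + "\\inprocserver32")
            if server:
                dll = server.get("@", "")
                break
        is_vx2 = clsid == VX2_CLSID or dll.lower().endswith("\\" + VX2_DLL)
        findings.append({"clsid": clsid, "dll": dll, "vx2": is_vx2})
    return findings

def clsid_references(keys, clsid=VX2_CLSID):
    """Every key whose path or data mentions the CLSID, wherever it lives."""
    needle = clsid.lower()
    return [k for k, vals in keys.items()
            if needle in k.lower() or any(needle in v.lower() for v in vals.values())]

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_EXPORT)
    for finding in audit_bhos(parsed):
        print(finding)
    print(clsid_references(parsed))
```

Removing only the Browser Helper Objects entry stops IE from loading the DLL; the keys returned by `clsid_references` show any registration that is left behind.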

  3. A bit late on the story by Trepidity · · Score: 5, Informative

    This story is not very timely, as the entire issue has been resolved for at least a week now. Audiogalaxy did include the VX2 spyware in their application, was thoroughly lambasted for it, and finally gave in to user complaints and removed it. The current version of audiogalaxy available on their website has no spyware in it (or at least no VX2 spyware, and no mandatory-install spyware; it might still include Gator or something as an optional install, I haven't checked).

  4. Other coverage not mentioned in story precis by RareHeintz · · Score: 3, Informative
    This has also been covered in a story at Kuro5hin, and in slightly more depth.

    OK,
    - B

  5. Re:License? by epsalon · · Score: 3, Informative

    Read the article!
    It says that it is mentioned at the end of the EULA, but only vaguely. In any case, do you actually read all those EULAs before clicking "I Accept"?

  6. Re:No Problem by sharkman67 · · Score: 2, Informative

    I'm using Sniffles on OSX to check for spyware.

    It allows logging of IP traffic in either TCP, UDP or ICMP protocols, over any ethernet or PPP link on your system. It also allows the use of custom filter programs, of the same syntax as that used by tcpdump, which allows you to specify a ruleset for determining which network packets are passed from the kernel into Sniffles for analysis.

    Nice to find a slick app like this freeware for OSX.

  7. Support lavasoft! by Graelin · · Score: 3, Informative

    If you're unfortunate enough to be running Windows, you will need to protect yourself.

    Lavasoft is helping you wage your war against the marketing droids. Support them! Let them, and the rest of the world, know that you won't stand for these kinds of privacy intrusions.

    Support lavasoft in their mission, buy their stuff!!

    [Disclaimer: I do not work for them, I just like my rights granted by being human.]

  8. Who's behind "VX2 Corporation" by Animats · · Score: 5, Informative
    After searching state corporation records, we find "VX2 Corporation" in Nevada. Address is "PO Box 21703, Las Vegas, NV, 89107", which isn't too helpful. The company president is listed as "Maurice O'Bannon".

    Looking up "Maurice O'Bannon" in Google, we find that name associated with a major Internet fraud case in Nevada and California involving $37 million of phony credit card charges which resulted in jail time for some of the participants.

    Uh oh. Spyware from people involved with credit card fraud is big trouble. This needs to be followed up with law enforcement.

    1. Re:Who's behind "VX2 Corporation" by Anonymous Coward · · Score: 1, Informative

      The link for the state-records does not work. Should have been: http://sos.state.nv.us/corpsrch.asp

    2. Re:Who's behind "VX2 Corporation" by theancient2 · · Score: 5, Informative

      This one seems to be a lot worse than the other spyware programs I've read about. Most just track things like the URLs you've seen. This one "collects some information from online forms that you fill out. This information is automatically sent to VX2 in order to save you the time and trouble of submitting such information to us yourself." (I love the way they word this thing. Save me the time and trouble. Thanks guys.)

      The spyware doesn't even stop collecting data when you're on a secure (SSL) site -- they'll just encrypt the data they collect. (Is there no end to VX2's thoughtfulness?) We're told to look for the "secure" icon before giving away personal information, and to deal only with reputable companies... but what good does that do when a very popular software program has installed a trojan which may or may not be sending credit card numbers to someone who may or may not be a convicted criminal?

      Adding popups to any random site you visit is along the lines of those programs that replace ad banners with their own, hijacking the site's revenue stream and making it appear that the site owner supports an advertiser they have no relationship with.

      To top it all off, they have the right to update their software in the background, and possibly install third-party applications without the user being aware. Does accepting this licence agreement mean I accept the licence agreements of any third-party software that may be installed at a later time?

    3. Re:Who's behind "VX2 Corporation" by torklugnutz · · Score: 2, Informative

      Nevada is a relatively easy place to become incorporated. This O'Bannon guy is using the service of a firm specializing in doing incorporations (Budget Corporate Renewals), which is located in 89107. Upon closer examination of the address, I see that it is located in a residential area behind a Target. Their phone numbers (702-870-5351 and 702-880-7044) correspond with this area of town. My guess is it is some home business thing.

      I doubt if O'Bannon has any base of operations out of Vegas at all.

      --
      Often in Error, Never in Doubt.
  9. The guy doesn't know how to do a whois lookup... by Mustang+Matt · · Score: 3, Informative

    I got much more info back than him. Just have to use the correct whois server.

    Registrant:
    vx2 (VX52-DOM)
    po box 27103
    Las Vegas, NV 89126
    US

    Domain Name: VX2.CC

    Administrative Contact, Technical Contact, Billing Contact:
    vx2 (D25000-OR) vx2org@hotmail.com
    vx2
    po box 27103
    Las Vegas, NV 89126
    US
    212 255 1008 fax: 123 123 1234

    Record last updated on 05-Oct-2001.
    Record expires on 31-Jul-2003.
    Record created on 31-Jul-2001.
    Database last updated on 26-Jan-2002 12:04:00 EST.

    Domain servers in listed order:

    NS1.VX2.CC 207.246.124.6
    NS2.VX2.CC 207.246.124.7

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  10. Re:No Problem by innocent_white_lamb · · Score: 2, Informative

    linux app that maximizes its install, hiding my taskbar with that dumb blue screen, and insisting on stealing focus.

    StarOffice/OpenOffice install program.

    Not that it's a big deal, but you did say you've not seen any so here are two examples, if you're interested.

    --
    If you're a zombie and you know it, bite your friend!
  11. onflow by kz45 · · Score: 4, Informative

    "We know nothing about VX2," Merhej said. The VX2 program file (called vx2.dll) was part of an advertising graphics enhancer made by the Onflow Corporation, he said. Audio Galaxy offered the Onflow program as part of its software package from Oct. 1 through Nov. 4, 2001, Merhej said. The partnership was cancelled due to unpaid bills.

    Onflow is the worst company I have ever dealt with.

    Our company (which shall remain nameless) used onflow technologies in our product for about 2 years. They paid us for the first few months of operation, but when they owed us a total of about $30,000, we received a letter claiming they had lost overseas investments, and they couldn't pay us.

    Funny enough, it looks like they are still in business.......

  12. Re:This is an excellent case for free software by Boiling_point_ · · Score: 4, Informative
    Something you might have missed: the Audiogalaxy Satellite software IS open source - GPL'ed, in fact. They produce their own compiled binary with an installer avec spyware, but anyone's free to roll their own.

    And as all good cooking show viewers will know, here's one prepared earlier... I hope you find this useful.

    --
    "If you create user accounts, by default, they will have an account type of Administrator with no password." KB Q293834
  13. Re:This is an excellent case for free software by Genghis+Troll · · Score: 5, Informative

    Only the user interface (ui.dll) is GPL'ed. They could put spyware in the actual, closed-source, executable.

  14. here's the slime. by footility · · Score: 3, Informative

    There is a reference to joshua@abram.com on the
    "contact" page at vx2.cc. This is the whois
    from vx2.org. coincidence? I think not.
    go get him ;-)

    Registrant:
    Abram, Joshua (VX54-DOM)
    444 east 57th street
    New York, NY 10022
    US

    Domain Name: VX2.ORG

    Administrative Contact, Billing Contact:
    Abram, Joshua (FSQYHRRZLI) joshua@abram.com
    444 east 57th street
    New York, NY 10022
    US
    212 255 1008

    --
    What f*ing box!?!?
  15. Re:No surprise to me... by BCTECH · · Score: 2, Informative

    Morpheus is not spyware free. It installs B2d projector from briliantdigital.com. If you are running it check out c:\bde

  16. Slipped past the guys at AG, but understandable by Omar+El-Domeiri · · Score: 3, Informative

    Having worked at Audiogalaxy this past summer, I can assure you it's not the case that they meant to bundle this, it had to have happened by accident.
    Its bundling goes against their views of making all bundled software opt-in, meaning the user must check a little box to opt-in otherwise the default setting is to not install bundled stuff.

    After reading the Wired article, I think it's pretty understandable how this slipped past the guys at Audiogalaxy. The spyware mentioned is just one little file, vx2.dll. Since it came with Onflow's advertising software, to the guys at AG it must have looked like it was a dll that Onflow dynamically linked their code to. It just goes to show you how sneaky companies like vx2 are. I bet spyware companies just try and submerse themselves further like the parasite they are, and just go tag their BS onto legit dll's.

    Knowing how the folks at AG are, they'll be taking a fine comb through their bundleware to maintain that opt-in philosophy.

  17. My ad hell by hyrdra · · Score: 5, Informative

    It may be bad popping up ads when you're surfing the web, but what about just whenever. That's what happened on my system.

    I, like Chet & Eric of the linked article, do support programs having internal ads to support themselves as free software. However, monitoring users' behaviors is another story -- that's your computer and most contracts (as I have heard from a lawyer friend) cannot "sign" that away; for example your landlord cannot include a clause stating he has the right to monitor your mail, who you talk to, etc. and by living in the property he owns, you forfeit those rights, and if you do not agree with them you cannot live there. Well, folks, this is exactly what most of these programs are having you agree to. The fact is, they're illegal contracts. You cannot gather personally identifiable information (it's identifiable because they are able to deliver targeted advertisement thus they must have a system to know who you are) if you signed the rights away or not.

    I have accepted that companies do this and there really isn't a way of getting around it (heck, I don't really care what they do with the info, I'm not going to buy something from any ads they use and that'll be my contribution). So I have tolerated these commercial bombardments. That is until something strange happened.

    All of a sudden while I would be at my desk in the same room (this is at work mind you), I would notice activity on the monitor. Going over to look at it, I would notice an ad window had mysteriously popped up, when no programs were running and I hadn't been using the computer for hours. In the morning I typically had several windows to close after the night's ad-popping fun.

    Thinking it was a web site which somehow introduced a popup delay, I dismissed it at first. But it got worse. It was impossible to work on a Word document without having an ad popup and steal focus from my document. I also came to the realization when you close a browser window, its process ends and thus a delay javascript wouldn't work.

    I finally decided that it must be some program launching these ad windows. Searching the running process list, I noticed an interesting program happily running. Savenow was the culprit. This program was actually popping up windows on my personal desktop, on my computer (yes, I do own it) and collecting web browsing data in the background, even when its associated product wasn't running! Deleting the savenow executable, I was free of the ads yet outraged of how this company violated my privacy and my computer, and also compromised the security of my employer. What if they could learn something about our project based upon my web browsing habits and sell that to another company?

    After that incident, I went in with a resource editor on every single ad-supported program on my computer and removed the ad resources. I also installed ad-blocking software. Still though, I do occasionally get ads and various brandings. I have since persuaded my boss to let me put my Linux box on the network, but still, how long until we see these ads and tactics on Linux? How long until these ad programs start embedding ads in your paid for software, or interfacing with your printer driver to print a banner ad out on every page?

    The point I'm trying to make is I am all for advertising and realize it does support free products quite nicely, but when it invades my privacy and makes me sign illegal contracts, I get angry. Anyone would. And something should be done about it. I don't have the resources, I can only not buy the products they force on me and put a dent in their success rate thus no ads. But someone with the resources and time should go after these bastards.

    --


    "I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
  18. Re:No surprise to me... by autopr0n · · Score: 2, Informative

    On the topic of bitrates, I rip all my CDs at 320kbps. Now that's quality :)

    If by 'quality' you mean 'inaudible waste of space'

    --
    autopr0n is like, down and stuff.
  19. I like Gator! by genka · · Score: 2, Informative

    I've been using it for several years, and it does a pretty good job filling out forms and remembering passwords. All personal data is stored locally, encrypted and easily exported or imported. After each install I go through a little procedure to "pull Gator's teeth"
    1 Uninstall "Offer Companion" from Control panel
    2 Open Regedit and go to HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\dyn
    3 Change servers URLs to 127.0.0.1
    After this I never see a banner.
    Downside:
    1 Gator runs two memory-hungry processes
    2 I don't know if their encryption for my data is any good
    You can start throwing rocks at me now.

  20. Re:Do you know what spyware means? by BCTECH · · Score: 2, Informative

    You're correct. It does not send back information to a centralized server. Apparently it has an automated silent update procedure like Onflow. I was incorrect in classifying it as spyware.

  21. VX2 Corporation Info followup by Animats · · Score: 5, Informative
    OK, let's recap what we now know about VX2 Corporation. Some of this info is corrected from the last posting.

    The Nevada Secretary of State Corporation Search gives us:

    • President: MAURICE O'BANNON

    • Address: PO BOX 27103
      LAS VEGAS NV 89126

    Checking "vx2.cc" with Network Solutions WHOIS:
    • vx2 (VX52-DOM)

    • po box 27103
      Las Vegas, NV 89126
      US

      Domain Name: VX2.CC

      212 255 1008 fax: 123 123 1234

    The post office box addresses match, so the Nevada VX2 Corporation is the correct business.

    "Maurice O'Bannon" is mentioned in several legal documents related to the J.K. Publications scam. In that case, O'Bannon was on paper an officer or director of several dummy Nevada corporations which were fronting for a multimillion dollar phony credit card billing scam operated by Kenneth Taves of Malibu, CA. (Mr. Taves is currently Inmate #12289-112 at the Los Angeles Metropolitan Detention Center). O'Bannon, though, appears to be some guy in Nevada who just signed whatever was put in front of him. In the judge's words [large .PDF] "Maurice O'Bannon had an informal agreement with Nevada Corporate Headquarters, Inc., an incorporator, to act as a nominee for their client-corporations and sign whatever documents Nevada Corp wanted him to sign." The judge was bothered by O'Bannon's actions, but the FTC didn't have enough evidence that he had control of or profited from the scam to put him away.

    The J.K. Publications scam involved obtaining a database of 3.6 million valid credit card numbers and charging them small amounts each, supposedly for use of a porno site. The mess involved offshore bank accounts in the Cayman Islands and Vanuatu, but much of the money has been recovered. Company names involved were JK Publications, Inc., MJD Service Corp., Netfill, N-Bill, Webtel, Billing On Line, Fun On Line, and Discreet Bill.

    We're not at the bottom of this yet, but it looks very suspicious.

  22. AGstreme by eries · · Score: 4, Informative

    Here's a plug for AGstreme, which I switched to after I heard about this latest round of spyware nonsense. It's a GPL AudioGalaxy client replacement, with a boatload more features. My favorite: it can read CDDB entries and then request download of one or more tracks from a given CD. Pretty darn cool:

    http://www.ractive.ch/gpl/AGStreme.html