Slashdot Mirror


Morpheus Hijacks Browsers For Affiliate Links

An anonymous reader submits: "According to this news.com article, Morpheus (aka StreamCast) has begun silently installing a browser plugin on its users' machines that basically hijacks the web browser even when not running Morpheus. An afflicted browser will sense if a user is going to visit a shopping site like Yahoo! or Amazon, and secretly send them to a different site instead and then redirect them from this site to the user's intended destination. The user will not be aware that this is happening... however the site doing the redirecting will benefit because they are set up as an affiliate partner and will get a commission on the backs of the user. On a horrible scale of 1 - 10 for sleazy business practices, I rate this a 9. Comments?"

27 of 489 comments

  1. more links by kritikal · · Score: 4, Informative
  2. It's scumware... by ckkoh · · Score: 5, Informative

    This belongs to a new breed of nuisance known as scumware. Check out http://www.scumware.com for more info.

  3. At least it's easy to disable by Tremblay99 · · Score: 5, Informative

    Under "Tools" -> "Internet Options" -> "Advanced" deselect "Enable third party browser extensions" and reboot. Even if the .dll responsible for the redirection, bpboh.dll, is installed, it won't be able to run.

    1. Re:At least it's easy to disable by Anonymous Coward · · Score: 1, Informative

      so? and you can turn that off also :)

      all they use it for is page statistics anyways, at least that's what they claim ;p

    2. Re:At least it's easy to disable by GoRK · · Score: 5, Informative

      No it doesn't. Browser extensions aren't the same thing as plugins like flash/shockwave/etc. that handle files based on a mimetype (or file extension - stupid Microsoft). Browser Extensions change the behavior of the browser itself - they are things like the Google toolbar and that Alexa piece of crap. There are some useful ones too that do things like block ads and kill popups. I have Extensions turned off and I can still see flash just fine. Sadly, I can no longer kill popups or ads so easily in IE anymore. Oh well... for all these settings and extensibility, we still can't control the levels of access that scripting languages have to our system or selectively allow certain programs to run.

      I think IE is scumware.

  4. Has anyone asked Amazon about what they think? by shri · · Score: 5, Informative
    Has anyone asked Amazon what they think about this practice?

    From what I can see on their website ..

    To protect the integrity of the reputation of Amazon.com Associates as well as the Amazon.com brand name, you may not promote your site via certain forms of indiscriminate advertising, commonly referred to as "spamming." Accordingly, you may not promote your site via unsolicited commercial e-mail (UCE), postings to non-commercial newsgroups, or cross-postings to multiple newsgroups at once. In addition, you may not promote your site in any way that effectively conceals or misrepresents your identity, domain name, or return e-mail address.

    If I were Amazon, why would I pay 10-15% margin to someone who has not really promoted the product, but has hijacked the links?

    They also probably violate this portion of the operating agreement.

    We may reject your application if we determine (in our sole discretion) that your site is unsuitable for the Program. Unsuitable sites include those that:
    * promote sexually explicit materials
    * promote violence
    * promote discrimination based on race, sex, religion, nationality, disability, sexual orientation, or age
    * promote illegal activities
    * include "amazon" or variations or misspellings thereof in their domain names
    * otherwise violate intellectual property rights
  5. Wait Until the ISPs Install It by Anonymous Coward · · Score: 1, Informative

    I used to work for a company that was developing software/hardware that would allow ISPs to do this for all traffic passing through them.

    What was interesting was that you could not only add affiliate codes and redirects for links that didn't have them - but that you could also replace existing affiliate codes if you wanted to, basically hijacking the commissions.

    They had lots of other ideas for doing similar things - and once the hardware/software is in place at the ISP, there's really not a lot the user can do about it except change ISP.

  6. Re:after reading that article... by graveytrain · · Score: 2, Informative

    Indeed, the article painted a much different picture than that given by /. It seems to be that this whole issue is actually reversed -- the browser doesn't visit a commerce site in the background - it visits a 'counter' site when you visit a commerce site.

    >Thus, when a file swapper visits a site such as
    >Radioshack.com, eBay.com or a handful of others,
    >their computer visits a separate site behind the
    >scenes before loading the final destination site.
    >Those separate servers, run by marketing
    >companies including Be Free, count how many times
    >Morpheus users stop by.

    This isn't exactly what the headline led you to believe...

    --
    "Just tell him ya did it! That's what he wants to hear anyway..."
  7. More browser scumware, and how to remove by heretic108 · · Score: 3, Informative

    While visiting astalavista to, um, get a serial number that I'd previously lost from a program I'd bought, I followed a link to a site http://www.cracks.am. When I clicked on the link to download the serial, a dialog popped up asking for my permission to install a program from C2 Media, and certifying that the program had a certificate from Verisign.
    Stupidly, I clicked yes, and promptly regretted it. A whole day of browser abuse followed.
    * My desktop got taken over by an 'affiliates' homepage
    * My desktop got swarmed with icons for adult and gambling sites
    * If a site took a long time to load, or got a 404, my browser would end up at the portal http://www.lop.com, part of the 'affiliates' network.
    The program didn't leave a listing in the add/remove window. It wasn't in c:\program files.
    It had buried itself deep into my windows folder.

    Instinctively I searched my disks and registry for lop.com and removed all references. No cure. My browser still kept going to lop.com.

    My only cure was radical action. I ran Win2k in a VMware box with disks set to non-persistent. Immediately before saying 'yes' to the installation, I ran the 'InCtrl' install tracker program. Thank God for InCtrl - after the install was done, I had a list of all files added by this nasty piece of scumware, and had the utmost pleasure in removing it once and for all.

    --
    -- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
  8. Re:What is the plus side to using Morpheus? by Ian+Peon · · Score: 2, Informative

    Heh... I wonder what website a Morpheus user would find himself at if he clicked here.

  9. Bearshare does this too by rufusdufus · · Score: 4, Informative

    Installing Bearshare also installs two secret spyware apps. One of them does a similar redirection, but is especially evil because it bypasses firewalls like ZoneAlarm. More information about this at cexx.org/newnet.htm and lots of related stuff at the root cexx.org

    1. Re:Bearshare does this too by mr3038 · · Score: 3, Informative
      Installing Bearshare also installs two secret spyware apps.

      Yeah, but I was able to figure this out! The dialog in question presented during installation has the following checkboxes:

      • BearShare
      • BearShare Desktop Icon
      • SaveNow
      • New.net Domain Names
      • Desktop Shortcuts: Links to Great Products
      • n-CASE Ad Delivery System
      Simply uncheck everything else but BearShare and there's no spyware. To be honest, if you couldn't figure out which of those you need then I'd suggest you sell your PC and purchase an Xbox or PS2 instead.

      ("Secret spyware" that was mentioned contains New.net and SaveNow)

      --
      _________________________
      Spelling and grammar mistakes left as an exercise for the reader.
  10. other software installed by vlauria · · Score: 2, Informative

    For you Windows users, I noticed that Morpheus also installs a program called BDE under "\%Windows%\BDE", and it installs a Registry Key under:

    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".

    This key loads the program at startup. The program appears to be some sort of video codec/player.

  11. How to disable Morpheus redirects by Dynedain · · Score: 5, Informative

    After reading this article (and noticing redirects being performed on my system - I thought it was something else, not Morpheus) I downloaded this utility: BHO Cop which is designed to search out these nasty browser-attached proggies and allow the user to disable them. I found the culprit: bpboh.dll put out by Wurld Media, who, according to their inadequate website, claim the primary goal of their business is to help companies be profitable (very ambiguous, don't you think?).

    Well, I disabled the .dll w/ BHO Cop, relogged in (WinXP) and lo and behold, when I go to amazon.com, I end up at the root page rather than a referral page deep in the system.

    So - download and run BHO Cop now! who knows what else you might find (Acrobat seems to have dumped something as well)

    --
    I'm out of my mind right now, but feel free to leave a message.....
  12. Lavasoft's AD-AWARE will Remove this thing for ya! by EMR · · Score: 5, Informative

    Go to http://www.Lavasoft.com and download ad-aware and the latest ref update and have it remove all your spyware from your computer.

  13. Method to remove Morpheus spyware by jonearth · · Score: 2, Informative

    The new Morpheus marketing program is based on a technology called browser helper objects (BHO), which attach themselves to Microsoft's Internet Explorer browser.

    The Morpheus spyware is just a .dll that will be loaded every time your Internet Explorer starts. It is registered in the Windows registry.

    So this BHO spyware can be removed by using bhocaptor. Bhocaptor displays all BHOs that are registered within the Windows registry. So, what you need to do is to select the Morpheus BHO (a .dll file) and then deactivate it.

    As bho is an Internet explorer technology, those who are using netscape or mozilla should be immune to this spyware.
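
A read-only inventory of the registry registrations described above, as an added example that is not part of the original post or of any tool named in the thread. It assumes the standard machine-wide BHO key and its 32-bit view; the function name `Get-RegisteredBho` is hypothetical.

```powershell
# Added example (not from the thread): list machine-wide IE Browser Helper Objects
# and the DLL each one loads. Read-only: nothing is changed in the registry or on disk.
# Per-user COM registrations under HKCU\Software\Classes are not covered.
$BhoSubKey = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Native registry view, plus the 32-bit view present on 64-bit Windows.
$Views = @(
    @{ Name = 'native'; Software = 'HKLM:\SOFTWARE' },
    @{ Name = '32-bit'; Software = 'HKLM:\SOFTWARE\WOW6432Node' }
)

function Get-RegisteredBho {
    foreach ($view in $Views) {
        $bhoRoot = Join-Path $view.Software $BhoSubKey
        if (-not (Test-Path -LiteralPath $bhoRoot)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $bhoRoot) {
            $clsid  = $key.PSChildName   # each subkey name is a COM class ID
            $server = Join-Path $view.Software "Classes\CLSID\$clsid\InprocServer32"
            $dll    = $null
            if (Test-Path -LiteralPath $server) {
                # The default value of InprocServer32 is the DLL the browser loads.
                $dll = (Get-Item -LiteralPath $server).GetValue('')
            }

            $status = 'NoDllRegistered'
            if ($dll) {
                $dll = $dll.Trim('"')
                if (Test-Path -LiteralPath $dll -PathType Leaf) {
                    $status = (Get-AuthenticodeSignature -LiteralPath $dll).Status
                } else {
                    $status = 'FileMissing'
                }
            }

            [pscustomobject]@{
                View      = $view.Name
                Clsid     = $clsid
                Dll       = $dll
                Signature = $status
            }
        }
    }
}

Get-RegisteredBho | Sort-Object Dll | Format-Table -AutoSize
```

The signature column is a triage aid only; as another comment in this thread notes, a Verisign-certified installer can still deliver unwanted software.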

  14. From the Download Page by Screamer49 · · Score: 2, Informative

    Taken from the download page of Morpheus:

    "This ad-supported software includes technology that will serve banner advertisments through the program interface. Morpheus also includes BuyersPort, a shopping portal that may log your IP address, track surfing habits online, and share aggregate user information to third parties. For more information, please refer to BuyersPort's privacy policy."

  15. let's play with this... by gregor · · Score: 3, Informative
    I played with a few URLs, and here are my findings:

    www.ebay.com

    links to http://www.qksrv.net/image-280514-220264, which has an instant redirect to pages.ebay.com. I played with this in netscape 6.2 and lynx, and they still directly put me towards www.ebay.com. There is definitely redirection occurring here.

    www.amazon.com

    links to http://www.amazon.com/exec/obidos/subst/home/home.html/104-9801158-34639, while netscape and lynx go to a similar (but not the same) page in the same sub-directory tree. I'm not sure if there's a url redirect occurring here.

    www.barnesandnoble.com

    In IE, goes to http://service.bfast.com/bfast/serve?bfmid=2181&sourceid=21425507&categoryid=rn_home, then redirects towards a barnesandnoble.com redirected address. Netscape and lynx still go straight to the low level barnesandnoble.com address. There is also definite, blatant redirection occurring here.

    So, there you have it- out of just three simple checks, Morpheus went and screwed with two of them. I'm getting this crap off my machine and installing a better gnutella client.

  16. Re:Sleezy, but no point in Morpheus anymore anyway by ender81b · · Score: 5, Informative

    Exactly. Why the hell are people using it anyways? Go here to download the spyware free and opensource version.

  17. What Happened to "No Spyware"? by dugless · · Score: 3, Informative

    Didn't Morpheus just recently (as in last month) contain a prominent "no spyware" logo?

    That sure didn't last long.

  18. Delete the plugin by Otis_INF · · Score: 2, Informative

    The plugin is likely to be found in the directory:
    \winnt\downloaded program files\
    where all the IE plugins are stored. I don't know the correct filename, but you should first de-register it from the registry by using regsvr32 /u filename and then delete it from the dir.

    --
    Never underestimate the relief of true separation of Religion and State.
  19. Re:Scary by Anonymous Coward · · Score: 1, Informative

    That's the Windows System Registry. There, you can get names, passwords, Install codes, all kinds of neat stuff. Hit Gnutella or Morpheus. Do a regex to get the keys, etc.
    That's scary.


    So what do you propose? There is no safe way to store passwords if you have to send them plain text later, that is if you assume security through obscurity is not safe, which most people do.

    Oh, and real men use regedit.exe (what's in a name) to search the registry and use regmon to find out what stuff software is storing/reading from the registry (that includes user.dat/user.man, which has unique user data rather than the system-wide settings in system.dat)

  20. Morpheus is crap by JimPooley · · Score: 1, Informative

    One of the guys at work had this on his PC, but after the weekend I came in and our IDS had reported shitloads of snarky portscans aimed at him. So he took it off again.

    Just don't go there....

    PS. EMI report today that due to falling profits, they're laying off 1800 people. That's eighteen hundred people who have lost their jobs, because of shit like Morpheus allowing easy piracy..
    Don't forget that. Music theft costs ordinary people their livelihood.

    --

    "Information wants to be paid"
  21. Re:I like it. by muffen · · Score: 3, Informative

    The truth of it is this could be seen as a virus.

    You could not be more wrong. This is nothing like a virus. A virus is defined as a piece of code that replicates. Since this does not follow the definition, it is NOT a virus.

  22. Re:Scary by thing12 · · Score: 4, Informative
    The best any program can do is hide the passwords if they want to allow auto-login. It just can't be done any other way. You can get auto-login passwords for MSN, AOL, and ICQ all by going through the registry or configuration files. Trillian could encrypt the files, but then you need to enter a password when Trillian starts. Maybe that's a small price to pay for a little bit of added security, maybe it's not worth it to most people.

    I encrypt my Trillian directory and run it as a user that has the ability to read those files. And likewise I run all file sharing programs as a user that has no permissions at all except for their own directories. Windows 2000/XP aren't so bad :-) at least they give you a process model that's similar to *nix.

  23. Re:Scary by matrix29 · · Score: 3, Informative

    The skinny of the news is a file called BPBOH.DLL that comes with the MORPHEUS PREVIEW version and carries the nasty little bugger that is causing CONSTANT browser crashes right now on my system. LAVASOFT's AdAware has a program called REFUPDATE which includes the killer for this little spyware nasty. The downside is RefUpdate is SUPPOSED to be aware of BPboh.dll, but didn't find it on my system as per Lavasoft's mirror page. So search the BPBOH.DLL and delete the nasty crashing bugger.

    The nasty is made by a sleazy firm called Wurld Media, Inc. (They spelled it "Wurld" not "World")

    Here's a snippet of the bastard.
    rdxr020305.dat (which appears on my desktop)
    bpboh.dll (the offending file)
    bpboh2.dll (not on my system but in the hex dump)
    www.rdxrp.com
    www.maplehollow.com
    www.rdxrs.com
    www.inmotiongolf.com
    /rdxr020304.dat
    /bpboh.dll
    about:blank werule
    \winbpupd.exe
    www.sephora.com
    http://www.sephora.com
    (Who wants to boycott Sephora's "we'll make you look like a prostitute" makeup selection? I don't wear it, but who would?)
    http://www.sephora.com/help/about_sephora.jhtml?location=contact

    www.shop.barnesandnoble.com
    www.barnesandnoble.com
    http://www.barnesandnoble.com
    (Who wants to boycott Barnes&Nobles now for foisting crappy spyware on us? I sure do! By the way, MAKE CERTAIN you let them KNOW what we feel about spyware please.)
    http://www.barnesandnoble.com/help/customer_service/morehelp.asp?userid=199PI1EZ1Y

    Go to this nasty crapware website and share how you feel about their little spyware games please.
    http://www.wurldmedia.com/
    Their email address for contacting them is
    corpcom@wurldmedia.com

    Or use their snail mail address:
    WURLD Media, Inc.
    63 Putnam Street
    Saratoga, Springs, NY 12866
    Telephone: 1-518-691-1100
    Fax: 1-518-691-1180
    (Oh... let me think for a moment about what kinds of FAX pranks exist...)

    --
    "Face it, a nation that maintains a 72% approval rating on George W. Bush is a nation with a very loose grip on reality.
  24. Re:Lavasoft's AD-AWARE will Remove this thing for by FlacoFuerte · · Score: 2, Informative

    I have the newest version of lavasoft and it didn't detect it. Morpheus' little redirect fairy wreaked all kinds of havoc on my comp when I used norton firewall to restrict access of the website they send you to - www.inmotiongolf.com. Once I restricted it, XP froze completely and after rebooting, it would freeze every time once imapi.exe loaded. After a few hours of figuring out what the hell just happened, I reinstall my firewall, uninstall the superevil morpheus, delete c:\windows\bpboh.dll, c:\windows\rdxr020305.dat, and c:\windows\system32\rdxr020305.dat. System clean, no more spyware, no more crashes, and I hope whatever ad wizard decided to throw that little component into the new Morpheus drowns in a pool of his own vomit or better yet stops by my place so I can beat him about the head and neck with my keyboard.