Slashdot Mirror
Morpheus Hijacks Browsers For Affiliate Links
An anonymous reader submits: "According to this news.com article, morpheus (aka streamcast) has begun silently installing a browser plugin on its users' machines that basically hijacks the web browser even when not running Morpheus. An afflicted browser will sense if a user is going to visit a shopping site like Yahoo! or Amazon, and secretly send them to a different site instead and then redirect them from this site to the user's intended destination. The user will not be aware that this is happening... however the site doing the redirecting will benefit because they are set up as an affiliate partner and will get a commission on the backs of the user. On a horrible scale of 1 - 10 for sleazy business practices, I rate this a 9.
Comments?"
Trillian password files perhaps?
perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
here's arstechnica's forum about it:p c&s=50009562&f=174096756&m=9220974704
http://arstechnica.infopop.net/OpenTopic/page?a=t
So this is based on zero knowledge, but I would guess that that violates the terms of referership (is that a word), considering that fact that that "partner" did not actually refer you to the site.
/.
I think a list should be compiled and reported, I would guess that places like yahoo and amazon could file criminal, if not at least civil, suits against such cheaters. It wouldn't surprise me if they did too, just to make a point, and to try not to jade users to the system....
any thoughts? that's a dumb question this is
http://monkeyserver.com --- weeeeee
Now that Morpheus is just a hacked-up (or down ;-) version of Gnucleus, there's really no point in using it anyway. I don't see what it provides that Gnucleus doesn't, other than annoyance.
Don't blame me, I get all my opinions from my Ouija board.
Business 101 - try really , really hard to piss off your customers
I'll think of a funny sig later on
The truth of it is this could be seen as a virus. It is just a profitable one. They will get smacked on this one as soon as it comes out in the light of day.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
Man-in-the-middle attack is the only phrase that flash across my mind... I have no way to check the identity of the "referer".
You can call me a paranoid. Each time when I need to buy stuff online using credit card. I will reboot to a cleaner "environment" -- a clean copy of OpenBSD or something similar. God knows who the hell the various windows plugins are doing..
An afflicted browser will sense if a user is going to visit a shopping site like Yahoo! or Amazon, and secretly send them to a different site instead and then redirect them from this site to the user's intended destination.
The final destination is more or less the same. The difference is the intermediary. Morpheus isn't stopping me from going to Amazon by instead redirecting me to Borders.com...They're just stealing referral dollars.
Honestly, though...I wonder how long it'll be before these online vendors lock out Morpheus' referral IDs, or even worse, deny the connections altogether (since the most recent source IP will be Morpheus' proxy, not your own).
And I assume that if there's a pre-existing Referral ID, Morpheus will strip it out and replace it with its own. Doesn't this constitute actual monetary theft?
"Mod, mod, mod...and another troll bites the dust."
But I keep getting redirected to ZDnet somehow!
[PowerPoint] is a tool for capitalist presentation
This belongs to a new breed of nusiance known as scumware. Check out http://www.scumware.com for more info.
Morpheus is totally fucked.
Thanks,
--
Matt
Honestly, I had the idea for this a while ago while talking with a friend. I've been waiting for someone else to implement it. Its not that much different than those sites that collect and list internet deals, in the hopes that you'll follow their links and they'll get the referer fee, Like this one.
While I personally see this as a bad thing, since they do it behind the users back, I would probably have no objection to installing something similar for slashdot. I don't exactly feel the need to subscribe, but I would have no objection to them collecting a referrer fee off of my internet purchases.
This isn't that bad really for the user, Yahoo and Amazon will give a commision to somebody anyways. What really annoys me is that this hurts all the other websites in the world. If I give a legitimate referal from my site to Amazon, then I should get the commision, not Morpheus. If this becomes common practice, then it will effectively kill the way that business is done on the web, and in the process take out a ton of small websites that are struggling to stay alive out there.
Under "Tools" -> "Internet Options" -> "Advanced" deselect "Enable third party browser extensions" and reboot. Even if the .dll responsible for the redirection, bpboh.dll, is installed, it won't be able to run.
From what I can see on their website ..
If I were Amazon, why would I pay 10-15% margin to someone who has not really promoted the product, but has hijacked the links?
They also probably violate this portion of the operating agreement.
These folks really must think that they own the user once the user buys their product, becuase even a "respectable" company like Intuit doesn't seem to have any problem with monkeying around with the private parts of the user's computer for their own purposes. Certainly those icons are paid placements.
Bruce
Bruce Perens.
A 10 is when it takes control of your computer, prints out ads, and has your AIBO tape them up all over your house. It paints your walls with company logos, tapes over your Star Trek tapes with infomercials, fills up your TiVO with the same, and replaces all your vinyls with Britney Spears CDs. It will kick your puppy and attack your kittens. It converts your children to Scientology and steals your beer.
If I were a user of Morpheus I'd be looking at filing charges for cracking my computer and using it for unauthorized activities. Companies conducting business like this need to be naild HARD. Teach them a lesson and make an example of them.
And what about the programmers who wrote this 'feature'? Who are they? I wouldn't be opposed to blacklisting them, or at least smearing their names across the headlines. This is sleazy and unethical and shouldn't be tolerated by the rest of us 'respectible' programmers.
Brian
Remember Lexington Green!
Okay, so where are you expecting company/corportation based P2P software to make their money? They have to make something somewhere to continue to operate.
The thing is, I'm not expecting the c/cp based P2P software manufacturers to gain revenue.
Typically, when a product or service is available for free, and another one is put on the market at a non-zero cost, unless there's some type of luxury association attached to the product or service that's non-free, people are going to go with the free choice.
Now, we have these 3 companies, all of which make their software available for "free".
Their only source of revenue is the companies who want them to attach their bits of software to the application. How could they ever hope to make money elsewhere? Nobody would buy the product if it's available on the market. Likewise, who would subscribe to it, if a free alternative is available? Really, their only other option is to develop some type of value-added service to make consumers choose their platform over the free ones.
What could they possibly include as a value-added service? I can't think of anything.
And at the same time, the people who get pissed off with these companies go off, and create something like Kazaa Lite, and undermines your entire company's lifeline.
If software which does this sort of sleezy tactic put as a clear, easily obvious disclaimer "You are indirectly paying for this by allowing us free reign over your PC", then I'd wager that about 5 people on the planet Earth would actually install it. Instead, however, companies that do this sort of tactic either sneak it in entirely unintended, or they hide the details 40,000 words deep into a EULA which they know that no one reads, all the while promoting their "free" software. Why stop at redirecting the browser though? I mean surely there's some worthwhile nuggets of information on that harddrive somewhere that could be sold to the highest bidder. All's fair in the land of free software, right? (Why say just free though? Using this "anything goes" justification, anyone who believes that they are providing a more valuable service than they are charging can go nuts)
.NET Framework supposedly offers this but I wouldn't trust it until its evaluated and proven) or a legal solution. It's obvious that a "Dirtier-than-thou" cat fight is taking place with every sleezy vendor out slimeballing the next.
This sort of activity is atrocious, and I don't see how these people aren't facing the same punishment as the Kevin Mitnicks and Melissa virus writers are. Without any doubt there is a serious need for either a technical solution (one could say that it exists by way of Java : Sandbox every application to ensure it has no rights outside of its little world. The
...Business 101 - try really , really hard to piss ON your customers!
You're using her as bait, Master!
I should get some mod points for that subject :-)
Seriously though, the article says it can only affect IE. This makes sense, given that it's easier to do sneaky things in the registy and elsewhere which, while invisible to the user, will cause drastically different behavior in parts of the operating system, like IE.
Aren't you glad you use Netscape? Don't you wish everyone else did?
(apologies to the old Dial ads)
There is no sig, there is only Zuul.
While visiting astalavista to, um, get a serial number that I'd previously lost from a program I'd bought, I followed a link to a site http://www.cracks.am. When I clicked on the link to download the serial, a dialog popped up asking for my permission to install a program from C2 Media, and certifying that the program had a certificate from Verisign.
Stupidly, I clicked yes, and promptly regretted it. A whole day of browser abuse followed.
* My desktop got taken over by an 'affiliates' homepage
* My desktop got swarmed with icons for adult and gambling sites
* If a site took a long time to load, or got a 404, my browser would end up at the portal http://www.lop.com, part of the 'affiliates' network.
The program didn't leave a listing in the add/remove window. It wasn't in c:\program files.
It had buried itself deep into my windows folder.
Instinctively I searched my disks and registry for lop.com and removed all references. No cure. My browser still kept going to lop.com.
My only cure was radical action. I ran Win2k in a VMware box with disks set to non-persistent. Immediately before saying 'yes' to the installation, I ran the 'InCtrl' install tracker program. Thank God for InCrtrl - after the install was done, I had a list of all files added by this nasty piece of scumware, and had the utmost pleasure in removing it once and for all.
-- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
Installing Bearshare also installs two secret spyware apps. One of them does a similar redirection, but is especially evil because it bypasses firewalls like ZoneAlarm. More information about this at cexx.org/newnet.htm and lots of related stuff at the root cexx.org
First, they took an open source app, Gnucleus, and repackaged it as their own, adding nothing while actually degrading the software by adding popup ads.
Second, they started banning from their chat room anyone who mentioned this fact and posted the url to Gnucleus.
Now, they're installing scumware in order to control your browser for their own profit even while you're not using Morpheus.
Anyone left who still wants to argue with me about whether or not Music City is a company of degenerate sleazebags? Anyone who still disagrees with me that the proper course of action is to delete Morpheus and install Gnucleus immediately? (at least until something better comes along).
This is like spammers embedding banner images in their spam and getting paid every time someone opens the email just because the banner was loaded. It's just running the meter and the entity being screwed is the website that is paying them a referral fee.
The article, in one part, reads: "Griffin said the technology is simply taking the old affiliate referral program to a new level. Most of the referrals will happen inside the Morpheus application itself after the new version is launched with a commerce section, he said."
Yeah, right. Most of the referrals will clearly be a result of their sneaky browser add-ons, not because anyone really pays attention to the commerce section of a P2P client. Heck, P2P users generally get as much as they can for FREE--not exactly the target market of much of anyone.
After reading this article (and noticing redirects being performed on my system - i thought it was something else, not morpheus) I downloaded this utility: BHO Cop which is designed to search out these nasty browser-attached proggies and allow the user to disable them. I found the culprit: bpboh.dll put out by Wurld Media, who, according to their inadequite website, claim the primary goal of their business is to help companies be profitable (very ambiguous, don't you think?).
.dll w/ BHO Cop, relogged in (WinXP) and low and behold, when I go to amazon.com, I end up at the root page rather than a referal page deep in the system.
Well, I disabled the
So - download and run BHO Cop now! who knows what else you might find (Acrobat seems to have dumped something as well)
I'm out of my mind right now, but feel free to leave a message.....
goto http://www.Lavasoft.com and download ad-aware and the latest ref update and have it remove all your spyware from your computer..
Limewire is good. But don't download its Windows installer- that has spyware in it! Instead: install a JVM on your computer, then go to Limewire's page for alternate OS downloads, select "other" as your operating system, and run it using the JVM, without all the crap they bundle in. Most spyware is Windows-specific.
Yeah, it's a shame that P2P only became popular recently, in the age of the MP3. If it had been invented 10-20 years earlier, with RFCs, and had the stature of, say, FTP, people would be thinking of it as a fundamental part of the Internet. Instead we have this horrible situation, where anyone who uses a P2P client is presumed to be a freeloader or a criminal. P2P deserves better than a bunch of spyware-loaded clients that block each other's users from their own networks.
I have sent the following message to Robin Gross of EFF.
Dear Ms. Gross
I am writing to express my concern that my attempts to financially support EFF have been stolen by Morpheus and similar companies. I have long been careful to use the Amazon Affiliate Button on your front page for all of my book purchases. I have felt that doing this combined to support what I believe in simply and effectively. Since my purchases have been well over $1000 per year for at least the last two years, I know that it has to have been worth at least some money to EFF.
It has recently become apparent that Morpheus et al. have been placing software such as TopText and other scumware on users machines. These programs have the sole purpose of rewriting affiliate links. This effectively redirects the financial benefits of these links to the scumware operators. To put it bluntly, this is theft, no different than if they had taken the affiliate checks and written their own names as payee.
I have supported the EFF for years. I supported Morpheus partly because of EFF's support of them. But I am frankly disgusted by this turn of events. As the Director of the Campaign for Audiovisual Free Expression, and a staff attorney for EFF for Fair Use and Intellectual Property, I believe that you may well be the single best person to let them know they have gone too far. To take a principled stand on Fair Use is one thing. To pump ads to users while using the software is also perfectly legit. To actively steal revenue from other people, companies and organizations, even after the user has supposedly removed the software, without notice is simply beyond comprehension.
Sincerely
Walter Williams
The article said that StreamCast will:
1. Redirect users to another site to collect usage statistics before sending them to the site they wanted to go to. This might be seen as invading people's privacy, but no personal data will be collected, merely usage statistics.
2. Put up a shopping section in Morpheus. That sounds perfectly legitimate to me.
3. Put referrals to online stores inside the browser window in some unspecified manner.
Please note that 1) and 3) are two separate points. They won't redirect you to another site when you're trying to go to Amazon.com, and then claim the referral bonus. The redirection is only for collecting usage statistics.
And the referrals inside the browser window have nothing to do with the redirection.
There's nothing in the article saying that StreamCast will hijack other people's referrals.
There's nothing in the article saying that StreamCast will pretend to refer people to sites (like Amazon.com) when they go there themselves.
www.ebay.com
links to http://www.qksrv.net/image-280514-220264, which has an instant redirect to pages.ebay.com. I played with this in netscape 6.2 and lynx, and they still directly put me towards www.ebay.com. There is definitely redirection occurring here.
www.amazon.com
links to http://www.amazon.com/exec/obidos/subst/home/home. html/104-9801158-34639, while netscape and lynx go similar (but not the same) page in the same sub-directory tree. I'm not sure if there's a url redirect occurring here.
www.barnesandnoble.com
In IE, goes to http://service.bfast.com/bfast/serve?bfmid=2181&so urceid=21425507&categoryid=rn_home, then redirects towards a barnesandnoble.com redirected address. Netscape and lynx still go straight the low level barnesandnoble.com address. There is also definite, blatant redirection occurring here.
So, there you have it- out of just three simple checks, Morpheus went and screwed with two of them. I'm getting this crap off my machine and installing a better gnutella client.
Exactly. Why the hell are people using it anyways? Go here to download the spyware free and opensource version.
Didn't Morpheus' just recently (as in last month) contain a prominent "no spyware" logo?
That sure didn't last long.
To hell with the idiots downloading porn or warez.
This affects website owners. Many small websites make ends meet by their affiliate links. This will steal that money away. This is one of the few way small webmasters can make money - short of begging.
And aren't we all sick of the virtual begging cup by now? Don't let the last legit way for sites to make money be destroyed. Sites that don't have traffic for banner ads sales, need these sales. They need this income. If this takes off, it will wipe out small sites everywhere.
As an example, look at http://www.gonegold.com
Informative helpful website. IGN pays them squat. But they do make money on their affiliate gaming links. Take them away and who will pay the site's bandwidth? That is the real issue, that is the real fight. And for some smaller sites, this really is a fight for their survival.
By the way- what is the implications that the only thing you have to agree with when installing morpheus is the gnu license. their is no mention of this spyware(even though it is installed).
Chet
...that comes up all the time, particularly with reguard to virii and warez. If you can't trust the software - don't install it. When you run any .exe in Windows, you accept that you do not know that it is going to do - at all! It may format your hard-drives, and mail all your porn to your mother.
/usr/local for others, so I never need to log in as anything but that unpriviledged user.
So, if you don't want all the crap, don't use software you can't trust. How do you know if you can trust it? Well, you could audit the source code and compile it yourself. You could write the software yourself. Or you could get the software maker to sign into a legally binding contract which says that their software will not do anything but its primary intended use (for Morpheus, this would be stealing music), and that they must disclose everything that it's going to do to your computer. Fat chance of that.
What do I do? I run Linux. I only login as a unpriviledged user (I have access to my home directory, that's all.) All the software I install I only install into my home directory (again, as the unpriviledge user.) I'm the sole user of my machine - I don't need to be putting it in
The security then isn't perfect, but strangely enough, most open source projects don't include spyware/scumware of any sort. So I don't worry about it.
Running any priviledged executable is the ultimate shrinkwrap EULA, saying, "I give you permission to do what ever you want to my computer." We'd all be a little better off if people were more paranoid about their computer - but if they don't mind untrusted software messing around, who am I to stop them? Maybe we'll get lucky, and the next version of Morpheus or Kazaa will automagically lock out any user that downloads it. That would provide a nice lesson. Would it be a virus? Well, you chose to download it and run it yourself. So, I say no.
What do you think?
Jake
Dating: while( 1 ){ call_girl(); get_rejected(); drink_40(); } return 0;
I'm a sysadmin in a large call centre which used to tolerate a certain amount of personal use of it's computers. One of the main helpdesk requests to the IS department had was for ghosting's of computers which had been so f**cked up by various bits of spyware. The worst offender by far was Save Now, getting it to uninstall was a pain and even when you did think it was gone, it would reappear sooner or later. We firewalled the Save Now website and any addresses the app connected to to and rather than die after 2-3 attempts the plugin would thrash the firewall contiuously trying to make a connection. We also came across a particular nasty spyware app which had no visible front end but would randomly redirect you to a porn site, thankfully we had Super Scout installed which blocked 99% of porn sites. However this didn't help the poor employee who unknowingly had this crap on his PC as he though he was going to be sacked for looking at porn (we have always had a very, very tough line on porn).
Most of the spyware on the computers was not intentionally installed which is what made it worse. The last straw for us was when we discoverd a Win98, 1ghz Pentium with 256mb RAM and a fast hard drive taking 15 minutes to start as it was loaded with so much spyware/plugins/rubbish and they all wanted to start simultaneously, running a packet sniffer on that particular machine showed that spyware was using over half the bandwidth available. We locked down the network after that barring access to anything known to inolve file sharing, plugins, spyware etc. However there is an interesting side note, we had a retained lawyer with IT specialisms, aparently the UK Computer Misuse Act makes it illegal to alter the contents of a computer without getting the users authority, which was interesting.
It's bad enought these spyware app's stealing money from deserving small websites and let's face it users as well. You just need to see the damage they can do to networks and computers as well, I can see a lot of sysadmins becomming very angry if these sort of applications get more sneaky and nasty in the way the operate.
I have played with a couple of them.
Limewire has spyware/adware hardwired into the program, at least in the Windows version. Re-apearing Reqistry keys shows this.
Seems to be possible to run BearShare without all the snooping. But 3rd party crap is included and you must be careful not to get it installed..
A bit offtopic but still on the subject of spy/adware.
Now even my Logitech comes with a lot of crap that when you try to install their drivers, you have to read carefully right to the end what the diaglog boxes says and even after avoiding all their "helpful" programs there seems to be one or two programs running in the background that you can remove without it having any impact on the functions of the mouse like the webwheel etc. witch by the way will have a date with my packet sniffer one day, I'd be surpriced if they didn't do some monitoring.
That Logitech was really too much, they REALLY tried to shove a lot of junk down your throat. Which made med loose the last ounce of respect for the company. I am a user who knows what to look out for, but I'll bet that 99% of the mouse buyers just answers yes to it all.
A web browser or an ftp client allow you to steal music and porn. Blank paper and a pen allows you to steal sheet music, books etc.
There is nothing illegal or wrong about p2p software, it's just another way of transferring information.
graspee
Documentation on Browser Helper Objects (BHOs) at MSDN.
S
Well, maybe that's because they effectively do own the user? Operating systems are still designed around the idea that any application has all priviledges the user running it has. This is a good idea if you have small tools -- e.g., cat may read all the files that I have read permission on. When you have larger applications, like a complete office suite, this solution is somewhat less good. Once the user installs software from the internet, this design is a fundamentally flawed one.
Users expect that e.g. on a UNIX system, cat will only read files, and therefore it is a perfect idea to let cat read all files that the user has read permission on. The user's perception will be "I may read this file," when technically it is actually "software I run may read this file."
As soon as the user installs software that does things they don't expect, because the software doesn't advertise all of its functionality, this model breaks. Most users won't even find out, and if they did, they'd probably ask "why is Morpheus allowed to do this?" The user will no longer have the perception that he is doing things, and will have to realize that actually it is the software doing things. The operating system however is still designed around the idea that everything the sofware does was intended by the user. (No, I don't have an idea for a better design.)
Sig (appended to the end of comments I post, 54 chars)