Buddylinks Stinks

Omie TheNull writes "After recieving several messages over AIM with the content: "check this out... http://www.wgutv.com/osama_capture.php?HlvU", I went to the page and discovered that it is sponsored by a site called "BuddyLinks." Their website is at http://www.buddylinks.net and they claim that they are NOT a virus. However, when you visit their links and install their "player" it seems that you are also installing software that takes control of your AIM buddy list and sends advertisments to those on your buddy list. The advertisements are obviously designed to look like innocent messages from your buddies asking you to check out certain links. Very scummy, indeed."

just take look at the page.

[gl4ss]

it says there very clearly that "soon your instant messaging software will start sending your friends funny news messages like this".

tell your friend that he is an asshole if he uses this.

"3. Open the prize - your friends will love the prize they receive in their funny news message. it might be a game or a funny flash cartoon"

yeah i'd really love that.

4. no need to send any new messages when everybodys ignoring you.

Re:just take look at the page.

[jpsowin]

Looks like you took care of that by giving them a good slashdotting. Good work!

This Kind of Thing Keep Happening...

[GTRacer]

...Only because there are FAR too many people who just don't understand that there are people on the Internet with ulterior motives. I don't want to generalize, but I bet the kind of person easily swayed in this manner is also the telemarketer's best friend.

The more this type of "attack" keeps happening, the more I wonder if there shouldn't be a license or minimum firewall requirement to get on the 'Net.

Maybe we have to start teaching "Safe Surfing" along with Safe Sex in the teen years.

GTRacer
- speechless

Re:This Kind of Thing Keep Happening...

>>Maybe we have to start teaching "Safe Surfing" along with Safe Sex in the teen years.

Just abstain from surfing

Johnny "Come on, just touch it"
Jill "I don't know Johnny, I told my parents I'd wait until I was married"
Johnny "It won't hurt you, just give it a try"
Jill "Are they all this hard and small?"
Johnny "You mean you've never seen a mouse before!"

Re:This Kind of Thing Keep Happening...

[0x0d0a]

This has nothing to do with firewalls. All traffic is going through legitimate programs -- AIM/IE. As a matter of fact, firewalls can make these problems worse, since legitimate people try to tunnel more crap through things like IE requests to avoid having their program set of alarms, etc.

Personal firewalls are, frankly, the worst thing to hit the Net sinc AOL.

It *would* be interesting to sandbox programs that can use the Internet to some degree. This cannot be done on Windows anytime soon (thanks, IE), but could be considered on other platforms.

Re:This Kind of Thing Keep Happening...

[GTRacer]

Personal firewalls are, frankly, the worst thing to hit the Net...

I didn't mean personal software-based FW's. I know that Norton and ZoneAlarm can be tricked, bypassed, or even easily misused to give a false sense of security.

And I know that most of this stuff works by hijacking or piggybacking legitimate port use. I was meaning something along the lines of an agressive, separate piece of FW hardware that would limit port 80 traffic to HTTP under most circumstances, and restrict Active and JavaScript unless whitelisted (hopefully by a clueful person). It could also watch for excessive SMTP traffic (perhaps a TO: count threshold or messages/sec) and flag it or require user intervention.

Advances in FW tech have surely made such a thing possible. I doubt that the average home user needs much more than HTTP and SMTP, and certainly doesn't need inbound access! Well, P2P notwithstanding...

GTRacer
- Hey...where's a VC?

Re:This Kind of Thing Keep Happening...

[0x0d0a]

I'm dubious as to whether this sort of approach would block the buddylinks worm -- the usage is not that excessive or unusual.

If you have application-level analysis at your firewall, you're talking about more money and maintenance and issues that will crop up. And you want to maintain fairly loose bounds on "legitimate" activity, or else you get false positives for evil activity.

Advances in FW tech have surely made such a thing possible. I doubt that the average home user needs much more than HTTP and SMTP, and certainly doesn't need inbound access!

Ugh. I think we're going to have to remain at an impasse over this. I strongly oppose this point of view. I see people that put in port-blocking firewalls "just because" as being a significant issue in blocking the development of new software on the Internet. (The same goes for NAT and UDP issues -- there's a lot of software that works fine in the absence of NAT that NAT has shredded.

Oh, well.

AIM is ASS

[scumbucket]

Why in the world does anybody still use AIM? It's a bloated, closed-source POS. Those using it should expect to get spammed.

Give me Trillian any day.....

Re:AIM is ASS

[OutRigged]

Um yeah.. Trillian is also closed-source, and quite bloated.

Give me Miranda-IM any day....

Re:AIM is ASS

[Bugmaster]

I use Trillian, and it works fine for me. Which part of it is bloated ? In fact, IMO it doesn't have enough features -- I want full-HTML logging and better file transfer support. Still, the features that are there are good enough for me, and it certainly beats trying to get GAIM to work on Windows.

Vey Scummy Indeed

[orthogonal]

However, when you visit their links and install their "player" it seems that you are also installing software that takes control of your AIM buddy list and sends advertisments to those on your buddy list. The advertisements are obviously designed to look like innocent messages from your buddies asking you to check out certain links. Very scummy, indeed.

What's worse, in an effort to drive traffic to their site, their software hijacks your Slashdot login, forges complaints about their software, and submits those complaints to Slashdot as articles and comments.

You can distinguish their forged posts because invariably the last three words of any forged post are "Very scummy, indeed".

Very scummy, indeed.

Re:Vey Scummy Indeed

[torpor]

godamn it, now that virus has infected my sid and is now getting me to post a follow up to your thread ...

Very scummy, very scummy indeed.

Privacy Policy?

[the+Man+in+Black]

My favorite part of this claptrap. To wit: No, our software doesn't PERSONALLY sell your information and the information of everyone on your buddy list. We're merely a conduit for third-parties to do so, and to give us bags of cash for facilitating it. Do you like my hat? It's made of MONEY.

Funny, I was messing with that last night...

[Hollinger]

Here's a copy of what the messages look like:
InfectedUser (12:30:45 AM): check this out... http://www.wgutv.com/osama_capture.php?hAsH
I'm wondering what that little hash code on the end is...

I haven't personally installed that crud, but I'm wondering if SpyBot (google for it) detects it. I clicked around the site, and, to be honest, it looks like they're setting themselves up for a huge "p2p" (I hate buzzwords) marketing push. I'm going to guess that this "jokes and pranks" business will come to an end when they have a sufficent install base, after which they'll start pushing the next new wave of spam for Viagra, Mortgages, Porn, or *checks his SpamNet folder* Internet gambling on you.

Here's a snippet from the license agreement with my emphasis:
Services; Modifications to Your Instant Messaging Client. The Software provides you the opportunity to access Content for no charge. In return for the right to access this Content, you acknowledge and agree that the Software contains additional software products provided to PSD Tools by its suppliers which will periodically deliver additional Content such as, but not limited to, advertisements and promotional messages to your Computer and programs that may alter your home page to offer you Content. In addition, the Software will interoperate with your current instant messaging client so as to permit the automatic sending of advertising messages originating from your Computer to your contact or "buddy" list regarding Content offered by PSD Tools or its suppliers. If you desire to stop this activity, you may elect to stop the messages by navigating to the "buddylinks.net" entry in your "Start Menu", selecting the "buddylinks.net Configuration" item, and unchecking the appropriate option. You may also refer to PSD Tools' website at http://www.psdtools.com for an uninstaller. (http://www.buddylinks.net/terms.html)

Re:Funny, I was messing with that last night...

[Hollinger]

Got a little click-happy with the submit button...

You also agree to: (from the same URL as the parent post)
Updates to Software. The Software includes an automatic update feature to ensure that you have the most recently released version. You acknowledge and agree that PSD Tools or third parties designated by PSD Tools may from time to time provide automatic programming fixes, updates and upgrades to the Software (collectively, the "Updates"). Updates may include installation of third party applications, through automatic electronic dissemination and other means. You consent to such Updates and agree that the terms and conditions of this Agreement will apply to all such Updates. If you should elect not to have your software updated at any future time, PSD Tools shall not be responsible for any incompatibilities that may arise on your system and Computer.

Oh, and I forgot to mention that the uninstaller is available at http://www.buddylinks.net/uninstaller.exe.

Good day!
Mike

Re:Funny, I was messing with that last night...

[cyberepgnuin]

Spybot doesn't pick this up... yet.

Re:Funny, I was messing with that last night...

[candl]

Yeah, if you're on Windows and you catch it, "Buddylinks Messaging Integration" can be removed via add/remove. Don't know if that's better or worse than the uninstaller. However I'd recommend also going into the registry to check for/remove references to "trickler" and Gator.com. I found them as well on the pc I was working on. Could be coincidental but FYI, YMMV, RTFM, RDA (random disclaimer acronym) etc...

Re:Funny, I was messing with that last night...

[nomel]

great...now spammers are gunna get ahold of these and install their own software. Hope they use decent authentication or something.

Be careful out there

[Rick+the+Red]

The way to avoid worms, viruses, etc. is to apply some common sense and be careful. For example, never open email attachments when you don't know who sent them.

Another example, which applies here, is to avoid certain software. The "A" in "AIM" stands for AOL; therefore, I've never installed AIM and thus I avoid this latest marketing ploy.

Similarly, the "Windows" in "Windows Messenger" stands for Microsoft Windows, so I disabled it. Yes, I run Windows (because I can't avoid it for a variety of reasons), but I only run it behind an OpenBSD firewall, and I also run ZoneAlarm and Norton Anti-Virus. As Gene Simmons says, if it's raining wear a raincoat.

Mod this "flamebait" if you must, but you know I'm right.

Re:Be careful out there

[Cuthalion]

I've installed an AIM client, but I don't tend to make friends with abject morons, so I have avoided this latest marketing ploy.

Re:Be careful out there

[Bugmaster]

How is this AOL's fault ? It seems that buddylinks is just exploiting their client (or some Windows vulnerability) to send viruses to people. I don't blame McDonalds for making me fat, and I don't blame AOL for making me install other people's backdoors.

Note that it doesn't matter how evil McDonalds or AOL are; some things just aren't their fault. They're the user's fault.

Re:Be careful out there

[Mistshadow2k4]

This is just the same stuff they tell Windows-users everyday and it's not quite correct.

Actually, that "never open email attachments from someone you don't know" is a myth to a great extent. If you're in someone's address book, possibly your best friend, and they get a worm, you'll be on it's hit list.

No, the way to avoid worms and virii is to not use Windows with the ineternet. Believe me, I used Windows for 2 years, and no matter how careful I was, it had a virus or worm almost once every month, not to mention spyware every week. Now I don't let my Windows partition online at all. Love or hate Linux, it's worth the extra effort just for that.

Huh..?

[KDan]

What, and you're surprised? That's expected of that type of scum. Hardly worth mentioning on Slashdot... there are probably a hundred other companies doing the same scummy thing all over the net. This one's not any more or less worthy of notice.

Daniel

Re:Huh..?

[FooAtWFU]

But this particular one is spreading rather quickly. Heck, I got a link for one of those earlier, and was thinking it was a virus.

Re:Huh..?

[holizz]

Like Windows? What I want to know is where I find 'Windows' in the Add/Remove Programs dialog. No wonder people call it a monopoly, you can't uninstall it!

Not a virus?

[dtfinch]

That'll be up to the law to decide I guess.

It makes everyone look bad...

[no+longer+myself]

Even though it is obvious what they are from their front page, they look bad for spamming your friends, you look bad for trusting obvious slime, and your friends look bad for including you on their list.

It's one big disfunctional love-triangle.

Re:It makes everyone look bad...

[Laplace]

Is that a MMF triangle, or a MFF triangle?

Re:It makes everyone look bad...

[Clockwurk]

In your case, it's probably MMM.

Re:It makes everyone look bad...

[Laplace]

Homophobe.

why is this YRO?

This isn't actually violating anybody's rights, is it? Let's keep things in perspective. It isn't anything like this.

Why the hell

[OptimoosePrime]

is this on here? So what?! People who don't know any better have been clicking "Yes" to install stuff they don't know anything about for years. Maybe you've heard of Gator. Its adware/spyware and I don't see how its newsworthy or relevant.

Ha!

[OptimoosePrime]

Looks like we've shown them how "buddylinks" really work by having their /. "buddies" slashrape their server.

Don't go near that site!!

[monkeyserver.com]

Some one at work clicked one of those links (it throws a link in your profile) and her machine was infected. It altered her ie's homepage, and it made it constantly write the page it was viewing to some temp dir. It also installed about 5 other progs. We tried to remove it, first with windows... no good it reinstalled itself,. Then we tried the uninstaller, well that got some of it, but there were still a good few side affects.

MY DEAR LORD!! stay away from these sleezballs, they make bonzia buddy look like a good idea. If anyone is deserving of a serious slashdotting it is them.

Re:Don't go near that site!!

[spikedvodka]

If anyone is deserving of a serious slashdotting it is them.

well, a few things:
a) I'm sure that they expect to get a good psudo-slashdotting (not from slashdot, but from the virus/worm/etc)

b) It'll just push the number of hits they get up higher, making it seem like they are being more successful that they really are which will make them do this kind of thing more often

and c) when does anyone deserve a good slashdotting?

It's NOT a virus.

[Matchstick]

It's a trojan!

Re:It's NOT a virus.

[holizz]

It's probably not legally (IANAL, thank god) classed as a trojan because it tells you exactly what it does before you install it. I don't think 'I didn't RTFEULA' would stand up in court.

Re:It's NOT a virus.

[Guano_Jim]

These are also Trojans, posted for the benefit of some members of the Slashdot community who might never have seen one before.

I've heard

[TheOnlyCoolTim]

The phone number on the WHOIS for wgutv.com will connect you to the guy who wrote the virus... Use this for good, not for evil.

Tim

Re:I've heard

[0x0d0a]

Unlikely. The whois information for wgutv.com refers to a register.com administrator...unless this was intended to be a joke and just went over my head. :-(

Re:I've heard

[TheOnlyCoolTim]

It didn't used to. It used to have the info of some guy in Boston.

Tim

Re:I've heard

[PaintyThePirate]

I plugged the phone number listed into Google a few days ago. Turns out that it goes to Brueger's Bagel's of Cambridge, Massachutsetts... Apparently this is some kind of evil scheme to make us buy bagels.

Oh my god!

[jarran]

You mean, you downloaded a program being advertised by spam and it was crap?! My god, d'ya reckon it's a one off or should I cancel my penis enlarger and v1agra?

Got it without clicking through

[gc8005]

I got the message from a friend last night thru AIM on my laptop at work. I never got any sort of IE message about installing software - nothing, nil, notta. Looked like a dead link. Now, today, on a totally separate computer, I'm sending AIM messages to everyone in my list. I have NO IDEA how (1) it was installed on my laptop without the pop-up message / approval and (2) how it made it to my home machine (thru AIM?). Also note, contrary to other posts, that this is not removed by using control panel add/remove - it leaves shit all over the machine.

Re:Got it without clicking through

If it's sending out when it can't be running, they must be harvesting the IM names and sending from a central place. Which makes sense since they *claim* to allow an 'unsubscribe' feature.

Figuring out where the messages are coming from would be very useful.

Re:Got it without clicking through

This is what windows restore points are for. I get a ton of people asking me how to remove all of these things and I kept getting fed up with them screwing up running adaware, spybot, etc. So, you can disable it by just going to a restore point that was amde a day or so ago. Just turns the thing inactive, which is enough for most people.

Re:Got it without clicking through

[Jmstuckman]

One of my friends got it, and according to them, they were never presented with a yes/no box. However, I was presented with a yes/no box when I clicked the link. I was up-to-date on my IE patches but my friend was not. Was your machine up-to-date on IE patches? It's possible the the virus spreads through an IE hole as well.

Re:Got it without clicking through

[emilymildew]

If you don't have security settings on IE set properly, it might not question the install.

That is, you wouldn't HAVE to get the message for it to have installed.

Bizarre that it's on another computer, though.

not a virus

[Polo]

technically, would it be a worm? ;)

Don't infect the scum!

..and you had to post the same scummy links on Slashdot. Perhaps 40% of the thousands of viewers will click the links just to see if they hold any information.

How much they're paying you per visits? Was it _you_ that authored the scummy-links?

Blocked?

[fulldecent]

Are all these sites down, or is my university blocking them on the router level?

Chew on their database

[0x0d0a]

You can stress-test their system by running the following script:

cat /usr/share/dict/words| perl -pe 'system("curl http://www.buddylinks.net/support.php?sn=$_");' >/dev/null

This will start removing everyone in their database, and will also eat cycles on their system.

If you're a clever perlmaster...

[0x0d0a]

...if you're a clever perlmaster, and can come up with a short way to synthesize usernames other than just using the entries in the system wordlist, feel free to post it.

perl?

[DrSkwid]

why not use a decent shell like rc ?

for (w in `{cat /usr/share/dict/words})
curl 'http://www.buddylinks.net/support.php?sn=' ^$w > /dev/null

Re:perl?

[0x0d0a]

Because bash/zsh are everywhere, and rc is as scarce as hen's teeth -- and I have to use other systems than my own.

It's just as easy in sh:

for w in `cat /usr/share/dict/words`; do curl http://www.buddylinks.net/support.php?sn=$w >/dev/null; done

Re:perl?

[0x0d0a]

Also, I went through a ton of shells back in the day to find one to settle on -- doesn't rc lack job control? I consider that a pretty mandatory feature...

Re:perl?

[DrSkwid]

Because bash/zsh are everywhere

That's odd, perhaps you mean 'Because bash/zsh are in GNUserland'

'cause they sure as shit aint in *BSD or Unix by default or plan9 by design

So is it rare as in 'you can download bash, zsh and rc if you want and use them'?

Thanks for the sh example, I knew it would be in other shells but when perl is your hammer you'd better watch your fingers ;)

PLZ FWD!! Your friends will love you for this.

[Channard]

"3. Open the prize - your friends will love the prize they receive in their funny news message. it might be a game or a funny flash cartoon"

So basically Buddylinks is doing what real people have been doing for ages. Specifically, an aquaintance or friend decides to add your email to their address book, and forwards every piece of crap - virus hoaxes/jokes etc to everyone in their book. Yes, why, thank you vague aquaintance - I really did enjoy that list of hugely stupid jokes you sent me. The repeated quote arrows really made it work. At least with Buddylinks you have to actually install it...

Buddylinks == clickspring

[0x0d0a]

Let's take a brief look at these folks:

$ host buddylinks.net
buddylinks.net has address 63.251.131.235
$ whois 63.251.131.235
[Querying whois.arin.net]
[whois.arin.net]
Internap Network Services NETBLK-PNAP-11-99 (NET-63-251-0-0-1)
63.251.0.0 - 63.251.255.255
ClickSpring LLC INAP-BSN-CLICKSPRING-0041 (NET-63-251-131-232-1)
63.251.131.232 - 63.251.131.239

# ARIN WHOIS database, last updated 2004-02-11 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

Googling for clickspring llc turns up a number of hits. Apparently, ClickSpring has been in the business of writing advertising worms and trojans commercially for some time now. They are responsible for PurityScan as well as some other nasties out there.

Normally I wouldn't care -- another Windows virus -- but now I'm getting masses of useless messages from infected friends.

Obviously, nobody has bothered to charge ClickSpring with computer crime charges, which is quite frusterating.

Link

[Shadowkat]

http://www.cnn.com/2004/TECH/internet/02/11/instan tmessenger.ad.ap/index.html Looks like even the AV companies might be blocking it soon. -Shadowkat

First Red Flag

[Stephen+Samuel]

Anybody who has to make it clear that, whatever they are, they're not a virus, is somebody that I'm gonna be very worried about installing their software.

Some of us just like the minimalism

All of what you want more of I wouldn't be able to stand. This is why I stopped using Trillian earlier this year.

I prefer Miranda IM for AIM. As of right now it only connects via TOC, but I don't need the added features of OSCAR AIM. Being able to send and receive messages is most important to me.

To me Trillian is a little too big for what it does, and does too much more than it needs to initially. But that's just my opinion.