Buddylinks Stinks

Omie TheNull writes "After recieving several messages over AIM with the content: "check this out... http://www.wgutv.com/osama_capture.php?HlvU", I went to the page and discovered that it is sponsored by a site called "BuddyLinks." Their website is at http://www.buddylinks.net and they claim that they are NOT a virus. However, when you visit their links and install their "player" it seems that you are also installing software that takes control of your AIM buddy list and sends advertisments to those on your buddy list. The advertisements are obviously designed to look like innocent messages from your buddies asking you to check out certain links. Very scummy, indeed."

just take look at the page.

[gl4ss]

it says there very clearly that "soon your instant messaging software will start sending your friends funny news messages like this".

tell your friend that he is an asshole if he uses this.

"3. Open the prize - your friends will love the prize they receive in their funny news message. it might be a game or a funny flash cartoon"

yeah i'd really love that.

4. no need to send any new messages when everybodys ignoring you.

This Kind of Thing Keep Happening...

[GTRacer]

...Only because there are FAR too many people who just don't understand that there are people on the Internet with ulterior motives. I don't want to generalize, but I bet the kind of person easily swayed in this manner is also the telemarketer's best friend.

The more this type of "attack" keeps happening, the more I wonder if there shouldn't be a license or minimum firewall requirement to get on the 'Net.

Maybe we have to start teaching "Safe Surfing" along with Safe Sex in the teen years.

GTRacer
- speechless

Vey Scummy Indeed

[orthogonal]

However, when you visit their links and install their "player" it seems that you are also installing software that takes control of your AIM buddy list and sends advertisments to those on your buddy list. The advertisements are obviously designed to look like innocent messages from your buddies asking you to check out certain links. Very scummy, indeed.

What's worse, in an effort to drive traffic to their site, their software hijacks your Slashdot login, forges complaints about their software, and submits those complaints to Slashdot as articles and comments.

You can distinguish their forged posts because invariably the last three words of any forged post are "Very scummy, indeed".

Very scummy, indeed.

Privacy Policy?

[the+Man+in+Black]

My favorite part of this claptrap. To wit: No, our software doesn't PERSONALLY sell your information and the information of everyone on your buddy list. We're merely a conduit for third-parties to do so, and to give us bags of cash for facilitating it. Do you like my hat? It's made of MONEY.

Funny, I was messing with that last night...

[Hollinger]

Here's a copy of what the messages look like:
InfectedUser (12:30:45 AM): check this out... http://www.wgutv.com/osama_capture.php?hAsH
I'm wondering what that little hash code on the end is...

I haven't personally installed that crud, but I'm wondering if SpyBot (google for it) detects it. I clicked around the site, and, to be honest, it looks like they're setting themselves up for a huge "p2p" (I hate buzzwords) marketing push. I'm going to guess that this "jokes and pranks" business will come to an end when they have a sufficent install base, after which they'll start pushing the next new wave of spam for Viagra, Mortgages, Porn, or *checks his SpamNet folder* Internet gambling on you.

Here's a snippet from the license agreement with my emphasis:
Services; Modifications to Your Instant Messaging Client. The Software provides you the opportunity to access Content for no charge. In return for the right to access this Content, you acknowledge and agree that the Software contains additional software products provided to PSD Tools by its suppliers which will periodically deliver additional Content such as, but not limited to, advertisements and promotional messages to your Computer and programs that may alter your home page to offer you Content. In addition, the Software will interoperate with your current instant messaging client so as to permit the automatic sending of advertising messages originating from your Computer to your contact or "buddy" list regarding Content offered by PSD Tools or its suppliers. If you desire to stop this activity, you may elect to stop the messages by navigating to the "buddylinks.net" entry in your "Start Menu", selecting the "buddylinks.net Configuration" item, and unchecking the appropriate option. You may also refer to PSD Tools' website at http://www.psdtools.com for an uninstaller. (http://www.buddylinks.net/terms.html)

Re:Funny, I was messing with that last night...

[Hollinger]

Got a little click-happy with the submit button...

You also agree to: (from the same URL as the parent post)
Updates to Software. The Software includes an automatic update feature to ensure that you have the most recently released version. You acknowledge and agree that PSD Tools or third parties designated by PSD Tools may from time to time provide automatic programming fixes, updates and upgrades to the Software (collectively, the "Updates"). Updates may include installation of third party applications, through automatic electronic dissemination and other means. You consent to such Updates and agree that the terms and conditions of this Agreement will apply to all such Updates. If you should elect not to have your software updated at any future time, PSD Tools shall not be responsible for any incompatibilities that may arise on your system and Computer.

Oh, and I forgot to mention that the uninstaller is available at http://www.buddylinks.net/uninstaller.exe.

Good day!
Mike

Re:Funny, I was messing with that last night...

[cyberepgnuin]

Spybot doesn't pick this up... yet.

I've heard

[TheOnlyCoolTim]

The phone number on the WHOIS for wgutv.com will connect you to the guy who wrote the virus... Use this for good, not for evil.

Tim

Oh my god!

[jarran]

You mean, you downloaded a program being advertised by spam and it was crap?! My god, d'ya reckon it's a one off or should I cancel my penis enlarger and v1agra?

Buddylinks == clickspring

[0x0d0a]

Let's take a brief look at these folks:

$ host buddylinks.net
buddylinks.net has address 63.251.131.235
$ whois 63.251.131.235
[Querying whois.arin.net]
[whois.arin.net]
Internap Network Services NETBLK-PNAP-11-99 (NET-63-251-0-0-1)
63.251.0.0 - 63.251.255.255
ClickSpring LLC INAP-BSN-CLICKSPRING-0041 (NET-63-251-131-232-1)
63.251.131.232 - 63.251.131.239

# ARIN WHOIS database, last updated 2004-02-11 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

Googling for clickspring llc turns up a number of hits. Apparently, ClickSpring has been in the business of writing advertising worms and trojans commercially for some time now. They are responsible for PurityScan as well as some other nasties out there.

Normally I wouldn't care -- another Windows virus -- but now I'm getting masses of useless messages from infected friends.

Obviously, nobody has bothered to charge ClickSpring with computer crime charges, which is quite frusterating.