Interview With an Adware Author

rye writes in to recommend a Sherri Davidoff interview with Matt Knox, a talented Ruby instructor and coder, who talks about his early days designing and writing adware for Direct Revenue. (Direct Revenue was sued by Eliot Spitzer in 2006 for surreptitiously installing adware on millions of computers.) "So we've progressed now from having just a Registry key entry, to having an executable, to having a randomly-named executable, to having an executable which is shuffled around a little bit on each machine, to one that's encrypted — really more just obfuscated — to an executable that doesn't even run as an executable. It runs merely as a series of threads. ... There was one further step that we were going to take but didn't end up doing, and that is we were going to get rid of threads entirely, and just use interrupt handlers. It turns out that in Windows, you can get access to the interrupt handler pretty easily. ... It amounted to a distributed code war on a 4-10 million-node network."

You first, buddy

[Red+Flayer]

FTA:

In particular, things involving human interactions don't have to be perfect, because groups of humans have all these self-regulations built in. If you and I have an agreement and you screwed me over badly, you've always got in the back of your mind the nagging worry that I'm going to show up on your doorstep with a club and kill you.

Times change. In order for this to continue to be a factor, we need to make sure that occasionally, someone *does* show up on a doorstep and club someone over the head.

I suggest we start with people who have kidded themselves that the abusive software they've written does not make them a villain.

Not a complete jerk

[steveha]

I'm seeing comments and tags using words like "scumbag". Well, I actually RTFA, and this guy doesn't seem to be a complete jerk.

According to him, the adware he wrote did not crack into your system using exploits, and when you ran the uninstaller it would go away and never come back. Also, according to him, it didn't scan for really personal information like credit card numbers.

I'm not about to start a fan club for him, but I don't hate him either.

I was interested in the technical stuff. His software would find other adware on a system and kick the other adware off; it was also designed to be very difficult for other adware to kick off.

The best single exchange in the interview:

S: In your professional opinion, how can people avoid adware?

M: Um, run UNIX.

steveha

The new battle ground

[girlintraining]

I think the Windows programming model is at fault for much of the obfusciation tactics used by malware. Entire classes of exploits have arisen due entirely to the complexities and obscurities of the interface. Modern anti-malware tactics have to monitor many different parts of the operating system, and in some cases due to architectural constraints the methods of doing so can make the entire operating system unstable. Not only that, but race conditions and the use of special trap conditions/exception handling can make safely disabling malware a frustrating experience. Even professionally designed applications can sometimes tank the Operating System. Trying disabling Symantec Anti-virus on an XP system without a reboot, for example, and then doing a reinstall of it remotely. In the field, I saw failure rates of about 6% for SAV10. On a hundred thousand systems, let's just say I was not happy on that deployment! Killing malware is even more risky.

Windows is layers upon layers of earlier APIs that cannot be removed due to "backwards compatibility" concerns. I have some limited exposure to the .NET framework, and it has perhaps a half-dozen APIs for threading, and the documentation is riddled with exposed interfaces that have the note "Do not use. Not safe. bullet in the brain pan squish" in it. Over a third of the API is already depreciated (as far as I can tell), and there is an ever-shifting set of best practices standards. I can only imagine the hell a proper programmer endures in developing truly complex applications for .NET -- all I was doing was a few WMI calls and a database interface and I still crashed the kernel many times trying to figure out what to trap -- in many cases, error handling is mostly about creating a catch-all and then trying to break your code to see what is generated and then guessing what to trap accordingly. With an interface this complicated and unstable, it will always be a cat and mouse game between the white and black hats on this architecture, a game predicated on undocumented interfaces, obscurity, and deep knowledge of layers of the operating system that interact in unpredictable ways.

Compare this to linux, where the interfaces haven't changed that much, and when they do, depreciated means "We're going to remove this in a year or so and we mean it." Open source has one huge advantage here -- if it's not maintained, it ceases to be relevant and there's no 20 year old code lurking about in an unused API long forgotten. At least not nearly to the degree Windows has it. If you ask me, Microsoft is complicit in allowing malware to exist because they are unwilling to modernize Windows. They need to start over from scratch on their codebase and have a good hard think about what those APIs and interfaces are going to look like and then stick to it. Or at the very least, they could start by documenting these interfaces and releasing some code so we can be more confident that our hooks into their black-boxed APIs won't tear the operating system's heart out...

Why Windows Registry is a bad idea

[whoever57]

From the interview:

We did create unwritable registry keys and file names, by exploiting an "impedance mismatch" between the Win32 API and the NT API. Windows, ever since XP, is fundamentally built on top of the NT kernel. NT is fundamentally a Unicode system, so all the strings internally are 16-bit counter Unicode. The Win32 API is fundamentally Ascii. There are strings that you can express in 16-bit counted Unicode that you can't express in ASCII. Most notably, you can have things with a Null in the middle of it.

That meant that we could, for instance, write a Registry key that had a Null in the middle of it. Since the user interface is based on the Win32 API, people would be able to see the key, but they wouldn't be able to interact with it because when they asked for the key by name, they would be asking for the Null-terminated one. Because of that, we were able to make registry keys that were invisible or immutable to anyone using the Win32 API. Interestingly enough, this was not only all civilians and pretty much all of our competitors, but even most of the antivirus people.

Re:Why Windows Registry is a bad idea

[Johnno74]

The differences in the way the NT api and Win32 api handle registry strings has been very well documented by Mark Russinovich and others.

Rootkit Revealer (written by mark) uses this difference to try and detect rootkits - read the registry using both APIs, and see what comes back different.

Hence Rootkit Revealer would put a huge flashing neon sign above malware that uses this technique

Re:I hate it when people venerate/elevate scumbags

[Ralish]

I think you're being a little harsh, not to mention very black and white.

Firstly, he's not a serial killer, he hasn't killed anyone; he's just irritated a LOT of people by installing infuriating software that's a pain to remove; in my view, this isn't quite of the same calibre as murdering people.

And if you read the interview, you'd see he's not really evil, like many/most/all serial killers, but a very intelligent young person.

His actions were motivated out of being extremely poor, he needed the money, and so he got involved in dodgy software programming. This isn't a justification for what he did, but it's nevertheless important to note. Further, he removed a lot of viruses and adware through his own adware, I'm not sure if this qualifies as grey hat behaviour, but once again, it blurs the line. Most importantly, he's reformed, and persuing an honest living, as well as providing insight into his past actions. I found his explanation of the measures he took to ensure his software remained on the infected computer fascinating from a technical perspective, there were some very clever approaches there.

I don't agree with what he did, but I'm not going to relegate him to "scumbag" status, and I wouldn't be surprised if over the coming years and decades, he makes many valuable contributions to IT and the Ruby community in particular.

Re:Sometimes we forget.

[hairyfeet]

That is why I tell customers that if they don't want it formatted and they have more than 1 virus they have to pay PER virus. Works real well and keeps them from complaining when you show them the machine has 200+ virus infections at $10 a pop. I had one customer come in and after scanning his new Toshiba laptop he had 2074 viruses RUNNING at the same time! It took nearly an hour just to see the desktop! Sadly my former boss says he had that beat, as he had a home user bring in a machine where he had managed to get over 4500 infections in the thing.

What the earlier poster wrote is true though. Folks acted shocked that it costs so much to fix their horribly infected machines, like we should be fixing them for fun or something. Yet for some reason they don't bat an eyelash when the plumber hands them this huge itemized bill. So I have taken to handing them a nice little printout with Hijack This that shows how much crap was installed with a little mark by each infection. They don't seem to complain as much when they see that huge list of crap they managed to install.