Slashdot Mirror
Interview With an Adware Author
rye writes in to recommend a Sherri Davidoff interview with Matt Knox, a talented Ruby instructor and coder, who talks about his early days designing and writing adware for Direct Revenue. (Direct Revenue was sued by Eliot Spitzer in 2006 for surreptitiously installing adware on millions of computers.) "So we've progressed now from having just a Registry key entry, to having an executable, to having a randomly-named executable, to having an executable which is shuffled around a little bit on each machine, to one that's encrypted — really more just obfuscated — to an executable that doesn't even run as an executable. It runs merely as a series of threads. ... There was one further step that we were going to take but didn't end up doing, and that is we were going to get rid of threads entirely, and just use interrupt handlers. It turns out that in Windows, you can get access to the interrupt handler pretty easily. ... It amounted to a distributed code war on a 4-10 million-node network."
That the people who makes IT Guys lives difficult and annoying are indeed IT guys.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Some serial killer goes and and murders dozens of innocent people; and we reward him with veneration, books written about him, endless press coverage, etc. Scumbags don't deserve our respect, our veneration, or polite treatment.
SJW: Someone who has run out of real oppression, and has to fake it.
It was funny. It really showed me the power of gradualism. It's hard to get people to do something bad all in one big jump, but if you can cut it up into small enough pieces, you can get people to do almost anything.
It reminds me of the movie Permanent Midnight , where Ben Stiller starts out the movie smoking weed and at the end is hooked on crack.
It's probably Ben Stiller's best work, by the way.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
It would be a damn shame if something bad happened to this guy.
Times change. In order for this to continue to be a factor, we need to make sure that occasionally, someone *does* show up on a doorstep and club someone over the head.
I suggest we start with people who have kidded themselves that the abusive software they've written does not make them a villain.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
I am now more convinced than ever that it is impossible to secure Windows.
...his skills to slide past security and override their computer systems may be the last hope of mankind.
Unless the aliens AREN'T running Windows.
I'm seeing comments and tags using words like "scumbag". Well, I actually RTFA, and this guy doesn't seem to be a complete jerk.
According to him, the adware he wrote did not crack into your system using exploits, and when you ran the uninstaller it would go away and never come back. Also, according to him, it didn't scan for really personal information like credit card numbers.
I'm not about to start a fan club for him, but I don't hate him either.
I was interested in the technical stuff. His software would find other adware on a system and kick the other adware off; it was also designed to be very difficult for other adware to kick off.
The best single exchange in the interview:
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely
I think the Windows programming model is at fault for much of the obfusciation tactics used by malware. Entire classes of exploits have arisen due entirely to the complexities and obscurities of the interface. Modern anti-malware tactics have to monitor many different parts of the operating system, and in some cases due to architectural constraints the methods of doing so can make the entire operating system unstable. Not only that, but race conditions and the use of special trap conditions/exception handling can make safely disabling malware a frustrating experience. Even professionally designed applications can sometimes tank the Operating System. Trying disabling Symantec Anti-virus on an XP system without a reboot, for example, and then doing a reinstall of it remotely. In the field, I saw failure rates of about 6% for SAV10. On a hundred thousand systems, let's just say I was not happy on that deployment! Killing malware is even more risky.
Windows is layers upon layers of earlier APIs that cannot be removed due to "backwards compatibility" concerns. I have some limited exposure to the .NET framework, and it has perhaps a half-dozen APIs for threading, and the documentation is riddled with exposed interfaces that have the note "Do not use. Not safe. bullet in the brain pan squish" in it. Over a third of the API is already depreciated (as far as I can tell), and there is an ever-shifting set of best practices standards. I can only imagine the hell a proper programmer endures in developing truly complex applications for .NET -- all I was doing was a few WMI calls and a database interface and I still crashed the kernel many times trying to figure out what to trap -- in many cases, error handling is mostly about creating a catch-all and then trying to break your code to see what is generated and then guessing what to trap accordingly. With an interface this complicated and unstable, it will always be a cat and mouse game between the white and black hats on this architecture, a game predicated on undocumented interfaces, obscurity, and deep knowledge of layers of the operating system that interact in unpredictable ways.
Compare this to linux, where the interfaces haven't changed that much, and when they do, depreciated means "We're going to remove this in a year or so and we mean it." Open source has one huge advantage here -- if it's not maintained, it ceases to be relevant and there's no 20 year old code lurking about in an unused API long forgotten. At least not nearly to the degree Windows has it. If you ask me, Microsoft is complicit in allowing malware to exist because they are unwilling to modernize Windows. They need to start over from scratch on their codebase and have a good hard think about what those APIs and interfaces are going to look like and then stick to it. Or at the very least, they could start by documenting these interfaces and releasing some code so we can be more confident that our hooks into their black-boxed APIs won't tear the operating system's heart out...
#fuckbeta #iamslashdot #dicemustdie
Theoretically, I'm not opposed to ad-supported programs. If someone is willing to put up with an advertisement in order to use a program for free, go ahead and let them. It's worked for television, radios, and web sites for quite a while (Tivos and Ad-Block aside).
The problem, obviously, is when uninstalling the adware becomes a major hassle. For example, the author described in the interview how you would have to download a special uninstaller from the net, fill out a survey, and allow them to keep a registry key installed permanently. That is bullshit. Uninstalling shouldn't force any remains of the program to be left behind, period. Yes, in this situation it prevents unintentional (or intentional) reinstalls, but that wouldn't be an issue if adware didn't rely on drive-by downloads and was more upfront in what was being installed with the main program.
To maintain some sense of legitimacy, uninstalling shouldn't be more complicated than a few clicks from using the Add/Remove Programs dialog, and not leave behind any of the program's code.
From the article:
Um, no. Unconscionability is a pretty ancient principle of contract law. People joke about signing away their first-born child in an unread EULA, but they understand that it's a joke: that term would never be enforced by a court, because allowing contracts of adhesion (like EULAs) signed by non-lawyers in casual circumstances to extract those kinds of concessions from the parties would result in the complete breakdown of society.
So when this guy (and his bosses) talk about how there was "no law around this", they're not fooling anyone, least of all themselves. If I buy a bus ticket and on the back there's some fine print stating that by riding the bus I've agreed to let the driver break into my house and take anything he wants, guess where the bus driver ends up if he tried to exercise his contractual "rights"? In prison. Which is where this guy belongs.
The real "Libtards" are the Libertarians!
To get that oh-so-useful uninstaller you had to go to a website, answer a survey, and only then could you download it. If they genuinely wanted to make it easy, they would have put it in Add/Remove Programs, and stuck their survey in there.
I don't know about you, but after getting sketchy software on my machine, the LAST thing I want to do is go to some random website and download even MORE crap. I wouldn't trust that download one bit.
And the bit about "it was also designed to be very difficult for other adware to kick off" is complete hand-waving B.S. It was designed to be very difficult for anti-virus packages and anti-spyware packages too. In fact, anti-malware packages were probably the primary target of the persistence code.
And their distributors were complete scum that Direct Revenue did very little to police. Yeah, they suspended any that were complained about (if the hapless users even had any clue how they got the software), but those rogue distributors would just sign up under a new name.
I can't believe he thought this job was a "net positive" simply because he wiped out the other guys' malware more than he installed. That just means he is a very sneaky coder... That's like a embezzeling salesman saying he was a "net positive" because he generated more profits than he stole. It may be true, but it doesn't make him any less of a scumbag.
SirWired
so let's educate some of you:
we capture someone like frank abagnale, and we go all sharia law on him, as a lot of you propose, and leave him as a bloody stump
then what?
well, there are other frank abagnales out there. how do we detect them and capture them? well, the frank abagnale you just beat to a pulp: he would have made a good tool to do that, ya think?
luckily, in real life, this is exactly what the feds and the banks did. in real life, you capture and use highly intelligent crooks to... drum roll please... capture more highly intelligent crooks. get it?
law enforcement is hard grinding work, it doesn't happen like "death wish" or "dirty harry". i know in some of your justice league of america fantasy lives, delivering justice with a fist and a gun is the way to go. but we'd like to talk about reality, ok?
so to review:
1. we can have justice your way, and beat adware authors to a pulp, or
2. we can have smart justice, and listen carefully to mr. adware author's words, and use those words to catch more adware authors
get it? see the difference? do you want to pursue justice? or do you want to beat people up?
these are mutually exclusive activities, despite your dimwitted fantasy lives
now go crawl back under your rocks mouth breathers. nobody who is actually going to catch and punish cybercriminals in this world is going to think like you do
even the most vile amoral serial killer is useful to keep alive and listen to. simply for matters of brain analysis and psychological study. or, we could put a bullet in his head, scrambling the abnormal brains, and having nothing useful to catch more vile amoral serial killers
dumb violent justice leaves a dumb violent society that knows nothing about the smart and truly vicious criminals in their midst
smart justice is about studying smart criminals, and using them against each other
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Just for fun, consider the following actions a Unitary Programmer might do to your machine. Where would you rate them on the $SCOUNDREL scale, and why?
Playing "CoreWars" is tricky business, and people with even a dim sense of ethics are loathe to try it. But there's one case where none of the above actions are ethically questionable: When the machine's owner does it themselves.
I think the adware author lost sight of that for a while...
Schwab
Editor, A1-AAA AmeriCaptions
According to the article, deleting the registry entries mean that the program would re-install itself, while leaving them in-place would cause the software to avoid that computer (registry entries were used as an opt-out marker).
Im pretty sure that the majority of cops that became criminals were the hardest to catch. They know all the tricks and what other cops/detectives will be looking for.
What about those that use color of law? It's not terribly surprising that the FBI only receives about 200 complaints of color-of-law, and doesn't investigate, much less prosecute, a single one.
Simply being a police officer offers enormous immunity from the general public accusing you of crimes, and further means that most of your fellow officers won't "rat" on you (instead of being disgusted at your behavior and bringing disrepute to the supposed "profession.")
Please help metamoderate.
I sometimes wonder if there is a way to estimate aggregate "harm" caused by a widely distributed crime. Is it the same to steal 1 minute of time from 1 million people with an automated telemarketing robocall as it is to lock 1 guy in your basement for 2 years (1 million minutes)?
None of them can see the clouds; The polished wings don't care.
Maybe even that won't get rid of the adware.
It will, if you do it right. That means
1) Don't try to "repair" the installation, format C: and do it really from scratch.
2) Don't install from a "recovery CD" from the hardware vendor, it might have the adware pre-installed. Use an unmodified Microsoft CD. Install from that.
Now you have a clean installation. To make it stay clean (not only from adware), do the following: ;-)
3) Before you connect to the internet again, install the latest service pack AND the post-SP4 hotfixes. Here a utility that collects all the updates into an offline update CD is helpful. I use the offline updater from heise, a German IT publishing house.
You can download the current version from http://www.heise.de/ct/projekte/offlineupdate/download/ctupdate50.zip
The UK site of heise has an article in English that explains the system (for an older version, but I think the principle still applies): http://www.heise-online.co.uk/security/Do-it-yourself-Service-Pack--/features/80682
4) It is usually a good idea to use something else than Internet Explorer for surfing
C - the footgun of programming languages
Lol, the only "other" profession where it can take 4 million lines of code and a dozen libraries to effectively state "Hello World".
-Matt
--- Need web hosting?
Have a look at broken window fallacy.
Not everyone wins. Just someone else is paying the price
Of course they're morally bankrupt. However they also play an important role in the ecosystem.
What? How in the hell are malware writers an "important part of the ecosystem"?
This is the Internet, not Wild Kingdom. In nature, real virus infections do indeed serve a natural purpose. On a computer, it serves nothing but the ends of assholes and criminals. There's no justification... none whatsoever... for what these guys do. And don't give me that farcical security argument, either. They're not doing the world any favors by violating other people's computers.
Life is hard, and the world is cruel
So if I buy a door that happens to have a lock with a flaw, it's the fault of the lock maker that my stuff gets stolen? Sorry, but no, the fault lies solely on the shoulders of the thief.
I'm sorry, but why did you buy a door with a lock on it if not to protect against thieves? If someone sells a product that purports to protect you against criminals, and it fails to do as advertised, then that seller has sold a defective product and partially to blame for your loss. To follow your line of logic would absolve locksmiths of any responsibility to make a product that isn't slipshod.
Microsoft thumps its own chest about the safety and security of its system. Their failure to live up to their claims makes them part of the problem and not an innocent bystander.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
And if you read the interview, you'd see he's not really evil, like many/most/all serial killers, but a very intelligent young person.
First, what exactly is "evil?" Some people think that one has to cackle and twirl your moustache with glee at being evil for its own sake, but most people who do horrible and evil things to other people have a good justification for their acts: "I was desperate and I needed the money," "I was just following orders," "I'm protecting my family and my country," "Everybody else gets away with doing it," "My evil rids the world of other evils," "If I didn't, then someone else would," "It was just a job," "It's nothing personal," "Stupid people get what they deserve," "It's just survival of the fittest," etc., etc.
Doing something wrong just because you were in a tight spot and put your own needs over others is no more just than doing it just because you enjoyed it. Evil is evil. While I feel sympathy for his poverty and think that we as a society should focus our government's attention more on preventing the root causes of crime than just "deterrence," I feel no real qualms about stringing someone up if they've crossed the line. He had a choice whether to do right and struggle or to do wrong and prosper. He chose the easier of the two paths.
And second, I'd like to point out that most serial killers were "very intelligent young people." Unlike them, he wasn't mentally ill -- just greedy, ethically bankrupt, and too enthralled by the shiny programming challenge.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Can you get me in touch with these people you're advising? I could certainly use some free IT equipment.
No really, I'm serious -- if you know of folks throwing out perfectly functional computers solely because of virus infections, I'd love to have a few of their machines. Heck, they're worth something just for hobbyist spare parts, if nothing else. :)
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
3.b. Make a clone image of the system to an external hard drive so that next time you can be done in 20 minutes. I recommend clonezilla for this because it's free, boots from a pen drive, supports Windows and Linux, and will save to a USB drive or open Windows share on the network.
4) It is usually a good idea to use something else than Internet Explorer for surfing ;-)
Another good tip is to load a good hosts file. You would be amazed how much it helps. There's no host like localhost. It's cheezy, it's retro, it's cheating. But it doesn't cause cancer.*
*This statement has not been evaluated by the AMA. Void where prohibited. Your mileage may vary. Everything causes cancer.
Help stamp out iliturcy.
Mods, while I might not personally agree with the rationale of throwing away computers because of infections, Digishaman's argument certainly makes sense, at least on an economic level, for the vast legions of the clueless. If they have browsing habits that habitually get their machines so glommed up with muckware as to be unusable, they're going to have to shell out major buckage to get their machines un-mucked -- and at that point, it *does* indeed begin to make more sense for them to just buy a newer low-end machine -- at least the OEM OS should be more up-to-date than their older machine, and might therefore last a bit longer before being rendered unusable again.
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."