Slashdot Mirror


Interview With an Adware Author

rye writes in to recommend a Sherri Davidoff interview with Matt Knox, a talented Ruby instructor and coder, who talks about his early days designing and writing adware for Direct Revenue. (Direct Revenue was sued by Eliot Spitzer in 2006 for surreptitiously installing adware on millions of computers.) "So we've progressed now from having just a Registry key entry, to having an executable, to having a randomly-named executable, to having an executable which is shuffled around a little bit on each machine, to one that's encrypted — really more just obfuscated — to an executable that doesn't even run as an executable. It runs merely as a series of threads. ... There was one further step that we were going to take but didn't end up doing, and that is we were going to get rid of threads entirely, and just use interrupt handlers. It turns out that in Windows, you can get access to the interrupt handler pretty easily. ... It amounted to a distributed code war on a 4-10 million-node network."

24 of 453 comments

  1. Sometimes we forget. by jellomizer · Score: 5, Insightful

    That the people who make IT guys' lives difficult and annoying are indeed IT guys.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Sometimes we forget. by Anonymous Coward · Score: 5, Insightful

      I'm pretty sure that the majority of cops that became criminals were the hardest to catch. They know all the tricks and what other cops/detectives will be looking for.

    2. Re:Sometimes we forget. by fph+il+quozientatore · Score: 5, Insightful

      [Sometimes we forget t]hat the people who make IT guys' lives difficult and annoying are indeed IT guys.

      Or lawyers.

      --
      My first program:

      Hell Segmentation fault

    3. Re:Sometimes we forget. by snl2587 · Score: 5, Insightful

      Difficult? Maybe, but for freelancers who collect a check every time they "fix" an infected computer (read: fiddle around for a while and ultimately end up reinstalling Windows), these crapware authors are the reason they can stay in business.

    4. Re:Sometimes we forget. by MobyDisk · Score: 5, Informative

      Talented computer repair techs can stay in business just fine. But yes, the adware/spyware boom caused an explosion in the repair field too.

    5. Re:Sometimes we forget. by feepness · Score: 5, Insightful

      Can we throw away the idea of a "throw away society"?

    6. Re:Sometimes we forget. by symbolset · Score: 5, Informative

      You don't "fix" a computer. You reinstall, it should only take 20 minutes tops. Of course, you should not be an idiot and not let it get that way to begin with. Regardless of your overinflated salary you are throwing away money. Dumbass.

      Look, I'm not a stranger to making an ass of myself on slashdot, but I still get to point out when other people do it. Sure, from a good image I can flash a 40GB SATA 3.0 drive in 3 minutes flat and the user is up and running. Add five minutes and I can restore today's user data from their good backup. That's not the common experience in the field because they have no good image and seldom have backups. In 20 minutes on the same drive you can install Windows if you have SP3 media. You still can't get all the updates, install the system drivers, install the accessory drivers, do a reasonable security software install and user configuration in 20 minutes. You definitely can't restore their user data, nor their critical apps. It just can't be done.

      If the typical consumer were willing to pay his tech to come out and set him up properly, and visit him and make a good image semiannually, maybe. If they bought spares, better still. But they usually won't. Usually they won't call for help until they've borked it good and don't have backups. Most people if you gave them a button that booted their computer from an "emergency backup" spare drive, would crash their main system, then the emergency backup, and then call for help.

      And some of them, oh, God I wish it were not so, utterly rely on some system running Windows 95 that hasn't been updated since because it was set up for them a decade ago and it still works and they bought into a system with no migration path.

      --
      Help stamp out iliturcy.
  2. I hate it when people venerate/elevate scumbags by elrous0 · Score: 5, Insightful

    Some serial killer goes and murders dozens of innocent people, and we reward him with veneration, books written about him, endless press coverage, etc. Scumbags don't deserve our respect, our veneration, or polite treatment.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:I hate it when people venerate/elevate scumbags by Nos. · Score: 5, Funny

      He should be forced to forever use an unpatched Windows (9x, XP, 2000, etc) as his OS on every computer.

    2. Re:I hate it when people venerate/elevate scumbags by Anonymous Coward · Score: 5, Funny

      He should be forced to use Windows ME, at no higher than 800x600 screen mode, with a 56K modem.

      He should also be forced to eat his own testicles.

    3. Re:I hate it when people venerate/elevate scumbags by Anonymous Coward · Score: 5, Insightful

      Damn right, dave. However, it's hard to deny that someone who writes malicious code that directly targets (ignorant) consumers may very well be treading on morally bankrupt territory.

    4. Re:I hate it when people venerate/elevate scumbags by dylan_- · Score: 5, Funny

      Given a choice between the two, I might go with the testicles.

      That's the trouble with browsing at +1...now I have to imagine what kind of comment that was a response to...

      --
      Igor Presnyakov stole my hat
    5. Re:I hate it when people venerate/elevate scumbags by Anonymous Coward · Score: 5, Funny

      Maybe you should click the "whoosh" button.

    6. Re:I hate it when people venerate/elevate scumbags by Grishnakh · Score: 5, Insightful

      So if I buy a door that happens to have a lock with a flaw, it's the fault of the lock maker that my stuff gets stolen? Sorry, but no, the fault lies solely on the shoulders of the thief. Windows has many problems, but all the fault for exploiting it is on the malware authors.

      I disagree.

      If you buy a door that has a lock with a flaw, and the lock maker knows about this flaw and does nothing about it and continues to sell this same flawed model for many years, making billions of dollars of profit, while people like you keep getting your stuff stolen, there are two parties at fault: 1) the thieves, obviously, since they stole the stuff, and 2) the lock maker, because they sold you something they claimed to be secure and which would protect your stuff from thieves, but which really wasn't, and they knew about it.

      When assigning blame for things like this, you have to look at the big picture. For a single instance of criminality, it's usually just the criminal's fault. But when the criminals keep using the same tricks over and over to commit their crimes, you have to look at what's enabling them. In the case of MS, they shoulder a lot of blame, because they, for decades, have put features ahead of security, even though they own the lion's share of the market and any security flaw has the most potential for damage because of that. Finally, because users have known about MS's crap and keep buying it, users also share part of the blame, for continuing to purchase MS's shoddy products, although this is mitigated partially because of MS's manipulation of the market to keep themselves in a position where it's difficult to get by without their product (for instance, because many important software products like AutoCAD only work in Windows).

    7. Re:I hate it when people venerate/elevate scumbags by fuckface · Score: 5, Funny

      Of course they're morally bankrupt. However they also play an important role in the ecosystem.

      OMG, you're right! I'll be over in 20 minutes to smash all your windows. You know, to stimulate the economy!

      All these tools are doing is saving M$ money on code audits and proper beta testing at the expense of EVERYONE else.

  3. Re:Seriously by fuzzyfuzzyfungus · Score: 5, Funny

    Do you think it would be more of a shame if he accidentally cut his throat while shaving, slipped and fell down three flights of stairs, or tripped and hit his head on a bullet?

  4. Chilling by bbbaldie · Score: 5, Insightful

    I am now more convinced than ever that it is impossible to secure Windows.

    1. Re:Chilling by El+Lobo · Score: 5, Insightful

      The same guy says in another interview on CNET that it would be pretty easy to find ways to implement the same in OSX (where they are actually experimenting) and in many Linux distros, but nobody pays a shit for that. They can get a lot more cash for pressing their brains to find exploits for hundreds of millions of computers than what they would get for finding exploits for some thousands in more exotic OSs. Easy like that. Something as complex as an OS with millions of lines of code will necessarily ALWAYS have a couple of thousand possible holes, be it BeOS, MistOs, NetBSD or whatever. You only need the will (or the cash).

      --
      It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
  5. Not a complete jerk by steveha · Score: 5, Interesting

    I'm seeing comments and tags using words like "scumbag". Well, I actually RTFA, and this guy doesn't seem to be a complete jerk.

    According to him, the adware he wrote did not crack into your system using exploits, and when you ran the uninstaller it would go away and never come back. Also, according to him, it didn't scan for really personal information like credit card numbers.

    I'm not about to start a fan club for him, but I don't hate him either.

    I was interested in the technical stuff. His software would find other adware on a system and kick the other adware off; it was also designed to be very difficult for other adware to kick off.

    The best single exchange in the interview:

    S: In your professional opinion, how can people avoid adware?

    M: Um, run UNIX.

    steveha

    --
    lf(1): it's like ls(1) but sorts filenames by extension, tersely
  6. Sadly, no. by lucas_picador · Score: 5, Insightful

    From the article:

    In their licensing terms, the EULA people agree to, they would say "in addition, we get to install any other software we feel like putting on." Of course, nobody reads EULAs, so a lot of people agreed to that. If they had, say, 4 million machines, which was a pretty good sized adware network, they would just go up to every other adware distributor and say "Hey! I've got 4 million machines. Do you want to pay 20 cents a machine? I'll put you on all of them." At the time there was basically no law around this. EULAs were recognized as contracts and all, so that's pretty much how distribution happened.

    Um, no. Unconscionability is a pretty ancient principle of contract law. People joke about signing away their first-born child in an unread EULA, but they understand that it's a joke: that term would never be enforced by a court, because allowing contracts of adhesion (like EULAs) signed by non-lawyers in casual circumstances to extract those kinds of concessions from the parties would result in the complete breakdown of society.

    So when this guy (and his bosses) talk about how there was "no law around this", they're not fooling anyone, least of all themselves. If I buy a bus ticket and on the back there's some fine print stating that by riding the bus I've agreed to let the driver break into my house and take anything he wants, guess where the bus driver ends up if he tries to exercise his contractual "rights"? In prison. Which is where this guy belongs.

  7. Why Windows Registry is a bad idea by whoever57 · Score: 5, Interesting

    From the interview:

    We did create unwritable registry keys and file names, by exploiting an "impedance mismatch" between the Win32 API and the NT API. Windows, ever since XP, is fundamentally built on top of the NT kernel. NT is fundamentally a Unicode system, so all the strings internally are 16-bit counted Unicode. The Win32 API is fundamentally ASCII. There are strings that you can express in 16-bit counted Unicode that you can't express in ASCII. Most notably, you can have things with a Null in the middle of it.

    That meant that we could, for instance, write a Registry key that had a Null in the middle of it. Since the user interface is based on the Win32 API, people would be able to see the key, but they wouldn't be able to interact with it because when they asked for the key by name, they would be asking for the Null-terminated one. Because of that, we were able to make registry keys that were invisible or immutable to anyone using the Win32 API. Interestingly enough, this was not only all civilians and pretty much all of our competitors, but even most of the antivirus people.

    --
    The real "Libtards" are the Libertarians!
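The mismatch the quoted passage describes, as an added example that is not from the interview or from the thread: a small Python model of counted (NT-style) versus NUL-terminated (Win32-style) names, showing why a key name with an embedded NUL can never be reached by a C-string open-by-name, and how a scan that reads the counted names flags such entries. The record layout and the sample key names are constructed for illustration, not real registry output.

```python
import struct

def make_record(name: str) -> bytes:
    """Build a constructed UNICODE_STRING-style record: 2-byte little-endian
    Length in bytes, then Length bytes of UTF-16LE (no terminator needed)."""
    data = name.encode("utf-16-le")
    return struct.pack("<H", len(data)) + data

def parse_counted_name(record: bytes) -> str:
    """Decode a record the way a counted-string API does: trust the count, not a NUL."""
    (length,) = struct.unpack_from("<H", record, 0)
    if length % 2 or 2 + length > len(record):
        raise ValueError("malformed counted string")
    return record[2:2 + length].decode("utf-16-le")

def win32_view(name: str) -> str:
    """What a C-string (NUL-terminated) caller sees: the text before the first NUL."""
    nul = name.find("\x00")
    return name if nul < 0 else name[:nul]

def lookup_by_c_string(records, requested: str):
    """Model a Win32-style open-by-name: the requested name is cut at its first
    NUL before comparison, so a key whose real name continues past a NUL can
    never be addressed this way. Returns the matched counted name, or None."""
    wanted = win32_view(requested)
    for rec in records:
        full = parse_counted_name(rec)
        if full == wanted:
            return full
    return None

def find_hidden_names(records):
    """Defender-side check over counted names: list (counted_name, win32_view)
    for every record whose counted name differs from its NUL-terminated view."""
    findings = []
    for rec in records:
        full = parse_counted_name(rec)
        seen = win32_view(full)
        if seen != full:
            findings.append((full, seen))
    return findings

# Constructed sample key names; "Run\x00Updater" hides behind the benign-looking "Run".
SAMPLE_RECORDS = [
    make_record("Run"),
    make_record("Run\x00Updater"),
    make_record("Updater"),
    make_record("\x00"),  # appears as an empty name to C-string callers
]

if __name__ == "__main__":
    for full, seen in find_hidden_names(SAMPLE_RECORDS):
        print(f"embedded NUL: {full!r} is seen by Win32 as {seen!r}")
```

Real tooling does this with the native enumeration APIs rather than a byte-record parser; the point here is only that the check must compare the counted name against its C-string view.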
  8. there are comments here threatening violence by circletimessquare · Score: 5, Insightful

    so let's educate some of you:

    we capture someone like frank abagnale, and we go all sharia law on him, as a lot of you propose, and leave him as a bloody stump

    then what?

    well, there are other frank abagnales out there. how do we detect them and capture them? well, the frank abagnale you just beat to a pulp: he would have made a good tool to do that, ya think?

    luckily, in real life, this is exactly what the feds and the banks did. in real life, you capture and use highly intelligent crooks to... drum roll please... capture more highly intelligent crooks. get it?

    law enforcement is hard grinding work, it doesn't happen like "death wish" or "dirty harry". i know in some of your justice league of america fantasy lives, delivering justice with a fist and a gun is the way to go. but we'd like to talk about reality, ok?

    so to review:

    1. we can have justice your way, and beat adware authors to a pulp, or
    2. we can have smart justice, and listen carefully to mr. adware author's words, and use those words to catch more adware authors

    get it? see the difference? do you want to pursue justice? or do you want to beat people up?

    these are mutually exclusive activities, despite your dimwitted fantasy lives

    now go crawl back under your rocks mouth breathers. nobody who is actually going to catch and punish cybercriminals in this world is going to think like you do

    even the most vile amoral serial killer is useful to keep alive and listen to. simply for matters of brain analysis and psychological study. or, we could put a bullet in his head, scrambling the abnormal brains, and having nothing useful to catch more vile amoral serial killers

    dumb violent justice leaves a dumb violent society that knows nothing about the smart and truly vicious criminals in their midst

    smart justice is about studying smart criminals, and using them against each other

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  9. or the cops still on the force... by SuperBanana · Score: 5, Insightful

    I'm pretty sure that the majority of cops that became criminals were the hardest to catch. They know all the tricks and what other cops/detectives will be looking for.

    What about those that use color of law? It's not terribly surprising that the FBI only receives about 200 complaints of color-of-law, and doesn't investigate, much less prosecute, a single one.

    Simply being a police officer offers enormous immunity from the general public accusing you of crimes, and further means that most of your fellow officers won't "rat" on you (instead of being disgusted at your behavior and bringing disrepute to the supposed "profession.")

  10. Yes, law by Wrexs0ul · Score: 5, Funny

    Lol, the only "other" profession where it can take 4 million lines of code and a dozen libraries to effectively state "Hello World".

    -Matt

    --
    --- Need web hosting?