Network News

X My Profile
View More Activity

More 'Rogue' Trouble for 180solutions

Anti-spyware activist and Harvard Ph.D. student Ben Edelman has just put up another one of his "gotcha" videos that he says documents "rogue" -- i.e., non-consensual -- installs of adware, this one from a Web site getting paid by 180solutions to install its Zango Search Assistant software.

Ben explains in the usual delicious detail:

"I was browsing an ordinary commercial Web site, when I got a popup from (a major U.S. ad network, with headquarters in Portland, Oregon) . The popup sent me to a third party's Web site. (I'll call that third party "X" for convenience. ... ) Then X ran a series of exploits to take control of my test PC, including using the widely reported WMF exploit uncovered last month." (This was the flaw in Internet Explorer that allows Web sites to install whatever they want on visiting PCs browsing malicious sites with IE. Microsoft patched this flaw last week.)"

Edelman continues:

"Once X took control of my PC, X caused my computer to install and run 180solutions Zango software, among a dozen other programs. Notably, X fully installed 180's Zango without me taking any action whatsoever -- without me clicking "I agree," "Yes," "Finish" or any other button of any kind."

While Ben's machine was not infected with a bot, this matches the type of trickery the two botmasters I profiled in my recent Post magazine story used to make sure victims had no opportunity to click "no" to decline installation.

From my story:

"0x80 and Majy don't leave computer owners any chance to decline the adware. Once they invade a computer and add it to their botnet, they use automated keystroke codes to order the enslaved machine to click 'OK' on installation agreements."'

The Center for Democracy & Technology, a nonprofit public-policy group in Washington that's leading an entity called the Anti-Spyware Coalition, last month filed a detailed report asking the Federal Trade Commission to sue 180solutions, alleging that the company violated consumer-protection laws by repeatedly failing to prevent rogue installs of its adware products. 180solutions, in response, has said its new anti-fraud technology, which it has dubbed "S3," would prevent such installs going forward after January 2006, when the system was to be put in place.

But according to Edelman's video, X installed Zango on his test machine despite the new S3 protections. Ben says he expects "to provide (and in some cases already [has] provided) this information to law enforcement officials considering action against 180solutions, to private attorneys in litigation against 180solutions." Things are looking darker for 180 by the day.

By Brian Krebs  |  February 20, 2006; 3:21 PM ET
Categories:  Fraud  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Do You Know Where Your Identity Is?
Next: Exploit Published for Unpatched Mac OS X Flaw


Brian, I don't know if you've caught onto this yet or not, but it's all over and Slashdot.

Basically, readers downloaded the photos of 0x80 and checked the metadata, finding the city these were taken in. Then using Google Local/Maps, found where a gas station, stripclub and convenience store intersect in said town.

Check out this blog for more details -

Posted by: omar c | February 20, 2006 3:43 PM | Report abuse

Omar c - I am aware of it, yes. Thank you.

Posted by: Bk | February 20, 2006 4:16 PM | Report abuse

Are you aware of what a "confidentiality agreement"vor "trust" is?

Posted by: drew | February 21, 2006 12:42 AM | Report abuse

I have to agree with drew. Even though I (and probably the vast majority of readers) would prefer the guy be caught, I hope you're waking the WP up to the dangers of leaving metadata lying around. I'd hate to see a whistleblower source identified and harmed due to a fiasco like this.

Posted by: Pete | February 21, 2006 2:18 AM | Report abuse

Wow, I'm very curious how this occured, if you (or whoever is at fault) did indeed betray the identity of your source you do realize that you have basically betrayed a legacy of protecting journalistic sources (that at the WaPo includes the most infamous of such, Deep Throat), not only that but you have inadvertnatly (we can only assume it was inadvertant) destroyed faith in the concept of journalists protecting their sources, making it more difficult for future sources to come forward. I know you didn't mean to do what you did, but you can't imagine the implications of this, not to mention the implications of this on past stories. With the release of this information, readers on slashdot have narrowed the location of where this guy lives to within a very small area, plus the generic information you gave us, male, 21, limit to probably <10% of the population of a town of less than 3000. Restrict based on the area and your left with a very small pool.

Posted by: Adam Jacob Muller | February 21, 2006 6:52 AM | Report abuse

Posted by: Anonymous | February 21, 2006 10:42 AM | Report abuse

Since those metadata fields are hand-entered, who's to say they're not filled with false information, a decoy meant to disguise the true location of the hacker?

And the best decoy is a location that matches up with the article's contents.

Posted by: Ken L | February 21, 2006 1:17 PM | Report abuse

re: the third party "X" web site

I use Firefox but since I.E. is a permanent roommate, I have to pay attention to weaknesses in both browsers.

I'd sure like to to know who "X" is, so I can make sure that site is already in I.E.'s Restricted Zone and blocked off in the HOSTS file.

Four ways to deal with this:
a. Block the popup
b. Block the ad server
c. Block the malicious third-party site.
d. Patch the MS vulnerability

I have a, b, and d covered. Don't know about C.

Posted by: Ken L | February 21, 2006 1:51 PM | Report abuse

"Since those metadata fields are hand-entered, who's to say they're not filled with false information, a decoy meant to disguise the true location of the hacker?"

That is a foolish question that completely fails Occam's razor.

Posted by: tweak | February 21, 2006 2:12 PM | Report abuse

Ken L wrote:
>>Four ways to deal with this:

Don't neglect to harden the Internet zone too.

tweak wrote:
>>That is a foolish question


>>that completely fails Occam's razor.

Occam's Razor is a useful tool for thinking, not an infallible magic wand. It's intended to assist, not overpower, thinking.'s_Razor

Posted by: Mark Odell | February 21, 2006 4:19 PM | Report abuse

re: the metadata issue

I guess the thing that's so amusing here is that I remember Security Fix having an article or three regarding metadata privacy concerns in the somewhat recent past. It's the kind of thing that makes you wonder if the powers that be (i.e. policy makers) actually read their own newspaper.

Posted by: r | February 21, 2006 8:10 PM | Report abuse

Tiger in Your OS
Now I appreciate one feature of my Tiger OS that might seem annoying. Before an executable can be installed on an OS X Mac, the password of the owner must be entered. That must create some serious problems for hackers.

Posted by: Asa Simmons | February 21, 2006 11:01 PM | Report abuse

"Since those metadata fields are hand-entered, who's to say they're not filled with false information, a decoy meant to disguise the true location of the hacker?"

"That is a foolish question that completely fails Occam's razor."

I agree that this is an absurd question -- this is just the kind of non-critical thinking that causes people to start blaming natural disasters on grand government conspiracies.

Sure, it is possible that the Washington Post did the following:
1) Decided that omitting 0x80's name and location from the article did not provide enough privacy
2) Felt that they needed to add an additional layer of privacy by coming up with a scheme to throw would-be sleuths off the scent
3) Came up with the idea of adding fake meta-data to a photo
4) Located a new town, different enough from 0x80's town to throw sleuths off, but similar enough that it would fit all of the characteristics of the story
5) Edited the meta data of the file, in the vain hope that some intrepid explorer would download the file
6) That the explorer would post his find on a well known website, thereby fueling the conspiracy and further anonymyzing 0x80

Sure, that is *possible*, but is it likely? What is the realistic alternative?


1) Some stupid editor screwed up and didn't think to remove the meta-data

You make the call...

Posted by: Kaisa | February 21, 2006 11:12 PM | Report abuse

Better than some sleazeball spyware guy gets caught than Deep Throat.

Posted by: nobody | February 22, 2006 2:30 PM | Report abuse

I hope the metadata controversy does not distract people from the point of your article. I am a web developer and like to think my home computers have enough security because I am "computer-savvy" -- this piece was a reminder that we all need to be vigilant. I read the article and went straight to my computers to run AdAware!

Posted by: Larissa | February 22, 2006 5:42 PM | Report abuse

Posted by: atrivo | February 24, 2006 3:50 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company