AlbertPacino
Explorer
<CENTER>
</CENTER>
<font color="#FF0000">BitTorrent, the beloved file-sharing client and protocol that provides a way around bandwidth bottlenecks, has become the newest distribution vehicle for adware/spyware bundles.</font>
Public peer-to-peer networks have always been associated with adware program distributions, but BitTorrent, the program created by Bram Cohen to offer a new approach to sharing digital files, has managed to avoid the stigma.
Not any more, anti-spyware advocates warn.
According to Chris Boyd, a renowned security researcher who runs the VitalSecurity.org nonprofit resource center, the warm and fuzzy world of BitTorrent has been invaded by a massive software distribution campaign linked to New York-based adware purveyor Direct Revenue LLC.
"This is the marketing campaign to end all marketing campaigns," said Boyd, the Microsoft Security MVP (most valuable professional) known throughout the security industry by the "Paperghost" moniker.
In an e-mail interview with Ziff Davis Internet News, Boyd said rogue files have popped up occasionally in BitTorrent land but those were usually just random executables. "This is the first time I've seen a definite money-making campaign with affiliates, distributors and some pretty heavy-duty adware names," he added.
Boyd, widely known for chronicling spyware, hacking and malware exploits, has published details of the BitTorrent distributions and identified Direct Revenue and Marketing Metrix Group as the companies responsible for the rigged files.
Boyd said he got the first inkling that BitTorrent was a major adware distribution vehicle while searching for the source of Direct Revenue's Aurora, an adware program that includes the prevalent "nail.exe" component. Sifting through mountains of HijackThis logs posted on security forums, Boyd said the answer was staring him in the face. (HijackThis is a popular freeware spyware removal tool that keeps detailed logs of Windows PC scans).
In the logs, he found that "nail.exe" and "aurora.exe" were always listed alongside "btdownloadgui.exe," the user interface that downloads/uploads when using BitTorrent.
"I checked hundreds of those logs, and more often than not, [btdownloadgui.exe] was chugging away in the background. No wonder none of the victims (or spyware experts) seemed to know what site Aurora was coming fromâ€â€there was no site. It would have never occurred to the end users that it could have crept in by another means altogether," he said.
Because BitTorrent strips digital files into tiny shreds and reassembles them locally once a user completes a download, it has emerged as the perfect place to bundle adware programs among the bits, without the end user ever knowing.
A BitTorrent user downloading a movie clip only becomes aware of the associated adware after the files are reassembled. At that stage, when the user attempts to load the reassembled file, he or she is greeted by an installation notice for an adware bundle distributed by MMG (Marketing Metrix Group), a Canadian company that specializes in P2P network marketing.
Officials from MMG did not respond to queries for comment. On its Web site, the company lists BitTorrent as a lucrative adware distribution vehicle. "Although Bit Torrent is a file format and not a P2P Network … [it] is the fastest growing protocol for file sharing online. Many top Bit Torrent sites such as SuprNova, Lokitorren and Bit Tower support millions of downloads daily," said MMG, which lists PartyPoker.com and Hotbar.com among other clients on its roster.
Boyd said his interest in Aurora increased because it "is absolutely everywhere at the moment, though no one could work out where the infections were coming from."
"I had heard rumors that there was 'something' in peer-to-peer land, but I didn't expect it to be on the BitTorrent network, and finding these files has been surprisingly difficult," he added.
Boyd said BitTorrent was currently "overwhelmed" with multimedia files rigged with adware bundles, adding that the file sizes vary from 3MB to 175MB.
"I expect we'll see more of this, and if the first ever 1GB malware/adware install has a chance of happening anywhere, it will be on file-sharing networks where programs are broken up into pieces. The problem is, you never know what's going to come out the other side," he said.
Direct Revenue admitted to using MMG to push Aurora distributions via BitTorrent, but insisted that the actual adware installation was done with adequate and up-front disclosure.
In an interview, Direct Revenue chief technology officer Daniel Doman said MMG is "one of many affiliates" used to distribute Aurora. "They [MMG] specialize in doing content distribution on peer-to-peer channels, and we think they provide an easy mechanism for people like us who want to monetize software or content."
Doman, a former director of engineering at DoubleClick Inc., said the increased visibility of Aurora and the "nail.exe" component was not the result of new installations, pointing out that Direct Revenue is auto-updating its file-naming convention to address criticisms that the adware program was hidden on purpose.
"We just recently launched a full awareness and campaign to the entire user base, and the fact that those files are showing up in logs shows that we're having success," he said. The campaign, announced on May 17, includes the placement of an uninstall facility within the add/remove panel on Windows for PCs that points users to the previously hard-to-find MyPCTuneUp Web site for adware program removal.
"We've taken pains to brand all of our windows so that the source and prominence of the advertising we serve are extremely clear," Doman said. So far, about 90 percent of Direct Revenue's user base has received the branding updates, which happen without any user action.
Direct Revenue has been heavily criticized for forcing users to visit the MyPCTuneUp site to complete the program removal, but Doman defended that strategy, insisting the Web-based uninstall utility is the most efficient way to make sure the removal is properly done.
He said the company was seeing increased traffic to the site since the launch of the campaign, adding that the daily uninstall count was "in the thousands."
Even so, he said, the thousands of daily uninstalls represent only a fraction of a percentage of the entire user count and are not materially affecting Direct Revenue's business.
Doman described Boyd's posts on VitalSecurity.org as "misleading" and pointed out that the screenshots provided by the researcher "clearly show full disclosure" before the Aurora program is installed.
He acknowledged that a "grey area" exists in the timing of the disclosure, but insisted that it was done in full compliance with existing laws. "We require all our distributors to fully inform end users about what is being installed. It's a clear opt-in procedure," he said.
"The user is downloading something through BitTorrent that is ad-supported and [Boyd's screenshot] shows the disclosure that is provided. The idea that somehow the download is surreptitious is wrong. It's very apparent that if the BitTorrent user goes through with the MMG download, they agree to install the ad-supported software."
Doman added: "The notion that the user has accidentally found all this software on his machine is false. [MMG] is using a 'pull' technology. Nothing is being snuck in the back door."
Source
<font color="#FF0000">BitTorrent, the beloved file-sharing client and protocol that provides a way around bandwidth bottlenecks, has become the newest distribution vehicle for adware/spyware bundles.</font>
Public peer-to-peer networks have always been associated with adware program distributions, but BitTorrent, the program created by Bram Cohen to offer a new approach to sharing digital files, has managed to avoid the stigma.
Not any more, anti-spyware advocates warn.
According to Chris Boyd, a renowned security researcher who runs the VitalSecurity.org nonprofit resource center, the warm and fuzzy world of BitTorrent has been invaded by a massive software distribution campaign linked to New York-based adware purveyor Direct Revenue LLC.
"This is the marketing campaign to end all marketing campaigns," said Boyd, the Microsoft Security MVP (most valuable professional) known throughout the security industry by the "Paperghost" moniker.
In an e-mail interview with Ziff Davis Internet News, Boyd said rogue files have popped up occasionally in BitTorrent land but those were usually just random executables. "This is the first time I've seen a definite money-making campaign with affiliates, distributors and some pretty heavy-duty adware names," he added.
Boyd, widely known for chronicling spyware, hacking and malware exploits, has published details of the BitTorrent distributions and identified Direct Revenue and Marketing Metrix Group as the companies responsible for the rigged files.
Boyd said he got the first inkling that BitTorrent was a major adware distribution vehicle while searching for the source of Direct Revenue's Aurora, an adware program that includes the prevalent "nail.exe" component. Sifting through mountains of HijackThis logs posted on security forums, Boyd said the answer was staring him in the face. (HijackThis is a popular freeware spyware removal tool that keeps detailed logs of Windows PC scans).
In the logs, he found that "nail.exe" and "aurora.exe" were always listed alongside "btdownloadgui.exe," the user interface that downloads/uploads when using BitTorrent.
"I checked hundreds of those logs, and more often than not, [btdownloadgui.exe] was chugging away in the background. No wonder none of the victims (or spyware experts) seemed to know what site Aurora was coming fromâ€â€there was no site. It would have never occurred to the end users that it could have crept in by another means altogether," he said.
Because BitTorrent strips digital files into tiny shreds and reassembles them locally once a user completes a download, it has emerged as the perfect place to bundle adware programs among the bits, without the end user ever knowing.
A BitTorrent user downloading a movie clip only becomes aware of the associated adware after the files are reassembled. At that stage, when the user attempts to load the reassembled file, he or she is greeted by an installation notice for an adware bundle distributed by MMG (Marketing Metrix Group), a Canadian company that specializes in P2P network marketing.
Officials from MMG did not respond to queries for comment. On its Web site, the company lists BitTorrent as a lucrative adware distribution vehicle. "Although Bit Torrent is a file format and not a P2P Network … [it] is the fastest growing protocol for file sharing online. Many top Bit Torrent sites such as SuprNova, Lokitorren and Bit Tower support millions of downloads daily," said MMG, which lists PartyPoker.com and Hotbar.com among other clients on its roster.
Boyd said his interest in Aurora increased because it "is absolutely everywhere at the moment, though no one could work out where the infections were coming from."
"I had heard rumors that there was 'something' in peer-to-peer land, but I didn't expect it to be on the BitTorrent network, and finding these files has been surprisingly difficult," he added.
Boyd said BitTorrent was currently "overwhelmed" with multimedia files rigged with adware bundles, adding that the file sizes vary from 3MB to 175MB.
"I expect we'll see more of this, and if the first ever 1GB malware/adware install has a chance of happening anywhere, it will be on file-sharing networks where programs are broken up into pieces. The problem is, you never know what's going to come out the other side," he said.
Direct Revenue admitted to using MMG to push Aurora distributions via BitTorrent, but insisted that the actual adware installation was done with adequate and up-front disclosure.
In an interview, Direct Revenue chief technology officer Daniel Doman said MMG is "one of many affiliates" used to distribute Aurora. "They [MMG] specialize in doing content distribution on peer-to-peer channels, and we think they provide an easy mechanism for people like us who want to monetize software or content."
Doman, a former director of engineering at DoubleClick Inc., said the increased visibility of Aurora and the "nail.exe" component was not the result of new installations, pointing out that Direct Revenue is auto-updating its file-naming convention to address criticisms that the adware program was hidden on purpose.
"We just recently launched a full awareness and campaign to the entire user base, and the fact that those files are showing up in logs shows that we're having success," he said. The campaign, announced on May 17, includes the placement of an uninstall facility within the add/remove panel on Windows for PCs that points users to the previously hard-to-find MyPCTuneUp Web site for adware program removal.
"We've taken pains to brand all of our windows so that the source and prominence of the advertising we serve are extremely clear," Doman said. So far, about 90 percent of Direct Revenue's user base has received the branding updates, which happen without any user action.
Direct Revenue has been heavily criticized for forcing users to visit the MyPCTuneUp site to complete the program removal, but Doman defended that strategy, insisting the Web-based uninstall utility is the most efficient way to make sure the removal is properly done.
He said the company was seeing increased traffic to the site since the launch of the campaign, adding that the daily uninstall count was "in the thousands."
Even so, he said, the thousands of daily uninstalls represent only a fraction of a percentage of the entire user count and are not materially affecting Direct Revenue's business.
Doman described Boyd's posts on VitalSecurity.org as "misleading" and pointed out that the screenshots provided by the researcher "clearly show full disclosure" before the Aurora program is installed.
He acknowledged that a "grey area" exists in the timing of the disclosure, but insisted that it was done in full compliance with existing laws. "We require all our distributors to fully inform end users about what is being installed. It's a clear opt-in procedure," he said.
"The user is downloading something through BitTorrent that is ad-supported and [Boyd's screenshot] shows the disclosure that is provided. The idea that somehow the download is surreptitious is wrong. It's very apparent that if the BitTorrent user goes through with the MMG download, they agree to install the ad-supported software."
Doman added: "The notion that the user has accidentally found all this software on his machine is false. [MMG] is using a 'pull' technology. Nothing is being snuck in the back door."
Source
