[EDIT] This particular post has generated a very large amount of email, and apparently is being read by a large number of people infected with VX2. As a result, I've edited it, to clean up typos and to add additional information about the exploits used, the way VX2 works, and the sources of the spyware scourge. New information is identified with [EDIT].
If you're reading this post and you're on a Windows computer, the odds are overwhelming--between 80% and 90%--that you are infected with at least one virus or spyware program, and the odds are very high that you're infected with dozens or hundreds.
Yes, you. Even if you are technically literate, you have a firewall, and you never download suspicious attachments, you are almost certainly infected. There is lots and lots and lots of money in computer viruses and spyware, especially the variety that makes popup ads appear on your machine. The question I've always had, though, is who's making all this money by infecting your computer?
A couple nights ago, Shelly's computer became infected. Shelly's technically savvy, the apartment we live in is on a closed private network with a hardware firewall between us and the Internet, and she also runs a software firewall on her computer, and she still became infected nonetheless.
I spent about six hours removing the infection, and also tracking down the source of the infection, and painstakingly backtracking all the popup ads that the adware displayed on her computer. My goal: Follow the money. Discover where the infection came from, and who was making money from it. The results were, to say the least, interesting.
If you don't care about stuff like this, you can skip the rest of this message. If you're curious about the mechanisms by which spyware and viruses work, who is responsible for them, why they're so common, how they spread, and most important, who makes money by creating and releasing them:
Shelly's computer started behaving strangely, taking a long time to boot and displaying popup ads whenever she launched Internet Explorer, late Wednesday afternoon. Running the anti-spyware program Ad-Aware revealed that the computer was infected with a very nasty bit of malware called VX2, first introduced to the Internet public by a company calling itself VX2, which has since become defunct. The VX2 program has continued to be developed and to become nastier, more destructive, and more malicious as time goes on; today's VX2 is extremely sophisticated, highly destructive, and almost impossible to remove.
Ad-Aware and a similar program called Spybot Search & Destroy could see the infection, but could not remove it. VX2 remains memory-resident, even if its files are deleted, and constantly monitors attempts to get rid of it; if it is removed or the computer's Registry is changed, this evil little bastard changes the Registry back and rewrites itself to disk under a different name. It also sets itself up as a critical system service (so it runs even when the computer is booted in safe mode), and cloaks itself so that it does not appear in the Task Manager. [EDIT]: Earlier versions of VX2 could only conceal themselves in the Task Manager under Windows 95/98/Me; VX2 Variant 3 appears to be able to conceal itself in the Task Manager under Windows NT/2000/XP as well.
Ad-Aware has a special plug-in module written especially to remove VX2. This plug-in confirmed that Shelly's computer was infected with what it described as "VX2 Variant 3," but even the plug-in could not remove the infection; it appears that Shelly had become infected with a brand-new VX2 variant, more cunning and more malicious than even the worst variant known to Ad-Aware.
But from where?
Now things get interesting. In following the source of the infection, I ended up in a virtual trip that went from Dallas, Texas, through servers in Russia and Nevada, and finally back to the source in Rosemount, Minnesota. Along the way, it involved a surprising number of big-name, supposedly reputable companies, all of whom are profiting either directly or indirectly from viruses and spyware.
Shelly's computer first became infected when her browser visited the Web address "http://18.104.22.168/ normal/yyy12.html". At the time I am writing this, this Web address is still active. *** WARNING *** WARNING *** WARNING I have put a space in this URL to keep people from clicking accidentally on it. Do NOT visit this URL if you are on a Windows machine and you're using Internet Explorer. You WILL become infected. I don't know what brought her to that site; it may have been a redirect, a browser hijack, even a maliciously constructed banner ad.
[EDIT]: The site infects a computer using an Explorer iFrame exploit. Put most simply, if a Web page contains an iFrame that points to another Web page containing an OBJECT tag, the file referenced in the OBJECT tag (in this case, a dropper for VX2) is downloaded and installed silently, without the user's knowledge or consent. Versions of Internet Explorer prior to the version that shipped with Windows XP SP2 are all vulnerable; I have not tested the version of Explorer that shipped with XP SP2 or versions patched by subsequent security fixes. I do know that Microsoft has since closed several iFrame exploits. I do not know if this exploit is one of them.
The Web site at 22.214.171.124 is running on a computer whose ISP connection is provided by a company called Rackspace, a large and busy Texas-based ISP with international offices and a long history of supporting and condoning spam and other unethical behavior; in fact, Rackspace even has its own entire section on the Blackholes.us spam support blacklisting service.
So Rackspace is the first company profiting from the infection; they're making money by providing Internet connections for the URL hosting the malware dropper. Remember the name Rackspace; we'll be seeing it again later.
So. Moving along: The virus-dropping Web site at 126.96.36.199 is nothing but a simple redirector. It redirects to "http://188.8.131.52/ ads/banners/banner3.php?ID=1". Again, I have put a space in this URL. Do NOT visit this URL if you are on a Windows machine and using a vulnerable version of Explorer; you WILL become infected. [EDIT]: This page is referenced by an iFrame from the preceding page, and contains an iFrame pointing to the next server in the chain, which contains the actual dropper; we'll get to that in a moment.
This Web site is hosted on a server in Russia; the ISP is a Russian service called Linkey.ru. They are the second group of people in the chain making money from viruses and spyware, by hosting a virus dropper. I don't know if they're a knowing participant or just an innocent ISP who's unknowingly hosting a virus dropper. [EDIT]: Additional information from a helpful reader on the news.admin.net-abuse.email newsgroup:
The Russian-hosted Web site is:
http://184.108.40.206/ = Adsavior.com
11/08/04 11:05:06 dns Adsavior.com
Adsavior.com NS (Nameserver) ns1.adsavior.biz
Adsavior.com NS (Nameserver) ns2.adsavior.biz
Adsavior.com A (Address) 220.127.116.11
mail.Adsavior.com A (Address) 18.104.22.168
ns1.adsavior.biz A (Address) 22.214.171.124
ns2.adsavior.biz A (Address) 126.96.36.199
#395-1027 Davie St.
Vancouver, BC V6E4L2
Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com
Domain Name: ADSAVIOR.COM
Created on..............: Thu, Sep 16, 2004
Expires on..............: Fri, Sep 16, 2005
Record last updated on..: Mon, Oct 04, 2004
It appears that linkey.ru and IPs in the same general block as "Adsavior.com" are well known for Net abuse. Mr. Finlayson, another Canadian, appears to be deeply involved in this particular virus/adware gang as well.
Onward and upward: The Russian virus host itself is also nothing but a redirector. Clearly, the person responsible for the virus wants to put some distance between himself and the virus; we've already gone through two redirectors in two countries. The Russian Web site contains an Internet Explorer iFrame exploit which causes Internet Explorer to load a program from the URL "http://www.xzoomy.com/ stc.php?stid=007". Once again, I have put a space in the URL; if you visit this Web site, and allow your browser to download the executable that it references, you'll be infected with VX2.
Now we're getting somewhere. The xzoomy.com Web site is a search engine that's well-known in anti-virus and anti-spyware circles. Xzoomy.com makes a small profit every time someone uses their Web page to do a search; they have a long and ignoble history of attracting visitor through the use of spyware, adware, and viruses. They've been responsible for their own spyware/adware software, and they've got their hands in an Internet gambling site called "free scratch and win" as well. These guys are looking more and more like our scumbags, eh? This site is registered to:
Mike Cass (email@example.com)
181 Coniston St
Winnipeg, MB R2H1P8
So Mike Cass is up to his ears in this mess. Mike's Web site, well-known for being the source of spyware and adware, is hosted by an ISP called Peer 1 Network, an outfit in Montreal known to be indifferent to spammers. Mike and Peer 1 Network are making money here--Peer 1 by hosting Mike's Web site in spite of the fact that it's known to be associated with adware and spyware, Mike because he makes money every time someone visits his site. But wait, there's more!
The xzoomyy.com Web site is another redirector. It redirects to "http://www.2nd-thought.com/ files/install007.exe" (I've put a space in the URL); and it loads and executes the Windows program install007.exe from the 2nd-thought.com Web site by using an OBJECT tag. [EDIT]: This file, install007.exe, is the actual executable that installs the adware. If you're using Explorer for Windows and you visit any of the pages before this in the chain, install007.exe downloads and runs silently without prompting you, because the OBJECT tag that references it is contained inside an iFrame. This is also why other browsers are safer; they don't recognize the iFrame tag.
The program install007.exe loads and runs as soon as the browser hits that page; the computer's owner never gets any warning and has no opportunity to stop it. As you may have guessed, install007.exe installs VX2 on the victim's computer.
Note that all this--the numerous redirects, downloading the program from the 2nd-thought Web site, installing the VX2 virus--all happened automatically and silently; at no point is the computer owner aware of what is going on, and at no point does the computer owner know that a virus is being loaded onto his computer.
2nd-thought.com is the primary villain here. They are hosting the installer itself; they are the people actually placing VX2 on the victims' computers without permission or notification. Let's take a look-see and find out who these guys are:
Domain name: 2nd-thought.com
Don Lativalle (firstname.lastname@example.org)
3597 boul St-Jean
Dollard des Ormeaux, H9X2B5
Well, lookit that, another Canuck. What is up with Canadian spyware and virus profiteers, eh? Does Canada have particularly lax computer-crime laws?
2nd-thought.com is hosted by Peer 1 Networks as well. 2nd-thought.com is also a well-known scourge on the Internet, notorious for releasing a spyware program that changes your home page to their page, and for redirecting search engine searches you do to porn sites. That's two scumbags with long histories of Internet abuse, both hosted on Peer 1 Networks and both, apparently, now working together. Mike Cass, Don Lativalle, and Peer 1 Networks: three people or organizations with shady pasts and questionable ethics, three people or organizations who are apparently involved with loading VX2 onto Shelly's computer.
So now we know how VX2 ended up on Shelly's computer. We know what people are responsible, we know what businesses support and profit from them, and we know they've gone to a whole lot of trouble and effort to hide themselves. We know that the people, Mike Cass and Don Lativalle, have histories of releasing spyware and adware to infect people's computers, we know they run for-profit Web sites, and we know that they have independently established histories of using dubious and unethical practices to get traffic to those Web sites. We know they're both Canadian, we know they have found a Canadian ISP in Peer 1 Networks willing to turn a blind eye to outrageous network abuse, and we know that they appear to have teamed up to spread an extremely malicious variant of a program already known for being almost impossible to get rid of.
What's left is discovering the </i>why.</i> What's the mechanism by which they make money? How do they profit from infecting you with VX2? Where does the money come from, and where does it go?
For that, I had to turn to the actions that this VX2 variant takes once it's infected the computer, and to the ads it serves up.
This particular strain of VX2 does two things. First, it carries a payload unusual for adware; it loads another adware program called Bargain Buddy. Bargain Buddy's Web site is at cashbackbuddy.com, which is hosted by Globix, a Web-hosting company headquartered in the United Kingdom.
The cashbackbuddy.com Web site attempts to get people to deliberately infect themselves with the Bargain Buddy scumware by telling them "the new Software helps the end-user maximize his/her savings and gain cash back commissions from purchases made at all participating on-line and some offline merchants" (and so on, and so on). CashBackBuddy and its scumware is operated by an outfit called eXact Advertising:
101 W. 23rd Street, PMB 2392
New York, New York 10011
eXact Advertising owns a number of different Internet properties, including pay-for-placement search engines, Mail.com, a personals Web site called "luvbandit," and so on.
The Bargain Buddy software is pretty straightforward: every now and then, it loads an ad on the victim's computer. Each time an ad is served, eXact Advertising makes a few cents from the advertisers who pay for the ads. Some of this money goes to Bargain Buddy "referrers;" the rest is profit.
So what that means is that if I sign up with eXact Advertising, then I get you to put the Bargain Buddy adware on your computer, every time an ad pops up, the advertiser pays eXact Advertising some money, and eXact Advertising pays me some money.
eXact Advertising claims to be "opt-in;" they say the only way you'll get Bargain Buddy is if you explicitly sign up and put it on your computer voluntarily. They lie, of course; the fact that they're doing businesses with referrers such as Mike Cass and Don Lativalle, who use very sneaky ways indeed to get the software onto your computer, proves it. They pretend to be good guys helping consumers save money; in reality, they don't care so long as people can be cajoled, tricked, or forced into installing their software, with or without their consent.
So. Now Shelly's computer is infected with two adware programs: Bargain Buddy by eXact Advertising, who is paying the people responsible for the infection, and a custom version of VX2, which prevents itself from being removed easily, installs Bargain Buddy, and also serves ads on its own.
Now popup ads are popping up all over the place. Some of them are from eXact Advertising, a shady company that's written its own custom adware. Some of them are from VX2 itself. It's the latter ones, the ones that VX2 is generating, that are the most interesting.
VX2 brings in ads from, of all places, Revenue.net, a very large mainstream online advertising broker that serves up banner ads, popup and popunder ads, and contextual ads for a lot of big-name clients. Revenue.net does serve popup ads and popunder ads, primarily from Web sites rather than adware. The ads being brought in from the VX2 infection were being pulled from Revenue.net; the persons responsible for the VX2 infection were Revenue.net affiliates.
I fired off an email to Revenue.net, with the URLs of some of the popup ads being pulled in by the virus. Revenue.net, rather to my surprise, actually responded, and claimed that the affiliate code attached to the popup ads appearing on Shelly's computer belonged to an outfit calling itself "look2me.com".
Look2me.com is--surprise surprise--a Web advertising company that makes money from popup ads. Look2me.com is a Revenue.net affiliate; Look2me.com gets people to view ads produced by Revenue.net, the advertiser pays Revenue.net, who then pays a percentage of the take to look2me.com.
Look2me.com is hosted by...wait for it...Rackspace! Told you their name would pop up again.
Look2me.com is owned by:
NicTech Networks email@example.com
3860 W 150TH ST
Rosemount, Minnesota 55068
NicTech Networks also owns a dating service called "SimilarSingles.com". Sound familiar? eXact Advertising, based in New York, is an Internet advertising company that serves popup ads on virus-infected computers and also owns an online dating service. NicTech Networks, based in Minnesota, is an Internet advertising company that serves popup ads on virus-infected computers and also owns an online dating service. Two well-known and unethical Canadians, Mike Cass and Don Lativalle, each with separate histories of profiting from adware and malware, are jointly responsible for a computer infection which serves popup ads from eXact Advertising and NicTech Networks. NicTech Networks is hosted by Rackspace; the initial point of infection of the virus is a Web site hosted by Rackspace.
Rackspace is looking pretty bad here. In fact, Rackspace and Peer 1 Networks are both obviously dirty; both are up to their elbows in hosting and providing services for people who make money by serving popup ads through viruses and malware. It's hard to argue that either Rackspace or Peer 1 Networks is simply being duped by a client, particularly in light of the fact that emails to both outfits concerning this situation go unanswered, and in light of the fact that the virus-dropping Web site is still up three days after I've emailed the responsible hosts. [EDIT]: After complaining to both ISPs, I still have not had a response from either. As of this writing, neither Rackspace nor Peer1 has taken any action against the Web sites named in this report.
So. Advertisers pay eXact Advertising and Revenue.net. eXact Advertising and Revenue.net then go on to pay affiliates who have infected target computers with malware to serve up the ads. The affiliates host their virus-dropping Web sites, along with Web sites that profit in other ways from viruses and malware, on Canadian ISP Peer 1 Networks and American ISP Rackspace.com. The money goes from the advertisers to eXact Advertising and Revenue.net; some of this money then goes to the affiliates, who infect the computers with malware; some of the money the virus-spreaders make in turn goes to Peer 1 Networks and Rackspace, who turn a blind eye to what their clients are doing. But where does the money originate? Obviously, the advertisers are only buying ads because they think the ads will work; that means, somebody is clicking on these popup ads and buying the advertisers products.
But who on earth would spend money on an annoying popup ad? What could possibly induce someone to take out his wallet when everyone knows that virus-spawned popup ads are among the most annoying things on Earth?
Ah, that's the pure genius of it--that's the brilliance of the scheme, honed to a fine edge. The popup ads you get when you're infected with VX2? They advertise...
...spyware removal and popup blocking tools.