11/21/2007

I’m back… maybe

After a year of no blogging, I’m getting itchy fingers again. I’m not making any promises about frequency of blogging, and comments and trackbacks are turned off and will remain that way for now.


Said Suzi @ 8:05 pm
Comments Off | Permalink | Filed under: General

11/22/2006

Rob Martinson, Walt Rines and the FTC - final chapter

Nearly three years after Rob Martinson hit the internet with SpyWiper, the anti-spyware program from hell that opened CD-ROM drives and sent hundreds of users to spyware help forums, the Federal Trade Commission has settled his case, fining him $1.86 million. Martinson’s cohort in crime, Walt Rines of Odysseus Marketing, was fined $1.75 million for his role in distributing SpyWiper and its successor SpyDeleter through browser exploits, along with his other nefarious activities.

From the FTC press release, regarding Martinson:

In April, 2005, the FTC charged that John Robert Martinson, the principal of Mailwiper, Inc. and its successor, Spy Deleter, Inc., unfairly compelled the purchase of two purported “anti-spyware” products marketed under the names Spy Wiper and Spy Deleter. According to the FTC, Martinson and his companies paid spyware distributor Sanford Wallace and his companies, Seismic Entertainment, Inc. and SmartBot.Net, Inc., to promote, advertise, and sell the Spy Wiper and Spy Deleter programs. Wallace and his companies exploited security vulnerabilities in Microsoft’s Internet Explorer Web browser and downloaded spyware onto consumers’ computers. It then sent advertisements for the Mailwiper and Spy Deleter programs. One advertisement, for example, caused the CD-ROM tray on computers to open and then displayed a “FINAL WARNING!!” to computer screens with a message that said, “If your cd-rom drive’s open . . .You DESPERATELY NEED to rid your system of spyware pop-ups IMMEDIATELY! Spyware programmers can control your computer hardware if you failed to protect your computer right at this moment! Download Spy Wiper NOW!” The complaint charged that the defendants forced consumers either to spend $30 to purchase the Spy Wiper and Spy Deleter software, or spend substantial time and money to fix the computer problems they caused.

Regarding Rines (nicknamed Picklejar by some):

In October 2005, the FTC charged that Odysseus Marketing, Inc. and its principal, Walter Rines, lured consumers to their Web sites by advertising bogus free software, including a program called Kazanon that purportedly allowed consumers to engage in anonymous peer-to-peer file sharing. According to the FTC, the bogus software was bundled with spyware and other unwanted software. The agency alleged that the defendants also distributed their spyware by exploiting security vulnerabilities in the Internet Explorer Web browser. The FTC charged that the defendants’ spyware intercepted and replaced search results provided to users who queried popular Internet search engines, and barraged consumers with pop-up and other Internet ads. The FTC also charged that the defendants’ software captured consumers’ personal information such as their first and last names, addresses, e-mail addresses, telephone numbers, and Internet browsing and shopping histories, and transmitted that information to the defendants’ Internet servers. Consumers were unable to locate or uninstall the defendants’ spyware through reasonable means, according to the FTC.

The settlements are well and good but both Martinson and Rines are getting reduced fines due to their supposed inabilities to pay the full amount. From The Register:

Odysseus Marketing and its principal, Walter Rines, along with John Robert Martinson, the principal of Mailwiper, and its successor, Spy Deleter, have agreed to be bound by injunctions against exploiting security vulnerabilities to download software or misrepresenting the purpose of their wares. In addition, the operators agreed to pay a combined total of $50,000 in fines, a modest total that’s unlikely in itself to deter anyone else contemplating violation of US federal anti-spyware laws.

The FTC must be feeling charitable these days because Zango got away with a mere $3 million, which many experts, including Ben Edelman and Eric Howes, think is far less than the real amount of their ill-gotten gains. But that’s another story.

The Rob Martinson, SpyWiper, SpyDeleter problem was so enraging when it was happening that I devoted an entire blog category to it. Others wrote about Martinson as well. This article at Creative Loafing titled A hated man shed light on Martinson and his history, not a pretty story. I suspected that Martinson himself and a few of his friends visited this very blog several times, based on some comments I got.

Rob Martinson and his hijacking software, with help from Walt Rines, stirred up a lot of heat on the internet. Here are a few links, for a historical perspective and your reading pleasure. Oh, and let’s not forget Spamford Wallace, who also played a large role in the scams with his servers at default-homepage-network.com, etc. My comrade in the fight, nomorespyware, wrote extensively about programs doing hijacks, the companies behind them, and the servers used. Whitis.com has a historical timeline with links here. Blogs about SpyWiper here, here and a post at broadbandreports.com’s security forum by Eric Howes has a number of links.

At any rate, good riddance to Rob Martinson and Walt Rines. May they never plague the internet again.


8/14/2006

Movieland.com sued by Washington State AG for spyware

From today’s press release:

Rob McKenna
ATTORNEY GENERAL OF WASHINGTON
1125 Washington Street SE · PO Box 40100 · Olympia WA 98504-0100

FOR IMMEDIATE RELEASE
August 14, 2006

Attorney General McKenna Sues Movieland.com and Associates for Spyware

SEATTLE – Washington State Attorney General Rob McKenna today announced the filing of Washington’s second lawsuit under the state’s computer spyware act. The state’s suit accuses four California-based corporations of installing software that takes control of a consumer’s computer by launching aggressive and persistent pop-ups that demand payment for a movie download service.

“The defendants in our suit promote a movie download service through Web sites including movieland.com that offer consumers a free three-day trial,” McKenna said. “After the trial period, consumers are inundated with pop-ups that appear at least hourly and subject the consumer to a 40-second payment demand that cannot be closed. These messages are generated by software installed on their computers that cannot be easily removed.

“To stop these aggressive pop-ups, many frustrated consumers ultimately give in to the defendants’ unfair tactics and pay anywhere from $19.95 to nearly $100 for the service,” McKenna said. “Thousands of consumers nationwide have complained to my office, the Federal Trade Commission, the Better Business Bureau and others about the defendants’ unfair practices.”

Washington’s lawsuit charges Digital Enterprises, of West Hills, doing business as Movieland.com; Alchemy Communications, of Los Angeles; AccessMedia Networks, of Los Angeles; and Innovative Networks, of Woodland Hills, with violating the state’s Computer Spyware and Consumer Protection acts. Two company officials are also charged in the suit: Digital Enterprises’ Easton A. Herd, and Alchemy’s Andrew M. Garroni. Both men live in Los Angeles.

If found liable, each defendant could be fined $100,000 per violation of the Computer Spyware Act and $2,000 per violation under the Consumer Protection Act. They may also be required to pay restitution to affected consumers.

More info at infoworld.com here. Full press release here. Blogged at ZDNet here.


Said Suzi @ 4:25 pm
Comments Off | Permalink | Filed under: Spyware/Adware in the News

7/3/2006

161 trackback spams from InterCage/Atrivo IP

Yesterday I was unpleasantly surprised to find I had 161 blog trackback spams, all from the same IP address, 69.50.188.35.

You can see here that the IP address belongs to InterCage, formerly known as Atrivo.

Whois Record

OrgName: InterCage, Inc.
OrgID: INTER-359
Address: 1955 Monument Blvd.
Address: #236
City: Concord
StateProv: CA
PostalCode: 94520
Country: US

ReferralServer: rwhois://rwhois.intercage.com:4321/

NetRange: 69.50.160.0 – 69.50.191.255
CIDR: 69.50.160.0/19
NetName: INTERCAGE-NETWORK-GROUP
NetHandle: NET-69-50-160-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: MAIL.ATRIVO.COM
NameServer: PAVEL.ATRIVO.COM
Comment:
RegDate: 2003-06-04
Updated: 2005-09-01

OrgAbuseHandle: ABUSE735-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-925-550-3947
OrgAbuseEmail:

OrgNOCHandle: NETWO670-ARIN
OrgNOCName: Network Operations
OrgNOCPhone: +1-925-550-3947
OrgNOCEmail:

OrgTechHandle: INE4-ARIN
OrgTechName: IP Network Engineering
OrgTechPhone: +1-925-550-3947
OrgTechEmail:

Tracert from dnsstuff.com shows it as 69.50.188.35 AS27595 Intercage. The upstream provider appears to be nlayer.net.

Two factors make this particularly enraging, the first being InterCage/Atrivo’s long history of known abuse. Just look at the comments on this SPEWS report.

Hosting spammers.

Interesting ARIN data. 1995 to 2003? Hmmm…

Meaning the sudden re-birth of a dead /16 is puzzling in these times
of ARIN block piracy. More details would certainly be welcome.

UPDATE: “more details” =>

It’s stolen. Crime don’t pay Emil.

UPDATE: More crime, proxy hijacking:

10. 66.250.145.0/24 backbone = cogentco.com provider = atrivo.com (Walnut Creek, CA)

That’s just a fraction of the story. I’ve blogged about InterCage/Atrivo previously, several times, as have others here, here and here, to name a few.

The second factor is the content of the trackback spams, which were not just run-of-the-mill spam for pills and such. These were all exceedingly disgusting: keyword-stuffed titles linking to hard-core porn sites, and worse.

And whoever is responsible for this used some type of tool or bot that was able to turn off the email notification I should have gotten for each trackback.

I’ve sent an abuse complaint to Emil Kacperski, the man behind InterCage/Atrivo, the abuse reporting address at InterCage, and the abuse reporting address at nLayer. We’ll see what kind of response I get.

One other thing—this is not the first time Emil Kacperski’s name has been brought up in regard to blog comment spam. Check out this link for the story.

Update: in my haste to delete comment spam, I accidentally deleted the comments that went with this post.


Said Suzi @ 7:10 pm
Comments Off | Permalink | Filed under: General

CastleCops responds to trademark troll Leo Stoller

Follow-up on last week’s story about Leo Stoller, a well-known trademark troll, and his attack on CastleCops over the name “Castle”: see CastleCops responds to Leo Stoller here.

Dear Mr. Stoller:

I write you on behalf of my clients Paul Laudanski and Computercops, LLC. I have spoken with my clients about your previous correspondence and your allegations that you have rights in the mark “CASTLE.” In short, we find no basis for your potential opposition and believe that you are engaging in vexatious, harassing litigation with no purpose.

My client objects to any further extensions of time for you to file your opposition and will oppose any further delays caused by you or entities you control. 37 CFR § 2.102(c) states in pertinent part:

Read the rest and stay tuned for the follow up as CastleCops’ policy is to keep the public informed on these matters.


Said Suzi @ 5:10 pm
Comments Off | Permalink | Filed under: General

6/27/2006

Trademark Troll Leo Stoller targets CastleCops

This is sickening really. My good friends at CastleCops are now the target of a well known figure, Leo Stoller, who apparently makes a living doing this kind of thing. (Extortion?) From Wikipedia:

Leo D. Stoller (born c. 1946; cited as “59 years old” in July, 2005 New York Times article) is a self-styled entrepreneur based in Chicago, Illinois who claims rights to a large inventory of trademarks and engages in the assertive enforcement of those trademark rights in the United States, threatening infringement action against people and companies who attempt to infringe these marks, which Stoller refers to as “famous”.

< snip >

Stoller’s companies include Rentamark.com, Stealth Industries Inc., S Industries Inc., Sentra Sporting Goods U.S.A., and Central Manufacturing Company. Through these companies or in his own name, Stoller has registered trademarks over 25 years including STEALTH, SENTRA, DARK STAR, AIR FRAME, TRIANA, STRADIVARIUS, HAVOC, CHESTNUT, TRILLIUM, WHITE LINE FEVER, FIRE POWER, LOVE YOUR BODY etc.

According to Stoller, a number of large and small companies have resolved trademark controversies. When approaching infringers, Stoller is reported to document his claims with copies of letters which demonstrate capitulation with his demands. Such letters are said to be from companies such as KMart, and often marked “Confidential”.

Stoller has filed oppositions to others’ trademark applications with the Trademark Trial and Appeal Board numerous times, and filed applications for extension of the deadline to file such oppositions even more times.

Stoller objects to the use of the word “Castle”. Can you believe that? You can read the letter CastleCops’ attorney received from Leo Stoller, and additional info about Stoller can be seen here and here. There are five pages (!) of cases listed at the Trademark Trial and Appeal Board Inquiry System site.

CastleCops is a well known security website, also the home of anti-phishing effort PIRT, with a lot of support in the community. Here’s what some of the CastleCops supporters have said thus far. SunbeltBLOG says:

Well, there’s also trademark trolls. And one such fellow is Leo Stoller (BoingBoing calls him a “trademark bully”). Stoller makes money by suing companies over the use of trademarks like “Stealth”, “Chestnut” and “Stradivarius”.
< snip >
Obviously, CastleCops is not causing any confusion out there with Leo Stoller’s “Castle Brand Products and Services”. All Leo is trying to do is make some money off the hard-won efforts of Paul and Robin Laudanski.

BoingBoing wrote last year:

Leo Stoller is the jackass who registered a trademark on the word “Stealth” and now has a racket bullying people into paying him for a “license” to use the word (people give him small sums of money to get lost, though occasionally they sue and get big judgments against him).

Paperghost at Vitalsecurity has a few choice words about Stoller, too.

here’s the deal. This guy registers tons of rather bland sounding words as Trademarks, then goes on an uber-offensive against anybody found using those words, pretty much regardless of context.

Others carrying this story include Microsoft MVP Donna at her Security News Flash and SecuriTeam blog. The story has been Digged (dug?) with a mention that Stoller went after Google at one time. I guess you can say this for Stoller—he has balls. But can he make an honest living? It seems like he wants to prey on the little guy and do what I think amounts to extortion. There’s a 3 page discussion at BroadbandReports.com and the folks there do not have a high opinion of Stoller, what a surprise.

Stay tuned because we will cover this story to the end.


Said Suzi @ 9:53 pm
Comments Off | Permalink | Filed under: General

6/19/2006

Spyware fighter under attack by trojan from DollarRevenue

In my last blog post, I wrote about adware/spyware company DollarRevenue and their affiliate program including why affiliates like to trash your machines with huge bundles of adware/spyware. It’$ all about the $Money$.

Now one of the best and most revered spyware fighters around is under attack by a trojan from that very same DollarRevenue group.

Webhelper, whose real name is Patrick Jordan, Senior Malware Researcher for Sunbelt-Software, has posted this message on his site.

Updated: 19 June, 2006 05:12 PM

As of June 16, 2006, I have been under a DDoS attack from a trojan installer that DollarRevenue.com began using which was called from one of the Russian VladZone gang’s sites and which with my current hosting company, I cannot block the attacks which in 3 days went over 125 Gig in bandwidth usage of my allotted 200 Gig per month. They are putting URL addresses to free web pages designed to load my site’s pages as if they were images and with the use of a trojan from the VladZone and bundled in DollarRevenue.com infestations, I cannot and will not put all my time into fighting groups that have been running since 2003 and authorities around the world have not been able to stop.

I deliberately did not link to the site in order to conserve bandwidth there.

This isn’t the first time anti-spyware sites have been attacked by spyware pushers. In 2004 Spywareinfo.com, Tom Coyote’s site and CastleCops were hit by massive DDoS attacks.


Said Suzi @ 5:26 pm
Comments Off | Permalink | Filed under: About Spyware/adware/scumware

5/26/2006

Gimmy some Cash and Dollar Revenue!

Subtitled “of mousepads and keyboards” or “how to cheat your affiliate program”.

I’ve been wanting to blog this for a while because some of the most persistent and pervasive adware bundles being found in the wild for the last few months seem to be coming from affiliates of these two programs, GimmyCash! and DollarRevenue. The links are to the domain registration whois info, not to the actual sites, but the sites seem safe enough if you want to see them.

GimmyCash is an adware company using an affiliate program to distribute their software, GimmyGames and GimmySmileys. (Links to domain registration info.)

Check out the payment structure as seen on the GimmyCash.com site. Click picture for larger image.

GimmyCash

40 cents per install in the US and Canada sounds like a good incentive as affiliate programs go. Note the text that says:

You can choose to promote Gimmycash by:

Software bundles -> combine your software with Gimmy.
Advertising our free GimmyGames concept into your site.
Advertising our free GimmySmileys concept into your site.

This sounds like it’s begging for abuse: “Software bundles -> combine your software with Gimmy.”

Interestingly enough, when downloaded from the Gimmy websites, GimmyGames and GimmySmileys install Zango.

So, what about DollarRevenue? See screenshot for DollarRevenue’s payment structure, but note there is no information about what content DollarRevenue provides. Click for larger image:

DollarRevenue

The FAQ page doesn’t enlighten us on that either. All it talks about is how they pay their affiliates. There is an affiliate agreement, but judging by what I’ve seen in the wild, it doesn’t mean much. Note the payment is 30 cents per install in the US. Again, note the distribution methods, ActiveX and the following:

2) Software bundle (exe)
You own a software application and like to keep it for free? DollarRevenue is what you need!
You can easily combine your software applications with the DollarRevenue application and make
money with every install.

Begging for abuse? Just like GimmyCash? Let’s look at what I’ve seen happening in the wild and what we’re seeing in the spyware help forums. I’ve encountered numerous installations of DollarRevenue software bundled with any number of other adware/spyware programs including what looks like GimmyCash software.

Files named keyboardx.exe (x representing a number), mousepadx.exe and newnamex.exe indicate DollarRevenue’s presence as shown in HijackThis logs, click for example log.

O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard11.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad11.exe
O4 - HKLM\..\Run: [newname] C:\newname11.exe

Another file indicating the presence of DollarRevenue is drsmartload.exe, an installer for DollarRevenue and other adware. See the CA write-up on DollarRevenue. A DollarRevenue installation is typically accompanied by a bucket full of other adware including SurfSideKick, Webhancer, Newdotnet, Command Service, sometimes with Look2Me, Virtumonde (aka Vundo) and others thrown in for good measure.

So what happened to GimmyCash? HijackThis log lines like this indicate the presence of GimmyGames or GimmySmileys:

O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames11.exe
O4 - HKLM\..\Run: [gimmysmileys] C:\windows\gimmysmileys1.exe

Analysis of gimmysmileys.exe here. What’s puzzled me is that I’ve often encountered the gimmygames.exe and gimmysmileys.exe files in large infestations including DollarRevenue and the other applications listed above, but I’ve never once seen the actual GimmyCash applications installed during an infestation. So, I’m left wondering what the DollarRevenue and GimmyCash affiliates are doing…
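As an added example (not from the original post), here is a small scanner that picks the DollarRevenue and GimmyCash autostart entries described above out of HijackThis O4 lines; the sample log and the drsmartload.exe path are constructed for the demonstration, and only the registry Run-key form of O4 entries is handled:

```python
import re

# Constructed sample HijackThis O4 (autostart) lines. The first five mirror the
# entries quoted in the post; the drsmartload.exe path is an assumption, and the
# ctfmon.exe line is a benign entry the scan should ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard11.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad11.exe
O4 - HKLM\..\Run: [newname] C:\newname11.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames11.exe
O4 - HKLM\..\Run: [gimmysmileys] C:\windows\gimmysmileys1.exe
O4 - HKLM\..\Run: [drsmartload] C:\windows\drsmartload.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe -tray
"""

# Executable-name patterns for the families named in the post. The numeric
# suffix varies between builds (keyboard11.exe, gimmysmileys1.exe), so it is
# matched with \d*.
INDICATORS = {
    "DollarRevenue": re.compile(r"^(keyboard|mousepad|newname)\d*\.exe$", re.I),
    "DollarRevenue installer": re.compile(r"^drsmartload\.exe$", re.I),
    "GimmyCash": re.compile(r"^gimmy(games|smileys)\d*\.exe$", re.I),
}

# O4 Run-key line layout: "O4 - <hive\..\Run>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.+?)\s*$")


def parse_o4(line):
    """Return the hive, value name and command of an O4 Run-key line, or None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def executable_name(command):
    """Lower-case basename of the executable, with any arguments dropped."""
    m = re.match(r"(.*?\.exe)", command, re.I)
    exe = m.group(1) if m else command
    return re.split(r"[\\/]", exe)[-1].lower()


def classify(exe):
    """Name the adware family an executable name indicates, or None."""
    for family, pattern in INDICATORS.items():
        if pattern.match(exe):
            return family
    return None


def scan_hijackthis(text):
    """Scan a HijackThis log and return one hit per matching O4 entry."""
    hits = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        exe = executable_name(entry["command"])
        family = classify(exe)
        if family:
            hits.append({"family": family, "name": entry["name"],
                         "exe": exe, "line": line.strip()})
    return hits


def families_present(hits):
    """Sorted list of the distinct families seen in a scan."""
    return sorted({h["family"] for h in hits})


if __name__ == "__main__":
    for h in scan_hijackthis(SAMPLE_LOG):
        print(f"{h['family']:<24} {h['name']:<14} {h['exe']}")
```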

Are the GimmyCash affiliates cheating by bundling the gimmy files with DollarRevenue and others? Are they getting paid that 40 cents for each download of a gimmygames.exe and gimmysmileys.exe file even though the applications are never actually installed? If any other spyware researchers have any observations or thoughts on this, I’m most interested.

At any rate, some affiliates are apparently making a lot of 40 cents and 30 cents based on all the complaints, HijackThis logs and reports seen on the web. It’s no wonder affiliates of these kinds of programs bundle as many pay-per-install adware applications into one infestation and push them through exploits. It’s all about the money folks, the cash, the moola, the dollar revenue and gimmy cash, nothing else.


Said Suzi @ 9:23 pm
Comments Off | Permalink | Filed under: About Spyware/adware/scumware

180solutions and botnets again

180solutions managed to stay out of the news for a few weeks, but now they are back. Discovered and blogged in living color by Paperghost at VitalSecurity, get the details there. Also blogged by yours truly at SpywareConfidential.


Said Suzi @ 6:10 pm
Comments Off | Permalink | Filed under: Spyware/Adware in the News

5/5/2006

Spamford Wallace busted and owes $4 million

Anyone who’s been reading this blog for a while might remember that I was very involved in fighting the SpyWiper and SpyDeleter attacks on computer users that started in late November 2003; that fight was, in fact, one of my inspirations for starting this blog dedicated to the fight against spyware. It also spurred me to open my forum, where we helped a lot of people get rid of SpyWiper and SpyDeleter. I have an entire blog category on the subject and the scumbags behind it.

The saga isn’t over yet, but a very significant announcement was made yesterday by the FTC.

Court Halts Spyware Operations

One Operator to Pay More Than $4 Million; Another Ordered to Stop Collecting Consumers Personal Information

An operation that deceptively downloaded spyware onto unsuspecting consumers’ computers, changing their settings and hijacking their search engines, has been halted by a federal court at the request of the Federal Trade Commission. The judge has ordered the operators to give up more than $4 million in ill-gotten gains. The court also ordered a halt to another spyware operator’s stealthy downloads and barred the collection of consumers’ personal information, pending trial.

More:

The FTC alleged that Sanford Wallace and his company, Smartbot.Net, exploited a security vulnerability in Microsoft’s Internet Explorer’s Web browser in order to distribute spyware. The spyware caused the CD-ROM tray on computers to open and then issued a “FINAL WARNING!!” to computer screens with a message that said, “If your cd-rom drive’s open . . .You DESPERATELY NEED to rid your system of spyware pop-ups IMMEDIATELY! Spyware programmers can control your computer hardware if you failed to protect your computer right at this moment! Download Spy Wiper NOW!” Spy Wiper and Spy Deleter, purported anti-spyware products the defendants promoted, sold for $30.

Sanford “Spamford” Wallace has to pay the hefty sum of $4,089,500 in ill-gotten gains and ad-broker Jared Lansky has to pay $227,000. Two other perps in this case have yet to be dealt with.

Walt “picklejar” Rines and his company, Odysseus Marketing, have been sued by the FTC as well but the case is not resolved yet. Documents for the case are here.

A revised preliminary injunction has been issued against Odysseus and Rines. It bars them from downloading spyware without consumers’ consent, and from disclosing, using, or further obtaining consumers’ personal information, pending trial. The FTC will ask the court to order a permanent halt to their activities and order them to give up their ill-gotten gains.

Rob Martinson, the owner of SpyWiper and SpyDeleter, was added to the case in April of last year.

Through this action, the FTC is seeking to name as additional defendants Optintrade, Inc.; Jared Lansky; Mailwiper, Inc.; Spy Deleter, Inc.; and John Robert Martinson. The amended complaint alleges that, on behalf of the Seismic defendants, OptinTrade, Inc., and its principal Jared Lansky disseminated Internet pop-up ads causing consumers’ computers to be sent to the Seismic defendants’ Web sites, to have their Web browser home pages changed, and to have spyware and other software installed without authorization. The amended complaint also alleges that Mailwiper, Inc.; Spy Deleter, Inc.; and John Robert Martinson retained the Seismic defendants to unfairly market the purported anti-spyware products, Spy Wiper and Spy Deleter.

I heard from a reliable source that the FTC is seeking $2 million from Martinson. I’m looking forward to the resolution on Picklejar and Martinson.


4/17/2006

180solutions at it again, this time with a child porn browser and CoolWebSearch

This is pretty unbelievable, yet it’s true, and several spyware researchers have the evidence. See my write up at Spyware Confidential called 180solutions sponsors Yapbrowser and… child porn?

I can’t wait to hear the 180 spin on this one.


4/6/2006

DirectRevenue’s dirty laundry

Tuesday I blogged at Spyware Confidential about the lawsuit against DirectRevenue by New York State AG Eliot Spitzer and now today, thanks to Ben Edelman, DirectRevenue’s dirty laundry is out of the closet. More details and my comments here. Don’t forget to bring the clothes pin.


Said Suzi @ 10:59 pm
Comments Off | Permalink | Filed under: Spyware Scumbags , Spyware/Adware in the News