
Interview With an Adware Author

Posted by kdawson
from the warming-up-for-the-botnet-era dept.
rye writes in to recommend a Sherri Davidoff interview with Matt Knox, a talented Ruby instructor and coder, who talks about his early days designing and writing adware for Direct Revenue. (Direct Revenue was sued by Eliot Spitzer in 2006 for surreptitiously installing adware on millions of computers.) "So we've progressed now from having just a Registry key entry, to having an executable, to having a randomly-named executable, to having an executable which is shuffled around a little bit on each machine, to one that's encrypted — really more just obfuscated — to an executable that doesn't even run as an executable. It runs merely as a series of threads. ... There was one further step that we were going to take but didn't end up doing, and that is we were going to get rid of threads entirely, and just use interrupt handlers. It turns out that in Windows, you can get access to the interrupt handler pretty easily. ... It amounted to a distributed code war on a 4-10 million-node network."

  • Permanent Midnight (Score:4, Interesting)

    by Thelasko (1196535) on Tuesday January 13, 2009 @05:35PM (#26439727) Journal

    It was funny. It really showed me the power of gradualism. It's hard to get people to do something bad all in one big jump, but if you can cut it up into small enough pieces, you can get people to do almost anything.

    It reminds me of the movie Permanent Midnight [wikipedia.org] , where Ben Stiller starts out the movie smoking weed and at the end is hooked on crack.

    It's probably Ben Stiller's best work, by the way.

  • You first, buddy (Score:5, Interesting)

    by Red Flayer (890720) on Tuesday January 13, 2009 @05:39PM (#26439783) Journal
    FTA:

    In particular, things involving human interactions don't have to be perfect, because groups of humans have all these self-regulations built in. If you and I have an agreement and you screwed me over badly, you've always got in the back of your mind the nagging worry that I'm going to show up on your doorstep with a club and kill you.

    Times change. In order for this to continue to be a factor, we need to make sure that occasionally, someone *does* show up on a doorstep and club someone over the head.

    I suggest we start with people who have kidded themselves that the abusive software they've written does not make them a villain.

  • Not a complete jerk (Score:5, Interesting)

    by steveha (103154) on Tuesday January 13, 2009 @05:48PM (#26439919) Homepage

    I'm seeing comments and tags using words like "scumbag". Well, I actually RTFA, and this guy doesn't seem to be a complete jerk.

    According to him, the adware he wrote did not crack into your system using exploits, and when you ran the uninstaller it would go away and never come back. Also, according to him, it didn't scan for really personal information like credit card numbers.

    I'm not about to start a fan club for him, but I don't hate him either.

    I was interested in the technical stuff. His software would find other adware on a system and kick the other adware off; it was also designed to be very difficult for other adware to kick off.

    The best single exchange in the interview:

    S: In your professional opinion, how can people avoid adware?

    M: Um, run UNIX.

    steveha

  • by girlintraining (1395911) on Tuesday January 13, 2009 @05:56PM (#26440019)

    I think the Windows programming model is at fault for much of the obfuscation tactics used by malware. Entire classes of exploits have arisen due entirely to the complexities and obscurities of the interface. Modern anti-malware tactics have to monitor many different parts of the operating system, and in some cases due to architectural constraints the methods of doing so can make the entire operating system unstable. Not only that, but race conditions and the use of special trap conditions/exception handling can make safely disabling malware a frustrating experience. Even professionally designed applications can sometimes tank the Operating System. Try disabling Symantec Anti-virus on an XP system without a reboot, for example, and then doing a reinstall of it remotely. In the field, I saw failure rates of about 6% for SAV10. On a hundred thousand systems, let's just say I was not happy on that deployment! Killing malware is even more risky.

    Windows is layers upon layers of earlier APIs that cannot be removed due to "backwards compatibility" concerns. I have some limited exposure to the .NET framework, and it has perhaps a half-dozen APIs for threading, and the documentation is riddled with exposed interfaces that have the note "Do not use. Not safe. bullet in the brain pan squish" in it. Over a third of the API is already deprecated (as far as I can tell), and there is an ever-shifting set of best practices standards. I can only imagine the hell a proper programmer endures in developing truly complex applications for .NET -- all I was doing was a few WMI calls and a database interface and I still crashed the kernel many times trying to figure out what to trap -- in many cases, error handling is mostly about creating a catch-all and then trying to break your code to see what is generated and then guessing what to trap accordingly. With an interface this complicated and unstable, it will always be a cat and mouse game between the white and black hats on this architecture, a game predicated on undocumented interfaces, obscurity, and deep knowledge of layers of the operating system that interact in unpredictable ways.

    Compare this to Linux, where the interfaces haven't changed that much, and when they do, deprecated means "We're going to remove this in a year or so and we mean it." Open source has one huge advantage here -- if it's not maintained, it ceases to be relevant and there's no 20 year old code lurking about in an unused API long forgotten. At least not nearly to the degree Windows has it. If you ask me, Microsoft is complicit in allowing malware to exist because they are unwilling to modernize Windows. They need to start over from scratch on their codebase and have a good hard think about what those APIs and interfaces are going to look like and then stick to it. Or at the very least, they could start by documenting these interfaces and releasing some code so we can be more confident that our hooks into their black-boxed APIs won't tear the operating system's heart out...

  • Re:Chilling (Score:4, Interesting)

    by ILikeRed (141848) on Tuesday January 13, 2009 @05:58PM (#26440041) Journal
    "Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -Gene Spafford
  • Outsource (Score:1, Interesting)

    by Anonymous Coward on Tuesday January 13, 2009 @06:03PM (#26440099)

    As an Out-sourced IT consultant I don't forget. I thank them.

    Thirty percent of my work comes from people who don't know what they are doing. The other 70% comes from me learning what they screwed up, where they dropped the ball and where I can fix it, at double the rate in 1/2 the time. Everyone wins.

  • by whoever57 (658626) on Tuesday January 13, 2009 @06:11PM (#26440211) Journal
    From the interview:

    We did create unwritable registry keys and file names, by exploiting an "impedance mismatch" between the Win32 API and the NT API. Windows, ever since XP, is fundamentally built on top of the NT kernel. NT is fundamentally a Unicode system, so all the strings internally are 16-bit counted Unicode. The Win32 API is fundamentally ASCII. There are strings that you can express in 16-bit counted Unicode that you can't express in ASCII. Most notably, you can have things with a Null in the middle of it.

    That meant that we could, for instance, write a Registry key that had a Null in the middle of it. Since the user interface is based on the Win32 API, people would be able to see the key, but they wouldn't be able to interact with it because when they asked for the key by name, they would be asking for the Null-terminated one. Because of that, we were able to make registry keys that were invisible or immutable to anyone using the Win32 API. Interestingly enough, this was not only all civilians and pretty much all of our competitors, but even most of the antivirus people.

  • by Ralish (775196) on Tuesday January 13, 2009 @06:47PM (#26440667)
    I think you're being a little harsh, not to mention very black and white.

    Firstly, he's not a serial killer, he hasn't killed anyone; he's just irritated a LOT of people by installing infuriating software that's a pain to remove; in my view, this isn't quite of the same calibre as murdering people.

    And if you read the interview, you'd see he's not really evil, like many/most/all serial killers, but a very intelligent young person.

    His actions were motivated out of being extremely poor, he needed the money, and so he got involved in dodgy software programming. This isn't a justification for what he did, but it's nevertheless important to note. Further, he removed a lot of viruses and adware through his own adware; I'm not sure if this qualifies as grey hat behaviour, but once again, it blurs the line. Most importantly, he's reformed, and pursuing an honest living, as well as providing insight into his past actions. I found his explanation of the measures he took to ensure his software remained on the infected computer fascinating from a technical perspective; there were some very clever approaches there.

    I don't agree with what he did, but I'm not going to relegate him to "scumbag" status, and I wouldn't be surprised if over the coming years and decades, he makes many valuable contributions to IT and the Ruby community in particular.
  • by Johnno74 (252399) on Tuesday January 13, 2009 @07:24PM (#26441139)

    The differences in the way the NT API and Win32 API handle registry strings have been very well documented by Mark Russinovich and others.

    Rootkit Revealer (written by mark) uses this difference to try and detect rootkits - read the registry using both APIs, and see what comes back different.

    Hence Rootkit Revealer would put a huge flashing neon sign above malware that uses this technique.
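The cross-view check Johnno74 describes, applied to the embedded-NUL key names quoted from the interview above, as an added portable model that is not code from this thread, the interview, or RootkitRevealer: an NT-style counted UTF-16 name is compared with what a NUL-terminated (Win32-style) caller would perceive, and every entry the two views disagree on is flagged. The struct, function names and the two sample keys are constructed for illustration; a real implementation on Windows would fill the counted view from the native enumeration API and the other from the Win32 one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* NT-style counted UTF-16 string (UNICODE_STRING-like): length is explicit, so a
 * U+0000 code unit inside the buffer is legal and significant. */
typedef struct { const uint16_t *buf; size_t len; } counted_name;

/* Length as a NUL-terminated (Win32-style) API perceives it: stop at the first NUL. */
static size_t win32_visible_len(counted_name n) {
    size_t i = 0;
    while (i < n.len && n.buf[i] != 0) i++;
    return i;
}

/* True when the name cannot round-trip through a NUL-terminated API: a request
 * "by name" would ask for the truncated prefix, never for this key. */
static bool hidden_from_win32(counted_name n) { return win32_visible_len(n) != n.len; }

/* Lookup the way a NUL-terminated caller does it. Returns the index or -1. */
static int lookup_by_cstring(const counted_name *keys, size_t count, const uint16_t *cstr) {
    size_t qlen = 0;
    while (cstr[qlen] != 0) qlen++;
    for (size_t k = 0; k < count; k++) {
        size_t i = 0;
        if (keys[k].len != qlen) continue;
        while (i < qlen && keys[k].buf[i] == cstr[i]) i++;
        if (i == qlen) return (int)k;
    }
    return -1;
}

/* Cross-view check in the RootkitRevealer spirit: walk the counted enumeration and
 * flag every entry the NUL-terminated view would truncate. flags may be NULL. */
static size_t flag_discrepancies(const counted_name *keys, size_t count, bool *flags) {
    size_t n = 0;
    for (size_t k = 0; k < count; k++) {
        bool h = hidden_from_win32(keys[k]);
        if (flags) flags[k] = h;
        if (h) n++;
    }
    return n;
}

/* Constructed sample keys: a normal "Run" and a "Ru<NUL>n" in the style the interview describes. */
static const uint16_t NAME_RUN[] = { 'R', 'u', 'n', 0 };
static const uint16_t NAME_RUN_NUL[] = { 'R', 'u', 0, 'n', 0 };
static const counted_name SAMPLE_KEYS[] = { { NAME_RUN, 3 }, { NAME_RUN_NUL, 4 } };
#define SAMPLE_COUNT 2
```

The lookup shows the "visible but untouchable" effect from the interview: the Win32-style caller's request for the NUL-containing key collapses to "Ru" and matches nothing, while the counted enumeration still lists it, which is exactly the discrepancy the detector reports.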

  • by hobbit (5915) on Tuesday January 13, 2009 @07:27PM (#26441169)

    Furthermore, he didn't steal 4 million people's credit card details. I rather think a scumbag would have done just that.

  • Re:Sadly, no. (Score:1, Interesting)

    by tuna_wasabi (792557) on Tuesday January 13, 2009 @07:46PM (#26441385)

    I think your bus driver analogy is flawed. It would be more like giving a salesman your house key so he could deliver whatever "free gift" he had offered you. When he asks the terms under which he's allowed to enter your house, you answer "Whatever you think is reasonable." Then you come home and he's on your couch, eating your chips. You ask him to leave and, after spending a few minutes collecting all of his stuff, he does.

    You trusted a stranger, and explicitly allowed him into your home on his terms. When you wanted him to leave, he did. Maybe not as swiftly as you would like, but with no lasting damage. The salesman isn't going to jail, and hopefully you'll be a little wiser next time.

  • by DigiShaman (671371) on Tuesday January 13, 2009 @10:03PM (#26442825) Homepage

    Computers are cheap.

    A new one can be purchased for about $500 bucks these days. It simply isn't worth cleaning up a major virus infection or re-installing the OS and applications. The billable time alone would exceed the cost of the machine! Basically, computers are one-trick ponies. Once they get infected, physically throw it away and buy a new one. We live in a disposable society and computer usage is no longer an exception that it once was.

  • by Hal_Porter (817932) on Tuesday January 13, 2009 @10:25PM (#26443025)

    I think you're being a little harsh, not to mention very black and white.

    Firstly, he's not a serial killer, he hasn't killed anyone; he's just irritated a LOT of people by installing infuriating software that's a pain to remove; in my view, this isn't quite of the same calibre as murdering people.

    I was once stuck at a client waiting for someone else to do something. This was back in the days of VBScript worms. I spent a happy few hours taking one apart to see how it worked.

    Hell, if I couldn't get a real job I'd probably be doing the same as him. Infecting a machine with UAC and IE running in protected mode is probably possible, but it sure as hell would be a challenge.

  • by hairyfeet (841228) on Tuesday January 13, 2009 @10:46PM (#26443203) Journal

    That is why I tell customers that if they don't want it formatted and they have more than 1 virus they have to pay PER virus. Works real well and keeps them from complaining when you show them the machine has 200+ virus infections at $10 a pop. I had one customer come in and after scanning his new Toshiba laptop he had 2074 viruses RUNNING at the same time! It took nearly an hour just to see the desktop! Sadly my former boss says he had that beat, as he had a home user bring in a machine where he had managed to get over 4500 infections in the thing.

    What the earlier poster wrote is true though. Folks acted shocked that it costs so much to fix their horribly infected machines, like we should be fixing them for fun or something. Yet for some reason they don't bat an eyelash when the plumber hands them this huge itemized bill. So I have taken to handing them a nice little printout with Hijack This that shows how much crap was installed with a little mark by each infection. They don't seem to complain as much when they see that huge list of crap they managed to install.

  • Re:"Not evil?" (Score:3, Interesting)

    by Ralish (775196) on Tuesday January 13, 2009 @11:53PM (#26443741)
    For me your post illustrates the over usage of the word "evil", or maybe I just have a different idea of what really qualifies for evil.

    If someone was to ask me to provide an example of someone who is just plain evil, I'd reply with someone like Robert Mugabe. Completely and utterly corrupt, inhumane, starves his people, an absolute disgrace with no redeeming features.

    For someone like the subject of this article, I prefer "unethical". What he did was undoubtedly wrong, but he also did things that immediately illustrate that he DOES have a conscience, examples:
    a) Provided an uninstaller
    b) Removed viruses (and to a far lesser extent, competing adware)
    c) Didn't take it to the next level (capturing credit cards and personal data)

    You call him greedy. Well, yes, he was to the extent that his motivation was money. But (do correct me if I'm wrong), I don't get the impression he got rich off what he did. He made some money, but not lots.
    You call him ethically bankrupt, but if he truly was bankrupt in the ethics department, why did he do the above?
    Why would you provide people a means to remove your software, take the time to remove viruses, and not steal their personal data?

    If he has no ethical boundaries, fuck it, just do it. But he didn't, even though by his own admission, he easily could have. For me, this indicates that he's definitely not ethically bankrupt, he has ethical limits, and by extension, he's certainly not evil. Society at times can be far too quick to condemn someone as "evil", "scumbag", whatever. Rarely is it that clear cut, and in this case, it's far more grey.
  • by XDirtypunkX (1290358) on Wednesday January 14, 2009 @03:52AM (#26445291)

    Well, Socrates was often very rude, because rudeness promoted discourse and challenged established ideas. His teaching style was rude and aggressive; he equated those who sold access to their wisdom (sophists) with whores. Plato referred to Socrates as the "gadfly" of the state for this reason, stinging the state into action as a gadfly would sting a horse.

    Then again, Socrates was executed, so that's not to say being rude doesn't get you into trouble.
