Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Programming IT Technology

Interview With an Adware Author 453

rye writes in to recommend a Sherri Davidoff interview with Matt Knox, a talented Ruby instructor and coder, who talks about his early days designing and writing adware for Direct Revenue. (Direct Revenue was sued by Eliot Spitzer in 2006 for surreptitiously installing adware on millions of computers.) "So we've progressed now from having just a Registry key entry, to having an executable, to having a randomly-named executable, to having an executable which is shuffled around a little bit on each machine, to one that's encrypted — really more just obfuscated — to an executable that doesn't even run as an executable. It runs merely as a series of threads. ... There was one further step that we were going to take but didn't end up doing, and that is we were going to get rid of threads entirely, and just use interrupt handlers. It turns out that in Windows, you can get access to the interrupt handler pretty easily. ... It amounted to a distributed code war on a 4-10 million-node network."
This discussion has been archived. No new comments can be posted.

Interview With an Adware Author

Comments Filter:
  • by jellomizer ( 103300 ) on Tuesday January 13, 2009 @04:32PM (#26439665)

    That the people who makes IT Guys lives difficult and annoying are indeed IT guys.

    • by Anonymous Coward on Tuesday January 13, 2009 @04:35PM (#26439721)

      Im pretty sure that the majority of cops that became criminals were the hardest to catch. They know all the tricks and what other cops/detectives will be looking for.

      • by Thelasko ( 1196535 ) on Tuesday January 13, 2009 @04:57PM (#26440031) Journal

        Im pretty sure that the majority of cops that became criminals were the hardest to catch. They know all the tricks and what other cops/detectives will be looking for.

        *COUGH [wikipedia.org]*

        Allegedly

      • by SuperBanana ( 662181 ) on Tuesday January 13, 2009 @05:50PM (#26440709)

        Im pretty sure that the majority of cops that became criminals were the hardest to catch. They know all the tricks and what other cops/detectives will be looking for.

        What about those that use color of law? It's not terribly surprising that the FBI only receives about 200 complaints of color-of-law, and doesn't investigate, much less prosecute, a single one.

        Simply being a police officer offers enormous immunity from the general public accusing you of crimes, and further means that most of your fellow officers won't "rat" on you (instead of being disgusted at your behavior and bringing disrepute to the supposed "profession.")

    • by fph il quozientatore ( 971015 ) on Tuesday January 13, 2009 @04:36PM (#26439743)

      [Sometimes we forget t]hat the people who makes IT Guys lives difficult and annoying are indeed IT guys.

      Or lawyers.

    • by snl2587 ( 1177409 ) on Tuesday January 13, 2009 @04:42PM (#26439817)

      Difficult? Maybe, but for freelancers who collect a check every time they "fix" an infected computer (read: fiddle around for a while and ultimately end up reinstalling Windows), these crapware authors are the reason they can stay in business.

      • by MobyDisk ( 75490 ) on Tuesday January 13, 2009 @04:57PM (#26440033) Homepage

        Talented computer repair techs can stay in business just fine. But yes, the adware/spyware boom caused an explosion in the repair field too.

      • by Opportunist ( 166417 ) on Tuesday January 13, 2009 @06:32PM (#26441217)

        Without malware writers, I'd be down a few 1000 bucks and would have to do something meaningful.

        Still, you may believe me when I tell you, I'd really prefer to write software people want to have to writing software people hate to have but grudgingly accept as a necessary evil.

      • by Holi ( 250190 ) on Tuesday January 13, 2009 @07:14PM (#26441687)

        if all you end up doing is reinstalling windows then maybe you should be in a different line of work.

        • by bensafrickingenius ( 828123 ) on Tuesday January 13, 2009 @08:40PM (#26442603)
          "if all you end up doing is reinstalling windows then maybe you should be in a different line of work."

          Hello, I understand you have a pretty serious malware problem. Well, here are your choices: I can spend 10 hours researching all of the hundreds of different problems you have, and fix them, and maybe I'll find them all, and maybe your computer will run ok for a while after that. Of course, if I do miss something, it's your financial information that gets stolen, not mine. That'll run you $300. Or I can just back up your data, format your hard drive, reinstall Windows, secure it in its virgin state, restore your data, and have you back up and running in half the time. For half the money. Oh, and when *I'm* done with your computer, it will run faster and more reliably than the day you bought it. What would you prefer?

          And, please, don't give me the "you must not be very good at what you do if you can't make a 5 year old install of windows work better than a sparkling clean one in 20 minutes" line. Your arrogance is making my eyes water.
          • Re: (Score:3, Insightful)

            by juventasone ( 517959 )

            This debate has come up numerous times on slashdot, and I'm disturbed by the completely different paths such professionals adhere to.

            I've also been an independent technician for home/small business for 7 years, and for the vast majority of situations, I strongly believe in fix instead of reload. The reason is two-fold:

            Most of time it is a single issue (such as an infection), which I consistently remedy in an hour or so of billable time. If there are many issues it's a strong indication of hardware problem

  • by elrous0 ( 869638 ) * on Tuesday January 13, 2009 @04:35PM (#26439725)
    Some serial killer goes and and murders dozens of innocent people; and we reward him with veneration, books written about him, endless press coverage, etc. Scumbags don't deserve our respect, our veneration, or polite treatment.
    • He should be forced to forever use an unpatched Windows (9x, XP, 2000, etc) as his OS on every computer.

    • by dave562 ( 969951 ) on Tuesday January 13, 2009 @04:50PM (#26439933) Journal

      There seems to be a big stretch between a serial killer and some guy writing malicious code. My primary interest in computers initially involved all sorts of fraud and outright criminality. I now work in IT and have a completely legit lifestyle. Anyone who has any real competency or natural inclination to understand computers will mess with them and figure out how to make them do things outside of the "normal" range.

      The article talks about exploiting some incompatabilities between the Win32 and WinNT APIs. If there weren't guys like the subject of the interview, those incompatabilities would remain hidden. It takes mischevious people to come along and exploit the holes so that they get patched. By its very nature, software gets better when people push the boundries and tweak it. The person who writes code that leads to improvements in the most widely used operating system is not the same as the person who kills a bunch of people.

      If anything, Microsoft made the mistake of making the computer too friendly. They released technologies that gave people too many options. In any sort of free environment, there will be people who abuse the freedoms that they are presented with. Malware authors are those kinds of people. It is easy to blame Microsoft for looking into the future and envisioning a world where web browsers are the central application on the computer. They rushed blindly into it and unleased things like ActiveX on the world. At the core, their intention was right.. they wanted to make it easy to execute code in a distributed environment like the internet. Yet the implementation sucked and it seems like they didn't pay any attention to security.

      • by Anonymous Coward on Tuesday January 13, 2009 @05:03PM (#26440091)

        Damn right, dave. However, it's hard to deny that someone who writes malicious code that directly targets (ignorant) consumers may very well be treading on morally bankrupt territory.

      • Re: (Score:3, Insightful)

        by 0racle ( 667029 )

        There seems to be a big stretch between a serial killer and some guy writing malicious code

        "Not for the purpose of the point that was being made, "scum should be treated as such." It doesn't matter what they did to be labeled scum.

        If anything, Microsoft made the mistake of making the computer too friendly. They released technologies that gave people too many options

        So if I buy a door that happens to have a lock with a flaw, it's the fault of the lock maker that my stuff gets stolen? Sorry, but no, the fault

        • by Grishnakh ( 216268 ) on Tuesday January 13, 2009 @06:38PM (#26441285)

          So if I buy a door that happens to have a lock with a flaw, it's the fault of the lock maker that my stuff gets stolen? Sorry, but no, the fault lies solely on the shoulders of the thief. Windows has many problems, but all the fault for exploiting it is on the malware authors.

          I disagree.

          If you buy a door that has a lock with a flaw, and the lock maker knows about this flaw and does nothing about it and continues to sell this same flawed model for many years, making billions of dollars of profit, while people like you keep getting your stuff stolen, there's two parties at fault: 1) the thieves, obviously, since they stole the stuff, and 2) the lock maker, because they sold you something they claimed to be secure and which would protect your stuff from thieves, but which really wasn't, and they knew about it.

          When assigning blame for things like this, you have to look at the big picture. For a single instance of criminality, it's usually just the criminal's fault. But when the criminals keep using the same tricks over and over to commit their crimes, you have to look at what's enabling them. In the case of MS, they shoulder a lot of blame, because they, for decades, have put features ahead of security, even though they own the lion's share of the market and any security flaw has the most potential for damage because of that. Finally, because users have known about MS's crap and keep buying it, users also share part of the blame, for continuing to purchase MS's shoddy products, although this is mitigated partially because of MS's manipulation of the market to keep themselves in a position where it's difficult to get by without their product (for instance, because many important software products like AutoCAD only work in Windows).

        • So if I buy a door that happens to have a lock with a flaw, it's the fault of the lock maker that my stuff gets stolen? Sorry, but no, the fault lies solely on the shoulders of the thief.

          I'm sorry, but why did you buy a door with a lock on it if not to protect against thieves? If someone sells a product that purports to protect you against criminals, and it fails to do as advertised, then that seller has sold a defective product and partially to blame for your loss. To follow your line of logic would absolve locksmiths of any responsibility to make a product that isn't slipshod.

          Microsoft thumps its own chest about the safety and security of its system. Their failure to live up to their c

      • Distributed crime (Score:3, Insightful)

        by onkelonkel ( 560274 )
        "a big stretch between a serial killer and some guy writing malicious code"

        I sometimes wonder if there is a way to estimate aggregate "harm" caused by a widely distributed crime. Is it the same to steal 1 minute of time from 1 million people with an automated telemarketing robocall as it is to lock 1 guy in your basement for 2 years (1 million minutes)?

      • by try_anything ( 880404 ) on Tuesday January 13, 2009 @06:07PM (#26440901)

        Anyone who has any real competency or natural inclination to understand computers will mess with them and figure out how to make them do things outside of the "normal" range.

        "Normal?" Not "honest" or "right" or "non-dickish?" Do you really have the balls to suggest there is some kind of honest difference of opinion about the morality of what these adware guys do?

        As for what you did, we all have our shameful moments in life. We all, at some point in our lives, invented and couldn't resist using the really clever way to make fun of the retarded kid or the weak kid in class that nobody liked. We did it to show off, to take out our frustrated aggression, and to temporarily feel better than somebody else. It's called being a childish asshole and it isn't any different from a big kid beating up smaller kids because he hates his life and is desperate for any triumph, no matter how hateful it makes him feel.

        By its very nature, software gets better when people push the boundries and tweak it. The person who writes code that leads to improvements in the most widely used operating system is not the same as the person who kills a bunch of people.

        Bigger problems get more attention. The more people exploit a flaw, the bigger a problem it is. So yeah, if you go around making problems worse, they'll get patched faster. Childish, egocentric hackers use that logic to rationalize the havoc they cause. People with an honest desire to protect users act in a very different way. The difference is instructive.

    • by girlintraining ( 1395911 ) on Tuesday January 13, 2009 @05:11PM (#26440229)

      Some serial killer goes and and murders dozens of innocent people; and we reward him with veneration, books written about him, endless press coverage, etc. Scumbags don't deserve our respect, our veneration, or polite treatment.

      We're not here to discuss his moral infirmities. We're here to discuss effective ways of countering the threat the aforementioned poses. It is logical to begin by questioning those we've found engaged in such behaviors as to their motivations, goals, and methods. However, if you do not wish to dissect the frog due to moral outrage, I can give you some music to listen to but you will not pass the course.

    • Re: (Score:3, Insightful)

      by lxs ( 131946 )

      Scumbags don't deserve our respect, our veneration, or polite treatment.

      True, but they are interesting to watch from a distance.

    • Certainly not. But the abnormal throw the normal into contrast. I don't think there's anything wrong with finding that fascinating.

      I do disagree with you about polite treatment. Being impolite, even to someone we can agree is a scumbag, only diminishes you. Dick.

      Just kidding.

      Kinda.

      -Peter

    • by Ralish ( 775196 ) <sdl.nexiom@net> on Tuesday January 13, 2009 @05:47PM (#26440667) Homepage
      I think you're being a little harsh, not to mention very black and white.

      Firstly, he's not a serial killer, he hasn't killed anyone; he's just irritated a LOT of people by installing infuriating software that's a pain to remove; in my view, this isn't quite of the same calibre as murdering people.

      And if you read the interview, you'd see he's not really evil, like many/most/all serial killers, but a very intelligent young person.

      His actions were motivated out of being extremely poor, he needed the money, and so he got involved in dodgy software programming. This isn't a justification for what he did, but it's nevertheless important to note. Further, he removed a lot of viruses and adware through his own adware, I'm not sure if this qualifies as grey hat behaviour, but once again, it blurs the line. Most importantly, he's reformed, and persuing an honest living, as well as providing insight into his past actions. I found his explanation of the measures he took to ensure his software remained on the infected computer fascinating from a technical perspective, there were some very clever approaches there.

      I don't agree with what he did, but I'm not going to relegate him to "scumbag" status, and I wouldn't be surprised if over the coming years and decades, he makes many valuable contributions to IT and the Ruby community in particular.
      • "Not evil?" (Score:4, Insightful)

        by Valdrax ( 32670 ) on Tuesday January 13, 2009 @09:51PM (#26443251)

        And if you read the interview, you'd see he's not really evil, like many/most/all serial killers, but a very intelligent young person.

        First, what exactly is "evil?" Some people think that one has to cackle and twirl your moustache with glee at being evil for its own sake, but most people who do horrible and evil things to other people have a good justification for their acts: "I was desperate and I needed the money," "I was just following orders," "I'm protecting my family and my country," "Everybody else gets away with doing it," "My evil rids the world of other evils," "If I didn't, then someone else would," "It was just a job," "It's nothing personal," "Stupid people get what they deserve," "It's just survival of the fittest," etc., etc.

        Doing something wrong just because you were in a tight spot and put your own needs over others is no more just than doing it just because you enjoyed it. Evil is evil. While I feel sympathy for his poverty and think that we as a society should focus our government's attention more on preventing the root causes of crime than just "deterrence," I feel no real qualms about stringing someone up if they've crossed the line. He had a choice whether to do right and struggle or to do wrong and prosper. He chose the easier of the two paths.

        And second, I'd like to point out that most serial killers were "very intelligent young people." Unlike them, he wasn't mentally ill -- just greedy, ethically bankrupt, and too enthralled by the shiny programming challenge.

        • Re: (Score:3, Interesting)

          by Ralish ( 775196 )
          For me your post illustrates the over usage of the word "evil", or maybe I just have a different idea of what really qualifies for evil.

          If someone was to ask me to provide an example of someone who is just plain evil, I'd reply with someone like Robert Mugabe. Completely and utterly corrupt, inhumane, starves his people, an absolute disgrace with no redeeming features.

          For someone like the subject of this article, I prefer "unethical". What he did was undoubtedly wrong, but he also did things that imme
  • Permanant Midnight (Score:4, Interesting)

    by Thelasko ( 1196535 ) on Tuesday January 13, 2009 @04:35PM (#26439727) Journal

    It was funny. It really showed me the power of gradualism. It's hard to get people to do something bad all in one big jump, but if you can cut it up into small enough pieces, you can get people to do almost anything.

    It reminds me of the movie Permanent Midnight [wikipedia.org] , where Ben Stiller starts out the movie smoking weed and at the end is hooked on crack.

    It's probably Ben Stiller's best work, by the way.

    • Re: (Score:3, Insightful)

      by sanosuke001 ( 640243 )
      Can't be much of a stretch... he plays the same bumbling, over-the-top idiot in every movie he is in.
    • by Chabo ( 880571 )
      I hated him, up until Night at the Museum. That's the first Ben Stiller movie that I've genuinely liked (Meet the Parents was ok I guess...).
    • Re: (Score:3, Insightful)

      by Hatta ( 162192 )

      If you've watched enough Ben Stiller movies to have an opinion on which is the "best", not only do I not trust your opinion, I fear for the health and welfare of you and those around you.

    • All Ben Stiller movies are of the same quality since it's the same character and virtually the same premise every time.

      Still, he's not as bad as Adam Sandler.
  • Seriously (Score:4, Funny)

    by Anonymous Coward on Tuesday January 13, 2009 @04:36PM (#26439737)

    It would be a damn shame if something bad happened to this guy.

  • You first, buddy (Score:5, Interesting)

    by Red Flayer ( 890720 ) on Tuesday January 13, 2009 @04:39PM (#26439783) Journal
    FTA:

    In particular, things involving human interactions don't have to be perfect, because groups of humans have all these self-regulations built in. If you and I have an agreement and you screwed me over badly, you've always got in the back of your mind the nagging worry that I'm going to show up on your doorstep with a club and kill you.

    Times change. In order for this to continue to be a factor, we need to make sure that occasionally, someone *does* show up on a doorstep and club someone over the head.

    I suggest we start with people who have kidded themselves that the abusive software they've written does not make them a villain.

    • Let me guess... You liked playing whack-a-mole when you were a kid, right?
      • by Red Flayer ( 890720 ) on Tuesday January 13, 2009 @05:19PM (#26440331) Journal

        Let me guess... You liked playing whack-a-mole when you were a kid, right?

        I grew up on a farm, where we did not have to dilute the whack-a-FOO experience with carnival games.

        Juvenile groundhogs leaving the nest to dig their own burrow were frequent targets of a well-timed shovel strike.

        Potentially-rabid raccoons, whether in the bottom of a 55-gallon drum, or in a wire mesh trap, proved no match for a well-placed pitchfork thrust.

        Voracious, ridiculously fecund rabbits proved much easier to deal when their heads were separated from their bodies via garden hoe.

        Pesky, time-wasting, crop-damaging field/woodland creatures QUIVERED before the mightiness of the farmer's kids.

        It'd be a better world if malware writers trembled before the wrath of internet users.

  • Chilling (Score:5, Insightful)

    by bbbaldie ( 935205 ) on Tuesday January 13, 2009 @04:41PM (#26439813) Homepage
    I am now more convinced than ever that it is impossible to secure Windows.
    • Re: (Score:3, Insightful)

      by blueg3 ( 192743 )

      Hey, *someone's* got to apply all those malware techniques to a money-making venture.

    • Re:Chilling (Score:5, Insightful)

      by El Lobo ( 994537 ) on Tuesday January 13, 2009 @04:48PM (#26439907)
      The same guy says in another interview in CNET that it would be pretty easy to find ways to implement the same in OSX (where they are actually experimenting) and in many Linux distros, but nobody pays a shit for that. They can get a lot of cash for pressing their brains to find exploits for hundred of millions of computers than what they would get to find exploits for some thousands in more exotic OSs. Easy like that. A so complex thing like a OS with millions of lines of code will necessarily ALWAYS have a couple of thousand possible holes, be it BeOS, MistOs, NetBSD os whatever. You only need the will (or the cash).
      • Re:Chilling (Score:5, Insightful)

        by steelfood ( 895457 ) on Tuesday January 13, 2009 @05:30PM (#26440477)

        In life, genetic diversity means the species has a better chance of survival. OS diversity, processor, and even instruction set diversity, is important for the same ends.

        So it's not worth much to attack Linux or OSX or one of the BSD's. If all of these OS's including Windows had the same, 20% marketshare, perhaps it wouldn't be worth it to attack any of them. Or, it might actually be worth it to go for the low hanging fruit, namely, the easier-to-use OS's (OSX, Windows, and possibly a flavor of Linux). But the returns for the amount of work needed to attack 3 or 4 different OS's definitely wouldn't be as high, and the incentive for creating malware would be much less.

      • Re:Chilling (Score:4, Insightful)

        by vadim_t ( 324782 ) on Tuesday January 13, 2009 @05:36PM (#26440533) Homepage

        Except that for Linux, the situation is quite different.

        First, the OS is open. Which means any user of it can make and submit a patch, which would quickly spread around. Distributions engage in some competition, and the patch would get copied around. There's no need for anybody to wait for a vendor to do it.

        Second, there's much less backwards compatibility. If a library function is vulnerable, and fixing is impossible without breaking compatibility, a distribution can find all of the included software that uses it, and fix to work with the new version. You're not going to find libqt 1.0 in a modern distro either.

        Third, the open nature of the OS leads to the possibility of patching the OS to mess with the adware, making it report complete crap to the server.

        Fourth, there already are generic mechanisms such as SELinux to deal with such things. While they're not that widespread yet, a good attack or two of this sort would do a lot to help adoption.

    • Re: (Score:3, Insightful)

      by nwssa ( 993577 )
      there isn't much stopping anyone from implementing this on Linux except the payoff is a fraction. Do you go to work for 1/20th of your hourly wage?
    • Re:Chilling (Score:4, Interesting)

      by ILikeRed ( 141848 ) on Tuesday January 13, 2009 @04:58PM (#26440041) Journal
      "Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -Gene Spafford
  • by starglider29a ( 719559 ) on Tuesday January 13, 2009 @04:43PM (#26439835)
    ...his skills to slide past security and override their computer systems may be the last hope of mankind.

    Unless the aliens AREN'T running Windows.
  • Not a complete jerk (Score:5, Interesting)

    by steveha ( 103154 ) on Tuesday January 13, 2009 @04:48PM (#26439919) Homepage

    I'm seeing comments and tags using words like "scumbag". Well, I actually RTFA, and this guy doesn't seem to be a complete jerk.

    According to him, the adware he wrote did not crack into your system using exploits, and when you ran the uninstaller it would go away and never come back. Also, according to him, it didn't scan for really personal information like credit card numbers.

    I'm not about to start a fan club for him, but I don't hate him either.

    I was interested in the technical stuff. His software would find other adware on a system and kick the other adware off; it was also designed to be very difficult for other adware to kick off.

    The best single exchange in the interview:

    S: In your professional opinion, how can people avoid adware?

    M: Um, run UNIX.

    steveha

    • Yes, he is a jerk (Score:5, Insightful)

      by sirwired ( 27582 ) on Tuesday January 13, 2009 @05:11PM (#26440219)

      To get that oh-so-useful uninstaller you had to go to a website, answer a survey, and only then could you download it. If they genuinely wanted to make it easy, they would have put it in Add/Remove Programs, and stuck their survey in there.

      I don't know about you, but after getting sketchy software on my machine, the LAST thing I want to do is go to some random website and download even MORE crap. I wouldn't trust that download one bit.

      And the bit about "it was also designed to be very difficult for other adware to kick off" is complete hand-waving B.S. It was designed to be very difficult for anti-virus packages and anti-spyware packages too. In fact, anti-malware packages were probably the primary target of the persistence code.

      And their distributors were complete scum that Direct Revenue did very little to police. Yeah, they suspended any that were complained about (if the hapless users even had any clue how they got the software), but those rogue distributors would just sign up under a new name.

      I can't believe he thought this job was a "net positive" simply because he wiped out the other guys' malware more than he installed. That just means he is a very sneaky coder... That's like a embezzeling salesman saying he was a "net positive" because he generated more profits than he stole. It may be true, but it doesn't make him any less of a scumbag.

      SirWired

    • So the worst offenders on Windows are all from Unix.

    • by bigpat ( 158134 )

      Just because the company used social engineering instead of technical exploits to put unwanted software on people's computers doesn't make it ethical. They were piggybacking their adware software on screensaver software or little widgets and then hiding that extra unwanted software on your system so it wasn't clear where it was coming from. Putting something in the EULA that you click through shouldn't cover this.

      You had to go to some web site, download an uninstaller, take a short survey about why they were getting rid of us, and then it would actually remove us and we would also leave a Registry key to make sure we didnâ(TM)t reinstall.

      That isn't like any uninstaller I have ever heard of, basically that means that they hid soft

    • You have no experience with adware uninstallers, it seems.

      This scumbag's software could ONLY be uninstalled if the user jumped through more hoops than in a hulahoop factory. If you used the windows uninstall feature or deleted directly, his software would reinstall itself.

      Only after forcing you to take a survey on the web would you have the option of removing the software. Surveys are valuable commodities. Basically, he wrote ransomware.

  • by girlintraining ( 1395911 ) on Tuesday January 13, 2009 @04:56PM (#26440019)

    I think the Windows programming model is at fault for much of the obfusciation tactics used by malware. Entire classes of exploits have arisen due entirely to the complexities and obscurities of the interface. Modern anti-malware tactics have to monitor many different parts of the operating system, and in some cases due to architectural constraints the methods of doing so can make the entire operating system unstable. Not only that, but race conditions and the use of special trap conditions/exception handling can make safely disabling malware a frustrating experience. Even professionally designed applications can sometimes tank the Operating System. Trying disabling Symantec Anti-virus on an XP system without a reboot, for example, and then doing a reinstall of it remotely. In the field, I saw failure rates of about 6% for SAV10. On a hundred thousand systems, let's just say I was not happy on that deployment! Killing malware is even more risky.

    Windows is layers upon layers of earlier APIs that cannot be removed due to "backwards compatibility" concerns. I have some limited exposure to the .NET framework, and it has perhaps a half-dozen APIs for threading, and the documentation is riddled with exposed interfaces that have the note "Do not use. Not safe. bullet in the brain pan squish" in it. Over a third of the API is already depreciated (as far as I can tell), and there is an ever-shifting set of best practices standards. I can only imagine the hell a proper programmer endures in developing truly complex applications for .NET -- all I was doing was a few WMI calls and a database interface and I still crashed the kernel many times trying to figure out what to trap -- in many cases, error handling is mostly about creating a catch-all and then trying to break your code to see what is generated and then guessing what to trap accordingly. With an interface this complicated and unstable, it will always be a cat and mouse game between the white and black hats on this architecture, a game predicated on undocumented interfaces, obscurity, and deep knowledge of layers of the operating system that interact in unpredictable ways.

    Compare this to linux, where the interfaces haven't changed that much, and when they do, depreciated means "We're going to remove this in a year or so and we mean it." Open source has one huge advantage here -- if it's not maintained, it ceases to be relevant and there's no 20 year old code lurking about in an unused API long forgotten. At least not nearly to the degree Windows has it. If you ask me, Microsoft is complicit in allowing malware to exist because they are unwilling to modernize Windows. They need to start over from scratch on their codebase and have a good hard think about what those APIs and interfaces are going to look like and then stick to it. Or at the very least, they could start by documenting these interfaces and releasing some code so we can be more confident that our hooks into their black-boxed APIs won't tear the operating system's heart out...

    • by Shados ( 741919 ) on Tuesday January 13, 2009 @05:07PM (#26440163)

      Over a third of the API is already depreciated (as far as I can tell), and there is an ever-shifting set of best practices standards. I can only imagine the hell a proper programmer endures in developing truly complex applications for .NET -- all I was doing was a few WMI calls and a database interface and I still crashed the kernel many times trying to figure out what to trap -- in many cases, error handling is mostly about creating a catch-all and then trying to break your code to see what is generated and then guessing what to trap accordingly.

      Wow there cowboy... only a very small part of the API is deprecated, the best practices changed a bit once, and only had additions as new features popped, but didn't change much in years... if you crashed the -kernel-, you were using legacy APIs through .NET, not .NET itself, and error handling is very well documented for the most part, and doing a catch all is a (no offense, since .NET is obviously not your primary dev environment) noob way of doing things and is heavily warned against since version 1.

      Maybe you fell in the ONE edgecase where it doesn't work well, but 95%+ (probably more) of it works flawlessly, is clearly documented and predictable...even if you go really deep. It becomes a bit more messy when you're interacting with separate products that just happen to have APIs coded in .NET (especially if its not the only language, and thus is probably coded by programmers who have no clue wtf they're doing), and its poorly done... Happens a lot. An example is the SSIS API (thats by Microsoft too), which is in .NET, but was clearly written by C++ gurus...so its a total fucking mess.

      • Well, you're probably right on all counts. .NET is not my environment. But when my manager throws me an intractable problem that's going to result in a legion of poorly trained kids being thrown at it otherwise, in less than a month, I adapt. I also scream "Train! Train! Get off the tracks--TRAIN!" to the aforementioned manager while doing so. -_- I basically had an O'Reilly book on Visual Basic and the online references to work with. And I had to bust a few people's nuts in another department to get Visual

        • Re: (Score:3, Insightful)

          by Shados ( 741919 )

          But I don't think you'll argue with me that Windows programming is helluva more complicated than Linux/Unix, and unnecessarily so.

          Oh yes I will argue with you over that :) You just have to get the parallels right. You can't go and compare the entirety of the API of Windows to a subset of Linux's...if you take all of the GUI APIs, the management APIs, .NET, Win32, etc, then just go and compare to the stuff the Linux kernel exposes... that doesn't work. Add the primary linux GUI environments, the various libr

    • by Chabo ( 880571 )

      "Do not use. Not safe. bullet in the brain pan squish"

      I wish the API docs actually said that... that would be awesome.

    • by Samah ( 729132 ) on Tuesday January 13, 2009 @05:34PM (#26440523)

      If you ask me, Microsoft is complicit in allowing malware to exist because they are unwilling to modernize Windows. They need to start over from scratch on their codebase and have a good hard think about what those APIs and interfaces are going to look like and then stick to it.

      And the new version of Windows would be laughed at by non-IT consumers. "Why would I upgrade to the new Windows when all of my stuff doesn't work?" This is part of the argument against Vista, and why some people can't see past the need to break backward compatibility to do things "the right way".

      • Re: (Score:3, Informative)

        by Lonewolf666 ( 259450 )

        True, and even some corporate users would not want it if their old applications won't run. On the other hand, the old cruft will continue to give them trouble until they DO a redesign.

        Apple went the other way with OS X, see http://en.wikipedia.org/wiki/History_of_Mac_OS_X [wikipedia.org]. It took them four years to develop it, and backwards compatibility was limited.
        For a while, I'm sure that cost them customers. But by now, it seems they got past that problem and the new, shiny OS helps them to gain market share from Micr

  • Theoretically, I'm not opposed to ad-supported programs. If someone is willing to put up with an advertisement in order to use a program for free, go ahead and let them. It's worked for television, radios, and web sites for quite a while (Tivos and Ad-Block aside).

    The problem, obviously, is when uninstalling the adware becomes a major hassle. For example, the author described in the interview how you would have to download a special uninstaller from the net, fill out a survey, and allow them to keep a re
  • Sadly, no. (Score:5, Insightful)

    by lucas_picador ( 862520 ) on Tuesday January 13, 2009 @05:08PM (#26440167)

    From the article:

    In their licensing terms, the EULA people agree to, they would say "in addition, we get to install any other software we feel like putting on." Of course, nobody reads EULAs, so a lot of people agreed to that. If they had, say, 4 million machines, which was a pretty good sized adware network, they would just go up to every other adware distributor and say "Hey! I've got 4 million machines. Do you want to pay 20 cents a machine? I'll put you on all of them." At the time there was basically no law around this. EULAs were recognized as contracts and all, so that's pretty much how distribution happened.

    Um, no. Unconscionability is a pretty ancient principle of contract law. People joke about signing away their first-born child in an unread EULA, but they understand that it's a joke: that term would never be enforced by a court, because allowing contracts of adhesion (like EULAs) signed by non-lawyers in casual circumstances to extract those kinds of concessions from the parties would result in the complete breakdown of society.

    So when this guy (and his bosses) talk about how there was "no law around this", they're not fooling anyone, least of all themselves. If I buy a bus ticket and on the back there's some fine print stating that by riding the bus I've agreed to let the driver break into my house and take anything he wants, guess where the bus driver ends up if he tried to exercise his contractual "rights"? In prison. Which is where this guy belongs.

  • by whoever57 ( 658626 ) on Tuesday January 13, 2009 @05:11PM (#26440211) Journal
    From the interview:

    We did create unwritable registry keys and file names, by exploiting an "impedance mismatch" between the Win32 API and the NT API. Windows, ever since XP, is fundamentally built on top of the NT kernel. NT is fundamentally a Unicode system, so all the strings internally are 16-bit counter Unicode. The Win32 API is fundamentally Ascii. There are strings that you can express in 16-bit counted Unicode that you can't express in ASCII. Most notably, you can have things with a Null in the middle of it.

    That meant that we could, for instance, write a Registry key that had a Null in the middle of it. Since the user interface is based on the Win32 API, people would be able to see the key, but they wouldn't be able to interact with it because when they asked for the key by name, they would be asking for the Null-terminated one. Because of that, we were able to make registry keys that were invisible or immutable to anyone using the Win32 API. Interestingly enough, this was not only all civilians and pretty much all of our competitors, but even most of the antivirus people.

    • by Johnno74 ( 252399 ) on Tuesday January 13, 2009 @06:24PM (#26441139)

      The differences in the way the NT api and Win32 api handle registry strings has been very well documented by Mark Russinovich and others.

      Rootkit Revealer (written by mark) uses this difference to try and detect rootkits - read the registry using both APIs, and see what comes back different.

      Hence Rootkit Revealer would put a huge flashing neon sign above malware that uses this technique

  • so let's educate some of you:

    we capture someone like frank abagnale [wikipedia.org], and we go all sharia law on him, as a lot of you propose, and leave him as a bloody stump

    then what?

    well, there are other frank abagnales out there. how do we detect them and capture them? well, the frank abagnale you just beat to a pulp: he would have made a good tool to do that, ya think?

    luckily, in real life, this is exactly what the feds and the banks did. in real life, you capture and use highly intelligent crooks to... drum roll please... capture more highly intelligent crooks. get it?

    law enforcement is hard grinding work, it doesn't happen like "death wish" or "dirty harry". i know in some of your justice league of america fantasy lives, delivering justice with a fist and a gun is the way to go. but we'd like to talk about reality, ok?

    so to review:

    1. we can have justice your way, and beat adware authors to a pulp, or
    2. we can have smart justice, and listen carefully to mr. adware author's words, and use those words to catch more adware authors

    get it? see the difference? do you want to pursue justice? or do you want to beat people up?

    these are mutually exclusive activities, despite your dimwitted fantasy lives

    now go crawl back under your rocks mouth breathers. nobody who is actually going to catch and punish cybercriminals in this world is going to think like you do

    even the most vile amoral serial killer is useful to keep alive and listen to. simply for matters of brain analysis and psychological study. or, we could put a bullet in his head, scrambling the abnormal brains, and having nothing useful to catch more vile amoral serial killers

    dumb violent justice leaves a dumb violent society that knows nothing about the smart and truly vicious criminals in their midst

    smart justice is about studying smart criminals, and using them against each other

    • Re: (Score:3, Insightful)

      by Red Flayer ( 890720 )
      You make a good point, but there is a huge flaw to your system.

      There is no disincentive to do wrong.

      I know there's a big philosophical issue with deterrence as a reason for punishment, but the truth of the matter is that people will tend to not commit crimes when the

      [risk of getting caught]*[punishment when caught] is greater than [benefit from committing crime]

      I think your philosophy tries to tip the balance by increasing the risk of getting caught for potential criminals... but that doesn't help when th

  • by ewhac ( 5844 ) on Tuesday January 13, 2009 @05:24PM (#26440389) Homepage Journal
    My initial gut reaction was to denounce this guy as a $SCOUNDREL (substitute your preferred profane term). But a little voice told me to go read the article, and now I'm not as sure as I was previously.

    Just for fun, consider the following actions a Unitary Programmer might do to your machine. Where would you rate them on the $SCOUNDREL scale, and why?

    • Deletes viruses from your machine.
    • Deletes competing adware from your machine.
    • Rebuffs attempts by competing viruses and adware to be deleted.
    • Reconfigures IE to be more secure.
    • Reconfigures Outlook to send plaintext only, fixed-width font, no top-posting, do not load or display remote images.
    • Disables using MSWord as an email editor.
    • Deletes IE; replaces it with Firefox, preserving all your bookmarks.
    • Deletes Outlook; replaces it with Thunderbird, converting all your mail archives.
    • Deletes all BitTorrent clients; replaces it with a RIAA/MPAA/FBI warning.
    • Deletes the scary warning about installing device drivers not digitally signed by Microsoft.
    • Converts HDCP to a system security setting, and flags all unprivileged applications that attempt to mess with it.
    • Deletes Windows; replaces it with Linux+Wine.
    • Deletes Windows; replaces it with Linux+KDE, with a message on the desktop reading, "Learn to use a real computer, kid..."

    Playing "CoreWars" is tricky business, and people with even a dim sense of ethics are loathe to try it. But there's one case where none of the above actions are ethically questionable: When the machine's owner does it themselves.

    I think the adware author lost sight of that for a while...

    Schwab

Almost anything derogatory you could say about today's software design would be accurate. -- K.E. Iverson

Working...