Interview With an Adware Author
rye writes in to recommend a Sherri Davidoff interview with Matt Knox, a talented Ruby instructor and coder, who talks about his early days designing and writing adware for Direct Revenue. (Direct Revenue was sued by Eliot Spitzer in 2006 for surreptitiously installing adware on millions of computers.) "So we've progressed now from having just a Registry key entry, to having an executable, to having a randomly-named executable, to having an executable which is shuffled around a little bit on each machine, to one that's encrypted — really more just obfuscated — to an executable that doesn't even run as an executable. It runs merely as a series of threads. ... There was one further step that we were going to take but didn't end up doing, and that is we were going to get rid of threads entirely, and just use interrupt handlers. It turns out that in Windows, you can get access to the interrupt handler pretty easily. ... It amounted to a distributed code war on a 4-10 million-node network."
Permanent Midnight (Score:4, Interesting)
It was funny. It really showed me the power of gradualism. It's hard to get people to do something bad all in one big jump, but if you can cut it up into small enough pieces, you can get people to do almost anything.
It reminds me of the movie Permanent Midnight [wikipedia.org], where Ben Stiller starts out the movie smoking weed and at the end is hooked on crack.
It's probably Ben Stiller's best work, by the way.
You first, buddy (Score:5, Interesting)
Times change. In order for this to continue to be a factor, we need to make sure that occasionally, someone *does* show up on a doorstep and club someone over the head.
I suggest we start with people who have kidded themselves that the abusive software they've written does not make them a villain.
Not a complete jerk (Score:5, Interesting)
I'm seeing comments and tags using words like "scumbag". Well, I actually RTFA, and this guy doesn't seem to be a complete jerk.
According to him, the adware he wrote did not crack into your system using exploits, and when you ran the uninstaller it would go away and never come back. Also, according to him, it didn't scan for really personal information like credit card numbers.
I'm not about to start a fan club for him, but I don't hate him either.
I was interested in the technical stuff. His software would find other adware on a system and kick the other adware off; it was also designed to be very difficult for other adware to kick off.
The best single exchange in the interview:
steveha
The new battle ground (Score:5, Interesting)
I think the Windows programming model is at fault for much of the obfuscation tactics used by malware. Entire classes of exploits have arisen due entirely to the complexities and obscurities of the interface. Modern anti-malware tactics have to monitor many different parts of the operating system, and in some cases due to architectural constraints the methods of doing so can make the entire operating system unstable. Not only that, but race conditions and the use of special trap conditions/exception handling can make safely disabling malware a frustrating experience. Even professionally designed applications can sometimes tank the Operating System. Try disabling Symantec Anti-virus on an XP system without a reboot, for example, and then doing a reinstall of it remotely. In the field, I saw failure rates of about 6% for SAV10. On a hundred thousand systems, let's just say I was not happy on that deployment! Killing malware is even more risky.
Windows is layers upon layers of earlier APIs that cannot be removed due to "backwards compatibility" concerns. I have some limited exposure to the .NET framework, and it has perhaps a half-dozen APIs for threading, and the documentation is riddled with exposed interfaces that have the note "Do not use. Not safe. bullet in the brain pan squish" in it. Over a third of the API is already deprecated (as far as I can tell), and there is an ever-shifting set of best practices standards. I can only imagine the hell a proper programmer endures in developing truly complex applications for .NET -- all I was doing was a few WMI calls and a database interface and I still crashed the kernel many times trying to figure out what to trap -- in many cases, error handling is mostly about creating a catch-all and then trying to break your code to see what is generated and then guessing what to trap accordingly. With an interface this complicated and unstable, it will always be a cat and mouse game between the white and black hats on this architecture, a game predicated on undocumented interfaces, obscurity, and deep knowledge of layers of the operating system that interact in unpredictable ways.
Compare this to Linux, where the interfaces haven't changed that much, and when they do, deprecated means "We're going to remove this in a year or so and we mean it." Open source has one huge advantage here -- if it's not maintained, it ceases to be relevant and there's no 20 year old code lurking about in an unused API long forgotten. At least not nearly to the degree Windows has it. If you ask me, Microsoft is complicit in allowing malware to exist because they are unwilling to modernize Windows. They need to start over from scratch on their codebase and have a good hard think about what those APIs and interfaces are going to look like and then stick to it. Or at the very least, they could start by documenting these interfaces and releasing some code so we can be more confident that our hooks into their black-boxed APIs won't tear the operating system's heart out...
Re:Chilling (Score:4, Interesting)
Outsource (Score:1, Interesting)
As an Out-sourced IT consultant I don't forget. I thank them.
Thirty percent of my work comes from people who don't know what they are doing. The other 70% comes from me learning what they screwed up, where they dropped the ball and where I can fix it, at double the rate in 1/2 the time. Everyone wins.
Why Windows Registry is a bad idea (Score:5, Interesting)
Re:I hate it when people venerate/elevate scumbags (Score:5, Interesting)
Firstly, he's not a serial killer, he hasn't killed anyone; he's just irritated a LOT of people by installing infuriating software that's a pain to remove; in my view, this isn't quite of the same calibre as murdering people.
And if you read the interview, you'd see he's not really evil, like many/most/all serial killers, but a very intelligent young person.
His actions were motivated out of being extremely poor, he needed the money, and so he got involved in dodgy software programming. This isn't a justification for what he did, but it's nevertheless important to note. Further, he removed a lot of viruses and adware through his own adware; I'm not sure if this qualifies as grey hat behaviour, but once again, it blurs the line. Most importantly, he's reformed, and pursuing an honest living, as well as providing insight into his past actions. I found his explanation of the measures he took to ensure his software remained on the infected computer fascinating from a technical perspective; there were some very clever approaches there.
I don't agree with what he did, but I'm not going to relegate him to "scumbag" status, and I wouldn't be surprised if over the coming years and decades, he makes many valuable contributions to IT and the Ruby community in particular.
Re:Why Windows Registry is a bad idea (Score:5, Interesting)
The differences in the way the NT API and Win32 API handle registry strings have been very well documented by Mark Russinovich and others.
Rootkit Revealer (written by Mark) uses this difference to try and detect rootkits - read the registry using both APIs, and see what comes back different.
Hence Rootkit Revealer would put a huge flashing neon sign above malware that uses this technique.
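The cross-view check described in this comment, as an added model (not Rootkit Revealer's code): the documented difference is that Win32 registry functions treat key names as NUL-terminated strings while the native NT API uses counted UNICODE_STRINGs, so a name with an embedded NUL is visible in one view and truncated or invisible in the other. The key list below is constructed; no real registry is read.

```python
"""Cross-view registry diff, modelled on the Rootkit Revealer idea.

Each constructed entry is (length_in_bytes, utf16le_buffer), the shape
of a counted UNICODE_STRING as the native NT API returns it.
"""

def counted(name: str) -> tuple[int, bytes]:
    """Build a constructed counted-string entry from a Python name."""
    buf = name.encode("utf-16-le")
    return (len(buf), buf)

def native_view(entries) -> set[str]:
    """NT-API style: honour the length prefix, so embedded NULs survive."""
    return {buf[:n].decode("utf-16-le") for n, buf in entries}

def win32_view(entries) -> set[str]:
    """Win32 style: the name ends at the first NUL; a name that starts
    with NUL reads as empty and is effectively not listed at all."""
    names = set()
    for n, buf in entries:
        full = buf[:n].decode("utf-16-le")
        visible = full.split("\x00", 1)[0]
        if visible:
            names.add(visible)
    return names

def cross_view_diff(entries) -> list[str]:
    """Names the native view reports that the Win32 view never shows:
    exactly the discrepancy a cross-view rootkit detector flags."""
    return sorted(native_view(entries) - win32_view(entries))

# Constructed sample: two ordinary keys plus two names with embedded NULs.
SAMPLE_KEYS = [
    counted("Run"),
    counted("Software"),
    counted("\x00hidden"),     # starts with NUL: invisible to Win32 readers
    counted("Run\x00Once"),    # truncates to the existing "Run" in Win32 view
]

if __name__ == "__main__":
    for name in cross_view_diff(SAMPLE_KEYS):
        print("hidden from Win32 view:", repr(name))
```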
Re:I hate it when people venerate/elevate scumbags (Score:2, Interesting)
Furthermore, he didn't steal 4 million people's credit card details. I rather think a scumbag would have done just that.
Re:Sadly, no. (Score:1, Interesting)
I think your bus driver analogy is flawed. It would be more like giving a salesman your house key so he could deliver whatever "free gift" he had offered you. When he asks the terms under which he's allowed to enter your house, you answer "Whatever you think is reasonable." Then you come home and he's on your couch, eating your chips. You ask him to leave and, after spending a few minutes collecting all of his stuff, he does.
You trusted a stranger, and explicitly allowed him into your home on his terms. When you wanted him to leave, he did. Maybe not as swiftly as you would like, but with no lasting damage. The salesman isn't going to jail, and hopefully you'll be a little wiser next time.
Re:I hate it when people venerate/elevate scumbags (Score:2, Interesting)
I think you're being a little harsh, not to mention very black and white.
Firstly, he's not a serial killer, he hasn't killed anyone; he's just irritated a LOT of people by installing infuriating software that's a pain to remove; in my view, this isn't quite of the same calibre as murdering people.
I was once stuck at a client waiting for someone else to do something. This was back in the days of VBScript worms. I spent a happy few hours taking one apart to see how it worked.
Hell, if I couldn't get a real job I'd probably be doing the same as him. Infecting a machine with UAC and IE running in protected mode is probably possible, but it sure as hell would be a challenge.
Re:"Not evil?" (Score:3, Interesting)
If someone was to ask me to provide an example of someone who is just plain evil, I'd reply with someone like Robert Mugabe. Completely and utterly corrupt, inhumane, starves his people, an absolute disgrace with no redeeming features.
For someone like the subject of this article, I prefer "unethical". What he did was undoubtedly wrong, but he also did things that immediately illustrate that he DOES have a conscience, examples:
a) Provided an uninstaller
b) Removed viruses (and to a far lesser extent, competing adware)
c) Didn't take it to the next level (capturing credit cards and personal data)
You call him greedy. Well, yes, he was to the extent that his motivation was money. But (do correct me if I'm wrong), I don't get the impression he got rich off what he did. He made some money, but not lots.
You call him ethically bankrupt, but if he truly was bankrupt in the ethics department, why did he do the above?
Why would you provide people a means to remove your software, take the time to remove viruses, and not steal their personal data?
If he has no ethical boundaries, fuck it, just do it. But he didn't, even though by his own admission, he easily could have. For me, this indicates that he's definitely not ethically bankrupt, he has ethical limits, and by extension, he's certainly not evil. Society at times can be far too quick to condemn someone as "evil", "scumbag", whatever. Rarely is it that clear cut, and in this case, it's far more grey.
Re:I hate it when people venerate/elevate scumbags (Score:2, Interesting)
Well, Socrates was often very rude, because rudeness promoted discourse and challenged established ideas. His teaching style was rude and aggressive; he equated those who sold access to their wisdom (sophists) with whores. Plato referred to Socrates as the "gadfly" of the state for this reason, stinging the state into action as a gadfly would sting a horse.
Then again, Socrates was executed, so that's not to say being rude doesn't get you into trouble.