
Interview With an Adware Author

kdawson posted more than 5 years ago | from the warming-up-for-the-botnet-era dept.

Security 453

rye writes in to recommend a Sherri Davidoff interview with Matt Knox, a talented Ruby instructor and coder, who talks about his early days designing and writing adware for Direct Revenue. (Direct Revenue was sued by Eliot Spitzer in 2006 for surreptitiously installing adware on millions of computers.) "So we've progressed now from having just a Registry key entry, to having an executable, to having a randomly-named executable, to having an executable which is shuffled around a little bit on each machine, to one that's encrypted — really more just obfuscated — to an executable that doesn't even run as an executable. It runs merely as a series of threads. ... There was one further step that we were going to take but didn't end up doing, and that is we were going to get rid of threads entirely, and just use interrupt handlers. It turns out that in Windows, you can get access to the interrupt handler pretty easily. ... It amounted to a distributed code war on a 4-10 million-node network."


453 comments

Sometimes we forget. (5, Insightful)

jellomizer (103300) | more than 5 years ago | (#26439665)

That the people who makes IT Guys lives difficult and annoying are indeed IT guys.

Re:Sometimes we forget. (5, Insightful)

Anonymous Coward | more than 5 years ago | (#26439721)

I'm pretty sure that the majority of cops that became criminals were the hardest to catch. They know all the tricks and what other cops/detectives will be looking for.

Re:Sometimes we forget. (4, Informative)

Thelasko (1196535) | more than 5 years ago | (#26440031)

I'm pretty sure that the majority of cops that became criminals were the hardest to catch. They know all the tricks and what other cops/detectives will be looking for.

*COUGH [wikipedia.org] *

Allegedly

Re:Sometimes we forget. (0)

Anonymous Coward | more than 5 years ago | (#26440489)

And the majority of criminals that became cops were the best to catch other criminals.

COUGH: http://en.wikipedia.org/wiki/Frank_Abagnale :)

Re:Sometimes we forget. (5, Insightful)

snl2587 (1177409) | more than 5 years ago | (#26439817)

Difficult? Maybe, but for freelancers who collect a check every time they "fix" an infected computer (read: fiddle around for a while and ultimately end up reinstalling Windows), these crapware authors are the reason they can stay in business.

Re:Sometimes we forget. (5, Informative)

MobyDisk (75490) | more than 5 years ago | (#26440033)

Talented computer repair techs can stay in business just fine. But yes, the adware/spyware boom caused an explosion in the repair field too.

Outsource (1, Interesting)

Anonymous Coward | more than 5 years ago | (#26440099)

As an Out-sourced IT consultant I don't forget. I thank them.

Thirty percent of my work comes from people who don't know what they are doing. The other 70% comes from me learning what they screwed up, where they dropped the ball and where I can fix it, at double the rate in 1/2 the time. Everyone wins.

No wonder (1)

Baruch Atta (1327765) | more than 5 years ago | (#26439719)

No wonder why it was impossible to remove. My Windows 2000 machine is most probably infected and will probably stay infected until I just reload windows from scratch. Maybe even that won't get rid of the adware.

Re:No wonder (1, Flamebait)

alfs boner (963844) | more than 5 years ago | (#26439983)

What amuses me is how all the slashlosers will come out of the woodwork, getting ready to stamp their feet and gnash their teeth, and thinking they're going to excoriate this guy with their self-righteous zingers. This guy doesn't need your respect. He has more money, has better technical skills, and probably overall has a better life than most of the best-buy lifers and junior-college fuckups that infest this site. I'm sure he's very upset that some fat, goateed LARPER has strong opinions about him.

I hate it when people venerate/elevate scumbags (5, Insightful)

elrous0 (869638) | more than 5 years ago | (#26439725)

Some serial killer goes and and murders dozens of innocent people; and we reward him with veneration, books written about him, endless press coverage, etc. Scumbags don't deserve our respect, our veneration, or polite treatment.

Re:I hate it when people venerate/elevate scumbags (5, Funny)

Nos. (179609) | more than 5 years ago | (#26439847)

He should be forced to forever use an unpatched Windows (9x, XP, 2000, etc) as his OS on every computer.

Re:I hate it when people venerate/elevate scumbags (5, Funny)

Anonymous Coward | more than 5 years ago | (#26439995)

He should be forced to use Windows ME, at no higher than 800x600 screen mode, with a 56K modem.

He should also be forced to eat his own testicles.

Re:I hate it when people venerate/elevate scumbags (4, Funny)

elrous0 (869638) | more than 5 years ago | (#26440015)

Given a choice between the two, I might go with the testicles.

Re:I hate it when people venerate/elevate scumbags (2, Funny)

Anonymous Coward | more than 5 years ago | (#26440067)

Queue jokes about which one is getting more use in 3... 2... 1...

Re:I hate it when people venerate/elevate scumbags (5, Funny)

dylan_- (1661) | more than 5 years ago | (#26440241)

Given a choice between the two, I might go with the testicles.

That's the trouble with browsing at +1...now I have to imagine what kind of comment that was a response to...

Re:I hate it when people venerate/elevate scumbags (0)

Anonymous Coward | more than 5 years ago | (#26440303)

Or click "Parent"...?

Re:I hate it when people venerate/elevate scumbags (1, Informative)

Archangel Michael (180766) | more than 5 years ago | (#26440307)

If you click "Parent" it opens up so you can see that it said ....

Re:I hate it when people venerate/elevate scumbags (5, Funny)

Anonymous Coward | more than 5 years ago | (#26440385)

Maybe you should click the "whoosh" button.

Re:I hate it when people venerate/elevate scumbags (0)

Anonymous Coward | more than 5 years ago | (#26440065)

Make him use Windows ME! Patched or unpatched; it makes little difference to the suffering.

Re:I hate it when people venerate/elevate scumbags (0)

Anonymous Coward | more than 5 years ago | (#26440569)

waste of time
waste of space
waste of resources

we lack the means to make him suffer enough.

a .22 slug to the skull will work just fine. cheap, quick, clean, efficient, effective.

give me a free pass for it. and i'll shoot this scumbag myself. it needs doing.

Re:I hate it when people venerate/elevate scumbags (0, Offtopic)

megamerican (1073936) | more than 5 years ago | (#26439857)

Some psychopath goes and and murders millions of innocent people; and we reward him with veneration, books written about him, endless press coverage, etc. Scumbags don't deserve our respect, our veneration, or polite treatment.

Leave Henry Kissinger alone!

Re:I hate it when people venerate/elevate scumbags (1)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26439889)

C'mon, he didn't murder millions of innocent people, he got us to pay the defense department to do it for him!

Re:I hate it when people venerate/elevate scumbags (4, Insightful)

dave562 (969951) | more than 5 years ago | (#26439933)

There seems to be a big stretch between a serial killer and some guy writing malicious code. My primary interest in computers initially involved all sorts of fraud and outright criminality. I now work in IT and have a completely legit lifestyle. Anyone who has any real competency or natural inclination to understand computers will mess with them and figure out how to make them do things outside of the "normal" range.

The article talks about exploiting some incompatibilities between the Win32 and WinNT APIs. If there weren't guys like the subject of the interview, those incompatibilities would remain hidden. It takes mischievous people to come along and exploit the holes so that they get patched. By its very nature, software gets better when people push the boundaries and tweak it. The person who writes code that leads to improvements in the most widely used operating system is not the same as the person who kills a bunch of people.

If anything, Microsoft made the mistake of making the computer too friendly. They released technologies that gave people too many options. In any sort of free environment, there will be people who abuse the freedoms that they are presented with. Malware authors are those kinds of people. It is easy to blame Microsoft for looking into the future and envisioning a world where web browsers are the central application on the computer. They rushed blindly into it and unleashed things like ActiveX on the world. At the core, their intention was right... they wanted to make it easy to execute code in a distributed environment like the internet. Yet the implementation sucked and it seems like they didn't pay any attention to security.

Re:I hate it when people venerate/elevate scumbags (5, Insightful)

Anonymous Coward | more than 5 years ago | (#26440091)

Damn right, dave. However, it's hard to deny that someone who writes malicious code that directly targets (ignorant) consumers may very well be treading on morally bankrupt territory.

Re:I hate it when people venerate/elevate scumbags (0, Troll)

dave562 (969951) | more than 5 years ago | (#26440561)

Of course they're morally bankrupt. However they also play an important role in the ecosystem.

Re:I hate it when people venerate/elevate scumbags (2, Insightful)

0racle (667029) | more than 5 years ago | (#26440371)

There seems to be a big stretch between a serial killer and some guy writing malicious code

Not for the purpose of the point that was being made, "scum should be treated as such." It doesn't matter what they did to be labeled scum.

If anything, Microsoft made the mistake of making the computer too friendly. They released technologies that gave people too many options

So if I buy a door that happens to have a lock with a flaw, it's the fault of the lock maker that my stuff gets stolen? Sorry, but no, the fault lies solely on the shoulders of the thief. Windows has many problems, but all the fault for exploiting it is on the malware authors.

Re:I hate it when people venerate/elevate scumbags (-1, Flamebait)

Hatta (162192) | more than 5 years ago | (#26440171)

I know how you feel, but he's our President.

Re:I hate it when people venerate/elevate scumbags (0)

Anonymous Coward | more than 5 years ago | (#26440215)

Barack Obama?

Re:I hate it when people venerate/elevate scumbags (4, Insightful)

girlintraining (1395911) | more than 5 years ago | (#26440229)

Some serial killer goes and and murders dozens of innocent people; and we reward him with veneration, books written about him, endless press coverage, etc. Scumbags don't deserve our respect, our veneration, or polite treatment.

We're not here to discuss his moral infirmities. We're here to discuss effective ways of countering the threat the aforementioned poses. It is logical to begin by questioning those we've found engaged in such behaviors as to their motivations, goals, and methods. However, if you do not wish to dissect the frog due to moral outrage, I can give you some music to listen to but you will not pass the course.

Re:I hate it when people venerate/elevate scumbags (2, Insightful)

lxs (131946) | more than 5 years ago | (#26440263)

Scumbags don't deserve our respect, our veneration, or polite treatment.

True, but they are interesting to watch from a distance.

Re:I hate it when people venerate/elevate scumbags (1)

pete-classic (75983) | more than 5 years ago | (#26440653)

Certainly not. But the abnormal throw the normal into contrast. I don't think there's anything wrong with finding that fascinating.

I do disagree with you about polite treatment. Being impolite, even to someone we can agree is a scumbag, only diminishes you. Dick.

Just kidding.

Kinda.

-Peter

Re:I hate it when people venerate/elevate scumbags (4, Interesting)

Ralish (775196) | more than 5 years ago | (#26440667)

I think you're being a little harsh, not to mention very black and white.

Firstly, he's not a serial killer, he hasn't killed anyone; he's just irritated a LOT of people by installing infuriating software that's a pain to remove; in my view, this isn't quite of the same calibre as murdering people.

And if you read the interview, you'd see he's not really evil, like many/most/all serial killers, but a very intelligent young person.

His actions were motivated out of being extremely poor, he needed the money, and so he got involved in dodgy software programming. This isn't a justification for what he did, but it's nevertheless important to note. Further, he removed a lot of viruses and adware through his own adware, I'm not sure if this qualifies as grey hat behaviour, but once again, it blurs the line. Most importantly, he's reformed, and pursuing an honest living, as well as providing insight into his past actions. I found his explanation of the measures he took to ensure his software remained on the infected computer fascinating from a technical perspective, there were some very clever approaches there.

I don't agree with what he did, but I'm not going to relegate him to "scumbag" status, and I wouldn't be surprised if over the coming years and decades, he makes many valuable contributions to IT and the Ruby community in particular.

Permanent Midnight (3, Interesting)

Thelasko (1196535) | more than 5 years ago | (#26439727)

It was funny. It really showed me the power of gradualism. It's hard to get people to do something bad all in one big jump, but if you can cut it up into small enough pieces, you can get people to do almost anything.

It reminds me of the movie Permanent Midnight [wikipedia.org] , where Ben Stiller starts out the movie smoking weed and at the end is hooked on crack.

It's probably Ben Stiller's best work, by the way.

Re:Permanent Midnight (2, Insightful)

sanosuke001 (640243) | more than 5 years ago | (#26439767)

Can't be much of a stretch... he plays the same bumbling, over-the-top idiot in every movie he is in.

Re:Permanent Midnight (1)

Chabo (880571) | more than 5 years ago | (#26439929)

I hated him, up until Night at the Museum. That's the first Ben Stiller movie that I've genuinely liked (Meet the Parents was ok I guess...).

Re:Permanent Midnight (3, Insightful)

Hatta (162192) | more than 5 years ago | (#26440203)

If you've watched enough Ben Stiller movies to have an opinion on which is the "best", not only do I not trust your opinion, I fear for the health and welfare of you and those around you.

Re:Permanent Midnight (1)

thetoadwarrior (1268702) | more than 5 years ago | (#26440641)

All Ben Stiller movies are of the same quality since it's the same character and virtually the same premise every time.

Still, he's not as bad as Adam Sandler.

Seriously (4, Funny)

Anonymous Coward | more than 5 years ago | (#26439737)

It would be a damn shame if something bad happened to this guy.

Re:Seriously (5, Funny)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26439773)

Do you think it would be more of a shame if he accidentally cut his throat while shaving, slipped and fell down three flights of stairs, or tripped and hit his head on a bullet?

Re:Seriously (1)

bennomatic (691188) | more than 5 years ago | (#26440175)

This made me think of one of OJ's scenes in the Naked Gun movie. I seem to recall tripping over furniture, falling down stairs, mouse traps, a window closing on his hand, and to top it all off, wet paint.

Re:Seriously (0)

Anonymous Coward | more than 5 years ago | (#26440491)

And they found him floating face down... two hours later.

Re:Seriously (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26440191)

It would be a shame if http://mattknox.com/ [mattknox.com] got Slashdotted, or if someone wrote a script to call his cell phone at all hours of the day and night with "1-900" number advertising.

P. MATTHEW KNOX

matt@mattknox.com

matthewknox@gmail.com

917-355-6517

The Adware (0)

Anonymous Coward | more than 5 years ago | (#26439757)

It's a series of threads.

You first, buddy (4, Interesting)

Red Flayer (890720) | more than 5 years ago | (#26439783)

FTA:

In particular, things involving human interactions don't have to be perfect, because groups of humans have all these self-regulations built in. If you and I have an agreement and you screwed me over badly, you've always got in the back of your mind the nagging worry that I'm going to show up on your doorstep with a club and kill you.

Times change. In order for this to continue to be a factor, we need to make sure that occasionally, someone *does* show up on a doorstep and club someone over the head.

I suggest we start with people who have kidded themselves that the abusive software they've written does not make them a villain.

Did you say Villain? (1, Funny)

Anonymous Coward | more than 5 years ago | (#26439979)

This sounds like a task for the super friends! [imageshack.us] Talk about being scared straight... lulz.

Re:You first, buddy (1)

I.M.O.G. (811163) | more than 5 years ago | (#26439987)

Let me guess... You liked playing whack-a-mole when you were a kid, right?

Re:You first, buddy (4, Funny)

Red Flayer (890720) | more than 5 years ago | (#26440331)

Let me guess... You liked playing whack-a-mole when you were a kid, right?

I grew up on a farm, where we did not have to dilute the whack-a-FOO experience with carnival games.

Juvenile groundhogs leaving the nest to dig their own burrow were frequent targets of a well-timed shovel strike.

Potentially-rabid raccoons, whether in the bottom of a 55-gallon drum, or in a wire mesh trap, proved no match for a well-placed pitchfork thrust.

Voracious, ridiculously fecund rabbits proved much easier to deal with when their heads were separated from their bodies via garden hoe.

Pesky, time-wasting, crop-damaging field/woodland creatures QUIVERED before the mightiness of the farmer's kids.

It'd be a better world if malware writers trembled before the wrath of internet users.

Re:You first, buddy (0)

Anonymous Coward | more than 5 years ago | (#26440465)

I played whack barack [barackwhack.com] but that did not help with the election.

Chilling (5, Insightful)

bbbaldie (935205) | more than 5 years ago | (#26439813)

I am now more convinced than ever that it is impossible to secure Windows.

Re:Chilling (2, Insightful)

blueg3 (192743) | more than 5 years ago | (#26439821)

Hey, *someone's* got to apply all those malware techniques to a money-making venture.

Re:Chilling (5, Insightful)

El Lobo (994537) | more than 5 years ago | (#26439907)

The same guy says in another interview on CNET that it would be pretty easy to find ways to implement the same in OSX (where they are actually experimenting) and in many Linux distros, but nobody pays a shit for that. They can get a lot more cash for pressing their brains to find exploits for hundreds of millions of computers than what they would get to find exploits for some thousands in more exotic OSs. Easy like that. Something as complex as an OS with millions of lines of code will necessarily ALWAYS have a couple of thousand possible holes, be it BeOS, MistOs, NetBSD or whatever. You only need the will (or the cash).

Re:Chilling (4, Insightful)

steelfood (895457) | more than 5 years ago | (#26440477)

In life, genetic diversity means the species has a better chance of survival. OS diversity, processor, and even instruction set diversity, is important for the same ends.

So it's not worth much to attack Linux or OSX or one of the BSD's. If all of these OS's including Windows had the same, 20% marketshare, perhaps it wouldn't be worth it to attack any of them. Or, it might actually be worth it to go for the low hanging fruit, namely, the easier-to-use OS's (OSX, Windows, and possibly a flavor of Linux). But the returns for the amount of work needed to attack 3 or 4 different OS's definitely wouldn't be as high, and the incentive for creating malware would be much less.

Re:Chilling (3, Insightful)

vadim_t (324782) | more than 5 years ago | (#26440533)

Except that for Linux, the situation is quite different.

First, the OS is open. Which means any user of it can make and submit a patch, which would quickly spread around. Distributions engage in some competition, and the patch would get copied around. There's no need for anybody to wait for a vendor to do it.

Second, there's much less backwards compatibility. If a library function is vulnerable, and fixing is impossible without breaking compatibility, a distribution can find all of the included software that uses it, and fix to work with the new version. You're not going to find libqt 1.0 in a modern distro either.

Third, the open nature of the OS leads to the possibility of patching the OS to mess with the adware, making it report complete crap to the server.

Fourth, there already are generic mechanisms such as SELinux to deal with such things. While they're not that widespread yet, a good attack or two of this sort would do a lot to help adoption.

Re:Chilling (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26440649)

Fifth, due to nobody even using it in the first place, nobody is likely to give a shit.

Re:Chilling (0)

Anonymous Coward | more than 5 years ago | (#26440539)

Proof of concept is not enough.

On Linux I get my software from the distro's repository. It has an MD5 sum. One point of risk/failure.

On Windows, I get software from install CDs and the internet. No MD5 sums, lots of points of failure.

There are differences in the security risk between Windows and Linux apart from that Linux is used less.
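The checksum check the post above refers to, written out as an added example that is not part of the thread and not any distribution's own tooling: a small Python verifier for md5sum/sha256sum-style manifests. The package bytes and the manifest are constructed inline, with the digests computed from that sample data. It refuses MD5 entries unless explicitly allowed, because MD5 is collision-broken; and a checksum fetched from the same server as the package only guards against corruption, not substitution, which is why repositories sign the manifest itself rather than relying on the digest alone.

```python
import hashlib
import hmac

# Hex digest length -> algorithm, as emitted by md5sum (32) and sha256sum (64).
_ALGO_BY_LENGTH = {32: "md5", 64: "sha256"}
# MD5 is collision-broken: usable to spot corruption, not to prove authenticity.
WEAK_ALGORITHMS = {"md5"}


def parse_manifest(text):
    """Parse '<hexdigest>  <filename>' lines into {filename: hexdigest}."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest>  <name>'")
        digest, name = parts
        name = name.lstrip("*")  # md5sum marks binary-mode entries with a leading '*'
        digest = digest.lower()
        if len(digest) not in _ALGO_BY_LENGTH or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: unrecognised digest {digest!r}")
        entries[name] = digest
    return entries


def verify_package(data, filename, manifest_text, allow_weak=False):
    """Return (ok, reason); ok is True only when the package digest matches the manifest."""
    entries = parse_manifest(manifest_text)
    expected = entries.get(filename)
    if expected is None:
        return False, "no manifest entry for %s" % filename
    algo = _ALGO_BY_LENGTH[len(expected)]
    if algo in WEAK_ALGORITHMS and not allow_weak:
        return False, "manifest uses %s, which is collision-broken" % algo
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison; avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(actual, expected):
        return False, "%s mismatch for %s" % (algo, filename)
    return True, "%s verified for %s" % (algo, filename)


# Constructed sample package (stands in for a downloaded archive) and a copy
# altered in transit by one character.
GOOD = b"#!/bin/sh\necho 'widget 1.0'\n"
TAMPERED = GOOD.replace(b"1.0", b"1.1")

# Constructed manifest: one sha256 entry and one legacy md5 entry for the same bytes.
MANIFEST = (
    "# constructed manifest; digests computed from GOOD above\n"
    + hashlib.sha256(GOOD).hexdigest() + "  widget.sh\n"
    + hashlib.md5(GOOD).hexdigest() + "  legacy-widget.sh\n"
)

if __name__ == "__main__":
    for name, blob, weak in [("widget.sh", GOOD, False),
                             ("widget.sh", TAMPERED, False),
                             ("legacy-widget.sh", GOOD, False),
                             ("legacy-widget.sh", GOOD, True)]:
        print(name, verify_package(blob, name, MANIFEST, allow_weak=weak))
```

Running the block prints one verdict per case: the untouched package passes, the one-character change fails on the sha256 entry, and the md5 entry is rejected until `allow_weak=True` is passed.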

Re:Chilling (0)

Anonymous Coward | more than 5 years ago | (#26440647)

Something as complex as an OS with millions of lines of code will necessarily ALWAYS have a couple of thousand possible holes, be it BeOS, MistOs, NetBSD or whatever. You only need the will (or the cash).

That is true, but the open-source Unices do have the "many eyeballs" effect on their side. The adware makers would not only need to find the exploit in the OS, but they would also need to be the only ones to have noticed it, or at least to take advantage of it before the next round of patching. Of course it's still possible for this to be done -- open source isn't magic, but it does cut down on the risk of an exploit actually remaining exploitable.

Re:Chilling (3, Insightful)

nwssa (993577) | more than 5 years ago | (#26439943)

there isn't much stopping anyone from implementing this on Linux except the payoff is a fraction. Do you go to work for 1/20th of your hourly wage?

Re:Chilling (3, Interesting)

ILikeRed (141848) | more than 5 years ago | (#26440041)

"Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -Gene Spafford

Demonize him now, but when the aliens invade... (4, Funny)

starglider29a (719559) | more than 5 years ago | (#26439835)

...his skills to slide past security and override their computer systems may be the last hope of mankind.

Unless the aliens AREN'T running Windows.

Re:Demonize him now, but when the aliens invade... (3, Funny)

hesaigo999ca (786966) | more than 5 years ago | (#26439913)

Keep him around once Skynet becomes self aware, we might need him!

Re:Demonize him now, but when the aliens invade... (1)

thebheffect (1409105) | more than 5 years ago | (#26439951)

If Steve Ballmer isn't an alien put here to distribute insecure OS's in order to destabilize our world computer networks, I'll be surprised. At least Jeff Goldblum knows how to... take em down...do...do your stuff.

Re:Demonize him now, but when the aliens invade... (1)

Chabo (880571) | more than 5 years ago | (#26439957)

If movies have taught us anything, it's that real hackers who take down alien races use MacBooks.

Executable that's not an executable? (0)

Anonymous Coward | more than 5 years ago | (#26439851)

How would one get a program to run without executing it? Dr. Evil's 'series of threads' load itself into the RAM space of an already running program, or what?

Also, is this the guy who wrote Virtumundo? That thing was so fucked it required its own remover.. spybot alone couldn't get it. Fuck that fucking thing fucking stole so much of my fucking time..

Re:Executable that's not an executable? (1)

Rycross (836649) | more than 5 years ago | (#26440083)

According to the story, there is a Windows API call that can basically hand another process a bit of code and have it execute it. That's what he meant by a series of threads: distributing the code to other processes and having it run in a distributed manner.

Re:Executable that's not an executable? (1)

Anthony_Cargile (1336739) | more than 5 years ago | (#26440687)

NOW I see how botnets are so easy to do on Windows. Just hand the code to a widely-distributed network protocol or some RPC, and boom I have male enhancement spam in all of my inboxes. How could I have missed this?

Re:Executable that's not an executable? (1)

Billhead (842510) | more than 5 years ago | (#26440193)

You're lucky, I had to make a BartPE CD with Spybot, and even after that had to manually find the latest random-character files in system32 and delete them, and then boot back into Windows and run Spybot again to get rid of any leftover registry entries.

Re:Executable that's not an executable? (2)

Rycross (836649) | more than 5 years ago | (#26440481)

According to the article, deleting the registry entries meant that the program would re-install itself, while leaving them in place would cause the software to avoid that computer (registry entries were used as an opt-out marker).

Not a complete jerk (5, Interesting)

steveha (103154) | more than 5 years ago | (#26439919)

I'm seeing comments and tags using words like "scumbag". Well, I actually RTFA, and this guy doesn't seem to be a complete jerk.

According to him, the adware he wrote did not crack into your system using exploits, and when you ran the uninstaller it would go away and never come back. Also, according to him, it didn't scan for really personal information like credit card numbers.

I'm not about to start a fan club for him, but I don't hate him either.

I was interested in the technical stuff. His software would find other adware on a system and kick the other adware off; it was also designed to be very difficult for other adware to kick off.

The best single exchange in the interview:

S: In your professional opinion, how can people avoid adware?

M: Um, run UNIX.

steveha

Re:Not a complete jerk (1, Insightful)

Anonymous Coward | more than 5 years ago | (#26440017)

he wrote adware.

let me repeat that. he wrote adware.

yes, he is a complete jerk. he worked for a corporation that did evil things. think Godwin's Law. he doesn't deserve a free pass just because you admire his methods.

Yes, he is a jerk (4, Insightful)

sirwired (27582) | more than 5 years ago | (#26440219)

To get that oh-so-useful uninstaller you had to go to a website, answer a survey, and only then could you download it. If they genuinely wanted to make it easy, they would have put it in Add/Remove Programs, and stuck their survey in there.

I don't know about you, but after getting sketchy software on my machine, the LAST thing I want to do is go to some random website and download even MORE crap. I wouldn't trust that download one bit.

And the bit about "it was also designed to be very difficult for other adware to kick off" is complete hand-waving B.S. It was designed to be very difficult for anti-virus packages and anti-spyware packages too. In fact, anti-malware packages were probably the primary target of the persistence code.

And their distributors were complete scum that Direct Revenue did very little to police. Yeah, they suspended any that were complained about (if the hapless users even had any clue how they got the software), but those rogue distributors would just sign up under a new name.

I can't believe he thought this job was a "net positive" simply because he wiped out the other guys' malware more than he installed. That just means he is a very sneaky coder... That's like an embezzling salesman saying he was a "net positive" because he generated more profits than he stole. It may be true, but it doesn't make him any less of a scumbag.

SirWired

Re:Yes, he is a jerk (0)

Anonymous Coward | more than 5 years ago | (#26440355)

I don't know about you, but "not a complete jerk" is not the highest praise I have to offer.

I can't believe he thought this job was a "net positive" [...] That's like an embezzling salesman saying he was a "net positive" because he generated more profits than he stole.

I agree with this sentiment.

It may be true, but it doesn't make him any less of a scumbag.

There are gradations of jerkhood. Adware that has no uninstall, installs through exploits, and vacuums up passwords and credit card numbers is in a whole worse category than what this guy says he wrote. Not writing the more-evil adware does make him less of a scumbag.

Assuming he isn't lying. If he's lying and he wrote full-on malware, then he is a 100% scumbag.

Re:Not a complete jerk (1)

bigpat (158134) | more than 5 years ago | (#26440339)

Just because the company used social engineering instead of technical exploits to put unwanted software on people's computers doesn't make it ethical. They were piggybacking their adware software on screensaver software or little widgets and then hiding that extra unwanted software on your system so it wasn't clear where it was coming from. Putting something in the EULA that you click through shouldn't cover this.

You had to go to some web site, download an uninstaller, take a short survey about why they were getting rid of us, and then it would actually remove us and we would also leave a Registry key to make sure we didn't reinstall.

That isn't like any uninstaller I have ever heard of, basically that means that they hid software on your machine and only the people that somehow realized what precisely was causing ads to pop up randomly on your screen could then follow some really obscure and tedious process to remove the software. That isn't an ethical practice.

Re:Not a complete jerk (1)

Lord Ender (156273) | more than 5 years ago | (#26440553)

You have no experience with adware uninstallers, it seems.

This scumbag's software could ONLY be uninstalled if the user jumped through more hoops than in a hula hoop factory. If you used the Windows uninstall feature or deleted directly, his software would reinstall itself.

Only after forcing you to take a survey on the web would you have the option of removing the software. Surveys are valuable commodities. Basically, he wrote ransomware.

A series of threads (1)

Jotii (932365) | more than 5 years ago | (#26440001)

It runs merely as a series of threads

I am certain that a truck would run better.

The new battle ground (4, Interesting)

girlintraining (1395911) | more than 5 years ago | (#26440019)

I think the Windows programming model is at fault for much of the obfuscation tactics used by malware. Entire classes of exploits have arisen due entirely to the complexities and obscurities of the interface. Modern anti-malware tactics have to monitor many different parts of the operating system, and in some cases due to architectural constraints the methods of doing so can make the entire operating system unstable. Not only that, but race conditions and the use of special trap conditions/exception handling can make safely disabling malware a frustrating experience. Even professionally designed applications can sometimes tank the Operating System. Try disabling Symantec Anti-virus on an XP system without a reboot, for example, and then doing a reinstall of it remotely. In the field, I saw failure rates of about 6% for SAV10. On a hundred thousand systems, let's just say I was not happy on that deployment! Killing malware is even more risky.

Windows is layers upon layers of earlier APIs that cannot be removed due to "backwards compatibility" concerns. I have some limited exposure to the .NET framework, and it has perhaps a half-dozen APIs for threading, and the documentation is riddled with exposed interfaces that have the note "Do not use. Not safe. bullet in the brain pan squish" in it. Over a third of the API is already deprecated (as far as I can tell), and there is an ever-shifting set of best practices standards. I can only imagine the hell a proper programmer endures in developing truly complex applications for .NET -- all I was doing was a few WMI calls and a database interface and I still crashed the kernel many times trying to figure out what to trap -- in many cases, error handling is mostly about creating a catch-all and then trying to break your code to see what is generated and then guessing what to trap accordingly. With an interface this complicated and unstable, it will always be a cat and mouse game between the white and black hats on this architecture, a game predicated on undocumented interfaces, obscurity, and deep knowledge of layers of the operating system that interact in unpredictable ways.

Compare this to Linux, where the interfaces haven't changed that much, and when they do, deprecated means "We're going to remove this in a year or so and we mean it." Open source has one huge advantage here -- if it's not maintained, it ceases to be relevant and there's no 20 year old code lurking about in an unused API long forgotten. At least not nearly to the degree Windows has it. If you ask me, Microsoft is complicit in allowing malware to exist because they are unwilling to modernize Windows. They need to start over from scratch on their codebase and have a good hard think about what those APIs and interfaces are going to look like and then stick to it. Or at the very least, they could start by documenting these interfaces and releasing some code so we can be more confident that our hooks into their black-boxed APIs won't tear the operating system's heart out...

Re:The new battle ground (3, Insightful)

Shados (741919) | more than 5 years ago | (#26440163)

Over a third of the API is already deprecated (as far as I can tell), and there is an ever-shifting set of best practices standards. I can only imagine the hell a proper programmer endures in developing truly complex applications for .NET -- all I was doing was a few WMI calls and a database interface and I still crashed the kernel many times trying to figure out what to trap -- in many cases, error handling is mostly about creating a catch-all and then trying to break your code to see what is generated and then guessing what to trap accordingly.

Whoa there, cowboy... only a very small part of the API is deprecated, the best practices changed a bit once, and only had additions as new features popped, but didn't change much in years... if you crashed the -kernel-, you were using legacy APIs through .NET, not .NET itself, and error handling is very well documented for the most part, and doing a catch-all is a (no offense, since .NET is obviously not your primary dev environment) noob way of doing things and is heavily warned against since version 1.

Maybe you fell in the ONE edge case where it doesn't work well, but 95%+ (probably more) of it works flawlessly, is clearly documented and predictable... even if you go really deep. It becomes a bit more messy when you're interacting with separate products that just happen to have APIs coded in .NET (especially if it's not the only language, and thus is probably coded by programmers who have no clue wtf they're doing), and it's poorly done... Happens a lot. An example is the SSIS API (that's by Microsoft too), which is in .NET, but was clearly written by C++ gurus... so it's a total fucking mess.

Re:The new battle ground (1)

girlintraining (1395911) | more than 5 years ago | (#26440587)

Well, you're probably right on all counts. .NET is not my environment. But when my manager throws me an intractable problem that's going to result in a legion of poorly trained kids being thrown at it otherwise, in less than a month, I adapt. I also scream "Train! Train! Get off the tracks--TRAIN!" to the aforementioned manager while doing so. -_- I basically had an O'Reilly book on Visual Basic and the online references to work with. And I had to bust a few people's nuts in another department to get Visual Studio installed on my system. Oh yeah -- and no dev boxes. Every test I did was against a production system, because they wouldn't give me access to the dev boxes ("You're in software deployment, not development!"). So yeah... My knowledge of .NET is entirely trial-by-fire. Add that to the endless frustrations of the SMS/WMI SDK and a total lack of training on SMS (again, I worked in deployment, so why would I need access to the console?)... well, you get the idea.

Maybe your experiences were better (maybe owing to not being in a pressure-cooker environment), but my experience of .NET was that the documentation was there but it was confusing at best and the code examples left something to be desired -- like "Why X instead of Y?" But I don't think you'll argue with me that Windows programming is helluva more complicated than Linux/Unix, and unnecessarily so.

Re:The new battle ground (0)

Anonymous Coward | more than 5 years ago | (#26440289)

Compare this to Linux, where the interfaces haven't changed that much, and when they do, deprecated means "We're going to remove this in a year or so and we mean it."

Yeah, right: char *gets(char *s) [wikipedia.org]

Re:The new battle ground (1)

Chabo (880571) | more than 5 years ago | (#26440341)

"Do not use. Not safe. bullet in the brain pan squish"

I wish the API docs actually said that... that would be awesome.

Re:The new battle ground (0)

Anonymous Coward | more than 5 years ago | (#26440393)

It's disappointing. Maybe the answer is to do a careful rewrite as you suggest, and create a WOW-like compatibility layer for legacy code that sandboxes poor behavior -- inform users of any hooks or startup entries the code attempts, prevent hooks and startup entries from the legacy code when booting to safe mode, and keep a control panel option around that lets users disable or remove legacy applications independently of their uninstall binaries.

I don't think transition to a more secure system has to severely impact backwards-compatibility, but there's not a lot of incentive for them to change. It's more important for the OS to look pretty, tie in with small electronics, and protect the end user from using movies, music, and the operating system itself in an unauthorized manner.

Re:The new battle ground (3, Insightful)

Samah (729132) | more than 5 years ago | (#26440523)

If you ask me, Microsoft is complicit in allowing malware to exist because they are unwilling to modernize Windows. They need to start over from scratch on their codebase and have a good hard think about what those APIs and interfaces are going to look like and then stick to it.

And the new version of Windows would be laughed at by non-IT consumers. "Why would I upgrade to the new Windows when all of my stuff doesn't work?" This is part of the argument against Vista, and why some people can't see past the need to break backward compatibility to do things "the right way".

deprecated ... like the "gets" function? (0)

Anonymous Coward | more than 5 years ago | (#26440591)

"Deprecated function: char * gets (char *s). ... The gets function is very dangerous because it provides no protection against overflowing the string s. The GNU library includes it for compatibility only. You should always use fgets or getline instead."

I'm pretty sure I remember "gets" being deprecated more than 20 years ago, so what exactly does "and we mean it" mean?

Re:The new battle ground (0)

Anonymous Coward | more than 5 years ago | (#26440593)

the documentation is riddled with exposed interfaces that have the note "Do not use. Not safe. bullet in the brain pan squish" in it.

Name five.

great interview (0)

Anonymous Coward | more than 5 years ago | (#26440135)

This is quite possibly one of the best interviews I've read, ever. Definitely read the article.

Persistence is the problem (2, Insightful)

FrostDust (1009075) | more than 5 years ago | (#26440159)

Theoretically, I'm not opposed to ad-supported programs. If someone is willing to put up with an advertisement in order to use a program for free, go ahead and let them. It's worked for television, radios, and web sites for quite a while (Tivos and Ad-Block aside).

The problem, obviously, is when uninstalling the adware becomes a major hassle. For example, the author described in the interview how you would have to download a special uninstaller from the net, fill out a survey, and allow them to keep a registry key installed permanently. That is bullshit. Uninstalling shouldn't force any remains of the program to be left behind, period. Yes, in this situation it prevents unintentional (or intentional) reinstalls, but that wouldn't be an issue if adware didn't rely on drive-by downloads and was more upfront in what was being installed with the main program.

To maintain some sense of legitimacy, uninstalling shouldn't be more complicated than a few clicks from using the Add/Remove Programs dialog, and not leave behind any of the program's code.

Sadly, no. (5, Insightful)

lucas_picador (862520) | more than 5 years ago | (#26440167)

From the article:

In their licensing terms, the EULA people agree to, they would say "in addition, we get to install any other software we feel like putting on." Of course, nobody reads EULAs, so a lot of people agreed to that. If they had, say, 4 million machines, which was a pretty good sized adware network, they would just go up to every other adware distributor and say "Hey! I've got 4 million machines. Do you want to pay 20 cents a machine? I'll put you on all of them." At the time there was basically no law around this. EULAs were recognized as contracts and all, so that's pretty much how distribution happened.

Um, no. Unconscionability is a pretty ancient principle of contract law. People joke about signing away their first-born child in an unread EULA, but they understand that it's a joke: that term would never be enforced by a court, because allowing contracts of adhesion (like EULAs) signed by non-lawyers in casual circumstances to extract those kinds of concessions from the parties would result in the complete breakdown of society.

So when this guy (and his bosses) talk about how there was "no law around this", they're not fooling anyone, least of all themselves. If I buy a bus ticket and on the back there's some fine print stating that by riding the bus I've agreed to let the driver break into my house and take anything he wants, guess where the bus driver ends up if he tried to exercise his contractual "rights"? In prison. Which is where this guy belongs.

Re:Sadly, no. (0)

Anonymous Coward | more than 5 years ago | (#26440409)

And a contract which you only become aware of AFTER signing it is completely unenforceable anyway.

Why Windows Registry is a bad idea (5, Interesting)

whoever57 (658626) | more than 5 years ago | (#26440211)

From the interview:

We did create unwritable registry keys and file names, by exploiting an "impedance mismatch" between the Win32 API and the NT API. Windows, ever since XP, is fundamentally built on top of the NT kernel. NT is fundamentally a Unicode system, so all the strings internally are 16-bit counted Unicode. The Win32 API is fundamentally Ascii. There are strings that you can express in 16-bit counted Unicode that you can't express in ASCII. Most notably, you can have things with a Null in the middle of it.

That meant that we could, for instance, write a Registry key that had a Null in the middle of it. Since the user interface is based on the Win32 API, people would be able to see the key, but they wouldn't be able to interact with it because when they asked for the key by name, they would be asking for the Null-terminated one. Because of that, we were able to make registry keys that were invisible or immutable to anyone using the Win32 API. Interestingly enough, this was not only all civilians and pretty much all of our competitors, but even most of the antivirus people.
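The counted-string versus NUL-terminated mismatch quoted above, as an added example that is not part of the interview, this comment, or Direct Revenue's code. It is a portable C simulation: a tiny key table keyed by counted UTF-16 names stands in for the registry, the `nt_*` functions model the native API that takes a counted name, the `win32_*` functions model callers that hand over a NUL-terminated name (and so lose everything after the first NUL), and `find_hidden_keys` is the check a defender would run over the table. All function names, the table, and the sample names `Adw\0are` and `Run` are constructed for this example; on a real system the equivalent of the detector walks keys with the native enumeration call and inspects the returned counted name rather than the NUL-terminated copy a Win32 viewer shows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Counted UTF-16 name, the shape of an NT UNICODE_STRING: no terminator, explicit length. */
typedef struct {
    const uint16_t *buf;
    size_t len;            /* code units, not bytes */
} counted_str;

typedef struct {
    counted_str name;
    int in_use;
} reg_key;

#define MAX_KEYS 8
static reg_key g_keys[MAX_KEYS];   /* constructed stand-in for a registry hive */

static int names_equal(counted_str a, const uint16_t *b, size_t blen) {
    return a.len == blen && memcmp(a.buf, b, blen * sizeof(uint16_t)) == 0;
}

/* NT-style lookup: an embedded NUL is just another code unit of the name. */
int nt_find_key(const uint16_t *name, size_t len) {
    for (size_t i = 0; i < MAX_KEYS; i++)
        if (g_keys[i].in_use && names_equal(g_keys[i].name, name, len))
            return (int)i;
    return -1;
}

/* NT-style create: returns the slot index, or -1 if the key exists or the table is full. */
int nt_create_key(const uint16_t *name, size_t len) {
    if (nt_find_key(name, len) >= 0) return -1;
    for (size_t i = 0; i < MAX_KEYS; i++) {
        if (!g_keys[i].in_use) {
            g_keys[i].name.buf = name;
            g_keys[i].name.len = len;
            g_keys[i].in_use = 1;
            return (int)i;
        }
    }
    return -1;
}

int nt_delete_key(const uint16_t *name, size_t len) {
    int i = nt_find_key(name, len);
    if (i < 0) return -1;
    g_keys[i].in_use = 0;
    return 0;
}

/* Win32-style callers pass a NUL-terminated wide string; its length is whatever
   precedes the first NUL. That scan is the truncation the interview describes. */
static size_t w_strlen(const uint16_t *s) {
    size_t n = 0;
    while (s[n]) n++;
    return n;
}

int win32_open_key(const uint16_t *name)   { return nt_find_key(name, w_strlen(name)); }
int win32_delete_key(const uint16_t *name) { return nt_delete_key(name, w_strlen(name)); }

/* Win32-style enumeration copies the name into a NUL-terminated buffer, so a viewer
   shows only the part before the embedded NUL. Returns the number of units shown. */
size_t win32_enum_key_name(int idx, uint16_t *out, size_t cap) {
    counted_str n = g_keys[idx].name;
    size_t k = 0;
    while (k < n.len && k + 1 < cap && n.buf[k]) { out[k] = n.buf[k]; k++; }
    out[k] = 0;
    return k;
}

/* Detector: walk the table NT-style and flag any name with a NUL before its end,
   i.e. a key that Win32-based tools can list but never open or delete. */
size_t find_hidden_keys(int *hidden, size_t cap) {
    size_t found = 0;
    for (size_t i = 0; i < MAX_KEYS && found < cap; i++) {
        if (!g_keys[i].in_use) continue;
        counted_str n = g_keys[i].name;
        for (size_t k = 0; k < n.len; k++)
            if (n.buf[k] == 0) { hidden[found++] = (int)i; break; }
    }
    return found;
}

void reset_keys(void) { memset(g_keys, 0, sizeof g_keys); }

/* Constructed sample names: "Adw\0are" (7 units, embedded NUL) and a benign "Run". */
static const uint16_t k_hidden[] = { 'A', 'd', 'w', 0, 'a', 'r', 'e' };
static const uint16_t k_plain[]  = { 'R', 'u', 'n', 0 };

int main(void) {
    reset_keys();
    nt_create_key(k_plain, 3);
    int h = nt_create_key(k_hidden, 7);
    uint16_t shown[16];
    size_t visible = win32_enum_key_name(h, shown, 16);
    int w_open = win32_open_key(k_hidden);      /* looks up "Adw": not a key */
    int w_del  = win32_delete_key(k_hidden);    /* same truncation, same failure */
    int hidden[MAX_KEYS];
    size_t n_hidden = find_hidden_keys(hidden, MAX_KEYS);
    int nt_del = nt_delete_key(k_hidden, 7);    /* only the counted API removes it */
    printf("win32 sees %zu of 7 units; open=%d delete=%d; detector flagged %zu; nt delete=%d\n",
           visible, w_open, w_del, n_hidden, nt_del);
    return 0;
}
```

The point of the detector is that it compares the counted length against the position of the first NUL; any tool that first converts names to NUL-terminated strings has already lost the information it needs, which is why the interview notes most antivirus products of the day missed these keys.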

there are comments here threatening violence (5, Insightful)

circletimessquare (444983) | more than 5 years ago | (#26440279)

so let's educate some of you:

we capture someone like frank abagnale [wikipedia.org] , and we go all sharia law on him, as a lot of you propose, and leave him as a bloody stump

then what?

well, there are other frank abagnales out there. how do we detect them and capture them? well, the frank abagnale you just beat to a pulp: he would have made a good tool to do that, ya think?

luckily, in real life, this is exactly what the feds and the banks did. in real life, you capture and use highly intelligent crooks to... drum roll please... capture more highly intelligent crooks. get it?

law enforcement is hard grinding work, it doesn't happen like "death wish" or "dirty harry". i know in some of your justice league of america fantasy lives, delivering justice with a fist and a gun is the way to go. but we'd like to talk about reality, ok?

so to review:

1. we can have justice your way, and beat adware authors to a pulp, or
2. we can have smart justice, and listen carefully to mr. adware author's words, and use those words to catch more adware authors

get it? see the difference? do you want to pursue justice? or do you want to beat people up?

these are mutually exclusive activities, despite your dimwitted fantasy lives

now go crawl back under your rocks mouth breathers. nobody who is actually going to catch and punish cybercriminals in this world is going to think like you do

even the most vile amoral serial killer is useful to keep alive and listen to. simply for matters of brain analysis and psychological study. or, we could put a bullet in his head, scrambling the abnormal brains, and having nothing useful to catch more vile amoral serial killers

dumb violent justice leaves a dumb violent society that knows nothing about the smart and truly vicious criminals in their midst

smart justice is about studying smart criminals, and using them against each other

Re:there are comments here threatening violence (2, Insightful)

Red Flayer (890720) | more than 5 years ago | (#26440643)

You make a good point, but there is a huge flaw to your system.

There is no disincentive to do wrong.

I know there's a big philosophical issue with deterrence as a reason for punishment, but the truth of the matter is that people will tend to not commit crimes when the

[risk of getting caught]*[punishment when caught] is greater than [benefit from committing crime]

I think your philosophy tries to tip the balance by increasing the risk of getting caught for potential criminals... but that doesn't help when the punishment is minimal and the potential gains so large. Let's see... a life of luxury vs. a short stint in country club prison and a consulting gig with a three-letter-agency.

The key is to increase the chances of catching criminals, while having punishment severe enough to factor into the potential criminal's decision-making process.

I'd also note... the interviewee mentions that it was a gradual change to intentionally writing malware, and the incremental decisions to do what he did were easy to make. He valued pleasing his employer over not doing wrong, even if he didn't consciously realize it. If there is a risk of severe punishment for his actions, maybe those incremental decisions would have been made differently (note that at the time, legality was not an issue, however).

To sum up, increased success at catching criminals solves nothing if it does not come with punishment for those criminals. As you point out, there will always be more brilliant people who will fulfill the role of criminal... we need to ensure that they don't *want* to commit those crimes.

The Ethics of CoreWars (4, Insightful)

ewhac (5844) | more than 5 years ago | (#26440389)

My initial gut reaction was to denounce this guy as a $SCOUNDREL (substitute your preferred profane term). But a little voice told me to go read the article, and now I'm not as sure as I was previously.

Just for fun, consider the following actions a Unitary Programmer might do to your machine. Where would you rate them on the $SCOUNDREL scale, and why?

  • Deletes viruses from your machine.
  • Deletes competing adware from your machine.
  • Rebuffs attempts by competing viruses and adware to be deleted.
  • Reconfigures IE to be more secure.
  • Reconfigures Outlook to send plaintext only, fixed-width font, no top-posting, do not load or display remote images.
  • Disables using MSWord as an email editor.
  • Deletes IE; replaces it with Firefox, preserving all your bookmarks.
  • Deletes Outlook; replaces it with Thunderbird, converting all your mail archives.
  • Deletes all BitTorrent clients; replaces it with a RIAA/MPAA/FBI warning.
  • Deletes the scary warning about installing device drivers not digitally signed by Microsoft.
  • Converts HDCP to a system security setting, and flags all unprivileged applications that attempt to mess with it.
  • Deletes Windows; replaces it with Linux+Wine.
  • Deletes Windows; replaces it with Linux+KDE, with a message on the desktop reading, "Learn to use a real computer, kid..."

Playing "CoreWars" is tricky business, and people with even a dim sense of ethics are loath to try it. But there's one case where none of the above actions are ethically questionable: When the machine's owner does it themselves.

I think the adware author lost sight of that for a while...

Schwab

There. Fixed it for you. (1)

vawarayer (1035638) | more than 5 years ago | (#26440633)

Spyware, adware, viruses and other sh1t? There [faronics.com] fixed it for you.

Disclaimer: I am not affiliated with this company in any way. Just a happy customer.

Software development as a profession (0)

Anonymous Coward | more than 5 years ago | (#26440683)

Stories like this make me think the profession should have some sort of written code of ethics. This guy violated the profession's ethics and should be barred from practicing in the future.

As it is, all we can do is call him a scumbag
