It's the latest in Web marketing innovation: Hijacked Web surfers, exploited Web browser vulnerabilities and malicious spyware all wrapped up together.
May 7, 2002 | Looking for state-of-the-art Internet skulduggery? Try this: Thousands of unsuspecting visitors to a family entertainment site are discovering a cornucopia of unwanted, potentially malicious software on their computers -- the result of a pop-up ad campaign, a booby-trapped Web site, a compromised Web browser, and strange doings at a shadowy Los Angeles company.
The story starts at Flowgo, a site that prides itself as the leading family entertainment portal. According to officials at eUniverse, the California firm that operates Flowgo, a pop-up ad that ran at the heavily trafficked humor site for a couple of weeks until late April caused the trouble.
The ad, purchased by a Los Angeles Internet marketing firm named IntelliTech Web Solutions, was designed to automatically redirect visitors away from Flowgo (no mouse click required) and to dump them at a booby-trapped site called KoolKatalog.
Once at KoolKatalog, visitors were invited to feed an e-mail address into a digital slot machine created in the Shockwave animation format. Solve the puzzle faster than anyone else, and KoolKatalog would send you a swell prize!
In the nanosecond it took most people to recognize the obvious junk mail trap, the real damage was already nearly done. According to virus experts, code in the pages at KoolKatalog exploited a known flaw in an old version of the Java engine of Microsoft's Internet Explorer browser to covertly download the first of 10 files onto visitors' computers.
KoolKatalog is currently inaccessible, but its domain name was registered by an IntelliTech employee and the phone number listed in the privacy statement at KoolKatalog is the number for IntelliTech Web Solutions. Phone messages left with the receptionist who answered at that number were not returned.
A contrite spokeswoman for eUniverse said IntelliTech's automatic redirects violated its ad policy, and eUniverse pulled the pop-ups as soon as it learned what was happening. Flowgo has achieved its success, she said -- and helped earn its publicly traded parent several quarters of profitability -- by taking great care to protect the safety of its visitors.
But according to virus experts, tens of thousands of Internet users have been back-doored by the KoolKatalog-distributed "malware," which they have added to their lists of malicious code for scanning.
"When you exploit a security bug to get your program onto someone's PC, you've crossed the boundary into what we consider malicious," said Craig Schmugar, a researcher with McAfee, which refers to the KoolKatalog-served payload as Downloader-W.
While researchers have not yet completely decoded all functions of the programs, they say two of the files, BVT.exe and ABSR.exe, attach themselves to victims' browsers and covertly monitor which sites they visit. Other components, including a file called AUSVC.exe, appear to enable the program's authors to secretly send updates or other files to the infected computer.
What's more, the install program, a file called CoolStuff.ocx, checks to see whether the victim is running a firewall, and terminates if it finds one. If no security software is monitoring outbound network connections, the installer grabs other files from one of two IntelliTech Web servers, online1net.com and wwws1.com.
"Somebody took a lot of time and attention to create this. There's a lot of error checking and careful programming in there," said Vincent Weafer, director of Symantec's virus research lab. Backdoor.Autoupder, as Symantec calls it, quietly made the software firm's list of the five most-prevalent viruses in April.