Interview with an Adware Author
Jan 12th, 2009 by sherri
Matt Knox, a talented Ruby instructor and coder, talks about his early days designing and writing adware for Direct Revenue. (Direct Revenue was sued by Eliot Spitzer in 2006 for allegedly surreptitiously installing adware on millions of computers.)
S: You wrote adware. You bastard.
M: [sheepishly] Yes, I did. I got to write half of it in Scheme, which probably means that I deployed more Scheme runtime than anybody else on the planet.
S: Let’s back up a second. Why did you write adware?
M: I was utterly and grindingly broke for a little while. I started working on spam filtering software. That work got noticed by [Direct Revenue], who hired me to analyze their distribution chain. For a little while, the site through which all their ads ran was something like top 20 in Alexa. Monstrous, really huge traffic. Maybe 4 or 5 months into my tenure there, a virus came out that was disabling some of the machines that we had adware on. I said, “I know enough C that I could kick the virus off the machines,” and I did. They said “Wow, that was really cool. Why don’t you do that again?” Then I started kicking off other viruses, and they said, “That’s pretty cool that you kicked all the viruses off. Why don’t you kick the competitors off, too?”
It was funny. It really showed me the power of gradualism. It’s hard to get people to do something bad all in one big jump, but if you can cut it up into small enough pieces, you can get people to do almost anything.
S: Did you feel this was the gently sloping path to Hell?
M: Oh yeah! Absolutely. [ laughs ] I actually believe that if you sum up everything I did it comes out positive, if only because I kicked off an awful lot more adware than I installed.
S: What was Direct Revenue’s business model?
M: Their business model was that they would buy a screensaver from somebody, or develop it themselves. It would be some stupid thing like a guy who’s washing their screen. Looks like a window washer guy? They’d say “Hey, if you want this, install our adware and you can have it for free.” An astonishing number of people will do that.
S: What did they call it? I presume they didn’t call it “adware.”
M: The good distributors would say, “This is ad-supported software.” Not-so-good distributors actually did distribute through Windows exploits. Also, some adware distributors would sell access. In their licensing terms, the EULA people agree to, they would say “in addition, we get to install any other software we feel like putting on.” Of course, nobody reads EULAs, so a lot of people agreed to that. If they had, say, 4 million machines, which was a pretty good sized adware network, they would just go up to every other adware distributor and say “Hey! I’ve got 4 million machines. Do you want to pay 20 cents a machine? I’ll put you on all of them.” At the time there was basically no law around this. EULAs were recognized as contracts and all, so that’s pretty much how distribution happened.
S: Your company’s not one of those that would leverage exploits in order to get software on people’s computers?
M: We didn’t, no. Some of the distributors certainly did. If we found out a distributor was doing that, we’d say “Now we’re not going to distribute with you any more,” and we’d try to get off those machines.
The thing that I had a real problem with was the persistence work that I was doing. This made it difficult for competitors to kick us off the machine. It was effectively impossible for a civilian to get us off the machine– unless they went through our uninstall process. You had to go to some web site, download an uninstaller, take a short survey about why they were getting rid of us, and then it would actually remove us and we would also leave a Registry key to make sure we didn’t reinstall. Sadly, some misguided antivirus and anti-adware software would go in and remove that, which therefore meant that we would reinstall again.
S: Can you tell me more about your strategies for persistence?
M: Yes. I should probably first speak about how adware works. Most adware targets Internet Explorer (IE) users because obviously they’re the biggest share of the market. In addition, they tend to be the less-savvy chunk of the market. If you’re using IE, then either you don’t care or you don’t know about all the vulnerabilities that IE has.
IE has a mechanism called a Browser Helper Object (BHO) which is basically a gob of executable code that gets informed of web requests as they’re going. It runs in the actual browser process, which means it can do anything the browser can do– which means basically anything. We would have a Browser Helper Object that actually served the ads, and then we made it so that you had to kill all the instances of the browser to be able to delete the thing. That’s a little bit of persistence right there.
If you also have an installer, a little executable, you can make a Registry entry and every time this thing reboots, the installer will check to make sure the BHO is there. If it is, great. If it isn’t, then it will install it. That’s fine until somebody goes and deletes the executable.
The next thing that Direct Revenue did– actually I should say what I did, because I was pretty heavily involved in this– was make a poller which continuously polls about every 10 seconds or so to see if the BHO was there and alive. If it was, great. If it wasn’t, [ the poller would ] install it. To make sure the poller was less likely to be detected, we developed this algorithm (a really trivial one) for making a random-looking filename that was consistent per machine but was not easy to guess. I think it was the first 6 or 8 characters of the DES-encoded MAC address. You take the MAC address, encode it with DES, take the first six characters and that was it. That was pretty good, except the file itself would be the same binary. If you md5-summed the file it would always be the same everywhere, and it was always in the same location.
Next we made a function shuffler, which would go into an executable, take the functions and randomly shuffle them. Once you do that, then of course the signature’s all messed up. [ We also shuffled ] a lot of the pointers within each actual function. It completely changed the shape of the executable.
We then made a bootstrapper, which was a tiny tiny piece of code written in Assembler which would decrypt the executable in memory, and then just run it. At the same time, we also made a virtual process executable. I’ve never heard of anybody else doing this before. Windows has this thing called Create Remote Thread. Basically, the semantics of Create Remote Thread are: You’re a process, I’m a different process. I call you and say “Hey! I have this bit of code. I’d really like it if you’d run this.” You’d say, “Sure,” because you’re a Windows process– you’re all hippie-like and free love. Windows processes, by the way, are insanely promiscuous. So! We would call a bunch of processes, hand them all a gob of code, and they would all run it. Each process would know about two of the other ones. This allowed them to set up a ring … mutual support, right?
So we’ve progressed now from having just a Registry key entry, to having an executable, to having a randomly-named executable, to having an executable which is shuffled around a little bit on each machine, to one that’s encrypted– really more just obfuscated– to an executable that doesn’t even run as an executable. It runs merely as a series of threads. Now, those threads can communicate with one another, they would check to make sure that the BHO was there and up, and that the whatever other software we had was also up.
There was one further step that we were going to take but didn’t end up doing, and that is we were going to get rid of threads entirely, and just use interrupt handlers. It turns out that in Windows, you can get access to the interrupt handler pretty easily. In fact, you can register with the OS a chunk of code to handle a given interrupt. Then all you have to do is arrange for an interrupt to happen, and every time that interrupt happens, you wake up, do your stuff and go away. We never got to actually do that, but it was something we were thinking we’d do.
We did create unwritable registry keys and file names, by exploiting an “impedance mismatch” between the Win32 API and the NT API. Windows, ever since XP, is fundamentally built on top of the NT kernel. NT is fundamentally a Unicode system, so all the strings internally are 16-bit counted Unicode. The Win32 API is fundamentally ASCII. There are strings that you can express in 16-bit counted Unicode that you can’t express in ASCII. Most notably, you can have things with a Null in the middle of it.
That meant that we could, for instance, write a Registry key that had a Null in the middle of it. Since the user interface is based on the Win32 API, people would be able to see the key, but they wouldn’t be able to interact with it because when they asked for the key by name, they would be asking for the Null-terminated one. Because of that, we were able to make registry keys that were invisible or immutable to anyone using the Win32 API. Interestingly enough, this was not only all civilians and pretty much all of our competitors, but even most of the antivirus people.
We also wrote a device driver and then a printer driver. When you write a device driver you get to do all sorts of crazy things, even crazier than the things you typically get to do in Windows. This was right around the time that the company [ got sued by Eliot Spitzer and started shrinking ]. They made a somewhat poor business decision at the same time to get visible, and they branded their ads and everything at the same time that they were having me kick all of our competitors off and we were doing all that persistence stuff.
There was also of course Scheme. Eventually, we got sick of writing a new C program every time we wanted to go kick somebody off of a machine. Everybody said, “What we need is something configurable.” I said, “Let’s install a Turing-complete language,” and for that I used tinyScheme, which is a BSD licensed, very small, very fast implementation of Scheme that can be compiled down into about a 20K executable if you know what you’re doing.

Eventually, instead of writing individual executables every time a worm came out, I would just write some Scheme code, put that up on the server, and then immediately all sorts of things would go dark. It amounted to a distributed code war on a 4-10 million-node network.
S: In your professional opinion, how can people avoid adware?
M: Um, run UNIX.
S: [laughs]
M: We did actually get the ad client working under Wine on Linux.
S: That seems like a bit of a stretch!
M: That was a pretty limited market, I’d say.
S: What is the future for adware?
M: To the extent that advertising is beautifully targeted, it ceases to be advertising and becomes more informational. The most encouraging example of this is Gmail. I see nothing but Ruby on Rails developer jobs and Scheme developer jobs on Gmail.
S: Does it weird you out that there’s some automated script filtering all your mail?
M: When I think about that, it sometimes troubles me. The good news is that I’ve been on the other side of those automated script things. Their capability is incredibly dangerous, but the actuality tends not to be.
It would have been fairly trivial for me to go spelunking for people’s credit card information or whatever. I had four million nodes. I could have done it without anybody at the company even noticing. I was the guy writing Scheme, so I could have just put a text file somewhere and then made it go away, and there wouldn’t even have been an executable lying around.
But I didn’t. To do that, by definition you have to be willing to become a criminal, and that’s a little bit rare. So I’m not too worried about that. I think that advertising is going to turn into something that’s just a big mess of algorithms, where somebody says “this guy may be interested in this new programming language.”
S: How private is people’s information today?
M: Not at all.
S: Do you think that in our society we delude ourselves into thinking we have more privacy than we really do?
M: Oh, absolutely. If you think about it, when I use a credit card, the security model is the same as that of handing you my wallet and saying, “Take out whatever money you think you want, and then give it back.”
S: …and yet it seems to be working.
M: Most things don’t have to be perfect. In particular, things involving human interactions don’t have to be perfect, because groups of humans have all these self-regulations built in. If you and I have an agreement and you screwed me over badly, you’ve always got in the back of your mind the nagging worry that I’m going to show up on your doorstep with a club and kill you. Because of that, people don’t tend to screw each other too much, right? At least, they try not to. One danger, perhaps, of moving towards an algorithmically driven society is that the algorithms aren’t scared of us showing up and beating them up. The algorithms will do whatever it is that they are designed to do. But mostly I’m not too worried about that.
S: Is there anything else you wanted to comment on?
M: People can have things as good as they are willing to work for. If you want to have a system that’s clean of nasty software, you can do that. If you want to have personal privacy, it’s possible– very hard, but possible. And I think it’s worth it.
Interview conducted and edited by Sherri Davidoff
Copyright 2009, all rights reserved.
Awesome interview! Keep up the good work! And let’s hope you don’t work for adware again.
One of the most intriguing interviews I’ve read in a while!
Great interview. Well done
All this time I thought that getting rid of spyware getting more and more difficult was due to technicians removing it from people’s computers.. To all of the current spyware coders, “YOU GO TO HELL!! YOU GO TO HELL AND YOU DIE!!”
but then I think to myself.. i make money off all these stupid people.. the true american way..
I started out the article wanting to hunt you down and waterboard you terminally. In the end I saw that you are intelligent and not entirely immoral. I hope you do well.
Enjoyed the read, thank you.
Very interesting interview.
Thanks, good reading. You’re quite likely one of the reasons I’m a full-day ubuntu user these days.
Fascinating!
Makes me glad I run Linux and freaked out about (lack of) privacy! Great interview.
i wonder how windoze7 compares? they’re touting it as “the most secure” whatever that means.
Love it, though the only new information was the bit about kicking off the competition. Very cool.
Somehow missed this on my rss feed yesterday but then saw it on slashdot (nice!). Great interview.
Cheers,
Andi
“But I didn’t. To do that, by definition you have to be willing to become a criminal, and that’s a little bit rare. ” – That’s not a very interesting rationalization, and most people do view you as a criminal.
> Most things don’t have to be perfect.
Programmers… Read the above and take heed. Especially open source programmers. Have it printed on t-shirts. Tattoo it on your forehead. Just never forget it.
Programming is an attempt to enforce logic and reason on a world population that’s anything but.
Oh, so that BSD daemon really is evil!
great guy comes great mind
maybe already ad-ed if i m commenting too much here
hahaha….
Great interview.
Guys, please be respectful in your comments. I received a couple that were not appropriate to post. Matt is a wonderful teacher, a great coder and a good friend. It was pretty awesome that he did this interview and gave us the inside scoop on how a noted adware company operated, both technically and from a business perspective. Sometimes people find themselves in positions they don’t intend, and he certainly recognized that and moved on. Nowadays he uses his skills to educate and create software for doctors. He’s offered us some valuable insight in this interview, and I for one very much appreciate it.
fun read – great job!
WOw, he sounds like a really cool guy!
Great read, very informative. Sad, but informative. Thanks.
Interesting article! I never heard someone explain the vulnerabilities of windows in such a simplistic manner; it makes me wonder if Windows will ever overcome those vulnerabilities while relying on an NT based kernel. As an avid Windows user (because that’s all I know), it ticks me off that the OS is so vulnerable to malicious code. It also explains why these days, if you get a well written piece of Adware from an organization that has no morals, a Windows reinstall is in your future if you want any peace of mind.
Great interview! I for one really appreciate you candidly discussing the technical aspects in simple terms, as well as your relatively pragmatic outlook on what young, smart kids will do if they are hungry and broke.
Those of you who roll out the “most people think you are a criminal” mentality, have you ever jaywalked? You are a criminal.
A former roommate who I very much respect (and happens to be the grand-daughter of people that you’d recognize from your history of computing lectures) for a brief period worked on helping spams get through filters. I was shocked and unimpressed, but she made a really excellent point: if she didn’t, someone else would.
In conclusion, we all could find ourselves in Matt’s shoes at some point in our lives. Hopefully we’d also be able to talk about it with such openness, later.
Matt is being modest: we were under constant pressure to do far more awful and dangerous things in the name of ‘stickiness’, and we refused.
The accepted goals of our team were simple: [1] once we’re installed, stay installed until the user asks us off [2] make sure it’s the user asking us off, and not a competitor’s code [3] when the user asks us to leave, leave. We took all three points very seriously.
That second requirement was why you had to download an uninstaller (which used a captcha): anything already on the user’s machine could be reverse-engineered.
When users did have trouble getting us to uninstall, we were actually horrified, because once you misuse the magic there’s no telling how bad things might get.
As for unauthorized installs: we didn’t just wait for user complaints, we actually ran multiple webcrawlers designed to detect drive-by downloads.
Even so, it was a dance with the Devil. As with much ordinary advertising, we were exploiting people’s naiveté and/or stupidity; I’m glad to have it behind me.
“One danger, perhaps, of moving towards an algorithmically driven society is that the algorithms aren’t scared of us showing up and beating them up. The algorithms will do whatever it is that they are designed to do. But mostly I’m not too worried about that.”
Is that because an increasing lack of privacy will allow developers and deployers of malicious algorithms to be more identifiable and clubbable in the future?
And presumably, you are also not too worried about the potential for AI-generated malware anytime soon?
you know … the true irony is that microsoft has probably heard of matt and hasn’t even considered hiring someone like him (and paying him very large buckets of money) to make windows 7 secure.
seriously, for someone of his talent and knowledge, how hard would it be?
give the guy a building, a staff, a large expense account, and watch him build a secure OS that microsoft could be proud of.
wishful thinking?
cheers
david
http://www.davidsmeaton.com
Yeah, Eric is correct, in every respect. We did try pretty strenuously to make sure that we didn’t get on machines through exploits, something which is extremely hard to avoid for any provider of ad-supported software. And there were several things that we did refuse to do.
Very interesting article.
What are Matt’s thoughts on the security of the Vista kernel?
Clearly he wasn’t impressed with NT, but since it’s technically obsolete I would be very interested to hear an ex-adware coder’s views on the “infectability” of Vista’s kernel.
> A former roommate who I very much respect (and happens to be the grand-daughter of people that you’d recognize from your history of computing lectures) for a brief period worked on helping spams get through filters. I was shocked and unimpressed, but she made a really excellent point: if she didn’t, someone else would.
What sort of excuse is that? It’s no excuse at all. Write a virus or worm that steals information and say “if I didn’t someone else would”.
And being broke is no excuse for committing wrong acts either. But in her and Matt’s case it doesn’t sound too evil. Still questionable behavior though.
It’s not black or white, but shades of grey.
TheSmJ: I wouldn’t go so far as to call NT “technically obsolete.” My new Thinkpad arrived last week, with Vista Business pre-installed… and a free “XP Downgrade” CD
Interesting interview.
@Sherri Lol.
Found this article via Slashdot and surfed in to read. I am glad I did. Great interview, informative yet readable even to this novice coder. Makes me glad I am going to be migrating to Ubuntu once my current Windoze install dies.
Awesome interview.
What a shocking lapse of ethics. Can this guy even conceive of the time he’s wasted throughout the world?
He can’t bundle an uninstaller because ‘competitors’ would take advantage of it? Hah. A very strained rationalisation for circumventing anti-malware tools. It’s not like the victims are going to download a separate uninstaller after what happened the last time they downloaded something from criminals.
Guys like him are contributing to the general public’s growing mistrust of 3rd party app developers. It’s really sad that eventually no-one will touch windows freeware/open source with a barge pole.
There is no way this guy should be teaching. What the hell kind of example is he setting?
Brilliant. I don’t blame him for enjoying it, I would love this job as well.
Matt… fascinating article. Though I wish you would show a little more remorse. Speaking metaphorically, sure, when people are broke they often turn to prostitution. But you turned to drug dealing. And there’s a big difference.
A knife can be used by a doctor to save a patient from death and the same knife can be used by another guy to kill. But it is rare that somebody coming and explaining all this in public. I totally appreciate this interview.
@Craig: Matt has probably given you, and us, more information in this one article than we would ever have come across through our own research on this subject. He’s not doing it any more, and is now helping less-informed people to deal with this problem by granting an insider’s perspective. This type of coding goes on daily, so why attack the one guy sticking his head above the parapet to try to help the rest of us out?
What part of the law says it is OK to delete competitor’s programs without permission of the computer user/owner? Seems like that is a pretty weak reed to base a defense on. Surely if it were valid, every MSIE download would delete Firefox. These guys are lucky not to be in jail.
Well, microsoft has been aware of this for a long time, and won’t take any initiative to stop it. Why?
Because selling anti-virus software is a business, anti-adware too; they exploit the fundamental user-side problem: crash landed on the internet with no knowledge of what they’re doing.
They (microsoft) even make and sell these A-V-like or anti-spyware products (OneCare for example), to have a piece of the cake from this business.
Have you noticed that when you buy a computer shipped with windows xp/vista it always comes with norton a-v?
do you wonder why?
Partnership, money, money.
Without viruses, adware, spyware, bots, etc, anti-virus software would be useless, and then would go bankrupt; it’s all in their interest to let this keep working. i don’t say they make some, i just say that they are aware of this, and they let it go; they could have patched/hardened windows a long time ago, don’t forget that.
You’re in real trouble from day one with windows *…
So is this guy (matt) more guilty than someone else in this whole business?
i don’t think so, he was just a talented pawn in this industry.
And i want to thank him and the interviewer very much for this good interview.
Regards Laurent
Hey dude, good job (from a programmer’s stand point)…like what I read, very smart, but I believe in returning as well.
How about you hand over your knowledge and help certain AV makers out, by developing a template or GPL licensed utility that helps out with this stuff, sort of like Darth Vader switching back to the good side at the end of Return of the Jedi!
Good luck in future endeavors and stay away from the warez
An interesting and informational interview.
Thanks
Andrew
I really appreciate the interview and learned a lot, thanks for being so open Matt I’m sure a lot of people really liked it. And as for the people saying how you’re a criminal, they clearly don’t understand the laws regarding this stuff, you’re cleaner than Kevin Trudeau, and he’s on tv pitching his bullshit. Either way thanks for getting out of the market and I hope you left with a large chunk of money for your innovations for the very least.
Absolutely Fascinating read.
As a freelance tech on the weekends, I have faced numerous BHO’s and registry infested adware that are really persistent. I created a batch file that keeps growing to remove registry entries, files, folders and the like, in an attempt to make my job a lot easier. I must say that this was a very valuable interview that I will PDF for future reference. I have read other interviews by hackers, and irc maniacs that launch ddos attacks and the like, but this was more interesting because I attend to these problems weekly.
It’s a shame antivirus companies don’t invest in hiring people capable of finding and eliminating adware threats as much as the viruses they (the antivirus giants) create.
Switching to Ubuntu was worth it I suppose then
Sigh… any OS is insecure when you do normal work as an administrative user. It doesn’t matter what the OS is… if you’re blindly running executables and install scripts then *nix is just as vulnerable. If you had a million people out there running *nix as root fulltime and installing random scripts and executables they downloaded off the net you’d have just as many problems.
This sort of self justification, and the adulation that the author adds to it, are disgusting. The Milgram experiment is about listening to an authority figure under duress when being told that it’s in the subject’s best interest, not being too lazy to find a job and wanting to make money for several months at a time.
Obscene.
Great article. Scheme … really? That is very cool.
It sounds like Matt and Eric worked hard not to cross certain lines. Ultimately many of the security issues are social not technical. If you can convince someone to do something you want, it doesn’t much matter what kind of security the operating system has.
Great Article, but this is just adding to the discussion about personal privacy providing evidence for how much we don’t actually have.
This is how Skynet will take over the world people.
Remember what the man said:
“Use Unix.” Or Linux. Heh?
A great interview that will hopefully help anyone trying to fight adware on Windows.
Probably a lost cause as long as Microsoft insists on maintaining a lot of backwards compatibility across versions of Windows.
@Craig Timpany:
Why would people refuse open source? Surely the point is that you can see exactly what the software is doing… Freeware I can understand but then again anything that is closed source could be hiding all sorts of ‘goodies’.
@People asking about Vista and 7:
As far as I know they both use the NT kernel (versions 6 and 7 respectively).
I’d say it’s time for more people to give a more secure system a go. Ubuntu is nice and easy to use, or even Kubuntu which looks more similar to windows.
Cog
Invaluable. Thank you, Matt, for explaining (at a high level, but with enough low-level insight to shed extra light where needed) how Windows allows for the realization (in software) of so many nastinesses. I’ve often wondered how some of these adware processes work. Now, thanks to you, I have at least a small glimpse at what goes on. And Matt, there’s no shame in how any person makes a buck as long as it’s legal. As long as you haven’t committed a crime I don’t think anyone should treat you as if you had! The real crime here is that Microsoft would so negligently expose so many unwitting users to so many serious security risks. The average person has no clue how dangerous Windows computing is.
Good job. Live long and prosper.
If you notice, he used IE to get in in the first place. It is by definition the front door to getting the code on the pc for a start. So please understand that using a proper browser with added security will get you a long mile safer.
I sure hope those scripts are signed & validated and the webservers they are on bl**dy secure.
… Because I read that as, Dear hacker we have a 4M node botnet ready made for you to pwn.
@JohanC: If you incorporate your adware in some popular program (like ask.com does in Vuze), then you don’t even need a browser. And I bet they also developed a Firefox extension.
@Author: Well written, thanks for the interview.
@Peter Forde
“I was shocked and unimpressed, but she made a really excellent point: if she didn’t, someone else would.”
What a stupid reason for someone to justify their actions with. And what’s worse is that there are actual living people who could find that logic to be “excellent”.
P.S. Fascinating interview.
Thanks for the excellent read.
I run Windoze with weakened immunity. I was recently infected with very similarly behaving symptoms: changing DLL names, reviving from the dead, spawning IE even with no window even though I only use FF. Seeing IE running as a process was actually my tip-off that I had been infected. I tried a whole evening to kill this evil doer and it still beat me. Looking up the processes on google led me to run superantispyware.com free code – never heard of them before. It killed the spam once and for all. I felt so guilty for using freeware that worked better than my virus checker that I paid them five bucks. I may have to buy the full blown version.
I’d love to learn that you were asked to serve in an advisory capacity to the Obama administration. One that would be tasked with educating our legislators on the capacity of programmers (black or white hat) to invade the valuable privacy of anyone with a PC on the Internet. The British Invasion is alive and well, and FISA is still being ignored.
Your voice might carry the weight of authority in the wilderness of New World Order.
*blink, blink* Oh, sorry… I musta been dreaming.
Dude, Kudos on the successful ad-ware, that must have been the most challenging script I ever had to remove, thanks for keeping things interesting and keeping me in the computer repair biz.
Hey, have you ever thought of looking into AI software, you might do well?
Excellent read. Good to know about the most deployed scheme app.
Great interview!
It irritates me how judgemental people are about ‘bad people’. Be it murderers, rapists, malware writers, spammers etc. Just cause people do bad things doesn’t mean they aren’t human too. People who have committed / do commit worse atrocities have been and are regularly given more respect and power. Just look at Bush, Hitler, Bill Gates, and many many other people you never find out about. Many people are responsible for polluting the environment (including each one of us), for instance, which kills or harms real people. His ‘crimes’ (may not be legally criminal) arguably have many positive benefits to those people whose machines are infected. As he said, his software removed other, less benevolent adware and malicious programs. That may have in itself made those machines usable for people who would have otherwise trashed them, or more likely caused those individuals to go out and buy anti-malware/virus software from companies who make deceitful or fraudulent claims regarding the ability to secure their computers. I’m primarily referring to well known companies such as McAfee & Norton amongst others sold in retail & computer shops around the world. These companies in my opinion are the ones truly taking advantage of people in a malicious way, as they directly take people’s money and are generally unable in practice to secure (remove all the malicious programs from) the end users’ machines, despite those being the impressions given to their customers.
When you are on the Internet communicating with others using means that are risky, you should not have any expectation of security beyond that which is reasonably ascertainable (you can identify an SSL connection to a site that is reputable, fine; otherwise it is your own fault for getting infected, unless vulnerabilities were used to infect, at which point the blame needs to be put on Microsoft, or on the browser/application author where payment for the software was involved, if that contract should have reasonably included secure coding; Microsoft fails to release timely patches, thus should be liable). In that regard Microsoft should be liable for users’ infections in many instances where these infections come through non-user initiated processes of Microsoft applications.
Awesome interview!
About half way through (the part where it’s mentioned to use unix to be adware-free), I stopped, copied that Q&A volley, then emailed it to my mother just to say, “See! Even the guy that writes the malicious software says that you shouldn’t use Windows!”
At the very least, the response will be worth a good laugh.
@JohanC: Don’t fool yourself: Firefox would not have saved you. There are two reasons for this.
First, we did not take advantage of IE vulnerabilities to get on the machine, nor did we need to. Once you clicked on the ‘download’ button, whatever your browser, we were just another setup program.
Second, we eventually abandoned the IE-specific BHO architecture in favor of using the Accessibility API, which works with all browsers, and some version of which exists on most operating systems. (The BHO served only one purpose: to look at which URLs you were visiting. This helped determine which ads to show.)
Something else that should be mentioned: people whose machines were completely overrun and essentially disabled by adware — I examined two of these myself — were the victims of a very specific attack, a drive-by download that installed dozens of different ad clients all at once, like a parasite that kills its host. (They did this because distributors, in this case the attacker, were paid on a per-install basis.) By contrast, if our client ever showed more than a few ads per hour that was a bug, not a feature.
On a separate note: If you run an ad client and analyze its traffic, you can produce a list of all the sites that place ads with their network. You can imagine the uses for this, as did our ad sales department.
What a great, insightful interview! Good job!
Re: Pete Forde
“…she made a really excellent point: if she didn’t, someone else would.”
Further, the Nazi concentration camp guards that forced the Jews into the gas chambers didn’t really do anything wrong. After all, if they didn’t do it, Hitler would have found somebody else to do it.
Re: Krishna
“…Probably a lost cause as long as Microsoft insists on maintaining a lot of backwards compatibility across versions of Windows.”
Doesn’t MS have its own virtualization environment now? Why not run programs that need backwards compatibility in their own self-contained virtual machine running $legacy_windows_version? Or is my new dual 2Ghz 64-bit quad-core box incapable of running an old win32 program from 1997 alongside MS Word and IE?
Re: Norman Andrews
“…when people are broke they often turn to prostitution. But you turned to drug dealing. And there’s a big difference.”
Agreed. Full disclosure: I once worked for a company that spammed search engines. My justification at the time: I was *broke*, and they *paid* me to look at *porn* my first day on the job. There were certainly bigger scumbags than myself at that company. But I still feel dirty. Fortunately, the people at Google et al were able to render the spamming techniques impotent. Too bad the AV / anti-malware vendors seem to be losing their race. It would be nice to see Matt Knox do a complete 180 and work for them as a consultant (not that McAfee or Symantec would be interested in such talent…)
“Something else that should be mentioned: people whose machines were completely overrun and essentially disabled by adware — I examined two of these myself — were the victims of a very specific attack, a drive-by download that installed dozens of different ad clients all at once, like a parasite that kills its host. (They did this because distributors, in this case the attacker, were paid on a per-install basis.) By contrast, if our client ever showed more than a few ads per hour that was a bug, not a feature.”
Document 29 of the NYAG Vs Direct Revenue, LLC. These are comments from DR staff via internal emails:
“I got at least 30 ads today from Aurora, sometimes back to back within a minute…my computer crashed four times”.
“As a follow up to our conversation last week where I mentioned we are abusing the hell out of our users…I installed Ceres ad client on my machine, and the program literally disabled my computer from functioning in a normal manner”.
“there are several timers in place for us to work with. We really are hammering users right now. There are two key settings – how often the client checks in and how much lapse between ads the server waits before serving another. I have asked Rod to back off the server setting to 2 minutes while leaving check-in rate at 45 seconds”.
“I have often believed that we are hammering users too often. The temptation is to get as many impression opportunities as we can..”
“I think we all agree that we are popping too much. There are actually several settings that control how often we pop”.
Already mentioned, but Document 30:
“I think it almost certain that we will dial back significantly on the user abuse and let revenue fall to something around $100k”. Joshua Abram
Or how about Document 40, where they give the order to “raise the frequency cap” to increase the total number of adverts served up to end-users.
There’s always Document 120, where (amazingly) someone suggests they should REDUCE the frequency of adverts – but only so people don’t associate the adverts with a newly installed copy of Morpheus and so uninstall their future revenue stream. Classy.
Now, you tell me. Does it look like the frequency of adverts was consistently referred to by Direct Revenue staff over and over again as “abuse”, and that they were fully aware of what was happening at all times? And does it look like they only ever turned them down when they were in danger of “losing their userbase” or had to fool Morpheus users into thinking the adverts were coming from somewhere else?
Bug? Or feature?
How about we ditch them both and settle for shenanigans?
Oh, my first post doesn’t appear to be sitting in the mod queue (unlike the second one), so I’m reposting it.
“We do not presently make much effort to assure that people are not getting our ads legitimately, but it would not be that hard for us to make fraudulent ad consumption a near-impossibility”. That’s from someone called “Matt Knox”, in 2005, from Document 25 of the NYAG Vs Direct Revenue. Would I be right in thinking this is the same person above?
Even accounting for the “advice” which follows with regards suggestions for “improving” this area (which I’m sure were immediately ignored by the top brass at DR), that hardly gels with the image presented above where Matt is making a big deal out of being “horrified” by all the dubious practices at Direct Revenue. Yes, oh so horrified….but oh, the top brass isn’t listening to us so we’ll just keep rolling on regardless.
As for the random guy in the comments who appears to have also worked there:
“The accepted goals of our team were simple: [1] once we’re installed, stay installed until the user asks us off ”
DR did everything it could to convince people NOT to uninstall. Remember the purple webpage that claimed uninstalling might “harm their computer”? Document 5.
“Users didn’t like the purple webpage saying the uninstall may harm their computer”.
Let’s not forget the Aurora uninstaller, which frequently corrupted as a download and made it impossible to remove without security software.
Also, this:
“S: Your company’s not one of those that would leverage exploits in order to get software on people’s computers?
M: We didn’t, no. Some of the distributors certainly did.”
…is a joke. Document 18:
“It is wonderful to hear you are making progress on the affiliate program implementation, and we are very interested in learning from your experience in dodging SP2 and anti-virus programs”. Mia Simonsen, distribution manager Better Internet LLC
The DISTRIBUTION MANAGER of Better Internet, being “very interested” in “dodging SP2”. Last time I checked, anything wanting to “dodge SP2” would be classed as exploiting, seeing as it wasn’t *supposed* to be “dodged”.
With a distribution manager saying things like that, it’s not hard to see DR was rotten from top to bottom.
Document 19, Daniel Doman:
“I doubt that (Microsoft) would want to partner with someone who actually takes advantage of their vulnerability and poor design”.
“Vulnerability”? Why doesn’t he tell us what he *really* thinks.
There’s a lot more, but people can see it all for themselves at benedelman.org/spyware/nyag-dr/. Besides that, there are endless reams of research from security researchers and companies who saw amazingly poor practices from Direct Revenue on a daily basis.
I’m alarmed that people are somehow accepting this almost apologetic “days of our lives” account of Direct Revenue, especially when they spent their time sending private investigators after people like Patrick Jordan (because he kept exposing their rotten and unethical practices) and throwing their legal weight at security companies who had a problem with their actions.
This isn’t the full story, by any stretch of the imagination. It’s not even close.
@AC: the Nazi comparison is completely out of place… Besides that, great interview!
I think adware is a good development, we need strong market dynamics!
Excellent article. The technical parts were interesting but the human motivation was even more interesting. I have never read someone who was so candid about what they did. Most people end up trying to rationalize things but I think the coder here learned something from the experience about being a moral agent. Like he said, souls are sold a piece at a time, not all at once.
The nazi comparison is surprisingly apt, actually. Check out a book called Ordinary Men that described how a bunch of fairly normal Nazi police officers stationed in Poland ended up taking out pregnant women to a field and shooting them in the back of the head, one bit at a time. Influence by Robert Cialdini also talks about how people can end up doing terrible things using examples from history (Vietnam War) and cults (Jonestown).
But I’m willing to bet no one’s gonna read this far down!
Awesome article. I’m annoyed by the people who view you as “completely evil” because you definitely aren’t if I have to believe the full article. People should calm down a bit about the morality in this, I think.
What sort of excuse is that? It’s no excuse at all. Write a virus or worm that steals information and say “if I didn’t, someone else would”.
And it’s completely true. Of course, someone else doing bad things doesn’t mean that you should, but ultimately it’s her own decision.
How about you hand over your knowledge and help certain AV makers out, by developing a template or GPL licensed utility that helps out with this stuff, sort of like Darth Vader switching back to the good side at the end of Return of the Jedi!
Didn’t he die in the end? The example you’re giving has quite a sad conclusion if you put it like that…
I’m in awe of his programming skills. But equally the fact remains trying to survive does not warrant becoming a blood-sucking maggot. There is nothing as sickening to me as someone who thrives on raping children (i.e. the computer illiterate), then blaming it on his dad’s Hustler collection (i.e. Windows). Loving Linux does not justify bashing Windows when Windows is the orphanage.
@Paperghost: Yes, I’ve read those docs.
You won’t find my name in them, even though I was a full-time coder on the ad client, the device drivers, and the compliance spiders. This is instructive: we all worked in a single loft, without walls, and the actual programmers never had to put anything of this kind in memos. When someone proposed hiding the code file in a phony bad sector so the OS couldn’t see it, and the rest of us refused, why would we have put any of that debate in writing?
And of course, Spitzer’s office would have no reason to publish the inter-departmental memos I wrote to report illegal installs, nor would the archive you link to post them if they had.
Thus you are reading conversations between mostly non-techs, many of which are wildly ignorant. For example, to “dodge SP2” didn’t mean to do a drive-by install, it meant that SP2 threw up a warning for *any* BHO install; our solution was to abandon the BHO architecture entirely.
Similarly, when Dan refers to Windows’ vulnerability, he is talking to non-techs about the kinds of things that Matt explained in the interview.
In any case, I’m not sure you understand that many of the bits you are quoting are *bug reports* from internal testers. There was no advantage to us in driving users crazy by showing too many ads (aka ‘killing the host’), as we made money only on ad-clicks, not installs.
Yes, we caused suffering. We knew we were going to hell. We have done our best since then to apologize and atone. That we are trying to be precise about what we did and did not do may be vanity, but is not an attempt to excuse what was done.
@RT Wolf: yes, some of us read all the way down!
“Thus you are reading conversations between mostly non-techs, many of which are wildly ignorant.”
People like Daniel Doman (who was a director of engineering at DoubleClick and the CTO at DR, and who in other documents repeatedly asks the “techs” to *reduce* the popup rate, only to have his requests seemingly fall on deaf ears time after time) and Josh Abrams (who had a long history of working in and around web based ad companies) aren’t “ignorant” of how their company’s tech worked, and that’s backed up plenty by some of the other documents related to the popup rate where either Doman or Abrams (I forget which) clearly and concisely talks about the different kinds of tech deployed, how they work etc – certainly not blundering tech novices.
In fact, Abrams himself in another document says
“We have a very stealthy version of our adware product which we’re happy to give you….don’t worry, if we do a deal and build together…these will not be caught”
Let’s be clear – these are the people with (I believe) the majority of ownership in the company, driving these dubious practices with comments like the above (only seemingly asking for popups to be toned down when they are indeed in danger of angering their “userbase”) and pushing the limits of what is acceptable as far as it’s possible to get away with.
Matt himself says “We do not presently make much effort to assure that people are not getting our ads legitimately”. Well, why was that exactly? It seems nobody could be bothered because the money was too good. The programmers would protest meekly, the head guys would mutter the odd plea for reductions in popup rates, meanwhile you had your “dark arts” department, and you were hiring PIs to hunt down and intimidate security researchers.
“For example, to “dodge SP2” didn’t mean to do a drive-by install”
Come on, dude. Anyone who worked around ad networks at the time SP2 was coming down the pipeline knows that the ONLY discussion doing the rounds was any number of variants on how to “get around” SP2. It didn’t *have* to be a drive-by, it could be any number of things. But the key point drummed into many, many network affiliate managers was “get by at all costs”. They were ALL doing it, at every adware company at the time – and even before that.
Hell, there was one adware company that had more moles in it passing on information to security researchers than it did legit employees.
There are way, way too many comments in those documents related to the NYAG case where people talk about exploiting, getting around, polymorphism, disabling automated removals, stealth and all the other junk that we see in common malware exploits all the time. Then let’s talk about the borked uninstalls, the intention to remove information from the uninstall page, the refusal to include add / remove control panel data, the SUPER sneaky “let’s pop adverts for Morpheus users but ONLY a day or so after they install it…” and so on.
How can *anyone* justify that last one as anything other than dubious and unethical? It’s not just about the code – bad as it was – Aurora, anybody? – but also about the practices at every other part of the business.
And it sucked.
“Similarly, when Dan refers to Windows’ vulnerability, he is talking to non-techs about the kinds of things that Matt explained in the interview.”
Well, for starters we need to know exactly who Tom Phillips is, since he is who the discussion was with. Considering he’s talking to him quite informally regarding a VC meeting with Microsoft, he’s not likely to be stupid, nor is Doman going to be dumbing down his conversation with him in such a way, because that would be amazingly obvious if he were to do so.
And it really doesn’t look good regardless, given the content of 99% of the rest of those documents. You can perhaps pass one or two off as “mostly harmless” or “he didn’t mean that, he meant this”.
But you can’t do that for each and every one. And there’s quite a lot of them in there…
“And of course, Spitzer’s office would have no reason to publish the inter-departmental memos I wrote to report illegal installs, nor would the archive you link to post them if they had.”
Actually, there’s quite a few documents in there where information is given related to DR terminating affiliates for bad behavior. The problem is, there were nowhere near enough “terminations” (one document tries to proudly proclaim they terminated “at least a dozen” such deals).
A “dozen”? Really?
There were endless incidents of rogue behaviour and screwball antics reported every other day, by countless researchers and individuals. Want to know what typically happened?
In 2005, I found a huge scale distribution of Adware bundles being pumped out via BitTorrent downloads. DR was in there, along with a bunch of others.
When I wrote about it, you know what DR did? Daniel Doman called my article “misleading” and tried to blow it all off, insisting there was nothing bad out there.
Took me all of a day to find installs entirely without notification or consent being delivered via exploits, and the BitTorrent bundles went into meltdown, with some of them containing what looked like UA porn videos bundled with the adware.
DR then had to post up a simpering “thank you paperghost” style entry on their website, which pretty much said it all about how companies like DR operated: refuse any liability, admit no guilt, insult, harass and attempt to intimidate those who found bad practices (like Patrick Jordan, who had PIs coming after him), while using those same people as a form of “outsourced” quality control (because it was obviously non-existent at DR, amongst others) and then getting all red faced at the end of it when it turned out we were right all along.
“Yes, we caused suffering. We knew we were going to hell. We have done our best since then to apologize and atone. That we are trying to be precise about what we did and did not do may be vanity, but is not an attempt to excuse what was done.”
An admirable notion, however it could (and should) be argued more of this should have been in evidence at the time this was all taking place – and the “fine” at the end of it all was pretty laughable. I’m certain the owners of DR sailed into the sunset with a stack of cash, so who “won” really, apart from them? Certainly not you, certainly not me, and certainly not the end-user.
The truth is that the whole programming group was full of good people with good intentions, including Matt and Eric. At one point there were around a hundred people working there and we were sheltered by management from knowing how we were negatively affecting our users. I was proud to be part of that team, because it was, after all, such an amazing group of brilliant minds. I left the company as soon as I found out the true effect we were having on our customers, when I read some hate mail directed at the company. I went on to work at Microsoft as a security engineer and after enough time felt I had redeemed myself. Vista is more secure, however, many of the same exploits that we used are still possible to do, which is a scary thought. I do believe the Windows model is fundamentally flawed, unfortunately, and even the most advanced anti-virus software is insufficient. I do recommend users run a version of UNIX, and Windows in a VM (Virtual Machine) only when absolutely necessary.
@paperghost: You assume that executives and the sales department understand the difference between legitimate and illegitimate coding practices, which is highly unlikely, and given the number of vague and/or incorrect generalizations you make, I’m not sure that you do either; but I think we’ve laid things out sufficiently fully that the readership can make up their own minds.
“Vista is more secure, however, many of the same exploits that we used are still possible to do”
I don’t want to play semantics police, but it seems some of you ex-DR guys are saying “we never did exploits” and some of you are saying you did.
“At one point there were around a hundred people working there and we were sheltered by management from knowing how we were negatively affecting our users.”
While your leaving once you found out the users’ reactions is commendable, I am somewhat curious how they managed to keep about a hundred people working for a company from seeing all of that negativity. The net was awash with it for years where DR was concerned – you couldn’t miss it. If it wasn’t Slashdot, it’d be a mainstream news tech site. If it wasn’t that, it’d be people ranting on forums, or articles on blogs etc.
How do 100 odd tech savvy people completely miss any and all of that?
Plus, some clearly *were* aware of what was going on – Matt’s email from the NYAG documents is proof of this, and there were plenty of other mails in those documents from various tech / programmer guys.
So does that mean the people who were aware of this in those hundred odd individuals simply keep quiet or not bother to mention that there were whole boatloads of incredibly angry people out there and what you were doing wasn’t the greatest of ideas?
Seems somewhat odd.
“You assume that executives and the sales department understand the difference between legitimate and illegitimate coding practices, which is highly unlikely”
You can’t tell from wading through those documents that the executives, the sales departments and all the rest of them knew full well that what they were doing was, shall we say, somewhat dubious? Many of those documents are a tour de force in going about things the wrong way. It’s not physically possible to accidentally make every other decision reek of dubious tactics. Whether it’s the top brass talking about their stealthy, undetectable software, or “abusing the hell” out of their users, or your distribution managers getting excited about “getting around” SP2, or hired goons stalking security researchers, it’s not hard to see a pattern there, is it?
You don’t get dragged in front of the NYAG for minor screwups. It seems anyone who works for an adware company that gets brought to book can wring their hands and talk about how they knew they were “going to hell” and “making people suffer”, yet anyone who rightly criticizes them for doing that instead of, you know, doing something about it (as opposed to continuing to be dragged along for the ride) “just doesn’t get it”.
Truly, my heart bleeds.
“@paperghost: You assume that executives and the sales department understand the difference between legitimate and illegitimate coding practices, which is highly unlikely, and given the number of vague and/or incorrect generalizations you make, I’m not sure that you do either; but I think we’ve laid things out sufficiently fully that the readership can make up their own minds.”
Lol, what a funny comment. Given that the direct revenue ex-employee seems unable to address any of the points raised about irrefutably unethical behavior, he instead ignores them and resorts to hammering away at “not understanding legitimate and illegitimate coding practices” – like that makes what they were doing any better.
Look, it’s not hard. Your bosses get together and say, “we want this to pop up adverts and get onto the system with the bare minimum amount of disclosure, and let’s make it a real chore to identify the source of the ads, and let’s make the uninstall a nightmare too”. The specifics of what are “legit” and “not legit” with regards to coding practices don’t come into it. All that matters is, someone asks you to make something that is CLEARLY BAD, and the programmers and engineers repeatedly go off and do JUST THAT.
When the bosses ask you to make what they want, they’re not interested in what subtle and arcane aspects of coding can be classed as legitimate or “acceptable”. They just want you to make something abhorrent, and off you go.
And you did, for the longest time.
I also agree that it’s silly to claim nobody from the programming team knew about the bad things going on. Aside from the fact that it’s inconceivable to think all those smart programmers at no point would think, wait, why am I coding something that does x, y and z bad things, you’re seriously claiming none of them ever came across RSS feeds, or talked to others in the industry at conferences or just saw it in the news?
No way could you have been so insulated. Certainly not from the news, certainly not from the world around you and definitely not from the other major players in the adware industry.
I see that Matt and I have used the word ‘exploits’ slightly differently. To clarify: I have been using the word in the sense of “exploit a bug in IE to sneak code onto a machine,” while Matt is using it in the sense of “exploit CreateRemoteThread()’s incidental ability to make your process less inconspicuous”.
My point is that almost all of the things Matt describes have ‘normal’ uses. I was recently asked by the maker of a parental-control (censorware) product to make it hard for a kid to disable the software. Suddenly all these ‘exploits’ (in Matt’s sense) were now potentially legitimate. Where is the clear bright line?
“I see that Matt and I have used the word ‘exploits’ slightly differently. To clarify: I have been using the word in the sense of “exploit a bug in IE to sneak code onto a machine,” while Matt is using it in the sense of “exploit CreateRemoteThread()’s incidental ability to make your process less inconspicuous”.”
Well, plenty of people including myself found exploits in the sense of “exploiting a bug in IE to sneak code onto a machine” where DR were concerned, and as I said above, responses from DR ranged from dismissive to out and out hostility, every single time. Then there’d be a big rigmarole in the press and they’d come out of it looking stupid.
They never learned their lesson, and they continued to not learn it and ultimately that’s perhaps why they ran into the NYAG.
“My point is that almost all of the things Matt describes have ‘normal’ uses.”
Yes, but can you claim what DR was up to where pure tech was concerned was anywhere near approaching “normal uses”? Everything seemed designed to subvert, confuse, frustrate and take power away from the end user. Hell, Aurora was bad enough that your own employees called it “spooky”. Myself and others had to put our security sites on moderated comments because of the amount of death threats posted aimed at DR employees. Entirely unrelated websites with “aurora” in the name had to put up warning messages that they had nothing to do with you because they were sick of the threats. To this day, I’ve never seen such anger generated as a result of a piece of code. Ever.
“I was recently asked by maker of a parental-control (censorware) product, to make it hard for a kid to disable the software. Suddenly all these ‘exploits’ (in Matt’s sense) were now potentially legitimate. Where is the clear bright line?”
There is no clear bright line anymore, thanks in part to companies like Direct Revenue. Security companies basically have to put *everything* in their database now whether something is legit or not, give it a stupid classification name so they don’t get sued to death, then give the ultimate decision to the end user.
I should add, however, that being able to *make* that decision at all was by and large entirely removed from end-users by companies like Direct Revenue and the old guard of adware companies, thanks to their “wonderful” products.
I’m impressed. The comment stream got all the way to 64 before Hitler was mentioned and all the way to 68 before Nazis and concentration camps were dragged in.
I loved the article, not least because I’ve cleaned off some of Direct Revenue’s adware. Generally, I just used the uninstaller. I’ve run into some really nasty and persistent adware, and I’ve seen in use every one of the techniques Matt talked about.
I tend to agree with Matt about security and privacy. I still use Windows, not because I like it, but because I like (or have to use) applications that run only on Windows.
I also appreciated Eric’s comments.
To paperghost: Sorry to blow your reality, but your model map of reality in your head is just not how it was. You were not there. So, listen to what Eric and I are saying about the reality, not the assumptions you make. I would say about 90% of the company had no clue because they were too busy working to browse the web or read hate forums. Don’t get hung up on the word “exploit”, as even Mother Teresa “exploited”. To a computer there is no good or bad and, as Matt said, we probably in the end did more good than harm because I am sure we did knock off some horrendous adware clients far more unethical than ours from countries which had no regard for our laws. But because of our high profile, we got all the heat. Management tried to go legit and upfront, but for trying to turn to the “good” side, they went down for that. Now, I don’t want to defend them entirely, cause I still don’t support their business model and would never be a part of something like that in the future. Anyway, I think intelligent people with enough real world experience who are reading this interview understand what I am saying. That’s all I can say about my work there. So I will sign off from this forum. And yes, Matt is someone I would trust with my life. He’s a good guy and I am sure has already redeemed himself and will continue to contribute great things to our society.
Great interview! It is interesting that a company can get that number of people to “opt in” to something so bad… I guess this will never change since there will always be a ton of people who just don’t understand how dangerous the net is if not treated with respect.
Great interview! I think adware is horrible but I know what he’s talking about. It starts out small little things. As you let those little things go then it keeps going. You let a little a more go and then more. And then one day you have a moment of clarity (either by choice or forced) and you ask yourself, “how the f$%K did I get here!?” If you don’t stop those things early on… if you let yourself go… it’s gonna f#$k you over.
You have to stand up for morals and ethics in your work environment. Persuade them not to be a cheese dick slimy bastard because it works both ways.
“All that is necessary for the triumph of evil is that good men do nothing.” (Edmund Burke)
PS I think this was the best article I’ve read all year! Would you please do another on the state of security in OSes, and what you can do to secure your OS (when I ask a friend how I secure Windows he says “uninstall it”, so secure it if possible).
PPS At one point Apple threw out its OS and started fresh. Do you think that should be a choice for MS?
“So, listen to what Eric and I are saying about the reality, not the assumptions you make.”
Ha, just like the adware days of old – the conversation is entirely one sided. You basically ignore every valid point made and continue to go back to “you weren’t there”.
Points made about plenty of DR installs made via system exploits – ignored. Hiring PI goons to track down and intimidate security researchers, simply because you didn’t like him uncovering information – ignored. DRs mud slinging towards myself, which subsequently turned into a healthy dose of crow eating (entirely avoidable if they’d just *listened* for once) – ignored. Queries as to why your staff endlessly refer to treatment of installed users as “abuse” ignored. I’ve asked you repeatedly about whether or not you think delaying advert pops from morpheus installs for a day or two so the user doesn’t associate it with the ads is ethical or not – ignored. I asked, when Matt said this in his email – “We do not presently make much effort to assure that people are not getting our ads legitimately” – why this “lack of effort” existed, because people were clearly aware of what was going on yet seemingly just staying on for the ride – ignored.
I could go on, but you continue to ignore all of the above and more besides in favour of going back to “you weren’t there”.
I don’t need to have “been there” to know about the above, because it’s right there, in the documents, in black and white, written by your own staff. You also seem to dismiss the repeated personal experience I have of your company via email and what they said in the press in relation to my findings.
You don’t need to have been hanging out at the direct revenue water cooler to know that you were doing bad things, yet apparently the closer you stood to it, the more you missed. Interesting business model.
“as Matt said, we probably in the end did more good than harm because I am sure we did knock off some horrendous adware clients far more unethical than ours from countries which had no regard for our laws”
This is an amazing quote, thank you. The most desperate attempt yet to justify what an adware company was doing that I have ever seen. Yeah, we were up to no good, but we took an awful lot of other people up to no good down with us.
Awesome. Pity about all those people caught in the crossfire on the way down though, wasn’t it? You know, all those people with their PCs stuffed with DR adware they didn’t want?
Also, talking about adware companies in “other countries” with “no respect for the law” is pretty humorous when your own company pushed the limit of the law so many times you ended up in front of the NYAG.
“Management tried to go legit and upfront, but for trying to turn to the “good” side, they went down for that.”
No, Direct Revenue “went down” because of years of dubious and unethical business practices. Please don’t try to turn them into some kind of martyrs for suddenly waking up and “seeing the light” only to find nobody wanted to play ball with them.
“Now, I don’t want to defend them entirely, cause I still don’t support their business model and would never be a part of something like that in the future.”
Commendable.
“I would say about 90% of the company had no clue because they were too busy working to browse the web or read hate forums.”
This still doesn’t make any sense. Even IF 90% of 100+ people somehow didn’t read tech news, tech news websites, read RSS feeds, blogs, visit forums, get google alerts on their company, see entries for DR in google search (nobody ever even googled their own company name?) or converse with other adware companies at conferences (or even just see / hear the discussions about them at conferences, many of which I attended had a good portion of people from DR, from execs to engineers and the odd programmer), that would STILL leave a percentage of people who knew what was happening (borne out by many programmers including Matt himself who frequently appear in the documents complaining about bad practices and / or discussing something dubious they’ve been asked to make).
So, again – why did these people (if so troubled by what was taking place) not simply *tell* the others? It’s just bizarre.
This is a great interview, it is fantastic to have the truth from the horse’s mouth, and good to know that people will still listen to their conscience.
What would be better is for people like Matt to write some spyware/rootkit removing routines. All too many people fall into this situation of having such software running on their system, often with no idea where it is from, let alone how to remove it.
These talented people creating tools to identify and remove such rogue software is the only chance we have of bringing control to a huge grey area of the law, which governments are incapable of understanding and dealing with locally, let alone internationally, even if they did take it seriously they would never keep pace with how the software is adapted.
Linux may be the safe route currently, and as Win 7 is still based on the NT kernel it is not going to offer any greater security. But if, to avoid such threats, Linux becomes the majority OS, then the malware writers will just shift across to exploiting that platform. We need effective protective software, and this requires the skills of people like Matt, combined with inside knowledge like he has.
“you weren’t there so you don’t know”.
That works both ways though, doesn’t it?
I notice anyone who comments on this story in a sympathetic manner towards the DR staff gets a free pass, despite also not having “been there” – yet anyone who naturally enough calls into question this extremely whitewashed attempt at a portrait of direct revenue is immediately dismissed with nothing much more than “you weren’t there”.
Glorious logic. I would suggest if you don’t like the very large inaccuracies, flaws in logic and gaping holes in common sense picked apart, it would be a good idea simply not to post in the first place – or at least post something that isn’t ridiculously hard to swallow (“90% of the company had no idea”? LOL. No, of course they didn’t).
Personally I am grateful to the adware purveyors. They persuaded me 5 years ago that I needed to try Linux. I installed Mandrake 8.something and have never used a Microsoft garbage OS on any computer of mine since. I do realise that there are applications that only run on Windows. For the unfortunates in that position there is still no need to go online with such rubbish. Web browsers, email clients and instant messengers are near enough the same to render Windows unnecessary for online use.
This is a great interview. I admire Matt for having the courage to get out. It must have been a tough choice.
Most of us have been in the unenviable position of having to make a choice between having a job and doing what we believe is the right thing. It’s tough to take the moral high ground, because truthfully, I don’t know what I’d decide if I were in the same situation. I’d like to think I’d tell my bosses to “take this job and shove it” but the truth is I don’t know. I’d hope I’d have the courage to get out quickly, but the choice is difficult. Money versus conscience.
And with coding, it’s even more understandable because, like Matt says, coders hardly ever see the forest because we’re sitting deep inside of it with a microscopic view of all the twigs, bark, and berries. If you’ve never been a coder in a software company, you might not understand this. Sometimes when you code, because of the way the work is segmented, you might have a vague idea of the overall project, but your individual snippet is just a tiny part and when you finish, you’re on to something else and then on the train home. Hardly anyone at the cubicle level understands the big picture. Look at Windows itself as a perfect example. How many people at Microsoft, do you suppose, understand the entirety of Windows? I’d guess a handful at best. More likely nobody does.
One comment about the photo to the editor that chose it. Great choice, and the photo matches the tone of the article perfectly. Matt looks like a slightly embarrassed Bill Pullman and had my sympathy before I even started reading.
Hey, all you guys who are bickering back and forth, it’s like watching a ping-pong match being played with two balls instead of one. But each player only sees his own ball.
I think you all have good points, and you would probably agree on 90% of everything that’s been said. But it looks like your differences are mainly because you’re not defining your scope in your posts. Some people are arguing about the global level evil DR’s and some are talking about the local variable, Matt.
The problem is that posts are being made without ever saying exactly which part of the issue you’re talking about. These are two separate issues, but they’re within the same article. Wow imagine that, a multi-faceted story. Who woulda thunk it?
I can agree that the DR companies are evil. But I can also admire Matt for getting out. If I say I admire Matt, does that mean I admire the DR companies? If I say I deplore the DR companies and their tactics, am I saying I deplore Matt?
Very interesting article and a good one.
You can say that somehow you were ethical and believe that by some strange reasoning you did more good than harm.
I don’t have to believe you.
If you want to make amends, do something voluntary, work in a soup kitchen or something.
But kudos for the interview.
There are some holes in your programming skills (back then at least). Cool factor rather than reasoning seemed to rule.
A high number of threads in badly written code is a horrible idea and one of the biggest reasons for the slowdowns that adware is responsible for. If using threads, there have to be only as many as needed, in skillfully written code.
Another one is bad Winsock hooks (mostly abandoned because they are relatively easy to remove).
Interrupts seem to me to be a rather obvious first choice. Not thinking of interrupts tells me you are not from the pre-Windows generation.
The registry hack is old and similar to old file system hacks in Unix and DOS.
I think almost everyone should realize that almost all adware has been written by programmers that suck (not meaning you); the slowdowns and crashes are enough proof.
And:
I am an old Unix and Linux dog, but I’ll say this:
You can stay reasonably secure at your home running Windows if you use a Linux virtual machine for browsing
(free version of VMware and a free small image downloadable from vmware.com).
With a small additional configuration of your network environment, even more secure.
@xandalar: The ping-pong is my fault.
Matt’s subjects were (among others) How Software Achieves Stealth and Milgram For Beginners. Both subjects need an almost clinical dispassion to yield useful insights, which Matt provided.
I tried to emulate this, but failed.
You see, as a programmer, my whole life is focused on getting the details exactly right, while crusaders need to tell a stirring, unambiguous, Hollywood-ready story, the details be damned. I didn’t realize this was why my comments were not being read accurately, and would have quit the point-counterpoint earlier if I had.
“while crusaders need to tell a stirring, unambiguous, Hollywood-ready story, the details be damned. ”
ROFL. When all else fails, resort to ad hominem namecalling. The “details” are right there in the court case documents, as others have already mentioned. They do a very good job of countering many of the statements you and others have made, and continue to make.
Don’t flatter yourself that your story was in any way “hollywood worthy”. The only way it would make it to hollywood is if it were the amazing story of how 90% of a company including 100 odd “brilliant” programmers were locked in a dungeon and never went online or read the news, and somehow missed the fact that their company was indulging in wrong behavior for years and years.
A comedy of errors, perhaps, but nothing more.
The problem is that when people bring up these glaring contradictions between what you claim and what the documents quite clearly say, you choose to ignore all of those points and switch to talking about something….anything…that doesn’t address the entirely reasonable points raised by others.
As others have said, it’s right there in black and white. As someone who chooses to disagree with you (that is still allowed, isn’t it?) I look forward to more ad hominem namecalling.
While I’m here, I decided to check out Matt’s website. I already noticed “removing other spyware/adware” was quite a big deal he made as a form of justifying what he did with the company.
“I helped write other bits of DR’s software. I did not go spelunking into people’s systems to steal personal info, nor did I use exploits to get onto people’s boxes. In fact, I spent a bunch of time writing software to detect such behavior, so the relevant distributor could be stopped sooner.”
“but I think I removed around 4x as much adware as I helped stay put, and a bunch of actual malware.”
“I started doing math for an adware company, then wrote software to remove a virus, then lots of viruses, then competitors”
This is obviously going to make people more sympathetic towards him – and potentially more sympathetic towards Direct Revenue (“hey, they weren’t that bad, they were removing other people’s crapware”) – yet unless I’ve missed it (it’s not on the welcome slashdotters page, and it doesn’t seem to be in the interview) – the actual REASON for removing others’ adware and spyware is missing, isn’t it?
Direct Revenue didn’t have Matt running round making programs that uninstalled others’ software for some amazing holistic, let’s police the net reasons. They created uninstallers specifically so that competitors on a PC would be targeted and removed – so you would make more money. Can’t make money on computers already full of crap, can you?
Avenue Media made quite a stink about it; I’m sure there were others.
http://tinyurl.com/7eax36
” Caribbean-based ad company Avenue Media last month accused New York-based DirectRevenue of using competing software to detect and delete Avenue Media’s Internet Optimizer program from its customers’ computers.
According to the Nov. 24 complaint, DirectRevenue’s software detects Internet Optimizer and then sends a command to “kill” the program, a process that deletes its files from the PC registry and from the computer altogether. Avenue Media said DirectRevenue’s tactics have caused it to lose about 1 million customers–about half its installed base–and as much as $10,000 a day in revenue.”
Oh look, the picture is now somewhat more balanced out seeing that those uninstallers were costing competitors lots of money. Why is this “feature” of writing uninstaller routines that remove other people’s crap – the rather obvious byproduct that you stand to make more money – not mentioned anywhere?
Meanwhile, I had a look through those court docs and see that there are docs in there where DR staff talk about creating programs that *prevent* automated uninstall of your *own* software.
“details be damned”, indeed.
The main problem these days is not adware, it’s those botnets which steal your money and passwords!
You can’t fix that simply by reinstalling windows or moving to linux. No point talking about the past when this kind of thing is happening, apart from 1 thing, which is that due to the rulings against Microsoft for their own greed, the consumer loses out and has to buy their own security software which they don’t always get or buy the wrong ones.
Hack the Planet…
Not to point out the obvious, but wouldn’t the most widely-accessible UNIX platform which most users could handle (without advanced skills) be a Macintosh?
Interesting article on a controversial reality! Some of the commentary volley is too reminiscent of the recent campaign fervor. Life is rarely as simplistic or polarized as some would have us believe. Thanks, Sherri and Matt, for a great read!
Informative article. Thanks.
There is a tendency to overreact to moral offences, so remember “Shoot not the messenger!”
As an out of work programmer I can feel his pain about being broke. It was a great interview, nothing too terribly new for anyone who has tried to crack software, but I am happy that some greenhorns are learning something, life is always about learning! To all the people who spout nonsense about him being a criminal… The internet and computers are young and with very little of an immune system. If he was not writing and inventing new ways to break Windows security it would not be patched until someone with less morals than he came along and did something truly vile with the knowledge. So in closing, thank him for being a hacker in the true spirit of the word. Not a cracker who steals something more than a bit of your system resources.
Last point, I am not advocating keeping spyware around, but I am advocating using it as a booster shot that computers need so they don’t get something way more evil.
An excellent interview, and an opportunity to look into the mind of someone many of us would consider to be an opportunist at best, cyber criminal at worst.
Keep up the good work!
So what is the difference between ptrace and CreateRemoteThread?
You are actually a very intelligent guy, and you could be a good hacker.
If Russia attacks the US, you might be able to help us.
You should take all your skill, and use it for good.
Help antivirus companies.
I totally agree, if you want to be free of this adware, don’t use Windows.
You should have used this info for good in the first place.
Hi, Mr. Pure Evil
))
Nice talk, thanks.
Fascinating peek into the “M”ad-world. The debate over “ethics” (not really mentioned by name) and the methodology of infection were of great interest. I learned something new about something I had suspected was going on (I do not have Windows). Personally I think that ad/spyware and spam are a waste of resources. But in a “free-market” individual participants can freely create wasteful chaos. So be it.
This was a fantastic article and a great read. I read through all of the remarks and everyone seems to think that by moving to Unix or some other more secure system they will be safe from Adware in the future…
I leave you with these thoughts:
M: That was a pretty limited market, I’d say.
If suddenly everyone becomes more “savvy” and switches to a unix machine, then that market will not be so limited anymore, making it worth the expense to write adware for. If the majority of people quit using windows, then the spyware and adware folks will adapt and follow the “market”. No matter how secure a system is, someone will find a way to beat it.
Re: the whole we-did-more-good-than-harm thing–isn’t that pretty much what a pimp would say? “My bitches need my protection from the even crueler pimps out there.”
I also have to wonder how much these guys’ malware-fu would help in devising anti-malware software. An arsonist isn’t necessarily good at putting out fires.
It never ceases to amaze me how vicious some people can get about adware etc. These guys showed you ADs – no worse than TV (I don’t get the right to block ads from my TV), and the man who went after them, Eliot Spitzer:
- Circumvented campaign-contribution limits in New York state law and then concealed his actions
- Used state police to gather information to smear a political opponent
- Was a regular customer of prostitutes for years
- Attempted to circumvent bank reporting requirements to hide his activities
- Used a false name on a hotel registration to hide his activities
As far as I am concerned SPITZER was a far worse human being than ANY adware maker!
Great interview – very insightful.
The bit about Google and Gmail filtering our personal info for their own advertising needs is quite scary – who knows what else they know about us.
For some people, the idea that good people can do bad things is very upsetting: in mild forms the upset is called “cognitive dissonance”: in severe forms it can drive you crazy.
Dave_J would presumably have been with those who thought that Hannah Arendt’s “Eichmann in Jerusalem” condoned evil.
For myself, I’m with Isaiah:
“And all our righteousnesses are like filthy rags”
Isaiah 64:6
Great interview
[...] Broke and professionally inexperienced, he got a job working at an adware company analysing spam. He gradually wrote more and more adware code, protecting his employers and attacking their competitors, and before long he found himself engaged in what amounted to a ‘distributed code war on a 4-10 million-node network‘. [...]
What if I run the application in a sandbox? Then I can delete it after I use it for the things I want. You can’t do anything right?
I had the pleasure to meet this terrific guy!! What a wild CUSEC conference in Montreal. Great Interview!!! This guy rocks, one of the best talks at CUSEC….miss this guy!!! Great foot wear sense too….sorry for stepping on your toes Matt…lol
Great interview! Keep up the good work! And let’s hope the other great interview