Adware Firm Accuses 7 Distributors of Using 'Botnets'

By Brian Krebs Staff Writer
Tuesday, August 16, 2005; 2:03 PM

A major online advertising company that has been accused by security experts of fueling the spyware problem says it is taking legal action against seven people in six countries who, it claims, used viruses to spread ad software to thousands of computers without their owners' consent.

In a lawsuit filed yesterday in a federal court in Washington state, Bellevue-based 180Solutions names seven of its affiliates -- individuals whom it paid to distribute the company's software, which causes advertisements to "pop up" depending on which Web sites the users visit -- and accuses them of installing it on thousands of Microsoft Windows PCs that they had infected with computer viruses. The company seeks unspecified damages and a halt to their distribution of its software.

The legal action is the latest effort by 180Solutions to clean up its image following years of criticism for failing to more closely monitor its distributors and crack down on those who profit from installing its software illegally. Since January, the company says, it has severed ties with more than 500 distributors who were found to have installed its "adware" without the recipient's knowledge or consent.

180Solutions claims the affiliates used "botnets" -- large groupings of hacked, remote-controlled computers or "bots" -- to distribute and install their software. A single botnet can consist of thousands of computers, most sitting on desktops of innocent users who have no idea that a virus infection is allowing a hacker to use their PCs for illegal purposes.

Online criminals have long used such networks to steal sensitive information from their victims, distribute junk e-mail and to wage debilitating "denial of service" attacks that inundate Web sites with so much bogus traffic that they can no longer accommodate legitimate visitors.

A Business Opportunity

Increasingly, however, botnets are being used to install spyware and adware. McAfee Inc., a computer security company based in Santa Clara, Calif., said it witnessed a 12 percent increase in the number of adware programs installed on computers in the second quarter of 2005, an increase it said was driven heavily by the proliferation of bot programs configured to install the adware.

The legitimate distribution method for 180Solutions contractors is to embed computer code into their Web sites that asks each visitor for consent to install, in exchange for access to content on the site. Each time a visitor agrees, the Web site owner earns a small commission, usually between 5 and 20 cents. 180Solutions requires its partner Web sites to prompt visitors for approval, but security experts have documented hundreds of sites that use security holes in the visitor's browser to quietly install the adware without permission.

Armed with a botnet of several thousand computers, distributors can make big money, and fast., a Quebec-based distribution firm bought by 180Solutions earlier this year, promises affiliates "big league payouts" and claims to offer the best per-installation rates in the industry, currently 25 cents.

LoudCash's site features a "revenue calculator" which prospective affiliates can use to estimate their monthly earnings. An enterprising hacker controlling a network of just 5,000 PCs -- and at least half of the target computers are located in the United States -- that bot master could make as much as $744 a day, or $22,346.25 a month, according to the company's calculator.

That sort of easy money is a strong draw for hackers who already control botnets and are willing to use them as platforms for spyware and adware, said Sam Norris, president of San Marcos, Calif.-based, a company that helps Web sites remain reachable at the same domain name no matter how frequently their numerical Internet address changes. These "dynamic DNS services" allow botnet operators to periodically change the location of the Web servers used to control their networks, thus making them much harder to detect or shut down.

Norris said that each week he terminates several new accounts that appear to be connected with botnet and spyware activity. In the spring, Norris began tracking one customer who was using's services to control a botnet of 40,000 computers. Norris obtained a copy of the virus the customer used to infect machines and install the 180Solutions software; the programming code also contained an affiliate ID number issued by LoudCash.

Norris alerted 180Solutions to the activity, and the advertising company said it later traced that affiliate ID to one of the defendants. The bot program directed computers to download and install 14 different adware products, more than half of which were produced by 180Solutions, Norris said. The virus also included at least 30 other features, including the ability to capture all of the victim's Web traffic and keyboard keystrokes -- with a particular interest in Paypal user names and passwords. Other programs installed by the bot allow the attackers to peek through the user's Webcam, or steal PC game registration keys.

CONTINUED     1        >

© 2005 The Washington Post Company