September 2004

The Scourge that is Kazaa
and AOL Instant Messenger

Teenager’s Best Friends are
Mom and Dad’s Worst Nightmare


WHILE MOST OF THE COUNTRY knows me as a graphics guy, around my hometown of Pleasanton, CA, I’m the computer guy. Not too much of a market here for someone who can help with undercolor removal or EPS clipping paths, so my local focus is on general configuration help, basic advice, and wart removal, mostly for homes and families.

 

And it must be said that this is a difficult time for families who compute. Never in my career as a computer consultant have I seen computers get so mucked up with parasites by people who have done so little to deserve it. Most of the time, potential clients who call me have absolutely no idea what has happened to them; they are brought to their electronic knees with sluggish performance and incessant pop-ups and they never saw it coming.

I am not talking about the simple type of spyware that you can remove with Ad-Aware and SpyBot. I am talking about the type of self-spawning trojans that bury themselves deep into the operating system and require thorough Registry scrubs and forays into Safe Mode in order to eradicate.

I have become adept at fixing these machines but I remained in the dark about the direct cause. Most of my clients run firewall software or use routers; most of them exhibit responsible email practices.

But there were three persistently common elements that I observed:

  • Every single client has young sons and daughters who use the computer.

  • Just about all of the affected systems had AOL Instant Messenger.

  • The systems with really nasty infestations all had Kazaa on them.

There was just too much smoke not to have some fire, so I decided to become the George Plimpton of spyware. I just had to find out what was creating such drek on my clients’ computers.


Clean as a Whistle

I started with a fast notebook computer running a fresh copy of Windows XP Professional. The Registry showed that there were no extraneous or unknown elements being loaded at startup. This computer booted and stopped showing the hourglass in about 45 seconds and no clicking was required to get there. When I opened a browser window, I could go hours without any popups, except an occasional ad that was programmed to appear by the web page I was visiting.

I then went to the AOL website and clicked to download Instant Messenger. My computer has never been the same since, and here is my accounting of that...


AOL and all its Friends

The first thing that I observed is how hard it is to install just AOL Instant Messenger. AOL’s community partners probably number in the thousands and nobody wants to be left behind. First, AOL asked me if I have "Tried AOL for Broadband yet?" Then came SpywareStormer that delivered this bogus message designed to scare me. I would receive this pop-up at least 10 times in the course of three days, and I note with alarm the now-familiar tactic of many of AOL’s friends: The three hyperlinks on this page all go to the same place.

Then, upon beginning the installation, I noticed this screen. These two add-ons are not malware (WeatherBug is quite benign and WildTangent is a gaming engine), but the fact that they are on by default and appear to be intertwined with AOL is troublesome at best.

Not five minutes after AIM was running, this ad appeared. This was the first time in the history of this computer that its browser window appeared spontaneously. Over the course of the next hour, I observed a 100% correlation:

  • When the AIM window was open, ads would spontaneously appear.

  • When it was closed, ads would not appear.

My daughter Erica set me up with a few "robots" to chat with, a common pastime among the bored, apparently. One of the robots responded to my first query by informing me that his (I think it was a he) services were now available at a particular website, which he took me to. It was full of casino ads and gambling opportunities.

Pretending to be a kid listening to his parents, I clicked No on everything, but each click of a No kept opening new windows. I knew better (you should right-click the Taskbar and choose Close; answering No is often as bad as answering Yes), but most kids don’t. And an ad like this one is just way too tempting to an 11- or 12-year-old who has been badgering his or her parents for a mobile phone since Christmas.

Kids are not the only prey—I know many grown-ups who fell for this one. I followed this chain of hyperlinks and it was two levels away from some very nasty malware that produces the type of trojans that can cripple a system.

AIM on its face does not present a direct danger to one’s computer. The number of pop-up ads generated from it was not overwhelming, just annoying, and you must be vigilant to close those pop-up browser windows instead of clicking on them. And while I did not appreciate my Desktop being littered with PartyPoker, Play Cards Now, WeatherBug, and Your Free Chips Await, they pose no real threat.

But the way that AOL chooses to represent its partners is onerous; they are positioned as inextricably-linked components of the service—a gambling website appearing directly from a chat session is reprehensible. And as I discovered, AIM is just about two degrees of separation from the really bad stuff that is our next subject...


Kazaa and its Gang

The perils of using AIM pale in comparison to the havoc that can be wreaked by using peer-to-peer networking, in which others are granted access to resources on your machine. The big daddy of P2P services is, of course, the file-sharing (music-sharing) engine known as Kazaa. According to one survey, over 95% of downloaders choose the free version of the program, supported by advertising.

Points for honesty, at least: the Kazaa website is explicit about what software is installed on your machine when you download the free version. What you do not know is what software is surreptitiously installed by the software you agree to have installed.

Kazaa Free installs an advertising engine from the Gain Network (formerly Gator, and I am not surprised that the company changed names; Gator is reputed to be one of the most offensive of all adware engines). Again, Gain is up-front about what it does:

The GAIN Network delivers online advertisements that are selected based in part on how you surf the Web. Some information that the GAIN AdServer may collect includes: Web pages your computer views and how much time is spent at those sites...Response to the ads we display...What software is on the host [your] computer...

Within 10 minutes of installing Kazaa, my tracking software was notifying me of attempted changes to the Registry. Entries were being made in the various (and deeply-hidden) areas that control which programs will start automatically, as well as new "Browser Helper Objects." My browser doesn’t need any help, thank you very much, but suddenly it was getting all the help it could stand.

My first post-Kazaa surfing session told me immediately that life would be different: There was a MySearch toolbar that took up residence directly below the Address Bar. I returned to the user agreement at the Kazaa website and, sure enough, found this among the disclosures of software to be installed:

PerfectNav - Provides alternative websearch results when browsing

Seeing how I accepted it into my system, I might as well use it. So I typed the following into its search field:

Singles in my area

Making sure to inform my wife Becky that this was just an editorial experiment, I watched as many results from SinglesResults.com, MatchMaker.com, and others appeared, Google-style.

And then, not five minutes later, came the pop-up ads for how I can further increase my chances of meeting others. Indeed, Kazaa’s big brother was watching over me.

The ads came in waves. There were periods of over a half-hour in which I would receive none, whether I was actively surfing or not, and then other times in which a veritable storm of pop-ups would appear, irrespective of whether the browser was even open. I went to the U.S. Open website to check on the big tennis tournament in New York, and I do not feel it a coincidence that an ad featuring Serena Williams appeared soon after. When I wasn’t surfing at all, the ad engine would pretty much just spew at me: mortgages...my PC is infected...smiley face cursors...I’ve just won an iPod...join the Army.

I went out for dinner and kept the computer on and idle. But somewhere between 6:00 and 8:30pm, it stopped being idle. I returned to a full-frontal assault:

  • Nine browser windows open, one of them (called ad.engine) only accessible by clicking on its icon in the Taskbar

  • One window self-spawning, continually reopening itself upon each close command

  • Two download commands waiting for me to click Yes, even though I made no such requests for download while I was outside eating corn on the cob.

  • My tracking software reporting four attempts to write to the Registry.

  • And the holy grail of adwaring: my default browser page was changed to http://www.adorbit.com and five folders were added to my Favorites: Entertainment, Finance, Free Stuff, Gambling, and Internet (all with links through the notorious OrbitExplorer).

It took less than five hours after installing Kazaa for my system to be completely hijacked. Before embarking on this experiment, the "Run" entry in the Registry (where programs are registered to start automatically when a user logs on) contained four entries:

SynTPLpr.exe            Driver for notebook touchpad
SynTPEnh.exe            Second driver for notebook touchpad
drivesub.bat            Batch file I wrote for creating drive letters
qttask.exe              QuickTime module

 

Within one business day, these additional entries were added:

rundll16.exe            Virus that allows remote system control
cdaEngine0400.dll       The WildTangent gaming engine installed by AIM
SpywareStormer.Exe      Installed by AIM (I think I might have said yes to this)
kazaa.exe               The file-sharing program
P2P Networking.exe      Peer-to-peer component (installed by Kazaa but NOT required by Kazaa)
updmgr.exe              Updater for eUniverse, one of the "Gain Gang" of programs installed with Kazaa
Points Manager.exe      Tracks Kazaa points earned for number of files shared
CMESys.exe              Part of the Gain Gang
mtsoemon.exe            The My Search toolbar that cannot be removed by conventional means
orbitupdate.exe         The trojan that hijacked my browser’s default page and inserted all of the links into my Favorites
srchupdt.exe            A randomly-generated and self-spawning executable placed in the Windows folder that becomes an ad server; if you delete it, another one appears with a different name the next time you boot


So, are we having fun yet? It is no wonder that my boot time went from 45 seconds to over four minutes. And this is after just one day.

Unfortunately, many of these parasites are not the kind that can be eradicated with the reputable spyware removal programs. Ad-Aware found 346 suspicious objects and removed them all. SpyBot found 123 more. But while these programs can remove most parasites from memory and eliminate their entries in the Registry, they are unable to detect the engines that are capable of restoring the parasites the next time the system starts. When Ad-Aware and SpyBot were done, the search bar, P2P Networking, and CMESys were still running on the system. To SpyBot’s credit, it did permanently eliminate Orbit, arguably the nastiest of the parasites I contracted in this brief period.

But this was a lab experiment; in the real world, you would probably go days, maybe weeks, and sometimes months, before garnering the strength to do battle with your system. And removing this grade of infestation requires careful, deliberate, and deft handling of files and operating system resources that normal users are not expected to know about and would have no business tinkering with. Removing these parasites is akin to removing the engine of a car, repairing it, and then putting it back.


What can you do?

Believe me, I know how hard it is to tell your 11-year-old that she can no longer use AOL Instant Messenger. Wage that battle and you’ll wonder if having a computer in the house is even worth it. Here are our recommendations:

  • If you can afford it, buy your kids their own computer. They might still muck it up, but at least they’re not mucking up the system that you need for more important matters. And because they might still muck it up, follow these other points...

  • Update Windows XP aggressively. The new major maintenance update (Service Pack 2) includes several significant measures for safer computing.

  • Short of banning AIM outright, set it to not start automatically (from Preferences | Sign On/Sign Off). You will save almost two minutes of downtime when the system starts and you won’t be bothered by unwanted buddy lists, sounds of doors opening and closing (a popular WAV file used to signify when others log on and off), the decidedly Gen-Y welcome screen with news about celebrities you have never heard of, and the intermittent popups that AIM produces. When your kids want to IM, they can click the Desktop icon to start the service.

  • Coach them vigorously on never answering any pop-up ad. "Just Say No" is not good enough: often, answering No is the same as answering Yes. Don’t answer at all. They should click the X at the extreme top-right of the browser window, and if they are not sure which X to click (some windows try to fool you there, too), they should right-click the ad’s button on the Taskbar and choose Close.

  • Do not allow ActiveX controls to run without your permission. From Internet Explorer, go to Tools | Internet Options | Security and, with the Internet zone selected, click Custom Level. From there, find Download signed ActiveX controls and Download unsigned ActiveX controls and set each to Prompt or Disable.

  • Prohibit any peer-to-peer networking applications, including Kazaa. Teenagers in the house might rebel as vociferously as the pre-teens do about AIM, and all parents draw their own lines in the sand of the family beach. That’s where I draw mine: absolutely no Kazaa. Today, you can buy a song from iTunes for 99 cents, and I’d be happy to give my kid a song allowance to make up for the free downloading they have to give up. Or maybe I should just inform them that using iTunes insures against their being arrested for illegally downloading music...
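The two checks behind these recommendations and the earlier Run-key comparison can be scripted rather than done by eye. The following is an added example, not code from the original column: it parses registry exports (the text that `reg export <key> <file>` writes) and uses them to (1) diff an autorun key against a baseline export taken while the machine was clean, and (2) report whether the Internet zone still allows ActiveX downloads. The sample exports in the block are constructed for this example; the value names under the Run key and the command lines are illustrative, not the actual entries from the author’s notebook. The per-zone action IDs 1001 and 1004 (download signed/unsigned ActiveX controls) and the 0/1/3 encoding for Enable/Prompt/Disable are Internet Explorer’s own.

```python
"""Audit autorun entries and IE ActiveX zone settings from .reg exports.

Added example, not code from the original column. Input is text produced by
`reg export <key> <file>`; real exports are UTF-16LE, so read them with
encoding="utf-16". Every sample export below is constructed for this example.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")            # zone 3 = Internet

# IE security-zone action IDs (stored as per-zone DWORD value names) and the
# three policy encodings IE uses for them.
ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}
POLICY = {0: "Enable", 1: "Prompt", 3: "Disable"}
DOWNLOAD_ACTIONS = ("1001", "1004")   # the two the column says to set to Prompt/Disable


def _parse_value(text):
    """Decode one .reg value: "string" (with \\ and \" escapes), dword:, hex:."""
    if text.startswith('"') and text.endswith('"'):
        return re.sub(r'\\(["\\])', r"\1", text[1:-1])
    if text.startswith("dword:"):
        return int(text[6:], 16)
    if text.startswith("hex"):                       # hex: or hex(N):
        return bytes.fromhex(text.split(":", 1)[1].replace(",", " "))
    return text


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}.
    A line ending in a backslash (hex data) is joined with the next line."""
    tree, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            tree.setdefault(current, {})
        elif line.endswith("\\"):
            pending = line[:-1]
        elif current is not None:
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            tree[current][name] = _parse_value(value)
    return tree


def run_key_diff(baseline_text, current_text, key=RUN_KEY):
    """Compare one autorun key with a baseline export taken on a clean system.
    Returns (added, removed, changed); 'added' is what to investigate."""
    before = parse_reg(baseline_text).get(key, {})
    after = parse_reg(current_text).get(key, {})
    added = {n: v for n, v in after.items() if n not in before}
    removed = {n: v for n, v in before.items() if n not in after}
    changed = {n: (before[n], after[n])
               for n in before.keys() & after.keys() if before[n] != after[n]}
    return added, removed, changed


def activex_policy(zone_text, key=ZONE3_KEY):
    """Map each ActiveX action in the exported zone to Enable/Prompt/Disable."""
    zone = parse_reg(zone_text).get(key, {})
    out = {}
    for action_id, label in ACTIVEX_ACTIONS.items():
        raw = zone.get(action_id)
        out[label] = POLICY.get(raw, "unset" if raw is None else f"unknown({raw})")
    return out


def weak_activex_downloads(zone_text, key=ZONE3_KEY):
    """Download actions still set to Enable (0), i.e. not Prompt or Disable."""
    zone = parse_reg(zone_text).get(key, {})
    return [ACTIVEX_ACTIONS[a] for a in DOWNLOAD_ACTIONS if zone.get(a) == 0]


# Constructed sample exports (value names and paths are illustrative only).
BASELINE_RUN = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"drivesub"="C:\\Tools\\drivesub.bat"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
'''
LATER_RUN = BASELINE_RUN + r'''"kazaa"="C:\\Program Files\\Kazaa\\kazaa.exe /SYSTRAY"
"P2P Networking"="C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe /sl"
"CMESys"="C:\\Program Files\\Common Files\\CMEII\\CMESys.exe"
"orbitupdate"="C:\\WINDOWS\\orbitupdate.exe"
"srchupdt"="C:\\WINDOWS\\srchupdt.exe"
'''
ZONE3_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
'''

if __name__ == "__main__":
    added, _, _ = run_key_diff(BASELINE_RUN, LATER_RUN)
    for name, cmd in sorted(added.items()):
        print(f"NEW autorun  {name:16} {cmd}")
    for label, policy in activex_policy(ZONE3_EXPORT).items():
        print(f"{policy:8} {label}")
    for label in weak_activex_downloads(ZONE3_EXPORT):
        print(f"WEAK: '{label}' is Enable; set it to Prompt or Disable")
```

Export the Run keys under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE on a clean machine and keep those files as the baseline; `run_key_diff` takes a `key=` argument, so the same comparison works for the Browser Helper Objects key the column mentions. A new entry is not proof of infection, but it is exactly the list the removal tools failed to clear, so it is where to start.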

 

In early September, the New York Times reported on the sharp increase observed in use of instant messaging, as a direct consequence of spam reducing the effectiveness of email. We sincerely hope that these people are not trading one poison for another, far worse one. I do not include myself among the proponents of instant messaging as an email replacement, as I think it degrades communication in several significant ways:

  • IM’ing invites cryptic speech, clipped expressions, and poor grammar. I know I sound like an old fogey here, but as a writer, I believe that written communication should exist on a higher plane than spoken communication.

  • Setting grammar aside, you are not capable of composing your thoughts in a live chat session as articulately as in an email. Taking the time to compose an email (a luxury you do not have with IM) is crucial to good business correspondence. There are things that I would not say over the phone, preferring to collect my thoughts first, and that is precisely the same for IM.

  • Most IM software lacks your email client’s ability to keep a history of your correspondence. No Sent Items, no folders to organize correspondence, no ability to forward messages.

Instant messaging is an evolutionary step in communication, no doubt. But replacing email? Get serious. And is spam so bad that you are willing to compromise the security of your computer and invite popup swarms? If so, you need to change your email address periodically as I do. Otherwise, I think that your treatment is worse than the condition you are trying to treat...

 


 

© 2008 R. Altman & Associates