In an interview with Matt Knox, Sherri Davidoff recorded an extended discussion about his work with adware heavyweight Direct Revenue. Direct Revenue was a New York City company founded in 2002 and known for creating spyware or adware programs — and sued out of business by the State of New York.
I believe that this interview provides an excellent window into how tough business competition can gradually evolve into malware-enabled cybercrime on a vast scale.
Mr. Knox explains in detail how, after starting with just a unique Registry key entry, they moved on to using an executable, then to a randomly named executable, followed by an executable that was shuffled around a little on each machine, then one that was obfuscated, and finally to an executable that ran only as a series of threads that could communicate with one another and ensured that the company’s browser helper object (BHO) was installed and healthy, along with whatever other software they were installing at any given time.
Mr. Knox also helped create “unwritable” registry keys and file names by exploiting what he described as an “impedance mismatch” between the Win32 API and the NT API. Modern Windows has inherited much from the NT kernel, which was fundamentally a Unicode system. As a result, all the strings internally are 16-bit counted Unicode. At the same time, the Win32 API is fundamentally ASCII. There are Unicode strings that can’t be expressed in the ASCII that is available via the Win32 API. Important to malicious software writers are strings with a Null in the middle of them. Using this technique, Mr. Knox and Direct Revenue could, for instance, write a Registry key that had a Null in the middle of it. With any user interface based on the Win32 API, people would be able to see the key, but they wouldn’t be able to interact with it. That happened because when they asked for the key by name, they would be asking for the Null-terminated one (the first half of the Unicode string). Because of that, they were able to make registry keys that were invisible or immutable to anyone using the Win32 API. Interestingly enough, this included not only all civilians and pretty much all of their competitors; he also said that the technique even worked against most of the antivirus companies.
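The C code below is an added example, not code from the interview or from Direct Revenue. It shows the defender's side of this mismatch: it reads a counted key name from a record laid out like the NT API's `KEY_BASIC_INFORMATION` and flags any name that a Null-terminated reader would see as shorter than its counted length. The function name, the result struct and the sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* KEY_BASIC_INFORMATION layout (NtEnumerateKey output): LastWriteTime (8 bytes),
   TitleIndex (4), NameLength in bytes (4), then Name as UTF-16LE, not terminated. */
#define NAME_OFFSET 16u

typedef struct {
    size_t counted_chars; /* length the NT API reports, in UTF-16 units */
    size_t visible_chars; /* length a Null-terminated reader would stop at */
    int embedded_nul;     /* 1 when the two views of the name disagree */
} name_check;

/* Constructed sample records (not captured data): "Run", "Ab\0cd", and a
   record whose NameLength claims more bytes than the buffer holds. */
const uint8_t SAMPLE_PLAIN[] = {0,0,0,0,0,0,0,0, 0,0,0,0, 6,0,0,0,
    'R',0,'u',0,'n',0};
const uint8_t SAMPLE_HIDDEN[] = {0,0,0,0,0,0,0,0, 0,0,0,0, 10,0,0,0,
    'A',0,'b',0, 0,0, 'c',0,'d',0};
const uint8_t SAMPLE_TRUNC[] = {0,0,0,0,0,0,0,0, 0,0,0,0, 64,0,0,0,
    'X',0,'y',0};

/* Returns 0 and fills *out, or -1 if the record is truncated or malformed. */
int check_key_name(const uint8_t *rec, size_t rec_len, name_check *out)
{
    if (!rec || !out || rec_len < NAME_OFFSET) return -1;
    uint32_t name_bytes = (uint32_t)rec[12] | (uint32_t)rec[13] << 8 |
                          (uint32_t)rec[14] << 16 | (uint32_t)rec[15] << 24;
    if (name_bytes % 2 != 0 || name_bytes > rec_len - NAME_OFFSET) return -1;

    size_t n = name_bytes / 2, visible = n;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *u = rec + NAME_OFFSET + 2 * i;
        if (u[0] == 0 && u[1] == 0) { visible = i; break; } /* U+0000 unit */
    }
    out->counted_chars = n;
    out->visible_chars = visible;
    out->embedded_nul = (visible != n);
    return 0;
}

int main(void)
{
    name_check c;
    if (check_key_name(SAMPLE_HIDDEN, sizeof SAMPLE_HIDDEN, &c) == 0)
        printf("counted=%zu visible=%zu flagged=%d\n",
               c.counted_chars, c.visible_chars, c.embedded_nul);
    return 0;
}
```

A scanner built on this check has to obtain names through an interface that returns counted strings; a Null-terminated lookup only ever receives the first part of such a name.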
In describing the scale of what they were up to, Mr. Knox said, “I would just write some …code, put that up on the server, and then immediately all sorts of things would go dark. It amounted to a distributed code war on a 4-10 million-node network.”
Professional malware coders understand their primary target — Windows — very intimately, and understand how to achieve their goals. Sherri Davidoff asked Mr. Knox, “In your professional opinion, how can people avoid adware?” He responded, “Um, run UNIX.”
This is an extensive interview and it is followed by a string of comments that are also worth your time. The techniques used by malware authors are interesting, but Mr. Knox’s discussion of their business is something not often documented. In the Information Security profession, we all ought to better understand what we are up against. I believe that this is an excellent window into a slice of it. What do you think?
— References —
“Interview with an Adware Author.” http://philosecurity.org/2009/01/12/interview-with-an-adware-author
Matt Knox: http://mattknox.com/
Sherri Davidoff: http://philosecurity.org/author/sherri
Direct Revenue: http://en.wikipedia.org/wiki/Direct_Revenue