Showing posts with label Zango.

Tuesday, April 21, 2009

So long Zango, thanks for all the phish

Oh, the joy...trumpets on high, banners waving in the wind!
Zango has been declared dead.
Good riddance, bugger off, may the fleas of a thousand camels infest your...well, you get the point.
As I've been heckling Zango for years, it gives me real pleasure to fire a parting shot. Or two, perhaps three.
Zango, this is for you.
The rest, dear reader, are for your viewing pleasure.
You'll recall that Hotbar is a Zango "product"?

Enjoy...

Props to John Leyden of El Reg for the best title of the day, via a tidy IFRAME.
http://tinyurl.com/c22sxn

An end to SPAM, thanks to Zango and Hotbar...really, I mean it.
http://tinyurl.com/cxhm79

A nod to Maestro Grossman's excellent book via manipulated Hotbar Flash.
http://tinyurl.com/cg7uke

To quote the mighty Marcus Fenix, "Sucks to be them."

Cheers.


Friday, May 16, 2008

Beware the Zangobot!

While this news is likely speculative and unfounded, it has ramifications I couldn't resist. My good friend Steve and I have, for the last couple of years, jokingly inferred that Zango must have some form of bot, be it a crawler or IRC/P2P. Now this was stated entirely in jest, mind you, but I have to throw the phrase open now thanks to a story from Trend Micro claiming Zango and Storm: Possibly in Cahoots.

How could I pass? This is indeed the prospect of a Zangobot!

From Trend's post: "The presence of these clues means either of two possibilities. One, that Storm is now targeting computers that have Zango adware installed in them, or two, that Storm has now been commissioned to deploy Zango adware. Zango (also ePIPO, 180solutions, HotBar) is an adware company notorious for planting software that runs on startup, displays advertisements, and comes bundled with other software."

Alex Eckelberry rightfully puts a cautionary spin on the story in his post on the Sunbelt blog:
"After years of tracking Zango/180, etc., we have a really hard time believing that Zango would knowingly work with distributors of Storm. While there’s no love between us, they're not complete idiots, and they know that if they got caught they'd be in serious trouble with the FTC."

Nonetheless, let the speculation and research begin.
BEWARE THE ZANGOBOT!

I hereby declare a contest! We need a Zangobot graphic. Get your creative juices flowing and send your Zangobot character/avatar/image to me at holisticinfosec at gmail dot com.
The winner receives mention here, an information security book of my choosing, and a Daily WTF sticker.


Thursday, January 03, 2008

Zango's in your Face(book)

The Zangonistas are at it again, this time deftly disguising their "software" as a Facebook Widget. Fortinet, who discovered the issue, discusses the "Secret Crush" widget at length, so no need to repeat their extensive effort.
Instead, I'd like to offer a bit of analysis, then invoke a debate.

ANALYSIS

I ran Setup.exe, as found in hxxp://static.zangocash.com/Setup/46/Zango/Setup.exe, through the analysis mill and I think the evidence speaks for itself.
IMPORTANT NOTE FOR YOUR CONSIDERATION: All of the following occurs BEFORE you accept the EULA.

IPs called:
66.150.14.74 Zango
66.150.14.65 Zango
66.150.14.61 Zango
64.94.137.72 Zango

URLs:
http://installs.zango.com/downloads/valueadd/SRS/UCI/R1/seekmo.html
http://installs.zango.com/downloads/valueadd/SRS/UCI/R1/zango.html
http://installs.zango.com/downloads/valueadd/SRS/Installer/2.0.26/R1/Installer.exe
http://static.zangocash.com/Setup/Update/
http://public.zangocash.com/php/rpc_uci.php
http://te.seekmo.com/TrackedEvent.aspx
http://te1.zango.com/te.aspx

Registry keys (and related strings from the same dump):
HKEY_CURRENT_USER\Software\ZangoInstall
HKEY_CURRENT_USER\Software\ZangoDebugSettings
softwaredistributionfaild
HKEY_LOCAL_MACHINE\Software\MediaGateway
SoftwareList
hkey_local_machine\software\seekmo
hkey_local_machine\software\zango
softwareurl: %s, registry: %s
GetSoftwareList
The software you are trying to install does not yet support Windows Vista®.
The software you are trying to install does not support your operating system.
Anti-virus and firewall applications can interfere with this and other software installation programs.
You may want to temporarily disable these applications during software installation.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
HKEY_LOCAL_MACHINE\software\Mozilla\
HKEY_CURRENT_USER\Software\
HKEY_LOCAL_MACHINE\Software\
Software\Microsoft
softwarecount=%d&retrycount=%d&reason=%s
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\
HKEY_LOCAL_MACHINE\software\microsoft\Internet Explorer\ActiveX Compatibility
Software

API Log (edited for brevity, but oh so interesting):
416a68 LoadLibraryA(crypt32.dll)=762c0000
762ec91d RegOpenKeyExA (HKLM\Software\Microsoft\Cryptography\OID)
77ddecaf RegOpenKeyExA (SOFTWARE\Microsoft\Cryptography\Providers\Type 001)
77dded3f RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001)
77ddee3b RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider)
77ddf4b3 ReadFile()
77e6ce44 CreateFileA(C:\WINDOWS\System32\rsaenh.dll)
ffeb87e ReadFile()
77ddf43f LoadLibraryA(C:\WINDOWS\System32\rsaenh.dll)=ffd0000
ffe8206 RegOpenKeyExA (HKLM\Software\Microsoft\Cryptography)
ffeb11f RegOpenKeyExA (HKLM\Software\Microsoft\Cryptography\Offload)
762ec6c4 RegOpenKeyExA (CryptDllFindOIDInfo)

What are we encrypting and offloading? Hmm?

719546f9 LoadLibraryA(UxTheme.dll)=5ad70000
41996b RegOpenKeyExA (HKLM\SOFTWARE\WindUpdates)
4195f3 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Winad Client)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows SyncroAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Win Comm)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows AdTools)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows AdControl)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows TaskAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows AdService)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows ControlAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows ServeAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Admilli Service)
41996b RegOpenKeyExA (HKLM\SOFTWARE\DeskAd Service)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Admanager Controller)
41996b RegOpenKeyExA (HKLM\SOFTWARE\AdStatus Service)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows AdStatus)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows FormatAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\AdTools Service)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Preview AdService)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Media Pass)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Media Access)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Media Gateway)
41996b RegOpenKeyExA (HKLM\SOFTWARE\MediaGateway)

Wait a minute...I haven't accepted the EULA yet!
Let's discuss.
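
The API log above is the interesting part: before any EULA, the installer loads the CryptoAPI front end and its RSA provider, opens the Run key, and then one call site (41996b) walks a list of other ad-software product names under HKLM\SOFTWARE. The script below is an added example of mine, not code from the original post or from Zango, that triages a log in that "caller API(arg)=ret" format and pulls those three behaviours out. The sample lines are copied from the excerpt above and embedded as a constructed input; the line format, the crypto DLL list and the three-vendor sweep threshold are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the sandbox API log above.
# Format assumed: "<caller addr> <API>(<arg>)[=<retval>]", with an optional
# space before the opening parenthesis, as the excerpt shows.
SAMPLE_LOG = r"""
416a68 LoadLibraryA(crypt32.dll)=762c0000
762ec91d RegOpenKeyExA (HKLM\Software\Microsoft\Cryptography\OID)
77ddf43f LoadLibraryA(C:\WINDOWS\System32\rsaenh.dll)=ffd0000
4195f3 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
41996b RegOpenKeyExA (HKLM\SOFTWARE\WindUpdates)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Winad Client)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Media Gateway)
41996b RegOpenKeyExA (HKLM\SOFTWARE\MediaGateway)
"""

LINE_RE = re.compile(
    r"^(?P<caller>[0-9a-f]+)\s+(?P<api>\w+)\s*\((?P<arg>[^)]*)\)(?:=(?P<ret>[0-9a-f]+))?\s*$",
    re.IGNORECASE,
)

# CryptoAPI front end and the RSA/AES provider it pulls in (assumed list);
# seeing them in an installer log means it is setting up encryption or
# signature checks before the user has agreed to anything.
CRYPTO_MODULES = {"crypt32.dll", "rsaenh.dll"}


def parse_api_log(text):
    """Return one dict per parseable log line; lines that do not fit are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text, sweep_threshold=3):
    r"""Summarise pre-EULA behaviour worth a second look:
    - crypto_modules: crypto DLLs loaded, in order of first appearance
    - autorun_keys:   opens of ...\CurrentVersion\Run (persistence)
    - probed_vendors: non-Microsoft names probed directly under HKLM\SOFTWARE
    - sweep_callers:  call sites probing >= sweep_threshold distinct vendors,
                      i.e. a loop walking a list of product names
    """
    crypto, autorun = [], []
    vendors_by_caller = defaultdict(set)
    for ev in parse_api_log(text):
        api, arg = ev["api"].lower(), ev["arg"]
        if api == "loadlibrarya":
            name = _basename(arg)
            if name in CRYPTO_MODULES and name not in crypto:
                crypto.append(name)
        elif api == "regopenkeyexa":
            parts = arg.split("\\")
            lowered = [p.lower() for p in parts]
            if lowered[-1] == "run" and "currentversion" in lowered:
                autorun.append(arg)
            if (len(parts) >= 3 and lowered[0] == "hklm" and lowered[1] == "software"
                    and parts[2] and lowered[2] != "microsoft"):
                vendors_by_caller[ev["caller"].lower()].add(parts[2])
    return {
        "crypto_modules": crypto,
        "autorun_keys": autorun,
        "probed_vendors": sorted({v for s in vendors_by_caller.values() for v in s}),
        "sweep_callers": sorted(c for c, s in vendors_by_caller.items()
                                if len(s) >= sweep_threshold),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

The sweep heuristic is the generalisation worth keeping: rather than hard-coding the vendor names seen here, it flags any single return address that opens several distinct non-Microsoft keys under HKLM\SOFTWARE, which is what a "look for competing or previously installed ad clients" loop looks like in any installer, not just this one.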

DEBATE

You know my opinion, I think Zango's offerings are spyware, I always have and I always will. They'd prefer their products be referred to as adware and that they're harmless. I have debated this issue with them in person (perfectly nice people, but analysis supplants personality), and they would argue that, because their software only installs with the explicit consent of the enduser, it can't be labeled as spyware. To which I say, if it calls home, reports behavior, and shapes a response based on said behavior, it's spyware, EULA or not. Round and round we go, where we stop, no one knows. The searches define:spyware and define:adware will provide impetus for the debate.
If a user knowingly installs a widget or a piece of software with a EULA that describes its behavior, can it objectively be called spyware or malicious?
Comments welcome. Cheers.


Thursday, September 06, 2007

Spyware mill Zango strikes out...again

In their relentless pursuit of legitimacy, Zango had sued Kaspersky Lab "to force the company to reclassify Zango's programs as "non-threatening" and to prevent Kaspersky's security software from blocking Zango's programs."

Zango just doesn't get it. The simple fact that everything Zango "offers" is spyware is indisputable. Why can't they just embrace reality? It's very much like Darl McBride and SCO's claim that they "own" Linux. Pure twaddle. That Zango might actually have a legitimate software offering is pure twaddle.

So, when "the U.S. District Court for the Western District of Washington ruled in favor of Kaspersky Lab, granting the security company immunity from liability in a suit filed by Zango" the Best Damn Spyware Company swung and missed again. I recall chuckling for hours when Zango founder Daniel Todd decided to step down last month, and Zango tried to spin it like it was news, and that Todd's contributions to Internet society were extraordinary. Oh, the delusions of grandeur. All the rebranding, repositioning, and regurgitating in the world won't change the facts: Zango is a spyware company.
And I have to look at them every day, right across I-90.

Quoth Bill the Cat..."Thbbbt!"


Friday, May 18, 2007

Zango sues PC Tools, therapy suggested

Denial is a powerful tool in the arsenal of companies who refuse to accept who they are. Much like individuals in denial, the delusions of grandeur or the premise of being something they are not is pervasive. These situations often require therapy, so let's begin.
Such is the case with Zango, who this week decided to sue PC Tools for $35 million, based on the pretense that their "software" isn't spyware and is thus being wrongly removed by PC Tools' Spyware Doctor.
Here's where reality sets in: Hey Zango! YOU ARE SPYWARE! YOU'VE ALWAYS BEEN SPYWARE! Rebrand yourselves all you wish. Change the name of the company. Deny the reality of the situation all you want. It won't change the simple truth.
Let's review from a technical perspective, shall we?
From Bleeding Edge Threats (the Bleeding Edge Snort ruleset) we find the harsh reality of the situation. Consider a few fine signature examples from Matt Jonkman and team. There are no fewer than 25!
Posted as recently as April 23, 2007 we find:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Zango Spyware (tbrequest data post)"; flow: to_server,established; uricontent:"/tbrequest"; nocase; uricontent:"&q="; nocase; pcre:"/\/tbrequest\d+\.php/Ui"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2003610; rev:1;)

We'll cover the fundamentals here. flow:to_server,established means the rule only fires on an established TCP session, on traffic leaving the client toward the server, i.e. as the client reports home. Not unlike spyware, yes? The two uricontent checks and the pcre then look for a request to tbrequest<number>.php that carries a q= parameter, and the rule's own message calls that a "tbrequest data post". What might we be posting? User profiles perhaps, so you can invade their privacy and feed them BS? I think so.
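To make the rule concrete, here is an added example of mine (not Bleeding Edge's code, and not anything from Zango) that applies the same three content checks from sid 2003610 to HTTP request lines: the two nocase uricontent substring tests and the case-insensitive pcre on the URI. The request lines are constructed, not captured traffic, and the flow:to_server,established direction check is assumed rather than reproduced, since that needs the live TCP session state.

```python
import re

# Constructed sample request lines (not captured traffic). The third is a
# deliberate near miss, to show what the signature does NOT fire on.
SAMPLE_REQUESTS = [
    "GET /tbrequest2.php?v=1&q=cheap+flights HTTP/1.1",
    "POST /TBREQUEST12.PHP?sid=9&Q=foo HTTP/1.1",
    "GET /tbrequest.php?q=no+digit HTTP/1.1",
    "GET /search?q=zango&page=2 HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/\d\.\d$")

# pcre:"/\/tbrequest\d+\.php/Ui" -> U: match against the URI buffer, i: nocase
TBREQUEST_PCRE = re.compile(r"/tbrequest\d+\.php", re.IGNORECASE)


def matches_sid_2003610(uri):
    """Apply the content checks of the Bleeding Edge rule to one request URI.

    flow:to_server,established needs the TCP session, so offline we assume the
    request is already travelling client -> server. Snort's uricontent with
    nocase is a case-insensitive substring test on the (normalised) URI; the
    pcre is the regex check. All three must hold for the rule to alert.
    """
    lowered = uri.lower()
    if "/tbrequest" not in lowered:      # uricontent:"/tbrequest"; nocase
        return False
    if "&q=" not in lowered:             # uricontent:"&q="; nocase
        return False
    return TBREQUEST_PCRE.search(uri) is not None


def scan_requests(lines):
    """Return the URIs from raw request lines that the rule would alert on."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.match(line.strip())
        if m and matches_sid_2003610(m.group("uri")):
            hits.append(m.group("uri"))
    return hits


if __name__ == "__main__":
    for uri in scan_requests(SAMPLE_REQUESTS):
        print("ALERT BLEEDING-EDGE MALWARE Zango Spyware (tbrequest data post):", uri)
```

Two things the near-miss line shows. The rule needs the literal "&q=", so a request where q is the first parameter ("?q=") never matches, and the pcre needs at least one digit before ".php", so a bare tbrequest.php is skipped too. That tightness is deliberate (it is tuned to the exact 180search URL shape Symantec documents), but it also means a trivial change to the URL on the vendor's side is enough to go quiet, which is why an installer's behaviour on the host, not just one URL pattern on the wire, is what you want in your evidence.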
Why not take a look at the reference URL as well:
securityresponse.symantec.com
Why would our friends at Symantec label you a medium risk as adware and eradicate you in their definitions? Hmm...I can hear your crack legal team warming up the machinations of litigation once more. Oh wait, they sued you (or at least Hotbar) a few years back. Never mind.
But let's get back on track.
Instead of spending $35 million to sue PC Tools, keep your hard-earned money and spend a bit of time working on corporate morale and an enterprise-wide reality check. Embrace who you are. Accept that you are part of the "series of tubes" that is the Internet, and that you are knowingly filling those tubes. I'd go so far as to suggest hiring corporate counselors (not the legal kind) to aid your staff in accepting reality. I'd even go so far as to invite Senator Ted Stevens to come for a day to rally the troops thus: "The Internet is not something you just dump something on. It's not a big truck. It's a series of tubes. And if you don't understand those tubes can be filled and if they are filled, when you put your message in, it gets in line and it's going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material".
Just face the truth and we'll all be better for it. Soul searching serves us well. But when that fails, rename yourselves again. I suggest TheBestDamnSpyware.com. Best of luck in your endeavor.

