The pop-up ad campaign from hell

It's the latest in Web marketing innovation: Hijacked Web surfers, exploited Web browser vulnerabilities and malicious spyware all wrapped up together.

Published May 7, 2002 7:30PM (EDT)

Looking for state-of-the-art Internet skulduggery? Try this: Thousands of unsuspecting visitors to a family entertainment site are discovering a cornucopia of unwanted, potentially malicious software on their computers -- the result of a pop-up ad campaign, a booby-trapped Web site, a compromised Web browser, and strange doings at a shadowy Los Angeles company.

The story starts at Flowgo, a site that prides itself as the leading family entertainment portal. According to officials at eUniverse, the California firm that operates Flowgo, a pop-up ad that ran at the heavily trafficked humor site for a couple of weeks until late April caused the trouble.

The ad, purchased by a Los Angeles Internet marketing firm named IntelliTech Web Solutions, was designed to automatically redirect visitors away from Flowgo (no mouse click required) and to dump them at a booby-trapped site called KoolKatalog.

Once at KoolKatalog, visitors were invited to feed an e-mail address into a digital slot machine created in the Shockwave animation format. Solve the puzzle faster than anyone else, and KoolKatalog would send you a swell prize!

In the nanosecond it took most people to recognize the obvious junk mail trap, the real damage was already nearly done. According to virus experts, code in the pages at KoolKatalog exploited a known flaw in an old version of the Java engine of Microsoft's Internet Explorer browser to covertly download the first of 10 files onto visitors' computers.

KoolKatalog is currently inacessible, but its domain name was registered by an IntelliTech employee and the phone number listed in the privacy statement at KoolKatalog is the number for IntelliTech Web Solutions. Phone messages left with the receptionist who answered at that number were not returned.

A contrite spokeswoman for eUniverse said IntelliTech's automatic redirects violated its ad policy, and eUniverse pulled the pop-ups as soon as it learned what was happening. Flowgo has achieved its success, she said -- and helped earn its publicly traded parent several quarters of profitability -- by taking great care to protect the safety of its visitors.

But according to virus experts, tens of thousands of Internet users have been back-doored by the KoolKatalog-distributed "malware," which they have added to their lists of malicious code for scanning.

"When you exploit a security bug to get your program onto someone's PC, you've crossed the boundary into what we consider malicious," said Craig Schmugar, a researcher with McAfee, which refers to the KoolKatalog-served payload as Downloader-W.

While researchers have not yet completely decoded all functions of the programs, they say two of the files, BVT.exe and ABSR.exe, attach themselves to victims' browsers and covertly monitor which sites they visit. Other components, including a file called AUSVC.exe, appear to enable the program's authors to secretly send updates or other files to the infected computer.

What's more, the install program, a file called CoolStuff.ocx, checks to see whether the victim is running a firewall, and terminates if it finds one. If no security software is monitoring outbound network connections, the installer grabs other files from one of two IntelliTech Web servers, online1net.com and wwws1.com.

"Somebody took a lot of time and attention to create this. There's a lot of error checking and careful programming in there," said Vincent Weafer, director of Symantec's virus research lab. Backdoor.Autoupder, as Symantec calls it, quietly made the software firm's list of the five most-prevalent viruses in April.

While designed to be stealthy, the malicious code was revealed to many puzzled victims in recent weeks when it began causing instability in their PCs or crashed them.

Others discovered the program after updating their anti-virus signature files. Sam Evans, security analyst for a Midwestern semiconductor firm, said an anti-virus update in late April caused a sudden flood of reports from company employees. Cleaning the code off affected computers was complex and required editing the PC's system registry.

"We thought we disinfected all the computers, but our intrusion detection system is still reporting that internal machines are attempting to send information out," said Evans, who added that the company had "black-holed" (blocked access to) the range of Internet protocol addresses used by KoolKatalog and related sites.

Trend Microsystems, which since April 23 has received nearly 5,000 reports of infections by TROJ_SUA.A, as it calls the software, has released a free tool that automates the 49 steps required to remove IntelliTech's code from an infected PC.

IntelliTech itself has done little to clear up the mystery surrounding the surreptitious installation of its spyware.

Frank Bigott, a resident of Santa Monica, Calif., who holds the domain registration for KoolKatalog, said he had "zero knowledge" of the backdoor program prior to being contacted by Salon. Bigott referred all other questions to his attorney.

The lawyer, William W. Bloch of Beverly Hills, said Bigott resigned his position in sales and marketing at IntelliTech after learning of the incident from Salon. Bloch also gave Salon the cellphone numbers of three men whom he identified as IntelliTech management, but voice-mail messages left at those numbers were not returned.

Bloch says that Bigott determined that IntelliTech's management had placed the spyware programs on users' computers "to gain certain things that would result in increased revenue," such as commissions from affiliate marketing programs.

Susan Henrichsen, deputy attorney general for the state of California, declined to comment on specifics of the IntelliTech situation. But she noted that downloading software onto someone's computer without permission is tantamount to hacking.

"If, on top of that, you track people with spyware with the intent of selling the information, that goes way over into unfair and deceptive practices. It's really pretty appalling," she said.

The spyware tar pit that users encountered at KoolKatalog may have been connected to an earlier software development effort by a company called Volton Technologies, which also had ties to IntelliTech.

The agent of record for the incorporation of Beverly Hills-based Volton Technologies is Michael Osborn, one of the names provided by the lawyer Bloch as a member of IntelliTech management. Volton Technologies previously offered for download an apparently legitimate program that may have provided the technical foundation for KoolKatalog's twisted creation.

The program, which Volton termed a "browser toolbar enhancement," offered access to search engines and e-mail from a control panel at the bottom of Web browsers. According to the program's license, in exchange for the free software, users agreed to allow Volton to collect "anonymous" data on Web page views and responses to ads, as well as an inventory of the software on the user's PC.

The front door of Volton's search site, BestoftheWeb.com, invites users to download the toolbar. But the download page offers no link to the software and merely states, "Our new and improved toolbar is coming soon."

Similarly, a download link at Volton's BrowserToolbar.com site was disabled for weeks -- before suddenly reappearing May 3, when the site was relocated from an IntelliTech-owned hosting firm in Los Angeles, New Directions, to a new ISP in Canada.

Click the download link at Volton's new version of BrowserToolbar.com, hosted by Alberta-based Myrias Computer Technologies, and a message says a file called Coolstuff4.cab is being installed. But the toolbar installation fails because the server containing the file, online1net.com, is unreachable.

Online1net.com, along with wwws1.com and KoolKatalog, was summarily unplugged last week by Alchemy Communications, the Internet collocation facility that services New Directions.

When contacted by Salon on April 26 about reports of malicious code at the IntelliTech sites, Alchemy's vice president Jamie Daquino said his position was Shut down first, ask questions later.

"For someone to get written up as a virus, that's pretty serious. If they're doing what people are saying, it's illegal. We don't want to be associated with that," said Daquino.

Daquino noted that New Directions, which also goes by aliases including AlphaHostCo, Online Connect Group, Zones Now, Interhostland and Quik-Net, appears to be "companies within companies."

With its sites darkened by Alchemy, and its devious pop-up ads pulled by eUniverse, IntelliTech's misguided experiment in viral marketing appears to have been halted.

But Roger Thompson, malicious-code expert for TruSecure, said that spyware like that found at KoolKatalog.com remains a serious threat to the thousands of users who are infected and not aware of it.

"They are definitely still at risk. Only the original authors know exactly how compromised those PCs are. No one should want any uninvited back door on any PC," said Thompson.


By Brian McWilliams

Brian McWilliams is a freelance business and technology reporter based in Durham, NH.

MORE FROM Brian McWilliams


Related Topics ------------------------------------------