AdWare author

So I was reading this article about a guy who used to write Adware.  As someone who made a decent amount of money removing adware for people, I always find it interesting to see the other side of the coin.  One of the things that is really interesting is when you consider how adware authors fight each other as well as the end-user.  So certain types of adware could actually make your infected computer run better.  Sort of a Darwinian survival-of-the-fittest kind of virtual ecosystem going on, with your computer playing host to the battleground:



S: Did you feel this was the gently sloping path to Hell?

M: Oh yeah! Absolutely. [ laughs ] I actually believe that if you sum up everything I did it comes out positive, if only because I kicked off an awful lot more adware than I installed.



I never personally came across a registry key I couldn't delete, but I did find his description of creating "immutable" registry keys fascinating -- something I'd like to try out at some point.

We did create unwritable registry keys and file names, by exploiting an “impedance mismatch” between the Win32 API and the NT API. Windows, ever since XP, is fundamentally built on top of the NT kernel. NT is fundamentally a Unicode system, so all the strings internally are 16-bit counted Unicode. The Win32 API is fundamentally ASCII. There are strings that you can express in 16-bit counted Unicode that you can’t express in ASCII. Most notably, you can have things with a Null in the middle of it. That meant that we could, for instance, write a Registry key that had a Null in the middle of it. Since the user interface is based on the Win32 API, people would be able to see the key, but they wouldn’t be able to interact with it because when they asked for the key by name, they would be asking for the Null-terminated one. Because of that, we were able to make registry keys that were invisible or immutable to anyone using the Win32 API. Interestingly enough, this was not only all civilians and pretty much all of our competitors, but even most of the antivirus people.



http://philosecurity.org/2009/01/12/interview-with-an-adware-author
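The detection side of the trick quoted above, as an added example that is not from the interview or the blog post: the NT kernel reports a key name as a byte count plus an unterminated UTF-16 buffer (the shape of the KEY_BASIC_INFORMATION record NtEnumerateKey fills in), so a removal tool can flag any entry whose counted length is longer than what a NUL-terminated walk over the same buffer would see. The struct, the sample names and the function names below are constructed stand-ins so the check runs on any platform; it does not enumerate a real registry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 16-bit code unit like Windows WCHAR; wchar_t is 32-bit on most
 * non-Windows platforms, so a fixed-width type is used instead. */
typedef uint16_t wchar16;

/* Constructed stand-in for the counted-name part of KEY_BASIC_INFORMATION
 * (the real record also carries LastWriteTime and TitleIndex). */
struct key_info {
    uint32_t name_length;   /* length of name in BYTES, as NT reports it */
    const wchar16 *name;    /* counted buffer, NOT NUL-terminated */
};

/* Code units a NUL-terminated (Win32-style) consumer would see:
 * it stops at the first 0x0000, exactly like wcslen() would. */
static size_t win32_visible_units(const struct key_info *k)
{
    size_t units = k->name_length / sizeof(wchar16);
    for (size_t i = 0; i < units; i++)
        if (k->name[i] == 0)
            return i;
    return units;
}

/* Detection check: the NT-counted name is longer than the C-string view,
 * so there is a NUL inside the name and Win32 callers cannot address it. */
static int has_embedded_nul(const struct key_info *k)
{
    return win32_visible_units(k) * sizeof(wchar16) < k->name_length;
}

/* Count flagged entries in an enumeration result. */
static size_t count_suspicious(const struct key_info *keys, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += has_embedded_nul(&keys[i]) ? 1 : 0;
    return hits;
}

/* Constructed sample: one ordinary key name, one with an embedded NUL. */
static const wchar16 k_normal[] = { 'R', 'u', 'n' };
static const wchar16 k_hidden[] = { 'R', 'u', 'n', 0, 'x' };
static const struct key_info SAMPLE_KEYS[] = {
    { sizeof(k_normal), k_normal },   /* 6 bytes, fully visible */
    { sizeof(k_hidden), k_hidden },   /* 10 bytes, Win32 sees only "Run" */
};
#define SAMPLE_KEY_COUNT (sizeof(SAMPLE_KEYS) / sizeof(SAMPLE_KEYS[0]))
```

In a real tool the same comparison is applied to each record returned by the native enumeration call, with the raw byte count taken from NameLength rather than from any string function.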
