This is my talk: My Life as a Spyware Developer, or Why I'm Probably Going to Hell. So here is what we'll be covering in the next hour. I will be doing my presentation. I wasn't sure if that was going to work or not, so I'm glad it did.

Okay, so who am I? Currently, in my career, I am Integrated Solutions Lead at H Conan, in the office in Toronto and in Chicago. Although this is slightly out of date, because we just got purchased by Honeywell, so who knows what that job title will be shortly. Basically what that means is I write custom software for power plants. Not part of the talk, but it's things like tracking derates, outages, fuel consumption, energy produced, and reports based on that. I've also been doing a lot of NERC CIP work in the past year or so. In case you don't know, NERC CIP is a federal security regulation that all the power plants are now obligated to comply with, and if you don't, the fines could potentially be up to a million dollars per day per infraction, so they're not messing around. Previously I have developed pharmacy systems, online casinos, and dating websites. A little bit of everything. And also spyware. I use the term spyware mainly because a lot of my friends are not technical and that's a word that they understood, so malware is probably more appropriate, but that's the term I've used throughout my presentation, so replace that as you feel necessary. And this is my fourth DEF CON. Yeah, and it's an honor to be presenting here. Thank you.

So why am I here? I've never seen a talk about the subject, at least not from someone who admitted to actually doing this. I'm sure there may be a few of you in the audience. And potentially someone could have done this talk already, but I haven't seen it. And if you're here looking to find out any tricks, there aren't any, so sorry about that.
I thought it was interesting, and I only mention this because, you know, I never thought I'd be the type that would present at this conference, and maybe you're thinking the same thing. So if you have an interesting story, I definitely recommend that you present, or at least attempt to. Yeah, it's been a good experience so far. And also, I'd say don't do what I did. That's kind of the main lesson learned throughout this, as you will see.

All right, so this story is a bit out of date; the whole thing started back in 2004. I lived in Edmonton, up in Canada, and then I moved to Vancouver, and basically I was broke. And this is where I discovered it's not what you know, it's who you know. All my academic friends and social worker friends were not too useful in helping me get a development job. I had some money saved up, but it was running out, so I was getting a bit desperate. I also want to emphasize the fact that I had no security background whatsoever, no spyware background; I was just a developer. I had no specific skill set before I got into this whole thing.

Yeah, I found the job on Craigslist, and like many things on Craigslist, you can get yourself into a lot of trouble. I was looking at other places; I had a headhunter, but they didn't really know development stuff, so they were not super useful, and Monster.com. But this is what came up, so I applied and went down to the office. I think it was on a Thursday. The guy interviewed me, and basically at the end of the interview it was, you can have the job if you want; if you accept, show up on Monday. And I did. I think it seemed to him, who was completely non-technical, that I seemed to know the most, so they made me lead developer. So that's about as diligent as they got. And there were five other programmers as well.

So, the history of this company that hired me.
So he had these software people, and they were doing some other stuff as well that I wasn't involved with. There was some other shady character out there funding the whole deal, but my boss was just kind of running the business that was putting the software together. They had tried previously with a group of outsourced developers from India, and they put it together and apparently it worked quite well. But my boss said the time difference was too much and they had some kind of falling out. So that relationship ended, and it turned out that the falling out was that he didn't pay them. So he didn't get the source code, which, you know, should have been a bit of foreshadowing, if you can't guess. But again, my landlord was expecting me to pay money at the end of the month. So that's why we got put together. His former developers were no longer there and he wanted some local people.

So here are just some of the overall features of the spyware we developed. Nothing too shocking. The client application is where the nasty stuff happens. Run any application we wanted: once it was installed, it would basically download whatever EXE we wanted and run it. Not shocking. This was mainly with the intention that we would update our own software, but we could have done whatever we wanted with it. Ads. Adding links to your favorites list, icons to your browser, shortcuts on your desktop, changing your homepage and search provider, and also keyword search pop-ups and hyperlinking. So we had a massive XML file with all these keywords in it. For example, flowers. If you did a Google search or a Yahoo search or whatever search engine we were configured for, after you searched, it would give you a pop-up with a banner ad related to your search term. And it wasn't like a standard HTML pop-up, because it was modal. So you couldn't click it into the background. And hyperlinking: if we found that word, flowers for example, on the page, we would turn it into a hyperlink.
You click on it, it would go through an affiliate link, which I'll get into later, where if you bought something off that web page we would get commission for it. So affiliate abuse was kind of the crux of this application. It also checked for updates daily, so the application could be updated, or this XML file with all the data in there. On the server side we could track installs, updates, how often they were updating, IP address, where it was coming from, and manage multiple campaigns, as was the term that was used. So, I guess, different sources of where the spyware was getting installed from. You could see how effective each source was. And we could upload new versions of the software, or any file we wanted, and it would get run.

So when we were writing this, a lot of antivirus and malware protection software was pretty stupid. It would basically look for specific files in specific locations and maybe do a hash check, and if it matched something in their bad list it would delete the file or attempt to remove it. So to get around this we made each install unique, with some variation. No two installs would be alike: the file would never have the same file name, and it would never be in the same location. System32, Program Files\Common, basically any directory on the computer the software could be installed to, and each file would have a separate location. And then to get by a hash check: some antivirus and malware protection will just check every file regardless and see if it matches its hash. So if you just throw some garbage at the end of your file, you'll get by that, no problem. And again, this is just me as a regular developer; it just made sense to me. It's not like I was a security researcher or anything like that. It was just common sense. So while I worked there, with these basic tricks, no malware protection software was able to remove it or detect it.
So I don't know if they needed more time. It was running for a few months. So I don't know; if your protection against evil software is defeated by changing a single bit, it's not very effective. We started looking into hiding files in alternate data streams, which is a not very much used feature of NTFS where you can basically hide files in the file system. I think the only thing it's really used for is that in newer versions of Windows, if you download a file off the internet and you go to execute it, it'll say this file was downloaded off the internet, do you want to execute it or not. That flag is set within alternate data streams. But we ran out of time and just didn't really get anywhere with that.

So the big money-making scheme that this piece of software was supposed to do was affiliate hijacking. Basically every site, like amazon.com for example, has an affiliate program. So if you run a Twilight fan page, at the bottom of the page you're going to have, do you want to buy Twilight the movie or the book; you click on that, it goes through your referral ID, and you'll get commission on the purchases. So that's what we were hoping to abuse, to make money off other people's purchases. We had a list of domain names in a separate XML file and a list of affiliate links that we had set up, and we had done this for hundreds and hundreds of websites. Well, not me, but the business people that were working for my boss. So if you typed in amazon.com, our software would pick that up and redirect you through our affiliate link. The only problem with this is, if you went to a direct product link, like if you actually clicked on the Twilight book that you were going to purchase off the fan site, it would redirect you through our affiliate link and then bring you back to the Amazon homepage.
So that'd probably be a clue that something was going on, and we could have made that smarter as well, I assume, but we didn't get that far. And like I said, you'd get commission off anything that was purchased, and yeah, there were hundreds of links, and you can get these in bundles: you sign up for one program and you'll get affiliate links to dozens of websites, for example. This was in 2004; I'm not sure how this is run now.

We also created a kernel module. Basically this would hide all the files from the users. So if you opened up Windows Explorer and browsed to the directories that our files were hiding in, they would no longer show up. If you cracked open a DOS command prompt and did a dir command, it wouldn't show up there either. And even when they were executing, they wouldn't show up in the Task Manager. If you managed to delete them or managed to show them somehow, it would automatically download and replace and re-randomize the files once more. This would probably be called a rootkit now. A lot of this stuff I have terminology for now, but back then this was just me going, oh well, this makes sense to do. I wasn't really thinking in any of these terms, I guess.

So the technology we used on the client side was basically an Internet Explorer plugin. Microsoft calls these Browser Helper Objects. There's not a lot of documentation on them online, but we found out that this is what we needed to do to create our add-on, or malware, to get into IE and integrate with it. And we found enough information to do everything we needed to do. We programmed this in Visual C++ 6, which is a bit archaic. The other developers definitely resisted this. They wanted to do it all in .NET, which is a much easier language for sure, but also requires that you download the 200-plus-meg .NET library, which is not something you really want to do if you're trying to infect someone's computer. Every version of Windows since 95 has the Visual Studio 6 libraries built into it.
So anything you build in C++ 6 or VB6 will just run out of the box. On the server side, the web interface was done in PHP with a MySQL back end. So just tracking statistics, uploading new versions, and the GUI to maintain this whole system. And everything was hosted on Russian servers, guaranteed to never take down content, no matter how many nasty letters they got or who they came from. And true to their promise, they never did. I don't know if they're still around. I probably have that in some archived e-mail somewhere. It'd be interesting to see what their name is, because I don't remember off the top of my head.

So you might be wondering, why would anyone want to install this wonderful software? Basically my boss said he would pay $10,000 to whoever found a way to remotely install our software. And I took that challenge up. When you take a job like this for money, an offer like this is enticing. So this is another surprise: it exploits an Internet Explorer flaw. Shocking. So our exploit, and any exploit with remote execution, requires two things. You need to get the file on the computer and out of the protected IE zones; if you go into the security panel of Internet Explorer, you've got trusted sites, local intranet, that kind of thing. Those are the zones we're talking about. So we want to bust out of those zones. And you also want to execute the file once you get it on the hard drive. So again, me not really being a hacker, and I don't claim to be leet at all, I basically signed up for security mailing lists and just sat there until something came along that looked like it could be used for this. And we found one pretty quickly. Basically you'd create a custom CHM file, which I think had the EXE embedded into it. Those are basically help files; I think it stands for Compiled HTML. And for some reason Windows Media Player would be able to execute it once it was embedded in this CHM. I can't remember the exact name of this exploit.
It came out just before Service Pack 2 for XP came out and Microsoft actually made security a bit of a priority. That shut down this exploit, but people don't patch their machines, so it's not actually that big of a deal.

Yeah, and my boss was convinced that this was not illegal. And you know, I'm not a lawyer. Who knows? I'm also from Canada, so I don't know if the laws are different there than they are here. Plus everything was hosted in Russia. So that adds more fun to the mix. And I'll show you why he didn't think it was illegal: we basically created a custom installation dialog.

And my boss never paid the $10,000. I don't say this to make you feel bad for me, because I definitely don't expect that. I just want to say that this industry, surprise, surprise, attracts a lot of scumbags. Yeah, don't trust their word. I think basically what happened is the guy who was funding the operation gave him the money and then he gambled it all away, because apparently, I found out later, he was also a gambling addict. Yeah, so there were lots of promises of the money, but not actually any of the money, which is slightly different. Not worth nearly as much.

So if you remember back in the glory days of Internet Explorer 6, whenever something asked to basically become integrated with Internet Explorer 6, you would get this dialog, which was, like, I'm not a usability expert, but this is insane. Do you want to install and run a .cab file? Your grandma is not going to know what that is. And it says the publisher cannot be determined due to the problems below: the test root has not been enabled as a trusted root. Yeah, so very clear. Anyway, I don't even think you really need to use an exploit. I think there's a certain percentage of people that will click yes no matter what. But anyway, we had our exploit and we were using it. So this is our installation dialog, and it's a bit more devious.
I didn't put this together and I didn't word it, but it's pretty hilarious. It starts at the top: Browser Enhancer. I'll read this out, because I don't know if people at the back can see it. So, Browser Enhancer, in big bold letters. That sounds awesome. Congratulations! You have been awarded a browser enhancement, exclamation mark. Key features of our software include: number one, giving the user another opinion while they surf the web, broadening their experience and knowledge of the web. I don't know what that means, and broadening is also spelled wrong. Number two, giving options to search the web with great search engines. And three, providing the user with other partner software free of charge. You have previously agreed to our terms and conditions to get to this step of installation and can review these terms by clicking on this link. So this actually would bring up our terms and conditions, and it was long. It was probably 20 pages if you printed it out, and basically boiled down to, we own your machine, and if you can close all the pop-ups we'll let you use it once in a while. And the last paragraph is pretty good: if you change your mind and would like to continue the installation, please uncheck the box below and close this window. If you leave the box checked and close the window, we will finish your installation free of charge. And there's a little checkbox just off to the bottom left there.

And I think it was even more devious than that. Back in the day there were a lot of pop-ups. Pop-up blockers weren't really integrated into browsers. So when you saw something pop up, you would automatically just close it right away. It was almost completely subconscious. So if you had done that, you would have installed the software. And I probably would have fallen for this. So if you clicked the X in the top right, or the big Close This Window button, it would have the same effect.
And I think even if you unchecked the box, what you actually had to do was go to the icon at the top left, the MFC icon there. There's a custom context menu item added saying Exit Without Installing. So you had to uncheck the box and then close it from there. So it's even more diabolical, because everyone uses that left-hand context menu all the time, right?

So I covered most of this: custom installer, bypass the standard install method, legal disclaimer, which my boss claimed was not needed, but just in case. And you know what? He might actually be right. The vast majority of people probably would have still got hung up by this dialog, but it does present the terms and conditions. So you know what, he could have been right. But again, I'm not a lawyer. And it's tricky not to install, obviously.

So how do we deploy this installer? Because again, even with this message, you're not going to want to do it. This is another thing that I've since learned to call drive-by downloads. But back then it just seemed like the way to do it. And I didn't come up with this idea; I think one of my bosses got this idea from some other scam they were pulling. So: putting the exploit in banner ads. Basically websites don't know what ads they run. They sign up with an ad network and they agree to host their ads and they get paid for it. I think you can configure it, like I only want certain categories, but they definitely don't get to view every single ad before it shows up on their website. This was five years ago, almost six years ago now, so I don't know if it's different. But that's how it was back then. And also, as someone who is serving up these ads, we didn't know what websites it would show up on. I think the biggest site we got put on was yellowpages.com or whitepages.com, and the installs went through the roof once they got on there.
So basically the ads are hosted on our servers. The ad networks, I guess, don't want to host them themselves. If they did, they probably could have detected half this stuff and done something about it. Maybe they do that now, but that's how it was done back then. So you would run the ad campaign for a few days, and once, I guess, they were satisfied that it was legit, we would then open up our zero-by-zero iframe. It is essentially another page that had the exploit in it. And we could set it up so that it was only shown to a fraction of viewers, like 0.05% if you know you're going to get a lot of traffic, only because it would be harder for people to track down where it was coming from. If you went to another machine you wouldn't get exposed to it again. But my boss was greedy and that was basically cranked up to 100 all the time. And we would check: if you were running a Mozilla browser or Opera or something like that, we wouldn't expose the iframe to you, because it clearly wouldn't work. It was IE6 specific. And we'd also keep track of the IP addresses on the server and not show it to the same IP address twice. We'd set a cookie as well, but we didn't really rely on that, because the user actually has control over their cookies, or maybe not, depending which talks you've seen.

So how does this whole business make money? We ended up with over 12 million installs of the software. Which, I don't know, with our ability to run whatever executable we wanted, I guess you could maybe even call this a botnet. We weren't thinking in those terms at all. So guess how much money our software made with 12 million installs. Anyone want to shout out some numbers? Not a dime. So it's really depressing that you have this evil, shitty software, and you get it installed on 12 million of grandma's computers, and no money was made on it.
So the funny thing is, affiliate programs for these websites like amazon.com and everyone else know people are going to abuse their affiliate system, so they have all this fraud protection in place; they're watching out for it. They'll watch out for it to the degree that they will not pay you, but they will still continue to allow these pieces of software to serve up their ads and allow people to buy whatever they're selling through them. They could easily just shut off the banner ads, because they're the ones actually hosting them, or at least put up a message saying you've been infected with something, something illegitimate is giving you these pop-ups. But they're willing to take your money while they're not willing to pay the scam artists that are actually making it happen. So that's interesting. Again, I don't know if it's different now, but that's how it was back then.

But my boss still made a lot of money, so this is interesting. How was this done? Our software would make money by installing other people's software. Basically you can make around ten cents per install of someone else's software. I think it ranged from as little as five cents to as much as twenty-five cents, depending on the package. Some of this might have been legitimate software, but the majority of it was other spyware, from people convinced that they could make money where we did not, using the same techniques.
So my boss would package as much spyware as he could get paid for, around 20 different packages, into one big payload and then try to get paid for all of it. He probably would have done more, but at that point your computer is essentially unusable. The companies would always argue about the number of actual installs they had, so they would generally only pay for around sixty percent of installs. But when, simply by opening up an iframe, you're getting twenty million installs, and this was over a couple of months, times about ten cents per twenty different packages, that's very easy money, and a lot of it.

So what happens when you install twenty pieces of spyware at once? Some programmers were a bit lazier than ours. They would have a 900K executable and attempt to download the .NET framework, which is like 200 megs, and they didn't even do it silently, so if you let it download, you would actually see the progress bar and the .NET framework getting installed. And I'm actually convinced that the .NET framework allows you to do silent installs; they were just lazy.
Your computer will never be slower. We had a series of test machines with images we would just refresh all the time to test this out, and it was brutal. You'd open up Internet Explorer and it would be nothing but search toolbars, and even some of the pop-ups that would happen would have them too. And they would try to uninstall each other, because they know if your machine is vulnerable and you've got their software installed on it, there's a good chance that you had other people's stuff installed on it too, and they only want their pop-ups showing, not other people's. So they would try to uninstall each other, and this included installing antivirus. So if your software was using basic polymorphic techniques like we were, and I was no expert on this stuff, and they knew that antivirus wasn't picking up their software, they would install antivirus with the hope that it would remove everyone else's. And I don't know, but maybe they were getting paid to install the antivirus, which would be really interesting, actually.

So, you want to be a millionaire? Because you can. All the technical stuff I've covered is easy; any developer should be capable of this. All you need is access to Google and you can figure this stuff out yourself. It's not rocket science at all; there's nothing difficult on the technical level of any of this stuff. All the work is having the business people sitting there and making sure they get paid for all the installs, and that's mainly what my boss was dealing with. But the technical part is all out there on the internet; it's even on Microsoft sites, this is how you create Internet Explorer add-ons. Once you've got that, you can do whatever you want with it. And my boss was convinced that no laws were broken, and that's mainly because of the custom installer. And it didn't really even hurt; you probably lost maybe five percent of installs by throwing it up there,
which is insignificant if it covers your ass legally. And he did not want to go to jail. And you know what, that may have worked; I'm not sure.

And all you need is basically no conscience. I've worked for a few internet companies, and it just seems to attract, especially web startups I'll say, the worst scumbags. They seem to think the internet's this big get-rich-quick scheme. I basically have a policy of not working for web startups anymore; I've been burned too many times. You also need people you can trust. As I've said, all this stuff is super easy to put together, and once people are working on or doing this, everyone gets the same idea around the same time: my boss is making how many millions of dollars for no effort, why do I need him? So everyone that was working for my boss basically went off on their own and tried to do the same thing, to the point where my boss only worked with family at that point, because he knew he could trust them. Everyone else tried to go it all on their own.

So how did this all end? I covered this, but much like other internet companies I've worked for, they basically locked their doors and stopped paying everyone once it became apparent the venture capital ran out, or they just thought they'd take the money and run, or whatever. Again, I don't want you to feel bad for me, but that is what happens. And of course it was on payday. He was around every day that month except that one day, for some reason. It also happens to be the time that your rent is due as well. I found out after the fact that the company was founded at an AA meeting. That's not really relevant, but I thought it was interesting. Weird, but apparently that's what happened. And I guess probably my boss fell off the wagon; that's why he took off. But I didn't know this until after the fact.

So I went on to work for the person who was paying my boss and funding the
whole operation. Again, I knew what I was doing was not great, but I also needed money to eat and live. Once I saved up enough money and gave myself some time to find a new job, I was going to do that, so this surprise kind of messed up those plans. So yeah, I went on to work for him. He knew I was doing most of the work anyway; the software was basically done, so what do you need everyone else for? I did that for a few months, I think two and a half months, until I saved up enough money to finally get out of there and start a real job search. I was working about 80 hours a week, because I was doing the work of about five people, and I can do that for a while, but I can't do it for a few months. It was a bit of a wreck, and I like to be able to sleep at night.

So the fact is, I think all of us know we should keep our patches up to date, and we know how to browse safely, or at least we think we do. So most of this stuff is going on on grandma's computer, who only has a computer so she can look at her grandkids' pictures on Facebook. So it's a pretty scummy thing to do, and you know, I never liked it, but I definitely had enough at the end. This period on my resume is listed as contract work, which is accurate, but I definitely don't get into the specifics at all.

So my boss was also doing other scams, and I wasn't involved in these, but I thought I'd list them out for you anyway. Trying to throw off search engine results: I don't know the specifics of it, but certain search terms, like asbestos lawsuits, are highly valuable to search engines, because the ads associated with them are, I think, the highest in the business. This is also known as search engine optimization, so I don't know where the legit version starts and ends. And they had their own search engines with paid top results, so they would get other people to pay for top links to their search engine. I saw a couple of them, and they were never
websites I'd ever heard of, and I'm assuming they only ever got used through other malware that got installed. And this other thing with news video pop-ups, where apparently the most valuable pop-up to show is a video, so they had a specific version of the software to force users to watch a video a day. That's where the biggest money is for advertising, I guess, at least four years ago.

So what can be done about spyware, or malware? As long as there's money to be made, someone will try, even if money can't actually be made, which is kind of what we saw. As long as they can get a venture capitalist to give them the money to attempt it, this software will exist. So I don't think this is going away anytime soon, unfortunately. Or even if you think you can make money off people who think they can. This is kind of where we ended up, because our software didn't make any money, but we were making our money off people who thought they could. So it's very meta, and it's basically a big pyramid scheme: as long as someone's willing to pay you to do it, even if it never makes a dime, they will try.

And I think blacklisting is just useless. Maybe it's a bit smarter now, but as I mentioned, if your evil software can get by the system by changing a single bit, your blacklist will always be out of date. There will always be ways around it. You basically have a list of software that you don't want your computer to run, and it will always be behind; the attacker will always have the advantage. So I think whitelisting is the future, or at least should be. I've seen whitelisting: basically, rather than you can't run these programs, it's you can only run these programs, and any other executable that gets on the system is basically denied access to anything. I think these can be made consumer friendly. I've seen some enterprise versions of the software and it works quite well. It's not perfect, but at least I know if I got a bad piece of software on my machine
I can go to a list and see, oh, it's that one, and I can remove it and it's no longer a problem. As for why whitelisting software is not out there nearly as much as antivirus or malware protection, even though I see it as vastly more effective, I guess you just can't make money selling virus signature updates with it. So I imagine at some point this will be baked into Windows or something like that. It almost has to be, because it doesn't make sense for all the software to not be polymorphic. If I could do it, anyone can do it, so it's only a matter of time before all this stuff is, and then blacklisting gets you nowhere.

So what did I learn? Creating spyware is not hard. I did it. I had no specific security background. The big idea was: this is what I thought it should do, and I made it do it. It wasn't rocket science in the least. And you can easily make a lot of money on the internet if you've got no scruples. It's kind of depressing. So yeah, the software will be here always. AV and malware protection seems almost useless. I don't know, maybe I'm wrong, or maybe it's smarter than I think it is, but it was shockingly easy to get around it. The software is not going away, and again, back to people thinking they can make money on it, it's just kind of depressing. As much of this stuff as comes up for machines, and all this spam we get, to think that it's all for nothing, that not even a single person at the other end is benefiting from it monetarily, is slightly depressing.

And this is kind of the note I want to end on: it's not worth compromising your ethics for money. I did it because I was broke. I knew it was wrong. I did it anyway. I don't know, maybe I should have asked my parents for money or something, but it's just not worth it. So stay away from these scumbags, because they'll rip you off in the end anyway. And yes, your honor is worth more. And that's basically it. I'll be in the question room at the end of the hallway, so if you have
any questions or want more technical details, because I was pretty light on that, I'm more than willing to be there for an hour.