Anatomy Of Drive-by-Downloads (Installation)(Part 2)

On March 23, 24, and 26, I visited a web site named LyricsDomain (http://www.lyricsdomain.com/). This web site purports to help users with the lyrics to popular songs:


In
fact, it is a web site that distributes advertising software from C2
Media, known to many web surfers as Lop.com after one of the company's
main web sites ("lop" stands for "live online portal"). There is
nothing on the home page of the LyricsDomain site, however, that
overtly indicates its association with C2 Media.



Figure 1: LyricsDomain home page
The site's privacy policy (http://www.lyricsdomain.com/privacy.html) is fairly innocuous and even appears to be "consumer friendly":

Although
I was familiar with lyricsdomain.com and the software that I would
encounter there, many consumers would not be, and that lack of
familiarity with the web site or C2 Media could very well play a
crucial role in determining how average consumers handle the
"drive-by-download" process at LyricsDomain.
The "Security Warning" Box

When I landed on the LyricsDomain home page, I was almost immediately
confronted with a "Security Warning" box from Internet Explorer:



Figure 2: "Security Warning" for "Software Plugin"
This
is the standard warning box that Internet Explorer provides users for
ActiveX controls loaded by web sites. Unless they have changed the
security settings for the Internet zone in Internet Explorer, users
should see this warning box whenever they encounter a page that
attempts to install an ActiveX control on their systems. This
particular warning box resulted from a hidden IFRAME (a window within a
window) in the HTML of the LyricsDomain home page. That IFRAME loaded
another small page (count.htm) that itself used JavaScript to begin the
installation of a 12 kb ActiveX control named download.mp3.exe from
lyricsdomain.com. As we shall see, this small ActiveX control was a
stub downloader that would be used to download and install several
megabytes of other software -- in total, eight different programs from
at least three different vendors. That whole installation process,
though, started with the automated installation of this small,
innocuously named file described simply as "Software Plugin."

Despite its title, this "Security Warning" box contains very little
information that would help consumers assess the potential privacy and
security risks of the software to be installed on their systems or even
to understand its purpose and functionality. The text chosen by the
vendor to describe its software ("Software Plugin") is so generic and
vague that consumers could easily mistake the software for a simple
browser plug-in necessary to use the music content of the site. In
fact, this software has almost nothing to do with the content or
functionality of this music site, but the "Security Warning" does
little to indicate that. Moreover, it contains no strong language to
warn users of potential privacy and security risks.

This warning box does contain two links (see Figure 2 above) which
users can click to get more information about the program and to view
the digital certificate of the vendor (misleadingly named "Software
Plugin Ltd.") that digitally signed the software for distribution.
Users might not recognize that those links are in fact clickable links,
though. Even if they do, the information that they will get from those
links is almost worthless. The information link for the vendor opens a
new browser window to a page titled "Search the Web!" (http://www.lop.com):



Figure 3: "Search the Web!" home page
Not
only does this home page have no clearly discernible connection with
the named software vendor ("Software Plugin Ltd."), but it contains no
information at all about the software being installed. There is no EULA
(end user license agreement) or any other information that might help
the user understand the company or the nature of its software. Even at
this stage there is no indication that C2 Media is involved in this
process at all (though savvy internet users might recognize the domain
name lop.com). There is a small "Help" link at the bottom of the page
(not shown in Figure 3 above) that does take users to a page with
information about C2 Media's or Lop.com's software (http://www.lop.com/help.html).
It is doubtful that most users would even know enough to click that
"Help" link, and those did could be forgiven for not understanding the
relationship of the software described on that page with the "Software
Plugin" being installed by LyricsDomain.

The
"Security Warning" box does provide other means for users to get more
information, almost none of it helpful. The link to the vendor's
digital certificate brings up that certificate (see Figure 4 below),
but it contains no useful information about the program itself. The
"More Info" button provides only a help page (see Figure 5 below) with
generic information about digital certificates used to sign ActiveX
controls -- again, of little use to users attempting to make a decision
about this particular "Software Plugin" and what it might do to their
systems:

At
this point we have seen nothing to indicate anything untoward or
suspicious about the "Software Plugin." In fact we have gotten very
little information at all.
The License Agreement
That situation changed dramatically once I clicked the "Yes" button in
the "Security Warning" box (see Figure 2 above) and agreed to proceed
with the installation. Another dialog box popped up with a license agreement (see Figure 6
below).



Figure 6: "Verification Box - Free Software Plugin"
This license agreement
is no simple matter. In fact, this license agreement for "Free Software
Plugin" contains not one license agreement, but EULAs and privacy
policies for three different companies. By clicking the "Accept" button
in this "Verification Box," users are in fact consenting to the
installation of a whole raft of software, not just the "Free Software
Plugin."

Taken together, these various EULAs and privacy policies total almost
eighteen single-spaced pages (thirty-six double-spaced). In 8400 words
of dense legalese packed into numbingly long paragraphs, this
agglomeration of licenses and privacy policies lays out a grim picture
of the software to be installed on the user's system (see note below). What follows is a summary of the key terms (so far as I could make them out) contained in these documents:


Table 1: Summary of License Agreements and Privacy Policies
It
took me almost an hour to plow through these licenses and privacy
policies in a careful manner and extract the key terms of the
agreements, though even now I have to wonder if I caught everything
significant and understood it properly. I think it entirely
uncontroversial to state that this kind of document (or set of
documents) could be read wholly and productively only by a practicing
attorney -- and even then only one with endless amounts of time and
patience.

We should also emphasize at this point that
there was no reason in the world why these three vendors could not have
supplied a more readable summary of the key terms of their software
license agreements, such as I have done above. (We leave aside for now
the issue of just why these companies would be distributing their
software through an arrangement in which users consent to the
installation of an innocuously named "Software Plugin" from a music
lyrics site only to agree to the installation of several megabytes of
other software, all completely unrelated to the functionality of a site
named LyricsDomain.) I know of no average user who would have the
faintest hope of getting through these documents, if indeed they ever
tried.

What all too many consumers will do when confronted with such an
impenetrable wall of legalese is do what I did: click "Accept" (see
Figure 6 above).

Note on the "Free Software
Plugin" License Agreement: It turns out that my
original figures on the length of the license agreement were wrong. When
I performed my trials on Mar. 23, 24, and 26, the "Verification
Box" would not display the entire license. Thus, when I
copied the license from the scroll box, I missed about 1000 words at the
end of the Alset license agreement. I discovered this problem on a
retrial with the download.mp3.exe stub downloader on Apr. 10. During
that partial retrial I used the "Select All" context menu
option to grab the entire license. The complete license agreement
actually spans over nineteen single-spaced pages (almost forty double-spaced) and
totals 9400 words. [return to license
discussion]continued on part 3