 Anatomy Of Drive-by-Downloads (Installation)(Part 3)

Posted by Admin on Tue May 12, 2009 7:34 pm

Once I accepted the agreements, the stub downloader
(download.mp3.exe) proceeded to download and execute a number of other
installer programs. These executable installers ranged in size from 228
kb to 1074 kb. As each one finished downloading, it proceeded to
install various software programs on my system. New directories were
created in C:\Program Files\ on my hard drive for these programs,
though a few files were installed to C:\Windows and C:\Windows\System.
New browser windows and pop-ups appeared as the freshly installed
programs began running, and my system slowed dramatically, becoming
increasingly sluggish as more programs executed and loaded into memory.

When the dust settled and the installation process finished, my PC was
the unhappy new home to no less than eight different programs, not all
of which were clearly flagged in the EULAs and license agreements that
I had read. What follows is a summary of the programs installed on my
system by the "Software Plugin" from C2 Media:

Company        | Program             | Install Directory                    | In EULA?
---------------|---------------------|--------------------------------------|---------
C2 Media       | Window Active       | C:\Program Files\Window Active       | Yes
C2 Media       | Window Searching    | C:\Program Files\Pop User Jugs       | Yes
C2 Media       | ErrorOnce           | C:\Program Files\Dead Remote         | Yes
AdIntelligence | Apropos Media       | C:\Program Files\SysAI               | Yes
AdIntelligence | AutoUpdate          | C:\Program Files\AutoUpdate          | Yes
Alset          | HelpExpress         | C:\Program Files\Alset               | Yes
Alset          | Coupons and Offers  | C:\Program Files\couponsandoffers    | Yes
??             | Rads01.Quadrogram   | C:\Windows\                          | ??

Table 2: Installed Programs

Some explanation of this breakdown of installed programs is in order. I have
identified and classified the programs that were installed not only by
examining the directories and files that were created on my hard drive,
but by reviewing the license agreements and looking for key words. The
uninstallation information contained in the Add/Remove Programs Control
Panel applet proved useful as well, especially for determining the
names of some applications. I have also based this classification on
the scan results from SpyBot Search & Destroy and
Ad-aware,
two anti-spyware programs that I used to clean up my system (see the
last section, "The Cleanup," for more details). In some cases I have
consulted online resources in order to identify the programs for what
they were. As a general rule I have regarded software as a clearly
distinguishable program when it was installed in a unique directory
(e.g., C:\Program Files\SysAI vs. C:\Program Files\AutoUpdate).
Although each of those directories might have contained several
executable files, I have still classified those files as a single
program or application.

There is some doubt as to
the identity of at least one of the programs installed. The
Rads01.Quadrogram program was installed to the C:\Windows directory --
the only program file of its kind. It consisted of a single executable
file (emsw.exe) that Ad-aware flagged as emanating from a unique
"family" or vendor named Rads01.Quadrogram. Online research seems to
cast doubt on that identification, though. Rads01.Quadrogram.com is a
domain associated with the "Peper" trojan -- see the information from
Network Associates (http://vil.nai.com/vil/...) and Kephyr.com
(http://www.kephyr.com/...).
The "Peper" trojan uses random 14 character file names, not the
emsw.exe file name. That file name is reported to be associated with
Alset HelpExpress -- see the information pages on "emsw.exe" from
SysInfo.org (http://www.sysinfo.org/) and "HelpExpress" from PestPatrol
(http://www.pestpatrol.com/...).
As I was unable to determine which of the several installers was
responsible for installing this program, I am not certain whether this
program was covered in any of the license agreements or privacy
policies (thus the "??"). Whether the vendors involved in this package
of downloads consider that program to be covered, I do not know; it is
unclear to me even which vendor was responsible for putting that
program on my system.

This seems a good point to
emphasize the great difficulty in sorting out just what was actually
installed on my system. It has taken considerable effort to sort
through all of the newly installed files and directories and identify
the programs as well as the vendors responsible for them. And despite
its great length (8400 words), the collection of license agreements and
privacy policies was of only minimal help in determining what had been
installed and where.

The Apropos Media program is a good illustration of this confusion.
That program was installed to C:\Program Files\SysAI, yet the
installation program responsible for creating that directory was named
AproposClientInstaller.exe. As there was no Add/Remove Programs entry
to clarify the name of the program (as was the case with Window Active
and Window Searching), I had to rely on the anti-spyware programs (Ad-aware and SpyBot Search & Destroy)
to identify the program as Apropos Media. While the name "Apropos" does
not appear anywhere in the AdIntelligence license agreement or privacy
policy, the privacy policy's discussion of the "AdIntelligence
AdServer" software does seem to cover what the anti-spyware programs
labeled Apropos Media. Moreover, the Apropos Media web site also
indicates its association with AdIntelligence (http://www.apropos-media.com/). Similar problems hindered my efforts to identify several of the other installed programs as well.

When software vendors dump such a confusing mix of programs and files
on users' hard drives and then slap consumers with eighteen pages of
dense legalese to explain the resulting mess, those consumers have very
little choice but to take vendors at their word -- the chances that
they could ever verify that vendors are abiding by the terms of the
license agreements are slim to none. Consumers who are faced with such
business practices simply cannot be expected to make informed decisions
and choices about the software they encounter on the internet.

I should also note at this point that I performed this
"drive-by-download" process at LyricsDomain twice on Mar. 24 and once
again on Mar. 26 in order to verify my results (I initially visited the
site on Mar. 23 to confirm its association with C2 Media). In between
installations I completely cleaned up the system, using a combination
of vendor-supplied uninstallers, anti-spyware programs, and a manual
process of searching for and removing leftover files and directories.
The results for this "drive-by-download" process were the same each
time I went through it.
Continued on Part 4
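The post above sorts new files into "programs" by hand: one unique directory under C:\Program Files counts as one program, and a loose file dropped into C:\Windows (emsw.exe) cannot be attributed to any installer. The following is an added example, not code from the post or its author, that applies that same rule mechanically to a before/after file listing so the breakdown in Table 2 can be reproduced from a baseline snapshot; the file paths in BEFORE and AFTER are constructed for illustration.

```python
# Added example: diff two file-system snapshots and group the new files the
# way the post's Table 2 does. Snapshot contents below are constructed.
from pathlib import PureWindowsPath

PROGRAM_FILES = PureWindowsPath(r"C:\Program Files")
SYSTEM_DIRS = [PureWindowsPath(r"C:\Windows"), PureWindowsPath(r"C:\Windows\System")]

# Constructed listing taken before the stub downloader ran.
BEFORE = {
    r"C:\Program Files\Notepad\notepad.exe",
    r"C:\Windows\explorer.exe",
}
# Constructed listing taken after the installers finished.
AFTER = BEFORE | {
    r"C:\Program Files\SysAI\apropos.dll",
    r"C:\Program Files\SysAI\updater.exe",
    r"C:\Program Files\AutoUpdate\autoupdate.exe",
    r"C:\Windows\emsw.exe",             # loose file, like Rads01.Quadrogram
    r"C:\Windows\System\helper.dll",    # loose file in the System directory
}


def classify_new_files(before, after):
    # Rule from the post: each new top-level directory under Program Files is
    # one distinct program, however many executables it holds. Files written
    # straight into C:\Windows or C:\Windows\System get no vendor attribution
    # and are returned separately for manual follow-up (the "??" rows).
    programs = {}       # top-level directory name -> list of new files in it
    unattributed = []   # loose files in system directories
    for raw in sorted(set(after) - set(before)):
        path = PureWindowsPath(raw)
        if PROGRAM_FILES in path.parents:
            top = path.relative_to(PROGRAM_FILES).parts[0]
            programs.setdefault(top, []).append(str(path))
        elif path.parent in SYSTEM_DIRS:
            unattributed.append(str(path))
        else:
            programs.setdefault("<other>", []).append(str(path))
    return programs, unattributed


def summarize(before, after):
    # Render the result as rows resembling Table 2 (company unknown here,
    # since only the file system is consulted, not the EULAs).
    programs, loose = classify_new_files(before, after)
    rows = [f"?? | {name} | {PROGRAM_FILES}\\{name} | ??" for name in sorted(programs)]
    rows += [f"?? | {PureWindowsPath(f).name} | {PureWindowsPath(f).parent}\\ | ??" for f in loose]
    return rows


if __name__ == "__main__":
    print("\n".join(summarize(BEFORE, AFTER)))
```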
juicey69 replied on Sun Jan 03, 2010 6:57 pm

Hey Shamon....

Excellent work man....really good post......It would be really good if you can do a tutorial on RATs as well...