The Federal Trade Commission has pulled the plug on a massive spyware operation that allegedly used Google Inc.s BlogSpot service to trick millions of computer users into downloading spyware and adware programs.
The FTC on Thursday announced a court order to shut down three California-based companies—Enternet Media Inc., Conspy & Co. Inc. and Networld One—that allegedly used free lyric files, browser upgrades and ring tones to push spyware programs on consumers computers.
The charges stem from the discovery earlier this year that Googles BlogSpot service was being used to spread spyware and adware programs such as “Search Miracle,” “Miracle Search,” “EM Toolbar,” “EliteBar,” and “Elite Toolbar.”
According to the FTC complaint, the spyware ring used the iWebTunes Web site to promise free background music on the BlogSpot-hosted sites.
The JavaScript code that was put in the BlogSpot templates also triggered pop-up advertising that flashed warnings to consumers who visited the Weblog sites about the security of their computer systems.
The pop-up warning promised browser upgrades and other PC maintenance software. Instead of getting security software, computer users who clicked on the pop-ups were tricked into downloading spyware programs that only served more pop-up ads, the FTC complaint alleged.
The federal agency said the court also froze the assets of the three outfits pending a further hearing.
The FTC also plans to ask the court to bar the deceptive and unfair practices permanently and require the operators to give up their gains.
“This is a big bust. Enternet media is the company behind one of the most destructive and abusive spyware programs,” said Eric Howes, a renowned anti-spyware researcher who assisted the FTC with the investigations.
“These are guys behind SearchMiracle and EliteBar, two of the nastiest spyware programs. They were also using rootkit technology to hide files and defeat anti-spyware software. Were talking about one of the worst pieces of spyware around,” Howes said in an interview.
Howes provided Ziff Davis Internet News with numerous screenshots of SearchMiracle and EliteBar pop-up advertising and installations, including logs from RootKitRevealer that show the company was hiding .dll files from the Windows API.
Next Page: A significant decision.
A Significant Decision
Howes said the FTC decision to freeze the assets of the three companies (and several individuals named in the suit) was also significant.
“In other cases, FTC went before a judge and simply got a court order. In this case, they really lowered the hammer. They [the FTC] raided the offices of these companies and shut down the whole operation. I think that sends a very, very strong message.”
Mona Spivack, a spokesperson for the Bureau of Consumer Protection, declined to comment on what assets were seized in the raid and whether doors have been locked at the business sites of companies named in the FTC complaint.
She did say that the Bureau will be seeking to prohibit the parties from continuing their practices in the future. Spivack also said the Bureau would seek to have the named parties disgorge profits and to reimburse consumers where appropriate.
The Bureau was tipped off about the alleged spyware ring by consumers, Spivack said.
“Consumers have complained that the software code was interfering with their ability to use their computers,” she said.
“Weve alleged that the software code tracks their online behavior so it interferes with their online privacy. It inserts advertising tool bars and advertising sidebars onto their browser windows. It hijacks their home pages, and it serves them voluminous pop-up advertisements.”
Richard Stiennon, vice president of threat research at Webroot, said the EliteBar spyware program, allegedly created and distributed by Enternet Media, is third on his companys list of top 10 spyware threats.
In an interview, Stiennon said EliteBar is a deceptive piece of adware that generally propagates through innocent-looking dialog boxes, social engineering methods, or through a Java scripting error.
Spyware researcher Ben Edelman, who first blew the whistle on the use of BlogSpot to spread the spyware programs, said the FTCs description of the allegations exactly match his own research findings.
“Of course these blog-delivered ActiveXes are not all Enternet did. Ive also seen and shown EliteBar installed through security exploits, with no notice or consent. I posted one such video way back in November 2004,” Edelman said.
He described the FTC clampdown as “an important development in the fight against spyware and other software trying to seize control of users computers.”
“Enternets unwanted software has been remarkably widespread—installing through a variety of unsavory practices, from security exploits to the blog-delivered ActiveXes to numerous other misleading tricks. And their software causes serious harm to users PCs—installing a variety of advertising software, adding rootkits with serious effects on system reliability, and of course tracking where users go and bombarding them with extra ads,” Edelman said.
He believes the FTC action will serve as a strong warning to other vendors that currently use, or might consider using, similar tactics.
According to the complaint, the defendants software code also tracks consumers Internet comings and goings; changes consumers preferred home page settings; inserts new tool bars onto consumers browsers; inserts a large side “frame” or “window” onto consumers browser windows that in turn displays ads.
The spyware programs also display pop-up ads, even when consumers Internet browsers are not activated.
In addition, the FTC alleges that once the spyware is loaded on consumers computers, it interferes with the functioning of the computer and is difficult for consumers to uninstall or remove.
In addition to the three companies, the FTC also named Lida Rohbani, also known as Linda Rohhani and Lida Hakimi; Nima Hakimi; Baback (Babak) Hakimi, also known as Bobby Rohbani and Bobby Hakimi; as defendants.
The agencys complaint also charges Nicholas C. Albert, doing business as iWebTunes and www.iwebtunes.com, based in Ohio.
Lisa Vaas contributed to this report.