A consumer advocate and advertising software expert claims that a recent update to advertising software from 180Solutions fails to prevent the unauthorized installations it was designed to stop.
Spyware expert Ben Edelman said on Feb. 20 that unscrupulous partners were using security exploits to install 180s Zango software, despite the companys new S3 installer, which was designed to prevent unauthorized installs.
180 said it was the victim of “hacking” and charged Edelman with unethical disclosure of a vulnerability in its products.
The exchange is just the latest salvo in an ongoing war between Edelman, a Harvard University Law School student and advertising software industry gadfly, and 180Solutions, of Bellevue, Wash., which sells and distributes pop-up advertisements through programs like Zango and Seekmo.
180Solutions has a network of partners who get paid to install the programs on Internet users computers.
Edelman and other spyware experts have repeatedly charged 180Solutions with deceptive business practices. Among other things, Edelman said the company has not been forthcoming about the nature of its software in license agreements that users read before agreeing to install the programs.
Edelman also said 180 turned a blind eye to unethical installation practices by its partners. Those methods include so-called “drive-by downloads” that use software security holes to install 180 Software without the users explicit agreement.
180Solutions has taken steps to improve its reputation in recent months. In December, the company announced a new version of its S3 (Safe and Secure Search) technology and said it would stop supporting 180 Search Assistant, which Edelman and others claimed was frequently installed improperly by the companys advertising affiliates.
S3 requires users to view and agree to a 180 license agreement before the companys software is installed on their systems. The software also makes it easier to remove unauthorized downloads and track installation behavior by 180s partners, the company said in a statement.
“The promise of the platform is that thousands of distributors would be unable to cheat 180Solutions and 180 users,” Edelman said.
But the S3 protections are easy to circumvent, and unscrupulous partners have already figured out how to bypass the user acknowledgement step and illegally install 180s software, he said.
Edelman recorded a nonconsensual installation of 180s Zango software, along with a bundle of other advertising software programs on Feb.17. The programs were installed using a “bootloader” program that was installed on a vulnerable Windows system using an exploit of the recent WMF (Windows Meta File) vulnerability.
The attackers bundled the S3 program with another program that acknowledged the 180Solutions license agreement as soon as it appeared on the desktop. The 180Solutions License Agreement is visible on the users screen for a fraction of the second before it disappears and the software is installed, according to a video of the attack captured by Edelman.
Sean Sundwall, a spokesperson for 180Solutions, said the company accepts Edelmans analysis of the illegal install, but takes issue with his disclosure of the attack.
“Responsible disclosure is well-practiced in the security industry. We feel like the way this was handled was far from the best interests of consumers,” he said.
In a news release Feb. 20, 180Solutions said its software was “hacked” by an online publisher who used the name “Sniper84” and that the company had shut down the Web site that was distributing the attack.
180 would have spotted the illegal installs earlier, but lacks an integrated system for monitoring telltale signs of rogue behavior, like an unusually high rate of user acceptance of the 180 software (the rate is typically between 5 and 10 percent), or an unusually rapid consent to the license agreement, Sundwall said.
180Solutions is working to improve its internal monitoring systems and integrate those measurements, he said.
The company will also make changes to address problems in its license agreement raised by Edelman, he said.
Next Page: Policing distributors.
Policing Distributors
A promised version of the license agreement will make it clear that 180 installs pop-up advertising software and changes to the S3 application will enable those who view the agreement to print it out, Sundwall said.
But 180s problems go deeper than license agreements, Edelman said.
The company maintains a long list of distributors, many of them outside of the United States.
In the past, many of those partners have acted unethically, but 180 has not abandoned the affiliate model for distributing its software, or shown a willingness to perform “due diligence” before permitting companies to distribute 180s wares, Edelman said.
“180s problem is that they do business with thousands of different distributors. They could say were only going to do business with companies that are real companies, or only with companies in the United States, or where weve actually met the people personally … But theyre not looking carefully at who these people are,” he said.
Among other things, 180 should look closely at distributors operating out of the former Soviet Union, Africa and other countries with little legal infrastructure for addressing cyber-crime, he said.
Sundwall disputes that argument. He said 180 has culled thousands of distributors from its books, and the company currently uses only around 1,000 partner companies to distribute its wares, down from 7,000 six months ago.
180 will continue to use non-U.S. distributors because they often offer attractive content that draws Internet users, even though 180 values U.S.-based installs over those in Europe or other countries, he said.
However, he said, it is more difficult to vet distributors who are not in the United States.
There is evidence that consumer rights advocates are running out of patience with the companys efforts to reform. In January, the Center for Democracy & Technology filed a compliant with the U.S. Federal Trade Commission about 180s practices, which CDT called “illegal and deceptive.”
Edelman said 180 will have to push the envelope to get people to install its software, because few Internet users would willingly install it.
“If this is such a service, why pay people to put it on [the users] computer?” he asked.
“The reality is these are companies with millions of dollars of assets. This is big money,” he said.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.