Noted adware supplier 180solutions said Thursday that it was the target of an alleged denial-of-service (DoS) extortion attempt by one of its own distributors, a Dutchman who, with help from two others, created a botnet of some 1.5 million machines.
The admission not only revealed some of the behind-the-scenes business that goes on in the adware world, but identified the American company that Dutch law enforcement officials said had been victimized by a trio of men arrested last month.
The three, ages 19, 22, and 27 -- Dutch law prohibits the release of the names of those charged -- allegedly created a massive botnet of some 1.5 million compromised computers, then used that network to spread adware and spyware, and threaten a then-unknown U.S. firm with a DoS attack.
Sean Sundwall, 180solutions' director of communications, confirmed that the Seattle-based marketing firm had been the target of the extortion attempt in early August.
"When we refused to pay the ransom, our ZangoCash.com site was attacked," said Sundwall. "It was offline for a couple of hours, but the impact was minimal. It happened during off-peak hours."
180solutions took the information to the Federal Bureau of Investigation (FBI), which said that the company's efforts resulted in the continued detention of two of the Dutch suspects. "The information provided to us by 180solutions helped ensure the continued detention of the subjects arrested in the Netherlands," said FBI Special Agent in Charge Laura M. Laughlin, of the Seattle office, in a statement Thursday.
Denial-of-service attacks may be rare, but they're not unknown. What's striking about the 180solutions incident is that one of its own distributors was the attacker.
180solutions, like other marketing firms, signs up third-party distributors -- Web site owners for the most part -- to spread its software. Those distributors are paid for each installation of the 180solutions software, which includes a host of programs identified as adware by anti-spyware firms.
"When this guy signed up, he had a gaming site and was delivering [our software] to his customers," explained Sundwall. "But at some point he turned to the dark side, and created or leveraged this botnet and started distributing our software via that means."
When 180solutions noticed that the Dutch distributor was claiming extraordinary numbers of installations, it shut him off from further payments, said Sundwall.
"He amassed a few thousand bucks, that's all," Sundwall said.
The Dutch case isn't the only one in the works, said Sundwall. Other investigations are underway, with more distributors or former distributors suspected of using botnets to spread 180solutions' software in violation of the company's contracts. "We're continuing to work with law enforcement, but the only thing I can say is that some of the cases are domestic." He wouldn't say when the investigations might be revealed, or how many bots were involved.
The use of botnets to spread adware is nothing new, said Richard Stiennon, the director of threat research for Boulder, Colo.-based anti-spyware vendor Webroot. "Botnets are great vehicles for distribution because you can install anything you want, whether it's adware or spyware or other malicious programs."
But the 180solutions scenario, where a distributor turned on its partner, is a new twist, said Stiennon, and shows how easy it is for distributors to circumvent agreements with adware suppliers.
It also demonstrates how companies like 180solutions could be doing more to prevent renegades like the Dutch operation. "180solutions has said it will shut off the money to these types by the end of the year," Stiennon said. "But why don't they shut them off immediately?"
180solutions' Sundwall listed a series of changes that the company has made to its distribution process since June, including after-the-fact notification that it has installed software, and a new rule that forbids third parties from using ActiveX controls to install software via Internet Explorer.
"And as of Jan. 1, 2006, people who don't use our 'Safe and Secure Search' will not be paid, period," Sundwall said. "There will be no money involved in illegally distributing our software." Safe and Secure Search (S3) is 180solutions' name for a technology to prevent the suppression of the notification and consent dialog boxes the company has designed for its Zango Search Assistant and 180search Assistant.
But companies like 180solutions may find it tough to make money as they change their business practices. "I think the days of most adware companies are numbered," said Stiennon. "As they try to go legit, they're just not going to be as profitable as they once were."