McAfee Labs

Adware 2.0 Finds a Distribution Channel

By on Jun 01, 2010

Years ago adware was distributed primarily in two forms.

  • Adware vendors sought out mainstream software vendors to distribute their programs in bundling arrangements. The Adware makers often used a pay-per-install model, paying as much as $1 or more to those responsible for the installation of the ad-delivering components. Often users could opt out of the adware installation.
  • Malware authors abused the pay-per-install model, silently installing adware via drive-by-download exploits, or instructing already infected computers (bots) to install the adware.

The end of an era
Adware maker Direct Revenue profited from questionable business practices that ultimately resulted in a $1.5 million settlement with the FTC. That settlement included a ban on using affiliates that engage in drive-by downloads and other questionable practices. Shortly thereafter Direct Revenue closed shop; the then adware king was dethroned.

Over time other adware vendors closed, including 180Solutions/Zango/Hotbar and Claria.

The programs created by some of these entities were resurrected by Pinball Corp., which acquired Zango’s assets in 2009.

Recently Pinball began engaging in a reverse bundling of sorts. Rather than partnering with commercial vendors looking to participate in ad-supported software, Pinball is going after open source products, but with a twist. Historically users would run an installer for KaZaa, for example, and adware might be bundled within. Pinball is bundling open-source applications such as VLC, Vuze, and Audacity with their adware, such as Hotbar. One example is a file distributed as VLCSetup.exe, which is digitally signed by Pinball. When run, we see the following screen:

The installation screen states “Downloading this version of VLC from Hotbar’s servers also requires installation of the Hotbar software. …”Â  VLC’ is distributed under the GPL V2 license and Pinball Corp. seems to justify the required Hotbar installation under the terms of this license:


“You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.”

Oddly enough the installation screen also states “This distribution of VLC is provided free of charge. …”  I guess there’s free and then there’s “free.”

What the setup program doesn’t tell you is that in addition to installing Hotbar, it also adds Search Toolbar, a program digitally signed by Zugo Ltd. Even if you opt out of installing ShopperReports and Blinkx Video Screensaver, you still end up with Hotbar and Search Toolbar.

I was able to cancel the VLC installation, yet still wound up with Hotbar, making this more of an open-source supported adware, rather than the other way around. I personally object to this installer being promoted as VLCSetup.

Just as they did many years ago, malware authors have exploited this situation. In a raft of viral Facebook applications that spread hyperlinks to “videos,” users are told they need to install this VLCSetup to view the content. This ruse is enabled by Pinball’s installer as well as by their pay-per-install program.

Whenever you want to install an application, you’re best off going to the primary distributor, such as:


  • Uhh the 995 guys have been doing similar things for years, is just a repackaged sourceforge project (pdfcreator) that installs ads on your system to upgrade to their paid version that is still just the repackaged pdfcreator, they even have OpenOffice995 (open office repackage), Zip995 (7-zip), PhotoEdit995 (gimp) and it goes on.

  • I’m glad somebody prominent mentioned these. I managed to take down a site that was doing the exact same thing with Firefox and I’ve had the VLC and Pinball Network on my hitlist.

    Here’s my write-up of the Firefox incident:

    Frankly, I just don’t understand how Pinball has not closed up shop underneath a massive lawsuit.

Leave a Reply

Your email address will not be published. Required fields are marked *