McAfee Labs

Adware 2.0 Finds a Distribution Channel

By on Jun 01, 2010

Years ago adware was distributed primarily in two forms.

  • Adware vendors sought out mainstream software vendors to distribute their programs in bundling arrangements. The Adware makers often used a pay-per-install model, paying as much as $1 or more to those responsible for the installation of the ad-delivering components. Often users could opt out of the adware installation.
  • Malware authors abused the pay-per-install model, silently installing adware via drive-by-download exploits, or instructing already infected computers (bots) to install the adware.

The end of an era
Adware maker Direct Revenue profited from questionable business practices that ultimately resulted in a $1.5 million settlement with the FTC. That settlement included a ban on using affiliates that engage in drive-by downloads and other questionable practices. Shortly thereafter Direct Revenue closed shop; the then adware king was dethroned.

Over time other adware vendors closed, including 180Solutions/Zango/Hotbar and Claria.

The programs created by some of these entities were resurrected by Pinball Corp., which acquired Zango’s assets in 2009.

Recently Pinball began engaging in a reverse bundling of sorts. Rather than partnering with commercial vendors looking to participate in ad-supported software, Pinball is going after open source products, but with a twist. Historically users would run an installer for KaZaa, for example, and adware might be bundled within. Pinball is bundling open-source applications such as VLC, Vuze, and Audacity with their adware, such as Hotbar. One example is a file distributed as VLCSetup.exe, which is digitally signed by Pinball. When run, we see the following screen:

The installation screen states “Downloading this version of VLC from Hotbar’s servers also requires installation of the Hotbar software. …”Â  VLC’ is distributed under the GPL V2 license and Pinball Corp. seems to justify the required Hotbar installation under the terms of this license:


“You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.”

Oddly enough the installation screen also states “This distribution of VLC is provided free of charge. …”  I guess there’s free and then there’s “free.”

What the setup program doesn’t tell you is that in addition to installing Hotbar, it also adds Search Toolbar, a program digitally signed by Zugo Ltd. Even if you opt out of installing ShopperReports and Blinkx Video Screensaver, you still end up with Hotbar and Search Toolbar.

I was able to cancel the VLC installation, yet still wound up with Hotbar, making this more of an open-source supported adware, rather than the other way around. I personally object to this installer being promoted as VLCSetup.

Just as they did many years ago, malware authors have exploited this situation. In a raft of viral Facebook applications that spread hyperlinks to “videos,” users are told they need to install this VLCSetup to view the content. This ruse is enabled by Pinball’s installer as well as by their pay-per-install program.

Whenever you want to install an application, you’re best off going to the primary distributor, such as: