A Revolution is the Solution
My guess for the purpose of the rootkit revealer: inventory control. "Surely the owners are too stupid to bother with using it!"
Ed Hurst | Homepage | 01.07.06 - 12:26 am

Funny how after all the blowhard noises Zango180Delusions made about their new 'affiliate' policing software that no unwanted installs would happen, here we go, right back to square one. Wanna bet they spew much more of the same as before as it relates to the reasons it happened, not to mention the shocking fact they actually happened?
I can see their blog already with all sorts of kudos to PG for finding out and rooting these affiliates out (nudge-nudge-wink-wink, we knew about 'em) so we can kill them off comments.
They suck, and what a way to start off the year; they will once again have their names dragged through the mud like the weights at a mud bog race.
TeMerc | Homepage | 01.07.06 - 1:02 am

Well done.
Excellent information. Your analysis will surely save me days of frustration.
Bill Pytlovany | Homepage | 01.07.06 - 1:10 am

Chris, I just checked our database and we've already seen two cases of palsp.exe this week (none of lockx.exe as far as I can tell). I just added an entry that points to the FaceTime press release for anyone who we find is infected.
Dave | Homepage | 01.07.06 - 4:07 am

Systems all over showing palsp.exe.
Don't these guys ever stop?
What do we have to do, blow up the mainframes till they get the message?
No, I'm not advocating the use of high explosives :-/
Just in case someone gets the wrong idea.....
milligansghost | 01.07.06 - 10:04 am

he's right - never use high explosives. Low ones are much better, they take suckers out at the ankles :P
Paperghost | 01.07.06 - 10:12 am

Btw thanks for keeping an eye out, Dave 
Paperghost | 01.07.06 - 10:13 am

http://www.spywarewarrior.com/vi...pic.php?t=18665
There is only one true solution, and that is to never trust the integrity of a PC; after all, total security cannot be guaranteed by anyone or anything.
Security is an ongoing process and not a constant that can ever be totally achieved.
BOC got p4wn3d recently,bet y' | 01.07.06 - 2:35 pm

Very good find. My money is on the fact that the Rootkit Revealer software is installed only to make the user think that he/she hasn't been infected. The rootkit remover software is most likely hacked to not find any of the rootkits installed. Damn hackers...
Alex Morganis | Homepage | 01.07.06 - 4:00 pm

Start of a new online war, methinks. Bad h4xxors vs. PG backed by millions [milligans? ].
Objective: To outsmart each other
Let the tournament begin...
Whatever happens at tournament, I am sure of-
END RESULT: Another one (sucker) bites the dust!
d2v | 01.07.06 - 5:53 pm

lol, I see PG believes in the Daisycutter method of foistware control.
milligansghost | 01.07.06 - 8:55 pm

We became aware of the situation at about 5pm PST Friday. By 6:20pm PST, we had identified and shut down the distributor responsible for these installs.
1. We can confirm that there were only 64 installs from this now former partner in the last two days combined (January 5th and 6th) that occurred through this worm before we were able to shut down this partner.
2. We can confirm [as shown in Paperghost's blog] that the proper notification screen was shown and that user consent was required prior to our software being downloaded. In other words, NONE of these installs were "silent." They all required user consent.
3. However, as a show of good will, we took the extra step of using our new Closed Loop System technology to message each user who received the 180solutions software via the AIM worm, requiring them to re-opt in to the installation even though proper consent was obtained the first time.
4. The action taken by this distributor was unquestionably against our strict code of conduct and likely illegal given the person was using a worm to push down our software.
5. We would likely have detected this problem even earlier, but because the proper notification screen was shown and consent was required before install, the number of installs he was getting was not out of the ordinary and therefore didn't trigger some of the internal alarms when bad installs happen.
6. This former partner will not receive payment for these installs. There is no financial incentive for partners to act this way.
7. We would also like to thank our friends at FaceTime who were extremely responsive to our requests for additional information. This information helped shorten the time it took us to respond.
8. We are working with federal and international law enforcement to assist them in determining if there is criminal legal action to be taken.
9. We are also considering civil action of our own but our first priority is helping law enforcement to support criminal action.
Even with all the effort and resources we've dedicated in the last 12 months to building more fraud-resistant software and completely dismantling our distribution network, we know, as all software companies do, that nothing is impenetrable. We also know that short of us being the only distributor of our software, something few other software companies do, there will from time to time be those who try and game the system. WhenU, who has the same distribution model as we do yet has only a small number of partners, experienced this very problem only a few weeks ago.
This is a great example of how the changes we've put in place are indeed working. Because of these changes, these installs happened only with proper notice and consent, we knew exactly who was responsible for them and we had the ability to immediately shut them down.
Sean Sundwall | 01.09.06 - 5:27 pm

Truly amazing, best piece of read I've had in quite a while.
Thanks for the good amount of work you and the rest put into this, PG!
tanuki | Homepage | 01.10.06 - 9:47 am

Commenting by HaloScan