Advertising Spyware: Blackstone Data Transponder and its derivatives
It is hard to tell where this piece of spyware originated. It was first seen as Blackstone Data's Transponder, but repackaged versions of the same product are popping up under several different companies. It is currently distributed under these names:
According to the VX2 website:
The software goes along with the user of the software as they are surfing around the web and builds reports on the activity. It is a Browser Helper Object that is distributed with unknown third-party software, including AudioGalaxy Satellite. While the user is browsing the Web, it will pop up advertisements based on what page is being visited, what's being searched for, how quickly the user is surfing, etc. Transponder's ad-displaying algorithm appears to weight the occurrence of ads in such a way that they appear to come from the page(s) being visited.
The software monitors the click stream activity of the consumer and communicates with servers.
The software monitors some activity of the PC and communicates with servers.
For the remainder of this document, the terms "VX2", "Transponder", etc. will be used interchangeably to refer to this class of spyware product.
Since the product is supplied by several companies with minor changes, first you must determine which you are infected with. We strongly recommend using one of these spyware removal tools to remove this parasite, as they can painlessly detect and remove all the known variants. Or, please use one of the links below to jump to the removal procedure for the particular distribution that appears on your system.
VX2 RespondMiter (VX2.dll) (installed by AudioGalaxy, iMesh and others)
Blackstone Data Transponder (IEHelper.dll)
AADCOM: Please follow Transponder instructions.
NetPal
TPS108.DLL
VX2 RespondMiter Removal Procedure
Select VX2 from the Windows Add/Remove Programs dialogue located in Control Panel. Press Add/Remove.
If this entry is not present, do the following:
Easy Way:
replacing C:\Windows\VX2.dll with the path you noted earlier. (You should then see a message window such as "DllUnregisterServer in C:\Windows\VX2.dll succeeded.")
Hard Way: (from VX2 web site)
This is the official uninstall information from the Blackstone docs, with some formatting and grammatical fixups to improve readability. Each step is followed by the expected result.
Step 1: Click "Start" in the task bar, then select "Control Panel".
Expected: the "Control Panel" window is opened.

Step 2: In the "Control Panel" window, select "Add/Remove Programs" and look for "BlackStone".
Expected: "BlackStone" should be found in "Add/Remove Programs".

Step 3: If "BlackStone" is found, select it and click the "Remove" button to remove it.
Expected: "BlackStone" should be removed.

Step 4: If "BlackStone" is not present in "Add/Remove Programs", close any open Web browsers.
Expected: all browsers should be closed.

Step 5: Click "Start", select the Search button and search for "IEHelper.dll" on the C: drive.
Expected: the "IEHelper.dll" file should be found.

Step 6: Delete "IEHelper.dll".
Expected: the "IEHelper.dll" file should be deleted.

Step 7: Click "Start", select the Search button and search for "domlst.cch" on the C: drive.
Expected: the "domlst.cch" file should be found.

Step 8: Delete "domlst.cch".
Expected: "domlst.cch" should be deleted.

Step 9: If the system does not permit the file to be deleted, select "Start", then select "Run", type "regedit" and press "OK".
Expected: a new "Registry Editor" window is opened.

Step 10: In the left side of the Registry Editor, select the key and its subkeys as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
Expected: you should find the "{00000000-5eb9-11d5-9d45-009027c14662}" key.

Step 11: Delete the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662}
Expected: the key is deleted.

Step 12: Reboot the computer. Click "Start", then click "Search". Search for "IEHelper.dll".
Expected: you should be able to find the "IEHelper.dll" file now.

Step 13: Now delete IEHelper.dll.
Expected: "IEHelper.dll" should be deletable now.

Step 14: Reboot the computer now, and search again for "IEHelper.dll".
Expected: you should not be able to find the "IEHelper.dll" file anywhere on your system.

Step 15: Click the Start button on the task bar and click "Run...".
Expected: a Run window is opened at the lower left corner of the desktop.

Step 16: Type "regedit" in the Run window and press "OK".
Expected: a new "Registry Editor" window is opened.

Step 17: Search for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662}. If the key is still found, proceed to the next step.
Expected: you should not find the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662} key.

Step 18: Follow steps 5 through 10.
Expected: this time the uninstall succeeded. It may be a good idea to check by repeating steps 1 through 17.
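The registry part of the procedure above can be checked in one pass on a modern Windows system. The following PowerShell script is an added example (not from the original page, and not Blackstone's or VX2's code): it lists every registered Browser Helper Object, resolves the DLL behind each CLSID, and flags the Transponder CLSID and the VX2.dll / IEHelper.dll / tps108.dll names this page documents. It only reports; the hive paths for 64-bit Windows and the "dangling BHO" heuristic are assumptions of this example.

```powershell
# Added example, not part of the original page: enumerate Browser Helper Objects
# and flag the VX2/Transponder indicators from the removal procedure above.
# Reporting only; run from an elevated PowerShell prompt.
$bhoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$knownClsid = '{00000000-5eb9-11d5-9d45-009027c14662}'   # Transponder BHO key (step 10)
$knownDlls  = @('vx2.dll', 'iehelper.dll', 'tps108.dll')   # DLL names from this page
# Where COM class registrations live; the WOW6432Node path is an assumption for
# 32-bit Internet Explorer on 64-bit Windows.
$clsidHives = @('HKLM:\SOFTWARE\Classes\CLSID',
                'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID')

function Get-BhoReport {
    if (-not (Test-Path -LiteralPath $bhoKey)) {
        Write-Warning 'No Browser Helper Objects key present; nothing is registered.'
        return
    }
    foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
        $clsid  = $sub.PSChildName
        $server = $null
        # A BHO entry is just a CLSID; the DLL implementing it is named under
        # that CLSID's InprocServer32 default value.
        foreach ($hive in $clsidHives) {
            $inproc = Join-Path $hive "$clsid\InprocServer32"
            if (Test-Path -LiteralPath $inproc) {
                $raw    = (Get-ItemProperty -LiteralPath $inproc).'(default)'
                $server = [Environment]::ExpandEnvironmentVariables("$raw")
                break
            }
        }
        $dllName = if ($server) { [IO.Path]::GetFileName($server).ToLowerInvariant() } else { '' }
        $reasons = @()
        if ($clsid -ieq $knownClsid)       { $reasons += 'Transponder CLSID' }
        if ($knownDlls -contains $dllName) { $reasons += "known VX2 DLL name ($dllName)" }
        # A registered BHO whose DLL no longer exists is worth a look too (assumption).
        if ($server -and -not (Test-Path -LiteralPath $server)) {
            $reasons += 'DLL missing on disk (dangling BHO)'
        }
        [PSCustomObject]@{
            CLSID   = $clsid
            Server  = $server
            Suspect = ($reasons.Count -gt 0)
            Reason  = ($reasons -join '; ')
        }
    }
}

Get-BhoReport | Format-Table -AutoSize
```

A row marked Suspect corresponds to the key removed in step 11 (or to the DLL the Easy Way unregisters); confirm the DLL path before deleting anything, since unrelated BHOs also live under this key.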
NetPal Removal Procedure
The NetPalNow site now provides a removal utility for its trash.
Unfortunately, Net Pal seems to really take VX2's capabilities up on the offer of installing more spyware -- whether the removal utility also wipes out the third-party spyware downloaded by NetPal remains to be seen. At the time of this writing, there are several additional components installed [ClickTheButton, yourspecialoffers.com, FavoriteMan, and an unknown start page hijacker], and probably more I don't know about. Also, it is difficult to determine which files and Registry keys belong to which spyware.
There is not a verified removal procedure as of yet. If you are an advanced user, you can try the following and see if it works:
Remove the following Registry entries:
Transponder keys
VX2/Transponder files
This information thanks to Andrew, Jerry, and posts on the Lavasoft forums.
TPS108 Removal Procedure
Easy Way: (follows VX2.DLL removal procedure)
replacing C:\Windows\tps108.dll with the path you noted earlier. (You should then see a message window such as "DllUnregisterServer in C:\Windows\tps108.dll succeeded.")
Delete tps108.dll
Hard Way: (from their Web site)
To remove TPS108:
If TPS108 is not present:
If the system does not permit the file to be deleted, proceed as follows:
The software covertly collects all sorts of information about your Web surfing habits, including lists of Web sites you visit (and even sites you've visited before installing their software), any terms you enter into a search engine, and contents of online forms--including "secure" forms using SSL encryption(!). The company has the audacity to claim that this is done "in order to save you the time and trouble of submitting such information to us yourself". It also stores cookies to persistently identify you across sessions.
The software collects and transmits your full name and e-mail address as used by the Outlook mail client. It also transmits back a laundry list of information about your system, which is described in more detail below. Finally, the software transmits details about your interaction with the software.
The software also includes an auto-update capability with the stated purpose of updating not only the VX2 spyware itself, but also installing additional third-party programs, including additional spyware.
Information Gathered by Transponder
Upon its first load, VX2.dll will look for a file in your Windows directory called oeminfo.ini. If present, this file contains information about your computer provided by the OEM--who you bought it from, serial #/etc., processor and configuration, tech support info, and maybe your name. (IIRC, this information is displayed if you go to Start > Settings > Control Panel > System and view the first tab.) More information about the oeminfo.ini file is available here.
Transponder then connects to sputnik.vx2.cc and transmits data. The information transmitted includes, but is not limited to, the following:
On first connection, or when triggered remotely:
Intermittently during normal Web browsing:
A stated purpose of the information Transponder gathers is to send direct mail (a.k.a. spam), possibly with the help of NetGeo (see later). I am guessing this to mean Outlook users (or former Outlook users) will get more spam thanks to this spyware.
In the Privacy Policy, VX2 asserts "We have undertaken technical measures to make sure that VX2 never collects credit card numbers, account numbers or passwords." Examining the spyware's source code (more on that later as well), the "technical measures" are the following:
Portions from the VX2 Privacy Policy as of 10/21/01:
"VX2’s software collects and transmits to VX2’s servers the URLs of the Web pages visited on your browser. URLs are the addresses of the web pages that your browser visits (http://www.VX2.com, for example). The VX2 software collects and maintains information on both current and historical browsing. VX2 will use this information to build a summary of your interests and general web trends."
Some other portions are of interest:
"VX2’s software also collects some information from online forms that you fill out. This information is automatically sent to VX2 in order to save you the time and trouble of submitting such information to us yourself. We have undertaken technical measures to make sure that VX2 never collects credit card numbers, account numbers or passwords. If such data were, despite VX2’s best efforts, ever inadvertently collected VX2 would immediately purge such information from its database.
VX2’s software also collects the query terms entered into search engines. VX2 uses this information to help generate a more complete summary of its users' interests and general internet trends.
When you install VX2’s software, it collects several bits of information about the configuration of your computer. This information includes information about the computer's hardware configuration, such as the amount of free space on your hard drive, and software configuration, such as the version of the operating system. These examples are representative, and the specific information collected may vary from time to time. This information is used to determine whether the VX2 software is compatible with your computer. It may also be used to help generate a more complete summary of your interests when appropriate.
It is possible that, in some instances, the operation of certain third party websites may result in some personal information being included in URL data, which can result in that data being captured in the course of the normal operation of the VX2 software. Such instances are rare and are the result of poor security practices by these third party websites. In the unlikely instance that such information is captured, it may be stored in our database, but it will not be used or disclosed in any manner inconsistent with our Privacy Policy.
Occasionally, VX2 may collect information about your interaction with the VX2 software. This may include information such as how often users use the software. This information is used to access the effectiveness of our products and services. It may be shared with VX2’s partners for the purpose of evaluating the success of marketing programs.
The VX2 software and cookies: The VX2 software uses cookies to identify itself to the VX2 server. The cookie maintains a unique anonymous id for you as a user. We use this information to allow you to opt out of the VX2 service if you so choose. It is also used to organize the information in our database and help our artificial intelligence algorithms to discern the various preferences and interests of each user."
"From time to time, VX2 may decide to update its software in order for it to work at its peak performance. Upgrades may include third party applications. Certain third party applications may have to be installed in order for the software to work properly. VX2 users are not responsible for these additions and/or updates, they will be done automatically in the background while you are surfing the web in order to cause the least amount of inconvenience to our users as possible."
- This gives the company carte blanche to install other software on your PC, including additional third-party spyware.
Suffice it to say that I would not trust these fools with my grocery list. Those who have already been had by this spyware should be concerned about Blackstone's security practices (or lack thereof) as they pertain to users' personal information.
Much of the information you see below was gathered thanks to bad password security and generally bumbling idiocy on the part of your friendly neighbourhood spyware company. (We did not "hack" into their systems; they gave out their (un-changed software default) admin password complete with detailed online explaining how to log into the administration system :) I stumbled on them when they came up in Google's search results. If you've ever wanted a sneak peek inside a spyware company, take the .
For a period of a little over a week, Blackstone Data Transponder infectees may have seen this ad campaign, inserted into Blackstone's lineup by my fictional cohort, Jane Morgandorfer. (Think it may have had something to do with Blackstone changing their passwords? :) I deactivated the ad campaign when it caused the load on my server to suddenly quadruple, jumping from about 45k requests/day at that time to 170k. Apparently, Transponder infections are more widespread than I had previously thought.
This graphic, found on a Blackstone cohort's server, appears to give a detailed description of how Transponder works. Beware: apparently, the same idiots who run the Blackstone servers also did the graphic--much of the text is scrunched and very hard to read! The line "Periodic export to warehouse for mining & Direct mail" I found particularly unnerving.
Other in-the-clear files included keyword-hierarchy listings, code signers and what appear to be certificates and private keys (.spc, .pbk, .pvk).
Another anti-spyware advocate wandering Blackstone's unsecured servers obtained the complete c++ source code of the application. This has been very helpful in determining the software's capabilities and possible security concerns.
The newest incarnation, TPS108, was recently discovered among Blackstone's files. Some mild digging leads to an interesting find :)
Suspected Supporters
Transponder Technology
I'm not suggesting ANY guilt on the part of the makers of these third-party tools used by AADCOM/Blackstone/etc. They are general-purpose software that has no apparent connection to these creepy scum.
Ad campaign insertion, management and billing are handled by OASIS (Open-source Ad Serving and Inventory System): http://oasis.sourceforge.net/
Communicating with Sputnik (VX2, yadayada) is done via Java servlets at transctl*.blackstonedata.net and transctl*.vx2.cc, which are for all intents and purposes the same server (e.g. accessing a bogus file on blackstonedata.net, *.vx2.cc is listed on the 404 error page). The servlets are run with Caucho Technologies' Resin 2.0.2 software: http://www.caucho.com/
The data for OASIS and other things is stored in an SQL database, periodically exported to Mindset Interactive and NetGeo.
Whois Data (further evidence that many of these companies are in fact one and the same)
blackstonedata.com
Registrant: Blackstone Data Corporation (BLACKSTONEDATA-DOM)
PO Box 27103 C/o VX2 Corporation
Las Vegas, NV 89126
US
VX2.cc
Registrant: vx2 (VX52-DOM)
po box 27103
Las Vegas, NV 89126
US
Both list a Hotmail address as their admin, tech. and billing contact.
aadcom.com
Registrant: AADCOM (AADCOM2-DOM)
34700 Pacific Coast Hwy
Capistrano Beach, CA 92624
US
Admin., etc. contact is at internettechcorp.com
Transponder Advertisers
These advertisers are currently listed as active in Blackstone's system. However, some of them are test entries and many have invalid billing addresses. A number of these are listed as having unpaid invoices. (Maybe has something to do with the invalid billing addys? :)
AADcom.com | Ad Power Zone | alinq.com | alinq468 | ARS |
Barnes And Noble (test) | Bettergolf | Bid Clix | Casino | CasinoOnNet |
Civil War Facts Inc (test) | creditcardmenu | CyberErotica | Fast Cash | Feature Price |
HomeGain | JDR Media | kentucky | Lending Universe | LowerMyBills |
Magellan | Magellan: Team Nova & Trim Life | Mindset Opt-In / Opt-Out | MyInk.com | New York Times (test) |
NextCard | No Credit Card Needed | OASIS | OptionHotline | Orbitz |
Playsys | PriceQuotes | Pyramid Casino | Shockwave Marketing | SlickStreet |
Steve Smith | Test Advertiser | TEST PYRAMIDCASINO | The Baby Outlet | Traffix |
TranzAct Media | X10.com | Zmedia |
Windows Failure issue associated with Transponder
It has been reported to me that a number of users have experienced complete failure of MSIE and Windows Explorer as a result of infection by the Transponder parasite. The common symptoms are that Internet Explorer will not start at all (nothing happens), and trying to restart Windows Explorer only repaints the existing desktop. One such occurrence is reported on a Windows 2000 system. The symptoms cleared up once Transponder/VX2 was removed.
Links
Transponder AdWare Program (Guest)
Information about Transponder (and derivatives)
SpywareInfo: Aadcom
and.doxdesk.com Parasite Detection Script - Alerts you if you have VX2, Toptext, etc. parasites installed!
BHO Cop - Hypnos' article on thehun.net walks you through using BHO Cop to remove Transponder.
Transponder Video from Hypnos - An informative video showing the Transponder parasite in action on an infected system. Note: In the video are pictures of "adult" popup ads--as always, view at your own discretion.
VX2 Homepage - some mentions of what it does and removal info.
Credits
Blackstone Data Transponder was and continues to be among the most difficult pieces of spyware to research. This would not be possible without the huge amounts of help and information provided by Robert (dualsmp), Dingo (SpywareInfo), Andrew (and.doxdesk.com) and others, as well as the grc.spyware community. A big thanks to everyone! If there is anyone I have forgotten, please let me know!
"All trademarks are hereby acknowledged as the property of their respective owners." So don't even THINK about suing me :)