Dutch regulator slaps spyware purveyors with €1m fine
Millions of PCs infected
Telecoms watchdog OPTA has fined three Dutch firms and their two directors a total of €1m for the illegal distribution of spyware.
It is the first time OPTA has imposed fines for spreading malicious Trojans, and has been called "one of the biggest cases of illegal software crime", by the regulator.
In 2005, the two unnamed businessmen distributed software called DollarRevenue among millions of internet users. Approximately 450 million software files were installed on 22 million computers in the Netherlands and abroad.
The adware application silently downloaded advertising software and installed it to the computer without the user's knowledge. DollarRevenue was also bundled with some ad-supported products and was extremely difficult to remove.
The software was also directly linked to certain botnet attacks, with over 7,700 machines hacked within 24 hours.
DollarRevenue was popular for its high payouts to affiliates on a pay per install basis. It paid 30 cents per install in the USA, 20 cents per install in Canada, 10 cents in the UK, one cent in China, and .02 cents in other countries. OPTA estimates that the trio of companies grossed more than €1m.
Although the directors deny any wrongdoing, OPTA believes the companies deliberately contacted hackers and cybercriminals, often after learning about them on the web. Its biggest partner became InfraDollars.biz, a Russian gang which at one point offered websites $0.06 for each machine they infected with adware and spyware.
You can find the judgement, in Dutch, here®
To some of us the concept of a registry seems unneccesary to begin with...
...and there's almost certainly software (oooo, can't think of *any*) that can remove malicious registry entries far more reliably and quickly than any human can even find them ;)
Will Blake> Just for accuracy this is actually "iframedollars"
Presumably that's what they're trying to refer to. (I can find no record of 'infradollars' ever having existed.)
However, although CWS.IframeDollars were a big DR installer (they were affiliate 1030), the exploit group associated most strongly with DollarRevenue was CWS.VladZone. They went as far as hosting their worse installs at VladZone servers under the DR name.
Alan Donaly> I don't recall meeting this one
You would have met the things it then went on to install. Whilst DR did have their own spyware, their primary tactic was installing other people's for cash.
> On the other hand trojans you never really get rid of you have to reinstall.
And DR have bundled exactly those kinds of trojans (rootkits etc.).
In any case, unless you're a security expert (and sometimes even then) you're not going to be able to detect the stealthier malware, so you must assume the machine is still compromised and re-install.
Russian Business Network (RBN)
Just for accuracy this is actually "iframedollars" - at last good to see RBN affiliates getting nailed for their antics.
By the way, still active after a few deceptive moves by the RBN, most recent write up is here
Update as of today "iframedollars" still active and based on Hostfresh and myrdns.com (AKA Atrivo), same source as the Bank of India hack and others.....