Adware ploy dupes IMers with bin Laden 'news'

A Trojan horse program uses bogus news of the al-Qaida leader's capture to get AOL Instant Messeger users to open a program that installs adware called BuddyLinks on the victim's PC.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
Beware of instant messages bearing news of Osama bin Laden's capture.

Several victims told CNET News.com on Wednesday that a new Trojan horse advertising program, called BuddyLinks, masquerades as a news Web site with a story on the al-Qaida leader's capture in an attempt to fool users of America Online's instant-messaging program into downloading software and receiving advertising.

Although the software has some of the properties of an Internet worm, the program has been classified by security software company Symantec as a lesser form of an irritant known as adware. BuddyLinks doesn't qualify as malicious, because it doesn't delete anything and can be easily uninstalled, said Steve Trilling, senior director of research for Symantec.

"In many cases, the difference between malware (malicious software such as viruses and worms) and software is how aware you are of what the program is doing," Trilling said. Many security products--including several from Symantec--will block programs that have been deemed to be adware or spyware, depending on the user's settings.

Spyware and adware have become irritations to Internet users. Almost 1,300 adware program were released on the Internet last year, according to security software firm PestPatrol.

The application sends an IM to every person on an America Online user's buddy list and includes a link to a fake TV news Web site. A dialog box then asks if the user wants to install a "news player." However, the program instead plays a simple animated game, reconfigures AOL's instant messenger to receive advertising and once again sends a link to the fake news Web site to everyone on the new victim's buddy list.

The spread of the software between IM users has angered America Online, which could sue the creator of the program, AOL spokesman Andrew Weinstein said.

"We are strongly opposed to this piece of adware," Weinstein said. "It's a particularly slimy piece of software, and we are looking into legal and/or technical steps we can take to prevent this from affecting our users."

The online giant's instant-messaging network has an acceptable-use policy that prohibits sending spam to its users, he added. America Online is also readying a new version of its software that has built-in protections against adware and spyware.

BuddyLinks and its parent, PSD Tools, did not respond repeated requests from CNET News.com for comment.

A site that explains what the surreptitious program does and how to uninstall it stated that the author had received complaints but that the program is legitimate.

"Please understand, our flash games are in no way a virus," the BuddyLinks site stated. "We simply combine peer-to-peer, social networking, and instant messaging into one spectacular technology."

The site also uses social engineering. The link sent in IM is prefaced with "check this out," and the site is designed to look like a TV station's Web site. Victims miss the light gray text at the bottom of the page that announces "Note: This is not an actual news story. This is the prologue to a Flash video game."

Although the program doesn't require someone to click on a license agreement to install the software, the Web site has a link to a "Terms and Privacy Policy" that states what the program does.

The power of such licenses to transform a viral program into a legal--albeit questionable--application has some legal experts worried that future Internet attackers could get protection by using one of the software industry's best weapons: the "click wrap" license.

People who have accidentally installed the program can uninstall the software using Windows' "Add/Remove Program" feature, found in the control panel.