<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-8360598400836626614</id><updated>2011-07-07T18:41:27.729-07:00</updated><title type='text'>Attack of the Hack!</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://attackofthehack.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8360598400836626614/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://attackofthehack.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>0bit</name><uri>http://www.blogger.com/profile/01625936274350681874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>1</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-8360598400836626614.post-1860453671628103683</id><published>2009-03-30T22:53:00.000-07:00</published><updated>2009-03-31T01:07:33.740-07:00</updated><title type='text'>A Huge Pile of Scams</title><content type='html'>&lt;span style="font-weight: bold; color: rgb(255, 255, 255);"&gt;THE "TOO LONG; DIDN'T READ" VERSION:&lt;/span&gt;&lt;span style="color: rgb(255, 255, 255);"&gt; &lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(255, 255, 255);"&gt;Accidentally installed a trojan that brought 
spyware/adware/malware to my machine and plastered Ask.com toolbars everywhere. Upon further investigation I was able to track down who was hosting the malware, a Mr. Nir Halowani, where he was hosting it, &lt;/span&gt;&lt;a style="font-weight: bold; color: rgb(204, 204, 255);" href="http://www.godaddy.com/"&gt;GoDaddy.com&lt;/a&gt;&lt;span style="font-weight: bold; color: rgb(255, 255, 255);"&gt;, that he's getting paid for it all by &lt;/span&gt;&lt;a style="font-weight: bold; color: rgb(255, 255, 255);" href="http://www.ask.com/"&gt;&lt;span style="color: rgb(204, 204, 255);"&gt;Ask.com&lt;/span&gt; &lt;/a&gt;&lt;span style="font-weight: bold; color: rgb(255, 255, 255);"&gt;with the similar ad referral IDs of &lt;/span&gt;&lt;span style="color: rgb(255, 255, 255); font-weight: bold;"&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;101866&lt;/span&gt; and &lt;span style="color: rgb(255, 0, 0);"&gt;101863&lt;/span&gt;&lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(255, 255, 255);"&gt;, and that he's been involved in software fraud in the past. Mr. Halowani is the CTO of a company called Infima Technologies from Israel. I would hope that GoDaddy and Ask.com would investigate further if they don't want to be associated with illegal activity like this.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The other day I noticed &lt;a href="http://www.ask.com/"&gt;Ask.com&lt;/a&gt; toolbars appearing both in Mozilla Firefox and Internet Explorer on my Windows machine. Since I exclusively use Google as my search provider and avoid Ask.com like the plague, I knew immediately that something was up. On &lt;a href="http://www.clamwin.com/"&gt;ClamWin&lt;/a&gt;, on &lt;a href="http://www.safer-networking.org/"&gt;Spybot Search+Destroy&lt;/a&gt;! On &lt;a href="http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html"&gt;HijackThis&lt;/a&gt; to the rescue!&lt;br /&gt;&lt;br /&gt;Spybot simply returned a few harmless tracking cookies as it always does. 
At least it tried, and I appreciate the effort! Next up was ClamWin, which, upon scanning my system's memory for running processes, immediately notified me that a trojan downloader was running, with its source at C:\Users\&amp;lt;username&amp;gt;\AppData\Local\TempImages\sys13.exe. The trojan was described as "Trojan.Downloader-68888". Not very descriptive, but upon further Googling I learned that it is used to download yet more malware and invite it to the party. In the same directory were the following files: "ask.bmp", "AskInstallChecker.exe", "askSBarSetup-4.1.0.5.exe", "askToolbarInstaller-1.3.1.0.exe", "skasetup-122-SkapPAP.exe", the infamous "sys13.exe", and "VerChecker.exe". I have struck upon gold!&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_8xucdZcP-z8/SdHJBiUxIeI/AAAAAAAAAAM/P5DlU2G2aKc/s1600-h/asshole1.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 240px;" src="http://3.bp.blogspot.com/_8xucdZcP-z8/SdHJBiUxIeI/AAAAAAAAAAM/P5DlU2G2aKc/s320/asshole1.png" alt="" id="BLOGGER_PHOTO_ID_5319253663132230114" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So I found the source of the Ask.com infestation and could easily remove the toolbar, wipe the virus, and go about my happy day. But nope, that wouldn't be satisfying enough. Some person had the nerve to infect my computer with malware and plaster Ask.com everywhere without my permission, and I wasn't about to let that just pass. To start with, I ran the "provided" uninstallers for the Ask.com toolbar and this other sneaky program called SeekApp. 
I figured the sys13.exe file might be the key to finding out exactly how I got infected, so I opened it up with the handy &lt;a href="http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm"&gt;XVI32&lt;/a&gt; hex editor for Windows to dig around and see if I could find any URLs it was phoning to bring the rest of the party guests in.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_8xucdZcP-z8/SdHJmJtNI6I/AAAAAAAAAAk/JAFYTlJVBfA/s1600-h/asshole2.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 199px;" src="http://1.bp.blogspot.com/_8xucdZcP-z8/SdHJmJtNI6I/AAAAAAAAAAk/JAFYTlJVBfA/s400/asshole2.png" alt="" id="BLOGGER_PHOTO_ID_5319254292179002274" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I used the search function to find any plaintext references to "http", because really, what other protocol would you use? First hit is good, sinks the Battleship, etc. It refers to a site called SpeedApps with an ad referral URL. No surprise there. Let's hop over to SpeedApps.com and see what they have. A bunch of free applications on a badly designed website; it looks like prime territory for some malware. I scroll down the list of 'useful' applications like USB PC Locker and some screen recorder, and there it is, the random app I foolishly decided to install the other day, "Desktop Switcher". This is how I got infected. Stupid mistake, I know.&lt;br /&gt;&lt;br /&gt;So an app from SpeedApps.com infected me with malware/adware/everythingware. Who might be responsible for this super useful site? I hop over to the domain &lt;a href="http://whois.domaintools.com/"&gt;WhoIs tool at DomainTools.com&lt;/a&gt;. 
They give me this:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_8xucdZcP-z8/SdHJP_5GkRI/AAAAAAAAAAU/rk-TVgQWOkY/s1600-h/asshole4.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 384px; height: 400px;" src="http://1.bp.blogspot.com/_8xucdZcP-z8/SdHJP_5GkRI/AAAAAAAAAAU/rk-TVgQWOkY/s400/asshole4.png" alt="" id="BLOGGER_PHOTO_ID_5319253911587426578" border="0" /&gt;&lt;/a&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_8xucdZcP-z8/SdHJX7vLgYI/AAAAAAAAAAc/ATTp7EtxwlU/s1600-h/asshole5.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 292px;" src="http://2.bp.blogspot.com/_8xucdZcP-z8/SdHJX7vLgYI/AAAAAAAAAAc/ATTp7EtxwlU/s400/asshole5.png" alt="" id="BLOGGER_PHOTO_ID_5319254047911018882" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;A Mr. Nir Halowani, of Holon, Israel. It seems &lt;a href="http://www.godaddy.com/"&gt;GoDaddy&lt;/a&gt; was nice enough to host the site and domain for him. So what else has Mr. Halowani been up to on these grand interwebs? Third result on Google: "&lt;span style="text-decoration: underline;"&gt;Infima - The best executed compression fraud&lt;/span&gt;". Looks like Mr. Halowani has been involved in some other software tomfoolery. 
He was the founder of a new 'company' called Infima that promised the newest and most advanced audio compression around, which was later revealed to be a cobbled-together mess of stolen third-party software that didn't even work.&lt;br /&gt;&lt;br /&gt;Here are a few links for further reading:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.hydrogenaudio.org/forums/index.php?showtopic=43311&amp;amp;mode=threaded&amp;amp;pid=379250"&gt;http://www.hydrogenaudio.org/forums/index.php?showtopic=43311&amp;amp;mode=threaded&amp;amp;pid=379250&lt;/a&gt;&lt;br /&gt;&lt;a href="http://sourceforge.net/forum/forum.php?forum_id=849469"&gt;http://sourceforge.net/forum/forum.php?forum_id=849469&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The second link is pretty telling:&lt;br /&gt;&lt;br /&gt;Thanks to one of the users I've found out that FreeMeter code was stolen... mr. Nir Halowani violated GPL by putting modified version of FreeMeter called Cyber Bandwith Monitor. Not so long ago his modified version was distributed with key logger... Now it is installing Yahoo toolbar without your permission (it is very sad that a company like Yahoo! doesn't know that it is doing business with thieves).&lt;br /&gt;&lt;br /&gt;So this isn't the first time he's been involved with installing malware on unwitting victims and stealing other people's programs to insert his own adware into. It's pretty obvious that this is the same Mr. Halowani that runs SpeedApps.com.&lt;br /&gt;&lt;br /&gt;Just out of curiosity I dug around the URL found in the trojan .exe file, which goes to the ad referral page on the SpeedApps site, www.speedapps.com/adspace_bc_1.asp. Upon viewing the source I found an iframe for another URL, /Seek&lt;span style="font-weight: bold; color: rgb(255, 0, 0);"&gt;Ask&lt;/span&gt;SearchRef.htm. Hey! That couldn't be the same Ask.com crap that ended up on my machine, could it? 
Over to that .htm page, and I get redirected to an Ask search page, www.ask.com/web?qsrc=0&amp;amp;o=&lt;span style="color: rgb(255, 102, 102);"&gt;101866&lt;/span&gt;&amp;amp;l=dis&amp;amp;q=Football%20Conference. The 101866 must be Mr. Halowani's referrer ID, i.e. how Ask.com determines who sent them the traffic so they can pay that person. A similar referrer ID showed up in my Internet Explorer home page after the Ask.com toolbar was installed on my machine: "ask.com/?o=&lt;span style="color: rgb(255, 102, 102);"&gt;101863&lt;/span&gt;&amp;amp;l=dis". Not the same one exactly, but three numbers apart? Perhaps he has multiple accounts? That sounds like the sneaky Mr. Halowani I know!&lt;br /&gt;&lt;br /&gt;So in conclusion, I stupidly installed a random app off the internet (let that be a lesson to all of you) and got infected with malware, but upon further investigation was able to track down the likely culprit, Mr. Halowani, along with his contact details and previous exploits. I would urge &lt;a href="http://www.godaddy.com/"&gt;GoDaddy.com&lt;/a&gt; to investigate how their hosting is being used to distribute malware and viruses, and to decide whether they'd like to be seen as a safe haven for that kind of stuff; meanwhile &lt;a href="http://www.ask.com/"&gt;Ask.com&lt;/a&gt; is somehow paying this virus peddler money to do his thing. I would hope both companies would investigate how they are being associated with software theft and viruses.&lt;br /&gt;&lt;br /&gt;In addition, after googling the contact number from the domain whois records, I uncovered another site that Mr. Halowani runs, app-zilla.com, with the same whois records and all. 
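&lt;br /&gt;&lt;br /&gt;Both hands-on steps above, trawling the dropper for plaintext "http" strings in a hex editor and reading the o= parameter out of the Ask.com URLs, can be scripted so the comparison is repeatable. The Python below is an added example for this post, not the author's code and nothing from SpeedApps or Ask.com. The byte blob it scans is constructed for the demo: only the host names, the dropped file names and the two IDs come from the post, the junk bytes around them are made up, and nothing here is a real sample. Treating o= as an affiliate ID is the post's inference from the observed redirects, not documented Ask.com behaviour.

```python
"""Extract URLs from a dropper's bytes and compare Ask.com referral IDs.

Added example for this post, not the author's code. It scripts the two manual
steps described above: searching the binary for plaintext "http" strings (the
hex-editor step) and reading the "o=" parameter out of the Ask.com URLs.
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for sys13.exe. Only the host names, file names and the
# two IDs come from the post; the surrounding bytes are made up for the demo.
# \x26 is the ampersand in the query strings.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8\x00"
    b"http://www.speedapps.com/adspace_bc_1.asp\x00\x00\x00\x7f\x01\x02"
    b"ask.bmp\x00AskInstallChecker.exe\x00\x05\x05"
    b"http://www.ask.com/web?qsrc=0\x26o=101866\x26l=dis\x26q=Football%20Conference"
    b"\x00\x00VerChecker.exe\x00"
)

# What the toolbar left as the Internet Explorer home page (from the post).
HOMEPAGE_URL = "http://www.ask.com/?o=101863\x26l=dis"

PRINTABLE = range(0x20, 0x7F)  # printable ASCII, space through tilde
URL_RE = re.compile(r"https?://[\x21-\x7e]+")


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII at least min_len long, like Unix strings(1)."""
    found: List[str] = []
    run = bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def find_urls(blob: bytes) -> List[str]:
    """Plaintext URLs in file order, deduplicated. Empty for a packed binary."""
    urls: List[str] = []
    for s in extract_strings(blob):
        for match in URL_RE.finditer(s):
            if match.group(0) not in urls:
                urls.append(match.group(0))
    return urls


def ask_referral_id(url: str) -> Optional[str]:
    """The 'o=' parameter of an Ask.com URL, or None for anything else.

    The post reads o= as the affiliate account that gets paid for the traffic;
    that is an inference from the observed URLs, not documented behaviour.
    """
    parts = urlparse(url)
    host = parts.hostname or ""
    if host != "ask.com" and not host.endswith(".ask.com"):
        return None
    values = parse_qs(parts.query).get("o")
    return values[0] if values else None


def referral_ids(urls: Iterable[str]) -> Dict[str, str]:
    """Map each Ask.com URL to the referral ID it credits."""
    ids: Dict[str, str] = {}
    for url in urls:
        rid = ask_referral_id(url)
        if rid is not None:
            ids[url] = rid
    return ids


def ids_within(ids: Iterable[str], max_gap: int) -> bool:
    """True if all IDs fall inside a span of max_gap: the 'three numbers apart'
    observation, which points to one operator holding adjacent accounts."""
    nums = sorted(int(i) for i in ids)
    return len(nums) >= 1 and max_gap >= nums[-1] - nums[0]


def analyze(blob: bytes, homepage_url: str, max_gap: int = 10) -> dict:
    """Tie the dropper's embedded redirect to the hijacked browser home page."""
    urls = find_urls(blob)
    ids = referral_ids(urls + [homepage_url])
    return {
        "urls": urls,
        "referral_ids": sorted(set(ids.values())),
        "likely_same_operator": ids_within(ids.values(), max_gap),
    }


if __name__ == "__main__":
    for url in find_urls(SAMPLE_BLOB):
        print(url, "->", ask_referral_id(url))
    print(analyze(SAMPLE_BLOB, HOMEPAGE_URL))
```

Run it against a copy of the suspect file on an isolated machine and never execute the sample itself; string extraction is read-only. An empty URL list does not mean the file is clean: a packed or encrypted dropper keeps its URLs out of plaintext until it runs, and the in-memory scan ClamWin did is then the better place to look.&lt;br /&gt;&lt;br /&gt;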
The site looks to be very similar to Speedapps.com and I would suspect the same kind of crap is going on there with malware disguised as useful applications.&lt;br /&gt;&lt;br /&gt;If anyone has any more useful info feel free to leave it in the comment section below.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Here's a compilation of the information I was able to gather about the whole ordeal:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;SpeedApps Whois Record:&lt;br /&gt;Nir Halowani&lt;br /&gt;serelin 18&lt;br /&gt;holon, holon 58279&lt;br /&gt;Israel&lt;br /&gt;972544397622&lt;br /&gt;&lt;br /&gt;App-zilla Whois Record:&lt;br /&gt;Nir Halowani&lt;br /&gt;Serlin 18&lt;br /&gt;Holon, N/A 58279&lt;br /&gt;Israel&lt;br /&gt;972544397622&lt;br /&gt;&lt;br /&gt;http://whois.domaintools.com/app-zilla.com&lt;br /&gt;http://whois.domaintools.com/speedapps.com&lt;br /&gt;&lt;a href="http://compression-links.info/User/49"&gt;&lt;br /&gt;Nir Halowani's editor profile on Compression Links&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.linkedin.com/pub/0/876/324"&gt;Nir Halowani's LinkedIn profile&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.ivc-online.com/G_info.asp?objectType=9&amp;amp;fObjectID=17595&amp;amp;CameFrom=GoogleSearch&amp;amp;utm_source=google&amp;amp;utm_medium=google_pages&amp;amp;utm_campaign=google_pages"&gt;Nir Halowani's profile on Israel Venture Capital Research Center&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;His malware infected apps are also &lt;a href="http://download.cnet.com/1770-20_4-0.html?query=speedapps&amp;amp;tag=srch&amp;amp;searchtype=downloads&amp;amp;filterName=platform%3DWindows&amp;amp;filter=platform%3DWindows"&gt;featured &lt;/a&gt;on &lt;a href="http://www.download.com/"&gt;Download.com&lt;/a&gt; &lt;a href="http://download.cnet.com/1770-20_4-0.html?query=speedapps&amp;amp;tag=srch&amp;amp;searchtype=downloads&amp;amp;filterName=platform%3DWindows&amp;amp;filter=platform%3DWindows"&gt;here&lt;/a&gt; presumably pulled from 
Speedapps.com&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Other Links:&lt;br /&gt;&lt;/span&gt;&lt;a href="http://infrarecorder.org/?p=31"&gt;Blog post on the official site of InfraRecorder detailing Mr. Halowani violating the GPL licence by using a modified version of InfraRecorder on App-zilla.com&lt;/a&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="https://www.donationcoder.com/Forums/bb/index.php?action=printpage;topic=11947.0"&gt;&lt;span&gt;Another instance of Halowani violating the GPL with a modified version of Prompt Uninstaller on SpeedApps.com&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.hydrogenaudio.org/forums/index.php?showtopic=43311&amp;amp;st=25"&gt;A huge thread at hydrogenaudio.org where Mr. Halowani first tried to scam people with a new audio compression tool&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.myinfima.com/"&gt;Website for Infima Technologies&lt;/a&gt;&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://attackofthehack.blogspot.com/feeds/1860453671628103683/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://attackofthehack.blogspot.com/2009/03/huge-pile-of-scams.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8360598400836626614/posts/default/1860453671628103683'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8360598400836626614/posts/default/1860453671628103683'/><link rel='alternate' type='text/html' href='http://attackofthehack.blogspot.com/2009/03/huge-pile-of-scams.html' title='A Huge Pile of 
Scams'/><author><name>0bit</name><uri>http://www.blogger.com/profile/01625936274350681874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_8xucdZcP-z8/SdHJBiUxIeI/AAAAAAAAAAM/P5DlU2G2aKc/s72-c/asshole1.png' height='72' width='72'/><thr:total>4</thr:total></entry></feed>
