Forgot your password?
typodupeerror
America Online Privacy Your Rights Online

Buddylinks Stinks 63

Posted by timothy
from the hey-scummy dept.
Omie TheNull writes "After recieving several messages over AIM with the content: "check this out... http://www.wgutv.com/osama_capture.php?HlvU", I went to the page and discovered that it is sponsored by a site called "BuddyLinks." Their website is at http://www.buddylinks.net and they claim that they are NOT a virus. However, when you visit their links and install their "player" it seems that you are also installing software that takes control of your AIM buddy list and sends advertisments to those on your buddy list. The advertisements are obviously designed to look like innocent messages from your buddies asking you to check out certain links. Very scummy, indeed."
This discussion has been archived. No new comments can be posted.

Buddylinks Stinks

Comments Filter:
  • by gl4ss (559668) on Wednesday February 11, 2004 @02:00PM (#8250675) Homepage Journal
    it says there very clearly that "soon your instant messaging software will start sending your friends funny news messages like this".

    tell your friend that he is an asshole if he uses this.

    "3. Open the prize - your friends will love the prize they receive in their funny news message. it might be a game or a funny flash cartoon"

    yeah i'd really love that.

    4. no need to send any new messages when everybodys ignoring you.
    • Looks like you took care of that by giving them a good slashdotting. Good work!
    • "3. Open the prize - your friends will love the prize they receive in their funny news message. it might be a game or a funny flash cartoon"

      So basically Buddylinks is doing what real people have been doing for ages. Specifically, an aquaintance or friend decides to add your email to their address book, and forwards every piece of crap - virus hoaxes/jokes etc to everyone in their book. Yes, why, thank you vague aquaintance - I really did enjoy that list of hugely stupid jokes you sent me. The repeated qu

  • by GTRacer (234395) <.gtracer308. .at. .yahoo.com.> on Wednesday February 11, 2004 @02:02PM (#8250695) Homepage Journal
    ...Only because there are FAR too many people who just don't understand that there are people on the Internet with ulterior motives. I don't want to generalize, but I bet the kind of person easily swayed in this manner is also the telemarketer's best friend.

    The more this type of "attack" keeps happening, the more I wonder if there shouldn't be a license or minimum firewall requirement to get on the 'Net.

    Maybe we have to start teaching "Safe Surfing" along with Safe Sex in the teen years.

    GTRacer
    - speechless

    • by Anonymous Coward
      >>Maybe we have to start teaching "Safe Surfing" along with Safe Sex in the teen years.

      Just abstain from surfing

      Johnny "Come on, just touch it"
      Jill "I don't know Johnny, I told my parents I'd wait until I was married"
      Johnny "It won't hurt you, just give it a try"
      Jill "Are they all this hard and small?"
      Johnny "You mean you've never seen a mouse before!"
    • This has nothing to do with firewalls. All traffic is going through legitimate programs -- AIM/IE. As a matter of fact, firewalls can make these problems worse, since legitimate people try to tunnel more crap through things like IE requests to avoid having their program set of alarms, etc.

      Personal firewalls are, frankly, the worst thing to hit the Net sinc AOL.

      It *would* be interesting to sandbox programs that can use the Internet to some degree. This cannot be done on Windows anytime soon (thanks, IE)
      • Personal firewalls are, frankly, the worst thing to hit the Net...

        I didn't mean personal software-based FW's. I know that Norton and ZoneAlarm can be tricked, bypassed, or even easily misused to give a false sense of security.

        And I know that most of this stuff works by hijacking or piggybacking legitimate port use. I was meaning something along the lines of an agressive, separate piece of FW hardware that would limit port 80 traffic to HTTP under most circumstances, and restrict Active and JavaScript u

        • I'm dubious as to whether this sort of approach would block the buddylinks worm -- the usage is not that excessive or unusual.

          If you have application-level analysis at your firewall, you're talking about more money and maintenance and issues that will crop up. And you want to maintain fairly loose bounds on "legitimate" activity, or else you get false positives for evil activity.

          Advances in FW tech have surely made such a thing possible. I doubt that the average home user needs much more than HTTP and S
  • by orthogonal (588627) on Wednesday February 11, 2004 @02:03PM (#8250709) Journal
    However, when you visit their links and install their "player" it seems that you are also installing software that takes control of your AIM buddy list and sends advertisments to those on your buddy list. The advertisements are obviously designed to look like innocent messages from your buddies asking you to check out certain links. Very scummy, indeed.

    What's worse, in an effort to drive traffic to their site, their software hijacks your Slashdot login, forges complaints about their software, and submits those complaints to Slashdot as articles and comments.

    You can distinguish their forged posts because invariably the last three words of any forged post are "Very scummy, indeed".

    Very scummy, indeed.

    • godamn it, now that virus has infected my sid and is now getting me to post a follow up to your thread ...

      Very scummy, very scummy indeed.
  • by the Man in Black (102634) <jasonrashaad.gmail@com> on Wednesday February 11, 2004 @02:06PM (#8250749) Homepage
    My favorite part of this claptrap [buddylinks.net]. To wit: No, our software doesn't PERSONALLY sell your information and the information of everyone on your buddy list. We're merely a conduit for third-parties to do so, and to give us bags of cash for facilitating it. Do you like my hat? It's made of MONEY.
  • by Hollinger (16202) <michael&hollinger,net> on Wednesday February 11, 2004 @02:07PM (#8250764) Homepage Journal
    Here's a copy of what the messages look like:
    InfectedUser (12:30:45 AM): check this out... http://www.wgutv.com/osama_capture.php?hAsH
    I'm wondering what that little hash code on the end is...

    I haven't personally installed that crud, but I'm wondering if SpyBot (google for it) detects it. I clicked around the site, and, to be honest, it looks like they're setting themselves up for a huge "p2p" (I hate buzzwords) marketing push. I'm going to guess that this "jokes and pranks" business will come to an end when they have a sufficent install base, after which they'll start pushing the next new wave of spam for Viagra, Mortgages, Porn, or *checks his SpamNet folder* Internet gambling on you.

    Here's a snippet from the license agreement with my emphasis:
    Services; Modifications to Your Instant Messaging Client. The Software provides you the opportunity to access Content for no charge. In return for the right to access this Content, you acknowledge and agree that the Software contains additional software products provided to PSD Tools by its suppliers which will periodically deliver additional Content such as, but not limited to, advertisements and promotional messages to your Computer and programs that may alter your home page to offer you Content. In addition, the Software will interoperate with your current instant messaging client so as to permit the automatic sending of advertising messages originating from your Computer to your contact or "buddy" list regarding Content offered by PSD Tools or its suppliers. If you desire to stop this activity, you may elect to stop the messages by navigating to the "buddylinks.net" entry in your "Start Menu", selecting the "buddylinks.net Configuration" item, and unchecking the appropriate option. You may also refer to PSD Tools' website at http://www.psdtools.com for an uninstaller. (http://www.buddylinks.net/terms.html)
    • by Hollinger (16202) <michael&hollinger,net> on Wednesday February 11, 2004 @02:10PM (#8250814) Homepage Journal
      Got a little click-happy with the submit button...

      You also agree to: (from the same URL as the parent post)
      Updates to Software. The Software includes an automatic update feature to ensure that you have the most recently released version. You acknowledge and agree that PSD Tools or third parties designated by PSD Tools may from time to time provide automatic programming fixes, updates and upgrades to the Software (collectively, the "Updates"). Updates may include installation of third party applications, through automatic electronic dissemination and other means. You consent to such Updates and agree that the terms and conditions of this Agreement will apply to all such Updates. If you should elect not to have your software updated at any future time, PSD Tools shall not be responsible for any incompatibilities that may arise on your system and Computer.

      Oh, and I forgot to mention that the uninstaller is available at http://www.buddylinks.net/uninstaller.exe [buddylinks.net].

      Good day!
      Mike
      • Yeah, if you're on Windows and you catch it, "Buddylinks Messaging Integration" can be removed via add/remove. Don't know if that's better or worse than the uninstaller. However I'd recommend also going into the registry to check for/remove references to "trickler" and Gator.com. I found them as well on the pc I was working on. Could be coincidental but FYI, YMMV, RTFM, RDA (random disclaimer acronym) etc...
      • great...now spammers are gunna get ahold of these and install their own software. Hope they use decent authentication or something.
    • Spybot doesn't pick this up... yet.
  • Be careful out there (Score:3, Interesting)

    by Rick the Red (307103) <Rick.The.Red@gmail. c o m> on Wednesday February 11, 2004 @02:08PM (#8250782) Journal
    The way to avoid worms, viruses, etc. is to apply some common sense and be careful. For example, never open email attachments when you don't know who sent them.

    Another example, which applies here, is to avoid certain software. The "A" in "AIM" stands for AOL; therefore, I've never installed AIM and thus I avoid this latest marketing ploy.

    Similarly, the "Windows" in "Windows Messenger" stands for Microsoft Windows, so I disabled it. Yes, I run Windows (because I can't avoid it for a variety of reasons), but I only run it behind an OpenBSD firewall, and I also run ZoneAlarm and Norton Anti-Virus. As Gene Simmons says, if it's raining wear a raincoat.

    Mod this "flamebait" if you must, but you know I'm right.

    • I've installed an AIM client, but I don't tend to make friends with abject morons, so I have avoided this latest marketing ploy.
    • How is this AOL's fault ? It seems that buddylinks is just exploiting their client (or some Windows vulnerability) to send viruses to people. I don't blame McDonalds for making me fat, and I don't blame AOL for making me install other people's backdoors.

      Note that it doesn't matter how evil McDonalds or AOL are; some things just aren't their fault. They're the user's fault.

    • This is just the same stuff they tell Windows-users everyday and it's not quite correct.

      Actually, that "never open email attachments from someone you don't know" is a myth to a great extent. If you're in someone's address book, possibly your best friend, and they get a worm, you'll be on it's hit list.

      No, the way to avoid worms and virii is to not use Windows with the ineternet. Believe me, I used Windows for 2 years, and no matter how careful I was, it had a virus or worm almost once every month, not t

  • by KDan (90353)
    What, and you're surprised? That's expected of that type of scum. Hardly worth mentioning on Slashdot... there are probably a hundred other companies doing the same scummy thing all over the net. This one's not any more or less worthy of notice.

    Daniel
    • But this particular one is spreading rather quickly. Heck, I got a link for one of those earlier, and was thinking it was a virus.
    • Like Windows? What I want to know is where I find 'Windows' in the Add/Remove Programs dialog. No wonder people call it a monopoly, you can't uninstall it!
  • That'll be up to the law to decide I guess.
  • Even though it is obvious what they are from their front page, they look bad for spamming your friends, you look bad for trusting obvious slime, and your friends look bad for including you on their list.

    It's one big disfunctional love-triangle.

  • by monkeyserver.com (311067) on Wednesday February 11, 2004 @02:53PM (#8251381) Homepage Journal
    Some one at work clicked one of those links (it throws a link in your profile) and her machine was infected. It altered her ie's homepage, and it made it constantly write the page it was viewing to some temp dir. It also installed about 5 other progs. We tried to remove it, first with windows... no good it reinstalled itself,. Then we tried the uninstaller, well that got some of it, but there were still a good few side affects.

    MY DEAR LORD!! stay away from these sleezballs, they make bonzia buddy look like a good idea. If anyone is deserving of a serious slashdotting it is them.
    • If anyone is deserving of a serious slashdotting it is them.


      well, a few things:
      a) I'm sure that they expect to get a good psudo-slashdotting (not from slashdot, but from the virus/worm/etc)

      b) It'll just push the number of hits they get up higher, making it seem like they are being more successful that they really are which will make them do this kind of thing more often

      and c) when does anyone deserve a good slashdotting?
  • It's NOT a virus. (Score:2, Informative)

    by Matchstick (94940)
    It's a trojan!
  • I've heard (Score:5, Funny)

    by TheOnlyCoolTim (264997) <<tim.bolbrock> <at> <verizon.net>> on Wednesday February 11, 2004 @03:31PM (#8251813)
    The phone number on the WHOIS for wgutv.com will connect you to the guy who wrote the virus... Use this for good, not for evil.

    Tim
    • Re:I've heard (Score:3, Informative)

      by 0x0d0a (568518)
      Unlikely. The whois information for wgutv.com refers to a register.com administrator...unless this was intended to be a joke and just went over my head. :-(
  • Oh my god! (Score:4, Funny)

    by jarran (91204) on Wednesday February 11, 2004 @03:33PM (#8251825)
    You mean, you downloaded a program being advertised by spam and it was crap?! My god, d'ya reckon it's a one off or should I cancel my penis enlarger and v1agra?
  • I got the message from a friend last night thru AIM on my laptop at work. I never got any sort of IE message about installing software - nothing, nil, notta. Looked like a dead link. Now, today, on a totally separate computer, I'm sending AIM messages to everyone in my list. I have NO IDEA how (1) it was installed on my laptop without the pop-up message / approval and (2) how it made it to my home machine (thru AIM?). Also note, contrary to other posts, that this is not removed by using control panel add/
    • One of my friends got it, and according to them, they were never presented with a yes/no box. However, I was presented with a yes/no box when I clicked the link. I was up-to-date on my IE patches but my friend was not. Was your machine up-to-date on IE patches? It's possible the the virus spreads through an IE hole as well.
    • If you don't have security settings on IE set properly, it might not question the install.

      That is, you wouldn't HAVE to get the message for it to have installed.

      Bizarre that it's on another computer, though.

  • technically, would it be a worm? ;)
  • by Anonymous Coward
    ..and you had to post the same scummy links on Slashdot. Perhaps 40% of the thousands of viewers will click the links just to see if they hold any information.

    How much they're paying you per visits? Was it _you_ that authored the scummy-links?
  • Are all these sites down, or is my university blocking them on the router level?
  • by 0x0d0a (568518) on Thursday February 12, 2004 @02:34AM (#8255936) Journal
    You can stress-test their system by running the following script:

    cat /usr/share/dict/words| perl -pe 'system("curl http://www.buddylinks.net/support.php?sn=$_");' >/dev/null

    This will start removing everyone in their database, and will also eat cycles on their system.
    • ...if you're a clever perlmaster, and can come up with a short way to synthesize usernames other than just using the entries in the system wordlist, feel free to post it.
    • by DrSkwid (118965)
      why not use a decent shell like rc [le.ac.uk] ?

      for (w in `{cat /usr/share/dict/words})
      curl 'http://www.buddylinks.net/support.php?sn=' ^$w > /dev/null

      • Because bash/zsh are everywhere, and rc is as scarce as hen's teeth -- and I have to use other systems than my own.

        It's just as easy in sh:

        for w in `cat /usr/share/dict/words`; do curl http://www.buddylinks.net/support.php?sn=$w >/dev/null; done
        • Also, I went through a ton of shells back in the day to find one to settle on -- doesn't rc lack job control? I consider that a pretty mandatory feature...
        • Because bash/zsh are everywhere

          That's odd, perhaps you mean 'Because bash/zsh are in GNUserland'

          'cause they sure as shit aint in *BSD or Unix by default or plan9 by design

          So is it rare as in 'you can download bash, zsh and rc if you want and use them'?

          Thanks for the sh example, I knew it would be in other shells but when perl is your hammer you'd better watch your fingers ;)

  • by 0x0d0a (568518) on Thursday February 12, 2004 @09:57AM (#8257371) Journal
    Let's take a brief look at these folks:

    $ host buddylinks.net
    buddylinks.net has address 63.251.131.235
    $ whois 63.251.131.235
    [Querying whois.arin.net]
    [whois.arin.net]
    Internap Network Services NETBLK-PNAP-11-99 (NET-63-251-0-0-1)
    63.251.0.0 - 63.251.255.255
    ClickSpring LLC INAP-BSN-CLICKSPRING-0041 (NET-63-251-131-232-1)
    63.251.131.232 - 63.251.131.239

    # ARIN WHOIS database, last updated 2004-02-11 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    Googling for clickspring llc turns up a number of hits. Apparently, ClickSpring has been in the business of writing advertising worms and trojans commercially for some time now. They are responsible for PurityScan as well as some other nasties out there.

    Normally I wouldn't care -- another Windows virus -- but now I'm getting masses of useless messages from infected friends.

    Obviously, nobody has bothered to charge ClickSpring with computer crime charges, which is quite frusterating.
  • http://www.cnn.com/2004/TECH/internet/02/11/instan tmessenger.ad.ap/index.html Looks like even the AV companies might be blocking it soon. -Shadowkat
  • Anybody who has to make it clear that, whatever they are, they're not a virus, is somebody that I'm gonna be very worried about installing their software.

We want to create puppets that pull their own strings. - Ann Marion

Working...