Christopher Boyd (IT security): Difference between revisions

Christopher Boyd, better known as his online pseudonym Paperghost, is webmaster of computer security organization Vitalsecurity.org, a Microsoft Security MVP, and Director of Malware Research for security company FaceTime.

Originating from Liverpool, England, Boyd studied an Honours Degree in Fine Art, working in film, paint and music.

Computer Security

At some point in 2001, Boyd changed direction professionally and threw himself into the study of Spyware, Adware and Malware.

In July 2004, he relaunched Vitalsecurity.org (he was a staff writer for Vitalsecurity.net in 2000-2001) and he has been instrumental in uncovering and bringing to the public attention issues of privacy and spyware.

In November 2004, a modular hacking technique was employed to compromise windows end-users by hacking Apache servers.^[1] When hacked, the servers would redirect a user on any of the server's websites, leading them to a set of ever-changing infection pages. These pages employed recoded viruses, trojans, malware and spyware. This technique is used heavily today by the groups behind CWS.

The idea that alternative browsers such as Opera and Firefox could somehow enhance end-user security was cut down in March 2005^[2] with the discovery of a Java applet that, if agreed to, would install a large (and varied) adware bundle onto the end-users PC.It was found that having the "rogue" site in the user's blocklists and security tools would do nothing, the install bypassing these tactics completely if the end-user clicked "Yes". An updated Firefox .XPI installer (which infected Internet Explorer) was also deployed in some of these installs.

BitTorrent Controversy

In June 2005, it was discovered that more and more Adware makers were turning to alternative sources for their installs, as more end-users become clued up on common install tactics.^[3] A reliance on crude social engineering and P2P systems that were previously clean was now on the rise. Boyd discovered that BitTorrent forums and file-sharing sites were used as a major source of distribution for Aurora (a program produced by Direct Revenue) and a number of other major adware programs, wrapped up in bundles produced by a company (MMG) who lost control of their own network.^[4] Potentially copyright infringing files, illegal pornography and incorrect / absent disclosure was exposed on such a scale as to cause the companies involved (direct revenue, 180 solutions and others) to publicly declare their discontinuation of these methods.

This story caused such an uproar that numerous media pundits weighed in, and (in some cases) made a delicate situation worse. An article by John C Dvorak of PCMag.com alleged Boyd was part of some "Grand Microsoft Conspiracy" to bad-mouth BitTorrent to the benefit of their planned P2P tool, Avalanche.^[5] Furious P2P users (who were not familiar with the backstory of the investigation) even went as far to say Boyd was in league with the RIAA, out to create further problems for file-sharers by bringing these bundles to light. However - Dvorak's piece caused something approaching outrage on the other side of the fence, leading a fellow Ziff Davis Media Publication to go head to head with Dvorak.^[6] Dave Methvin of PC Pitstop followed up the investigation with his findings.^[7] He alleges that some of the films distributed contained potentially illegal underage pornography, and not long after, MMG went offline and the Adware companies all pulled out of this particular distribution.

Fake Google Toolbar

In October 2005, Boyd discovered a "fake" Google Toolbar which was being distributed via Instant Messaging.^[8] The toolbar allowed the user to store credit card details, and also opened up a fake Google search page. Boyd also tracked the toolbar back to 2003, through three different versions, each one exploiting vulnerabilities in the Windows operating system.

Instant Messaging Rootkit

In October / November 2005, Boyd discovered what is considered to be the first known instance of a Rootkit being distributed via Instant Messaging, hidden inside a large payload of Adware and Spyware.^[9] Over a period of months, the group behind the attacks distributed numerous inventive payloads (such as a forced install of BitTorrent^[10] to spread movie files) and were eventually traced back to the Middle-East.

Adware Critic

Boyd is a notoriously fierce critic of Adware companies, famously causing 180 Solutions to label him a "fanatic" on their Weblog, with bad feeling in evidence on both sides to this day.^[11] He is regularly referenced on other leading Antispyware sites such as Sunbelt Blog, Suzi Turner's ZDNet blog and Ben Edelman's home page.

Media Appearances

Boyd makes regular appearances in the media, and has featured on The David Lawrence Show, BBC Radio 5 and in printed magazines such as ITWeek and SCMagazine. He has also spoken at conferences such as the Antispyware Coalition Workshop in Washington D.C., and his site has been known to create a "Mini-Slashdot" effect on sites he has linked to, due to the traffic he himself generates - besides "regular" visitors, he makes frequent appearances on sites that generate large syndication such as Slashdot and Digg.com.

Security Discoveries

In 2006, Boyd has continued to make significant discoveries in the field of security, including

• The discovery of a 150,000 strong Botnet ring that used a custom-built PERL script to steal payment data from third party shopping cart applications^[12]
• An expose of a web-browser that redirected end-users to potentially illegal pornography^[13]
• An Instant Messaging Worm that installs its own web browser.^[14]
• The discovery that Adware makers Zango were promoting their content on Myspace.^[15]
• A modular, multi-chained string of infections dubbed the "Pipeline Worm".^[16]
• An Instant Messaging infection that uses Botnet-style tactics to enable clickfraud.^[17]
• The discovery of a worm using Quicktime files to spread across MySpace with the intent of pushing Zango Adware.^[18]

External links

• Vitalsecurity.org
• Chris Boyd's Microsoft Valued Professional Profile
• Technical report on hacking Apache servers
• Information on hacking Apache servers from SANS.org
• Detailed rundown of an updated version of the Java install
• Sunbelt Blog
• Suzi Turner's ZDNet blog
• Ben Edelman's home page
• The David Lawrence Show
• ITWeek
• SCMagazine
• Antispyware Coalition Workshop Feb 2006

References

1. http://www.theregister.co.uk/2004/11/22/apache_hijack_serves_iframe_exploit/
2. http://www.eweek.com/article2/0,1759,1776347,00.asp
3. http://www.eweek.com/article2/0,1759,1828633,00.asp
4. http://www.vitalsecurity.org/2005/06/aurora-install-source-revealed-and-175.html
5. http://www.pcmag.com/article2/0,1759,1829724,00.asp
6. http://www.eweek.com/article2/0,1759,1831018,00.asp
7. http://www.pcpitstop.com/spycheck/badtorrent.asp
8. http://www.eweek.com/article2/0,1895,1867739,00.asp
9. http://www.eweek.com/article2/0,1895,1888714,00.asp
10. http://www.eweek.com/article2/0,1759,1904429,00.asp
11. http://blog.180solutions.com/PermaLink,guid,0b685813-78a3-4c82-a565-7afc5df011f8.aspx
12. http://www.techweb.com/wire/security/183700661;jsessionid=E1NJFH4BLNDQSQSNDBCCKH0CJUMEKJVN
13. http://www.vitalsecurity.org/2006/04/yapbrowser-serves-up-zango-andchild.html
14. http://www.techworld.com/security/news/index.cfm?newsID=6056&pagtype=all
15. http://www.informationweek.com/news/showArticle.jhtml?articleID=191600169&subSection=Breaking+News
16. http://www.techweb.com/wire/security/193002424
17. http://www.securitypronews.com/insiderreports/insider/spn-49-20061004BotnetTacticsEnableClickFraud.html
18. http://www.infoworld.com/article/06/12/04/HNmyspaceworm_1.html