Garry Pejski did some penance yesterday. In a room full of his peers, he admitted something that he was ashamed of. He told the crowd of hackers and security researchers at the Defcon security conference in Las Vegas that he once wrote spyware, or software that spies on people and tricks them into doing things.

Living in Toronto, the 31-year-old has since reformed and now writes custom software and tests security for power plants. But his time spent as a spyware developer in 2004 has haunted him for years. His tale is a cautionary one for young hackers, and it offers a rare glimpse inside the shadowy world of spyware, a massive underground industry which dances on the edge of legality. (See our roundup of all Black Hat and Defcon stories)

Six years ago, Pejski was an unemployed programmer living in Vancouver.

“I was broke,” he said. “My money was running out. I was getting a bit desperate. I had no security technology background. I was just a developer.”

Pejski had a two-year technical degree and a bartending certificate, so he wasn’t in high demand. On Craigslist, he found a listing for a job as a programmer. He applied and did an interview on a Thursday. His boss, a 19-year-old kid, told him to start working the following Monday. Pejski seemed to know the most about programming, so he was appointed lead programmer on a team of five people. The kid was paid by somebody else to run this shady business, which actually had pretty nice offices. Before, the kid had been using an outsourced programming team in India, but it didn’t work out. There was a falling out, Pejski found out later, because the kid never paid the team in India for the code they created.

That’s why the local Canadian team was put together. They were told to build spyware. Pejski didn’t know anything about it, but he joined a security email group and read up on the subject by doing Google searches. He found that it didn’t take much skill. They created a spyware program that tricked people into clicking on a link, which would then initiate the installation of a software program on the user’s computer. That software gave Pejski’s team the power to take over the machine. Pejski’s software could change the home page of the computer, modify the search provider, initiate pop-up ads, and install new programs. Pejski (pictured below) declined to name the company he worked for or his boss.

How the spyware worked

The big task at hand was to get the spyware installed on a computer so that the user or protection software wouldn’t notice it. The spyware server software ran on servers in Russia. The Russians guaranteed that no one would ever succeed in shutting down their servers, and that turned out to be true. Technically, Pejski’s team programmed in Visual C++ and created ways to hide their files from users who would go searching through their computer hard drives. The spyware software could be installed by exploiting a bug in a file that was associated with the Windows Media Player. That bug persisted for years until it was fixed in the middle of 2004. The bug allowed the spyware to remotely take control of a user’s machine and pretty much do whatever it wanted to do. The spy program was hidden in an IFrame, or a microscopic box that was invisible to the human eye.

“Basically, we owned your machine if you got hit with the spyware,” he said.

Once it popped up on a user’s screen, the spyware was hard to evade. When a user clicked on an ad that advertised it, a pop-up screen would appear, advertising a “browser enhancer.” The box explained, “Congratulations! You have been awarded a browser enhancer” that would provide considerable amounts of software “free of charge.” There was a link on the page to about 20 pages of terms of service. That link is what Pejski’s boss said kept the whole thing legal. It disclosed in fine print everything it would do. That was the legal escape valve. If the spyware company were ever questioned in court, it could say that it told users everything that it was going to do to their machines. Pejski didn’t bother finding out the truth about the legality of the spyware and the disclosure statement at the time.

“This wasn’t hard at all,” Pejski said. “All you needed was no conscience. The business attracted the worst scum bags.”

Pejski’s boss told him that the software was legal. Users saw a page that looked like a pitch for free software. If they clicked on the “X” before unchecking a question box, the software would install anyway. If they unchecked the question box and then clicked on the X, the software would still install. Only if the user clicked on the left side of the box and unchecked the question box would it fail to install. Every time the pop-up appeared, it pretty much led to the installation of the software.

On the server side, Pejski could see reports of how fast the spyware was spreading on a daily basis. Pejski’s team had experimented with antivirus software at the time. If the spyware program had remained unchanged each time it was installed on a user’s machine, antivirus software would catch it. But Pejski got around that by making each software installation unique. The software, for instance, created random filenames on the computer as it installed itself. No malware protection software was able to detect it. There were other tricks that Pejski’s team used, but he chose not to share them with the Defcon crowd. Pejski doesn’t know if today’s antivirus software is smart enough to catch such morphing programs. The antivirus vendors themselves say they can catch them; one technique that works well is “whitelisting,” where users are allowed to visit only pre-approved clean sites. If they click on spyware, they are warned of a problem; Microsoft’s Windows 7 has such warnings in place, though they’re not particularly easy to use.
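The paragraph above describes the gap between what signature scanners of the time matched on and what the spyware changed per install (random filenames), and mentions whitelisting as the alternative. The following Python is an added illustration written for this page; it is not Pejski's code, his team's code, or any antivirus vendor's engine. The file bytes, filenames, and the hostname `c2.spyware-update.invalid` are all constructed, and the three detection layers (filename blocklist, content-hash blocklist, stable-content pattern) plus the host allowlist are simplified stand-ins for how real products work.

```python
"""Layered detection versus per-install "uniqueness" (constructed example)."""
import hashlib
import re
from urllib.parse import urlparse

# --- Constructed sample files: every byte here is invented for illustration ---
# A marker that a polymorphic installer cannot easily change: the server it must
# contact. The hostname uses the reserved .invalid TLD and is not a real domain.
STABLE_MARKER = b"c2.spyware-update.invalid"
ORIGINAL = b"MZ\x90\x00BrowserEnhancer v1 " + STABLE_MARKER + b"\x00" * 16

SAMPLE_FILES = {
    "browser_enhancer.exe": ORIGINAL,                # copy as first shipped
    "k3j4h5g6.exe": ORIGINAL,                        # same bytes, random filename
    "p0q9w8e7.exe": ORIGINAL + b"\x7f\x11",          # random filename plus junk bytes
    "notepad.exe": b"MZ\x90\x00Notepad benign editor\x00",  # benign control file
}

# Layer 1: a filename blocklist, the most brittle kind of signature.
FILENAME_BLOCKLIST = {"browser_enhancer.exe"}
# Layer 2: a hash of the sample as first seen; defeated by any byte-level change.
HASH_BLOCKLIST = {hashlib.sha256(ORIGINAL).hexdigest()}
# Layer 3: a content pattern on something the installer needs to keep working.
CONTENT_PATTERNS = [re.compile(re.escape(STABLE_MARKER))]


def flag_by_filename(name: str) -> bool:
    return name.lower() in FILENAME_BLOCKLIST


def flag_by_hash(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in HASH_BLOCKLIST


def flag_by_pattern(data: bytes) -> bool:
    return any(p.search(data) for p in CONTENT_PATTERNS)


def scan(files: dict) -> dict:
    """Return {filename: set of layer names that flagged the file}."""
    results = {}
    for name, data in files.items():
        hits = set()
        if flag_by_filename(name):
            hits.add("filename")
        if flag_by_hash(data):
            hits.add("hash")
        if flag_by_pattern(data):
            hits.add("pattern")
        results[name] = hits
    return results


# Whitelisting as described in the article: only pre-approved hosts may be visited.
ALLOWED_HOSTS = {"example.com", "www.example.com"}  # constructed allowlist


def url_allowed(url: str, allowlist=ALLOWED_HOSTS) -> bool:
    """True only when the URL's host is on the allowlist (default-deny)."""
    host = (urlparse(url).hostname or "").lower()
    return host in allowlist


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_FILES).items():
        print(f"{name:22s} flagged by: {sorted(hits) or 'nothing'}")
    for url in ("https://www.example.com/page", "http://c2.spyware-update.invalid/x"):
        print(f"{url:40s} allowed={url_allowed(url)}")
```

Running it shows the three outcomes the article implies: the renamed copy slips past the filename list but not the hash, the copy with a couple of extra bytes slips past both but still matches the pattern on the server name it must contact, and the benign file matches nothing. The allowlist check is default-deny, which is the property that makes whitelisting effective and also the reason it restricts what users can visit.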

A money-making scam

Pejski’s boss and his boss’s boss had a scheme to make a big pile of money through “affiliate hijacking.” This was an abuse of affiliate referral programs run by companies such as Amazon.com. The spyware would redirect the user to a web site that was selling something. If the user clicked and bought something, then the seller kicked back some money to the referring site, which was the spyware program. If you were a fan of Twilight, for instance, you would click on “buy Twilight merchandise” and the site gets credited for a sale. There were hundreds of different affiliate sales deals.

Thanks to its deceptive trickery, the spyware software was installed on more than 12 million machines. But the affiliate deals led to not a single dime of revenue. The anti-fraud departments of the merchandise sellers were on to the spyware vendors. While the sellers made money from all of the referrals, they refused to pay any money to the spyware companies that made those sales possible.

“They took the consumers’ money, but weren’t willing to pay the scam artists who made the deals happen,” Pejski said.

As a result, the company started running dry on money. But Pejski’s boss made a lot of money. That was because the scam that worked was “pay per install.” That was a deal where companies paid the spyware company 10 cents for every program that it succeeded in installing. So something like 20 software programs were installed on a machine every time the spyware itself was installed. Sometimes, the spyware creators got so greedy that they would install tons of software that completely bogged a computer down.

The installations were comic. There might be a bunch of search toolbars installed, each affiliated with a different advertiser. The software programs would try to uninstall rival software. Some would even install antivirus programs that deleted everything else except the spyware. The customers who paid the spyware company per install would pay for about 60 percent of the installs. Based on 12 million installations, with about 20 programs, and payment of 10 cents each for 60 percent of the installs, Pejski calculates that someone made $14.4 million from the spyware installs, which happened in a relatively short period of time.

Somebody got rich off of this kind of scam. But it wasn’t Pejski. One day, on a pay day, Pejski’s boss didn’t show up at work. The company shut down. Apparently, the boss had gambled the money away and never paid the programming team again. Pejski still needed work, so he went to work doing the same thing for the boss’s boss. The other programmers went off to start their own company. Pejski worked on his own, putting in 80 hours a week. He made enough money to get started on a search for a real job.

The hard lessons of creating spyware

The problem was that, once he had a little money in his pocket, Pejski had a conscience.

“I like to be able to sleep at night,” he said. “This stuff we were doing goes on grandma’s computer and victimizes her. The reason I am giving this talk is to say that it is not worth compromising your ethics for money. I was broke. I knew it was wrong. It was just not worth it.”

He made the switch to working on legitimate software. On his resume, he put down that, at this time during his career, he was doing “contract work.” Pejski said that during the whole time the spyware company operated, it was never threatened with prosecution. He is now a consultant and programmer.

Pejski said he isn’t sure how to put an end to spyware. He isn’t confident that antivirus software will be able to purge the ever-evolving spyware programs and other malware. He believes whitelisting will help, but that limits what kinds of sites users can visit. For neophyte users who aren’t technical, that might be acceptable.

As he closed his speech, Pejski got a huge round of applause. Though he was nervous, Pejski held the crowd spellbound. Defcon was a good place for Pejski to tell that story, since it is full of impressionable young hackers who want to make a name for themselves. To make sure they got his point, he repeated it.

“Creating spyware is not hard,” he said. “You can easily make a lot of money on the internet if you have no scruples. Stay away from the scum bags, because they will rip you off. Your honor is worth more.”

[photo credit: Flickr, Robbert van der Steeg and davemora80]