So, you want to see what prOn spyware popups look like?

Just recently, we’ve seen a couple of cases where investigators and prosecutors have gone after serious criminal convictions against people with porn on their systems — Julie Amero’s case and the recent case involving a teenager. In both cases, the defendants had systems that were infected with spyware. And in both cases, the prosecuting parties did not appear to fully comprehend the problem.

Yesterday, Francesco in our spyware research team took a video which clearly shows what can happen in a spyware infestation that results in porn popups. In this case, the machine was infected by the HotSnow trojan (a nasty new rootkit-based trojan) while visiting an innocent site. The infestation, which appears related to a KlickVip affiliate, infected the machine through the use of a now-patched exploit (MDAC).

Notice that the infection site was a relatively innocuous gaming site. Note the immediate porn popups (and this was very hardcore stuff which we had to heavily pixelize) as well as the fact that the images from the popups are then stored on the user’s PC, which Francesco shows by going to the local temporary internet files directory.

http www sunbelt software com ihs alex pornpopup10009999991231323 thumb jpg

To an untrained investigator, the popups will appear to be sites that have been visited, rather than popups. And images from the popups are stored locally on a PC. (Of course, there’s also the even worse situation where one could have a trojan turning your system into an FTP server serving porn.)

You can see the video here.

The old adage “where there’s smoke, there’s fire”, isn’t necessarily applicable in these types of situations. It takes expert forensic investigation and a thorough knowledge of the problem before one can come to the conclusion that a real crime has occurred, rather than popups from an innocent spyware infection or web browsing.