Mr. Smarty Pants

Imagine you had an application that gets over 1,000 downloads a day. Imagine that this application’s sole purpose is to create other applications. Imagine those applications are distributed by your users, some bigger, some smaller. Imagine those derived applications get downloaded over 1,000,000 times a day. Feeling good yet?

Now imagine someone would offer you 0.001$ for each user that opens one of those derived applications. That’s over 1,000$ a day. 30,000$ a month. 360,000$ a year. Perfect, ain’t that right? You’re sitting on your porch, a beer in your hand, music in the background and the skies are raining green bills. Does it get any better?

Sounds too good to be true? How about we dig in a little? Say, mister money pants… What exactly do I have to do for this money? “Nothing really”, he responds. “All you have to do is include our little library in every derived application your application creates”, he adds. Move a little uncomfortably in your chair and he’ll satisfy you, “it just gives the user nice and unobtrusive advertisements specifically targeted at him”. Sold yet? I sure am!

So you decide to wrap it up. But you still feel a little bit uncomfortable with it. Maybe because you don’t want people to know you’re making money off your free software, or maybe because you still don’t trust this guy too much. What do you do? You move his library a bit further. Assuming your application is called XYZ, you pack money pants’ library into XYZ Media which will be silently installed by your application’s derived applications. No one will know it’s you now. It’s ingenious!

Best deal ever? Right? You dig? Well? No? Why? Come on… You with me or what? Of course not. Why would I ever want to do something like that?

  1. My software is not only free, it’s open-source and is freely hosted on SourceForge. It costs me nothing but time. I’ve got no bills to cover.
  2. I’ve got a job, I don’t need an additional income. I’ve also had my share of incomes from the free software, without the need for deals like that.
  3. It’s completely evil. Besides forfeiting my ever-elusive seat in heaven, it’d also send my software right down the drain. Even if I remove XYZ Media later, no one will ever want to use it again. 1,000 downloads a day? Try one closed project.

As you’ve probably already guessed, I’m talking about NSIS and NSIS Media. NSIS Media is an extremely annoying adware package, or so reports say. It installs itself on both Internet Explorer and Firefox. On Firefox, it installs an extension with a file named NSIS.jar. These browser extensions pop up advertisements titled “NSIS Media Advertisement” for the user at what appears to be random times. It shows an uninstaller in the Add/Remove control panel, but as long as the carrier program is installed, it’ll just come back.

According to reports online, it comes with eMule++ and every download from Openwares. The eMule++ installer and each installer I have downloaded from Openwares install two DLLs to the Windows directory. DLL names include wmidext.dll, winsdrv.dll, msxmlu.dll and even nvrssid.dll, pretending to be a shell extension of nVidia. As you can see, it doesn’t really smell too good. But as can be seen in the picture below, it does ask the user for permission, at least with the original eMule++ installer.

[Image: eMule++ NSIS Media page]

In Openwares installers, on the other hand, there is no such page. So what is this Openwares? It’s a company that would, at least according to their front page, freely repackage your installer with NSIS, publish it on their website and on CNet’s Download.com. The latter seems to be the most fertile ground for their deployment.

So is it evil or not? The eMule++ installer page might suggest it’s not. So does NSIS Media’s website, especially the uninstall page. But do they enforce this installer page on all of their partners? It doesn’t seem like they care too much for Openwares’ installers, which seem to be pretty widespread. Add the weird DLL naming and the very peculiar company name choice, and one thing you won’t get is positive credit. More specimens, outside of Openwares, or a direct contact at NSIS Media are required to determine the true nature of the beast.

But we’re not here to discuss the business affairs of this advertisement company. We have gathered here today to discuss my righteousness. Some people actually think I’m responsible for this mess. Probably some just Google up “NSIS” and find my e-mail address as the first result. But some people actually believe I’m behind this abomination. I got everything from polite requests for removal instructions to death threats. My favorites follow.

“As you can see, I am an IBM employee. Somehow the NSIS Media Trojan Horse has invaded my system. Please promptly send me instructions on how to remove it so that I don’t have to report this issue to IBM Legal.”

“CUT THE CRAP (read: spy-ware) !!!” (this one is actually longer, I trimmed it a bit…)

Some even plot a NSIS-Firefox grand conspiracy in their heads.

“Why there is no info on the Firefox / NSIS spyware scandal? Some malicious code installs into Firefox browsers and Thunderbird mail clients via JAR files by abusing a yet unpatched NSIS security hole and then bombards the user with many pop-up windows and downloads further spyware. The Net is up in arms about it, especially in Europe, where Firefox has 20% share in browsing. Firefox developers accuse NSIS developers of indifference and laziness in fixing.”

All of the above, and many more like those, got the appropriate response along the lines of “NSIS is not NSIS Media, go away”. Poor saps, fooled three times in a row. The first time, they’ve downloaded their application of choice from a bad source. Next, they miss the warning signs in the installer or all of those privacy statements. And finally, when reality pops up in their faces, they miss the word “media” and blame yours truly.

So what have we learned today?

  1. NSIS Media is in no way related to NSIS.
  2. Download only from trusted sources and read carefully what the installer tells you.
  3. kichik doesn’t make 1000$ a day 😦

4 thoughts on “Mr. Smarty Pants”

  1. NSIS has been NSIS for a good chunk of time – choosing a name like ‘NSIS Media’ sounds like a deliberate attempt to leech off of NSIS’s good name. If you can find any contact for these guys, I’d suggest sending a cease and desist. IMO, this is deliberate.

  2. I agree. This doesn’t seem to be an innocent choice, especially seeing as there’s no explanation regarding the name’s meaning on their website. Cease and desist is one of the routes I’m taking to get this to a stop. Once some progress shows, I’ll write an update post.

  3. […] Right after I finished writing the last post, I was greeted with a nice pop-up suggesting I should get a green card. I was quite surprised I was infected with NSIS Media, because I only opened the installers on a Virtual PC. After a little meditation, mainly to cool myself, but also to dig in my memories, I recalled I opened one of the installers to take a screenshot. Foolishly, I assumed it’d only install this malware along with the program itself. How deep was my mistake to think they’d actually be that nice. The malware installed itself even before the first wizard page showed up. All doubt was removed. This software is pure evil. […]

  4. I am the IBM employee who, back in 2006, sent you the nasty letter that you quoted here. I can’t believe that I happened to find you a second time by accidentally stumbling across this blog tonight, by the way. I’ve been working on cleaning up some bad registry entries today and I suppose one of my keywords led me here. When I saw the post about an IBMer it rang a bell, so I went through my e-mail archives and found that the message you refer to did in fact come from me. After I sent you that message, you sent me a reply. And once you explained that I was mistaken, I explained with this final reply:

    “Amir, I was pointed to your company by someone on a message board. I apologize if you are the wrong source.”

    As you know, I was having some serious system problems before I contacted you, largely due to NSIS media. After doing a bit of research, someone with another company pointed a finger in your direction. So I lashed out hastily I admit, but I regretted it and I did send you that brief apology. Anyway, I read a lot of your blog tonight and it’s great. Keep it up.
