
180solutions sponsors Yapbrowser and... child porn?

Written by Suzi Turner, Contributor

My head is swimming and I feel ill. I just read the blogs about 180solutions' latest -- Yapbrowser, installed from 180's servers no less, that directs all search requests to child porn sites. And this from a company that has made countless claims of cleaning up their act. Oh, but -- 180 does like to talk about the "long tail" of the internet and "trusting the affiliate model".

Excuse me while I get sick.

Longtime spyware expert Andrew Clover of Doxdesk.com has a short video (.avi file) showing exactly what Yapbrowser is and does, and how it installs from 180's servers, complete with HTTP log. You might need a special codec from here, although the video opened fine for me in Windows Media Player. Note in his report, Andrew says "Parts of the video are obscured for reasons about to become obvious." Paperghost gives a narrative rundown of the video:

00:19 seconds: Full disclosure of the Zango software about to be installed, with accept / decline options.

00:23 seconds: The Zango software begins to download onto the PC.

00:46 seconds: Yet another notification, this time from the Yapbrowser application, stating that it doesn't contain anything harmful(!) such as "Bookmarks", "Grecian Horses" and the like. Phew, that's a relief.

1:11 minutes: He clicks the green "go" button, and....child porn! Not just any old UA porn, mind you, but the stuff you have to pay for. $79 for a month, no less.

1:31 minutes: He does a search for the word "Spam" in the Yapbrowser search bar, and the screen goes blank.

1:46 minutes: He types in Microsoft.com, hits the "go" button, and....more child porn!

SunbeltBLOG has a write up and this screenshot. If the child porn connection isn't bad enough, get this.  Andrew Clover, SunbeltBLOG and a post at PCPitstop connect this Yapbrowser to CoolWebSearch, a large loosely connected group of criminals that run exploits from porn sites and install all manner of nastiness on computers. In fact, Sunbelt has a document (PDF), recently found in the wild by their researchers and translated from Russian to English, that seems to describe Yapbrowser and mentions Yapsearch (dot) com. The discussion indicates plans for some very nasty spyware installs. Just who is behind Yapbrowser and Yapsearch and the affiliate program at Yapcash.com? (Links to whois info.) Andrew Clover provides some details to help answer that question.

So who is this 'Enigma Global Inc' that the YapBrowser installer claims is responsible for the program? The language in the license agreement, claiming that the software contains no "Grecian horses" suggests English isn't their first language, that's for sure; the sites are hosted at Pilosoft, one of the largest US ISPs for the Russian-language adult webmaster community and their security exploits, hijackers and PPC sites collectively known as CWS.

The whois information for yapcash.com, the affiliate scheme for yapsearch.com and yapbrowser site, is given as "John Malkovich", obviously fake, but with a probably-not-fake e-mail address at Yahoo. The same details are used for a group of sites at Eltel, a Russian ISP, including one site that redirects the user to browser exploits at paradise-dialer.com, which load trojans, spyware (via the CWS Cactus group) and dialers (from PremiumBilling, aka Coulomb).

Paradise-dialer's whois places it as part of the CWS group known as Dimpy, aka BigBuks. Since the BigBuks whois is also given by mix-click, referred to by the yapbrowser/yapsearch whois, and the aforementioned servers at Pilosoft and Eltel (as well as the paradise-dialer server also at Pilosoft just a few IP addresses away) run many other sites that link back to browser exploits and child porn promotions run by BigBuks, it seems reasonable to assume that they are the same group of people.

If you check the whois info, note also the domains are registered through Estdomains, the registrar that is part of Atrivo/InterCage/Esthost, another ISP known for hosting CWS sites and spyware.

All things being considered, this is an interesting alliance for 180solutions -- child porn sites and the CWS gang.  Way to go, guys.  Since the Yapbrowser is downloaded directly from 180's servers, it will be interesting to see how they try to get out of this one.

I see Techdirt and Wayne Porter have picked up this story and are asking "Shouldn't A Child Porn Distributor be Considered a Rogue Affiliate?" My question would be this -- what legitimate company would want to be affiliated with 180solutions after learning of 180's apparent liaison with child porn and CoolWebSearch?

Update 6:25 PM: The Yap domains seem to be down at present. I'll check again later.

Note: the notice above that says Podcast and download the MP3 is not an MP3. It's actually a link to the video by Andrew Clover of the Yapbrowser installation. The notice has been corrected to indicate a video. -- Editor.
