Conduit Ltd - The Conduit Spyware Engine

It has been a while since I last had to fight a virus or malware, but today I came across an especially nasty bit of spyware on my girlfriend's computer: the Conduit Toolbar. It was drive-by installed through some other software, which AFTER installation presented a pre-checked checkbox with the caption "I have read and agree with the license agreement and privacy policy of xy toolbar and wish to install it." (The wording may differ a little depending on which drive-by you catch.) It is really easy to overlook; even I nearly fell for it.

When she saw the first effects she called me immediately and I took a quick look. It became obvious that there was a big problem when I tried to find some way of removing it via Google searches. It turns out that not only is there no article with a solution, there are dozens of articles, forum posts and websites claiming the tool is harmless and can simply be uninstalled through the normal mechanisms. These were obviously written by Conduit stakeholders.

So I started the tedious process of manually searching for rootkits and hidden files, startup entries, registry entries and so on. It took me almost a day(!) to get rid of the tool. This included blocking the website bunndle.com via the hosts file, through which the software re-downloads and re-installs itself after a partial removal. I also had to delete many registry entries and well-hidden files all over the system. And of course I had to remove all browsers and re-install them.
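The three removal steps above (sinkholing the re-download domain in the hosts file, reviewing autostart registry entries, and finding hidden files) can be scripted so they are repeatable and verifiable. The following is an added example written for this page, not code from the original post or from Conduit; it assumes bunndle.com as the domain to block (taken from the post), uses the standard Windows Run/RunOnce keys, and takes a search keyword ("Conduit") that is an assumption, not a confirmed file name. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post): sinkhole a re-download domain in
# the hosts file, verify that the local resolver honours it, and list the
# autostart entries and hidden files an operator should review by hand.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # Assumption: the domain named in the post; extend the list as needed.
    [string[]]$BlockDomains = @('bunndle.com', 'www.bunndle.com'),
    [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts",
    # Assumption: keyword to look for in hidden file/folder names.
    [string]$Keyword = 'Conduit',
    [string[]]$SearchRoots = @("$env:ProgramData", "$env:LOCALAPPDATA", "$env:APPDATA", "$env:ProgramFiles")
)

function Add-HostsBlock {
    param([string]$Domain, [string]$Path)
    # Only append when no existing (non-comment) line already maps the domain,
    # so the script can be re-run without producing duplicate entries.
    $existing = Get-Content -Path $Path -ErrorAction Stop
    $pattern  = '^\s*[0-9a-fA-F:.]+\s+' + [regex]::Escape($Domain) + '(\s|$)'
    if ($existing -match $pattern) {
        Write-Verbose "hosts already contains an entry for $Domain"
        return $false
    }
    Add-Content -Path $Path -Encoding ASCII -Value "127.0.0.1`t$Domain`t# blocked: toolbar re-download host"
    return $true
}

function Test-HostsBlock {
    param([string]$Domain)
    # System.Net.Dns consults the hosts file (Resolve-DnsName does not), so this
    # confirms the block is actually in effect for applications on this machine.
    $addresses = [System.Net.Dns]::GetHostAddresses($Domain) | ForEach-Object { $_.IPAddressToString }
    return ($addresses -contains '127.0.0.1')
}

function Get-AutostartEntries {
    # Enumerate the per-user and machine-wide Run/RunOnce keys and return each
    # command line so unfamiliar binaries can be inspected before removal.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSProvider, ...
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Find-HiddenArtifacts {
    param([string]$Keyword, [string[]]$Roots)
    # -Force includes hidden and system items, which a plain directory listing
    # would skip; only report items that actually carry the Hidden attribute.
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*$Keyword*" -and ($_.Attributes -band [IO.FileAttributes]::Hidden) }
    }
}

foreach ($domain in $BlockDomains) {
    if (Add-HostsBlock -Domain $domain -Path $HostsPath) { Write-Host "Added hosts block for $domain" }
}
# A stale positive cache entry would otherwise bypass the new hosts line.
Clear-DnsClientCache -ErrorAction SilentlyContinue
foreach ($domain in $BlockDomains) {
    Write-Host ("{0} blocked locally: {1}" -f $domain, (Test-HostsBlock -Domain $domain))
}

Write-Host "`nAutostart entries (review each command line):"
Get-AutostartEntries | Format-Table -AutoSize

Write-Host "`nHidden items matching '$Keyword':"
Find-HiddenArtifacts -Keyword $Keyword -Roots $SearchRoots | Select-Object FullName, Attributes
```

The script only reports autostart entries and hidden files rather than deleting them, because the Run keys legitimately hold vendor updaters and security tools; the operator decides what goes. The hosts entry uses 127.0.0.1, which is what the resolver check looks for; if you prefer 0.0.0.0, change both places.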

I also analyzed some of the software, and it turns out that this is spyware and a backdoor of the worst imaginable kind. Even worse, it opens up your computer to all kinds of additional malicious applications from third parties, which can be installed without you even noticing once the primary backdoor is open.

After that I was very angry, of course, and started to prepare for some retaliation / legal action. I filed an FTC complaint among other things, but such measures usually do little in the short term. So I researched the guy who is ultimately responsible for this crap: Ronen Shilo, an Israeli nationalist who makes a living out of the misery of inexperienced computer users. You can easily find him on Facebook: http://www.facebook.com/ronen.shilo. So obviously he is not very intelligent overall, just in business matters, if his numbers are to be believed.

A few interesting additional facts if you have also been fucked by his software: his websites conduit.com and especially bunndle.com currently do not adhere to the law concerning whois entries. (I have already filed complaints, but the more the better.) The bunndle.com whois data leads you to a phone number which plays a recorded ring-back tone, so you pay the connection fee for a while until you realize that you are being fucked - again.

However, it won't hurt this guy even if someone were to take down his company, since he has already sold it and moved on to further (probably also criminal) "projects", and besides, he is already rich as shit, so that's not the way to hurt him. But he still has a social life and "friends", so there will be other ways to make him aware of his mistakes, which I will continue to do until he sends me a perfect apology. (This will never happen, of course.)

PS: I am sure it is just a matter of time ;) until a decent decompile turns up, so that... well, all grey hats will know what to do :)