This is starting to get intriguing and quite disturbing. Antispyware heavyweight Andrew Clover left this very interesting post on SpywareWarrior’s blog on Grokster last night:

“Apart from the usual suspects Grokster installs (BroadcastPC, MSearch/MyGlobalSearch etc.) we are seeing something else here as pictured in the screenshot on Alex’s blog.

That something is simply an advert spawned through Grokster’s normal in-application advertising system (Cydoor). However this uses IE to display the ads, so is vulnerable to all the same exploits IE can meet during normal browsing. The ad network let exploits in, so will be serving spyware to everyone who views ads on that network, through Grokster or otherwise.

In this case the exploit is a new variant on 2ndThought, going under the name KVM Media. 2ndThought is a perennial source of exploits served through mainstream ad networks.

Other names used by the company behind 2ndThought (and the related FreeScratchAndWin/xzoomy, EnhanceMySearch and RebateShoppers parasites) include CPM Media, PopNugget, SoftTech, Advolt, AdsLimitless, LeadTaxi, WMG Media, Pacimedia, PacerD, AdSavior, Pan-Advert, More Media One and ICANNNews.”

This KVM attempted force-install I wrote about last week (pictured below) is very nasty.  We also have an unconfirmed report from a reliable source that one of the apps KVM installs turns your machine into a spam zombie. 

Kvm123

We should see some interesting new developments over the next week…

Alex Eckelberry