Christopher Boyd (IT security)
Computer security researcher
Christopher Boyd, also known by his online pseudonym Paperghost, is a computer security researcher.
Early Security Work
Christopher Boyd, widely known by his online pseudonym Paperghost, established himself as a computer security researcher in the early 2000s. In July 2004, he launched Vitalsecurity.org, a website dedicated to bringing privacy and spyware issues to public attention. The site became a platform for documenting emerging threats at a time when spyware and adware were rapidly evolving in sophistication.
In November 2004, Boyd documented a modular hacking technique that compromised Windows end-users by targeting Apache servers. Once hacked, those servers would redirect visitors to a rotating series of infection pages deploying recoded viruses, trojans, malware, and spyware — a technique later adopted heavily by groups behind the spyware CoolWebSearch.
Notable Discoveries
In March 2005, Boyd challenged the prevailing assumption that alternative browsers such as Opera and Firefox offered meaningful security advantages over Internet Explorer. He identified a Java applet that, when accepted by the user, installed a large adware bundle regardless of blocklists or security tools. An updated Firefox XPI installer that subsequently infected Internet Explorer was also found in some of these deployments.
In June 2005, Boyd uncovered that adware distributors were increasingly turning to BitTorrent forums and file-sharing sites as distribution channels. He found that Aurora, a program produced by Direct Revenue, and several other major adware programs were being bundled and distributed through Metrix Marketing Group (MMG). The investigation also exposed potentially copyright-infringing files, illegal pornography, and absent or incorrect disclosure practices. The findings prompted Direct Revenue, 180solutions, and other companies to publicly announce they were discontinuing these distribution methods.
The investigation attracted significant media attention, including a column by John C. Dvorak of PC Magazine alleging Boyd was part of a conspiracy to discredit BitTorrent on Microsoft's behalf — a characterization that generated considerable controversy. Dave Methvin of PC Pitstop subsequently followed up with his own findings, alleging that some distributed films contained potentially illegal underage pornography. MMG later went offline and the adware companies withdrew from that distribution network.
In October 2005, Boyd discovered a fake Google Toolbar being distributed via instant messaging. The toolbar allowed users to store credit card details and opened a fraudulent Google search page. Boyd traced the toolbar back to 2003 through three distinct versions, each exploiting vulnerabilities in the Windows operating system.
Also in late 2005, Boyd identified what is considered the first known instance of a rootkit distributed via instant messaging, concealed within a large payload of adware and spyware. Over several months, the group behind the attacks deployed a range of payloads — including a forced BitTorrent installation used to spread movie files — and were eventually traced to the Middle East.
2006 Research
Boyd continued to produce significant security findings throughout 2006. These included the discovery of a 150,000-strong botnet that used a custom-built Perl script to steal payment data from third-party shopping cart applications, an exposé of a web browser redirecting users to potentially illegal pornography, an instant messaging worm that installed its own web browser, and evidence that adware maker Zango was promoting content through MySpace. He also documented a multi-chained infection he termed the "Pipeline Worm," an instant messaging infection employing botnet-style tactics for click fraud, and a worm using QuickTime files to spread across MySpace to push Zango adware.
Career
Boyd served as Director of Malware Research at FaceTime and subsequently as a Senior Threat Researcher at Sunbelt Software, which later became GFI Software. In December 2013, Malwarebytes announced that Boyd had joined their Malware Intelligence team to research new threats.
Recognition and Criticism
Boyd developed a reputation as a fierce critic of adware companies. His scrutiny of 180solutions led the company to publicly label him a "fanatic" on their weblog. His work was regularly referenced by prominent antispyware voices including Sunbelt Blog, Suzi Turner's ZDNet blog, and Ben Edelman's website.

