Moral arguments aside, Matt used some really sophisticated techniques to protect their adware installation. My favorite is injecting code into a “ring” of host processes, which monitor their two neighbors and re-inject code if necessary.
He even started using Scheme to give himself a development-time edge on rival adware programs, who frequently fought over the same turf:
There was also of course Scheme. Eventually, we got sick of writing a new C program every time we wanted to go kick somebody off of a machine. Everybody said, “What we need is something configurable.” I said, “Let’s install a Turing-complete language,” and for that I used tinyScheme, which is a BSD licensed, very small, very fast implementation of Scheme that can be compiled down into about a 20K executable if you know what you’re doing.
Eventually, instead of writing individual executables every time a worm came out, I would just write some Scheme code, put that up on the server, and then immediately all sorts of things would go dark. It amounted to a distributed code war on a 4-10 million-node network.