Patrick Jordan joins Sunbelt

The most vexing spyware strains are Cool Web Search and VX2/Transponder.  These are the types of spyware that kill machines.

For a while now, Patrick Jordan (known in the antispyware community as WebHelper) has been helping us with removing these types of spyware.  I would venture that he’s one of the top 3 people in the world when it comes to these nasties.

We finally convinced him to join us, and he is now on staff as a senior researcher.

What’s fascinating is talking to this guy. He is a walking encyclopedia on spyware.  Ask him something like: “So who was behind this strain of such and such”, and prepare yourself for a 30 minute detailed run-down of all the players involved and the details of the payload.

Anyway, Sunbelt PR’s official statement is here.

 

Alex Eckelberry
President

WhenU listing status in CounterSpy database

We have been in discussions with WhenU over the past several weeks about our detection of their software in our database.  As we had blogged earlier, we have found WhenU’s practices have shown a dramatic improvement over the last year (certainly, better than any other adware vendor we have seen).  The company was forthright in their dealings with us, all of which is detailed in our new WhenU Whitepaper.

Now, not all is perfect.  As much progress as WhenU has made over the past ten months, problems remain. Roughly one-third of its distributions still use poor notice and disclosure regimes. In a small number of cases, not all of WhenU’s programs are fully disclosed during installation. Finally, the conditional uninstallers for the Save advertising program can fail in some instances.

 

Given this mixed bag of commendable improvement and lingering problems, the Sunbelt Research team will be making changes to some but not all of WhenU’s programs within Sunbelt’s CounterSpy detections database:

 

SaveNow / Save: This pop-up advertising program will remain classified as “Adware” with a Threat Level of “Moderate risk” and a Recommended Action of “Quarantine.”

 

WhenUSearch: This desktop toolbar program will be reclassified as “Low Risk Adware” with a Threat Level of “Low risk” and a Recommended Action of “Ignore.” This re-classification should, as a practical matter, encompass all of WhenU’s re-skinned, co-branded toolbars, including WhenU’s own PriceBandit toolbar.  Since UControl is also bundled with WhenUSearch, it will be treated in the same manner. (UControl is WhenU’s adware program that is actually powered by Aluria…)

 

Weathercast: This weather information program will be reclassified as “Low Risk Adware” with a Threat Level of “Low risk” and a Recommended Action of “Ignore.”

 

ClockSync: This system clock synchronization program will be reclassified as “Adware Bundler” with a Threat Level of “Low risk” and a Recommended Action of “Ignore.”

  

WhenUShop: This shopping companion program is currently not included in the CounterSpy detections database. As it was only recently made a free program (previously it was available only for a fee), WhenUShop will be reviewed over the near future for possible inclusion in a future version of the CounterSpy database.

 

By classifying WhenUSearch (with UControl), Weathercast, and ClockSync as “Low Risk Adware” with a Recommended Action of “Ignore,” we will continue to offer these programs as detections to our customers and users, providing them the opportunity to remove this software if they so choose.

 

The new whitepaper is here. As always, feel free to comment.

 

Alex Eckelberry

 

on Frontbridge

So Microsoft continues its inexorable march toward attempted world domination of the security space with the purchase of FrontBridge.  Sierra Ventures, one of the VCs, must be happy.

What is FrontBridge?  They are a managed services play for enterprise email security.  You point your mail to them, they clean it, and it gets passed on to you all spiffy and clean. It’s complementary to their Sybari acquisition.

FrontBridge doesn’t use their own antivirus technology.  Instead, they partner with Sophos, Kaspersky and Symantec for virus scanning.

They didn’t buy Postini (a heavyweight in this space), probably because the price was going to be too high.  FrontBridge only had $10 million in sales, whereas Postini is probably (I’m guessing) 4x that number.

Managed services for email security are only used by certain types of enterprise customers — those that are comfortable with someone else handling their email (security and control are the sticking points).

Alex

 

Making the Department of Homeland Security a wee bit more careful

Ari Schwartz of the CDT just posted a framework on what the Department of Homeland Security needs to do to protect personally identifiable information.

“Considering the government’s increasing reliance on commercial data, and the harms that can occur when the government makes decisions about individuals based on inaccurate or irrelevant data, it is imperative that DHS develop rules for use of commercial data, regardless of whether the data is brought into government computers. While the principles of the Privacy Act remain viable, DHS will have to go beyond narrow interpretations of the Act in order to ensure that adequate privacy protections are built into its projects. There are increasing calls to update the Privacy Act, but, in the meantime, DHS can take administrative steps to apply the Act’s principles to all its uses of personal information.”

(Thanks to beSpacific.)

More on the MS security flaw

From news.com

Now it’s known to affect more than just XP.   “Windows 2000, Windows XP and Windows Server 2003 are vulnerable to a denial-of-service attack…”

If you have RDP enabled, you are at risk.  This includes anyone who uses Remote Desktop, Terminal Services (TS) or Remote Assistance.  Remember that it’s enabled by default in XP Media Center.

Basically:

“Until a patch is available, Microsoft suggests users block TCP port 3389 (the port used by RDP) on their firewall, disable Terminal Services or Remote Desktop if not required, or secure remote desktop connections using either Internet Protocol Security or a virtual private network connection.”
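Before and after applying the mitigations quoted above, an administrator wants to know which hosts actually answer RDP from the network. The script below is an added example, not code from the original post, from Microsoft or from news.com. It sends the standard RDP connection-initiation PDU (a TPKT-framed X.224 Connection Request) and looks for an X.224 Connection Confirm, which distinguishes a real RDP listener from a firewall that merely accepts the SYN or from some unrelated service on port 3389. `FakeRdpListener` is a constructed loopback stand-in for an RDP server so the probe can be run offline; it is not an RDP implementation.

```python
"""Added example (not from the original post or from Microsoft): probe hosts
for a reachable RDP service on TCP 3389, before and after applying the
mitigations quoted above.  The X.224 Connection Request / Confirm PDUs are the
standard RDP connection-initiation exchange; FakeRdpListener is a constructed
loopback stand-in for an RDP server so the probe can be exercised offline."""
import socket
import sys
import threading
from contextlib import closing

RDP_PORT = 3389

# Client -> server: TPKT header (version 3, length 19) + X.224 Connection Request
# carrying an RDP_NEG_REQ that offers TLS and CredSSP (requestedProtocols = 0x03).
X224_CONNECTION_REQUEST = bytes.fromhex(
    "03000013"          # TPKT: version 3, reserved, length 0x0013
    "0ee00000000000"    # X.224 CR: LI=14, code 0xE0, dst-ref 0, src-ref 0, class 0
    "0100080003000000"  # RDP_NEG_REQ: type 1, flags 0, length 8, protocols 0x00000003
)
# Server -> client: X.224 Connection Confirm (code 0xD0) with an RDP_NEG_RSP
# selecting TLS.  Canned reply used by the fake listener below.
X224_CONNECTION_CONFIRM = bytes.fromhex(
    "03000013"
    "0ed00000123400"    # X.224 CC: LI=14, code 0xD0, dst-ref 0, src-ref 0x1234, class 0
    "0200080001000000"  # RDP_NEG_RSP: type 2, flags 0, length 8, selectedProtocol 1
)


def tcp_port_open(host, port=RDP_PORT, timeout=2.0):
    """True if a TCP connect to host:port succeeds within timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            return False
        return True


def rdp_listening(host, port=RDP_PORT, timeout=2.0):
    """True if host:port answers an X.224 Connection Request with a Connection
    Confirm, i.e. something speaking RDP is really listening there.  A firewall
    that accepts the SYN but drops data, or an unrelated service, gives False."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.sendall(X224_CONNECTION_REQUEST)
            resp = s.recv(64)
        except OSError:
            return False
    # TPKT version byte 3, X.224 code byte 0xD0 = Connection Confirm
    return len(resp) >= 11 and resp[0] == 0x03 and resp[5] == 0xD0


def exposed_rdp_hosts(hosts, port=RDP_PORT, timeout=2.0):
    """Subset of hosts on which an RDP listener is reachable from here."""
    return [h for h in hosts if rdp_listening(h, port, timeout)]


class FakeRdpListener:
    """Constructed loopback stand-in for an RDP server: accepts connections on
    an ephemeral port and answers each with a canned reply.  Not a real RDP
    implementation; it exists only so the probe can be tested offline."""

    def __init__(self, reply=X224_CONNECTION_CONFIRM):
        self._reply = reply
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(5)
        self._srv.settimeout(0.2)           # so the accept loop can notice stop()
        self.port = self._srv.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with conn:
                try:
                    conn.settimeout(2.0)
                    conn.recv(64)           # the client's Connection Request
                    conn.sendall(self._reply)
                except OSError:
                    pass

    def stop(self):
        """Stop serving and release the port, so later probes are refused."""
        self._stop.set()
        self._thread.join()
        self._srv.close()


if __name__ == "__main__":
    # Usage: python rdp_probe.py host1 host2 ...   (port 3389 assumed)
    for host in sys.argv[1:]:
        state = "RDP" if rdp_listening(host) else ("open" if tcp_port_open(host) else "closed")
        print(f"{host}:{RDP_PORT} {state}")
```

Run it against the hosts you have just firewalled and expect "closed" everywhere except the IPsec or VPN endpoints you intentionally left reachable; "open" without "RDP" usually means something other than Terminal Services has claimed the port.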

 

Off topic — couple of great blog tools

OT: Two nifty tools to help bloggers.

RSS Popper — I personally don’t like RSS programs that put feeds in a separate app. Having RSS feeds come into Outlook is a real time saver. I’ve been using this RSS feeder for a while and it’s great. Free. Highly recommended.

Blogjet — I’m using Blogjet and love it.  Despite a few very minor quirks, it’s a fast, easy way to get blogs up.  Free trial, $39.95 if you buy.

Alex Eckelberry

 

The only “dual-engine” antispam for Exchange environments

We’re excited about this new product release. This is a significant upgrade to Sunbelt’s iHateSpam for Exchange. The new version 1.7 delivers the industry’s only system with dual spam detection engines, allowing administrators to specify the Sunbelt antispam engine, Cloudmark’s antispam engine, or both.

Version 1.7 uses the original iHateSpam for Exchange heuristic engine and the latest Cloudmark signature engine. With the integration of dual spam detection engines, iHateSpam for Exchange now delivers even greater spam detection with current tests reporting almost 100% spam detection with low false positives when both engines are used.

Read the press release.

call for beta testers

We have a new version of iHateSpam (consumer) that we have available for testing.  This new version is not a significant upgrade, but it does have some changes in the code that need testing.

If you’d like to join the beta, go to beta.sunbelt-software.com and do the following:

1. Click on “Register”
2. Click on “I Agree to these terms and am over or exactly 13 years of age”.
3. Fill out the registration form.
a) Choose your own Username and Password.
b) Items marked with a * are required unless stated otherwise.
c) Submit your information.
4. After you register, an activation email will be sent out. Check your email and click on the link in that email to activate your account.
5. Log in with your Username and Password.
6. Click on “Usergroups”
7. Select a beta group that you want to join and click on View Information. (iHateSpam Client 4.0.5. Beta)
8. Click on “Join Group” to request permission to join that group.
9. Please allow up to 24 hours for the beta forum’s moderator to review your account and assign you permissions to view that beta’s forums.
10. Once you’re given permissions to that beta’s forums you’ll be able to view the forum.

Alex Eckelberry

 

So just what does “Ignore” mean?


Lots of news lately about Microsoft downgrading Claria (and other applications) to “Ignore”. Just what does this mean? Not much in practice, but more in philosophy.

 

Let me explain: There are very few antispyware programs I’m aware of that have an “Ignore” option, with Microsoft Antispyware and Sunbelt CounterSpy being the most notable. And that’s because they both originally shared the same code base (although each product has gone in its own direction).

 

The practical aspect of this approach is that either one of us can set the recommended action for the user to one of three options: Ignore, Quarantine or Remove. The idea (at least from our perspective) is to use Ignore on programs that are relatively harmless. Quarantine is the next level up. And Remove is reserved for truly pernicious applications that need to get off the system right away.

 

Most other antispyware programs simply offer to quarantine a piece of spyware. That’s not to say that’s wrong, it’s just a different approach.

 

Setting the “Ignore” flag is part of a multi-dimensional assessment of adware. It starts with two basic aspects: the threat level (High, Moderate, Low, etc.) and the default recommended action (Ignore, Quarantine, or Remove). So you can set a dangerous piece of spyware to “High Threat”, “Remove”; you can set a run-of-the-mill adware program to “Moderate Threat”, “Quarantine”; or set a relatively harmless adware program to “Low Risk”, “Ignore”. It gives a great deal of flexibility in defining what a threat is.

 

Now, there are relatively innocuous adware programs that merit being set to Ignore. Let’s use WeatherBug as an example. In most or all cases, people downloaded the program with the intent of getting weather alerts. Disclosure is fairly adequate, it doesn’t blast popups in your face while you’re surfing, it’s not installed through stealth, etc. So that is a case where one might say “Ok, we’ll put it in as Ignore, because chances are that someone actually wanted this, but we need to make sure the user knows it’s on their system”.

 

Another use of “Ignore” is for applications which might cause a privacy risk for a user. For example, a remote control program used in the wrong hands is a dangerous piece of spyware. However, in almost all cases, the user already knows about the remote control program on their system, so we simply offer advice on what the potential threat is and put the default action to Ignore.

 

Here’s the interesting part: “Ignore” is often ignored by users. That is to say — you can put Ignore in as a recommended action, and many users may still remove the application.

 

The problem is the thinking behind this. Those judgment calls are part of the gray area of adware definitions. And this is where I stop. Because there are a number of fundamental problems in the industry these days with defining adware:

 

“Standards are needed!” Don’t listen to the BS (largely coming from PR flacks in the adware business) that “standards are needed to define what is adware”. It’s not an issue of standards. If you’re stupid enough not to be able to tell the difference between an ad-supported copy of Eudora and Hotbar, well get out of the business. It’s adware. Period. See this post for more.

   

“Objective Criteria”. We’ve seen others get into this trap. They want to solely rely on “Objective Criteria” to determine what adware is. That is to say, you plug in the various attributes of a program, and the objective criteria tells you whether to list it or not in your database. Of course, it’s human nature to try to have some taxonomy, some order.

 

This is so idiotic it’s painful. All that happens is adware companies simply work themselves into the “Objective Criteria”. It also doesn’t take into account the real issues in defining adware, which often come from your gut. Isn’t it obvious that there is a difference between AOL Instant Messenger (which is ad-supported) and Hotbar? Of course there is. But if you rely on objective criteria, you will get stuck in a trap of not being able to list a program.

 

We agonized over our listing criteria, as do many other commercial antispyware companies. We consulted with our lawyers. We carefully evaluated all the gray areas. And we came to the conclusion that you cannot rely on objective criteria alone when defining adware. At some point, you have to rely on your ability to observe and think — beyond the confines of an “Objective Criteria”.

 

“Antispyware is a business”. Well, it is, but it isn’t. If you’re in the business of making antispyware tools strictly to make money, or to fill another slot in a product portfolio, or to sell more overpriced subscription products, you’re in the wrong game. Antispyware vendors have a duty to users which goes above the normal duties of making software.

 

Your users are relying on you to make the tough calls, to take the heat, and even go to court if you have to. It’s why they shelled out the bucks to buy your product. It’s not something to be done by committees.

 

A number of very smart men have said that there are no statues for committees. And that’s true. In the antispyware business, there has to be a strong, central philosophy that flows throughout the organization. That philosophy usually comes from one or two people. Obviously, the problem at Microsoft is that they have competing demands in the organization — Legal wanting to stay out of lawsuits, MSN trying to make a business in online marketing and the antispyware people trying to make a good antispyware product.

 

“Being reasonable”. Being reasonable is a trap in this business. Adware vendors all have “reasonable” arguments as to why they shouldn’t be listed. Remember your users, those people who spent their hard-earned money to buy your product, and then think twice about “being reasonable”. As my grandfather used to say in his classic irascible way: “You want a medal, or a chest to pin it on?”

 

Now, I temper my normal aggressive rhetoric with some balance. To those adware vendors who read this blog (and there are many), you will always get fair and just treatment from us. We’re not crazed vigilantes in a mindless battle against advertising. We know that you’re running a business. It’s just that we’re in the business of protecting users and enterprises from adware and spyware. And that goes above any other discussion.

 

Alex Eckelberry

President

 

What’s the difference between AV and Spyware?

Robert Vamosi at CNET thinks the antispyware market should be more like the antivirus market in terms of things like sharing data and listing criteria.

There are a number of differences between viruses and spyware.

Let’s tick them off.

  • Virus writers don’t sue antivirus companies for listing them. This is why a standards coalition to “define” adware is potentially dangerous. It’s only going to give adware vendors a nice way to argue their way out of being listed.
  • Antivirus companies don’t capitulate to threats from virus writers to delist them.
  • Putting aside conspiracy theories, virus writers don’t get in bed with antivirus companies.
  • Due to the high number of files and registry entries made on a spyware install, there is a significant risk of false positives in antispyware products, which on desktop antivirus solutions is fairly low (something I suspect the antivirus guys are only now figuring out).
  • There are a few new viruses popping up every once in a while. There are new spyware strains every day.
  • There is a vast amount installed when you get a big spyware infestation. Ben Edelman did a test which showed that ONE ActiveX prompt resulted in 31 programs in 58 folders, 786 files and 11,915 registry entries!
  • And his point that there is a cozy community sharing data in the antivirus world, with an assumption that the same doesn’t occur in the antispyware world, is false. There is a tremendous amount of data shared in the community, on expert boards such as Spyware Warrior and Broadband Reports.
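Figures like the ones quoted from Ben Edelman’s test come from differencing a machine before and after an install, and the same differencing is what an antispyware researcher needs in order to write a definition that catches every dropped file without flagging a neighbour’s. The script below is an added example, not Edelman’s tooling or Sunbelt’s: it snapshots a directory tree, runs a constructed stand-in “installer” into a temporary directory, snapshots again and reports added, removed and modified files plus the folder/file footprint. It covers the filesystem only; on Windows the registry half would be a second snapshot taken the same way with `winreg`.

```python
"""Added example (not from the original post or from Ben Edelman's test): the
before/after snapshot differencing one uses to count what an install actually
drops on a machine.  Filesystem only; the sample 'install' is a constructed
stand-in written into a temporary directory, not real adware."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to (size, sha256)."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                data = p.read_bytes()
            except OSError:         # unreadable or locked file: skip, don't abort
                continue
            snap[p.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def diff_snapshots(before, after):
    """Files added, removed, or changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def footprint(diff):
    """Summarise a diff the way the figures above are quoted: how many distinct
    folders received new files, and how many new files there are."""
    folders = {Path(p).parent.as_posix() for p in diff["added"]}
    return {"folders": len(folders), "files": len(diff["added"])}


def simulate_install(root, layout):
    """Constructed stand-in for an installer: writes the given relative paths."""
    for rel, content in layout.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def demo():
    """Snapshot, run the fake install, snapshot again; return (diff, footprint)."""
    with tempfile.TemporaryDirectory() as root:
        # Pre-existing, legitimate software that must NOT end up in the definition.
        simulate_install(root, {"Program Files/Existing/app.exe": b"MZ-existing"})
        before = snapshot(root)
        # Constructed sample payload: three new files in two folders, plus one
        # existing file overwritten (shows up as modified, not added).
        simulate_install(root, {
            "Program Files/AdBar/adbar.dll": b"MZ\x90\x00adbar",
            "Program Files/AdBar/uninst.exe": b"MZ\x90\x00uninst",
            "Windows/System32/helper.dll": b"MZ\x90\x00helper",
            "Program Files/Existing/app.exe": b"MZ-existing-patched",
        })
        after = snapshot(root)
        diff = diff_snapshots(before, after)
        return diff, footprint(diff)


if __name__ == "__main__":
    diff, fp = demo()
    for kind in ("added", "modified", "removed"):
        for path in diff[kind]:
            print(f"{kind:9} {path}")
    print(f"footprint: {fp['files']} new files in {fp['folders']} folders")
```

Hashing rather than comparing timestamps is deliberate: installers routinely preserve or reset mtimes, and a definition built from a timestamp diff will miss overwritten system files like the modified `app.exe` in the sample.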

Alex Eckelberry
PS: Remember that the only people screaming for standards are the adware vendors.

ITtoolbox Enterprise Spyware Survey

ITtoolbox has released their enterprise spyware survey.

Findings:

Corporations are still underutilizing available solutions for spyware detection and removal.

88% had detected spyware on their corporate network but only 52% had purchased and were using an anti-spyware software solution.

* Increased spam, network congestion, and network crashes were the top three security issues that corporations face as a result of spyware.
* 63% of respondents stated that their organization had spyware adequately controlled, but would benefit from improvements in spyware detection and removal.
* Pop-up ads, other Web sites, and drive-by downloads were the top three ways spyware gained access to corporate networks.