Spyware in Mac Land?

Gartner got some press by saying that Mac’s are potentially in danger of getting spyware in the future (the Gartner guy said a lot more than just that as well). This follows on the heels of Symantec’s warning of increasing dangers in the Mac platform .

Personally, I really don’t see any of this as much of a story, except to provide cruel pleasure to us PC users who have been taunted for years by Mac users about the superiority of their platform.

At Sunbelt, we’ve heard almost nothing about Mac spyware. There is the forum on MacScan that covers the area but there’s little actual information (lots of spam though).

And the only Mac antispyware product I know of is MacScan, and it doesn’t support OS X.

I was curious about the whole Mac spyware thing this afternoon and went over to our lonely Mac in our testing department. I went to my favorite spyware download site, lyricsdomain, and was pleased to actually be able to navigate the site without it trying to download spyware to my machine.

Mac people, I used to be one of you back in the 80s. I left for the PC business and watched the Mac become the machine of choice for Gap-clothed literati and graphic artists, most of them smug about the Mac’s superiority against PCs — while ignoring the endless system crashes and the outrageously high prices of Mac systems.

But my oldest son has a Mac, and my three other kids have iPods, and I admit after trying to get my kid’s iPods to connect up with the various aging systems in my house, I am actually tempted to go Mac for my kids. The Macs are cheaper and apparently more stable now, even though the software is still pricey and there is no right mouse button (maddening, that).

Alex Eckelberry

New versions of CounterSpy

The CounterSpy Research and Development Teams have updated CounterSpy and its definition file to fix a number of false positives (primarily key loggers) as well as improve the detection of known spyware threats.

The latest version for CounterSpy Client is version 1.0.29. The latest definition file version is 150.

Please ensure that you have the latest version and definition numbers by performing the following steps from within CounterSpy.

1. Choose the Help menu, then select “About”. Look for the text that says “CounterSpy Version”. It should say 1.0.29. The text that says “Spyware Definition Version” should say “150”.

2. If you don’t have the latest version, choose the File menu, and then select “Check for Updates”. Wait for the software to complete its check for updates, and then follow any instructions on the screen (specifically, look for a button labeled “Apply Software Update”).

3. If the update does not work for any reason, you can download it manually from this location.

Grokster now has a fat payload (and I don’t mean phat)

As reported earlier, broadcastpc.tv is responsible for a big fat backdoor download of .net. Well, we have confirmed that Grokster is now including broadcastpc.tv in their payload.

Mind you, the .net download is about 23MBs, but installed it’s close to 65MBs.

And from the Deliciously Ironic Department, broadcastpc.tv displays movie trailers. So you have a peer-to-peer application now promoting movie trailers.

A recent Grokster download by one of our researchers showed it installed the following adware programs:

  • AltNet BDE (Brilliant Digital Entertainment)
  • BroadcastPC.tv
  • DelfinProject
  • FlashTrack
  • GAIN/Gator
  • MyWay
  • SurfSideKick2
  • Topmoxie WebCPR

Fun pic below with a Fat Albert ad (and a careful eye will see the Grokster icons):

Alex Eckelberry

False positives and spyware

Users should be careful with any application, antivirus or antispyware, as to the possibility of false positives.

In spyware, it is likely to be more common, given the sheer volume of new spyware coming out and the complexity of dealing with all the various pieces. For example, since many programs are written using various off-the-shelf commercial tools, a nasty keylogger could actually use a component that is completely legitimate and used by other programs (such as a DLL to uncompress graphic files, or a standard help file). An antispyware application might get confused and think that this component is part of the keylogger. Good antispyware programs will have safeguards in place, but they are not guarantees.

Good practice with any program that’s going to remove something is to a) quarantine it and set a system restore point so that you can get it back if it was a wrong file, and b) look at the files being removed to ensure they are valid (sometimes very difficult to figure out, but at least give it a shot).

We try very hard to minimize this type of thing from occurring but there is always the chance. Telling the developer can help. I know at Sunbelt, the minute we find out about a false positive, we take rapid action to fix it, and generally have an update out within 24 hours after finding it.

Note that there are some unscrupulous companies out there that use false positives to lure people into buying their product. If you find a developer who doesn’t seem to care about false positives, find another product fast.

Alex

Looking for a few good spyware fighters

I’m looking for between 40-50 spyware fighters to be part of an advance test team on new spyware technologies and spyware definitions.

This would entail helping us test new definitions and new software versions and providing feedback on the product to us.

In return, you’ll get a free license to the product, direct access to our quality assurance team, and the knowledge that you’ll be a key part of helping a lot of other users.

One key role you would provide as a Sunbelt Spyware Fighter is helping us do “rapid response” testing.

We currently have over 25,000 new threat signatures in the queue for testing. The challenge of putting in threat signatures is that each type of spyware needs to be painstakingly tested for depth of removal, as well as to ensure there are no false positives. Our research team is putting them in as quickly as possible, but we need a second line of testing right behind them. As part of being a rapid response tester, you would get live definitions directly from Quality Assurance prior to them being released to the public.

Let me know if you’d like to become involved. Simply email me here.

Alex Eckelberry
President
Sunbelt Software

180 Solutions…

3/24 update here
3/14 updated

180 Solutions has been trying to become legitimate (see, for example, Wayne Cunningham’s post on his blog). Their joining COAST (the antispyware consortium) was the primary reason COAST recently fell apart.

As a result of 180 Solutions contacting us, we followed up with our usual extensive analysis of their practices. However, during the analysis we discovered some other things. We have written a whitepaper that details the issues we found here.

The whitepaper will be released in a formal fashion over the next several days, but I thought I would give a bit of advance notice on the blog.

The evidence is not in 180’s favor.

There’s a lot in this writeup, but as Suzi at SpywareWarrior pointed out, the areas that are probably most interesting to people are on pages 9-10 and 18-26.

Here’s the quick and dirty:

As part of 180’s COAST certification, 180 agreed to a “CBC Force Prompt”. This feature is designed to alert users to the installation of 180’s software.

This prompt is shown when a certain registry key is set to “0”. If it’s set to “1”, there is no prompt.

This is a serious weakness in the 180 installer. It is trivially easy for a rogue affiliate to simply set the value to 1, and the 180 install sails through, with the end-user none the wiser.

However, it appears that 180solutions is itself electing to bypass the “CBC Force prompt” in order to avoid alerting users to the installation of 180’s software, and the implications of this are serious.

Sunbelt observed several installations of older versions of the 180search Assistant in which that software was updated to the latest version. After older versions of the 180search Assistant were “stealth-installed” via a Windows Media Player file and via a Java applet at lyricsdomain.com, that software called out to 180’s servers, and downloaded and installed the latest, COAST-certified version of the 180search Assistant.

This behavior is especially disturbing because many of the installations that 180solutions is silently updating through this method are the possible products of “force-installs” of 180’s software on users’ PCs, where those users received no notice or warning whatsoever of the 180search Assistant.

Instead of alerting users to the presence of 180’s software on their systems, 180 is updating those older software installations and versions to the latest 180search Assistant, allowing 180 to continue deriving economic benefit from those installations, entirely contrary to its publicly stated intention to clean up its distribution channels.

Alex Eckelberry

WeatherBug privacy guy wants standards

WeatherBug privacy czar Dan O’Connell posted a long blog entry on setting standards in the adware business.

Comparing the adware label applied to adware as a “Scarlet A” (a reference to Hawthorne’s The Scarlet Letter), he supports some type of industry definition of spyware/adware.

He makes a good point with this statement: “What has been missing in the largely academic debates on the topic is a nod to the consumer…I dare say that, in the minds of most ordinary, software consuming folks, adware equals spyware.”

He’s right, of course. Adware=spyware=adware=spyware. It’s just the way the term has evolved.

Now, WeatherBug is actually a legit player and I laud O’Connell for what he’s done at that company. We list them in our product as “low risk”, and code the default action as “ignore”. The company has been exceptional in their notice, disclosure, and the ability for people to remove the program easily.

But we still list them. Why? It comes down to our philosophy, a mix of objective and subjective criteria. Our listing criteria lays out the core principles of how we determine a program is adware or spyware. And our blog entry discusses some of the thinking behind it.

O’Connell says this: “I still believe that a distinction has to be drawn between adware and advertising-supported software. The former can be a “threat” if delivered without meaningful notice and consent. The latter is not.”

Well, there are problems with this thinking. A nasty piece of adware can provide plenty of meaningful consent and even provide a handy-dandy uninstaller. But what about the problem of rogue affiliates who backdoor-install adware? And what about the problem of system instability by having programs spawn pop-ups, mess with your browser settings, install themselves as browser helper objects, install themselves into the LSP stack (part of TCP/IP), etc.?

Who will define these definitions of adware/spyware? A consortium? The government? Well, we’ve seen what a consortium can do with COAST. I don’t necessarily mind a consortium of spyware vendors. But I sure don’t want adware vendors in there as well, smoothly lobbying for a few “practical points of view”. And the government is worse. Any legislation will get watered down by slick lobbyists, as we saw with the CAN-SPAM act, an absolutely worthless piece of law.

There are plenty of listing criteria available on the ‘net, but the ultimate test will be by the consumer: After installing this adware, is my machine loaded with popups? Did I really know my default search engine would be replaced with something else? Do I really understand that when I type in something in your search engine, the results I’m getting are sponsored results? Is my internet access slower? Is my machine now unstable? Do I now crash more often?

The consumer, in the end, is the ultimate arbiter of what is spyware and adware. If you’ve spent time with the average consumer lately, you know how desperate they are for information, guidance, and help. To us veterans of the ‘net, it’s all easy and simple. But the average consumer is just drowning in confusion, popups, spam, system crashes and the rest; and has absolutely no idea why it’s happening.

I say this from experience: I’m the local neighborhood spyware remover and also have four children. It’s pretty harrowing what people are going through out there, and it’s absolutely disgraceful what many adware vendors are doing in their undisguised lust for impressions and click-throughs.

To O’Connell, I applaud you for doing the right thing with WeatherBug. I only wish some of your contemporaries would do the same.

Alex Eckelberry
President

From the “Firefox-is-not-as-secure-as-you’d-like-to-think” department

As it seems to go in security research, a few people working independently come to the same conclusions. At the same time one of our crack researchers was researching exploits in Firefox, VitalSecurity was working in the same direction.

Firefox is more secure than IE in many ways, but it’s still subject to social engineering. In fact, our own researcher working on this project (no stranger to spyware) inadvertently loaded a piece of 180 Solutions adware by accidentally clicking on a JavaScript prompt in Firefox.

Any alternative browser user need only go to Lyricspy to see what can happen (WARNING: THIS IS A SPYWARE DOWNLOAD SITE).

This is the real problem with spyware. People click on things and that lands them into trouble.

Much more later on this story….

Alex

FTC cracks down on misleading marketer of spyware

We’ve all seen misleading advertising on the internet about spyware. Popups that claim “your machine is infected!” Then you download the program, only to find that it requires you to buy the program in order to actually do anything about the problem. And it might even lure you into buying by showing lots of false positives. While no spyware vendor is immune from false positives (including us), they certainly shouldn’t be a core part of the “marketing plan” for the company.

The FTC has acted against MaxTheater.com/SpywareAssassin and a fellow called Thomas Delanoy for false and deceptive claims in their advertising and scanning. According to the FTC, the company provided free scans that detected spyware that wasn’t there (false positives) and didn’t remove all spyware as it promised.

The full complaint can be found here and the restraining order here.

If you want to see a SpywareAssassin page in action, you can go here, as this site (apparently an affiliate) is still live.

SpywareAssassin is a member of Eric Howes’ Rogue/Suspect antispyware programs.


Typical JavaScript popup for SpywareAssassin.

Which P2P Software is the safest?

Someone objected to my earlier editorializing about P2P software. It’s true, I’m no great fan of many P2P file sharing programs. Many load your machine up with adware, and there are people who use them to share files illegally. But putting that aside, I agree that there are completely legitimate uses for them, and programs like BitTorrent (as one reader pointed out), are actually a huge benefit to the ‘net community.

Also, as I said earlier, there is the practical reality that people use these programs, and they download them by the millions.

Ben Edelman’s recent tests, under contract from Limewire, indicate that Limewire is the most “honest” of the bunch. Note that Ben didn’t include Grokster, which is a fairly popular P2P tool (and a well-known way to get adware).

In fact, Limewire looks completely honest and acceptable. Surprise.

Ironically, it was just a few days ago that I found Limewire on a neighbor’s machine and told them it wasn’t a good idea to have it on their system.

There is lots of additional information in his review worth going through.

Alex Eckelberry

Your ATM machine running Windows?

Wells Fargo’s recent move to web-enable ATM machines, moving from OS/2 to Windows, is a bit scary.

Gartner analyst Avivah Litan said it succinctly: “not great news for the security of the system. I’m sure there’s a lot of holes that will be created because of this.”

As would be expected, Slashdot techies are having a field day with this story.

According to the ComputerWorld article, Wells Fargo’s architecture uses Java Enterprise (J2EE) to integrate the Windows-based ATMs with their back-end systems, with XML (through SOAP) to communicate between “various backup platforms”.

One Slashdot poster makes the point that “TCP/IP and HTML have been heavily stress tested” and “there are flaws but they are known and everybody and their dog has had a chance to work out flaws with them.”

True. But there’s another point. The problem isn’t necessarily in TCP/IP or HTML. The problem is in the fact that Windows is the most hacked (and hence, least secure) operating system in the world.

Call me a luddite. But I’d rather see my ATMs running some ancient proprietary, character-based system, based off some old hardened Unix code. Something that script kiddies haven’t had a chance to play with, or don’t even know how.

Alex Eckelberry
President

Is Spyware real?

Eugene Kaspersky and his wife, Natalie, are some of the leading minds in antivirus research, and they make a well respected antivirus product.

However, this article shows the odd thinking of not only Eugene, but the rest of the antivirus industry (sorry Eugene, I have huge respect for you, but in this you’re off the mark).

He makes astounding claims like this one: “The term spyware is basically a marketing gimmick…Just to separate new ersatz-security products from traditional ones, just to push almost zero-value products to the security market.”

The AV industry has sat by the sidelines as the spyware problem has EXPLODED. The big players, lazy and fat from subscription revenues off the vast profits from their huge, unwieldy, bug-ridden suites have completely missed the real problems of the users.

Viruses are a threat. But they come out maybe once every few weeks. Easy for an AV company to stay on top of the problem. New spyware comes out HOURLY.

The AV guys think that “dat” files can handle the problem of spyware. That is so incomprehensibly wrong thinking that it baffles the mind. Try to get rid of CoolWebSearch or VX2/Transponder with a few definition files. Forget it. You need code to remove this stuff. And it’s not easy.

The term “spyware”, obviously, is a broad term encompassing lots of different categories of malware. Really, what people mean when they say spyware is “adware”. Stuff that loads your machine up with junk ads, turns it into the equivalent of an electronic toaster, and makes your life hell.

True, I remember the early days of antispyware programs, where alarms would practically go off if they found a cookie (cookies are fairly benign). One could argue that was snake oil type selling. But now the problem is real. There are vast amounts of infested, crashy, buggy machines, loaded with junk like CoolWebSearch and plenty of other stuff.

The problem is this: Antivirus programs are a commodity (“a mass-produced unspecialized product”, Merriam-Webster). As a vendor like Sunbelt, you can shop for AV technologies out there on the open market and pick them up for next to nothing.

Spyware, as we can see from these test results, is vastly different. It’s still proprietary technology. Enormous amounts of research are required to battle spyware. For the most part, it still takes at least two different programs to completely get rid of a spyware infestation.

So the AV guys don’t get it, which is bad for the users, but good for the antispyware vendors.

Alex Eckelberry
President