Ben Edelman interviewed on ClickZ

Interesting interview.  Some snippets:

Q. What’s driven your interest in spyware and advertising on the desktop? Why is Yahoo! the focus of that interest?

A. There’s so much that can be done in terms of how to get onto users’ computers and what to do once your software is there. The concept is so complicated. There are a lot of things that can go terribly wrong, and there’s a lot of room for me to add value by cataloging what’s going on.

Speaking to the second question, time and time again, when I look in dark alleys, Yahoo! is there to be found. I didn’t pick Yahoo!. Yahoo! picked me.

Q. What comes to mind when I say “legitimate adware”?

A. Not much. It’s like “military intelligence” or something. Of the adware that I look at, very little would be installed by a thoughtful, careful informed consumer. It’s just a bad deal. Who wants to trade dozens of pop-up ads for a screen saver that only appears when you’re not even sitting at your computer?

Link here.

Alex Eckelberry

SoftwareOnline.com settles

Software Online, a big spender with Direct Revenue, has settled with the Washington State AG.

From Ben Edelman: 
In April 2006, the State of Washington sued SoftwareOnline.com for unfair business practices arising out of marketing of Software Online’s security software. Complaint (PDF) alleges misrepresenting the extent to which software is necessary for security or privacy, misrepresenting functions on advertisements (e.g. fake user interface ads, where an “x” opened a new ad rather than closing a window), misrepresenting uninstall, and misleading negative-option billing (automatic renewals and future charges). The State of Washington simultaneously announced a stipulated judgment and order (PDF) requiring payment of $40,000 of costs and fees, $400,000 of civil penalties (with $250,000 suspended on condition of compliance with other provisions of settlement). Judgment includes findings of fact as to Software Online’s deceptive practices, as well as conclusions of law as to Software Online’s liability. Settlement prohibits misrepresentation, directly or by implication, of the urgency or need for security products; utilizing fake user interface elements; showing pop-up or pop-under ads through a trial version; and various other deceptive practices.
More here.
 
Alex Eckelberry

Umm… we’ll get to that phishing site when we please

As you may know, Paul and Robin Laudanski and I started PIRT recently, a project to take down phishing sites.  It’s doing gangbusters and sites are getting shut down at a rapid clip (if you want to volunteer to be a takedown handler, we constantly need help — click here).

Well, sometimes it seems some ISPs just don’t care that much.  Take the example of WebNames in Russia.  

Here’s the email:

—– Original Message —–
From: “WebNames.Ru Support” <support @  webnames.ru>
To: “CastleCops PIRT Squad” 
Sent: Wednesday, April 12, 2006 12:26 AM
Subject: Re: [PIRT #4291] Chase Phish site on your network

CastleCops PIRT Squad пишет:
CastleCops PIRT Squad Report 4291

 It has been discovered that a Chase phish is currently operating at 
location(s):

 http://mmn-chase(dot)com/…/ 

 This domains will be checked and disabled in a two days [my emphasis]

 — 
Regards, Michail Egorov,
WebNames.Ru technical support
 

Two days?  Huh?  Hey WebNames, what’s up, you trying to protect somebody?  These are still live, as I post this blog, stealing people’s money.

Alex Eckelberry

 

IRS gets records from PayPal

All this upset over the government trying to get search records from Google. But here is another government agency, the IRS, compelling PayPal to turn over records:  

A federal court in San Jose, California, gave the IRS permission to ask PayPal Inc. — a company that enables online money transfers — for account information for American taxpayers who have bank accounts, credit cards or debit cards issued by financial institutions in more than 30 countries reputed to be tax havens.

Link here via /.

I’ve not had bad experiences with the IRS personally.  But income tax is so 20th century.  It was, in fact, deemed unconstitutional by the Supreme Court in the early part of the 20th century, until an amendment had to be ratified just to make it legal. 

How about something like the FairTax, that is strictly a tax on retail items with exemptions for the indigent?  

Alex Eckelberry

The hullabaloo over Oklahoma

No, I’m not talking about the musical.  There was an article in the Oklahoma Gazette today that criticized a new antispyware bill being introduced by the Oklahoma Legislature that was written with the assistance of Microsoft.

If you click that “accept” button on the routine user’s agreement, the proposed law would allow any company from whom you bought upgradable software the freedom to come onto your computer for “detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing computer software prescribed under this act.”

The bill, called the Computer Spyware Protection Act (HB 2083), does have some language which indicates that this may be the case:

Sections 4 and 5 of the Computer Spyware Protection Act shall not apply to the monitoring of, or interaction with, the Internet or other network connection, service, or computer of an owner or operator, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, maintenance, repair, network management, authorized updates of computer software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing computer software prescribed under this act.

You can read the bill here  and decide for yourself. 

My feeling?  We don’t need new laws.  Believe it or not, we have laws that work just fine for spyware. 

Adding new laws to combat spyware does two Bad Things:

1. Introduces the law of unintended consequences, such as may be the case here.

2. Creates the potential of creating a “safe-harbor” for adware companies and the like (remember, by the time these laws get into legislation, they are watered down by lobbyists, such as we saw with CAN-SPAM, a relatively worthless piece of legislation).

What we need is enforcement of existing laws, and we need to give the Feds more power to work across borders to nail pernicious spyware vendors. 

And if there was one law I would really like to see introduced, it would be punishment for ISPs who knowingly or indirectly support malware sites on their networks.   Why is it you can shut a site down immediately by invoking the dreaded DMCA, but not get it shut down immediately for providing malware? 

Alex Eckelberry
(Thanks Eric)

Ok, the gloves are off when you start messing with Captain America

I’m sure Marvel would not be too happy about this one.

Captain America used to promote an apparent rogue antispyware application.

IP Address: 66.230.138.193 
IP Location:  – Isprime Inc 

Registration Service Provided By: SOMIC, INC
Contact: +7.8412487023
Domain Name: SPY-ELIMINATOR.COM
Registrant:
  HAYTER MERCHANTS INC.
  Gaspar Santimateo Brias    
  Jasmine Court, 35A Regent Street,POBox 1777
  Belize City
  null,NA
  BZ
  Tel. +420.775688660
Creation Date: 18-Mar-2005
Expiration Date: 18-Mar-2007

Domain servers in listed order:
  ns1.setnames.net
  ns2.setnames.net

Administrative Contact:
  HAYTER MERCHANTS INC.
  Gaspar Santimateo Brias    (info @ i3dk.com)
  Jasmine Court, 35A Regent Street,POBox 1777
  Belize City
  null,NA
  BZ
  Tel. +420.775688660

Status:ACTIVE

Patrick Jordan
Senior Spyware Researcher

The ongoing problem of metadata

If you pass around Office documents (or many other types of files, including even digital camera files), make sure they’re clean of metadata before you send them out.  FCW has an article out today which discusses this very issue:

A new front line of national and corporate security is emerging, and some of the most common document applications, including Microsoft Word documents and PDFs, are putting people on it without their knowledge. In the past several years, federal agencies and private-sector companies have released documents on the Internet that they thought did not contain sensitive content, but they actually did. That has led to embarrassment, scandals, firings and national security breaches when unintended readers discovered the hidden data.

The article discusses tools such as the free Remove Hidden Data tool, something useful to have in your arsenal.

Article link here via beSpacific.

Alex

Music producer hunted by 419 scammers?

In a bizarre story, Chris Julian (incidentally, a neighbor of someone I know) was apparently caught up in a 419 scam and started to fear for his life. 

The Topanga Canyon resident found a distraught Christian Julian Irwin saying he feared he was being pursued by Nigerians who had contacted him in an Internet scam, sheriff’s Capt. Ray Peavy said.

Link here.

Alex Eckelberry

Sunbelt TechTips for the week of April 10

How to Use Content Advisor in IE 6.0
If you share a home computer with your kids, you can control access to web sites with Internet Explorer’s Content Advisor, by using rating systems or by specifying sites that users can or cannot view. Here’s how:

  1. In IE 6, click Tools | Internet Options and click the Content tab.
  2. Under Content Advisor, click the Enable button. This opens the Content Advisor dialog box.
  3. To use ratings, click the Ratings tab and adjust the slider bar to the level you want to use for each category (language, nudity, sex, violence).
  4. To specify web sites, click the Approved Sites tab and enter the URL of each site you want to allow in the Allow This Web Site box. Click Always or Never to add the site to the Approved or Disapproved list, respectively. To remove a site from the list, click it in the list and click the Remove button.

You can also create a supervisor password so others who use the computer won’t be able to change these settings: Click the General tab, then the Create Password button and type in and confirm your password.

How to Disable Office Online Featured Links
Microsoft Office 2003 includes featured links from Microsoft Office Online that let you view new and updated information about Office, but some folks prefer to disable this feature. You can do this by editing the registry. Here’s how:

  1. Open your favorite registry editor and navigate to the following key: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\Internet
  2. Double click the following value: UseOnlineContent
  3. In the value data box, type the desired value as follows: 0 = never show Office Online content, 1 = Use only offline content (.chm files) when available, or 2 = use Office Online content when available.
  4. Click OK and close the registry editor.

You can also use the Help menu to modify Online Content settings. For instructions on this and other ways to control these settings, see KB article 891158 here.

How to help protect yourself from spoofed web sites and malicious links
Web spoofing is a tactic used by phishers to create web pages that look like those of a legitimate company or individual, usually for the purpose of getting you to enter information such as credit card numbers or passwords that they can then use for fraud or identity theft. IE 7.0 contains anti-phishing filters to help protect you, but what can you do while you’re still using IE 6.0? KB article 833786 contains tips for steps you can take to protect against this threat.  Link here.

“Access Denied” error when you try to open or save a file in Office
If you try to open or save a file in a Microsoft Office program such as Word or Excel, and you get an error message that says “Access Denied,” then the program closes unexpectedly, it may be an issue with permissions on redirected folders. You can resolve the problem by following the instructions in KB Article 891636 here.   

Error Event occurs if you repeatedly restart the computer
If you restart your Windows XP computer several times, you may find an error event added to the System log that says the System Restore filter encountered the unexpected error ‘0xC0000035’. This happens because System Restore can’t successfully rename the Change.log file. You can work around the problem by turning System Restore off and then back on, but you’ll lose your existing restore points if you do this. For more information, see KB article 903264 here.

Cyberstalking: Are You at Risk of Being Caught in the ‘Net?

Having someone obsessed with you – whether out of anger or unwanted affections – can be a real ordeal, and it’s not just high-profile celebrities who find themselves dealing with a foe or “fan” who won’t let go. Even if the person doesn’t physically threaten you, the fact that someone is following you around, keeping tabs on what you do, and/or contacting you when you want to be left alone is annoying at best and can disrupt your life.

The Internet has opened up a whole new world of opportunities for those with a propensity for this sort of behavior. If you visit chat rooms, participate in discussion boards and email lists, have a web site or otherwise interact with other people on the ‘net, you may eventually find yourself the target of a cyberstalker. Someone who gets angry at you because of the political views you express on your webpage or a list message may start bombarding you with nasty email messages, or someone who likes your web page photo may start sending love letters.

That’s bad enough, but sometimes it escalates beyond online harassment – your stalker may be able to use online resources such as Zabasearch to find out your address and/or phone number. And once he/she knows where you live, if you own your home it’s easy in some places to look you up on the county property tax rolls, many of which are online. These sites include the value of your home, and sometimes also show the floor plans and photos of your home. And if your car happened to be sitting in the driveway the day the tax assessor’s personnel took the picture, your stalker may now know what kind of vehicle you drive and the license plate number. Oh, joy.

Most jurisdictions have laws against harassment and stalking, and these usually are worded to include online activities. For instance, The Texas Stalking By Electronic Communications Act, enacted in 2001, covers sending of any repeated electronic communications in a manner likely to harass, annoy, alarm, abuse, torment, embarrass or offend another. There are a few states that don’t yet have laws that specifically pertain to electronic harassment, but most do. To find out what the law is in your state, see the list of U.S. laws here.  

Bills have also been introduced in Congress to make cyberstalking a federal offense, due to the interstate nature of Internet communications. In January 2006, a new Violence Against Women Act was signed into law that amends the federal telecommunications harassment laws in the Communications Act of 1934. The new law makes it a federal crime (punishable by two years in prison and large fines) to anonymously annoy another person using any device or software that can be used to originate telecommunications or other types of communications that are transmitted, in whole or in part, by the Internet.

If you’ve ever been the victim of harassment, this sounds like a good thing – but it has engendered a lot of controversy. Some legal experts argue that this will stifle freedom of speech on the Internet, making it illegal to post “annoying” or “offensive” criticism of a politician on a blog. There is indeed a difference between being offensive and harassing or stalking: someone who flames you on a mailing list is being offensive; someone who sends you dozens of hate mails privately is harassing. The new law doesn’t seem to distinguish between the two.

Others worry that even correctly written laws have a high potential for abuse. If a former boyfriend or girlfriend gets angry at you, he/she could use the emails sent during your relationship (perhaps editing them) and claim that they were unwanted. In fact, anyone who wanted to cause you trouble could send forged threatening or obscene messages to him/herself from a free web mail service and claim you sent them. Other laws, such as the domestic assault laws, have already been misused in this way and the potential for false accusations is even greater when fake evidence is so easy to create.

It’s a fine line to walk. How do we make the Internet a safe place without going too far and creating cures that are worse than the disease? What do you think? Should there be penalties for saying anything offensive about anyone, anytime? Should anonymous email be outlawed altogether? Should there be federal legislation addressing this or is a matter that should be left up to the states? Have you ever been the victim of cyberstalking – or of overly broad cyberstalking laws? Tell us your opinions.

Deb Shinder

URL Tracer

Microsoft Research has released a new tool, URL Tracer, which reveals third-party domains:

When a user visits a Web site, her browser may be instructed to visit other third-party domains without her knowledge. Some of these third-party domains raise security, privacy, and safety concerns. The Strider URL Tracer, available for download, is a tool that reveals these third-party domains, and it includes a Typo-Patrol feature that generates and scans sites that capitalize on inadvertent URL misspellings, a process known as typo-squatting. The tool also enables parents to block typo-squatting domains that serve adult ads on typos of children’s Web sites.

Link here via Sandi.

Alex Eckelberry
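
The third-party listing described in the quote above can be approximated from a page's static HTML. This Python sketch is an added example, not Microsoft's tool and not code from the original post; the function names, the constructed sample page, the `.example` hosts and the "last two labels" site heuristic are all assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose URL the browser loads without a user click.
AUTO_LOADED = {
    "script": ("src",), "img": ("src",), "iframe": ("src",),
    "frame": ("src",), "embed": ("src",), "object": ("data",),
    "link": ("href",),
}

def site_of(host):
    """Approximate a host's site as its last two labels.
    Assumption: a real tool would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class ResourceCollector(HTMLParser):
    """Collects (tag, absolute URL) for every automatically loaded reference."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in AUTO_LOADED.get(tag, ()):
            if attrs.get(name):
                self.refs.append((tag, urljoin(self.page_url, attrs[name].strip())))
        # <meta http-equiv="refresh" content="5; URL=..."> redirects silently.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*([^\s;]+)", attrs.get("content") or "", re.I)
            if m:
                target = m.group(1).strip("'\"")
                self.refs.append((tag, urljoin(self.page_url, target)))

def third_party_domains(page_url, html):
    """Map each third-party host to the tags that pull content from it."""
    first_party = site_of(urlsplit(page_url).hostname)
    collector = ResourceCollector(page_url)
    collector.feed(html)
    collector.close()
    found = {}
    for tag, url in collector.refs:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # data:, javascript:, mailto: and similar
        if site_of(parts.hostname) != first_party:
            found.setdefault(parts.hostname, set()).add(tag)
    return {host: sorted(tags) for host, tags in sorted(found.items())}

# Constructed sample page; every host below is made up.
SAMPLE_URL = "http://www.kids-site.example/index.html"
SAMPLE_HTML = """
<html><head>
<meta http-equiv="refresh" content="5; URL=http://landing.parked.example/go">
<link rel="stylesheet" href="/css/site.css">
<script src="http://ads.tracker.example/t.js"></script>
</head><body>
<img src="images/logo.gif">
<img src="http://static.kids-site.example/banner.gif">
<iframe src="//ads.tracker.example/frame.html" width="0" height="0"></iframe>
<img src="http://pixel.metrics.example/1x1.gif?id=42">
<a href="http://partner.example/">partner</a>
<img src="data:image/gif;base64,R0lGOD">
</body></html>
"""

if __name__ == "__main__":
    for host, tags in third_party_domains(SAMPLE_URL, SAMPLE_HTML).items():
        print(f"{host:28} loaded via {', '.join(tags)}")
```

A static pass like this misses references that scripts create at run time, so it undercounts compared with watching what the browser actually requests.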

The new Google?

You can see the possible future of Google through a little string of code.

There’s these little green bars on the side, which ostensibly show the amount of content available on the various sections of Google.

Google US users can see this by going to Google, then entering the text on this page into your browser address bar.

After entering the text, refresh the page and go searching.

(If you’re in the UK, you would replace google.com with google.co.uk, and if you’re in Australia, google.co.au, other countries the same thing).

Via LifeHacker, but Digg is where I got this code.  Other reference sites: imilly.com and Google Blogoscoped.

Good luck.

Alex Eckelberry

 

Money money money

Back in February of last year, I blogged about “Why Adware works”.  The answer was simple:  It’s very profitable.  I detailed how much money Claria had made, based on information from their S-1 (the initial filing made with the SEC to go public). 

It’s not only Claria.  180Solutions is quite profitable, and has some flashy offices to show for it:

 I notice that each of the company’s departments is fitted with large, wall-mounted plasma screen televisions that display graphs charting 180’s daily and weekly sales and revenue numbers. The display nearest the marketing department showed that 180 pulled in more than $1 million in the past week alone serving ads to people who have its adware installed on their computers. Today’s estimated revenue is slightly more than $100,000; the graph showing how much the company has actually earned so far today reads $2,966, but then again it is just after 10 a.m.

Link here.

The profit extends throughout the entire distribution chain.  A fellow can set up a crappy little website with some stupid videos, and require that in order to watch the videos, you have to download a piece of adware. For each adware install, he gets $.25 from the adware company.  It’s small, but consider some guy with 5 websites that each have 1,000 downloads a day.  That’s $1,250 a day in almost pure profit. The adware company then sells advertising inventory (inventory that happens to be on the desktops of millions of PCs) for big bucks. 

Now, we see Direct Revenue was awash in cash, at least in one year we examine.  In 2004, the company made almost $30 million dollars in pre-tax profit on $38 million in revenue.

Link here.

Of course, this was back in the heyday of DR’s madness, and the numbers are certainly lower now.

The owners can also do well.  While salaries are just great, sometimes VCs will enter the picture, purchasing stock from the owners (this is usually done as an investment into the company and then the owners get the money distributed to them).  We know of three major adware players that have done distributions in this manner. (By the way, the VCs investing in these firms are not small time players, as we can see here, a list which has not been updated with the ABS Capital investment in WhenU and the follow-on investment by Trident.)

To wit, our Dear Friends Alan Murray, Daniel Kaufman, Joshua Abram and Rodney Hook got a total of $12 million distributed to them from an investment by Insight Venture Partners back in 2004:

Link here.

It’s all about the money, idn’t it?

Alex Eckelberry
(With thanks to Ben Edelman)

Those bad codecs are doing just fine, thank you

(If you’ve come here from the PC Magazine story, you can find more of our posts on fake Codecs here.)

Emcodec, of the same ilk as Vcodec, is one of these fake “codecs” that doesn’t do any good for you. (Google search here).

It’s used as a way to get spyware on your machine.

Update: I had graphics on here but had to remove them as they were live linked to another site and not getting updated.

Not surprisingly, V-Codec.com is hosted on Intercage, a notoriously spyware friendly ISP.

Beware of these fake codecs. They are bad news.

Alex Eckelberry
(Thanks to Sunbelt spyware researcher Adam Thomas and a hat tip to WinHelp2002 at SpywareWarrior.com)

Two free tools for the spyware fighter

Many of my faithful blog readers already know about this, but I thought I’d bring it up just in case.

There are two tools that Eric Howes, Sunbelt’s Director of Malware Research, has developed for the good of the community.

IE-SPYAD adds a long list of bad domains to the Restricted sites zone.  

Enough is Enough (EiE) securely configures the Internet zone. It is a pretty significant “lock-down” of IE and will give a system a much more secure configuration than the default options in IE, but many won’t be able to handle the hassle of adding frequently visited sites to the Trusted sites zone. In such cases, IE-SPYAD is a good alternative — less intrusive, yet still protective against known nasty sites.

Alex Eckelberry

NSA drinking from the AT&T firehose?

Pretty interesting today from the EFF:

“The evidence that we are filing supports our claim that AT&T is diverting Internet traffic into the hands of the NSA wholesale, in violation of federal wiretapping laws and the Fourth Amendment,” said EFF Staff Attorney Kevin Bankston. “More than just threatening individuals’ privacy, AT&T’s apparent choice to give the government secret, direct access to millions of ordinary Americans’ Internet communications is a threat to the Constitution itself. We are asking the Court to put a stop to it now.”

Link here.

Alex Eckelberry
(Thanks Jarrett)

Direct Revenue rebuts Spitzer

Amazing but true. DR is bombastically and self-righteously rebutting the NY AG’s lawsuit. It’s almost funny if it weren’t so sad.

“This lawsuit is a baseless attempt by the Office of the Attorney General to rewrite the rules of the adware business. It focuses exclusively on the company’s past practices – practices we and other industry leaders changed long ago [how long is “long ago”? The AG’s investigation has evidence from as late as June of last year of pernicious practices – ed] – and says not a word about what we’re doing today,” said a company spokesperson. “We are proud of our products and the value they bring to both advertisers and consumers — the former by delivering positive, measurable results for their ad dollars, and the latter by offering free content and applications in exchange for viewing a few targeted advertisements per day.

“Mislabeling our products as ‘spyware’ does a disservice not only to our company, but also to the public by creating an atmosphere of hysteria, confusion and inaccuracy.” Direct Revenue’s software adheres to the following fundamental principles:

  • Consumer Consent: we obtain explicit and affirmative consent from the computer user prior to installation, and we tell the user–in plain English–that the software they are about to download is advertising-supported.
  • Easy Removal: we make it easy to remove our software, both by supplying a link directly from every advertisement to a consumer opt-out process, and by being listed in Add/Remove Programs.
  • No Personally Identifiable Information: We collect no Personally Identifiable Information (PII) about our users.
  • Control of Distribution: We do not use third-party affiliates to distribute our software.

“Moreover, Direct Revenue is a member of the Network Advertising Initiative, has pledged to adhere to TRUSTe’s proposed adware guidelines, and already adheres to HR 2929, even though it has not been enacted. This suit complains solely about past practices – practices, in fact, that were consistent with those of virtually all of the leading players in the rapidly evolving adware industry, including some publicly-traded companies much larger than Direct Revenue. The OAG knows that none of the challenged practices have been in use for at least six months and that this case will change nothing about our business model going forward.”

Direct Revenue is represented by Andrew G. Celli, Jr. of the New York law firm Emery Celli Brinckerhoff & Abady LLP.

“While we emphatically believe that all of the contested past practices were in fact legal, we have made a good faith effort to settle this matter with the Office of the Attorney General. To that end, we offered the Office of the Attorney General a resolution of this matter which would provide a blueprint for other adware companies to comply with the Attorney General’s view of the law and afford the broadest possible protection to consumers. The Office of the Attorney General refused,” said Celli. “Accordingly, we will defend our conduct vigorously and we are confident that the courts will bring clarity and a satisfactory conclusion to our case.”

Direct Revenue’s founders are represented by Richard Strassberg and David Goldstone of Goodwin Procter LLP.

Link here.

While DR may have changed its ways, the Spitzer lawsuit is about a fairly staggering amount of things that occurred during their investigative period last year. A review of the evidence is damning.

Alex Eckelberry