Support the fight against spyware

This makes my blood boil. At Spyware Warrior, Suzi just posted the full text of a letter she received from the legal counsel for iDownload. They’re demanding that she remove pages that refer to their product as spyware and/or malware. Suzi says:

As owner of this domain, netrn.net, the home of this blog, I am currently obtaining legal counsel and evaluating my options. I will post additional details as they develop.

I have firsthand experience with this company’s products. When I was doing testing for a post on “poisoned media files” I ran across a Windows Media video file that attempted to install the iDownload product on my computer. The ActiveX dialog box called it a “Required: Media Player Version 9 Update.” It is, of course, no such thing. That description is an out-and-out lie. Eric L. Howes documented the installation process at Broadband Reports and captured the following screen:

[Screenshot: the iDownload ActiveX installation prompt]

Legal bills are expensive. Even when you’re right, you can go bankrupt just protecting yourself and your good name. Which is why I just clicked the PayPal Donate button on Suzi’s blog and sent her some financial support.

This appears to be an orchestrated campaign to stifle all criticism of this company, because the same legal team sent a nearly identical letter to CastleCops.com as well. In addition, someone recently targeted anti-spyware activist Ben Edelman’s site for a massive denial-of-service attack.

Is iDownload’s software bad for you? I don’t have enough personal knowledge to say. But many authoritative sources seem to believe it is so.

  • Symantec, an acknowledged leader in the security software industry and maker of Norton AntiVirus, unequivocally labels iDownload’s iSearch Toolbar as “spyware.” The Symantec listing describes its behavior as follows: “Spyware.ISearch is an Internet Explorer Browser Helper Object and functions as a toolbar. It is a search hijacker and also tracks user activity on a remote server at isearch.com.”
  • Trend Micro, a respected maker of AntiVirus software, calls the iDownload.com product Adware. Its description begins: “This adware may be downloaded while browsing the Internet without a user’s consent. It attempts to block popup windows and redirect a browser to its server, which is http://www.isearch.com.”
  • Tenebril, a respected maker of security software, lists iSearch in its Spyware Research Center. Its description says, “This is a hijacker application. Hijackers take control of your web browser’s settings, and usually change your homepage, search page or other default pages to point to web sites owned by the hijacker. Since the hijackers can make money just based on the number of visits to their web sites, they benefit from forcing you to view their web sites each time your web browser opens.”
  • The database at Spywaredata.com includes seven instances of iDownload’s toolbar.dll, all of them classified under the parasite label.

The license agreement for the iSearch software includes the following text:

By installing the Software, you understand and agree that the Software may, without any further prior notice to you, automatically perform the following: display advertisements of advertisers who pay a fee to iSearch and/or its partners, in the form of pop-up ads, pop-under ads, interstitial ads and various other ad formats, display links to and advertisements of related websites based on the information you view and the websites you visit; store non-personally identifiable statistics of the websites you have visited; redirect certain URLs including your browser default 404-error page to or through the Software; provide advertisements, links or information in response to search terms you use at third-party websites; provide search functionality or capabilities; automatically update the Software and install added features or functionality or additional software, including search clients and toolbars, conveniently without your input or interaction; install desktop icons and installation files; install software from iSearch affiliates; and install Third Party Software.

In addition, you further understand and agree, by installing the Software, that iSearch and/or the Software may, without any further prior notice to you, remove, disable or render inoperative other adware programs resident on your computer, which, in turn, may disable or render inoperative, other software resident on your computer, including software bundled with such adware, or have other adverse impacts on your computer.

This company lies when it offers the software to an unsuspecting user. The license agreement this company wrote, which they know the average user will not read, admits that the software may install additional software or remove programs already on your computer without your knowledge or input (or obviously, your consent). And the company freely admits that its software may have “other adverse impacts on your computer.”

Does this sound like a program you want to install?

Please, support Suzi. Click the PayPal Donate button on Suzi’s blog and help her out.

Updated: Suzi responds to iDownload.

Joel Spolsky doesn’t trust Microsoft AntiSpyware

Joel Spolsky of Joel on Software is rightly considered one of the smartest developers around. When he writes something, it gets read – especially in Redmond. So his remarks yesterday on Microsoft AntiSpyware deserve a fair parsing:

So far, it looks like this is a nifty program, and consumers should be happy that Microsoft has announced it will be free, but it really, really would have been nice for us here in the software industry if Microsoft had set a price on this thing just to provide some air cover for the other companies working on spyware removal. This is not a software category where a monopoly monoculture will be a good thing.

I think he got this one wrong on two counts. First, the antispyware industry has already established itself as a category where most programs are free. Ad-Aware and Spybot S&D are the two most widely used utilities. Lavasoft, which makes Ad-Aware, has a free version that is presumably its most popular product; Patrick M. Kolla, developer of Spybot S&D, gives the program away for free. There are paid antispyware programs (most notably PestPatrol) but increasingly antispyware features are being folded into larger security suites as added features. Both Symantec and Trend Micro have begun adding spyware detection and removal features to their flagship antivirus programs, for instance.

Which leads me to my second point: Antispyware software should be free. There are gazillions of unethical companies out there that make a living selling deceptive programs that fool unsuspecting users into paying for their worthless “protection” by falsely detecting threats where none exist. When this type of software is a profitable category, it encourages companies to use hype and scare tactics to create threats where none exist.

Joel continues:

Not only that, but I wonder if Microsoft can run an antispyware product without huge conflicts of interest. For example, will they block all the spyware that Real installs on your system? While Real is suing them? Especially when blocking spyware from Real will just give Real more ammunition to use against Microsoft in court? And the next time Microsoft needs a DRM favor from your friendly neighborhood media conglomerate, will the media conglomerate demand exemption from Antispyware removal for their adware in exchange for supporting Windows Media 37.0, with the new brain-zapping feature that prevents you from humming any song unless you bought the performance rights?

Well, that conflict-of-interest problem already exists with the independent products, as Lavasoft and PestPatrol discovered earlier this week when they dropped one widely derided adware program (WhenU) from their detection lists without alerting users.

There’s always going to be suspicion when a single company is making go/no-go decisions on whether a program should be considered a threat or benign. That’s why I like the community-based approach introduced by GIANT AntiSpyware (the original developer of the antispyware product that Microsoft purchased). Microsoft has committed to keeping the SpyNet community as a key part of the final release.

I would like to see as much transparency as possible from all security vendors, especially when you’re talking about products that are legal but unethical. The products in this category aren’t viruses, pushed into the world by anonymous vandals. These are typically commercial products, released by identified companies. The bar to removal should be high (although the user should be able to make the level of protection more stringent). One thing I like about Microsoft AntiSpyware is that it is first and foremost a preventive measure. It alerts you when a program is trying to sneak an auto-starting module into the Registry or change your home page, and it gives you the power to stop damage before it can occur. The real problem with spyware comes when it sneaks onto a computer. Anything that Microsoft can do to prevent Windows from being misused in this fashion is a Good Thing.

New version of Windows AntiSpyware Beta is out

If you’re using the beta release of Windows AntiSpyware, be sure to get the latest update:

Since releasing Windows AntiSpyware (Beta) on January 6, 2005, we have received feedback from customers and have made enhancements to the software based on this feedback. We have enhanced some of the real-time protection agents, added new threat categories, and improved stability and performance. If you are using a previous version you can simply upgrade to the refreshed version.

I haven’t looked carefully at this yet, but based on the description it sounds like a fairly modest update.

Multi-layered defenses

I’ve been reading a couple of long discussions about antispyware software lately, and one piece of advice that comes up a lot is the need for a multi-layered defense. I agree that multi-layered defenses are essential, but I’ve seen advice from too many people who are unclear on the concept. More than a few people think that they’ve achieved the goal of having multiple layers of protection if they install a whole bunch of security software. Sorry, that’s not correct.

A true multi-layer defense includes effective protection at different sequential points along the route to you. It deliberately does not duplicate protective software at a single layer. So, to take spam as an example, this would constitute an effective multi-layer protection strategy:

  • Filtering at your e-mail server.
  • Filtering at your e-mail client.
  • Technical measures to hide your e-mail address on Web pages and online forums.
  • Use of temporary e-mail addresses for correspondence with untrusted people or firms.

See how that’s different from just loading up on two or three different anti-spam programs? Likewise, a proper multi-layered defense against spyware consists of at least the following measures:

  • Measures to completely block unauthorized software.
  • Measures to prevent social engineering attacks.
  • Restrictions to limit the ability of untrained or unsophisticated users to make damaging changes to the system.
  • Effective measures to undo system changes and completely remove installed software.
  • Periodic scanning routine to verify that all layers are working.

Notice that I didn’t say “Scan your system weekly with three different antispyware programs”?

Will new Microsoft add-ons trigger new antitrust charges? No.

In a comment on another post, Thomas Brock asks:

So… Will these additions to AV services, the anti-spyware services, the media playsforsure services and the internet and desktop search services add to the monopoly charges?

Short answer: No. Under the terms of the original antitrust settlement, what Microsoft does with Windows is subject to Department of Justice oversight. Reasonable (and not-so-reasonable) people may disagree over how fair that settlement was, but the DOJ holds the cards and gets veto power over lots of decisions. You can also be certain that any decision to add a feature has already been reviewed by a room full of lawyers.

My personal opinion is that security features belong in the operating system. Internet connectivity and Web browsing tools are an essential part of any computer operating system today. Forcing Microsoft to maintain an environment where users must purchase add-on products so that they can safely use core features of the operating system is just wrong.

Search capability belongs in the OS as well. In fact, it’s always been there; it just hasn’t been implemented well. If other people can do it better, more power to them. That’s been the model so far for alternative browsers, and it seems to be working just fine. Firefox has been downloaded 25 million times, mostly by people using Internet Explorer. There’s nothing in Windows that keeps me from downloading, installing, or using Firefox. This is a great example of a product that does a better job than Windows and is deservedly reaping success.

Update: Symantec’s CEO, John Thompson, seems to agree, according to these remarks from yesterday’s RSA conference, as published in the seattlepi.com Microsoft Blog:

On whether Symantec would raise antitrust objections over Microsoft’s decision to offer free anti-spyware protection to Windows users: “I’d rather fight Microsoft in the marketplace because we’re convinced we can whup ’em. So this is not about showing up in Washington or whining on someone’s doorstep about what Microsoft can or might do. To the extent that they violate the position of prominence that they have, be assured that we’ll be watching, but whining in Washington about press releases or pointing to left field by Bill and his team, I mean, of what value is that?”

Not to mention that the complaint would go nowhere.

Microsoft to offer antivirus software

Bill Gates’ announcement at the RSA security conference today also included the bombshell that Microsoft will provide a consumer-level antivirus product sooner than anyone thinks.

Gates expanded on Microsoft’s recently announced plans to acquire security vendor Sybari Software Inc., which provides solutions to help protect messaging and collaboration servers from malicious software. Gates noted that when the acquisition is closed, Microsoft intends to ship a Microsoft engine, based on the GeCAD technology acquired in 2003, as one of the multiple scanning engines supported by Sybari’s flagship Antigen software. Gates further noted that the Microsoft engine would also be integrated into a broad consumer offering by the end of this year.

This should be interesting.

Protect yourself at hotspots

The Security Mentor has some interesting comments on the Windows Firewall that’s included with Windows XP SP2. He notes that, unlike the Internet Connection Firewall in SP1 and earlier, the Windows Firewall assumes that you want to trust all computers on your local network:

So the built-in Windows firewall hides file and print sharing from the Internet at large but makes them completely available to your local area network. That way you can share a printer with your wife but keep your files safe(r) from strangers on the Internet.

Q: You’re about to point out a catch, aren’t you?

Yes.

What happens when you’re at a coffee shop?

The whole coffee shop is one local area network. The firewall is going to assume that since all the other customers are on the same local network that it can trust them.

Ah, but the designers of the Windows Firewall were clever enough to plan for that scenario. The next time you’re out and about with your WiFi-equipped notebook and decide to connect to a wireless network, do this first:

  1. Click Start, and then click Control Panel.
  2. Double-click the Windows Firewall icon. (If you’re using the Category view of Control Panel, click Security Center and then click the Windows Firewall icon at the bottom of the dialog box.)
  3. On the General tab of the Windows Firewall dialog box, make sure On is selected and then click to select the Don’t allow exceptions check box.
  4. Click OK. Traffic from all local network sources is now blocked.

[Screenshot: the Windows Firewall dialog box, General tab, with Don’t allow exceptions selected]

Remember to clear this check box when you get back to your trusted network. Two caveats: the Windows Firewall in XP SP2 filters inbound connections only, so this setting keeps other hotspot customers from reaching your shares and services but does nothing about what your own traffic reveals on an unencrypted wireless link; and it hides your shares rather than disabling them, so they come right back the moment you clear the box.

Trend Micro fails the spyware test

A little over a year ago, I evaluated five antivirus programs and decided to switch from Norton AntiVirus to Trend Micro’s PC-cillin. Since then I’ve been happy with its performance. It updates itself regularly, identifies and quarantines those virus-infected attachments that make it past my e-mail gateway, and is generally unobtrusive.

The latest version of the software, PC-cillin Internet Security 2005, includes a firewall, a spam-blocking module, and newly added detection capabilities for spyware and adware. Based on my experiences today, the program’s developers need to go back to the drawing board.

I clicked the Scan for Spyware button to see what would turn up. I know this system is completely clean, so imagine my surprise when it informed me that it had found “3 potential threat(s).”

[Screenshot: PC-cillin Internet Security 2005 spyware scan results reporting “3 potential threat(s)”]

My goodness, how could I have missed these horrible programs? How did they sneak past my defenses and infiltrate my computer? What are these threats, anyway? I selected the first item in the list and clicked the More Information button, which took me to Trend Micro’s Web site. There I read about ADW_IEHELPER.A:

This adware is usually dropped and installed by a Trojan as BHO.DLL. Trend Micro detects the said Trojan as TROJ_LINST.A.

Once installed, it waits for the user to browse the Internet, specifically using Internet Explorer. This adware then scans the Web pages accessed by the user and highlights certain words, usually commercial items. When the mouse runs over one of these highlighted words, it displays a link to an advertising Web page that sells the said highlighted item.

Unfortunately, nothing in the Trend Micro interface actually told me which file it had detected or where it was located. That’s especially troublesome given that the removal instructions required me to manually unregister the DLL by entering its full path. The Web page also listed 13 registry keys where this evil program would insinuate itself. Only one of those keys was actually on my computer – a reference to Bho.dll. That file wasn’t on my computer, but a file called SnagItBHO.dll was. It’s a perfectly legitimate add-in for the SnagIt screen-capture program (which I used to capture the screens in this article and have used for every book I’ve written in the last seven years). SnagIt added that registry key and then created values that pointed to its add-in file. Had I followed Trend Micro’s instructions to remove this file, it would have disabled a key feature of my screen-capture program.
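Trend Micro’s report named a Registry key but not the file behind it, and working that out by hand is tedious. The mapping itself is mechanical: every BHO is registered as a CLSID subkey under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, and HKCR\CLSID\{guid}\InprocServer32 names the DLL that CLSID loads. The script below is an added example (not from this post, and not Trend Micro’s code) that does the join for you. It reads a .reg export rather than the live Registry so it runs on any machine; on a real XP box you would feed it the output of reg export for those two hives. The CLSIDs, names and paths in the embedded sample are constructed placeholders, not real SnagIt or adware registrations, and the file-existence check is stubbed for the sample run.

```python
"""List Internet Explorer Browser Helper Objects from a .reg export and resolve
each CLSID to the DLL that backs it. Added example; not the original page's code.
It parses a registry export (constructed sample below) rather than the live
registry, so it runs anywhere; point it at `reg export` output on a real box."""
import os
import re
from typing import Callable, Dict, List

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"


def decode_data(data: str) -> str:
    """Decode one .reg value: a quoted REG_SZ (with \\ and \" escapes) or a
    hex(2) REG_EXPAND_SZ (comma-separated UTF-16LE bytes). Others are kept raw."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r'\\(["\\])', r"\1", data[1:-1])
    m = re.match(r"hex\(2\):(.*)", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(1).split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key (lowercased): {value name: data}}.
    The key's default value is stored under the empty name."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        if current is None:
            continue
        while line.endswith("\\") and i < len(lines):  # hex data wrapped over lines
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, data = line.partition("=")
        name = "" if name == "@" else name.strip('"')
        keys[current][name] = decode_data(data)
    return keys


def list_bhos(keys: Dict[str, Dict[str, str]],
              exists: Callable[[str], bool] = os.path.exists) -> List[dict]:
    """Join the BHO registration list with HKCR\\CLSID to get each BHO's
    friendly name and DLL path, and report whether that DLL is really there."""
    prefix = (BHO_KEY + "\\").lower()
    results = []
    for key in keys:
        if not key.startswith(prefix) or "\\" in key[len(prefix):]:
            continue
        clsid = key[len(prefix):]
        clsid_key = f"{CLSID_KEY}\\{clsid}".lower()
        name = keys.get(clsid_key, {}).get("", "")
        path = keys.get(clsid_key + r"\inprocserver32", {}).get("", "")
        if not path:
            status = "orphan"    # BHO listed, but no COM class registered for it
        elif not exists(path):
            status = "dangling"  # class registered, but the DLL is gone from disk
        else:
            status = "present"
        results.append({"clsid": clsid, "name": name, "path": path, "status": status})
    return results


# Constructed sample export (hypothetical CLSIDs and paths, not real products'):
# one BHO whose DLL is present, one whose DLL was deleted but whose registration
# remains, and one listed as a BHO with no COM registration at all.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{33333333-3333-3333-3333-333333333333}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}]
@="SnagIt Toolbar Loader"

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\TechSmith\\SnagIt 7\\SnagItBHO.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}]
@="Bho Class"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,42,\
  00,68,00,6f,00,2e,00,64,00,6c,00,6c,00,00,00
'''

# Constructed stand-in for the file system: only the SnagIt DLL "exists".
PRESENT_FILES = {r"C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll"}


def demo() -> List[dict]:
    """Run the resolver over the sample export with a stubbed file check."""
    return list_bhos(parse_reg(SAMPLE_REG), exists=lambda p: p in PRESENT_FILES)


if __name__ == "__main__":
    for bho in demo():
        print(f"{bho['status']:8} {bho['clsid']}  {bho['name'] or '(no name)'}  {bho['path'] or '-'}")
```

The three statuses are the ones that matter when reading a scanner’s verdict: “present” means the key points at a real file you can look at before deciding whether to unregister it; “dangling” is the situation described above, a leftover registration whose DLL is already gone, which a scanner may still report as an infection; “orphan” is a BHO entry with no class behind it, which Internet Explorer simply cannot load. In every case the script tells you which file the key refers to, which is exactly the detail the Trend Micro interface withheld.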

What about the next item on the list? The Web page for ADW_BADBITOR.A included no description, only a list of aliases and a long list of IE Favorites, program files, and Registry keys associated with it. The list of aliases made it pretty clear that Trend Micro thought I had installed a version of the ugly Lop parasite or Ezula adware. Once again, most of the files and registry keys ostensibly associated with this threat were simply not on my system. The only ones that matched turned out to be perfectly legitimate components of the BitTorrent program. Presumably, Trend Micro would have zapped BitTorrent had I allowed it to remove this threat.

The final item on the list was easy to identify. I have installed the password-revealing program Snadboy’s Revelation on this system. Fortunately, I know what that program does and also know that I installed it. Unfortunately, the More Information link led to a non-existent page at Trend Micro’s Web site.

OK, now let’s imagine that I’m not a computer professional but instead I’m a concerned Windows user. How am I supposed to react to this report? If I simply trust the software and let it remove these supposed threats, I’ve disabled three perfectly legitimate programs. When they stop working, will I connect the dots? Or will I think that the spyware I removed from my system had done even more damage than I thought?

Everyone wants an all-in-one Windows security solution – a single shrink-wrapped magic software bullet that can snuff out viruses, spyware, adware, Trojan horses, and every other conceivable form of malware. Unfortunately, my experience with Trend Micro’s software provides at least one data point to suggest that there’s no such animal yet.

By coincidence, I ran across two recent reviews of Trend Micro’s software online, both by way of the Security Mentor blog. PC World has a review of Internet security suites that gave Trend Micro top marks for its spyware scanning. The reviews are cursory at best, and Trend Micro earned its ranking because “in our tests only Trend Micro’s suite spotted spyware infections in the Registry.” Well, on my system those scans bore no relation to the actual presence of spyware, so I can’t give the same thumbs-up. This comparative review of antivirus software in Information Security from last October doesn’t mention spyware at all, but it does provide some interesting real-world experiences on how leading security software companies deal with customers.

I’ll continue using and recommending Trend Micro’s software as an antivirus tool. But for preventing and removing adware and spyware, don’t count on it.

Protecting kids from Kazaa

In the comments to an earlier post, Ken asks:

Is there a way, e.g., a setting from within Internet Explorer, or perhaps his antivirus program (Norton, I think), to prevent his teenage daughter (the real culprit here) from downloading this especially malicious crudware in the first place?

Sure there is, and I’ve done it for neighbors. This assumes, of course, that they’re using Windows XP and that they are willing to enforce some serious rules. Set the daughter up with a Limited user account (LUA). Give Mom or Dad the password to the Administrator account and tell them not to share it with the kid no matter what. A user who logs on with a limited account cannot install a program that needs to write files outside that user’s own profile, can’t change global security settings, and can’t install add-ons for Internet Explorer. In other words, the typical adware, spyware, and virus installers, which expect to drop files into Program Files and write machine-wide Registry keys, fail outright. (The limit protects the machine, not the account: a program content to live entirely inside the user’s own profile can still run there, which is why the other layers still matter.)

The kids will scream when they can’t do what all the other kewl kids are doing, but that’s just too bad. When I set this up at my friend’s house, the deal was that if her son wanted to install any program, he first had to research it and prove that it was safe, reliable, and trustworthy. Needless to say, Kazaa never made it back onto the machine, and I’ve never had to go back and clean up a single piece of spyware. Oh, and he just made the Dean’s list.

Using Norton AV? Get this fix

Earlier this week, Symantec published technical details of a security flaw that affects many of its consumer and enterprise products. (Read Symantec UPX Parsing Engine Heap Overflow for the gory details.)

If you use Norton AntiVirus 2003 or 2005, you’re OK. If you use Norton AntiVirus 2004 or Norton Internet Security 2004, you might need to download an update manually. I don’t have Norton installed here, but if I recall correctly the default settings for Symantec’s Live Update only deliver updates to virus definitions. You may need to run LiveUpdate manually to get the updated program code.

If there are any current Norton users out there who can fill in other details, please leave a comment.