Joel Spolsky doesn’t trust Microsoft AntiSpyware

Joel Spolsky of Joel on Software is rightly considered one of the smartest developers around. When he writes something, it gets read – especially in Redmond. So his remarks yesterday on Microsoft AntiSpyware deserve a fair parsing:

So far, it looks like this is a nifty program, and consumers should be happy that Microsoft has announced it will be free, but it really, really would have been nice for us here in the software industry if Microsoft had set a price on this thing just to provide some air cover for the other companies working on spyware removal. This is not a software category where a monopoly monoculture will be a good thing.

I think he got this one wrong on two counts. First, the antispyware industry has already established itself as a category where most programs are free. Ad-Aware and Spybot S&D are the two most widely used utilities. Lavasoft, which makes Ad-Aware, has a free version that is presumably its most popular product; Patrick M. Kolla, developer of Spybot S&D, gives the program away for free. There are paid antispyware programs (most notably PestPatrol) but increasingly antispyware features are being folded into larger security suites as added features. Both Symantec and Trend Micro have begun adding spyware detection and removal features to their flagship antivirus programs, for instance.

Which leads me to my second point: Antispyware software should be free. There are gazillions of unethical companies out there that make a living selling deceptive programs that fool unsuspecting users into paying for worthless “protection” by detecting threats where none exist. When this type of software is a profitable category, it rewards hype and scare tactics: the easiest way to sell protection is to manufacture something to be protected from.

Joel continues:

Not only that, but I wonder if Microsoft can run an antispyware product without huge conflicts of interest. For example, will they block all the spyware that Real installs on your system? While Real is suing them? Especially when blocking spyware from Real will just give Real more ammunition to use against Microsoft in court? And the next time Microsoft needs a DRM favor from your friendly neighborhood media conglomerate, will the media conglomerate demand exemption from Antispyware removal for their adware in exchange for supporting Windows Media 37.0, with the new brain-zapping feature that prevents you from humming any song unless you bought the performance rights?

Well, that’s a problem already with the “free” products, as Lavasoft and PestPatrol demonstrated earlier this week when they quietly dropped one widely derided adware program (WhenU) from their detection lists without alerting users.

There’s always going to be suspicion when a single company is making go/no-go decisions on whether a program should be considered a threat or benign. That’s why I like the community-based approach introduced by GIANT AntiSpyware (the original developer of the antispyware product that Microsoft purchased). Microsoft has committed to keeping the SpyNet community as a key part of the final release.

I would like to see as much transparency as possible from all security vendors, especially when you’re talking about products that are legal but unethical. The products in this category aren’t viruses, pushed into the world by anonymous vandals. These are typically commercial products, released by identified companies. The bar to removal should be high (although the user should be able to make the level of protection more stringent). One thing I like about Microsoft AntiSpyware is that it is first and foremost a preventive measure. It alerts you when a program is trying to sneak an auto-starting module into the Registry or change your home page, and it gives you the power to stop damage before it can occur. The real problem with spyware comes when it sneaks onto a computer. Anything that Microsoft can do to prevent Windows from being misused in this fashion is a Good Thing.
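To make concrete what a preventive agent of this kind actually does, here is an added example (my code, not Microsoft’s or GIANT’s) that diffs a trusted baseline of the Windows auto-start locations against the current state and reports what changed. The watched keys, the CLSIDs, the value names and the paths are constructed for the example, and the list of locations is a short subset of what a real agent monitors; a real agent would also read the live registry rather than a map, and hook the write as it happens rather than compare snapshots after the fact.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Snapshot maps a fully qualified registry value (key path, then the value
// name; a CLSID subkey whose mere presence matters is listed with its default
// value) to its data. A real agent reads these through the Windows registry
// API; here the contents are constructed for the example.
type Snapshot map[string]string

// Locations this example watches: a short subset of what a real agent
// monitors, assumed here rather than taken from any product specification.
var watchedPrefixes = []string{
	`HKCU\Software\Microsoft\Windows\CurrentVersion\Run\`,
	`HKLM\Software\Microsoft\Windows\CurrentVersion\Run\`,
	`HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\`,
}

const homePage = `HKCU\Software\Microsoft\Internet Explorer\Main\Start Page`

// Alert is one change a real-time protection agent would hold for the user's decision.
type Alert struct {
	Kind  string // "new-autostart", "changed-autostart" or "homepage"
	Where string
	Old   string
	New   string
}

func (a Alert) String() string {
	return fmt.Sprintf("%-17s %s  %q -> %q", a.Kind, a.Where, a.Old, a.New)
}

func isWatched(where string) bool {
	for _, p := range watchedPrefixes {
		if strings.HasPrefix(strings.ToLower(where), strings.ToLower(p)) {
			return true
		}
	}
	return false
}

// DiffAutostart compares a trusted baseline with the current state and reports
// additions and modifications at watched locations. Deletions are ignored:
// removing an auto-start entry is not how unwanted software arrives.
func DiffAutostart(baseline, current Snapshot) []Alert {
	var alerts []Alert
	for where, data := range current {
		old, seen := baseline[where]
		switch {
		case strings.EqualFold(where, homePage):
			if old != data {
				alerts = append(alerts, Alert{"homepage", where, old, data})
			}
		case !isWatched(where):
			// not an auto-start location; out of scope for this agent
		case !seen:
			alerts = append(alerts, Alert{"new-autostart", where, "", data})
		case old != data:
			alerts = append(alerts, Alert{"changed-autostart", where, old, data})
		}
	}
	// map iteration order is random; sort so output (and tests) are stable
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Where < alerts[j].Where })
	return alerts
}

// ExampleSnapshots returns a constructed clean baseline and the state after a
// constructed drive-by install: a new Run entry, a new BHO and a hijacked home page.
func ExampleSnapshots() (baseline, current Snapshot) {
	baseline = Snapshot{
		`HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe`: `C:\WINDOWS\system32\ctfmon.exe`,
		`HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVMonitor`:  `"C:\Program Files\AV\monitor.exe" /tray`,
		`HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}\(Default)`: ``,
		homePage: `about:blank`,
	}
	current = Snapshot{}
	for k, v := range baseline {
		current[k] = v
	}
	current[`HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper`] = `C:\WINDOWS\system32\syshelper.exe /silent`
	current[`HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}\(Default)`] = ``
	current[homePage] = `http://search.invalid/?aff=1234`
	return baseline, current
}

func main() {
	baseline, current := ExampleSnapshots()
	for _, a := range DiffAutostart(baseline, current) {
		fmt.Println(a)
	}
}
```

The point of the diff is the question it lets the user answer: not “is this file bad?” but “did I ask for this to start with Windows?” A new Run value, a new BHO CLSID or a changed start page are each cheap to detect and hard for crapware to avoid, which is why blocking them at write time is worth more than any scan afterwards.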

Why was Media Player updated?

Updated March 2…

eWeek is out with a news story headlined “Microsoft Updates Media Player to Thwart Spyware Threat”. As far as I can tell, this story is almost completely inaccurate.

Microsoft Corp. has released an update for its flagship Windows Media Player to protect users from a known threat of spyware infection.

Microsoft said the update … installs two components on end users’ computers and will add “additional integrity checks to the DRM [digital rights management] system.”

The company made no mention of a spyware infection, but a spokesperson confirmed the new version of the player was released after Microsoft confirmed that malicious hackers were using the copy-protection mechanism to install spyware, adware, dialers and computer viruses on unsuspecting PC users.

The article refers to the Update for Windows Media Digital Rights Management-enabled players (WindowsMedia-KB891122–x86). I’m still testing, but nothing in the KB article that documents this fix indicates that it provides any protection for users. It appears that the spokesperson is in error and the reporter simply accepted the inaccurate statement.

To make matters more confusing, an update to Windows Media Player 10 was also released this week, without any documentation of what was changed. Yesterday, Ed Oswald at BetaNews talked with a Microsoft spokesperson who said that this update was the promised fix to the spyware/adware issue:

Microsoft on Wednesday issued an updated Windows Media Player 10 to correct a potential security issue that could allow an attacker to mislead users into downloading malware or viruses instead of a license to playback DRM content.

A spokesperson for Microsoft confirmed that the new WMP release, marked build 3802, was the promised update to take care of issues related to the player’s digital rights management functions.

Needless to say, at least one of these stories is just plain wrong, and I strongly suspect that both are wrong.

CNET News.com has a slightly expanded story that contains similar assertions:

The Redmond, Wash., giant on Tuesday introduced an update to its Windows Media Player, which included changes aimed at blocking the Japanese hackers’ work, as well as a security update.

[…]

The new update also addresses a problem exposed a month ago, in which the Media Player and its digital rights management software could be used to show ads–or even to lure unsuspecting Web surfers into downloading harmful software onto their hard drives, security researchers said.

The process exploited a feature of the Media Player content protection, which allows protected files to pop up a Web page with information about a video or song license. In such a case, that page could be loaded with automatic spyware download mechanisms, Spanish security company Panda Software said.

The new update to the Media Player software contains a setting that allows consumers to request that they be notified any time their computer is going onto the Internet to obtain a content license. By default, this option will be turned off, but computer users can turn it on, Caulton said.

I’ve installed the Digital Rights update on a test PC and compared its options to those on a computer without the update. I can’t find any option in Windows Media Player 10 that matches the description in this story. If it’s there, it’s well hidden. It may be that the option is only available in Windows Media Player 9, but I’ll need to do further testing to see whether that’s the case.

[Update: In a comment to this post, Ben Edelman notes that he has tested the patch with WMP9 and found that it does not change the behavior observed before installing the patch. Ben’s comment includes links to a screen shot and a video of his results showing exactly how the exploit can deceive a naive user. Warning: The end of the video contains explicit sexual content that some viewers may find offensive.]

[Update, March 2: For a follow-up on this story, see “How to Fumble a Security Update.”]

New version of Windows AntiSpyware Beta is out

If you’re using the beta release of Windows AntiSpyware, be sure to get the latest update:

Since releasing Windows AntiSpyware (Beta) on January 6, 2005, we have received feedback from customers and have made enhancements to the software based on this feedback. We have enhanced some of the real-time protection agents, added new threat categories, and improved stability and performance. If you are using a previous version you can simply upgrade to the refreshed version.

I haven’t looked carefully at this yet, but based on the description it sounds like a fairly modest update.

Trend Micro fails the spyware test

A little over a year ago, I evaluated five antivirus programs and decided to switch from Norton AntiVirus to Trend Micro’s PC-cillin. Since then I’ve been happy with its performance. It updates itself regularly, identifies and quarantines those virus-infected attachments that make it past my e-mail gateway, and is generally unobtrusive.

The latest version of the software, PC-cillin Internet Security 2005, includes a firewall, a spam-blocking module, and newly added detection capabilities for spyware and adware. Based on my experiences today, the program’s developers need to go back to the drawing board.

I clicked the Scan for Spyware button to see what would turn up. I know this system is completely clean, so imagine my surprise when it informed me that it had found “3 potential threat(s).”

[Screen shot: Trend Micro’s spyware scan reporting “3 potential threat(s)” on a clean system]

My goodness, how could I have missed these horrible programs? How did they sneak past my defenses and infiltrate my computer? What are these threats, anyway? I selected the first item in the list and clicked the More Information button, which took me to Trend Micro’s Web site. There I read about ADW_IEHELPER.A:

This adware is usually dropped and installed by a Trojan as BHO.DLL. Trend Micro detects the said Trojan as TROJ_LINST.A.

Once installed, it waits for the user to browse the Internet, specifically using Internet Explorer. This adware then scans the Web pages accessed by the user and highlights certain words, usually commercial items. When the mouse runs over one of these highlighted words, it displays a link to an advertising Web page that sells the said highlighted item.

Unfortunately, nothing in the Trend Micro interface actually told me which file it had detected or where it was located. That’s especially troublesome given that the removal instructions required me to manually unregister the DLL by entering its full path. The Web page also listed 13 registry keys where this evil program would insinuate itself. Only one of those keys was actually on my computer – a reference to Bho.dll. That file wasn’t on my computer, but a file called SnagItBHO.dll was. It’s a perfectly legitimate add-in for the SnagIt screen-capture program (which I used to capture the screens in this article and have used for every book I’ve written in the last seven years). SnagIt added that registry key and then created values that pointed to its add-in file. Had I followed Trend Micro’s instructions to remove this file, it would have disabled a key feature of my screen-capture program.
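The SnagIt case is what happens when a signature matches on the presence of a registry key, or on a substring of a file name, instead of on the file the key actually points to. As an added example (my code, not Trend Micro’s logic, whose rules are not public), the Go below resolves each registered BHO to the DLL Internet Explor will load and reports a hit only when that file’s name matches the indicator and the file exists; it also shows the naive substring rule that would flag SnagItBHO.dll for an indicator of “bho.dll”. The registry contents, CLSIDs and paths are constructed, and the on-disk check is a map standing in for a file-system lookup.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Registry is a constructed stand-in for the live registry: a key path mapped
// to that key's default value.
type Registry map[string]string

const (
	bhoRoot   = `HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\`
	clsidRoot = `HKCR\CLSID\`
)

// Verdict is what a scanner should tell the user about one registered BHO.
type Verdict string

const (
	Hit       Verdict = "hit"       // module name matches the indicator and the file is on disk
	Stale     Verdict = "stale"     // name matches but the file is gone; only the key is left
	Dangling  Verdict = "dangling"  // listed as a BHO but has no InprocServer32 registration
	Unrelated Verdict = "unrelated" // resolves to some other module; not this threat
)

type Finding struct {
	CLSID   string
	Module  string // resolved DLL path, empty when dangling
	Verdict Verdict
}

// ListBHOs returns every CLSID registered under the Browser Helper Objects key.
func ListBHOs(reg Registry) []string {
	var ids []string
	for k := range reg {
		if strings.HasPrefix(k, bhoRoot) {
			ids = append(ids, strings.TrimPrefix(k, bhoRoot))
		}
	}
	sort.Strings(ids)
	return ids
}

// ResolveBHO follows the CLSID to the DLL Internet Explorer will actually load.
func ResolveBHO(reg Registry, clsid string) (string, bool) {
	path, ok := reg[clsidRoot+clsid+`\InprocServer32`]
	return path, ok
}

func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// NaiveMatch is the kind of rule that produces the false positive in the post:
// it fires when the indicator appears anywhere in the registered path, so
// "bho.dll" matches "SnagItBHO.dll".
func NaiveMatch(path, indicator string) bool {
	return strings.Contains(strings.ToLower(path), strings.ToLower(indicator))
}

// CheckIndicator evaluates every registered BHO against one indicator file name
// and records which file, where, and whether it is even on disk, so the user
// can judge the result before anything is deleted.
func CheckIndicator(reg Registry, onDisk map[string]bool, indicator string) []Finding {
	var out []Finding
	for _, id := range ListBHOs(reg) {
		path, ok := ResolveBHO(reg, id)
		f := Finding{CLSID: id, Module: path}
		switch {
		case !ok:
			f.Verdict = Dangling
		case !strings.EqualFold(baseName(path), indicator):
			f.Verdict = Unrelated
		case !onDisk[path]:
			f.Verdict = Stale
		default:
			f.Verdict = Hit
		}
		out = append(out, f)
	}
	return out
}

// ExampleRegistry is a constructed system: a legitimate SnagIt BHO, a genuine
// copy of the adware module, and a BHO registration whose CLSID no longer exists.
func ExampleRegistry() (Registry, map[string]bool) {
	const snagit, adware, orphan = `{11111111-1111-1111-1111-111111111111}`, `{22222222-2222-2222-2222-222222222222}`, `{33333333-3333-3333-3333-333333333333}`
	reg := Registry{
		bhoRoot + snagit:                       ``,
		clsidRoot + snagit + `\InprocServer32`: `C:\Program Files\TechSmith\SnagIt\SnagItBHO.dll`, // constructed path
		bhoRoot + adware:                       ``,
		clsidRoot + adware + `\InprocServer32`: `C:\WINDOWS\system32\bho.dll`,
		bhoRoot + orphan:                       ``, // no HKCR\CLSID entry: an uninstall left it behind
	}
	onDisk := map[string]bool{
		`C:\Program Files\TechSmith\SnagIt\SnagItBHO.dll`: true,
		`C:\WINDOWS\system32\bho.dll`:                     true,
	}
	return reg, onDisk
}

func main() {
	reg, onDisk := ExampleRegistry()
	for _, f := range CheckIndicator(reg, onDisk, "bho.dll") {
		fmt.Printf("%-9s %s -> %q (naive rule would fire: %v)\n", f.Verdict, f.CLSID, f.Module, NaiveMatch(f.Module, "bho.dll"))
	}
}
```

Every finding carries the resolved path, which is exactly what the Trend Micro interface withheld: a user who can see that the “threat” resolves to SnagItBHO.dll under the SnagIt program folder can make the call, and a scanner that cannot resolve the path has no business offering to delete anything.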

What about the next item on the list? The Web page for ADW_BADBITOR.A included no description, only a list of aliases and a long list of IE Favorites, program files, and Registry keys associated with it. The list of aliases made it pretty clear that Trend Micro thought I had installed a version of the ugly Lop parasite or Ezula adware. Once again, most of the files and registry keys ostensibly associated with this threat were simply not on my system. The only ones that matched turned out to be perfectly legitimate components of the BitTorrent program. Presumably, Trend Micro would have zapped BitTorrent had I allowed it to remove this threat.

The final item on the list was easy to identify. I have installed the password-revealing program Snadboy’s Revelation on this system. Fortunately, I know what that program does and also know that I installed it. Unfortunately, the More Information link led to a non-existent page at Trend Micro’s Web site.

OK, now let’s imagine that I’m not a computer professional but instead I’m a concerned Windows user. How am I supposed to react to this report? If I simply trust the software and let it remove these supposed threats, I’ve disabled three perfectly legitimate programs. When they stop working, will I connect the dots? Or will I think that the spyware I removed from my system had done even more damage than I thought?

Everyone wants an all-in-one Windows security solution – a single shrink-wrapped magic software bullet that can snuff out viruses, spyware, adware, Trojan horses, and every other conceivable form of malware. Unfortunately, my experience with Trend Micro’s software provides at least one data point to suggest that there’s no such animal yet.

By coincidence, I ran across two recent reviews of Trend Micro’s software online, both by way of the Security Mentor blog. PC World has a review of Internet security suites that gave Trend Micro top marks for its spyware scanning. The reviews are cursory at best, and Trend Micro earned its ranking because “in our tests only Trend Micro’s suite spotted spyware infections in the Registry.” Well, on my system those scans bore no relation to the actual presence of spyware, so I can’t give the same thumbs-up. This comparative review of antivirus software in Information Security from last October doesn’t mention spyware at all, but it does provide some interesting real-world experiences on how leading security software companies deal with customers.

I’ll continue using and recommending Trend Micro’s software as an antivirus tool. But for preventing and removing adware and spyware, don’t count on it.

Kazaa mess hits the mainstream

An Associated Press reporter picks up the Kazaa story I wrote about last week. For the most part, the details in the short AP story are the same as those I wrote about, although I hadn’t heard this one before:

Mary Still, a lawyer representing Sharman, said in an interview that users have the option of paying $29.95 for an adware-free version.

Sounds like extortion to me. You don’t like the mess we make of your computer? Pay up. Or else.

I will open a bottle of Champagne the day Kazaa disappears from the face of the earth.

A bold suggestion to stop spyware and adware

Ben Edelman explains How VeriSign Could Stop Drive-By Downloads. VeriSign, in case you don’t recognize the name, is the company that controls 95% of the digital certificates used on the Internet today. These certificates are passed out like bubble gum cards to any company that has an address and a check (typically between $200 and $600) for the certificate registration fee. When a Web site wants to install an ActiveX control on your computer to extend the capabilities of Internet Explorer, the browser checks the control’s digital signature and shows you the publisher name recorded in the VeriSign-issued certificate that signed it. That name, and the vetting it implies, is all most users have to go on when they decide whether to click Yes.

There are countless legitimate and ethical companies that use ActiveX technology for good purposes. Unfortunately, there’s also a disproportionately active community of scammers and charlatans intent on exploiting the trust that is implicit in a digital signature. An enormous amount of crapware has been dumped onto countless computers by this latter group, who use ActiveX permission dialog boxes to sucker unwitting users into “agreeing” to install software that they invariably regret later.

If VeriSign chose to enforce its license agreements, it could revoke the certificates of those companies that misuse the trust they inherit through a digital certificate. And without a certificate, virtually all versions of Windows will reject the proposed software cold, without subjecting the user to a misleading prompt. Ben explains:

Through existing software systems, already built into Internet Explorer and already implemented by VeriSign servers, VeriSign has the ability to revoke any certificate it has previously issued, disabling ActiveX installations that use that certificate. See VeriSign’s Certificate Revocation List server (crl.verisign.com) and Microsoft Certificates documentation of the revocation system.

I suggest that VeriSign can and should use its existing certificate revocation system to disable those certificates issued or used in violation of applicable VeriSign rules.
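What Ben is proposing is the ordinary revocation machinery that code signing already relies on. The added example below (my code, not Ben’s or VeriSign’s) builds a constructed certificate authority, issues a code-signing certificate to a constructed publisher, signs a constructed installer, and shows the verifier accepting it against an empty CRL and rejecting the same bytes with the same signature once the CA publishes a CRL naming the certificate’s serial number. It uses Go’s standard library rather than Windows’ Authenticode code paths. Two things a real client also has to do are left out: fetch the CRL from the distribution point named in the certificate, and refuse to proceed when the list is stale or unreachable. That is the caveat on Ben’s proposal: revocation protects only the users whose browser actually checks.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // keeps the setup short; only the verification path returns errors
	if err != nil {
		panic(err)
	}
	return v
}

// CA is a constructed stand-in for a commercial certificate authority.
type CA struct {
	Root *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs tmpl with key and re-parses it; parent == tmpl makes it self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))
	return must(x509.ParseCertificate(der))
}

// NewCA creates a root allowed to sign certificates and CRLs (CRLSign is required for the latter).
func NewCA() *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	return &CA{Root: issue(tmpl, tmpl, &key.PublicKey, key), key: key}
}

func (ca *CA) IssueCodeSigning(name string, serial int64, pub *ecdsa.PublicKey) *x509.Certificate {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}},
		ca.Root, pub, ca.key)
}

// CRL publishes a signed revocation list carrying the given entries, as a CRL server would serve it.
func (ca *CA) CRL(revoked ...pkix.RevokedCertificate) []byte {
	return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(int64(len(revoked) + 1)),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: revoked}, ca.Root, ca.key))
}

// SignInstaller is the publisher's side: ECDSA over SHA-256 of the installer bytes.
func SignInstaller(key *ecdsa.PrivateKey, installer []byte) []byte {
	digest := sha256.Sum256(installer)
	return must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
}

// VerifyInstaller is the browser's side: chain to a trusted root for code signing, check the signature, then consult the CRL.
func VerifyInstaller(root, publisher *x509.Certificate, installer, sig, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := publisher.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := publisher.CheckSignature(x509.ECDSAWithSHA256, installer, sig); err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	if err := crl.CheckSignatureFrom(root); err != nil { // an unsigned or foreign CRL proves nothing
		return fmt.Errorf("crl signature: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(publisher.SerialNumber) == 0 {
			return fmt.Errorf("revoked: serial %s issued to %q", publisher.SerialNumber, publisher.Subject.CommonName)
		}
	}
	return nil
}

// Demo runs the exchange with a constructed publisher and installer: verify, tamper, revoke, verify again.
func Demo() (before, tampered, after error) {
	ca := NewCA()
	pubKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	cert := ca.IssueCodeSigning("Constructed Publisher Ltd", 4242, &pubKey.PublicKey)
	installer := []byte("MZ constructed installer bytes, not a real PE") // constructed sample input
	sig := SignInstaller(pubKey, installer)
	before = VerifyInstaller(ca.Root, cert, installer, sig, ca.CRL()) // empty CRL: accepted
	tampered = VerifyInstaller(ca.Root, cert, append([]byte("x"), installer...), sig, ca.CRL())
	revoked := pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()}
	after = VerifyInstaller(ca.Root, cert, installer, sig, ca.CRL(revoked)) // same bytes, same signature: rejected
	return before, tampered, after
}
```

The order inside VerifyInstaller matters: the CRL is consulted last, after the chain and the signature have both checked out, because a signature that still verifies is precisely the case a revocation list exists for. Nothing about the publisher’s installer or its signature changes between the accepted and rejected runs; only the CA’s published list does, which is why Ben can argue that VeriSign alone holds the switch.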

Ben documents three products that clearly violate the VeriSign contract. After presenting the proof, he writes:

Each of these misleading installations is contrary to VeriSign contract, contrary to VeriSign’s duty to its users, and contrary to VeriSign’s many promises of trustworthiness. In the first installer, VeriSign affirmatively certified the “click yes to continue” company name — although it seems that there exists no company by that name, and although that company name is facially misleading as to the purpose of the installation prompt. In the second and third examples, VeriSign certified companies that subsequently used VeriSign’s certification as a necessary step in deceiving users as to the function of and (alleged) need for their programs.

Given VeriSign’s claims (such as its old motto, “the value of trust”), VeriSign should want to put an end to these practices. When VeriSign certificates are issued wrongfully (as in the first example) or are used deceptively (as in the second and third), VeriSign should take action to protect users from being tricked. In particular, when an application offers a facially invalid and misleading company name, VeriSign should refuse to issue the requested certificate. When an applicant violates basic standards of truth-telling and fair dealing, VeriSign should revoke any certificates previously issued to that applicant.

Read Ben’s article. If you think VeriSign should follow through on its responsibility to you and me as users of their digital signature technology, why not give CEO Stratton Sclavos a call at 650-961-7500? If he’s not there, ask for Judy Lin, Executive Vice President, Security Services. (If anyone has a good e-mail address for either of these individuals, let me know and I’ll update this post.) Update: Send your e-mail to stratton@verisign.com.

And spread the link to this post and to Ben’s article. There’s nothing like a little publicity to help big companies like VeriSign understand their responsibilities to their ultimate customers – us.

Why I hate Kazaa (and why you should too)

Ooooooh, I love this! Australia’s apcmag.com has been diligently following Kazaagate, a civil trial now going on in Sydney’s Federal Court. Today, reporter Garth Montgomery reports on a whopper of a confidential document that Kazaa’s owners tried to suppress:

It’s a philosophical rant from [Sharman CTO Philip] Morle, which is printed and packaged to resemble a legitimate academic text, complete with footnotes and the longest title in the history of quasi-academia.

In it, Morle acknowledges what any PC support professional has known for years: Kazaa is riddled with adware and will turn your computer into a doorstop:

“We need to be careful with user resources. Most obvious is in the adware we add to their machine upon installation. This software slows down users’ machines and can affect other activity such as browsing the Internet (as we have seen with PerfectNav). It is reasonable that we show ads in order to create our free software, but I do not believe it is reasonable to place a user in a position where this free software will also make their machine sluggish. Consider how many people that work for Sharman Networks and its partners that hate installing Kazaa on their machines.”

Yep, the people who work for the company that makes Kazaa don’t want it on their computers because it’s such a viper’s nest. Lawsuits are an essential tool, sometimes the only way, to get confirmation of how a company really works as opposed to what it claims to be doing. That was true in the Microsoft antitrust trials and it’s certainly true here.

If you know someone who still uses Kazaa or Grokster, do them a favor and do whatever it takes to help them get rid of it. They’ll thank you.

How often do you need to scan for spyware?

Last week, in “Ten things you need to know about spyware,” I got some vigorous disagreement with two items on my list. It was good feedback, so I wanted to revisit both issues. In item #4, I wrote: “If you have to scan your system for spyware every week, you’re doing something wrong. … Running a weekly scan is probably not a bad idea, from a belt-and-suspenders point of view. But it shouldn’t be necessary…”

Suzi at Spyware Warrior took issue with that statement:

Well, perhaps for knowledgeable users who understand how to protect their computers, that might be true. Truth be told, I don’t scan my computer very often, but that’s because I know exactly what’s going into and leaving it all the time. How many users can say that? A very small percentage of current internet users, I’d say. Perhaps Ed’s blog is targeted to savvy users, I don’t know. For the average user, I’d certainly recommend scanning at least every few days, maybe every day for frequent web flyers. An exception would be for users surfing with an alternative browser such as Firefox or Opera.

I think we’re closer to agreeing on this issue than it might sound at first. Suzi doesn’t need to scan her computer regularly, because she knows exactly what’s going into and leaving her computer at any time. So do I. So does my co-author Carl. So do friends and clients of mine who have asked for my help in keeping their systems free of spyware and viruses. And so can anyone who is willing to learn about the problem of spyware. If you incorporate some basic technological solutions and modify your behavior using common-sense guidelines, you can keep your PC spyware-free. (See “Six steps you can take to block unwanted software” for more details.)

But simply installing an anti-spyware program (or two or three) on an average user’s computer and telling them to scan daily or weekly isn’t enough unless you also train them in effective techniques for keeping crapware at bay. If you do that job right, the clean spyware scan becomes the weekly report card that proves they learned the lesson.

I have Microsoft AntiSpyware Beta 1 installed here and I allow it to do its nightly scan. It’s unobtrusive and the only real side effect is a dialog box that I need to dismiss each morning. It never finds anything. Over the past few months, during the course of researching the upcoming Windows Networking and Security Inside Out, I’ve experimented with just about every available anti-spyware program. They never find anything except cookies (which are not spyware and can easily be managed) and false positives.

Look, I have antivirus software on my computer. It’s constantly intercepting and quarantining infected attachments that arrive via e-mail. Every week, the antivirus program scans my system to verify that I am not infected with any viruses. It never finds anything. If it does, I know I have a serious problem and that I need to figure out how the unwanted software slipped past my defenses. The same is true with spyware. If your weekly scan reveals that you’ve picked up an unwanted and potentially hostile program, you need to remove it. And then you need to figure out how it got there and fix your defenses so it doesn’t happen again.

So, based on Suzi’s feedback, I’m changing item #4 to read: “If you have to scan your system for spyware and remove unwanted programs every week, you’re doing something wrong.”

In a follow-up post, I’ll address the controversy over how many spyware scanners you should use. One, two, as many as it takes?

Six steps you can take to block unwanted software

Last week, I published “Ten things you need to know about spyware” and got some great feedback. Today, I’m following up with some advice on how you can prevent unwanted software from ending up on your PC in the first place. This piece, like the last one, is an extremely condensed (and preliminary) version of content that will appear in an updated version of Windows Security Inside Out, which is due to be published this spring.

As I noted last week, trying to remove spyware/adware/viruses is a difficult proposition. You’re much better off if you can prevent an unwanted program from being installed in the first place. This is the advice I give to clients in my consulting practice, and it’s been successful. If you follow this advice, your likelihood of being attacked should drop to nearly zero.

If you have comments or questions, add them in the comments or create an entry on your own site and give me a trackback link. The list appears in the full version of this post. (If you’re reading this in Bloglines or another reader that doesn’t properly handle extended posts, click here to continue.)


Ten things you need to know about spyware

Update: I’ve made some small but significant changes to this list based on excellent feedback from the anti-spyware community. I’ve also published a second installment in this series. See “Six steps you can take to block unwanted software.”

Carl Siechert and I are currently working on an update to our 2002 book Windows Security Inside Out. It’s been only a little over two years, but a lot has changed in the computer security landscape during that time. So much, in fact, that the update is much more extensive than we originally envisioned.

The biggest change, in my opinion, is the explosive growth in what’s commonly called spyware. We spent about four paragraphs on the topic in the first edition, basically telling readers to install a firewall and use Ad-Aware. In this edition, we’re devoting an entire chapter to spyware, and we’ll have significant coverage of related topics in at least four other chapters.

One frustrating aspect of the whole spyware topic is the extraordinary amount of misinformation floating around about what spyware is, how it gets on your computer, and how you can protect yourself most effectively from being a victim. To organize my thinking, I’ve put together the following list of ten essential facts about spyware. This list forms the basis of the spyware coverage in the new edition. I recognize that some of these statements may be controversial, and I’m open to alternative points of view. (If you want to reply, add a comment or create your own blog entry and send me a trackback.)

The list begins after the jump.
