 novaflareThe Dragon Was HerePremium join:2002-01-24 Barberton, OH | reply to RR Conductor
Re: veloz scumware seen on comercial just now said by RR Conductor: I don't find anything funny in this.
I don't see how anyone could. No matter what OS you use, if you value being on the internet without hassles like slow days on the web and your fav web site being down, you shouldn't find anything about commercials like this claiming to protect your computer. Simply put, people who don't know any better will dl it, think they are safe, open everything that's sent to them and get infected by various worms, trojans etc. These worms and trojans will be used to DDoS various websites; we've all seen worms made to do just that over the last year or 2. Blaster, to name just one. It doesn't matter if you use Mac, Linux or some OS you made yourself, you are still directly or indirectly affected by this sort of thing. -- new 3d chat community at »planetvirtuel.com my site »spellbound.valshea.com/news.php |
|
 Doctor FourMy other vehicle is a TARDISPremium join:2000-09-05 Dallas, TX 1 edit | reply to novaflare
Re: veloz, stop sign scumware comercials said by novaflare:
This was not meant as a flame and I respect the fact that you as an employee took the time to post but feel that you are totally off base and do not know who it is who you work for.
It isn't a flame, it is a rebuttal. When someone who represents a company that makes spyware tries to defend their company's actions on a security related website or forum, such a response is appropriate. In the past, people from companies with less than trustworthy security or privacy reputations have tried to defend them, without success.
When a company employs such tactics as deceptive and aggressive marketing, ActiveX drive-by downloads, refers to antispyware products as attackware, charges money to remove what it may find, and markets itself as a legitimate security product when it isn't, there is no defense. -- "Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors. |
|
 keith2468Premium,MVM join:2001-02-03 Winnipeg, MB | reply to Martinus
Re: veloz scumware seen on comercial just now Martin, I'm not querying what the signatures ID it as. But they simply look for sequences of binary numbers at particular places.
And AV makers, perhaps just the small and mid-sized ones, work on these things in groups. Reportedly they share info. So one false ID could lead to multiple false IDs, especially if the IDing took place during a major outbreak of something else when people didn't have time on their hands for double checking.
PestPatrol makes some pretty clear claims about this product doing some easy to observe things, like blocking firewalls and being a trojan downloader.
So I'm asking if someone who has a test system, one they can re-ghost, would like to try to duplicate PestPatrol's results. (Just put it outside your firewall in case something malicious -- not just adware -- does come in.)
It would be educational if nothing else. -- (Virus&Hijacking FAQ+Submit suspected malware+Security FAQ) |
|
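The concern raised in keith2468's post above, that signatures match byte sequences at fixed places and that vendors sharing them can multiply one identification, shown as an added example that is not part of the original thread. The vendor names, detection names, signature bytes and sample file are all constructed for illustration.

```python
"""Toy offset-anchored signature scanner; all data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str       # vendor-specific detection label
    offset: int     # byte position in the file where the pattern must start
    pattern: bytes  # exact byte sequence expected at that position


def matches(sig: Signature, data: bytes) -> bool:
    """True when the file has exactly sig.pattern at sig.offset."""
    end = sig.offset + len(sig.pattern)
    return len(data) >= end and data[sig.offset:end] == sig.pattern


def scan(engines: dict, data: bytes) -> dict:
    """Per-vendor list of detection names that fire on this file."""
    hits = {}
    for vendor, sigs in engines.items():
        names = [s.name for s in sigs if matches(s, data)]
        if names:
            hits[vendor] = names
    return hits


def independent_evidence(engines: dict, data: bytes) -> int:
    """Count distinct (offset, pattern) pairs behind all hits.

    Vendors that imported the same shared signature contribute one piece of
    evidence between them, however many alert names appear.
    """
    return len({(s.offset, s.pattern)
                for sigs in engines.values() for s in sigs if matches(s, data)})


# Constructed sample: a harmless 64-byte "installer stub" with a marker at 0x20.
SAMPLE = b"MZ" + bytes(30) + b"STUB-LOADER-v1" + bytes(18)

# Constructed signature sets for hypothetical vendors A-D. A, B and C carry the
# same shared pattern under different names; D wrote its own, which looks at a
# different place and does not match this file.
SHARED = (0x20, b"STUB-LOADER")
ENGINES = {
    "VendorA": [Signature("TrojanDownloader.Example.a", *SHARED)],
    "VendorB": [Signature("Trojan.DL.Example", *SHARED)],
    "VendorC": [Signature("Downloader/Example", *SHARED)],
    "VendorD": [Signature("Dropper.Other", 0x02, b"\x90\x90\x90\x90")],
}

if __name__ == "__main__":
    hits = scan(ENGINES, SAMPLE)
    print(f"{len(hits)} vendors alert:", hits)
    print("independent signatures behind them:", independent_evidence(ENGINES, SAMPLE))
```

Three alert names here rest on a single byte pattern, so the vendor count alone overstates how many separate analyses back the detection.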
 1 edit | reply to keith2468
Re: veloz scumware seen on comercial just now said by keith2468: Martin, I'm not querying what the signatures ID it as. But they simply look for sequences of binary numbers at particular places.
And AV makers, perhaps just the small and mid-sized ones, work on these things in groups. Reportedly they share info. So one false ID could lead to multiple false IDs, especially if the IDing took place during a major outbreak of something else when people didn't have time on their hands for double checking.
This is a very good and clear reasoning.
However. From my point of view, all this mess comes down to credibility. Meaning: if KAV, F-Prot, Norman et al say there's a trojan in that dll, I have no reason to think otherwise.
Now, why is there not an eAntology - or stop-sign or whatever the hell they want to be known as - representative refuting here and now the fact that their install setup has a trojan component and that it's mainstream AVs that have got it all wrong? -- From the GSV "Ethics Gradient" |
|
 2 edits | Martin:
You wrote:
said by Martinus: Now, why is there not an eAntology - or stop-sign or whatever the hell they want to be known as - representative refuting here and now the fact that their install setup has a trojan component and that it's mainstream AVs that have got it all wrong?
From what I can tell, the Win32.Wren trojan downloader is not some separate, independent piece of malware that is being flagged within the eAcceleration stub downloaders (which is what the AV scan reports from earlier posters pertain to). The Win32.Wren trojan downloader IS eAcceleration's stub downloader:
»www.pestpatrol.com/pestinfo/t/tr···en_a.asp
In other words, when these AV apps are reporting that Win32.Wren is found, what they're really saying is that they've detected eAcceleration's stub downloader.
Best,
Eric L. Howes |
|
 | said by eburger68:
From what I can tell, the Win32.Wren trojan downloader is not some separate, independent piece of malware that is being flagged within the eAcceleration stub downloaders (which is what the AV scan reports from earlier posters are scanning). The Win32.Wren trojan downloader IS eAcceleration's stub downloader:
That's exactly what I mean. I have the cab file right here, and the flagged trojan is an integral component of their install routine.
Of course, any Devil's Advocate could reason that mainstream AVs either have it all wrong or that this is a conspiracy to flush out new players in the market, but somehow, given the many different AVs - with different engines - flagging this software as a trojan, well... like I said before: credibility is what you got to hang to.
I'd still like to hear a stop-sign representative's arguments. Deafening silence. -- From the GSV "Ethics Gradient" |
|
 novaflareThe Dragon Was HerePremium join:2002-01-24 Barberton, OH | reply to keith2468 said by keith2468: Martin, I'm not querying what the signatures ID it as. But they simply look for sequences of binary numbers at particular places.
And AV makers, perhaps just the small and mid-sized ones, work on these things in groups. Reportedly they share info. So one false ID could lead to multiple false IDs, especially if the IDing took place during a major outbreak of something else when people didn't have time on their hands for double checking.
PestPatrol makes some pretty clear claims about this product doing some easy to observe things, like blocking firewalls and being a trojan downloader.
So I'm asking if someone who has a test system, one they can re-ghost, would like to try to duplicate PestPatrol's results. (Just put it outside your firewall in case something malicious -- not just adware -- does come in.)
It would be educational if nothing else.
While the last version, the version I installed some time back to play Vircom's the 4th prophecy (after it was closed down and sold off by Vircom to smaller companies), had no Add/Remove Programs entry, Ad-Aware removed it very easily. Triggered AVG like mad during the Ad-Aware scan though, soon as the scan hit the eAnthology files and dirs. I'd install it myself but wouldn't know where to begin in dissecting what it dls during install and after. -- new 3d chat community at »planetvirtuel.com my site »spellbound.valshea.com/news.php |
|
 keith2468Premium,MVM join:2001-02-03 Winnipeg, MB 2 edits | reply to novaflare quote: However. From my point of view, all this mess comes down to credibility. Meaning: if KAV, F-Prot, Norman et al say there's a trojan in that dll, I have no reason to think otherwise.
KAV and F-Prot are as good as they get. But some equally credible authoritative organizations at the time once said the world was flat. I believe God was supposedly one of them. 
Aristotle thought that determining facts by direct observation was something for weak minds, and that a strong mind could determine the truth by pure discussion and reasoning.
And people followed Aristotle.
And science stood still for almost 2,000 years.
My background is science. We go for direct observation.
I'm looking for someone up to the direct observation task.
I'd like to spot-check some of these "adware" products, see how accurate the anti-adware companies are in their descriptions of the products.
I'm not expecting everyone to have 2 free hours and a test computer, I just need one person.
Edit: In light of what Eric says just below, I'm thinking of the stop-sign package here, not just the downloader. -- (Virus&Hijacking FAQ+Submit suspected malware+Security FAQ) |
|
 keith2468Premium,MVM join:2001-02-03 Winnipeg, MB | reply to eburger68 quote: what they're really saying is that they've detected eAcceleration's stub downloader
So a plain ordinary downloader, or not?
Would that be like triggering on Kazaa-lite because it is part Kazaa which is associated with adware? -- (Virus&Hijacking FAQ+Submit suspected malware+Security FAQ) |
|
 keith2468Premium,MVM join:2001-02-03 Winnipeg, MB | reply to ojing
Re: Write to Congress ojing, excellent idea.
It is a tricky one though, because a lot of the software people here like has some of the characteristics of the stuff we'd like to outlaw.
Maybe:
"The Department of Homeland Security should regulate the installation of computer software via the Internet, to prohibit installations that occur without the informed consent of the computer user."
The thing is, what about java scripts in web pages. Or macros. Could they not be interpreted as software too. Are we going to have to explicitly agree to each web page? Or is there a better wording?
One factor is, we are drawing up a petition, not writing the final version of the law.
A petition just has to be clear enough for the people signing it to know if they agree or not. The details are for those who spend their lives worrying about the details of the law.
So would it be the DHS or the FTC or the FCC? Or should the petition just ask the government to outlaw it, and the government can figure out which department should do it? -- (Virus&Hijacking FAQ+Submit suspected malware+Security FAQ) |
|
 ojing join:2004-03-09 Norwalk, CT | Wow. I suffer from a lack of imagination. I was thinking only of exposing this particular company to the various powers who have expressed interest in stopping malware. They can hold them up as a concrete example of all that they rail about. Local District Attorney and police authorities get TV news airtime as they stand alongside US Representative. That sort of thing. |
|
 2 edits | reply to keith2468
Re: veloz scumware seen on comercial just now said by keith2468: ...some equally credible authoritative organizations at the time once said the world was flat. I believe God was supposedly one of them. 
Well, it was probably a wrong human interpretation of a god, not the God. Anyway, it didn't take more than an extraordinary man to change all that: "Eppur si muove".
Anyway, this is not about an interesting philosophical debate at the agora in ancient Athens about the metaphysic world. It's all about something as earthly, boring, dull and sad as a supposed AV company embedding a trojan in their installer.
Now, Keith, why not let those who know that we are wrong, namely Stop-Sign, stand up and face the music? You could also be wrong trying to justify their intentions and I know you are not a fool. Heck, I don't think even Mother Teresa with all her compassion would stand up for these guys. -- From the GSV "Ethics Gradient" |
|
 | reply to novaflare
AntiVir Says... Even the Free Stuff works good!! |
|
 1 edit | reply to novaflare
Re: veloz scumware seen on comercial just now Martin:
I think you missed my point. My point was that the term "Win32.Wren" is simply another name for the eAcceleration stub downloader. That's it, that's all. Thus, trumpeting the fact that a few AV programs flagged a "trojan downloader" in the eAcceleration .CAB files is overblown, because it makes it sound like the .CAB files are bundling something else nefarious when in fact the AV programs are merely identifying the eAcceleration product with another name.
Those .CAB files do bundle a stub downloader -- what the AV programs are labeling a "trojan downloader." The stub downloader unpacks from the .CAB file, executes, and downloads and installs the rest of the eAcceleration Stop-Sign package.
My guess is that the AV companies labeled the stub downloader a "trojan downloader" because of the "drive-by-download" installs at third-party web sites (coupled with obnoxious, deceptive advertising detailed in previous threads here at DSLR) back in 2002 and 2003. That's what eAcceleration got sued for. And that's what likely prompted the AV companies to label the eAcceleration stub downloader a "trojan downloader" -- because it was being initiated without the full knowledge and consent of users visiting third party web sites to download and install software they didn't want (or need).
So far as I can tell, that kind of advertising has stopped -- under the duress of legal action. If anyone can find an ad at a third-party web site that initiates the download process and installation, please do post a link to it. I haven't been able to find it.
My ultimate point here is to urge people to keep a bit of perspective and not let galloping speculation lead to unwarranted conclusions.
Best,
Eric L. Howes |
|
 1 edit | Eric. You are right.
But then again I think this is an issue of credibility. Nothing more and nothing less.
When I click on that Stop-Sign link and KAV pops-up with an alert of a trojan downloader, and when I can confirm that it is not a false positive, taking into account that all major AVs also flag it, I don't really care much what the reason or naming politics are or even why or how this stuff tries to get in your box. That's all an academic exercise.
The only real thing here is that if you download an AV, it should not contain dubious code. And I say dubious giving these guys some slack.
I can understand that if you install Kazaa or the DivX player, ok, there are some things you will need to cope with, but an AV is a whole different, dare I say, ethics game.
I mean. If you can't trust your AV, who you gonna trust?  -- From the GSV "Ethics Gradient" |
|
 keith2468Premium,MVM join:2001-02-03 Winnipeg, MB | Forget God then, Stephen Hawking is now saying he has been wrong about blackholes for 2 decades.
All it will take is an experiment with direct observation on a test computer.
It can't be done with blackholes, but it can be done with stop-sign.
I strongly suspect Eric is right on this about this one file. It sounds like what I've seen anti-adware companies openly admit to -- labelling software based on association -- but again, the experiment is not prohibitively difficult if someone has the system and tools available.
And this is especially so because Kaspersky didn't write up anything in its virus dictionary on the file (that I could find). So I doubt they did their own research on it. And Kaspersky is as good as AV companies get.
You say you get a drive-by download with default settings on a patched up-to-date Windows XP SP2 system with MSIE 6. I don't see that, but then my system has had a lot of security stuff installed over the years, so my system probably has lots of obscure settings that are no longer defaults. Could this be an SP2 bug?
Does anyone with up-to-date MS supported non-beta Windows XP or W2K and non-beta up-to-date MS supported MSIE 6sp1 have this start downloading on its own?
We know that Firefox downloads to the cache anything on a page visited (I read this in a FF topic here), requested or not. So Firefox merely downloading this to cache doesn't mean a hijack -- it is normal Firefox behaviour. Executing it without a user request -- that would not be normal Firefox behaviour.
The real determination on stop-sign requires an experiment and direct observation. -- (Virus&Hijacking FAQ+Submit suspected malware+Security FAQ) |
|
 1 edit | reply to Martinus Martin:
That an AV program flags the download as containing a "trojan downloader" should be cause for alarm among users. But those looking into the software in a Security forum such as this one need to go beyond that initial report and investigate the underlying basis for the detection ("Win32.Wren Trojan Downloader").
Thus, this endless posting of screenshots of AV programs' detection of the eAcceleration stub downloader doesn't tell us much. We already knew that AV products were flagging the stub downloader as far back as 2002/2003 because of the distribution techniques used by eAcceleration. But the detection in and of itself tells us very little.
Let me be clear: I wouldn't recommend eAcceleration's software to anyone -- and I say that having actually gone through the full download and installation several times at this point and having actually used the software (I've got several megs of screenshots, scan logs, notes, copies of web pages, copies of various versions of the software, et al).
Moreover, I think the AV companies have been perfectly justified in targeting eAcceleration's software based on their past behavior -- behavior for which the company remains completely and utterly unrepentant, by the way. That alone is enough for me to continue to list this software on my "Rogue/Suspect Anti-Spyware" page ( »www.spywarewarrior.com/rogue_ant···ware.htm ) -- because the company is simply not a trustworthy source for anti-malware software, in my judgment.
You'll notice, though, that the entry for Stop-Sign in that "Rogue/Suspect Anti-Spyware" list does not specify that Stop-Sign "installs malware." There's a reason for that: namely, the detection that has been reported in this thread is for the stub downloader itself, not a separate piece of malware. So far as I can tell, you can install Stop-Sign without fear of having a virus, trojan, worm, or other piece of malware dropped on your box. The software may not be a very good anti-malware scanner, but it doesn't install malware itself.
In other words, it's a matter of classification at this point. And readers who see the screenshots of AV programs detecting "Win32.Wren Trojan Downloader" ought to be clear on just why that detection is happening and what it means.
Eric L. Howes |
|
 | reply to keith2468 said by keith2468: Forget God then, Stephen Hawking is now saying he has been wrong about blackholes for 2 decades.
But of course. And this is due to the simple reason that all these lines of reasoning are theories based on interpretations of measurements - read this right: Interpretations of Measurements -. There is not the tangible Newtonian apple falling to the ground here. It's all human extrapolations and humans, alas, sometimes they are mistaken.
As for this AV. I'm thru' with it. If you want the cab file I still have it in my Recycle Bin. That's the best place I could find for it in my box.
I've used almost all day - except when my wife reminded me that it was my turn to make dinner - writing and posting about this stuff which I know I'll never have anything to do with but that somehow it hits a nerve in me knowing that a lot of people with good intentions are going to fall in its trap.
If it's a trojan or not in the pure etymological sense, I can't say, but I know that potential customers buying this software as a protecting AV are going to be cheated. And this is a fact that you, I and anybody with a minimum sense of computer security know for sure. -- From the GSV "Ethics Gradient" |
|
 2 edits | reply to eburger68 said by eburger68: So far as I can tell, you can install Stop-Sign without fear of having a virus, trojan, worm, or other piece of malware dropped on your box.
Thanks, Eric, but I reckon I'll pass on that invitation for now. I'll remember it though when I go to help my worst enemy cleaning his box and setting an AV for him.
But, of course, instead of installing the free AVG or BitDefender or Avast, or Ad-Aware and SpyBot I'll install this eAnthology - or was it Stop-Sign? - free software which does the following:
"*Free Trial version detects but does not cure threats. **Free Trial version detects but does not remove spyware. ***Free Trial version has limited functionality."
And if he is satisfied, I'll introduce him to the stub downloader. -- From the GSV "Ethics Gradient" |
|