dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
132716
eburger68
Premium Member
join:2001-04-28

4 edits

22 recommendations

eburger68

Premium Member

ASW Vendors in La-La Land

Click for full size
Click for full size
Hi All:

Mike Healan of SpywareInfo.com and Suzi of Spyware Warrior have early word on some puzzling new developments on the anti-spyware front -- see:

Don’t Drink the WhenU Kool-Aid
http://netrn.net/spywareblog/archives/2005/02/13/dont-drink-the-whenu-kool-aid/

Leading Antispyware Vendors Quietly Drop WhenU Detection
http://www.spywareinfo.com/articles/spyware/whenu_detection_dropped.php

At the heart of this strange tale is WhenU, the well-known adware vendor that struck a controversial deal with anti-spyware maker Aluria late last year:

http://www.dslreports.com/forum/remark,11723816~mode=flat

I should note that Mike's and Suzi's reports are based on some routine testing that I performed with the latest version of BearShare, a popular P2P file sharing application that bundles WhenU Save.

Here's what we know:

1) Lavasoft has Removed WhenU from its Detections Database

Lavasoft removed WhenU's applications from their definitions database sometime in the last month -- it looks like it was probably the Feb. 5 update, but it might have been earlier. It was certainly done after the Dec. 29th update, because WhenU's SaveNow is confirmed detected with that definitions database.

The problem is that nowhere did Lavasoft announce this significant change publicly. It certainly didn't appear in any of their recent update announcements, where removals are typically disclosed:

02-05-05
http://www.lavasoftsupport.com/index.php?showtopic=58404

01-25-05
http://www.lavasoftsupport.com/index.php?showtopic=57706

01-11-05
http://www.lavasoftsupport.com/index.php?showtopic=56758

This failure to disclose the removal of WhenU from the Ad-aware detections database to Lavasoft's customers is a serious matter. Whatever one thinks of the de-listing, it should have been disclosed and Lavasoft should have offered an explanation for this change in policy in a clear, public manner. It did not. Instead, it slipped the change into its detections database and failed to inform users, even after users began to complain that WhenU was not being removed, such as this Lavasoft customer did here:

http://www.lavasoftsupport.com/index.php?showtopic=58669&hl=whenu

2) Pest Patrol has Removed WhenU from its Detections Database

It also appears that Pest Patrol removed WhenU from its detections database, though the situation here is a bit murkier. With the latest definitions Pest Patrol 5 does not flag any of the WhenU Save files. Strangely enough, it does flag a number of WhenU Registry keys, but erroneously labels them as BargainBuddy, Mirar Toolbar, and PurityScan. A sample chunk from a Pest Patrol 5 scan log:
said by PPv5Log.txt:
2/13/2005-4:11:05 PM,29692390,-1630934736,Detected,BargainBuddy,Adware,453068324,key "hkey_local_machine \software\whenusave" value "iptomsa_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607404736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "uninstalltag_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607304736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "urlchangecount",-1,
2/13/2005-4:11:07 PM,29692390,-1607304736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "timeddbupdate_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607304736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "heartbeattime",-1,
2/13/2005-4:11:07 PM,29692390,-1607204736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "msa",-1,
2/13/2005-4:11:07 PM,29692390,-1607204736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "maxpopups_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607204736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "iptomsatime_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607204736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "src_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607104736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "himp_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607104736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandskin_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607104736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandstrip_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607004736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandstrip_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607004736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "db_incomplete",-1,
2/13/2005-4:11:07 PM,29692390,-1607004736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "db_server_update",-1,
2/13/2005-4:11:07 PM,29692390,-1607004736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "db_stamp_rs",-1,
2/13/2005-4:11:08 PM,29692390,-1604494736,Detected,PurityScan,Adware,453073488,key "hkey_classes_root \wusn.1" value "wusn_id",-1,
2/13/2005-4:11:13 PM,29692390,-1551924736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandstrip_rs" data "24",-1,
2/13/2005-4:11:13 PM,29692390,-1551924736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandstrip_url" data "http://spweb.whenu.com/save_brand3.html",-1,
2/13/2005-4:11:13 PM,29692390,-1551824736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "src_url" data "http://spweb.whenu.com/pop_up/",-1,
As you can see from one of the attached screenshots, Pest Patrol still detects BearShare, the host application, which is an odd arrangement indeed.

The situation is just as confused on the Pest Patrol web site, where the "Most Prevalent Pests" as of 2/13/04 listed 4 WhenU applications:

http://research.pestpatrol.com/Lists/MostPrevalentPests.asp

If you click the names on that page for more information, you'll get next to nowhere, as the most obvious pathways to Pest Patrol's write-ups on WhenU's applications are now broken. The pages can still be found, as Suzi notes -- they're just not findable using the research page search function.

There are some tantalizing hints on Google that WhenU's de-listing was disclosed on this page:

http://research.pestpatrol.com/News/New_And_Improved_Detections.asp

That de-listing seems to have happened with an earlier update that is no longer detailed on the above web page. Even if it was disclosed on that page, the change certainly was not prominently announced, nor do we have a public explanation for Pest Patrol's decision to de-list WhenU.

3) Aluria Security Center 4.0 Detects WhenU as Spyware

In what is surely the strangest twist in this whole story, Aluria's recently released Security Center 4.0, which incorporates the latest version of its standard anti-spyware application Spyware Eliminator, *does* detect WhenU Save as "spyware" (see the second attached screenshot above). This comes as a surprise because Aluria recently declared WhenU to be "Spyware-SAFE":

http://www.aluriasoftware.com/spyware-safe/site/www.whenu.com/

It also partnered with WhenU to offer an adware-supported anti-spyware application called UControl:

http://www.whenu.com/whenu_solution.html

Why Aluria's anti-spyware application would be flagging WhenU as "spyware" at the precise moment when Lavasoft and Pest Patrol are de-listing WhenU is puzzling.

We don't know at this point why Lavasoft and Pest Patrol apparently decided to de-list WhenU from their defintions databases, though we strongly suspect that these decisions are in reaction to a new notice and disclosure screen for WhenU Save that was recently added to the BearShare installation process (see the third attached screenshot above).

Full Disclosure:

In the course of my work on spyware and adware issues I routinely talk with a number of companies, individuals, and organizations, including anti-spyware vendors of all sorts. I also have occasion to exchange views with adware and spyware vendors, as readers of this forum will be well familiar with:

http://www.dslreports.com/forum/remark,10804038~mode=flat~start=0

As it happens, I became familiar with the new notice/disclosure screens for WhenU that were just recently incorporated into the latest installation of BearShare from several discussions with Avi Naider of WhenU. In fact, it was in the process of reviewing this new BearShare installation that I stumbled across the anomalous behavior with Ad-aware, Pest Patrol, and Aluria reported above.

Although I, like Mike Healan, regard the new notice/disclosure screens incorporated into BearShare to be a significant improvement on the installation process previously used in BearShare, I cannot recommend that anti-spyware vendors de-target WhenU's applications at this time for a number of reasons.

More importantly, though, I am very disappointed that anti-spyware vendors might have de-listed WhenU's applications without publicly and forthrightly announcing and explaining those changes to their users. Anti-spyware vendors are in a business that places a premium on trust, and it is critical that they be forthright with their customers -- many of them the victims of unscrupulous commercial behavior -- at every step of the way. When anti-spyware vendors de-list an adware application like WhenU from their detections, they have a duty to report that change in policy to their users. At the present point in time, it appears that Lavasoft and Pest Patrol did not fulfill this obligation to their users, and that is unfortunate.

Conclusion

In closing I should also note that I have asked Lavasoft about its removal of WhenU from the Ad-aware detections database -- see:

http://www.lavasoftsupport.com/index.php?showtopic=58938

At this time I have received no response from Lavasoft, though I look forward to both Lavasoft and Pest Patrol providing users a forthright explanation of their targeting policies for WhenU and any recent changes they might have implemented in those policies.

Best,

Eric L. Howes
harmisajedi
join:2004-10-16
Mountain View, CA

harmisajedi

Member

fascinating post. thank you, & i bet many of us in the forums will keep tuned for new developments.

/end_harm
Scaramouche8
join:2004-09-10
Philippines

Scaramouche8 to eburger68

Member

to eburger68
This is pretty confusing. I'm not sure what it means, or even what you can extrapolate from it.

Is Aluria trying to regain some of the legitimacy they lost in the WhenU deal? Was the WhenU deal only so WhenU could buy a branded version of the Aluria client to sell?

Has WhenU successfully wooed Pest Patrol and Lavasoft? If so, why were the removals done so abruptly, and so secretively?

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane to eburger68

Premium Member

to eburger68
Very strange, indeed, Eric. Thanks so much for posting this. I would be very interested in seeing a response from those Antispyware vendors as to why they delisted WhenU without any notice.

I'd like to know on what basis this was done and why they didn't tell us.
Hickerx2
God Bless The U.S. Military
join:2001-03-04
Franklinville, NY

Hickerx2 to eburger68

Member

to eburger68
There is a question posted regarding this in the Lavasoft forums as well. If they don't come up with a good explanation for this action, I will demand a refund, and recommend against AAW to every one of my customers. WhenU meets every single requirement and all criteria for adware. Omission from detections can only be construed as greed by Lavasoft, as I'm sure monies were paid by WhenU

Toymaster
Premium Member
join:2001-12-27
Flint, MI

Toymaster to eburger68

Premium Member

to eburger68
My question is does Spybot Search and Destroy still list the above programs or target ad program as spyware...I have not use Lavasoft for awhile now and never use Aluria or Pest Patrol products. At this point I see no reason to use said products. I hope none of this where products you have to actually pay for, I will continue to donate my funds to free products I deem trustworthy, Spybot. And if they where purchase products can the consumer retaliate against said company for false advertising?

Ctrl Alt Del
Premium Member
join:2002-02-18

Ctrl Alt Del to eburger68

Premium Member

to eburger68
Thank you for that wonderful post. I have uninstalled Ad-Aware as I no longer trust Lavasoft and their Ad-Aware product as a tool to identify software that may be malicious or annoying.
B04
Premium Member
join:2000-10-28

B04

Premium Member


The Ad-Aware "deal" (if that's what it is) is the only somewhat surprising part of this.

I've viewed Lavasoft with distrust for YEARS now.

Recently I've used it once or twice in a pinch. I now feel very bad about that decision.

Lavasoft hasn't been on the side of the angels in quite a long time.

Long live Kolla (Spybot). He may be the only trustworthy provider of this stuff.

-- B

timcuth
Braves Fan
Premium Member
join:2000-09-18
Pelham, AL

2 recommendations

timcuth

Premium Member

If Patrick Kolla is the only one continuing the good fight, then we should all probably help by sending him some monetary support.

Tim

speedwell
@65.197.x.x

1 recommendation

speedwell to eburger68

Anon

to eburger68
I'm going to go give that good man some cash right now...

dadkins
Can you do Blu?
MVM
join:2003-09-26
Hercules, CA

6 recommendations

dadkins to eburger68

MVM

to eburger68
Is this next?

markwp2001
Spreadhead
Premium Member
join:2002-05-25
Long Beach, MS

markwp2001 to eburger68

Premium Member

to eburger68
Many thanks for staying on top of this, eburger. Hope I can buy you a beer or single malt one of these days.

salzan
Experienced Optimist
Premium Member
join:2004-01-08
WA State

salzan to eburger68

Premium Member

to eburger68
Very interesting post. It makes me wonder how many other backroom deals may have been struck that are as yet undiscovered.

Perhaps AdAware would be more effective using a pre Dec. 29 database for the time being. Obviously this would be a short term solution...
mstrlogcrw
join:2002-11-23
Granada Hills, CA

1 recommendation

mstrlogcrw to eburger68

Member

to eburger68
One angle of this we might be overlooking is that there may be certain legal proceedings going on in the background that are forcing certain companies to remove detection from their products. Whenever an anti-virus vendor has a false positive, everybody gets up in arms and the people whose software is falsely identified seem to start legal proceedings. I don't doubt the spyware vendors would try and push the anti-spyware companies out of business.

Do we know if Lavasoft is being pressured behind the scene?

Just a thought,
Chris

Doctor Four
My other vehicle is a TARDIS
Premium Member
join:2000-09-05
Dallas, TX

1 recommendation

Doctor Four to eburger68

Premium Member

to eburger68
I'm glad I dumped CA's EZ Antivirus in favor of Avast
Home edition a few days ago. Even though their Pest
Patrol division pulled out of COAST (of which WhenU
is a member), the fact they removed WhenU from their
detections make me trust them even less. And Lavasoft,
who has been known to post in this forum at times, is
curiously silent on this. I'm waiting for them to
respond to this situation; if none is forthcoming
within a timely manner, I will dump Ad Aware by the
end of the week.
B04
Premium Member
join:2000-10-28

1 recommendation

B04 to mstrlogcrw

Premium Member

to mstrlogcrw
said by mstrlogcrw:

One angle of this we might be overlooking is that there may be certain legal proceedings going on in the background that are forcing certain companies to remove detection from their products. Whenever an anti-virus vendor has a false positive, everybody gets up in arms and the people whose software is falsely identified seem to start legal proceedings. I don't doubt the spyware vendors would try and push the anti-spyware companies out of business.

Do we know if Lavasoft is being pressured behind the scene?
Good point, but what's the difference?

The issue Eric raises is NOT that they apparently and significantly changed the database for reasons unknown, but that they did so without clearly notifying their own customers.

-- B

dadkins
Can you do Blu?
MVM
join:2003-09-26
Hercules, CA

dadkins to eburger68

MVM

to eburger68
Huh?

Drize a bone
@zqwdrqsz.com

Drize a bone to eburger68

Anon

to eburger68
For pity's sake! I only purchased the Plus version of Ad-Aware about 8 weeks ago to help support their good work. Now they do this!!! It won't stop me uninstalling it and looking for something else though. If they don't give a reasonable explanation then it's going. I'll have to start revising some alternatives that run on Win ME.
eburger68
Premium Member
join:2001-04-28

6 recommendations

eburger68

Premium Member

Hi All:

I'm glad to see that you've found this information useful and informative. I thought I'd add some other information to head off any potential confusion or misunderstanding.

First, while testing the BearShare/WhenU installation yesterday, I confirmed that a number of reputable anti-spyware applications still detect WhenU Save. Still detecting WhenU Save are:

Intermute SpySubtract
McAfee AntiSpyware
Microsoft Anti-Spyware
PC Tools Spyware Doctor
Spybot Search & Destroy
Sunbelt CounterSpy
Webroot Spy Sweeper
Xblock X-Cleaner

As you know, there are many more anti-spyware applications available on the Net, and I have not tested all of them against the BearShare/WhenU installation. The applications listed above do detect that adware bundle, though.

Second, as noted on all my pages at Spyware Warrior, since late November 2004 I have performed part-time consulting work as an independent contractor for Sunbelt Software, makers of CounterSpy. Because of that relationship and the conflict of interest that it represents, I must recuse myself from public comment on CounterSpy. That means that I cannot and will not publicly evaluate, test, or even recommend Sunbelt's anti-spyware product. The anti-spyware products that I do recommend, all of which are competitors to CounterSpy, are listed here:

»spywarewarrior.com/asw-f ··· .htm#rec

You'll notice that Pest Patrol and Ad-aware are still on that list. Although I find this situation disturbing, I cannot justify removing those two applications from my short list of recommended anti-spyware applications before having heard a response from the companies involved.

Best,

Eric L. Howes
B04
Premium Member
join:2000-10-28

1 recommendation

B04 to dadkins

Premium Member

to dadkins


"Advertising You Want" To Inflict On Others.

They're marketing to THEIR customers.

-- B

dadkins
Can you do Blu?
MVM
join:2003-09-26
Hercules, CA

1 edit

dadkins to eburger68

MVM

to eburger68
Sic 'em Eric!

EDIT: Thanks for the list of vendors that are still targeting this BS!

Intermute SpySubtract
McAfee AntiSpyware
Microsoft Anti-Spyware
PC Tools Spyware Doctor
Spybot Search & Destroy
Sunbelt CounterSpy
Webroot Spy Sweeper
Xblock X-Cleaner

I have three of these still attacking WhenU... time to go get #4.
ltship
join:2002-08-11
Sturgeon Bay, WI

ltship to eburger68

Member

to eburger68
Eric is on track and doing what he does best.. letting everyone know where the problems are and asking the right questions of the vendor(s).

If and when we see what Lavasoft's reply is to Eric's inquiry should we then decide what course to take.. of course, I myself will weight Eric and other professionals opinions on if AdAware is to be a trusted removal program for the future in my suite of removal tools I use daily in my shop.

With other programs out there able to find and remove WhenU, we have time to sit and wait.. so the sky is not falling.. yet.

Tks Eric..

antiserious
The Future ain't what it used to be
Premium Member
join:2001-12-12
Scranton, PA

antiserious to eburger68

Premium Member

to eburger68

... thanks again eric ... just one more reason NOT to depend on any one product to 'cover your rig' ...

... good luck getting a straight answer from Lavasoft ... and while I respect Patrick for Spybot, when S&D recently 'pre-checked' a few 'Ignore Products' did they announce or disclose that? ... I don't recall seeing any notice - but to be fair, they DO provide a way to go in and 'un-check' those exclusions (which I do and recommend) ... I can see no way to undo what Lavasoft has done, short of the 'revert-to-older-defs' route some suggested (which I don't see as a viable solution) ...

... f w i w ...

COMMAN
Plug Me In
join:2000-07-17
Mount Juliet, TN

1 recommendation

COMMAN to eburger68

Member

to eburger68
Eric,
For your efforts, and for your sense of ethics (SO lacking in SO many people/companies), THANK YOU!!!!

If the company you are presently consulting for produces an anti-spyware app. based on your work, then you SHOULD talk about it. If they think enough of your work to support it commercially, then by all means I think enough of them to buy their product. There are too few of you "real white-hats" left on the net, and I believe in putting my money where the good guys are.

Keep up the good work!

StraitShoot
Who Loves Ya Baby? - Theo Kojak
Premium Member
join:2003-02-08
Clinton, MA

StraitShoot to eburger68

Premium Member

to eburger68
Believe me, from what I am seeing, and what I've been testing lately, the only 3 anti spyware apps I like are...

1. Spysweeper
2. McAfee Antispyware..(it isn't too bad, actually)
and of course Spybot S&D.. but Spysweeper seems to have the edge IMHO...

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy to eburger68

Premium Member

to eburger68
If Lavasoft's decision to de-list is based even in part on the
new "BearShare comes with ads - Please read this carefully"
disclosure/acceptance agreement then it would seem a fair question
to ask is "Have all the installs previous to this new disclosure been giving
opportunity to visit the new disclosure & decide wether to keep or scrap
the installation? There's no question they have the ability to present this
new disclosure on any/all of the systems infected by them.
eburger68
Premium Member
join:2001-04-28

eburger68

Premium Member

Hi All:

Paul Laudanski at CastleCops has weighed in with his thoughts:

WhenU lives on the edge of danger
»castlecops.com/article5739.html

Best,

Eric L. Howes
Expand your moderator at work

EFudd
Premium Member
join:2001-09-08
Brownsville, OH

EFudd to eburger68

Premium Member

to eburger68

Re: ASW Vendors in La-La Land

This may be of interest to others:

This past Friday I was trying to remove a combination of trojan and adware from my sisters Win98 computer. I was able to knock everything out with both Norton, Ad-Aware, and using Add/Remove Programs except for one pesky adware program.

I didn't pay that much attention to Ad-Aware not removing it, nor did I think to try and find out what program it could have been.

I was able to remove its reference in the Registry Run key after I disabled the program by doing the ctrl-alt-dlt and EndTask. It would re-add itself to the registry if you didn't EndTask on it by pointing to 2 different filenames( size around 498kbyte ) in the C:\Windows\System directory that had the hidden attribute activated.

I don't know if this is part of When-U, but if its not, maybe it points to a new Adware program that isn't in the definitions yet, or worse... possibly more delistings.

Whatever the reason, this was definitely Adware as it had pop ups when connected to the net( without opening a browser ) and would try to get you to connect to the net when you first turned the computer on if you weren't already connected to the net.