4 edits
22 recommendations
ASW Vendors in La-La Land

Hi All:

Mike Healan of SpywareInfo.com and Suzi of Spyware Warrior have early word on some puzzling new developments on the anti-spyware front -- see:

Dont Drink the WhenU Kool-Aid
http://netrn.net/spywareblog/archives/2005/02/13/dont-drink-the-whenu-kool-aid/

Leading Antispyware Vendors Quietly Drop WhenU Detection
http://www.spywareinfo.com/articles/spyware/whenu_detection_dropped.php

At the heart of this strange tale is WhenU, the well-known adware vendor that struck a controversial deal with anti-spyware maker Aluria late last year:

http://www.dslreports.com/forum/remark,11723816~mode=flat

I should note that Mike's and Suzi's reports are based on some routine testing that I performed with the latest version of BearShare, a popular P2P file sharing application that bundles WhenU Save.

Here's what we know:

1) Lavasoft has Removed WhenU from its Detections Database

Lavasoft removed WhenU's applications from their definitions database sometime in the last month -- it looks like it was probably the Feb. 5 update, but it might have been earlier. It was certainly done after the Dec. 29th update, because WhenU's SaveNow is confirmed detected with that definitions database.

The problem is that nowhere did Lavasoft announce this significant change publicly. It certainly didn't appear in any of their recent update announcements, where removals are typically disclosed:

02-05-05 http://www.lavasoftsupport.com/index.php?showtopic=58404
01-25-05 http://www.lavasoftsupport.com/index.php?showtopic=57706
01-11-05 http://www.lavasoftsupport.com/index.php?showtopic=56758

This failure to disclose the removal of WhenU from the Ad-aware detections database to Lavasoft's customers is a serious matter. Whatever one thinks of the de-listing, it should have been disclosed and Lavasoft should have offered an explanation for this change in policy in a clear, public manner. It did not.
Instead, it slipped the change into its detections database and failed to inform users, even after users began to complain that WhenU was not being removed, such as this Lavasoft customer did here:

http://www.lavasoftsupport.com/index.php?showtopic=58669&hl=whenu

2) Pest Patrol has Removed WhenU from its Detections Database

It also appears that Pest Patrol removed WhenU from its detections database, though the situation here is a bit murkier. With the latest definitions Pest Patrol 5 does not flag any of the WhenU Save files. Strangely enough, it does flag a number of WhenU Registry keys, but erroneously labels them as BargainBuddy, Mirar Toolbar, and PurityScan. A sample chunk from a Pest Patrol 5 scan log:

said by PPv5Log.txt:

2/13/2005-4:11:05 PM,29692390,-1630934736,Detected,BargainBuddy,Adware,453068324,key "hkey_local_machine \software\whenusave" value "iptomsa_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607404736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "uninstalltag_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607304736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "urlchangecount",-1,
2/13/2005-4:11:07 PM,29692390,-1607304736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "timeddbupdate_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607304736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "heartbeattime",-1,
2/13/2005-4:11:07 PM,29692390,-1607204736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "msa",-1,
2/13/2005-4:11:07 PM,29692390,-1607204736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "maxpopups_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607204736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "iptomsatime_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607204736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "src_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607104736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "himp_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607104736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandskin_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607104736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandstrip_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607004736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandstrip_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607004736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "db_incomplete",-1,
2/13/2005-4:11:07 PM,29692390,-1607004736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "db_server_update",-1,
2/13/2005-4:11:07 PM,29692390,-1607004736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "db_stamp_rs",-1,
2/13/2005-4:11:08 PM,29692390,-1604494736,Detected,PurityScan,Adware,453073488,key "hkey_classes_root \wusn.1" value "wusn_id",-1,
2/13/2005-4:11:13 PM,29692390,-1551924736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandstrip_rs" data "24",-1,
2/13/2005-4:11:13 PM,29692390,-1551924736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandstrip_url" data "http://spweb.whenu.com/save_brand3.html",-1,
2/13/2005-4:11:13 PM,29692390,-1551824736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "src_url" data "http://spweb.whenu.com/pop_up/",-1,
As you can see from one of the attached screenshots, Pest Patrol still detects BearShare, the host application, which is an odd arrangement indeed.

The situation is just as confused on the Pest Patrol web site, where the "Most Prevalent Pests" as of 2/13/04 listed 4 WhenU applications:

http://research.pestpatrol.com/Lists/MostPrevalentPests.asp

If you click the names on that page for more information, you'll get next to nowhere, as the most obvious pathways to Pest Patrol's write-ups on WhenU's applications are now broken. The pages can still be found, as Suzi notes -- they're just not findable using the research page search function.

There are some tantalizing hints on Google that WhenU's de-listing was disclosed on this page:

http://research.pestpatrol.com/News/New_And_Improved_Detections.asp

That de-listing seems to have happened with an earlier update that is no longer detailed on the above web page. Even if it was disclosed on that page, the change certainly was not prominently announced, nor do we have a public explanation for Pest Patrol's decision to de-list WhenU.

3) Aluria Security Center 4.0 Detects WhenU as Spyware

In what is surely the strangest twist in this whole story, Aluria's recently released Security Center 4.0, which incorporates the latest version of its standard anti-spyware application Spyware Eliminator, *does* detect WhenU Save as "spyware" (see the second attached screenshot above). This comes as a surprise because Aluria recently declared WhenU to be "Spyware-SAFE":

http://www.aluriasoftware.com/spyware-safe/site/www.whenu.com/

It also partnered with WhenU to offer an adware-supported anti-spyware application called UControl:

http://www.whenu.com/whenu_solution.html

Why Aluria's anti-spyware application would be flagging WhenU as "spyware" at the precise moment when Lavasoft and Pest Patrol are de-listing WhenU is puzzling.
We don't know at this point why Lavasoft and Pest Patrol apparently decided to de-list WhenU from their definitions databases, though we strongly suspect that these decisions are in reaction to a new notice and disclosure screen for WhenU Save that was recently added to the BearShare installation process (see the third attached screenshot above).

Full Disclosure:

In the course of my work on spyware and adware issues I routinely talk with a number of companies, individuals, and organizations, including anti-spyware vendors of all sorts. I also have occasion to exchange views with adware and spyware vendors, as readers of this forum will be well familiar with:

http://www.dslreports.com/forum/remark,10804038~mode=flat~start=0

As it happens, I became familiar with the new notice/disclosure screens for WhenU that were just recently incorporated into the latest installation of BearShare from several discussions with Avi Naider of WhenU. In fact, it was in the process of reviewing this new BearShare installation that I stumbled across the anomalous behavior with Ad-aware, Pest Patrol, and Aluria reported above.

Although I, like Mike Healan, regard the new notice/disclosure screens incorporated into BearShare to be a significant improvement on the installation process previously used in BearShare, I cannot recommend that anti-spyware vendors de-target WhenU's applications at this time for a number of reasons.

More importantly, though, I am very disappointed that anti-spyware vendors might have de-listed WhenU's applications without publicly and forthrightly announcing and explaining those changes to their users. Anti-spyware vendors are in a business that places a premium on trust, and it is critical that they be forthright with their customers -- many of them the victims of unscrupulous commercial behavior -- at every step of the way.
When anti-spyware vendors de-list an adware application like WhenU from their detections, they have a duty to report that change in policy to their users. At the present point in time, it appears that Lavasoft and Pest Patrol did not fulfill this obligation to their users, and that is unfortunate.

Conclusion

In closing I should also note that I have asked Lavasoft about its removal of WhenU from the Ad-aware detections database -- see:

http://www.lavasoftsupport.com/index.php?showtopic=58938

At this time I have received no response from Lavasoft, though I look forward to both Lavasoft and Pest Patrol providing users a forthright explanation of their targeting policies for WhenU and any recent changes they might have implemented in those policies.

Best,

Eric L. Howes
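The label mismatch visible in the Pest Patrol log quoted in the post above can be checked mechanically across a whole scan log. This is an added example, not part of the original post or of any vendor's tooling: the field layout is inferred from the quoted excerpt, and the owner-hint table, the `WhenUSave` label and the last sample record are constructed for illustration.

```python
import re
from collections import Counter

# Three records copied from the PPv5Log.txt excerpt in the post, one
# malformed line, and one constructed record (last line) that carries a
# hypothetical "WhenUSave" label so the matching path is exercised too.
SAMPLE_LOG = r'''
2/13/2005-4:11:05 PM,29692390,-1630934736,Detected,BargainBuddy,Adware,453068324,key "hkey_local_machine \software\whenusave" value "iptomsa_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607404736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "uninstalltag_rs",-1,
2/13/2005-4:11:08 PM,29692390,-1604494736,Detected,PurityScan,Adware,453073488,key "hkey_classes_root \wusn.1" value "wusn_id",-1,
truncated line without the expected fields
2/13/2005-4:11:09 PM,29692390,-1600000000,Detected,WhenUSave,Adware,453000000,key "hkey_local_machine \software\whenusave" value "msa",-1,
'''

# Layout inferred from the excerpt: timestamp, two numeric fields, the
# literal "Detected", label, category, an id, then the registry artefact.
RECORD = re.compile(
    r'^(?P<when>[^,]+),[^,]*,[^,]*,Detected,'
    r'(?P<label>[^,]+),(?P<category>[^,]+),[^,]*,'
    r'key "(?P<key>[^"]+)" value "(?P<value>[^"]*)"'
    r'(?: data "(?P<data>[^"]*)")?'
)

# Registry path fragment -> product family that owns the artefact.
# Both entries are assumptions taken from the post's statement that the
# flagged keys are WhenU registry keys.
OWNER_HINTS = {r"\software\whenusave": "whenu", r"\wusn.": "whenu"}


def audit(log_text, hints=OWNER_HINTS):
    """Report detections whose label does not name the artefact's owner."""
    mismatches, labels, unparsed = [], Counter(), 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD.match(line)
        if not m:
            unparsed += 1          # keep count instead of silently dropping
            continue
        # The log wraps the hive and the path with a space; normalise it.
        key = re.sub(r"\s+", "", m["key"]).lower()
        owner = next((fam for frag, fam in hints.items() if frag in key), None)
        if owner is None:
            continue               # no hint for this artefact, no opinion
        labels[m["label"]] += 1
        if owner not in m["label"].lower():
            mismatches.append((m["label"], key, m["value"]))
    return {"mismatches": mismatches, "labels": labels, "unparsed": unparsed}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for label, key, value in report["mismatches"]:
        print(f"{key} [{value}] reported as {label}")
    print("labels seen on hinted keys:", dict(report["labels"]))
    print("unparsed lines:", report["unparsed"])
```

A non-empty mismatch list means the scanner is still touching the product's artefacts while attributing them to something else, which is the situation the post describes.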
fascinating post. thank you, & i bet many of us in the forums will keep tuned for new developments.
/end_harm
to eburger68
This is pretty confusing. I'm not sure what it means, or even what you can extrapolate from it.
Is Aluria trying to regain some of the legitimacy they lost in the WhenU deal? Was the WhenU deal only so WhenU could buy a branded version of the Aluria client to sell?
Has WhenU successfully wooed Pest Patrol and Lavasoft? If so, why were the removals done so abruptly, and so secretively?
to eburger68
Very strange, indeed, Eric. Thanks so much for posting this. I would be very interested in seeing a response from those Antispyware vendors as to why they delisted WhenU without any notice. I'd like to know on what basis this was done and why they didn't tell us.

Hickerx2 God Bless The U.S. Military join:2001-03-04 Franklinville, NY
to eburger68
There is a question posted regarding this in the Lavasoft forums as well. If they don't come up with a good explanation for this action, I will demand a refund, and recommend against AAW to every one of my customers. WhenU meets every single requirement and all criteria for adware. Omission from detections can only be construed as greed by Lavasoft, as I'm sure monies were paid by WhenU

Toymaster Premium Member join:2001-12-27 Flint, MI
to eburger68
My question is does Spybot Search and Destroy still list the above programs or target ad program as spyware...I have not used Lavasoft for a while now and never use Aluria or Pest Patrol products. At this point I see no reason to use said products. I hope none of these were products you have to actually pay for, I will continue to donate my funds to free products I deem trustworthy, Spybot. And if they were purchased products can the consumer retaliate against said company for false advertising?
to eburger68
Thank you for that wonderful post. I have uninstalled Ad-Aware as I no longer trust Lavasoft and their Ad-Aware product as a tool to identify software that may be malicious or annoying.

B04 Premium Member join:2000-10-28
B04
Premium Member
2005-Feb-14 9:59 am
The Ad-Aware "deal" (if that's what it is) is the only somewhat surprising part of this.
I've viewed Lavasoft with distrust for YEARS now.
Recently I've used it once or twice in a pinch. I now feel very bad about that decision.
Lavasoft hasn't been on the side of the angels in quite a long time.
Long live Kolla (Spybot). He may be the only trustworthy provider of this stuff.
-- B
timcuth Braves Fan Premium Member join:2000-09-18 Pelham, AL
2 recommendations
timcuth
Premium Member
2005-Feb-14 10:20 am
If Patrick Kolla is the only one continuing the good fight, then we should all probably help by sending him some monetary support.
Tim
1 recommendation
speedwell to eburger68
Anon
2005-Feb-14 10:35 am
to eburger68
I'm going to go give that good man some cash right now...

dadkins Can you do Blu? MVM join:2003-09-26 Hercules, CA
6 recommendations
to eburger68
Is this next?

markwp2001 Spreadhead Premium Member join:2002-05-25 Long Beach, MS
to eburger68
Many thanks for staying on top of this, eburger. Hope I can buy you a beer or single malt one of these days.

salzan Experienced Optimist Premium Member join:2004-01-08 WA State
to eburger68
Very interesting post. It makes me wonder how many other backroom deals may have been struck that are as yet undiscovered.
Perhaps AdAware would be more effective using a pre Dec. 29 database for the time being. Obviously this would be a short term solution...
1 recommendation
to eburger68
One angle of this we might be overlooking is that there may be certain legal proceedings going on in the background that are forcing certain companies to remove detection from their products. Whenever an anti-virus vendor has a false positive, everybody gets up in arms and the people whose software is falsely identified seem to start legal proceedings. I don't doubt the spyware vendors would try and push the anti-spyware companies out of business.
Do we know if Lavasoft is being pressured behind the scene?
Just a thought,
Chris

Doctor Four My other vehicle is a TARDIS Premium Member join:2000-09-05 Dallas, TX
1 recommendation
to eburger68
I'm glad I dumped CA's EZ Antivirus in favor of Avast Home edition a few days ago. Even though their Pest Patrol division pulled out of COAST (of which WhenU is a member), the fact they removed WhenU from their detections makes me trust them even less. And Lavasoft, who has been known to post in this forum at times, is curiously silent on this. I'm waiting for them to respond to this situation; if none is forthcoming within a timely manner, I will dump Ad Aware by the end of the week.

B04 Premium Member join:2000-10-28
1 recommendation
to mstrlogcrw
said by mstrlogcrw:
One angle of this we might be overlooking is that there may be certain legal proceedings going on in the background that are forcing certain companies to remove detection from their products. Whenever an anti-virus vendor has a false positive, everybody gets up in arms and the people whose software is falsely identified seem to start legal proceedings. I don't doubt the spyware vendors would try and push the anti-spyware companies out of business. Do we know if Lavasoft is being pressured behind the scene?

Good point, but what's the difference? The issue Eric raises is NOT that they apparently and significantly changed the database for reasons unknown, but that they did so without clearly notifying their own customers.

-- B

dadkins Can you do Blu? MVM join:2003-09-26 Hercules, CA
to eburger68
Drize a bone to eburger68
Anon
2005-Feb-14 11:41 am
to eburger68
For pity's sake! I only purchased the Plus version of Ad-Aware about 8 weeks ago to help support their good work. Now they do this!!! It won't stop me uninstalling it and looking for something else though. If they don't give a reasonable explanation then it's going. I'll have to start revising some alternatives that run on Win ME.
6 recommendations
eburger68
Premium Member
2005-Feb-14 11:41 am
Hi All:

I'm glad to see that you've found this information useful and informative. I thought I'd add some other information to head off any potential confusion or misunderstanding.

First, while testing the BearShare/WhenU installation yesterday, I confirmed that a number of reputable anti-spyware applications still detect WhenU Save. Still detecting WhenU Save are:

Intermute SpySubtract
McAfee AntiSpyware
Microsoft Anti-Spyware
PC Tools Spyware Doctor
Spybot Search & Destroy
Sunbelt CounterSpy
Webroot Spy Sweeper
Xblock X-Cleaner

As you know, there are many more anti-spyware applications available on the Net, and I have not tested all of them against the BearShare/WhenU installation. The applications listed above do detect that adware bundle, though.

Second, as noted on all my pages at Spyware Warrior, since late November 2004 I have performed part-time consulting work as an independent contractor for Sunbelt Software, makers of CounterSpy. Because of that relationship and the conflict of interest that it represents, I must recuse myself from public comment on CounterSpy. That means that I cannot and will not publicly evaluate, test, or even recommend Sunbelt's anti-spyware product.

The anti-spyware products that I do recommend, all of which are competitors to CounterSpy, are listed here:

» spywarewarrior.com/asw-f ··· .htm#rec

You'll notice that Pest Patrol and Ad-aware are still on that list. Although I find this situation disturbing, I cannot justify removing those two applications from my short list of recommended anti-spyware applications before having heard a response from the companies involved.

Best,

Eric L. Howes

B04 Premium Member join:2000-10-28
1 recommendation
B04 to dadkins
Premium Member
2005-Feb-14 11:41 am
to dadkins
"Advertising You Want" To Inflict On Others. They're marketing to THEIR customers.

-- B

dadkins Can you do Blu? MVM join:2003-09-26 Hercules, CA
1 edit
to eburger68
Sic 'em Eric!

EDIT: Thanks for the list of vendors that are still targeting this BS!

Intermute SpySubtract
McAfee AntiSpyware
Microsoft Anti-Spyware
PC Tools Spyware Doctor
Spybot Search & Destroy
Sunbelt CounterSpy
Webroot Spy Sweeper
Xblock X-Cleaner

I have three of these still attacking WhenU... time to go get #4.

ltship join:2002-08-11 Sturgeon Bay, WI
to eburger68
Eric is on track and doing what he does best.. letting everyone know where the problems are and asking the right questions of the vendor(s).
If and when we see what Lavasoft's reply is to Eric's inquiry should we then decide what course to take.. of course, I myself will weigh Eric's and other professionals' opinions on if AdAware is to be a trusted removal program for the future in my suite of removal tools I use daily in my shop.
With other programs out there able to find and remove WhenU, we have time to sit and wait.. so the sky is not falling.. yet.
Tks Eric..

antiserious The Future ain't what it used to be Premium Member join:2001-12-12 Scranton, PA
to eburger68
... thanks again eric ... just one more reason NOT to depend on any one product to 'cover your rig' ...
... good luck getting a straight answer from Lavasoft ... and while I respect Patrick for Spybot, when S&D recently 'pre-checked' a few 'Ignore Products' did they announce or disclose that? ... I don't recall seeing any notice - but to be fair, they DO provide a way to go in and 'un-check' those exclusions (which I do and recommend) ... I can see no way to undo what Lavasoft has done, short of the 'revert-to-older-defs' route some suggested (which I don't see as a viable solution) ...
... f w i w ...
COMMAN Plug Me In join:2000-07-17 Mount Juliet, TN
1 recommendation
to eburger68
Eric, For your efforts, and for your sense of ethics (SO lacking in SO many people/companies), THANK YOU!!!!
If the company you are presently consulting for produces an anti-spyware app. based on your work, then you SHOULD talk about it. If they think enough of your work to support it commercially, then by all means I think enough of them to buy their product. There are too few of you "real white-hats" left on the net, and I believe in putting my money where the good guys are.
Keep up the good work!

StraitShoot Who Loves Ya Baby? - Theo Kojak Premium Member join:2003-02-08 Clinton, MA
to eburger68
Believe me, from what I am seeing, and what I've been testing lately, the only 3 anti spyware apps I like are...
1. Spysweeper 2. McAfee Antispyware..(it isn't too bad, actually) and of course Spybot S&D.. but Spysweeper seems to have the edge IMHO...

Snowy Lock him up!!! Premium Member join:2003-04-05 Kailua, HI
to eburger68
If Lavasoft's decision to de-list is based even in part on the new "BearShare comes with ads - Please read this carefully" disclosure/acceptance agreement then it would seem a fair question to ask is "Have all the installs previous to this new disclosure been given opportunity to visit the new disclosure & decide whether to keep or scrap the installation?" There's no question they have the ability to present this new disclosure on any/all of the systems infected by them.
Hi All:

Paul Laudanski at CastleCops has weighed in with his thoughts:

WhenU lives on the edge of danger
» castlecops.com/article5739.html

Best,

Eric L. Howes
EFudd Premium Member join:2001-09-08 Brownsville, OH
to eburger68
Re: ASW Vendors in La-La Land

This may be of interest to others:
This past Friday I was trying to remove a combination of trojan and adware from my sister's Win98 computer. I was able to knock everything out with both Norton, Ad-Aware, and using Add/Remove Programs except for one pesky adware program.
I didn't pay that much attention to Ad-Aware not removing it, nor did I think to try and find out what program it could have been.
I was able to remove its reference in the Registry Run key after I disabled the program by doing the ctrl-alt-dlt and EndTask. It would re-add itself to the registry if you didn't EndTask on it by pointing to 2 different filenames (size around 498kbyte) in the C:\Windows\System directory that had the hidden attribute activated.
I don't know if this is part of When-U, but if it's not, maybe it points to a new Adware program that isn't in the definitions yet, or worse... possibly more delistings.
Whatever the reason, this was definitely Adware as it had pop ups when connected to the net (without opening a browser) and would try to get you to connect to the net when you first turned the computer on if you weren't already connected to the net.