Spyware Weekly Newsletter :· September 3, 2003

The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. http://www.spywareinfoforum.info/newlsetter/sep3,2003.

Permlink | Top

Sharman Networks has released a premium version of its Kazaa peer-to-peer file sharing software. The new software, Kazaa Plus, does not come bundled with the advertising spyware applications found in the free version. Kazaa Plus sells for $29.95 (USD).

In addition to being free of advertisements, Kazaa Plus also sports several new features. Kazaa Plus enables users to start searches that run every 30 minutes for a 24-hour period, offering potentially up to 9,000 results; customer email support by Avalon Online Distribution; faster and more effective search and download capabilities, allowing users access to up to 3,000 results per search; download files from up to 40 sources at one time, up from only eight in the advertising supported version; set the default homepage of your choice; enhanced virus protection, courtesy of the built-in antivirus program, BullGuard.

Please note that I have not tested this piece of software and cannot verify the claim that it is free of all adware and spyware.

In what I presume is an unofficial part of their marketing strategy, Sharman Networks recently issued a DMCA violation notice to search engine giant Google. The notice asks Google to remove fourteen specific web sites from any search for the keyword "kazaa", claiming that those sites host software that infringes on their copyright. In fact, six of those sites are download mirrors for various versions of Kazaa Lite, an unauthorized copy of Kazaa which users have decompiled to remove the bundled spyware.

Google did remove the web sites listed in Sharman Network's letter, but they also sent that letter to Chilling Effects, a web site that archives threatening "cease and desist" type letters. A search for Kazaa on Google now includes a notice about the listings that have been removed, including a link to the DMCA letter. The letter lists the address of every single site that Sharman wanted removed from Google's search results. Sharman's attempt to censor Google's search results actually has resulted in far more exposure to those sites than they otherwise would have received.

Does this mean that I recommend Kazaa now? No, it does not. I still recommend WinMX, which has never included ads or spyware, and hopefully never will. It is also free.

Links:

http://www.kazaa.com :: Kazaa web site
http://www.winmx.com :: WinMX seb site
http://www.zeropaid.com/news/articles/auto/08282003d.php :: Kazaa Plus press release
http://www.chillingeffects.org/dmca512/notice.cgi?NoticeID=789 :: DMCA notice sent to Google

Permlink | Top

Author: Spyblocker Software
Platform: Microsoft Windows XP, 2000, Me, 98
Purchase Options:
Spyblocker $19.95
Spyblocker plus lifetime upgrades $39.95 $33.96
[15% off for SpywareInfo readers until September 10, 2003]
Newsletter subscribers, use the links in your email, not the links on this page.

Many Web sites have ads that are distracting and a drain on bandwidth. Some sites send cookies and other files to your computer. Still others acquire information about you, your machine, and your browsing habits by using single-pixel Web bugs and other methods.

SpyBlocker monitors this type of Web activity and allows users to control or block the ads and tracking systems. But SpyBlocker goes one step further. SpyBlocker strips ads out of ad-supported software, disabling the ad module and tracking capabilities without disabling the functionality of the program until you discover the program is 'spying' and remove it.

Spyblocker is a favorite among the experts who regularly help people out at the SWI support forums. It's a powerful program that can go a long way toward securing your computer from all sorts of malware that can infect you just by browsing the internet (activex drive-by, rogue javascripts, etc). It can even block spyware from calling home if you don't realize you have it installed.

http://www.spywareinfoforum.info/downloads/spyblocker/ Spyblocker feature page

Permlink | Top

Symantec has announced that Norton AntiVirus 2004 will be capable protecting against rogue applications such as keystroke loggers and spyware. "The additional protection provided by Norton AntiVirus 2004 helps combat spyware and keystroke logging programs, which can be left behind by some of these new blended threats. Spyware can also be acquired through everyday Web surfing, installing itself in the computer's background, is also frequently with most users never knowing it is there," says Steve Cullen, senior vice president of Consumer and Client Product Delivery at Symantec.

For my part, I don't know what criteria Symantec will have for adding targets. Will they add commercially available keylogging spyware such as e-blaster and WinWhatWhere? Or only the keyloggers that are installed by hackers to steal information from victims? Other than the price tag, there is no real difference between a commercial spyware program and a remote access trojan. Existing antispyware products treat one no different from the other, and I hope Symantec follows this example and gives no special treatment to commercial spyware.

I also hope they give no special treatment to advertising parasites such as Gator, SaveNow, and CommonName. Traditionally, antivirus products have paid no attention to spyware and adware, and it remains to be seen what they will target and what they will not. Nothing would be worse than to have Norton Antivirus declare a computer to be free of spyware despite the presence of an unwanted parasite such as Gator.

I worry about this because other antivirus products target a limited number of spyware and browser hijackers. Usually these are limited to targets that exploit java and ActiveX flaws to install or that are distributed in a manner similar to viruses or trojans. Other software that should be targeted often is not included. I worry about people having a false sense of security.

Further, I should note that no one from Symantec has contacted me about joining the mailing list sent to nearly all other antispyware developers. Spywareinfo is the place where most new spyware is reported first, and we have the means of alerting the professional software developers of these new targets.

We are commonly first to receive samples of new spyware and are usually the first to figure out a manual fix. We also have a password-protected private area at SpywareInfo that contains hundreds of live samples of spyware, browser hijackers, trojan, and other parasites.

At the risk of sounding arrogant, no product that claims to target advertising spyware really can be taken seriously unless they are on that mailing list. The mailing list is available free of charge to any developer of legitimate software that protects the privacy of consumers, including antispyware and antivirus software.

If anyone at Symantec is reading this, contact me so that we can include your developers on that list. That offer is also for the developers of any other legitimate software in this category that are not already on the list. Developers of non legitimate software need not apply.

Links:

http://www.spywareinfoforum.info/forums/ :: SWI Forums
http://www.symantec.com/press/2003/n030825a.html :: Symantec press release
http://www.safer-networking.org/?page=knowledgebase/ripoffs :: Software allegedly ripping off Spybot S&D

Permlink | Top

A nasty new browser hijacker/trojan has been discovered and is spreading across the web at a rapid pace. Dozens of threads have sprung up at the support forums started by people infected with the Surferbar hijacker.

There are two known variants of this hijacker currently, which I'll call Surferbar.a and Surferbar.AFlooder. Both variants hijack Internet Explorer's start page to www.surferbar.com.

Surferbar.a is a simple browser hijacker and can be cleaned up easily using HijackThis (download). Look for the following entries in HijackThis and have it remove them:

O4 - HKCU\..\RunOnce: [win32] c:\program files\winsrv32.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surferbar.com/
O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - c:\PROGRA~1\win32.dll

When you have done that, find and delete c:\program files\winsrv32.exe.

A few victims are convinced they received Surferbar.a after downloading and installing Kazaa Lite K++. I haven't had a chance to clarify if they meant the software itself installed the hijack, if a pop up ad on a mirror site installed it, or if they both used the same download mirror. Presently, this information is very much unconfirmed. However, I recommend staying away from Kazaa Lite even without this problem, as it's an unauthorized cracked version of the real Kazaa.

Surferbar.AFlooder is rather more complicated. In addition to hijacking the start page and adding an unwanted toolbar, this variant appears also to be either a keylogger or a remote access trojan (or both), and possibly an SMTP proxy for spammers to use to relay spam.

Surferbar.AFlooder uses an obscure method of writing data to an NTFS-formatted hard drive to embed itself directly into your system32 folder. Not inside the folder, actually embedded within the folder itself. It sounds nuts, but the NT File System allows that to happen using something called "Alternate Data Streaming" (ADS).

ADS allows you to store information "under the hood" of the file system, where normally you cannot see or manipulate it. Think of ADS information as metadata, similar to track/artist/title information that can be stored in an MP3. Unfortunately, Microsoft has provided no way to view or manipulate this ADS information without the use of third-party tools.

Fortunately, this parasite includes a not-so-secret uninstall command, which is revealed in a string of text within the file. If you or someone you are helping has been hijacked to surferbar.com, but you do not have the winsrv32.exe startup entry, then you probably have the AFlooder variant. Your HijackThis results will be similar to this:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surferbar.com/
O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - c:\PROGRA~2\win32.dll
O4 - HKLM\..\Run: [tywsmhd] rundll32 C:\WINDOWS\System32:tywsmhd.dll,Init 1

Removing these entries with HijackThis is of no use. A program running in the background immediately will reinstall any entries that are removed. Even booting to safe mode won't help with this.

Pay attention to the path of the dll file, C:\WINDOWS\System32:tywsmhd.dll in the example above. The exact name of the dll will be different each time. Click the "Start" menu, select "Run", and type: rundll32 C:\WINDOWS\System32:tywsmhd.dll,Uninstall. Remember to change the name of dll file to match that found on your computer. Click on "OK", and that should uninstall the parasite completely.

Those of you reading this online, please bear in mind that is information was written on September 2, 2003, and may be out of date by the time you read this. If these instructions do not help you remove this parasite, please ask for assistance at our support forums.

Links:

http://tomcoyote.org/hjt/ :: Download HijackThis
http://www.spywareinfoforum.info/forums/ :: SWI Forums
http://patriot.net/~carvdawg/docs/dark_side.html :: Alternate Data Streaming explained

Permlink | Top

The popular search engine Dogpile has released a new toolbar add-on for Internet Explorer. Sadly, rather than create a useful utility and promoting it in an acceptable manner, Dogpile has chosen instead to create a parasite and force it onto the computers of unwitting web surfers.

According to Javacool Software, developer of SpywareBlaster, ActiveX applets loaded from hidden windows are installing this toolbar on at least one web site. That behavior is called "drive by downloading" and it makes the toolbar "foistware". That by itself qualifies the toolbar as a legitimate target of such programs as Aluria Spyware Eliminator and Spybot S&D.

In addition to installing from an Activex driveby, the toolbar also spies on anyone that has it installed.

http://www.infospace.com/_1_5CYUEV03GDNRZM__blsrch.dp/tbar/privacy.htm

In the course of using the Downloadable Toolbar, the Downloadable Toolbar automatically records certain information about your use of the Downloadable Toolbar and the Internet: time and date of login; duration of session; URL hits during session; advertisements served during the session via the Downloadable Toolbar; software add-ons installed via the Downloadable Toolbar; when you send a message sent via the Downloadable Toolbar, the time you send the message and the recipient's user name or email address. This information enables us to catalog traffic patterns and other usage statistics, which helps us better tailor our services to the needs of our users.

The behavior described in that privacy statement matches exactly the definition of 'advertising spyware'. It is unfortunate that Dogpile has chosen to take their business in this direction. It is exactly this kind of behavior that launched the antispyware movement in the first place, and I expect that this toolbar will be added to target lists very soon.

Links:

http://security.kolla.de/ :: Spybot
http://www.dogpile.com/ :: Dogpile's web site
http://www.spywareinfoforum.info/rd/aluria/ :: Aluria Spyware Eliminator
http://www.wilderssecurity.net/spywareblaster.html :: Spyware Blaster

Permlink | Top

The popularity of SpywareInfo never ceases to amaze me. Every time I think I've upgraded the hosting package to the point that I don't need to worry about bandwidth, it turns out to be not enough. Between ten and fourteen thousand people visit the site each day now. There was one day last month where I logged almost 20,000 visits before midnight rolled around.

Last month, a quarter million visitors downloaded fifty-five gigabytes of data from the SpywareInfo server. Unfortunately, my hosting plan only pays for forty of those gigabytes. The rest are billed as an "overage" at $2 per gigabyte.

The usage was over in July also, but it was by a trivial amount and I considered it to be a fluke. Unfortunately, it doesn't look like a fluke anymore.

Yesterday, 13,916 people visited the site. The day before that, it was 13,738 people. Between them, they used nearly four gigabytes of bandwidth, and there's still 28 days left in this month! This is not a good sign.

I guess I'll be renegotiating my hosting package again sooner than I expected.

Permlink | Top

As some of you know, I receive a commission for the sale of much of the software listed on the web sites's software page. These listings help pay for the site's hosting bill (see previous item).

One of the companies whose affiliate program I am signed up for, LIUtilities, distributed a mailing yesterday to their affiliates. In this mailing, they strongly recommended that we all start advertising their software with pop up ads. After reading that email, I was livid.

I don't agree with the practice of blocking most web site advertisements, but I make an exception for pop up ads. The scumbag who came up with the idea of pop up ads deserves a fiery afterlife for the hell he has made the internet. I block all pop ups by default and recommend that everyone else also block them.

I understand that many of the companies whose products I pitch on the site or in this newsletter use pop ups on other sites. That's fine, but those pop ups will never be used on SpywareInfo, ever. However, to send a newsletter to affiliates recommending that they all use pop ups -- that is just over the line.

LIUtilities sells SpeedUpMyPC, Wintasks Pro, and some other program whose name escapes me. Wintasks Pro used to be listed on the software page. The link has now been removed. I was planning to review it at some point in the future, but that is canceled now. I was also going to review SpeedUpMyPC at one point, but I didn't like it when I tried it, so I decided not to bother with it.

I know that the marketing people and developers for several of the things listed on my site read this. Pay attention to this one section, even if you glaze over the rest of the newsletter. I loathe pop ups, as does every other person with internet access that I have ever talked to. What your other affiliates do is none of my concern (to a point). Don't send a mailing to me that encourages lord knows how many affiliates to use pop ups, or I'll remove every link to your company from my site. I don't care how much money that costs me.

Links:

http://www.spywareinfoforum.info/downloads.php :: Software Page

Permlink | Top

Do you like SpywareInfo and this newsletter? Then please tell a few friends about it! We are trying to come up with ways to increase the number of visitors to the web site and the number of subscribers of this newsletter.

Recently I signed up for RecommendIt's service, also used by Scot Finnie and Fred Langa. When you use RecommendIt's service to send a link to a friend or family member, you can also choose to enter a contest with a grand prize of $10,000.

The privacy policy of the site looks solid and I did ask around if anyone had heard anything bad about it before I signed up for it. You can use their service to recommend SpywareInfo to someone you know at http://www.recommend-it.com/l.z.e?s=881459

Of course, you don't *have* to use RecommendIt's site to send a friend a link to the site. Just sending an email will also do the trick.

Links:

http://www.scotsnewsletter.com Scot Finnie's Newsletter
http://www.langa.com/newsletter.htm The Langalist