The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Click here to subscribe. Please read our Terms of Use for quoting guidelines.This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/nov4,2004.

Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.

Permalink | Top

In a surprising and unpopular move, the maker of Spyware Eliminator, Aluria Software, has announced that they have entered into a partnership with WhenU.com, a well-known adware company.

There are three separate but related events that have occurred here. First, presumably Aluria Software has removed Whenu.com's software from the targeting database of their Spyware Eliminator product. That means that WhenU software no longer will be flagged for users of Spyware Eliminator. If those people are among the nearly 90% of "users" who don't even realize WhenU's software is installed on their computer, they may not know that it is there until it begins popping up advertisement windows.

The second issue is that Aluria has certified WhenU.com and their software as "spyware free" with a certification program the company maintains. Aluria began this program several months ago.

I always have been of the opinion that trying to maintain a list of software or web sites free of spyware is a lost cause. That list would need to be updated on a daily basis and might lead to expensive and pointless lawsuits.

Many people disagree that WhenU's software should be certified as "spyware free". Earlier this year, Ben Edelman published a study showing that WhenU software transmits the web address of the page a person is visiting when something on that page triggers a WhenU advertisement.

This behavior was inconsistent with WhenU's privacy policy which stated that URLs would not be transmitted to any party. Edelman's study was mentioned by panelist Chris Hoofnagle of the Electronic Privacy Information Center during the FTC's spyware workshop in April of this year.

Not long after this study was publicized, WhenU.com updated their privacy policy to be more consistent with the behavior of the software. I think most people would have preferred that the software's behavior be updated to be consistent with the privacy policy.

The last issue is one that has caused a blizzard of bad publicity both for Aluria and WhenU and has led several antispyware groups, including SpywareInfo.com, to denounce Aluria. Aluria has entered a partnership in which Aluria Software and WhenU.com will develop software together. These two companies now are business partners.

WhenU.com now distributes a program called Ucontrol Scanner, powered by software from Aluria and branded by WhenU, that works as an antispyware scanner. WhenU and Aluria now are in the questionable position of targeting competing adware programs.

Also, WhenU has released another program called WhenUSearch Toolbar which incorporates into it the scanning engine from Aluria Spyware Eliminator. If Eric Howes will excuse me for quoting him, "It now appears that the Aluria scanner is actually bundled or integrated into the WhenUSearch Toolbar. In other words, by removing the WhenUSearch toolbar, other anti-spyware vendors will effectively be removing a competing anti-spyware product."

Some experts are predicting that this whole situation will lead to lawsuits for unfair competition.

The first two issues are disturbing enough. Certainly they led to much anger in the antispyware community and made me question personally whether I wanted to continue to promote Aluria's software on SpywareInfo. The last issue, Aluria forming a partnership with WhenU, decided the question for me.

For some time WhenU has been trying to portray itself as a company undergoing positive changes. Recently their outspoken CEO Avi Naider stepped down to make way for a new man. WhenU claims to have stopped using ActiveX installers, the infamous so-called "drive by download" technique. Probably this was due in large part to the fact that ActiveX installation of software has become more difficult with the recent security updates to Windows XP.

Aluria says it has based its decision on their belief that WhenU has cleaned up its act, that it is now one of the good guys. Certainly no one objects to a company cleaning up its act. There have been several adware or spyware companies which formerly were labeled as one of the bad guys who reformed their behavior. The software of most of those companies have been removed as targets from antispyware scanners. I'll discuss some of those cases later in this newsletter.

The problem here is that Aluria has gone way too far way too soon. Not that I am conceding that WhenU has cleaned up its act but, for the sake of argument, let's say that they have. Let's assume that WhenU has made a complete reversal of its practices and truly is one of the good guys now. Even with this change, it is still outrageous for Aluria to form a partnership with them so soon.

While it is good when a bad company changes their ways, you have to monitor that company for a while to make sure they stay committed to their change.

New.net (or NewDotNet) was targeted by Lavasoft's Ad-aware back in 2001. There were several reasons for this, including questionable distribution policies, lack of disclosure and an uninstaller that simply did not work.

After long, contentious and heated discussions, the software was updated to address the concerns that people had with it. Not everyone was convinced but the changes were good enough for Lavasoft. They made the decision to delist New.net's software - with the understanding that they would be watching it closely.

About a year later, New.net released new software which clearly was adware and which people felt was being installed with inadequate disclosure and with no way to opt-out of installing it. It was a backslide from their earlier decision to stay on the straight and narrow and may have played a part in Lavasoft's decision in 2003 to retarget New.net. Apparently the idea came from New.net's marketing department and was unpopular even within the company. It was withdrawn quickly and the project was ended.

New.net is a good example of a bad company willing to change its ways. It also is a good example of why you must continue to keep an eye on the former bad guys. Had Lavasoft entered into some kind of partnership with New.net, they would have looked pretty stupid a year later when New.net slid backwards briefly. What is Aluria going to do if ever the day arrives when WhenU decides they aren't making enough money and goes back to their old ways?

Aluria's questionable decision has earned them the denouncement of nearly all of the antispyware community. Aluria has been expelled from ASAP, a group of antispyware message board sites formed earlier this year in response to the denial of service attacks on SpywareInfo, TomCoyote and Net-Integration.

Many web sites in the antispyware community are removing Aluria from their list of recommended spyware cleaners. The Ucontrol Scanner may well end up being listed as a rogue application on the Spyware Warrior web site. It is even possible that Aluria may find itself listed there, although I wouldn't support that decision.

I have made the decision to delist Aluria's software from my list of recommended software and no longer will promote it here, something which I have done many times in the past. I also made the decision to revoke Aluria's access to my private mailing list for antispyware researchers and developers as well as to the large collection of malware files that I maintain. Given Aluria's partnership with WhenU, I am unwilling to risk giving WhenU access to these resources. If that partnership were to end, I probably would reinstate their access.

The entire situation is very sad. I like Aluria and I like their antispyware program. I've recommended and promoted it here in this newsletter several times in the past. I have friends that work there. I've put my own credibility on the line more than once to defend the company from accusations of wrongdoing.

My relationship with this company soured quickly after word of the WhenU partnership came out. I even received a harassing email from their CTO at one point. I thought it was a prank at first but it turned out that it was really their CTO writing to insult me and make threats.

It is with profound and sincere regret that I say goodbye to Aluria. Our long and friendly relationship is over.

Links:

http://pcpitstop.com/spycheck/whenu.asp :: WhenU Survey at PCPitstop
http://www.benedelman.org/spyware/whenu-privacy/ :: WhenU Violates Own Privacy Policy
https://netfiles.uiuc.edu/ehowes/www/main-nf.htm :: Eric Howes' Privacy Web Site
http://asap.maddoktor2.com/ :: ASAP
http://www.dslreports.com/forum/remark,11723816~mode=flat :: WhenU Enters the Anti-Spyware Market
http://www.spywareinfo.net/mar26,2004#aluria :: Some bad business at Aluriasoftware

Permalink | Top

Virtual box. Product is available only as a download

Program: Startup Organizer
Author: Metaproducts
Platform: Windows 95/98/ME/NT/2000/XP/2003
License: $25.00
More Info: http://www.metaproducts.com/so/
Purchase: Click here to purchase

You may have noticed your computer becoming slower and slower to start up and slower to operate as time goes by. Even after checking for and removing any viruses and spyware, the computer will become slower than it was right after you brought it home. What causes that? Among other things, the biggest reason for this might be that far too many programs are loading at start up.

We do have programs for use at our message board to help us see what is starting up on a spyware victim's computer. Unfortunately, some of these programs are not friendly to inexperienced users. Startup Organizer makes it extremely easy to manage the software set up to load when your computer restarts.

Startup Organizer looks like Windows Explorer. All of the locations from which software can load is listed on the left in a directory tree. Click on any location to see what files are loading from that location, whether it be the startup folder or from the registry. Programs that load at start up will be shown on the right as if they were files in a folder.

You can disable programs that you do not want loading at start up. You can add programs which you do want to load at start up. If you install a program and it loads up when other users on the computer log into their account, you can alter it so that it loads only when you log into your account. If you want it to load no matter who logs in, or even if no one logs in, you can do that also. If someone else on your computer has installed a program which they use on their account and it annoys you by loading when you log into your account, you can alter it to load only for that particular user.

If you have a lengthy list of programs loading at start up, they can fight with each other for the CPU and hard drive and slow the entire computer down with each reboot. Startup Organizer lets you set programs to run in whatever order you want so that they are not fighting with one another. You can even make the computer restart with nothing loading at all. That is useful if you are installing system updates and have to reboot often.

How does StartUp Organizer offer protection for the computer user?

The program`s StartUp Guard will check and block standard and non-standard ways to start suspicious programs and trojan intrusions. The latest version of StartUp Guard detects DLL files which have access to the memory of your running applications, giving you protection against the next generation of trojan and virus attacks.

A typical computer has more than a dozen programs that are started automatically each time the computer is powered up. Some of these programs are essential utilities that Windows requires. Many of them are remnants of software that you uninstalled months ago, programs that search the Internet to see if there are upgrades for software that you`re no longer using and other dubious software that may be using valuable RAM and hard drive space. By not running unnecessary programs, your computer will run faster and have fewer system conflicts and crashes.

StartUp Organizer offers a real-time monitoring system to alert you when your startup configuration is being changed by a third-party program. This monitoring can be set to warn you when a trojan or other spyware is inserted into your startup processing. It can also be set to automatically ban such programs from being included in your startup process. You can even automatically detect and remove programs which were added to your startup configuration by other software, and easily restore them if, in fact, they don`t pose a security threat.

If you buy Startup Organizer between now and October November 10, 2004, you will receive a free registration code for Metaproducts' Download Express program. Download Express is a free program that makes downloading files from web sites much easier and much more convenient, especially if you are on dialup. It can make some programs download faster by opening several connections at once to the server. The registration code will activate several advanced features not found in the free version. You should receive your Download Express code in your email within 12 hours of your purchase.

If you have any problems with the ordering page or do not receive your Download Express registration code within 12 hours, please email Catherine http://www.spywareinfo.com/email2.php.

Links:

http://www.metaproducts.com/mp/mpProducts_Detail.asp?id=18 :: Download Express
http://www.metaproducts.com/so/ :: More info about Startup Organizer
http://www.spywareinfo.com/email2.php :: Contact Catherine

Permalink | Top

I mentioned earlier that several companies who put out adware or spyware have cleaned up their act. I want to discuss a few of those companies here. I think it's important to point it out when a bad boy starts to behave. Those companies deserve a mention every now and then. It's also important to point out that, when a company truly does turn away from parasitic advertising and installation, they can and will be removed from antispyware scanners.

Kontiki

Kontiki download manager used to install a copy protection program without the knowledge or permission of users. Kontiki was targeted by many antispyware programs for this reason.

After a series of discussions with the developer of Spybot S&D, the developers of Kontiki changed the software so that it no longer installed unrelated software. After confirming that it no longer behaved in an objectionable manner, Kontiki was removed as a target.

TurboTax

In late 2002, Intuit released a new version of TurboTax which included controversial copy protection software from Macrovision. The software, called SafeCast currently but known previously as C-Dilla, was highly suspected to be capable of monitoring and reporting on a user's PC activities as well as disabling CD-ROM drives. In an independent test, PC Magazine tested the software and discovered that it would write data to part of the hard drive from which it could not be removed short of a destructive process known as a low level format.

After an unbelievable storm of protest and under threat of class-action lawsuits and boycotts, Intuit decided to drop SafeCast. In the two years since then, Intuit continues develop TurboTax free of SafeCast.

NewDotNet

I mentioned New.net (or NewDotNet) earlier. It still is controversial and still is disliked by many. In my opinion, nothing about the software in its current form calls for it being targeted by antispyware scanners. However, I would prefer better disclosure when it is bundled with another application and that it be an optional install in every case.

UCMore

UCMore used to be a classic example of advertising spyware. It was installed along with other, unrelated software with no disclosure. Once installed, it would track the URLs a person is visiting on the web, combine that with a unique tracking number and send it to a company server.

Newer versions of the software do none of this. UCMore is not stealth installed with other applications and does not track URLs. It is bundled, with full disclosure, with at least one web browser (Maxthon, formerly MyIE2). I'm not sure if every antispyware scanner has dropped detection for this one. If they haven't, I think probably they should.

There are others that I could mention. This newsletter is going to be too long as it is, so I will stop the list right here.

There is a perception that the antispyware community holds a grudge and never accepts when a spyware company tries to go straight. Certainly Aluria and WhenU both are saying that right now. This is not true. However it is extremely difficult for a company to shed its reputation as a maker of parasitic software.

The maker of Comet Cursor tried several times to have Lavasoft delist their software. New.net actually sued Lavasoft in order to be delisted. Gator went so far as to change the name of their company to Claria as the word "Gator" has become almost synonymous with "spyware" as far as many people are concerned.

As the examples above show, a company truly committed to changing its ways can be forgiven, if not entirely forgotten. I think the perception that the antispyware community never forgives a bad company is due to the fact that when many companies try to have their software delisted, they haven't done enough to deserve being delisted.

Take Comet Cursor for example. Comet Cursor's creator came to Lavasoft several times trying to have it delisted. I meant to participate in that debate but it was about that time that I became disgusted with Lavasoft over a different issue and resigned as an administrator for their message board.

Comet Cursor wanted desperately to come off the target list. Lavasoft would not remove it and CC's developer complained loudly about it. The fact of the matter is that Comet Cursor still deserved to be targeted at that time. Comet Cursor was a drive-by download, installing silently on PCs if ActiveX security had been turned down. In fact, I had it happen to me once and that is how and why I started as an antispyware crusader.

As long as Comet Cursor was unwilling to make its software an optional download instead of an ActiveX drive-by, it had not done enough to be removed as a target. It had nothing to do with a belief that Comet Cursor was spyware. In fact, it was not and never was spyware. Some will dispute that, pointing out that it sends URLs to company servers when the page at that URL includes Comet Cursor code. As far as I'm concerned, that is little different from an advertising banner and really doesn't count as spyware.

Some spyware makers ask to be delisted even when they have made no changes to their software. Some make changes but those changes simply are not good enough. When antispyware vendors rightly turn down their request to be delisted, they make quite a lot of noise about how the antispyware community is just holding a grudge.

So what changes does a spyware company have to make before its products will be deemed acceptable and delisted? That is a hard question to answer today simply because the market is flooded with antispyware removers. Some of those programs themselves deserve to be targeted and all of them are in competition with one another.

Also, while I may be a highly visible voice in the antispyware community, I do not speak for all of its members. I can have a piece of software targeted if I wanted to do so but I would have nearly as much trouble lobbying for something to be removed as would the spyware companies themselves.

Bearing all that in mind, this is what it would take for me, personally, to recommend that a program be delisted once it has appeared on targeting lists. These are the changes that I would have to see in the software.

The software must stop tracking URLs, keyword searches and all other information and sending that information across the internet. That includes unique tracking numbers, no matter what the purpose of the number is. To this I add one exception. If the software displays ads, I have no problem with it reporting which ads are shown or clicked.

The software must not contact, download from or install from any location remote from the PC on which the software is installed, unless the user gives the software permission to do that. That means no autoupdaters that cannot be disabled. That means no downloading or installing software from other partners. That means never, ever connecting to the internet without the user deliberately making it happen.

The software's installer must include at least one screen explaining what it is and that it will install and must include a way to opt out of installing it. If the user chooses to decline the installation, it must not install. If it is bundled with another application, that application cannot be made dependant upon your software being present. That means that if the user turns your software down, the other application which they actually meant to install will continue to install.

If the software is installed using ActiveX, two changes are required. One, it cannot be served on a third party site. That means you cannot run advertising that installs the software via ActiveX. Two, the ActiveX installer must include at least one screen explaining what it is and that it will install and must include a way to opt out of installing it. If the user chooses to decline the installation, it must not install. Better yet, abandon ActiveX entirely and just offer the program as a downloadable installer.

Just because a person is cruising around the web with his security turned off is not an excuse to exploit the situation by installing software without permission. Yes, it is stupid to leave home with the door unlocked. That doesn't excuse someone from walking in and plastering ad posters all over the walls.

Basically, you must move entirely away from the model of "installation at all costs". Adware companies make a lot of noise about users consenting to the installation of their software. When the number of people who don't even realize your software is installed runs at well over 80% of your total users, obviously you are doing something to sneak it onto the system. A user must know the software is going to be installed and cannot be allowed to install it accidently.

As part of the software's operation, it cannot rewrite links in order to generate commissions. By this I mean that when a user clicks on an advertisement or purchase link, your software cannot rewrite the address of that link to include your affiliate ID number. It especially cannot alter an existing affiliate ID number if it belongs to someone else. That does not include advertisements generated by the software itself.

The software cannot change the user's browser settings. This includes, but is not limited to, the home page, the search page, the error handling and especially the security settings. If your software is a toolbar, then it had better add nothing but the toolbar and it cannot change any other settings.

Web sites cannot be added or removed to or from the trusted and restricted zones without explicit permission. The HOSTS file cannot be altered in any way, even if your own web site(s) appear in the file.

The software must appear in the Windows add/remove list and must uninstall completely if the user chooses to remove it. That includes all registry entries, files and directories. There cannot be any trace that the software ever was there.

Under no circumstance whatsoever may the software interrupt its own removal. There can be no screens that pop up asking if the user really wants to remove it. There can be no surveys or questions about why the user is removing it. Once the uninstaller is triggered or another program begins removing it, it simply must disappear.

Yes, that is a long and strict list of changes. I'm sure I could add more if I thought about it for a few more minutes. And yes I am disallowing things that legitimate software does without objection. However, if your company and software currently is considered a legitimate target of spyware scanners, you need to be held to stricter standards in order to prove you are serious about changing.

Sorry if that seems unfair but you shouldn't have let yourself be targeted in the first place. By behaving badly, you brought this on yourself. There are many legitimate adware programs that never have and probably never will become targets of spyware scanners. I'll talk about one of those in the next article.

Permalink | Top

Another misperception - well, disinformation really - about the antispyware community is that we really are all against all forms of advertising. Spyware makers, irritated by the drop in their revenue shortly after we discover their software and inform the public about it, like to claim that we just hate advertising and will oppose anything with an ad banner.

As with their claims of "informed consent", that is a bunch of hooey.

I addressed this myth a few months ago, so if you will excuse me for plagiarizing myself...

Without a doubt, the most common piece of misinformation that you will hear from the malware makers is that "some people just don't like advertising." They will claim that they are doing the public a service by allowing developers to distribute their programs without charging for them by paying them to bundle advertising software. If they are to be believed, the entire controversy over spyware, adware and browser hijacking is by a very vocal minority who don't want to look at advertising.

This is complete garbage. It's a strawman argument that they use to divert attention away from the nastier aspects of their software. Advertising has nothing to do with it.

Sure, there are people who seem to be mortally offended at the whole idea of advertising. They run complicated proxy software and edit their HOSTS files to block thousands of advertising servers just so they won't sully their eyes by seeing a banner ad. The malware makers are right on one point, those people are a minority. In fact, they have nothing to do with the antispyware crowd.

The antispyware community doesn't care that malware causes advertising. Who cares about ads? If someone wants to distribute software for free and pay for it with an ad banner embedded into the program, that's fine. Who cares? No one thinks the Opera web browser is evil because it is adware. You can buy it for 40 bucks or you can have it for free with a banner ad at the top. Advertising has nothing to do with it.

What people complain about is the fact that most of this malware installs without being disclosed. If it is disclosed, the disclosure usually is buried in a huge license agreement. It often cannot be uninstalled easily. It pops up advertisements even if you are not using the program which installed it. It changes browser settings and refuses to let you change them back. In the case of advertising spyware, it logs the addresses of web sites visited, keywords searched for and other information and transmits that back to the company responsible for it.

Many of us in the antispyware community use the Opera browser, do not object to the ads and would be outraged if one of the vendors began to target it. The difference between Opera and the software which we label as spyware is that 1.) it is not foisted upon us by an ActiveX drive-by or by other means and 2.) Opera does not track our activities as part of serving the advertisements.

Most certainly it is adware. It has a full-sized 468x60 ad banner embedded right into the program. Opera also happens to be the web browser of choice of many in the antispyware community. Those people are fiercely loyal to this browser and react harshly to any comments critical of it. No one has ever targeted it as spyware and likely no one ever will.

Opera is very up front about the ads. If you want the advertisements to be more relevant, there is a window in the options panel that lets you fill out a survey. What they do with that information I couldn't say but it is entirely optional. You also can choose to have it display Google ads which will pick advertising based on the context of whatever site you are viewing currently. That's right, contextual advertising in a desktop application and the antispyware community doesn't mind it one bit.

There are other examples of adware programs which are not in the least bit objectionable that I could name but this newsletter already is way too long. Don't believe anyone who tells you that people like me are freeloaders who hate advertisements. It's not true. They are trying to divert your attention away from their own practices - practices about which we rightly object.

Links:

http://www.opera.com :: Opera Web Browser
http://www.spywareinfo.net/aug18,2004#myths :: Lies, Damn Lies and More Damn Lies