The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Click here to subscribe. Please read our Terms of Use for quoting guidelines. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/nov4,2005.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
The content of this newsletter is commentary. It should not be mistaken for unbiased, objective journalism.
You know, it really is a good thing that technology was so primitive when they made the first VCRs. If today's technology were available back then, the VCR never would have taken off. We would have had no way to watch movies once they left the theaters, except perhaps if a heavily-edited version was shown on television.
The movie and television studios feared that a device such as the VCR would mean the death of their industry. They gathered together and plotted the death of the VCR. They tried their best to kill it.
They failed, which is as fortunate for them as it is for us. The amount of money made from the sales of many movies on VHS and DVD makes a mockery of the amount they generate while in the theaters. If nothing else, it guarantees sales for a movie for decades after it has left the theaters.
They tried to sue the VCR out of existence. The company they chose to sue - and the company which beat them - was Sony.
Times sure have changed. The people at Sony appear to have turned their back on consumers and consumer choice. The Sony of today is one of the loudest voices in the clamor to stifle any new technology allowing consumers to enjoy entertainment in new ways. Now, it seems, they are skirting the line of what is legal in order to do that.
While testing an update to RootkitRevealer, Mark Russinovich, co-founder of the company that created it, discovered an unknown rootkit on his own computer. As you can imagine, that was quite a shock.
A rootkit is software which alters the way the operating system works. The purpose of this is to hide files, folders and processes while they are running on the system. They were used in the old days, long before Windows was created, to take over UNIX computers. With a good rootkit, you can hide any piece of software from all but the most determined search. Today, they are used frequently by trojans, spyware and viruses.
After a very thorough investigation, half of which went way over my head, Russinovich tracked it down to a copy protection program installed when he put a Sony music CD into his computer. Two CD-burner device drivers and an NT system service were installed, then promptly hidden from sight by a rootkit.
When this CD is put into a Windows computer, a license agreement pops up declaring that a small program will be installed. The license agreement claims that the software will be used to play the music files and to allow you to make a limited number of copies of the music. It also claims that you cannot play the music files without installing the program.
The agreement contains significant omissions. The fact that a rootkit is installed is not disclosed. The fact that device drivers are installed is not disclosed. That these device drivers will disable the CD burner if someone attempts to copy the CD is not disclosed. The NT service is not disclosed and, in fact, is given a deceptive name: "Plug and Play Device Manager".
Having tracked down the source of the rootkit conclusively, Russinovich went about deleting this unwanted software. This rootkit put up a better fight than any piece of malware I ever have had the misfortune to run across. Russinovich has very detailed knowledge of how Windows operates and access to some pretty sophisticated tools. He had to put that knowledge and those tools to use in order to scrub this software off of his hard drive.
I have to be honest. From the description he gives in his blog, I don't believe I would have been able to remove this software, at least not without damaging my computer. A regular Windows user never would be able to remove this thing. Most people probably would not notice that it was there in the first place.
Multiple hidden device drivers. A piece of software that can disable a hardware device at will. Deceptively named NT services. All of it hidden from sight by a rootkit. Removing this software breaks the computer, unless you know EXACTLY what you are doing. And none of it is disclosed in the license agreement. All of these things happen just because a person wants to listen to the music they have purchased from Sony.
And the RIAA wonders why people prefer to download music for free?
These are the methods used by illegal malware to do illegal things. Why does Sony use these same methods? Some of these activities are illegal in some countries. It soon may be illegal here in the USA.
Even if this all is perfectly legal, now and in the future, I never would expose my computer to such a thing. I guess I will not be buying music from Sony anymore, at least not on CD.
Catherine has been after me for years to feature a backup program here. The reason that I tend to say "no" is that I don't want to recommend a program that I wouldn't use myself. I use a disk imaging program for backing things up. It makes a complete copy of the entire hard drive. I never have had much use for any other type of backup program. I won't be recommending that disk imaging program here again either. The last time I did, they ripped me off.
Eazy Backup is different from most other backup programs. All the others have complicated interfaces and are just inflexible enough to make it a pain to use. They also miss things. Or they include things that shouldn't be backed up, like browser cache or the recycle bin. Eazy Backup must have been created by someone who was just as irritated at the other programs.
The most obvious thing that makes Eazy Backup stand apart is the plug-ins. Ever restore a backup, just to be faced with reinstalling dozens of programs? This program backs up those programs along with their settings. A plug-in for Eazy Backup tells it where to find the files and all settings associated with a program you have installed. There are plenty of plug-ins covering the more common programs.
If you have a program whose settings you want backed up and there is not a plug-in for it, you can create your own. You simply tell it where the files and folders are located. If you know how to find it, you can tell it the location of the registry entries. You also can group several different programs together, along with their settings, into a single plug-in.
For instance, I told it how to find the files and registry entries for Ad-aware, Spybot, Spyware Doctor, HijackThis and several other antispyware utilities. I put all of this into a custom plug-in called "Antispyware Tools". The same thing can be done for games, office utilities or practically anything.
Eazy Backup will save your desktop wallpaper, your email, your email settings, things installed in the "common files" folder, your entire "My Documents" folder ... basically anything you could think of that would be useful if you had to restore the backup.
If you save the backup archive to CD or DVD, it will split up the archive into different files just large enough to fill it up without exceeding space limits. You also can set your own size limit, which allows you to save your backup to something like floppies, old ZIP disks or USB flash drives.
You can choose whether to make new backup files or to update changes made since a previous backup. You can save all of your backup options to a configuration file. In one configuration, you can back up the entire system. With another, you can back up your "My Documents" folder. You can schedule any of these backups to happen at any time you choose.
This newsletter is going to be twice its normal size if I keep going on about the features of this program. I will say just one more thing about it. Sooner or later, you will regret not having a backup program. If you don't have a backup program now, this is the one you want to have.
If you have any problems with the ordering page, please email Catherine http://www.spywareinfo.com/email2.php.
News certainly happens fast sometimes. In between the time I first heard of this Sony rootkit and the time I finished writing about it, the story exploded around the web. Sony appears to have been caught flat-footed by the sudden, highly-negative publicity.
One aspect of this rootkit, which I didn't mention in my first article, is that it allows someone to hide any file or memory process on the system. All you have to do is add a certain word to the beginning of the file's name and you'll never see it again (without a rootkit detector anyway). Some people speculated that this situation could be put to nefarious use.
I did not mention this in the earlier piece because it was unlikely to be of much danger. A malware creator would be relying on dumb luck to protect his software. What I didn't consider was a person buying a Sony CD with the intention of using the rootkit for his own, less-than-honorable intentions.
Well, that is exactly what has happened. In another part of this same newsletter, I mention the controversy surrounding World of Warcraft's Warden anti-cheat program. That is a program which searches a computer's memory for evidence of a program used to cheat at the game. After word of Sony's rootkit made the news, some of these cheating programs were altered to take advantage of it.
The method couldn't be simpler. If you want to circumvent the program looking for a cheat, you simply go out and purchase a Sony music CD. You put the CD into your computer and let it install the rootkit. Then all you have to do is rename your cheating program so that the rootkit will hide it. WoW's Warden program will never know it is there.
Great work Sony. I'm sure World of Warcraft players will be thanking you after their favorite servers are overwhelmed by cheaters.
Realizing that they have done something wrong and that they have been caught doing it, the geniuses at Sony have decided to provide an uninstaller for their rootkit. It won't remove the copy protection software but it will stop hiding it.
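The name-based hiding described above is the kind of thing a rootkit detector exposes by comparing two views of the same system: what the normal file listing returns and what a raw scan of the disk finds. The sketch below is an added example, not code from RootkitRevealer or from this newsletter; the prefix `HIDEME_`, the file names and both listings are constructed for illustration, since the newsletter does not name the actual word the rootkit keys on.

```python
import ntpath
import os.path

# Constructed stand-in for the hiding word; the real one is not given here.
CLOAK_PREFIX = "HIDEME_"

# Constructed raw listing: what a low-level scan of the volume would find.
RAW_VIEW = [
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\HIDEME_filter.sys",
    r"C:\WINDOWS\system32\HIDEME_service.exe",
    r"C:\Games\hideme_tool.exe",
    r"C:\Games\readme.txt",
]


def cloaked_listing(raw_view, prefix=CLOAK_PREFIX):
    """Simulate the filtered view: any name starting with the prefix vanishes.

    Case-insensitive matching is an assumption of this simulation.
    """
    return [p for p in raw_view
            if not ntpath.basename(p).lower().startswith(prefix.lower())]


def hidden_entries(api_view, raw_view):
    """Cross-view diff: entries on disk that the normal listing never returned."""
    seen = {p.lower() for p in api_view}  # Windows paths are case-insensitive
    return sorted((p for p in raw_view if p.lower() not in seen), key=str.lower)


def inferred_prefix(hidden):
    """Guess the hiding rule from what was hidden: the shared start of the names."""
    names = [ntpath.basename(p).lower() for p in hidden]
    return os.path.commonprefix(names) if len(names) > 1 else ""


def scan(raw_view=RAW_VIEW):
    """Return (hidden paths, inferred name prefix) for one constructed system."""
    hidden = hidden_entries(cloaked_listing(raw_view), raw_view)
    return hidden, inferred_prefix(hidden)


if __name__ == "__main__":
    found, prefix = scan()
    for path in found:
        print("hidden from normal listing:", path)
    print("common name prefix:", repr(prefix))
```

Note that the third hidden file belongs to neither driver nor service: anything carrying the prefix disappears, which is why third-party programs could borrow the cloak.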
I nearly wrote this piece for the last newsletter. I decided against doing it because I felt the issue was being overblown. Since then, the story has appeared at Electronic Frontier Foundation's web site and in the BBC News. Since both places have reported the situation inaccurately, I feel compelled to write about this.
The story that I am talking about is the controversy over the World of Warcraft's (WoW) Warden client. Someone evidently debugged the program while it was running and found it to be reading the window title of every program running on the PC. The conclusion was that WoW Warden qualified as spyware.
For my part, I'm not so sure about that. I will try to explain what this program does, how it does it and why.
The Warden is installed and loaded when someone connects to a server to play World of Warcraft. Its purpose is to check for any cheating programs running on the player's computer. This is an unfortunate necessity due to a large number of people who cheat to advance in the game unfairly. I have played some online games myself. There is nothing more irritating than having to deal with a cheater with the software-enhanced ability to beat every other player there.
Warden finds the title of the window of every program running on the computer. It turns that title into a hash - a long string of characters generated from the characters in the title. It compares that hash to a database of known cheating programs. If it finds a match, it reports it to the WoW server and the administrator then will keep an eye on that player. If the player seems to be cheating, he is kicked off the server and banned from reconnecting.
The articles that I have read about this suggest that Warden sends all manner of personal information to WoW servers. Well, that is not what it is doing. Unless the technical information about the program is a flat-out lie, all it does is report the hash of a cheat program, so that the server administrator can keep an eye on that player. If they are lying about what it does, someone should call the Federal Trade Commission or the FBI and show them some proof.
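The flow described above can be sketched as follows, to show what would and would not leave the player's computer. This is an added example, not Warden's code: the hash algorithm (SHA-256), the report format, the cheat titles and the window titles are all assumptions constructed for illustration.

```python
import hashlib
import json


def title_hash(title: str) -> str:
    """Hash a window title. SHA-256 over UTF-8 is an assumption of this sketch."""
    return hashlib.sha256(title.encode("utf-8")).hexdigest()


# Constructed blocklist. A real client would ship only the hashes; the titles
# appear here so the sample can build them.
KNOWN_CHEAT_TITLES = ["ExampleCheat v1.0", "SampleBot Loader"]
KNOWN_CHEAT_HASHES = frozenset(title_hash(t) for t in KNOWN_CHEAT_TITLES)


def build_report(open_titles, known_hashes=KNOWN_CHEAT_HASHES):
    """Return the report for the server: only hashes found in the blocklist.

    Titles that do not match contribute nothing, neither text nor hash.
    """
    matched = []
    for title in open_titles:
        digest = title_hash(title)
        if digest in known_hashes and digest not in matched:
            matched.append(digest)
    return {"matched_hashes": matched}


def leaked_titles(report, open_titles):
    """Audit helper: which plaintext titles appear in the serialized report?"""
    wire = json.dumps(report)
    return [t for t in open_titles if t in wire]


# Constructed desktop: two private windows and one known cheat.
SAMPLE_TITLES = [
    "Inbox - alice@example.com - Mail",
    "ExampleCheat v1.0",
    "Online Banking - Browser",
]

if __name__ == "__main__":
    report = build_report(SAMPLE_TITLES)
    print(json.dumps(report, indent=2))
    print("plaintext titles in report:", leaked_titles(report, SAMPLE_TITLES))
```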
The main piece of ammunition being expended to call Warden "spyware" seems to be the fact that it reads the title of every program's window. To that, I have just two questions: "So?" and "What's your point?".
The Windows Task Manager also reads and displays window titles. Does that make it spyware? Other process managers do it too. I know of at least one program that shows you the title of every window, hidden or visible, and lets you manipulate them. Is that also spyware? Of course not.
Warden does not qualify as spyware. All it does is look for the hash corresponding to known cheat programs.
This is a much-needed feature which makes the game more attractive. Nothing ruins a game more than having to play against a cheater. If what Warden does angers you, direct that anger at the cheaters who make its existence necessary. And let us save the label "spyware" for things that do some actual "spying".
Years ago, I wrote about a mysterious media player that I had discovered on my computer, the Viewpoint Media Player. I didn't pay much attention to it at the time.
Months later, someone called it spyware on the message board. I decided to do a little investigating at that point. After tracking down Viewpoint's web site and finding their privacy policy, I was inclined to agree with the opinion of that person on my message board.
To hear Viewpoint describe the program, it is nothing to worry about. They describe it as a browser plug-in to play multimedia embedded into web pages, little different from Flash or Java. Reading the privacy statement led me to a much different conclusion.
When I tried to find a current privacy policy for Viewpoint software, all I could find was a policy covering their web site. Their software privacy policy that I found two years ago disclosed some very disturbing behavior about the software. It set a unique tracking ID number, updated itself automatically, tracked what the plug-in was displaying, the address of the page with the embedded Viewpoint content and how the person interacted with it.
None of the legitimate plug-ins do that. Macromedia does not know when my browser sees Flash on a web page. Sun does not receive reports when a Java applet is loaded. Microsoft is not informed when Internet Explorer runs an ActiveX applet. Why does Viewpoint need to track all of that?
After some digging, I discovered that this thing was installed alongside AOL Instant Messenger (AIM). I didn't remember agreeing to install a media player or browser plug-in when I installed AIM months earlier. I downloaded the current AIM installer, as well as an older installer for the version I once installed. I installed both of them on a test computer and read every word of every agreement. The word "Viewpoint" was nowhere to be seen.
To make things worse, the AIM program later was redesigned. Not only did it install this software without permission, it also reinstalled it if you removed it! A large number of people reported this at the message board.
I just performed a quick test and found that AIM STILL installs Viewpoint and STILL doesn't disclose it. The only improvement that I can see compared to a year ago is that it did not reinstall Viewpoint after I removed it from add/remove.
The reason that I bring all of this up again is the following announcement from Viewpoint: they intend to start serving advertisements through the software. According to this article, "It will work by collecting clickstream data on users who have installed the Viewpoint media player, then using that data to target ads and content on the company's partner sites."
Putting that into plain language, it means that Viewpoint's software will track your web surfing and tailor advertisements based on the web pages you are visiting.
Is the Viewpoint Media Player spyware? Read my definition of spyware, then read the definition published by the Antispyware Coalition. I will let you draw your own conclusion. The answer to that question, at least to me, seems to be very obvious.
Has this ever happened to you? You try to delete a file, only to be told that the file is in use. This happens when a running program tells Windows to put a lock on a particular file.
Sometimes the culprit is obvious, like if you try to delete an MP3 file while a program is playing it. More often, you are left without a clue as to what is keeping the file in memory.
This happened to me while I was testing something several weeks ago. I was trying to delete a file and Windows refused to let me do it. After griping about it in the chat room, someone pointed me to this little gem: Dr. Hoiby's WhoLockMe program.
After you install this program, a new item is added to the pop-up menu you see when you right-click on a file or folder. If something is preventing you from deleting a file, you can right-click on the file, choose the "WhoLockMe" item and a window will appear showing you exactly what is keeping the file locked. Close whatever program is responsible and suddenly Windows will obey your command to delete the file or folder.
The program is free and works on Windows 2000 and Windows XP.
SpywareInfo has a new(ish) feature, listing news headlines relevant to spyware, privacy and safely using the computer. There is a saying that "all politics are local". It seems that this also applies to the internet. It is a close community in that problems can spread from anywhere. If you see a local story that you think deserves attention, please let us know. Use this mail form, tell us some details and we will follow the story.
This Spywareinfo News Section is updated every day - and several times during the day. It is a section of Spywareinfo that we hope will keep you informed on a daily basis - and keep your internet time a bit safer. Go have a look.
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners.
All rights reserved.
Use of this site and its services are subject to our terms of use.