Recently in Spyware Category

Link
We all know that malicious ads can be hosted by legit sites. Generally being fully patched (including third party apps) is a good protection against most attacks other than social engineering.

Ryan Naraine of The Zero Day Blog over at ZDNet reports that malicious Adobe Flash ads are being used to hijack the clipboard until the browser is closed.

I kind of expected to be protected against this because I set IE to prompt before allowing programmatic access to the clipboard. A proof of concept quickly disproved that theory.

Further searching the feeds I read regularly finds mention of this a week ago in the Spywaresucks blog.

Then this guy says he's seen it back in July.

The domain injected into the clipboard is for the rogue antivirus software "antivirus 2008 xp". The domain has been used for malicious purposes going back to at least April 2008.

Subpoena in a Civil Case


The SANS ISC Diary has a good write up of the Subpoena in a Civil Case malicious email. Wish I had seen that before investigating the copy our CEO received.

The message is from subpoena@uscourts.com with a display From of United States District Court. It says

YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States District Court at the place, date, and time specified below.

It has a link to download a document on the matter. The website prompts to install a malicious ActiveX control.

The malware we received doesn't seem to be the same file the ISC is reporting.

Webroot has posted the Q107 State of Internet Security.

http://www.networkworld.com/columnists/2007/032607edit.html

In a recent study about spyware by Nemertes Research, Senior Vice President Andreas Antonopoulos was surprised to find that 16% of the companies examined were not concerned about the threat.

The article notes that the reason for this isn't lack of computer security spending at the companies in question. Nor is it because the companies are small. Frustratingly, the article doesn't explore further why this is the case. Perhaps it's in the study, but since that study is cited but not linked we are left to speculate.

Perhaps the companies are not concerned because they've solved the problem.

Eugene Kaspersky believes that spyware should be addressed by antivirus vendors, not a separate product. Perhaps these companies feel their antivirus is good enough.

Perhaps they use HIPS and feel that prevents the spyware from being installed in the first place.

Perhaps users aren't given local administrator rights.

Perhaps they just have bigger concerns.

At our company we've used an anti-spyware product ever since enterprise ready anti-spyware became available.

I was a fan of Gerhard Eschelbeck when he was with Qualys. He's been pretty much off my radar since he took the CTO position at Webroot. Today he comes out swinging against Windows Defender as reported in Information Week.

"If you look at the [Defender] data points, they speak for themselves," says Eschelbeck. "Defender didn't block 84% of the tested malware. That's not the kind of performance users are hoping for." Eschelbeck says that his firm's research team tested Defender against a suite of Trojan horses, adware, key loggers, system monitors, and other unwanted programs, all of which were gathered from in-the-wild threats. Webroot's own Spy Sweeper blocked 100% of the threats.

Hmm, so in tests where they gathered the malware, their own antispyware program detected everything and the competitors didn't do so well. That's quite a shock.

Take a look at Sunbelt Software's response when Webroot and Veritest released results last spring.

Eschelbeck also slammed Windows Defender, and by connection, Vista's security, for infrequent updates. Microsoft currently issues spyware definition updates every seven to 10 days, he says. Webroot, meanwhile, identifies approximately 3,000 new traces of spyware every month. "Users can't wait for a week or so to have their anti-spyware signatures updated," says Eschelbeck.

So Eschelbeck is comparing frequency of updates to number of detections added. Apples/Oranges anyone? Hopefully that is the writer's mistake.

I know nothing about Windows Defender frequency of updates. I do like that it uses an established update channel like Windows Update. However, I prefer my anti-malware apps on the desktop to check for updates hourly.

The IM Blocker is working


Getting hit with some spyware-laden links here at work. Our blocker got it no problem. But for everyone without IM protection, watch out for

hxxp://nsl-school.org/?id=18388
hxxp://nsl-school.org/?id=winning_list
hxxp://mytermex.com/?news_id=18388
hxxp://mytermex.com/?id=virus_shield
hxxp://nsl-school.org/?id=news X-(

http changed to hxxp to avoid anyone accidentally infecting themselves. If you go to the sites, you're on your own.

Practicing Safe Surf


In other news the sky is blue. Porn sites are sleazy. And everything isn't as it seems on MySpace.

http://sourcewire.com/releases/rel_display.php?relid=27686&hilite=

A survey of over 600 UK respondents showed that young men are significantly more likely to be infected with spyware than their female counterparts. The likelihood of infection was increased by the risky online behaviour of young males, such as opening instant messages (66%), downloading files (65%) and visiting adult entertainment sites (56%).

“The chances of becoming infected with spyware rapidly increase when performing certain online behaviour, such as visiting adult entertainment sites or social networking sites such as MySpace.com,” said David Moll, CEO of Webroot. “These sites have become a breeding ground for spyware.”

MVP in Spyware pushing?


Should antispyware detect cookies?


Suzi Turner asks, "should antispyware products detect cookies" in her latest blog entry at ZDNet.

Here are some test results from Ben Edelman on how various antispyware programs treat cookies.

I'm coming at this from the perspective of a corporate information security guy. Several years ago, I started an initiative to purchase enterprise ready antispyware. It was readily apparent that spyware was a problem. Users were installing unlicensed copies of software like adaware and spybot s&d. After reviewing the "free" license, it was apparent that the company could be liable to software piracy charges, particularly since the corporate helpdesk was often the party installing this software. We purchased Webroot Spysweeper Enterprise to resolve this issue.

When we rolled out Webroot, one of the common complaints I heard was that it wasn't detecting as much. The "free" antispyware products were deleting all the cookies and including that in the detected spyware count. I find that disingenuous.

I debated turning on the cookie detection in Webroot, but it seemed like I was losing cookies that were remembering my login information on various sites. My Techtarget cookie was a regular target.

I continued the rollout without enabling cookie detection. There have been many versions of Webroot Spysweeper since then. I wonder if it's time to take another look at detecting cookies.

Websense RSS Feeds


I added two Websense RSS feeds into my RSS Reader today. One feed is for alerts. It contains alerts about new phishing attacks or interesting dangerous sites. The other feed is their blog.

http://www.websense.com/securitylabs/RSSFeed.php

The server update contains the following changes:


  • Improved navigation tree structure and UI
  • Additional controls for new client functionality (see client changes below)
  • Support for Informational definitions
  • Support for Incremental definitions
  • Numerous stability enhancements
  • SQL Server 2005 Express Database Support

The client update contains the following changes:


  • Completely new Kernel level driver engine
  • Rootkit detection and removal capabilities
  • 4 New Smart Shields
    - ActiveX Shield
    - Browser Helper Object Shield
    - Spy Communication Shield
    - IE Trusted Sites Shield
  • New Client Homepage
  • Command-line access to client
  • Support for Incremental Definitions
  • Support for Informational Definitions

It now operates in a Kernel mode to offer protection much earlier in the boot process.

I think I'm kind of excited that development continues on what has always been a highly rated product. The ActiveX shield sounds like it will be a replacement for Spywareblaster. So that is less work for me monthly.

At the end of this article defending the need for Spysweeper even after Vista is released, Webroot CEO David Moll says that Webroot will soon offer antivirus in addition to antispyware. It's not clear if they are going to bundle with a competitor, if they are developing from scratch, or if they are going to buy someone.

Other interesting notes:
- Webroot has a half million dollar "usability" center where they observe normal people using the product.
- They take time to play offense against their product, trying to be the bad guy and look for ways to circumvent the product, so they can close those holes.
- If you get a patent while working for the company you only get a 2k bonus.

Webroot has sent out a press release announcing the results of a four month VeriTest bakeoff between Webroot Spysweeper Enterprise 2.5.1, McAfee Antivirus Enterprise with AntiSpyware Module 8.0 and Sunbelt Counterspy Enterprise version 1.5.268. Webroot was more than three times as effective as Sunbelt and nearly twice as effective as McAfee at cleaning all types of spyware.

The rigorous testing methodology included a test bed of two hundred randomly selected spies, divided into the following categories: adware, system monitor, and Trojans. Each product was judged on its ability to "fully clean" each piece of spyware -- a comprehensive term for detecting and removing -- from multiple machines. The results of a product's effectiveness against each of the 200 spies was measured against an extremely sophisticated set of criteria that required each to be met in order to gain a "clean" rating.

Windows Defender Beta 2


Paul Thurrott reviews Windows Defender (formerly Microsoft Antispyware, formerly Giant Antispyware), and it's well worth the read.

Thurrott reports that the reason for the long delay is Microsoft needed to rebuild it from the ground up in order to prepare for a 64 bit future, and to allow for region language versions amongst other reasons.

I haven't tried it out for myself yet; my computers are busy troubleshooting a work problem. But there is some cool stuff here, such as the fact that it updates through the automatic updates service.

One thing I am wondering is, will this download automatically through the update mechanism of beta one? All I have heard is that I can install beta 2 over beta 1.

While I was offline earlier this week, a new vulnerability was disclosed in Winamp. Although a new version of Winamp was made available the next day, the bad guys also moved fast. The Sunbelt blog is reporting that CWS and SpySheriff are being installed through this vulnerability. They have some good screen shots.

So better double-check if you have Winamp installed. Even if you don't use it, you are vulnerable if you have it installed. You should be running version 5.13. Winamp is a media player that you may have installed as a stand alone product or it may have come bundled with Netscape back in the day.

Spywaretesting.org


"Trend Micro, Symantec and McAfee are joining forces with ICSA Labs and Thompson Cyber Security Labs in a bid to standardise methods for sharing spyware samples and testing anti-spyware products and services." reports The Register.

Zone Alarm as spyware?


Infoworld has reported that ZoneAlarm 6 Internet Security Suite is phoning home. Rather ironic since one of the reasons you would want a personal firewall that controls outbound access is to stop products from phoning home.

The term rootkit entered more people's lexicon as it was used to describe the Sony Digital Rights Management software. Spyware vendors have been using rootkits to prevent the uninstallation of their malware. Increased usage of antispyware products and their incorporation in antivirus products have caused them to use less obvious and more lasting methods.

Gregg Keizer of techweb reports:

Richard Stiennon, director of threat research for anti-spyware vendor Webroot, agrees that rootkits are being used by spyware and adware vendors.

"In the first half of the year, all we really saw was proof-of-concept code rootkits in spyware," says Stiennon. "Once they got that to work, though, since May really, we've seen several different rootkits in use."

There are dozens of simple ways to hide from the Windows file system, some enough to defeat elementary defenses, notes Stiennon, but the more sophisticated spyware suppliers have turned to rootkits. "It's still a minority of the spyware and adware that's using rootkits," he says. "But it's the cutting edge for them. All the new stuff we're seeing uses rootkit techniques.

"It's more important to hide if you rely on revenue-generating software that most people want to uninstall," he adds.

It's more important now than ever to make sure your antivirus and antispyware products are able to detect rootkits, as this problem is only going to get worse.

Webroot Spysweeper 2.51


I finally have Webroot Spysweeper 2.5 in my hands. I've been waiting for this since August. The admin console now has some good reports available. I'm happy about that.

Webroot Phileas


I was perusing the Webroot website when I found the Phileas page. It sounds like the Microsoft Research Honeymonkeys project.

Phileas is a ground-breaking online spyware research system developed by Webroot. Using patent-pending technology that scours the entire Web, Phileas discovers spyware on the Internet faster and more efficiently than any other research method. More importantly, it does so before home computer users or corporations unwittingly become infected.

AOL bundles CA Spysweeper


Back in August I wrote about a purchase of Aluria by Earthlink. I speculated that might end the relationship with AOL.

Well, the shoe has finally dropped. AOL has announced that AOL Spyware Protection 2.0 will be using Computer Associates' Spysweeper product. And AOL just couldn't resist some potshots at Aluria, suggesting they couldn't be trusted to categorize spyware, they don't have a large antispyware database, they don't update often enough, they don't offer realtime protection and their scans take forever. Funny, AOL wasn't singing that tune when they went with Aluria, a previously unheard-of company from Maitland, Florida.

I've only evaluated the enterprise version of the Spysweeper product. It was ok back in June 2004, but now it is not performing well on recent bakeoffs.

Webroot 2.5 update part 2

I called support yesterday to check in on any possible interactions between Symantec Antivirus Corporate Edition version 10 and Webroot Spysweeper Enterprise. SAV 10 now has realtime spyware protections and I wanted to see if there would be any issues. Symantec warns about using the antispyware parts with other realtime antispyware programs. Support says there should be no issues. Just make sure you don't have the install block turned on when you try to upgrade (duh). Also they say I might want to have SAV exclude the Webroot directories for performance reasons.

I also asked them when Webroot 2.5 will be available for existing customers. The support tech reports that will be available after Labor day. So I can push Webroot down my list of things to do until next week.

Webroot 2.5 update notes

Spy Sweeper Enterprise 2.5 is currently available for new installations only. They say they will be releasing an upgrade package for current customers "shortly."

Just as well, I've got some other things to be working on anyway.

Earthlink acquires assets of aluria

Another bit of news from Donna's Security Flash. Earthlink has picked up the assets of Aluria Software.

Aluria is a small company from Lake Mary, Florida. That's just north of Orlando, so I know the area a bit from my time down there. Although Aluria's consumer product has been highly rated, I was never high on them. I seem to recall some controversy about them whitelisting WhenU.

Doesn't Aluria currently provide the antispyware functionality in the AOL Security Edition? Also I believe that Webroot had been providing Earthlink's antispyware capability. Interesting changes, hmmm.

I figured after Pestpatrol got bought by CA that two things would happen: 1) Pestpatrol would no longer be highly rated. 2) There would be more consolidation as the major companies try to buy into the antispyware market.

I saw over on Donna's Securityflash that Webroot has put out a press release that their enterprise version 2.5 is now available. I'm sure as a customer, they'll let me know this sooner or later. :) Actually there is a "news" page within the product, so I would probably have learned this next time I opened the admin console.

http://www.webroot.com/resources/archive/pr/2005/aug/ssenterprise2-5.html

Sounds like they have some good features including enhanced reporting, faster scan times, the ability to set a safe mode scan, enhanced scanning ability, and a new web admin interface, alternate data stream prevention, and enhanced client updates for mobile users.

Sounds like I have a few busy days ahead of me. I probably should resist the urge to deploy for about a week and let other people be the guinea pigs. I'll probably at the least deploy the upgrade to my test group now.

Sunbelt SW Counterspy

Sunbelt Software Counterspy has an article analyzing WhenU practices here.

Hijacked 404, Last Word, no really

I thought I'd said all I was going to say on the hijacked 404 web page, but there was a little bit of news today.

1. A moderator reports that the problem is resolved. So at least that is progress if they are admitting there was a problem. I'd prefer to know what was wrong and how they made sure it doesn't happen again. That's how we treat users where I work, and I'd expect the same when I'm the customer.

2. POWWeb support did get back to me Sunday morning (1.5 days after the ticket was entered). All they really said was there was no problem and they closed the ticket.

3. PowWeb locked a thread on their bulletin board discussing this issue. I don't think the thread was at all out of line. I'm a bit annoyed at their ham-handedness in closing the thread as well as their unresponsiveness in general.

Over the past 6 months I'm really starting to doubt powweb's commitment to security. Certainly users installing Content Management Systems like phpnuke doesn't help things. People picking dumb passwords doesn't help things. But when I do everything I can to run a secure site, and the host fouls things up, that pisses me off.

Hacked 404 - Final Chapter

I got a note back from websense today that they've added the link I sent them to the block list, so Websense customers with the Premium Spyware Group will be protected from that little baddie.

I also finally added in the custom 404 redirect. I didn't take the time to add in a redirect for 401, 403 or 500. I really should do that, just to protect myself from further ISP incompetence. I haven't noticed any 404 hijacking for the past day or two, so we may be out of the woods.

Hacked 404 Part 3

I took the files that the fake 404 error page was attempting to install and sent them to Symantec. As I mentioned in my last post, virus total showed several other vendors detecting it as a virus, but not Symantec. I should mention that virustotal.com does not use version 9 of Symantec and would be unable to detect adware, so I checked it myself before submitting with SAV 9.0.2.

Symantec's Antivirus Response Center reports that the chm file is a trojan downloader and the exe file is a trojan adclicker. The 4/17 intelligent updater files should contain defs for this.

Another user on the web server cluster I am on reported that users of his website are reporting virus detections. Sure enough, with McAfee when I go to his site, I get a virus detection immediately. I can see in the source for the page I get that there is an iframe loading something from a .la TLD. This is like what happened to me. I suspect that he has a bad link on his page.

Just like my problem, it comes and goes. 3 hours later, I now can't reproduce the problem on his site.

Hijacked 404 part 2

I did some googling using the code strings in the exploit. According to K-OTik Security Research this is commonly called Trojan.ByteVerify. It exploits the Internet Explorer/Outlook CHM File Processing Arbitrary Code Execution Vulnerability (MS04-013) and the Microsoft Virtual Machine Remote Code Execution Vulnerability (MS03-011).

So it looks like nothing really interesting is going on here. No new exploits or anything like that. I was hoping the use of 404 would be significant, but it seems they just used that to get traffic. If indeed they compromised 404 on the webserver as a whole, they could get quite a bit of accidental traffic.

The following is output from using a text based browser built into Sam Spade. To me it shows that I am getting redirected by the server. Am I wrong?

04/15/05 23:26:22 Browsing http://www.[edited].org/asdfasdfasdf.html
Fetching http://www.[edited].org/asdfasdfasdf.html ...
GET /asdfasdfasdf.html HTTP/1.1
Host: www.[edited].org
Connection: close
User-Agent: Sam Spade 1.14

HTTP/1.1 302 Found
Date: Sat, 16 Apr 2005 03:26:31 GMT
Server: Apache/1.3.33 (Unix) FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7d PowWeb/1.1
Location: http://euscorp.net/ error404.html
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

d4
302 Found
Found
The document has moved here.

< edit > placed a space in the url to make it less likely someone will accidentally go to the exploit page. Removed part of the html code, don't want to confuse any browsers with multiple html tags.
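A small detector for the pattern in the Sam Spade output above (a request for a bogus path answered with a 302 to another host instead of a 404), added here as an example and not code from the original post. The sample response is constructed from the headers quoted above with placeholder hostnames; only the status line and Location header matter to the check.

```python
"""Classify a server's answer to a request for a non-existent page.

A healthy host returns 404. A 3xx whose Location points at a different
host is the "hijacked 404" pattern described in the post above.
"""
from urllib.parse import urlsplit

# Constructed sample response, modelled on the Sam Spade capture in the post
# (hostnames replaced with placeholders).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Sat, 16 Apr 2005 03:26:31 GMT\r\n"
    "Server: Apache/1.3.33 (Unix) PowWeb/1.1\r\n"
    "Location: http://redirect-target.example/error404.html\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html>302 Found</html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased so lookups are case-insensitive, which
    matters because servers are free to send 'location' or 'Location'.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0])
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_404_response(requested_host, raw):
    """Return 'ok', 'same-host-redirect', 'offsite-redirect' or 'served'.

    'ok'                 - proper 404 for a bogus path
    'same-host-redirect' - 3xx to a page on the same host (e.g. a custom
                           error page set up with .htaccess)
    'offsite-redirect'   - 3xx to another host: the hijack pattern
    'served'             - any other status (a 200 for a bogus path is a
                           soft 404 and worth a look, but not a hijack)
    """
    status, headers, _ = parse_response(raw)
    if status == 404:
        return "ok"
    if 300 <= status < 400:
        location = headers.get("location", "")
        # A relative Location (no host part) stays on the requested host.
        target = urlsplit(location).hostname or requested_host
        if target.lower() == requested_host.lower():
            return "same-host-redirect"
        return "offsite-redirect"
    return "served"


if __name__ == "__main__":
    print(classify_404_response("www.example.org", SAMPLE_RESPONSE))
```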

Hijacked 404

I'm minding my own business, reviewing my website logs when I notice that someone has checked to see if I've got formmail.pl. As you probably know, that file is included in some CMS packages, thus spammers look for them. I can see that the attacker got a 404, but I wanted to verify for myself that it wasn't there.

So I go to www.infosecblog.org/cgi-bin/formmail.pl. What happens? I see a 404 page, but the url at the top of the page is http://euscorp.net/error404.html rather than an error page from my web hosting company (powweb).

Checking with a text based browser I see that the powweb 404 has a 302 moved message forwarding me to the euscorp page.

I check into euscorp.net. They are hosted by my webhosting company. The site is very out of date and it belongs to Enterprise Utility Solutions.

Now before I go further, I should mention that other people have reported similar problems in my webhost's support forum. However they've been told it's a problem with spyware on their machine. I'm reasonably sure I don't have local spyware.

By looking at the source of the 404 page from euscorp.net I see that there is an iframe to tgp.la/or.html. At first glance tgp.la appears to be a prescription drug spamvertized website and they are just trying to run up the counter. Again I look at the source and I see an IFrame tag which calls http://www.globolook.com/v058/wow.html.

At that globolook site they are attempting to run a chm type of exploit to download and run files on your system. I ran the files through virustotal and 6 antivirus scanners detected it. Kaspersky calls it Trojan-Downloader.Win32.WarSpy.d. Other antivirus calls it codebase. Another engine calls it adware.serch.a.

The case is not over. What is causing this? I've checked my machine. I am clean, and I only see this redirect on some powweb sites. I've put in a support ticket with powweb. We'll see what happens. If they don't do something soon, I think I can use .htaccess to implement my own 404 pages and avoid this problem.

So bottom line is be patched, and don't go to any non-existent pages on my site. :)

Kaspersky - "No such thing as spyware"

Eugene Kaspersky kicked over a beehive in his March 3rd comments posted in his weblog. Kaspersky heads up an antivirus company of the same name. He makes a claim that spyware is nothing more than malicious code which has traditionally been detected by antivirus. He would say that if your antivirus cannot handle malicious code then you should look into other antivirus software. He accuses the entire anti-spyware industry of just being a way of separating the ignorant from their money.

Kaspersky is correct in one aspect. Antivirus companies should detect this crapware and should have done so all along! Keystroke loggers, backdoor trojans and other snoopers have no place on a system. A cottage industry of anti-spyware began because the AV companies weren't meeting a need. Antivirus companies were ill-prepared to respond to this more pernicious threat model. And I suspect they were unprepared to deal with it from a legal perspective.

Hopefully the next generation of antivirus will be prepared to attack this problem and not require us to purchase extra products just for antispyware.

Webroot Spysweeper Server Vuln

I also posted this in the security forums over at http://myitforum.com/forums.

Webroot Spysweeper 2.0 Enterprise by default creates a website on port 8080. The webserver is an Apache Jetty server. This website is used to send updates to the clients.

The website is misconfigured so the "PUT" command is enabled. This allows anyone to upload files to the server and potentially replace the files that are there. Traditionally leaving the PUT command enabled can lead to complete system compromise.

If you go to http://servername:8080/updates, you will see a list of folders with sequential naming: 0057F161...0057F165. Each folder contains a zip file and an INI file. The zip file contains a mst file and an INI file. I have not tested this, but I postulate that at best an attacker could overwrite these files preventing client updates. At worst an attacker could create their own mst files that could crash webroot and potentially run hostile code on the clients.

I called Webroot today. At first they professed to have no idea what I was talking about. After explaining it a few times, it turns out this has been discovered and will be fixed in version 2.1 due next week.

AP writer attacks MS Antispyware

Matthew Fordahl identified as an AP technology writer wrote a recent review titled Microsoft Anti-Spyware Ineffective.

The article begins by berating Microsoft's viral cleanup tool for not ridding his dumbass family member's infected machine. Clearly he does not understand what this utility is supposed to be. That's like screaming because McAfee's Stinger utility doesn't clean every virus off the machine. This is particularly galling when the problem is obviously spyware, and not viruses.

So halfway through the article he finally gets Microsoft Antispyware installed. I don't understand people who criticize MS Antispyware. 1. It's a beta release. 2. It's still basically Giant's product. The first thing this guy criticizes is the GUI. Clearly the author has not used other antispyware products. This interface is head and shoulders above that used by Adaware, Spybot Search and Destroy etc. He is unable to get the machine clean, blames the product and reloads the operating system (in my opinion revealing his complete lack of technical skills).

As usual, Microsoft is criticized where other products are not.

Microsoft Antispyware

Microsoft released a beta of their antispyware software this week. The release notes caution to disable realtime scanning to avoid interference with Enterprise management tools.

As you might expect, I found the GUI to be quite nice compared to other antispyware programs. That's not Microsoft being GUI-centric; it's still the same as what GIANT was using in their software. I liked the install encouraging users to run a scheduled scan and have automatic updates. My first scan found a false positive in WinPcap. I was able to tell it to ignore that forever.

There is not currently any Enterprise management capability in this software. GIANT was working on controlling settings via Group Policy, so we hope Microsoft will continue down that path. I have also heard they are looking at releasing updates via SUS so there will be centralized updates.

The program looks pretty nice and will likely be a future leader in enterprise antispyware applications. But for now, I'm happy we've made the decision to go with Webroot. I just hope we get Webroot deployed before Microsoft has a viable enterprise antispyware solution.

Windows Media Files could install Spyware

Risk Your PC’s Health for a Song?
http://www.pcworld.com/news/article/0,aid,119016,00.asp

Protect Yourself From Audio Adware
http://www.pcworld.com/news/article/0,aid,119063,00.asp

These articles don't go into a lot of detail. It appears that via the DRM feature in Windows Media Player a malicious content provider could cause Media Player to go to a website of their choosing when you play the file. It uses Internet Explorer to open a webpage of the author's choosing (even if that is not your primary browser). It will load whatever code is there, including exploits for Internet Explorer that could be used to install spyware.

Vulnerabilities in Internet Explorer and most applications require the user to follow a URL to be exploited; this provides a new vector of attack. It is likely much easier to socially engineer a user to open a Windows Media file than to open a URL. The old adage about not opening unexpected attachments is true. One wonders if this is something antivirus vendors will even be able to stop, since it is basically just calling a URL.

Link: Paul Thurrott Looks at Giant Antispyware

Microsoft bought Giant Antispyware last week. Here's an article where Paul Thurrott interviews a co-founder of Giant prior to their being bought out.

AP: Users invite spyware trouble

Pretty nice article in the AP today about spyware. Users Often Invite Spyware Trouble.

WhenU Certified Spyware Safe by Aluria

I read over at the Spyware Warrior Blog that Aluria has certified WhenU as "spyware safe." Aluria is an antispyware company with a fat contract from AOL to provide its customers with software. WhenU is best known as an adware program. AFAIK, WhenU is generally installed by users who know they are getting ad supported software.

Adware is a pain, but if you don't like it and can choose to uninstall it, and it uninstalls cleanly, I just don't see what the problem is.

Adware and spyware are two different things.

CA purchases Pestpatrol

http://www3.ca.com/Press/pressrelease.asp?CID=61871

Computer Associates, the collector of software companies, has purchased PestPatrol. PestPatrol was most recently in the news for providing a spyware plugin for the Yahoo toolbar, but conveniently turning off the detection for Claria (Gator), which provides a large portion of Yahoo's income.

PestPatrol has also released a first generation corporate anti-spyware scanner that has an interface resembling a high schooler's C++ final project.

Spybot Search and Destroy

Spybot Search and Destroy has gained legitimate accolades as an anti-spyware tool. Some people have tried to take advantage of that by pretending to be Spybot but offering a different product and charging for it (Spybot S&D is free).

Make sure that your friends and family are getting the real deal from Patrick Kolla at http://security.kolla.de/ or www.safer-networking.org (same site). The software is also available from tucows and download.com. Don't fall for fakes.

Symantec sued for labeling product 'adware'

Symantec is being sued for labeling a product as spyware according to a news.com article. It says that Symantec has labeled TrackEight's product "Spyware Nuker" as adware and as such they have lost business. The SARC writeup is linked here.

SpywareNuker is on the list of rogue/suspect spyware applications maintained by spywarewarrior.com. It seems that TrackEight's parent company includes adware in most of the products they release. Earlier versions of Spyware Nuker were ripped off of Adaware and Spybot Search and Destroy. This earlier version is still being distributed.

Although the current version is reported to not have these same problems, their sibling companies are responsible for Bargain Buddy, WhenU and MySearch crapware. Do you really want to be using software to remove adware/spyware from the same company that put it there in the first place?

I couldn't wade through this thread but it remains pretty clear to me that TrackEight are not reputable people.

It will be interesting to see how this plays out assuming the results become public knowledge.

I read your email

Interesting article over at zdnet. According to Forrester Consulting, 44% of companies with 20,000 or more employees have someone paid to monitor email. There are concerns of disclosure of proprietary information, compliance with Sarbanes-Oxley, and worries about a hostile workplace lawsuit.

I'd love to see the actual report rather than this sanitized ZDNet version. Would they say any company that blocks spam and reviews the quarantine for false positives also counts as having an employee who reads the mail?

I suppose this zdnet article is supposed to spark moral outrage. Companies walk a fine line when it comes to being seen as big brother. But each of the concerns listed in this article is legitimate. Some are required by legislation. This all gets back to company policy. Be up front with what monitoring is occurring and why. The policy must be clear and enforced. It can't be a document that is stuck in a drawer.

Did They Read It? Part 2

Back on May 23rd, I wrote a short article on the controversy surrounding "Did They Read It", a program that adds a webbug to your email so you know that it was read, and how many times it was read.

At the time I predicted that Congress would soon have a law forbidding webbugs. Well, it's not Congress, but according to this article at BroadbandReports.com the French have announced that under French law it is already illegal for a French citizen to use didtheyreadit.com.

I'd go see if DidTheyReadIt.com has a response, but Websense doesn't let me access that website. Websense has them in the spyware category.

I can't help but feel that people who get this sense of violation when they read about didtheyreadit are unaware of webbugs and how they are likely used in all the html newsletters and promotional material that you already get. This just makes the technology available to the average user.

If you want to remain in control of your email, you need to make sure you're reading in a "text only" mode. Or run a personal firewall that will disallow or prompt outbound http attempts from your mail client. I imagine that Outlook 2003's default of not loading images on mail from external people would help also.

Webroot released an update to their enterprise antispyware product last night: version 1.1.

The main improvements reported by Webroot are:
1. Now uses MSI to aid in deployment
2. Ability to run a scan on demand
3. Ability to obtain updates through a proxy server.

Although I'm still in the early stages of the eval process, I can say that Webroot meets a lot of my needs for an enterprise level product.

1. Updates are retrieved from the central server. You can set the client to check in hourly and the server to check in more often. I haven't been using it long enough to get a feel for when updates come out. It seems like spyware updates are weekly. One complaint I have about updates is you can't tell what antispyware definition set a client is using! You just have to hope that they pulled it from the server correctly. That seems kind of strange.

2. It checks the memory occasionally for spyware (at least that's the way it appears to me that the Memory Shield works) in addition to having manual and scheduled scans. To me this isn't quite the same as real time protection, but it's better than most. I also like that 1.1 has added the ability to "scan now" on one system or the entire enterprise from the administration console.

3. The centralized reporting is ok. I would really prefer the ability to export to CSV or have some graphs. The single canned report allows you to select the date range and that's it. It creates a report of spyware by computer.

I really like that Webroot allows the end user to run scans also. This new version 1.1 changes the default to run Webroot completely hidden. That can be fine depending on your userbase. I would tend to prefer something like Symantec Antivirus with the SSC where I can let a user run LiveUpdate, but he can't change the default schedule. A user can create a scheduled scan or run one now, but he can't disable the default scan I have created.

Webroot has the makings of a fine product here. It is in its early stages, but I think it is the leader in terms of enterprise antispyware products.

Dubious Spyware Products

Broadband Reports has a link to a list of dubious spyware products.

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Some anti-spyware products actually install spyware.
Some anti-spyware products are really just bad copies of established software like Adaware and Spybot Search and Destroy.
Some just don't work very well.

So how do you tell the difference? It's best to stay with the established leaders like Spybot and Adaware, but sometimes they don't offer the features we need. This list is a great resource for what to watch out for.

Spyware part 2

This is part two of a look at what we can do to keep spyware off the corporate computers. Part 1 is posted here. I'll do my best not to repeat myself.

Antivirus vendors are expanding into the area of spyware products. I think I would prefer to use them as the corporate spyware solution. You don't have to install an extra product, you don't have to pay for another product, and you get to use a known administration scheme. For this reason I chose to review Symantec Antivirus Corporate Edition version 9.0 first.

SAV 9.0 CE
Normally I wouldn't go near the first build of a Symantec release, but enticed by the potential protection against spyware and some other new features, I jumped right into testing.

Pros
A trusted company. Likely to become a leading player in anti-spyware
Single application for both antivirus and spyware
Version 9 has greatly improved real time protection (it's faster and it starts earlier)
Threat source, not something to help with antivirus but cool in tracking down file share attacks.

Cons
How good is their spyware definition set really? It's an unknown.
Only works in manual and scheduled scan modes. No realtime protection.
Only logs or deletes the files it finds. It doesn't uninstall spyware for you.
BSOD when I attempted to install 9 over 7.03. Not good
Potential problems with XP service pack 2 (need to set registry keys)
Potential error with Outlook plugin.
Problems with uninstall of previous version where install path not available (curse you MSI)

Conclusion:
Until the Outlook problem is fixed, this is a no go for us. ETA for fix, late June or July.

Adaware or Spybot
I'm lumping these two together. I don't use Adaware, but I believe it has the same problems.
Pro
Able to remove files to a quarantine and restore them if necessary.
Large established spyware database
Familiar interface for the "advanced" users
Con
No centralized reporting
No centralized update
No centralized scheduled scans

Conclusion
Not ready for the corporate world.

Pest Patrol
These guys have a new version due out on Monday. I am reviewing the earlier version at this time.
Pro
Ability to run from login script, pretty cool.
When run from login script, you only need to update the server
Real time protection
Con
Their implementation guide requires an INSECURE implementation method in which all authenticated users have permissions to the files in the login script directory. This is really bad.
The database seems a bit overly broad. I think I've removed the categories, but I am worried about false positives as recovering from a false positive doesn't seem as simple as with spybot.
Alerting is email only.
If run on the local systems, my sole ability to manage it is by setting up a scheduled task to run a scan

Conclusion
Not ready for prime time. Let's see how the next version does. It looks promising based on the info I have been sent.

Webroot Spysweeper Enterprise
The corporate version is in beta. I have not been contacted after leaving my contact info on the site. It does sound promising.

Websense
Websense would only really make sense if you already own it or if you have a project to block porn also. By adding the spyware category it prevents systems from going to sites listed as spyware in their database. This can prevent new installs and prevent old installs from phoning home. I think this is a good part of a two layer approach.

Overall Conclusion
Sometimes companies like Gartner say the field is maturing...there is no perfect product...just buy now and limit the damage. The problem is you are being charged premium prices for an imperfect product. Also the "experts" will give us grief if we implement something that isn't as easy to use as their favorite product. Since NO spyware product has a perfect detection rate (from anecdotal evidence) they are bound to remind us how defective our product selection was. You can see why I might want to delay a decision for a while.

Enterprise Spyware Protection

Spyware is a problem affecting enterprises more and more. I think we are at a point similar to where we were with spam a year ago. It is starting to build to the point where users will not accept it any more. It is slowing the systems and exposing companies to legal liability. I predict that by this point next year anti-spyware software will be expected by the users just as anti-spam solutions are expected now.

Currently, there is an ad hoc approach. The smart users don't get spyware installed or they are able to install adaware or spybot and take care of the problem for themselves. Other users are left calling the helpdesk and you've now got downtime for the user as the anti-spyware software is installed, updated and run. Most of the products aren't even able to remove all threats.

If you push out the antispyware software on all users, and provide instructions on updating and running the software monthly or as they have problems, that is a solution destined for failure. It reminds me of antivirus software pre 1999ish.

A corporate network demands a centralized antispyware solution. Not because your company's computer guy wants to stay in control (well, that too). Rather it is important to make sure that the software is consistently run and updated. If there is a problem it should report back to a centralized point so that the helpdesk can be dispatched.

Over at myitforum.com we've been talking about various ways of preventing spyware.
1. User Education. Users should be aware that "free" applications often come at a price. Also when they are surfing they need to be careful about what they say yes or ok to. Often it's better to just close the window on a popup.
2. Browser configuration - While user education might help with the adware that gums up machines, much spyware is installed surreptitiously (I need to install IEspell on the computer I'm at) on computers via poor configuration of the IE security levels.
3. Vulnerability Patching - Even fully patched, Internet Explorer is a sieve for letting malicious websites mess with you. (wait, was that a mixed metaphor?) It's best to make sure everything on your system is well patched.
4. Personal firewalls that manage outbound activity can be helpful in letting you know what programs on your system are doing. They are also one humongous pain in the rear.
5. Install antispyware applications.

After reviewing non-software protections, I decided it was time to look at anti-spyware software. The antivirus companies are getting into the antispyware game. Symantec has it in 2004, and possibly 2003 consumer versions. SAV 9 corporate edition has spyware protection also. McAfee is known to have spyware definitions as well.

The question is how well do they fare?
I can't speak to McAfee since I'm a Symantec customer, but my cohorts at myitforum tell me that it isn't that great. It's difficult to separate the virus reports from the spyware reports. And often detection is ok, but removal is nonexistent.

That matches my experience thus far with Symantec. I was surprised to find that I could only scan for spyware during manual scans and scheduled scans. That was rather disappointing. The good news is that scanning for spyware isn't all or nothing. I can choose to scan for spyware and adware, but not jokes and hacking tools. This is important because it may be completely normal in your company to be running l0phtcrack or even more innocent things like samspade or netcat which some spyware vendors detect as hacking tools.

Important Features for Corporate Antispyware
1. Mechanism to control updates
2. Real-time scanning capabilities, not just scheduled scans
3. Centralized reporting

Thus far the anti-spyware software reviews I have seen are all about software designed for the end user. I'm currently looking at Symantec Antivirus 9, Pest Patrol Corporate Edition, and, if they get back to me, a beta of an enterprise version of Webroot Software's Spysweeper. I plan to continue this in a part two as I look more closely at specific solutions.

Did They Read It?

There seems to be a lot of controversy lately surrounding didtheyreadit.com. This company adds a webbug to your outgoing messages so that when the message is opened the web browser will open the webbug and signal the message as read. This is much more powerful than the standard return receipt because the return receipt requires the mail server or the mail client software to cooperate and return the receipt. Often by default the user is told of the return receipt request and they can say yes or no. Didtheyreadit.com attempts to signal back without the user being aware.

It can fail to work for a number of reasons.
1. Perhaps you have a personal firewall that blocks http connections from the email client.
2. Perhaps you are running a text based mail client that will not load images.
3. Perhaps you are running Outlook 2003 which does not load images from non-trusted users by default.

Also, who really wants to run all their mail through an untrusted server just to have them add the webbug in? If it's important enough to get a return receipt, why trust it to an unknown third party?
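The mechanism described above (a remote image reference that the mail client fetches when the message is rendered) is easy to spot mechanically. The following Python scanner is an added example written for this page, not code from the original post or from didtheyreadit.com: it walks the HTML parts of a message and reports remote images, calling out the 1x1 or hidden ones and those carrying a per-recipient token in their URL. The sample message and domains are constructed.

```python
# Added example, not from the original post: flag web bugs in an HTML e-mail.
# A web bug is a remote image the mail client fetches when the message is
# rendered; the fetch tells the sender it was opened. Domains are placeholders.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs
TINY = {"0", "1"}  # width/height values that mark an invisible pixel

class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []  # attribute dicts of every referenced image

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        m = re.search(r"url\(\s*['\"]?([^'\")]+)", a.get("style", ""))
        if tag == "img" and a.get("src"):
            self.images.append(a)
        elif m:  # CSS background images are fetched just like <img>
            self.images.append({"src": m.group(1), "style": a["style"]})

def classify(img):
    """Return the reasons a referenced image looks like a tracker ([] if none)."""
    u = urlparse(img["src"])
    if u.scheme not in ("http", "https"):
        return []  # cid: (attached) and data: images do not phone home
    reasons = ["remote"]
    if img.get("width") in TINY or img.get("height") in TINY:
        reasons.append("tiny")
    if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", img.get("style", "")):
        reasons.append("hidden")
    # a long opaque path segment or query value is typically a per-message id
    tokens = [v for vals in parse_qs(u.query).values() for v in vals] + u.path.split("/")
    if any(re.fullmatch(r"[A-Za-z0-9_-]{16,}", t) for t in tokens):
        reasons.append("per-recipient token")
    return reasons

def find_web_bugs(raw_message):
    """Return [(url, reasons)] for every remote image in the message's HTML parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _ImgCollector()
            collector.feed(part.get_content())
            found += [(i["src"], classify(i)) for i in collector.images if classify(i)]
    return found

# Constructed sample: one 1x1 tracking pixel plus a harmless attached logo.
SAMPLE = b"""From: sender@example.test
To: you@example.test
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hi there</p>
<img src="https://track.example.test/open/aB3dE5fG7hJ9kL1mN0pQ" width="1" height="1">
<img src="cid:logo@example.test" width="120" height="40">
</body></html>
"""
```

Calling find_web_bugs(SAMPLE) reports only the tracking pixel, as remote, tiny, and carrying a per-recipient token; the attached cid: logo is ignored. A mail gateway or client-side filter could run the same check before deciding whether to load images.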

But I didn't really write this article to discuss the features and drawbacks of didtheyreadit.com. That really isn't important to me.

I am amazed by the flurry of articles surrounding this product. The privacy nuts are out in full force. Imagine, a sender knowing when their email was read. What an outrage. The Linux zealots are also printing articles about how their text mail reader of choice doesn't rat out when your email was read. I

This is nothing new, and it's getting way too much press. If this continues a couple more days, I suspect Congress will pass a law against it. Probably in CAN-SPAM part 2. That is if they haven't already recessed for the summer.

http://www.usatoday.com/tech/news/techinnovations/2004-05-20-email_x.htm
http://arstechnica.com/news/posts/1085359926.html
http://slashdot.org/article.pl?sid=04/05/23/2146200

Ronald Scelson is upset. He says he complies with CAN-SPAM yet ISPs won't let him spam at will. Oh the humanity! You mean to say that CAN-SPAM wasn't meant to be the spammers' enablement act? Both pro and anti spammers have said that this is the likely outcome of the federal legislation. As long as the spammer has legit headers and contact information he is in the clear.

Was this legislation really meant to dictate whether an ISP can enforce their Acceptable Use Policy? Richard Scelson seems to think so. I suppose someday some wrongheaded judge will agree with him.

Powered by Movable Type 4.31-en

About this Archive

This page is an archive of recent entries in the Spyware category.
