StarDestroyer.Net BBS

Hi All:

Mike Healan of SpywareInfo.com and Suzi of Spyware Warrior have early word on some puzzling new developments on the anti-spyware front -- see:

Don’t Drink the WhenU Kool-Aid
»netrn.net/spywareblog/archives/2005/02..

Leading Antispyware Vendors Quietly Drop WhenU Detection
»www.spywareinfo.com/articles/spyware/w..

At the heart of this strange tale is WhenU, the well-known adware vendor that struck a controversial deal with anti-spyware maker Aluria late last year:

»WhenU Enters the Anti-Spyware Market

I should note that Mike's and Suzi's reports are based on some routine testing that I performed with the latest version of BearShare, a popular P2P file sharing application that bundles WhenU Save.

Here's what we know:

1) Lavasoft has Removed WhenU from its Detections Database

Lavasoft removed WhenU's applications from their definitions database sometime in the last month -- it looks like it was probably the Feb. 5 update, but it might have been earlier. It was certainly done after the Dec. 29th update, because WhenU's SaveNow is confirmed detected with that definitions database.

The problem is that nowhere did Lavasoft announce this significant change publicly. It certainly didn't appear in any of their recent update announcements, where removals are typically disclosed:

02-05-05
»www.lavasoftsupport.com/index.php?show..

01-25-05
»www.lavasoftsupport.com/index.php?show..

01-11-05
»www.lavasoftsupport.com/index.php?show..

This failure to disclose the removal of WhenU from the Ad-aware detections database to Lavasoft's customers is a serious matter. Whatever one thinks of the de-listing, it should have been disclosed and Lavasoft should have offered an explanation for this change in policy in a clear, public manner. It did not. Instead, it slipped the change into its detections database and failed to inform users, even after users began to complain that WhenU was not being removed, such as this Lavasoft customer did here:

»www.lavasoftsupport.com/index.php?show..

2) Pest Patrol has Removed WhenU from its Detections Database

It also appears that Pest Patrol removed WhenU from its detections database, though the situation here is a bit murkier. With the latest definitions Pest Patrol 5 does not flag any of the WhenU Save files. Strangely enough, it does flag a number of WhenU Registry keys, but erroneously labels them as BargainBuddy, Mirar Toolbar, and PurityScan. A sample chunk from a Pest Patrol 5 scan log:

said by PPv5Log.txt:2/13/2005-4:11:05 PM,29692390,-1630934736,Detected,BargainBuddy,Adware,453068324,key "hkey_local_machine \software\whenusave" value "iptomsa_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607404736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "uninstalltag_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607304736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "urlchangecount",-1,
2/13/2005-4:11:07 PM,29692390,-1607304736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "timeddbupdate_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607304736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "heartbeattime",-1,
2/13/2005-4:11:07 PM,29692390,-1607204736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "msa",-1,
2/13/2005-4:11:07 PM,29692390,-1607204736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "maxpopups_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607204736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "iptomsatime_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607204736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "src_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607104736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "himp_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607104736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandskin_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607104736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandstrip_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607004736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandstrip_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607004736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "db_incomplete",-1,
2/13/2005-4:11:07 PM,29692390,-1607004736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "db_server_update",-1,
2/13/2005-4:11:07 PM,29692390,-1607004736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "db_stamp_rs",-1,
2/13/2005-4:11:08 PM,29692390,-1604494736,Detected,PurityScan,Adware,453073488,key "hkey_classes_root \wusn.1" value "wusn_id",-1,
2/13/2005-4:11:13 PM,29692390,-1551924736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandstrip_rs" data "24",-1,
2/13/2005-4:11:13 PM,29692390,-1551924736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandstrip_url" data "http://spweb.whenu.com/save_brand3.html",-1,
2/13/2005-4:11:13 PM,29692390,-1551824736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "src_url" data "http://spweb.whenu.com/pop_up/",-1,

As you can see from one of the attached screenshots, Pest Patrol still detects BearShare, the host application, which is an odd arrangement indeed.

The situation is just as confused on the Pest Patrol web site, where the "Most Prevalent Pests" as of 2/13/04 listed 4 WhenU applications:

»research.pestpatrol.com/Lists/MostPrev..

If you click the names on that page for more information, you'll get next to nowhere, as the most obvious pathways to Pest Patrol's write-ups on WhenU's applications are now broken. The pages can still be found, as Suzi notes -- they're just not findable using the research page search function.

There are some tantalizing hints on Google that WhenU's de-listing was disclosed on this page:

»research.pestpatrol.com/News/New_And_I..

That de-listing seems to have happened with an earlier update that is no longer detailed on the above web page. Even if it was disclosed on that page, the change certainly was not prominently announced, nor do we have a public explanation for Pest Patrol's decision to de-list WhenU.

3) Aluria Security Center 4.0 Detects WhenU as Spyware

In what is surely the strangest twist in this whole story, Aluria's recently released Security Center 4.0, which incorporates the latest version of its standard anti-spyware application Spyware Eliminator, *does* detect WhenU Save as "spyware" (see the second attached screenshot above). This comes as a surprise because Aluria recently declared WhenU to be "Spyware-SAFE":

»www.aluriasoftware.com/spyware-safe/si..

It also partnered with WhenU to offer an adware-supported anti-spyware application called UControl:

»www.whenu.com/whenu_solution.html

Why Aluria's anti-spyware application would be flagging WhenU as "spyware" at the precise moment when Lavasoft and Pest Patrol are de-listing WhenU is puzzling.

We don't know at this point why Lavasoft and Pest Patrol apparently decided to de-list WhenU from their defintions databases, though we strongly suspect that these decisions are in reaction to a new notice and disclosure screen for WhenU Save that was recently added to the BearShare installation process (see the third attached screenshot above).

Full Disclosure:

In the course of my work on spyware and adware issues I routinely talk with a number of companies, individuals, and organizations, including anti-spyware vendors of all sorts. I also have occasion to exchange views with adware and spyware vendors, as readers of this forum will be well familiar with:

»Opinions, please: eBates MoeMoneymaker

As it happens, I became familiar with the new notice/disclosure screens for WhenU that were just recently incorporated into the latest installation of BearShare from several discussions with Avi Naider of WhenU. In fact, it was in the process of reviewing this new BearShare installation that I stumbled across the anomalous behavior with Ad-aware, Pest Patrol, and Aluria reported above.

Although I, like Mike Healan, regard the new notice/disclosure screens incorporated into BearShare to be a significant improvement on the installation process previously used in BearShare, I cannot recommend that anti-spyware vendors de-target WhenU's applications at this time for a number of reasons.

More importantly, though, I am very disappointed that anti-spyware vendors might have de-listed WhenU's applications without publicly and forthrightly announcing and explaining those changes to their users. Anti-spyware vendors are in a business that places a premium on trust, and it is critical that they be forthright with their customers -- many of them the victims of unscrupulous commercial behavior -- at every step of the way. When anti-spyware vendors de-list an adware application like WhenU from their detections, they have a duty to report that change in policy to their users. At the present point in time, it appears that Lavasoft and Pest Patrol did not fulfill this obligation to their users, and that is unfortunate.

Conclusion

In closing I should also note that I have asked Lavasoft about its removal of WhenU from the Ad-aware detections database -- see:

»www.lavasoftsupport.com/index.php?show..

At this time I have received no response from Lavasoft, though I look forward to both Lavasoft and Pest Patrol providing users a forthright explanation of their targeting policies for WhenU and any recent changes they might have implemented in those policies.

Best,

Eric L. Howes

Lavasoft does not cooperate with WhenU!
As a result of recent rumours and speculation by members of the privacy community and the public at large, Lavasoft wants to make clear that it has not and would not collaborate with any companies that have produced content detected by Ad-Aware. Ad-Aware products are designed purely for scanning and removing of suspicious content (at the user’s discretion) and Lavasoft would not ally with adversaries under any circumstances.

WhenU was indeed removed from the database by research in the last definition file. This however was due to WhenU not scoring more than 2 TAC points at the time, 3 points being the minimum score to be included in the database. More information on the Threat Assessment Chart can be found at http://www.lavasoftnews.com/ms/tac_main.htm
The TAC report will be reviewed in more detail by our R&D department and in case it turns out that the removal was incorrect, WhenU will naturally be reintroduced to the database.


For further information, please contact press@lavasoft.de

Mange the Swede wrote:BTW, what is WhenU?

Sharpshooter wrote:

Mange the Swede wrote:BTW, what is WhenU?

They're the sons of bitches who make and distribute certain adware systems.

Faram wrote:Lavasofts defence:

http://www.lavasoft.com/news/press/

Lavasoft does not cooperate with WhenU!
As a result of recent rumours and speculation by members of the privacy community and the public at large, Lavasoft wants to make clear that it has not and would not collaborate with any companies that have produced content detected by Ad-Aware. Ad-Aware products are designed purely for scanning and removing of suspicious content (at the user’s discretion) and Lavasoft would not ally with adversaries under any circumstances.

WhenU was indeed removed from the database by research in the last definition file. This however was due to WhenU not scoring more than 2 TAC points at the time, 3 points being the minimum score to be included in the database. More information on the Threat Assessment Chart can be found at http://www.lavasoftnews.com/ms/tac_main.htm
The TAC report will be reviewed in more detail by our R&D department and in case it turns out that the removal was incorrect, WhenU will naturally be reintroduced to the database.


For further information, please contact press@lavasoft.de

Sorry BULLSHIT!

If you remove a product from the detection base and do not inform anyone untill you are caught. That smells like BS to me.

Sorry but all your hard earned trust over years just flew out the door.

Stormbringer wrote:I'm inclined to at least accept it for now. It would have been nice if they made it know but I could see why they wouldn't make notice of it. Untill otherwise proven or it becomes a pattern, I'm inclined to accept their explanation for the time being.

Stormbringer wrote:

Sharpshooter wrote:

Mange the Swede wrote:BTW, what is WhenU?

They're the sons of bitches who make and distribute certain adware systems.

Which is as helpful as saying that water is wet. I think he's looking for something a bit more substantive than "its adware."

White Haven wrote:...people still use any one single cleaner?

Adaware, Spybot, Spysweeper, and CWShredder, followed by a HijackThis enema, then we get serious.

Faram wrote:

Stormbringer wrote:I'm inclined to at least accept it for now. It would have been nice if they made it know but I could see why they wouldn't make notice of it. Untill otherwise proven or it becomes a pattern, I'm inclined to accept their explanation for the time being.

In this case I hope you are right.

But they lost a hell of a lot of goodwill and I am not reinstalling aaw anytime soon.