February 21, 2007

Microsoft Apologizes for Serving Malware

Oops! Microsoft apologized today for serving banner ads for a well-known malware program.

Banner ads for the malware program, SystemDoctor 2006, recently began appearing on the MSN Groups website. When users clicked on the banner, a popup dialog was displayed asking the user to scan and fix system errors. Once the program was installed, users were bombarded with annoying "nag-ups" encouraging them to buy the software.

A Microsoft Australia spokesperson confirmed the malware vendor had slipped through its ad booking processes.

"We have learned that Microsoft was notified of malware that was being served through ads placed in Windows Live Messenger banners. As a result of this notification Microsoft immediately investigated the reports and removed the offending ads, as this is a violation of Microsoft's ad serving policy. Microsoft can confirm that the ads are no longer being served by any Microsoft system.

"Microsoft apologizes for the inconvenience and is reviewing Microsoft's ad approval process to reduce the chance of an occurrence such as this happening again. To help customers protect their PCs from malware threats, Microsoft recommends customers follow our Protect your PC guidance at www.microsoft.com/protect."

Source: APCMag.

Posted by Rich at 3:11 PM | Comments (0)

February 14, 2007

Our Official Reply To StopBadware

Hello Erica,

Thank you for your response. Before addressing some of your points, let me start by announcing that as of this morning, we have been removed from Google's blacklist. This was in no small part due to the assistance of an anonymous reader who emailed us yesterday with some pointers. Had I received this kind of assistance from StopBadware or Google at the beginning, we would not be having this public discussion right now.

However, I am probably in the minority of sites who are receiving a bit of special treatment due to all of the attention being focused on this, so this is hardly a long-term solution.

This leads us to the core of the problem that I have with the current system. It punishes well-intentioned websites, while allowing blatantly malicious websites to continue operating at will.

We're the first to admit that the warning system is not perfect. We do believe it's the best option we have right now to protect internet users from being victimized by badware.

"Not perfect" is an understatement - we have identified many well-known, malicious websites that Google/StopBadware have not flagged. Some of these sites are minor annoyances. Others spread dangerous and virulent forms of malware. Why aren't you focusing on them?

I believe it is fair treatment to hold StopBadware to the same standards that we would any other anti-spyware product, and right now you are receiving a very bad grade.

Our goal is to protect internet users from harmful software, not to "punish" site owners who have been victims of hacking.

This is commendable and I suppose everyone would be more sympathetic if it weren't for the hard-line "ends justify the means" attitude StopBadware employees express in your public forum. Your employees have demonstrated that they have no sympathy for innocent website owners. They have even gone so far as to label them "guilty" of spreading malicious code through neglect. You've made it perfectly clear that you aren't going to judge people by their intent. So why do you make an appeal to the internet community for sympathy based on your intent? This seems hypocritical.

As the FAQ notes, Google, not StopBadware, finds sites hosting or distributing badware and independently places the warning page in search results for the sites in question. Google sends that information to us, and we make it available through our Badware Website Clearinghouse. As is noted on the Clearinghouse page for Adware Reports (http://stopbadware.org/reports/container?reportname=www.adwarereport.com%2Fmt%2Farchives), StopBadware had not yet independently reviewed that site.

It's a serious problem that a site flagged by Google doesn't get the benefit of a human review for several months. There should not be such built-in neglect. I would go so far as to say that Google should not flag a site until it has undergone a human review because we've demonstrated that their scanning algorithms suck.

Also, it is not fair to put the blame entirely on Google's shoulders. As the Google FAQ (http://www.google.com/support/webmasters/bin/answer.py?answer=45432) states, StopBadware is responsible for processing appeals. Google will not remove a site from the blacklist until this has been done. They did their job in November by flagging us. It is now February. Their FAQ says that's your fault. Please comment as to what, if anything, will be done about this in the future.

We're talking with Google about ways to notify people that their site has been flagged, but it's actually more complicated than it initially would seem. There is no standard email contact for site owners, and there is a danger that guessing on an email address could end up notifying the wrong party. If that wrong party is a hosting service, there's a possibility that the website could be shut down entirely if the hosting service so chooses. Hosting services frequently take just that route when they receive complaints about content that might infringe intellectual property, for example. We feel that accidentally notifying a hosting provider instead of a site owner would be much worse for webmasters than the warning page, which does not actually take down or block a site.

That's silly. This is a basic legal writing exercise. You could simply send an email out with the proper messaging to ensure that this does not happen. For instance, you could simply include an explicit statement that if the email is received by a hosting provider, that no action should be taken until such time as you have contacted the website owner directly.

Furthermore, a human reviewer could easily have found the "contact us" link located on most reputable websites. They could also use the email associated with a Google account, or even the verified email address associated with a Google Webmaster Tools service account (all of which applies to Adwarereport).

This raises an interesting point. Having an email address on your website is a sign of a reputable website. So sending out alerts to these email addresses is a self-policing mechanism. Reputable websites will receive them. Disreputable sites will be less likely to. It would be a significant improvement over your current processes.

Google does offer alerts about warnings to webmasters signed up through its Webmaster Tools service. You can read more in this blog post on Google's webmaster central blog: http://googlewebmastercentral.blogspot.com/2007/01/about-badware-warnings.html.

We have been regularly using the Google Webmaster Tools service since January and have never seen these alerts in the website. I have been actively looking for them since the 5th, when we discovered we were blacklisted and read this same paragraph in your FAQ. Have you ever personally seen an alert within the tool? If so, can you provide a screenshot? I have looked on every single page in the tool but have never seen it.

With regard to the specific case of Adware Report, the Google warning (and corresponding listing in our Clearinghouse) is for http://www.adwarereport.com/mt/archives, not for the full site. While the instance of badware that initially caused the site to be flagged has been removed, other instances of badware were still on the site as recently as yesterday, based on testing performed by Google.

This is true - an anonymous reader emailed us and tipped us off to the problem and provided some assistance. "Some" is the operative word. I had to manually click through 770 HTML files by hand looking for hacked javascript. This site runs on a hosted account, so I do not have access to grep or other command line tools to automate the process. Still, I am very passionate about computer security so I took the time to do this. You are telling me in the above that you had a list of files that were hacked ... and you didn't provide it to me? That's what I call a broken system.

The current system does not take into account the effort required to fix these problems and as a result is extremely unfair to less technically-sophisticated website owners. These less tech-savvy website owners are also less likely to be intentionally spreading malicious software. So again, your current system is punishing the wrong people.

Please feel free to reply directly at admin@adwarereport.com. I hope that I've come across as constructively critical here. It is my intention to point out the flaws in the system and hopefully leave you with feedback you can use to improve your service.


Posted by Rich at 11:14 AM | Comments (2)

Official Response from StopBadware

It looks like we're finally getting somewhere. Here's the official response from StopBadware. We will reply in a follow-up post.

Hi everyone,

I work for StopBadware, and I'd like to help clear up some confusion in the Adware Report article and in the comments here about StopBadware's role in Google's malware warning system.

We're the first to admit that the warning system is not perfect. We do believe it's the best option we have right now to protect internet users from being victimized by badware. Our goal is to protect internet users from harmful software, not to "punish" site owners who have been victims of hacking. Both StopBadware and Google are working on making changes to the system, but not all changes are as simple to implement as they are to suggest. We are balancing time coding and implementing changes with time spent responding to individual webmasters that have cleaned and secured their sites and want their warnings removed.

To clear up some major misunderstandings in the original article and in this thread, I'd like to point to our FAQ about the Google warnings, and about StopBadware's role in helping websites clean up and get off the warning list. The FAQ is available here:
http://stopbadware.org/home/faq#partnerwarnings

As the FAQ notes, Google, not StopBadware, finds sites hosting or distributing badware and independently places the warning page in search results for the sites in question. Google sends that information to us, and we make it available through our Badware Website Clearinghouse (http://stopbadware.org/home/clearinghouse). As is noted on the Clearinghouse page for Adware Reports (http://stopbadware.org/reports/container?reportname=www.adwarereport.com%2Fmt%2Farchives), StopBadware had not yet independently reviewed that site.

Where Stopbadware comes in as an active player in the badware warnings process is when someone, usually a site owner or webmaster, requests that we review a site that has been flagged by Google. They can submit a Request for Review through our web form (http://www.stopbadware.org/home/review). The Request for Review form notes that requests can be processed more quickly if a site owner first locates the badware on their site, cleans it up, and - if the badware was hacked onto their site - also finds and fixes any security vulnerabilities that allowed their site to be victimized in the first place. Once a request for review has been submitted, we address each request as quickly as possible. If our testing finds a site to indeed be clean, we let Google know, and Google also tests to confirm that the site is clean. In our experience, when Google confirms a site is clean, they generally remove the warning page quite quickly, and we correspondingly remove the site from our Clearinghouse.

So, why is StopBadware involved in the Google warnings at all? We're an independent, nonprofit body associated with two major research universities (Harvard and Oxford), and as such we are well placed to serve as an impartial third party.

Another issue that comes up in questions to us is notifying webmasters about the Google warnings. We're talking with Google about ways to notify people that their site has been flagged, but it's actually more complicated than it initially would seem. There is no standard email contact for site owners, and there is a danger that guessing on an email address could end up notifying the wrong party. If that wrong party is a hosting service, there's a possibility that the website could be shut down entirely if the hosting service so chooses. Hosting services frequently take just that route when they receive complaints about content that might infringe intellectual property, for example. We feel that accidentally notifying a hosting provider instead of a site owner would be much worse for webmasters than the warning page, which does not actually take down or block a site. Google does offer alerts about warnings to webmasters signed up through its Webmaster Tools service. You can read more in this blog post on Google's webmaster central blog: http://googlewebmastercentral.blogspot.com/2007/01/about-badware-warnings.html.

With regard to the specific case of Adware Report, the Google warning (and corresponding listing in our Clearinghouse) is for http://www.adwarereport.com/mt/archives, not for the full site. While the instance of badware that initially caused the site to be flagged has been removed, other instances of badware were still on the site as recently as yesterday, based on testing performed by Google. While testing by both StopBadware and Google has shown the site to be clean today, and we have informed the site owner of that finding, the owner may need to take steps to ensure that the website will be secure against hacking in the future in order to prevent repeat infections. We have some pointers for cleaning and securing websites here: http://stopbadware.org/home/security.

I'm happy to discuss concerns with any digg readers, either here, on our discussion list, or one-on-one over email. The discussion list is at http://groups.google.com/group/stopbadware, and my email is egeorge AT cyber DOT law DOT harvard DOT edu.

thanks,
Erica

Posted by Rich at 9:43 AM | Comments (0)

February 13, 2007

Why Google Can't Be Trusted to Protect Your PC

We uncover the glaring holes in Google's malware detection algorithms

Google is now blacklisting sites for allegedly "harming people's computers". If a site fails to meet their web safety "guidelines" (for instance, by installing unwanted programs), it will be flagged with a warning message such as the one in the screenshot below. Clicking on the link shows you a dire warning that you are in danger. There is no way to click through to the site. To visit it, you have to manually cut-and-paste the URL into your browser address bar. Very few people do this, so the end result is that these sites end up losing virtually all of their Google traffic. This is devastating to most sites because Google usually accounts for the vast majority of traffic.


This is what you see when you come across a blacklisted site in Google. Yes, that is us (don't believe them).

Can you rely on these warnings to keep you safe? Here's proof that you can't.

SpyAxe is a notorious rogue software program that took the internet by storm in December 2005. This program downloaded itself onto countless computers, nagging the user with endless popups into buying the program to remove the spyware on their computers. The program itself did nothing except install a number of other Trojans in the background. There is speculation that over 100,000 people were affected and many of them paid SpyAxe $40 a pop to buy this bogus product.

The website is still around, and Google seems to think they are safe for you to visit. On the left is the SiteAdvisor warning and on the right is Google's search results. Notice no warning:


SiteAdvisor 1, Google 0

SpyAxe was cloned as soon as people started realizing it was a scam. There were a bunch of clones under names like SpywareStrike, SpyFalcon, and so on. These sites are still around and you can readily download their Trojan-loading malware if you stumble across their site. No warning from Google though:


Oops, missed another one. Maybe it's just a fluke.

In October, AdwareReport (us) found a cache of branded adware installers at ExactSearchBar.com. Why? Because we hate spyware and that's what we do. The funny thing is that we found it by searching on Google. They happen to think these are ok for you though. If you want to try this out at home, the URL is http://exact searchbar .com/Download/Standalone/exactSetup.exe (remove spaces). Do this only at your own risk!! FYI - there are about 2 dozen branded loaders, and you wouldn't believe the companies whose names are on them (you've heard of many of them).

Here's what SiteAdvisor and Google think about this as well:


We found a cache of adware loaders at this site and so did SiteAdvisor. Google missed all of them though.

There are countless other examples, some of which I've listed below (and I have plenty more in my back pocket in case these come down). What we've proven here is that even while Google/StopBadware are blacklisting high-quality, reputable sites that are innocent of intentionally spreading malicious software, they are doing a very poor job of finding the sites that are known malware offenders.

Think this sucks? Read how they're screwing us.

Other known malware sites that Google thinks are perfectly safe ...

Visit at your own risk (spaces inserted to prevent accidental clicking). All of these URLs were working and none were flagged as "badware" on Google when I posted this. I expect them to be removed shortly and/or Google will start flagging them.

  • http://www.en browser.com/SnackMan.exe ... known adware, installs other Trojans in background.
  • http://www.error guard.com ... rogue PC repair application that makes use of false positives, consumes CPU cycles, and continually spawns friggin' annoying nag popups.
  • http://gogo tools.com/gogotoolsinstaller.exe ... toolbar, adware, BHO, monitors browser activity
  • http://killand clean.com/KillAndCleanSetup.exe ... rogue spyware remover. Scam.
  • http://kazaa.com ... the P2P file sharing service, riddled with adware. If you don't think this screws up your computer, you're nuts.
  • http://www.sexy-scr een-savers.com ... tons of bundled toolbar,spyware, and adware installers, including ClickSpring and Webhancer
  • http://www.purity scan.com/download-public/PuritySCAN2.exe ... installs clickspring and causes lots of nasty popups on your PC. Don't touch this with a ten foot pole.
  • http://spy sheriff.com ... system hijacker. This one is so common that we have an article dedicated to it.
  • http://www.123 mania.com/GIDCAI32.cab ... here's the cab install file which is used as the source of a drive-by install.

Posted by Rich at 2:17 PM | Comments (1)

February 12, 2007

Google: Killing the Internet One Site At A Time

Update: this article has received tens of thousands of visitors in the past 24 hours, resulting in a lot of healthy debate. I am not able to respond to all of it, but I have included my response to some objections raised on the StopBadware usenet group at the end of this article.

Update 2: I took down the ads from this page because I didn't want to offend all of the digg users visiting us. However, the bandwidth you guys are consuming is out of control, so I had to put them back up. I have to do something to pay the bills around here.

Are Google and StopBadware unfairly punishing innocent website owners? Let your voice be heard by digging this article (click the icon to the left).

StopBadware and Google have been getting a lot of bad press from both bloggers and mainstream media outlets (such as CIO magazine) lately for flagging sites as containing malicious software when in fact these sites are harmless. The people at StopBadware are unsympathetic and various posts in their forum illustrate the fact that they do not consider themselves responsible for their actions. Hopefully this article will reach someone at Google and spark a change for the better.

For those of you who are here for the first time, AdwareReport provides independent testing and reviews of many anti-spyware products and has been helping people solve their spyware-related problems since early 2004. We've broken a number of stories about spyware and rogue software scams, and most recently, we were the first site to educate people about the flooder.ake bug, saving many, many Grisoft AVG users from having to reformat their computers.

Sometimes we've lost a lot of money in the process of helping people (breaking the flooder.ake problem ran up several thousand dollars in advertising costs), but overall the site makes a small profit, allowing me to work from home. This is really important for my family, as my young son is a heart transplant recipient and requires his mother or I to be around at all times, in case of a sudden rejection or other medical problem. StopBadware's "false positive" has put us in serious financial distress. This site is expensive to run, and I am now forced to consider the possibility of shutting it down.

How StopBadware Is Screwing the Internet

In late November, StopBadware flagged our site as one that "hosts or distributes badware". This resulted in the following:
  • Our website traffic has dropped by over 70%
  • In late November, we were ranking in the top 10 for over 50 terms on Google ... today we rank for only 4.
  • We lost our DMOZ listing, which is a serious blow to our future on the web.

If you do happen to find us through Google, you are greeted with a page that looks like this:


Screenshot showing how Google has blacklisted us based on StopBadware.org's recommendation


If you click on the link, you will be presented with an ominous page that warns the user that our site "may harm your computer!" There is no way to continue on to our site unless you manually copy the link into your address bar:



This is happening to hundreds of great sites all across the internet.

Why We Were Blacklisted

We can't say exactly why StopBadware blacklisted us, because they haven't bothered to share this data with us. However, the guys at Siteadvisor did help us pin down an old archived page that contained an iframe redirect. This is an encrypted javascript snippet that embeds a hidden iframe on a page. This frame redirected visitors to a Russian malware site. I won't put the code here - if you are really interested, look up "adwarereport.com" on SiteAdvisor and you can see it there. The important thing to know about this is that we didn't put it there - it was injected by someone else through a server vulnerability that we've since closed. Furthermore, only a handful of people ever visited this page (fewer than 20).
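As an added example, not code from Adware Report, StopBadware or SiteAdvisor, this Python script does the check that the reply post further up describes doing by hand across 770 archived pages: it walks a site's HTML files and flags iframes hidden by size or style, like the injected redirect described here, plus the unescape()/fromCharCode script blocks that usually carry them. The sample pages, the malicious.example host and the file names are constructed for the demo.

```python
"""Scan archived HTML pages for injected hidden iframes and obfuscated scripts.

Added example; the sample pages and hosts below are constructed, not real.
"""
import os
import re
import tempfile
from dataclasses import dataclass

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# name="value", name='value' or name=value (unquoted, as injected markup often is)
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
# Obfuscation heuristics: unescape()/eval() over a long %XX-encoded literal,
# document.write(unescape(...)), or a long String.fromCharCode() list.
OBFUSCATION_RE = re.compile(
    r"(?:unescape|eval)\s*\(\s*['\"](?:%[0-9a-fA-F]{2}){8,}"
    r"|document\.write\s*\(\s*unescape"
    r"|String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Finding:
    path: str
    kind: str    # "hidden_iframe" or "obfuscated_script"
    detail: str  # iframe src, or the start of the script body


def _attrs(tag):
    """Return the attributes of one HTML start tag as a lower-cased dict."""
    out = {}
    for m in ATTR_RE.finditer(tag):
        out[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return out


def _tiny(value):
    # A 0 or 1 pixel dimension is the usual way an injected frame is hidden.
    v = value.strip().lower().rstrip("px")
    return v.isdigit() and int(v) <= 1


def is_hidden_iframe(tag):
    """Flag an <iframe> start tag that is invisible by style or by size."""
    a = _attrs(tag)
    if HIDDEN_STYLE.search(a.get("style", "")):
        return True
    return _tiny(a.get("width", "")) or _tiny(a.get("height", ""))


def scan_html(text, path="<inline>"):
    """Return Findings for hidden iframes and obfuscated scripts in one page."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if is_hidden_iframe(tag):
            findings.append(Finding(path, "hidden_iframe", _attrs(tag).get("src", "?")))
    for m in SCRIPT_RE.finditer(text):
        body = m.group(1)
        if OBFUSCATION_RE.search(body):
            findings.append(Finding(path, "obfuscated_script", body.strip()[:60]))
    return findings


def scan_directory(root, exts=(".html", ".htm")):
    """Walk a site's document root (no grep needed) and scan every HTML file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_html(fh.read(), full))
    return findings


# Constructed sample pages: a clean archive page and the same page with an injection.
CLEAN_PAGE = (
    "<html><body><h1>Archive</h1><script>var count = 1;</script>"
    '<iframe src="https://example.com/widget" width="300" height="200"></iframe>'
    "</body></html>"
)
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://malicious.example/in.php" width=0 height=0 '
    'style="visibility:hidden"></iframe>'
    "<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D'))</script>"
    "</body>",
)


def demo():
    """Write the constructed pages to a temp directory, scan it, return (file, kind, detail)."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "archives"))
        with open(os.path.join(tmp, "index.html"), "w", encoding="utf-8") as fh:
            fh.write(CLEAN_PAGE)
        with open(os.path.join(tmp, "archives", "000123.html"), "w", encoding="utf-8") as fh:
            fh.write(INJECTED_PAGE)
        return [(os.path.relpath(f.path, tmp), f.kind, f.detail) for f in scan_directory(tmp)]
```

Run demo() against a real document root by replacing the temp directory with the site's path; each finding names the file so the injected markup can be removed and the page re-scanned.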

It might have been fair if Google issued the warning only for this page, but they didn't. They issued the warning for every page on our site. We used to get thousands of visitors daily from Google. Today we average 30.

In other words, if you, the webmaster of your site, happen to get victimized by a hacker, then you will also be severely punished by Google/StopBadware on top of it. Fair?

StopBadware is Broken

In another post, we compared the way that StopBadware is run today with McCarthyism. Joe McCarthy was a senator from Wisconsin from the late '40s to the late '50s who was responsible for what became known as the "Second Red Scare". If you didn't hear about him in history class or missed the recent movie, "Good Night and Good Luck", Joe McCarthy accused thousands of Americans of being Communists or communist sympathizers. Many of these people suffered loss of employment, lost their careers, or were even thrown in jail. It turned out in the end that Senator McCarthy's witch hunts were little more than an abuse of power, a way to scare others for his own benefit.

Maybe this is a little extreme, maybe not. But the lesson I learned from history class was that character assassinations by those in power could happen anytime, anywhere. And those in power will deny it and find all sorts of rationalizations to defend their actions, even when those actions are clearly wrong. In their minds, the ends justify the means. Re-read that last sentence, because it's about to come up again really quickly.

Not Only Are They Broken, They Don't Care What You Think

This attitude is demonstrated in post after post at the StopBadware forums. They make some good points over there, such as this one made by Michael Buckley:

Next, I'd like to go through a few of the arguments point-by-point:

1. StopBadware/Google are not differentiating between the good guys and the bad guys.

Unfortunately, intent doesn't come into play here. Whether or not you intended your site to infect customer machines is irrelevant to the end result. (emphasis mine)

Applying this logic to StopBadware, we can conclude that while StopBadware may have good intentions, it simply doesn't matter ... the end result does. To them, they are fighting the spread of malicious software on the net. But to us innocent website owners who have been victimized by them, the end result is that they are taking away our livelihood and harming our families.

Another favorite argument of theirs is that website owners are responsible for ensuring the safety of their site. A reasonable enough statement, but consider for a second that a site such as this one has hundreds of pages and thousands of links, many of which I haven't visited in years. StopBadware expects me to check every page and every link daily to ensure that they haven't been hacked and that they don't lead to possibly dangerous sites. Guys, I would love to - but I'm trying to stay focused on fighting the spyware problem. I can't do that if you expect me to constantly monitor every nook and cranny of my website, most of which are never visited (except by your spiders).

I won't go into picking apart the rest of the erroneous arguments that are put forth on their forum, as it would be boring for our readers. I will simply describe the situation as it is:

  • StopBadware flags whatever websites it wants as being potentially harmful and reports these findings to Google, resulting in a nearly complete shut-off of all internet traffic. Those of us who run good sites depend on this traffic for their livelihood - it's usually impossible to run a quality site simply as a hobby, especially if that site runs up expensive hardware and software bills like this one does.
  • They do not inform the website owner that they have been flagged. For instance, they flagged us two months ago ... we just found out a few days ago.
  • They do not work with website owners in any way to help them identify or fix any problems. The StopBadware Clearinghouse is meant to do this, but it's a joke ... they don't provide any useful data at all.
  • If a flagged website wants to resolve the problems brought about by all this, they have to first figure out what the problem areas are (which is like finding a needle in a haystack), and then send in an appeal to a blind email address. Appeals are supposed to be answered within 10 days, but there are reports of people waiting two months or longer to hear back (we've been waiting 5 days so far).

A Wake-Up Call To Google: "Don't Be Evil"

Those in power have the responsibility to wield it properly. Any organization running a blacklist has a duty to inform those they put on the list of their actions, the reasons why they were blacklisted, and to provide acceptable feedback mechanisms, including a grace period within which to correct the problems. There must be sufficient steps taken to ensure a 100% transparency into this process.

You took it upon yourselves to become the internet policeman. I did not appoint you. Nobody held a gun to your head and made you do this, therefore you have a moral obligation to do it properly.

This is what you must do to fix this:
  • Inform websites of their inclusion on the blacklist. This should be done via WHOIS email or through contact information on the website (this can be easily found through the same automated agents that StopBadware uses today).
  • Provide sufficient information to webmasters of any problems identified by StopBadware's automated agents.
  • Allow sufficient grace period for webmasters to fix any problems that have been identified on their sites.

Like most people, I run anti-spyware and anti-virus software on my computer. Google's warnings that "this site may harm your computer" do nothing but inconvenience me (and piss me off). It is clearly debatable whether the benefits that your warnings provide to the internet population as a whole outweigh the damages you cause by libeling innocent sites. Instead of trying to put your fingers into every little bucket the internet has to offer (what I like to call, "pulling a Microsoft"), you should shut down StopBadware until such time as they correct these issues.

Other Innocent Sites Screwed By Google

Has your site been blacklisted? Post a comment and we'll add you to the list. We also welcome comments from StopBadware and Google.

Update: My response to objections raised on the StopBadware forum


CometCom1,

I am the owner of AdwareReport and I wrote the article. It seems that you've put some serious thought into this, and I felt this was worth replying to.

1. You mention that I blame StopBadware and not Google, and then make the claim that this was an instance of social engineering.

Actually I placed the blame squarely on StopBadware *and* Google in several places, and I've done so on other articles on my site as well. Someone pointed out that it was Google who flagged the site and then submitted it to StopBadware. I have no reason not to believe them, but take into account this quote from Google's Webmaster Help Center (http://www.google.com/support/webmasters/bin/answer.py?answer=45432):

"All appeals and reviews are handled by StopBadware.org. Please send an email to appeals@stopbadware.org explaining why you think your site was mistakenly identified or how you have modified your site. They will investigate and contact you with their findings. If they determine that your site does not spread malicious software, they will inform Google, who will remove the identification from the search results."


Let's be clear - both parties share the responsibility. Google is responsible for flagging the site, placing an ominous warning on my search results, removing the direct link to my site, and not informing me nor giving me any grace period. StopBadware is responsible for listing my site in their clearinghouse, not providing any helpful data to resolve the problem, not informing me that they've put me in the clearinghouse, and not responding to my appeals email in a timely manner.

Corporations often use policies and buck-passing to avoid taking responsibility for their actions. This is not conjecture. I have an MBA from Kellogg with a concentration in management psychology, but it doesn't take a master's degree to recognize that these two organizations are hurting people through their neglect and inefficiency.

2. You criticize the fact that I mention my family's medical problems in this post:

>This is really important for my family, as my young son is a heart
>transplant recipient and requires his mother or I to be around at all
>times, in case of a sudden rejection or other medical problem.

Ah ok, if you have a prescription from your doctor, it's ok?


I am exercising considerable restraint in replying to this, but I'm going to assume that you didn't mean to come off as callous as you did.

I mentioned this fact in the article as a direct response to the laissez-faire attitude of most of those who defend StopBadware's and Google's actions to date. They want you to think that it's just a bunch of bits-and-bytes, or perhaps a little money that is at stake. It's way more than that - many people depend on the internet to support their families, and Google/StopBadware is victimizing them through their lack of attention and carelessness.

3. "McCarthyism also does not cover quite, as 1. It has nothing to do with the government, 2. there is proof. "

To answer your first point, the use of the term McCarthyism is no longer limited to government activities. From wikipedia (http://en.wikipedia.org/wiki/Mccarthyism#Current_use_of_the_term):

Current use of the term
Since the time of McCarthy, the word "McCarthyism" has entered American speech as a general term for a variety of distasteful practices: aggressively questioning a person's patriotism, making poorly supported accusations, using accusations of disloyalty to pressure a person to adhere to conformist politics or to discredit an opponent, subverting civil rights in the name of national security and the use of demagoguery are all often referred to as McCarthyism.


In regards to your second, neither StopBadware nor Google has come up with any proof. They have not responded to my appeals email, they have not listed any helpful data in their Clearinghouse. There is nothing but a vague description that says we "host or distribute badware" and a URL to a directory listing on our site. We've searched that directory and there is absolutely nothing in it that would constitute "badware". Wouldn't you agree that this is an unfounded accusation?

If you are referring to the iframe redirect that we found on our site, the URL of that code is not listed in the clearinghouse, and this problem was identified by SiteAdvisor. And to their credit, they contacted me via email several weeks before the problem report was uploaded to their site.

4. You critique my suggestion to get in touch with the webmaster of a site to inform them of inclusion on the blacklist:

>Fact - There don't exist provisions on the internet to get in contact with a webmaster.


This is not fact. Any programmer can write code in a matter of minutes to mine all of the email addresses found on a website. Then it's a simple matter to match the URL. In our case, there is a spider-friendly link in our top navigation bar with our email address ("Everything Else" -> "Contact Us"). Most reputable sites have contact information. Most disreputable websites (i.e., those with malicious intent) do not. Implementing this procedure would actually reward the good guys and punish the villains.

Not only is this easy to do, it is likely that Google already has this information in their search index. For instance, it is widely conjectured that Google has technology that looks for common indicators of trust, such as privacy policies and "contact us" links, and uses the presence of these factors in calculating their search rankings.
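The contact-finding step described above, as an added example rather than code from this site or from Google/StopBadware: given one page of a site's HTML and its URL, it collects mailto: links, addresses in the visible text, and any link labelled "Contact", then separates addresses on the site's own domain from third-party ones so that a notification would go to the webmaster and not to, say, an ad network. The hostname, page markup and addresses are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hypothetical site and addresses, constructed for this example.
SITE_URL = "http://www.example-report.com/"
SAMPLE_HTML = """
<html><body>
<ul id="nav">
  <li>Reviews</li>
  <li>Everything Else
    <ul><li><a href="/contact.html">Contact Us</a></li></ul>
  </li>
</ul>
<p>Questions? Write to <a href="mailto:admin@example-report.com?subject=Hi">admin</a>
or to support@example-report.com.</p>
<!-- third-party widget, not the site's own address -->
<p>Ads served by ads@adnetwork.example</p>
</body></html>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _ContactParser(HTMLParser):
    """Collects mailto: addresses, links labelled 'contact', and visible text."""

    def __init__(self):
        super().__init__()
        self.mailto, self.contact_links, self.text = [], [], []
        self._href = None
        self._label = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._label = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        href, label = self._href, "".join(self._label).strip().lower()
        if href.lower().startswith("mailto:"):
            # Drop any ?subject=... part so only the address remains.
            self.mailto.append(href[len("mailto:"):].split("?")[0])
        elif "contact" in label or "contact" in href.lower():
            self.contact_links.append(href)
        self._href, self._label = None, []


def _registrable_host(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_webmaster_contacts(html, page_url):
    """Return contact routes found on one page, split by whether the address
    belongs to the site itself (same domain) or to some third party."""
    site_host = _registrable_host(page_url)
    p = _ContactParser()
    p.feed(html)
    addresses = set(p.mailto) | set(EMAIL_RE.findall("".join(p.text)))
    same, other = [], []
    for addr in sorted(addresses):
        domain = addr.rsplit("@", 1)[1].lower()
        on_site = domain == site_host or domain.endswith("." + site_host)
        (same if on_site else other).append(addr)
    return {
        "same_domain": same,
        "other": other,
        "contact_pages": sorted({urljoin(page_url, h) for h in p.contact_links}),
    }


if __name__ == "__main__":
    print(find_webmaster_contacts(SAMPLE_HTML, SITE_URL))
```

A crawler that keeps only the `same_domain` list and the `contact_pages` link would have what it needs to tell a site owner about a listing; addresses in `other` are exactly the ones that should not be written to, since they are not the site's.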

5. Your parting guesses about why I wrote about this:

>I do expect Richard to follow up on this, and work with stopbadware to improve this - otherwise why all the fuss - a damage control and free advertising campaign ?


Actually, it was to fight back against this injustice being pushed upon innocent webmasters all over the internet. It was a response to the condescension and antipathy shown towards webmasters by certain posters in this group. Or to be less abstract about it, the attitude some of you have of "fuck you, so what if this process is broken, you have no right to complain because you are a guilty badware distributing motherfucker. Now shut up and comply."

Why should I work with StopBadware any more than I have? I didn't appoint them to be the internet's policeman. They took this on themselves, so they can fix their own damn problems. I've given them a crystal-clear checklist of improvements, fixed all known problems, and filed my appeal, so now they can stop penalizing my site and let me get back to what I like doing - helping people fight spyware.
Tells the story about how StopBadware.org libels innocent websites by falsely accusing them of distributing badware.
Posted by Rich at 1:20 AM | Comments (23)

February 11, 2007

StopBadware victimizes another site

StopBadware recently blacklisted Mister Poll, an internet polling site. This comment captures the frustration experienced by their webmaster:

Wow. My head is spinning with that one. I can’t even express how amazingly unreasonable it is to expect sites to police every single link that’s placed within their content. Not only would you have to review each link when it’s first posted, but you would have to continually re-visit them forever, to make sure every site linked to is still clean. Impossible.

So some spammer posts a link to a questionable site in your message forums, and wham, you’re out of Google. Even worse, somebody posts a link to a legitimate site, and that site is later hacked in some way. Not only do they get blacklisted, so do you and everybody else on the web who links to them.

That’s unreal. That’s the death of the hyperlink and essentially the death of the web. What kind of a web are we left with if the strands don’t interconnect? It’s no longer a web, but a massive stretch of lonely islands. Somebody stop these StopBadware.org folks. Please.

On a good note, John Palfrey of StopBadware and Matt Cutts of Google both stepped up to help fix the problem.

Posted by Rich at 8:18 PM | Comments (0)

An Update on Google Blacklisting / Any DMOZ editors out there?

Still no word yet from StopBadware regarding their blacklisting of our site, but we did get some feedback from SiteAdvisor which helped us to identify what was likely the problem. The first popup image on our PestPatrol review page was hacked with a nasty little piece of JavaScript that opened a hidden iframe and redirected IE6 users to a Russian website. This site would then reportedly install a piece of malware.
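The kind of injection described above (a hidden iframe, written by a script that only fires for a particular browser, pointing at a third-party host) is something a site owner can check for in their own pages. The following is an added example, not code from this site or from SiteAdvisor: it scans a page's HTML for iframes that are hidden or zero-size or that point off-site, both in static markup and inside inline scripts that write them with document.write, and notes when the script is gated on navigator.userAgent. The sample page and the injected host name are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: a review page with one benign frame plus two
# injected elements of the kind described in the post. Hosts are placeholders.
SITE_HOST = "example-report.com"
SAMPLE_PAGE = """
<html><body>
<h1>PestPatrol review (popup image)</h1>
<img src="/images/pestpatrol-1.gif" alt="screenshot">
<iframe src="/poll.html" width="300" height="200"></iframe>
<!-- injected: static hidden frame -->
<iframe src="http://injected.example/x.php" style="display: none"></iframe>
<!-- injected: script that only fires for IE6 and writes a zero-size frame -->
<script type="text/javascript">
if (navigator.userAgent.indexOf("MSIE 6") != -1) {
  document.write('<iframe src="http://injected.example/in.cgi" width=0 height=0 frameborder=0></iframe>');
}
</script>
</body></html>
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ATTR_RE = re.compile(r'([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def _attrs(tag):
    """Parse name=value pairs (quoted or bare) out of one opening tag."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag)}


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    dims = [attrs.get(k, "").strip().lower().rstrip("px") for k in ("width", "height")]
    return ("display:none" in style or "visibility:hidden" in style
            or any(d in ("0", "1") for d in dims))


def _is_offsite(src, site_host):
    host = urlparse(src).hostname
    return host is not None and host != site_host and not host.endswith("." + site_host)


def scan_for_injected_iframes(html, site_host):
    """Return findings for iframes that are hidden/zero-size or point off-site,
    whether they sit in the markup or are written by an inline script."""
    findings = []

    def check(tag, where, extra=()):
        a = _attrs(tag)
        reasons = list(extra)
        if _is_hidden(a):
            reasons.append("hidden or zero-size")
        if _is_offsite(a.get("src", ""), site_host):
            reasons.append("off-site src")
        if reasons:
            findings.append({"where": where, "src": a.get("src", ""), "reasons": reasons})

    # Static markup with scripts removed, so a frame written by
    # document.write() is not counted twice.
    for m in IFRAME_RE.finditer(SCRIPT_RE.sub("", html)):
        check(m.group(0), "markup")
    # Frames assembled inside inline scripts; note browser gating, which is a
    # common tell for an injection aimed at one vulnerable browser.
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        gated = ["gated on navigator.userAgent"] if "navigator.userAgent" in body else []
        for im in IFRAME_RE.finditer(body):
            check(im.group(0), "script", gated)
    return findings


if __name__ == "__main__":
    for f in scan_for_injected_iframes(SAMPLE_PAGE, SITE_HOST):
        print(f)
```

The benign poll frame is not reported because it is visible and same-site; the two injected ones are, with the reasons attached so a reviewer can see why. A scan like this only catches frames written in the clear; scripts that build the tag with unescape or fromCharCode would need the body decoded first.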

Fortunately, very few people ever clicked on that image. We fixed the problem and have upgraded our Movable Type installation so these types of hacks shouldn't be possible anymore. However, that doesn't fix the problems caused by StopBadware:

* We've lost most of our rankings on Google
* We've lost our DMOZ listing - this was a huge setback. Being listed in the ODP lets Google know that we are a relevant, trustworthy site.
* Our links on Google (for those keywords in which we are still ranking) are being blocked, making it very difficult for people to actually click through.

I still find it incredibly frustrating that I could spend three years building a website that has been visited by over a million people (and presumably has helped many of them), and StopBadware can take all of that away overnight.

Emails, diggs, comments, and links to the original article are appreciated. And if you happen to be a DMOZ editor (or know one), can you help us get reinstated in the directory?

Huge props to SiteAdvisor for helping us to find the problem.

Posted by Rich at 12:21 PM | Comments (0)

February 7, 2007

Microsoft's Vista A/V Fails Certification

Microsoft's much-hyped anti-virus solution, Live OneCare along with three other Vista AV products failed to achieve the Virus Bulletin's VB100 certification. The other products are McAfee's VirusScan Enterprise, G DATA's AntiVirusKit 2007, and Norman's VirusControl. All failed to pass a series of tests that are required to display the VB100 badge. 'With the number of delays that we've seen in Vista's release, there's no excuse for security vendors not to have got their products right by now,' said John Hawes, technical consultant at Virus Bulletin.

The VB100 Certification is an important component of the AdwareReport Antivirus rankings.

Posted by Rich at 7:23 AM | Comments (0)

February 5, 2007

StopBadware.org - Incompetence or McCarthyism 2.0?


Urgent call for help to our readers: We are one of many innocent sites that have been blacklisted by Google/StopBadware. You can help us out by giving us a digg (click the icon to the left). Digg is a really cool social networking news site that lets people vote for interesting sites on the web. If you aren't already using it, you should - it takes just two minutes or so to register.


Joe McCarthy was a senator from Wisconsin from the late '40s to the late '50s who was responsible for what became known as the "Second Red Scare". If you didn't hear about him in history class or missed the recent movie, "Good Night and Good Luck", Joe McCarthy accused thousands of Americans of being Communists or communist sympathizers. Many of these people suffered loss of employment, lost their careers, or were even thrown in jail. It turned out in the end that Senator McCarthy's witch hunts were little more than an abuse of power, a way to scare others for his own benefit.

One of the lessons we were supposed to learn from that period was that character assassinations by those in power could happen anytime, anywhere.

We've been following the progress of a couple of sites designed to help people avoid badware for about a year now: SiteAdvisor and StopBadware.org. SiteAdvisor was a small startup that used automated tools to find spyware, adware, and trojans on the web and report their findings to anyone for free. They were later sold to McAfee, who has integrated it into their security products. StopBadware was formed from a coalition of companies including Google, Harvard Law School, and Sun Microsystems for the similar purpose of both identifying harmful websites and educating web users about these sites.

Their motivation is commendable, but are they really achieving what they claim to?

The answer may surprise you. In short, we've found SiteAdvisor's data to be perhaps incomplete at times, but certainly top-notch. It's so reliable that we've been able to use it to source some of the newest spyware for use in our product tests.

In contrast, we can say with certainty that StopBadware's list of rogue websites needs some serious quality control. We've identified a number of sites that StopBadware claims may "harm your computer", but do not...

Including Us

We were shocked to pull this screenshot just a few minutes ago which shows Google has blacklisted us:


Screenshot showing how Google has blacklisted us based on StopBadware.org's recommendation


So, we've been blacklisted. Using a few common internet tools, we've been able to discern that Google also dropped all of our search engine rankings around the same time that StopBadware mistakenly identified us as being a "badware" site.

We admit it, we're not happy about it. But is it unfair of us to compare StopBadware to McCarthyism? You decide when you see their report on us below:


StopBadware's report on us. Notice no details about their testing results.


Notice that Google/StopBadware claims that we are hosting or distributing badware. The URL itself points to a directory listing (which we should and will close off when the dust settles), but inspection of this directory shows only two binary files: lspfix.exe and an old version of cwshredder... both tools designed to fix spyware problems.
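A directory listing like the one the report points at is a web server setting rather than anything wrong with the files inside. As an added example (not this site's own configuration; the path is a placeholder), this is how automatic indexes are switched off on Apache, which is what "closing off" that directory amounts to:

```apache
# Added example, not the site's own configuration. The path is a placeholder.
# With Indexes off, a request for a directory that has no index file
# returns 403 Forbidden instead of enumerating everything in it.
<Directory "/var/www/html/downloads">
    Options -Indexes
</Directory>

# The same setting in a per-directory .htaccess file, where AllowOverride
# permits Options:
# Options -Indexes
```

Turning listings off does not take the two utilities out of the directory; anyone who already has the exact file URL can still fetch them. It only stops the server from advertising the directory's contents to scanners and to people following a link like the one in the report.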

So the analogy stands - Joe McCarthy (Google/StopBadware) accuses someone (us) of being communists (distributing spyware) without any evidence to support their claim.

In contrast, SiteAdvisor, a reputable anti-spyware scan technology, shows exactly what they found and what their basis is for any claims they make about a site. You can check out their analysis of us here: http://www.siteadvisor.com/sites/adwarereport.com.

Let's put forth a few facts in our defense:

  • We were one of the first sites to report SpyAxe and its clones, the scamware programs that bilked $40 each from thousands (maybe tens of thousands) of innocent victims. This was way back in December, 2005.
  • We are one of the leading sites which over the past several years has educated people about ineffective products such as Spyware Cleaner, Spy Hunter, and others ... some of which were later shut down by the FTC.
  • We were the FIRST site on the net to publicize a fix for the Flooder.AKE bug that caused many AVG users to reformat their computers. Our fix was widely copied and spread over the internet, without credit, on such places as Yahoo Answers and other security sites. During the first 24 hours, there were no search results on Google or Yahoo for "flooder.ake", so we spent several thousand dollars to purchase advertising on the search engines in order to help people with this. Check out the comments on that article to read the feedback from those we helped.
  • This should go without saying, but we have never distributed or promoted any type of badware, including: spyware, rogue products, popups, popunders, adware, viruses, trojans, etc. In fact, we've never distributed any software from our website at all. Our content has been limited to text and photos only. You are and always have been 100% safe here.

For you webmasters out there, here was how this false accusation by StopBadware affected us. Be warned, it could happen to you:

  • We dropped off of nearly every one of the 50 keywords for which we were ranked in the top 10 on Google.
  • DMOZ dropped our directory listing.
  • Our web traffic has declined by 70%.

How You Can Help

If this site has helped you in the past, or if it's helping you right now, you can support us by doing the following:

  • Email StopBadware at appeals@stopbadware.org and let them know about their mistake. Ask them to correct it immediately.
  • Perform a search for us on Google for appropriate terms such as "spyware reviews" or "adwarereport". Submit a poor quality report to Google. Let them know that they are basing their search results on poor data coming from StopBadware.org.
  • If you are an editor on DMOZ, please look into why we were deleted from your directory and help us correct the problem. If you aren't an editor, contact DMOZ and ask them to reinstate us.
  • Link to us from your website. Spread the word about StopBadware or simply let others know about us.

Finally, for a site that does a much better job of identifying badware sites, check out McAfee's SiteAdvisor. Their results are top-notch and they even have a browser plugin which can save your butt from time to time.

Don't be evil, Google!

More Good Articles on StopBadware / Google badness:

StopBadware.org, a coalition made up of Google, Harvard Law, and other industry giants, makes bogus claim that AdwareReport.com is really a spyware hosting site.
Posted by Rich at 1:00 PM | Comments (4)

January 31, 2007

FBI turns to broad new wiretap method

Editor's Note: This article describes the latest in a long series of assaults on civil liberties by the federal government. After reading this, you may want to install privacy software on your PC and start using a good anonymizer service.

By Declan McCullagh, CNET News.com

The FBI appears to have adopted an invasive Internet surveillance technique that collects far more data on innocent Americans than previously has been disclosed.

Instead of recording only what a particular suspect is doing, agents conducting investigations appear to be assembling the activities of thousands of Internet users at a time into massive databases, according to current and former officials. That database can subsequently be queried for names, e-mail addresses or keywords.

Such a technique is broader and potentially more intrusive than the FBI's Carnivore surveillance system, later renamed DCS1000. It raises concerns similar to those stirred by widespread Internet monitoring that the National Security Agency is said to have done, according to documents that have surfaced in one federal lawsuit, and may stretch the bounds of what's legally permissible.

Call it the vacuum-cleaner approach. It's employed when police have obtained a court order and an Internet service provider can't "isolate the particular person or IP address" because of technical constraints, says Paul Ohm, a former trial attorney at the Justice Department's Computer Crime and Intellectual Property Section. (An Internet Protocol address is a series of digits that can identify an individual computer.)

That kind of full-pipe surveillance can record all Internet traffic, including Web browsing--or, optionally, only certain subsets such as all e-mail messages flowing through the network. Interception typically takes place inside an Internet provider's network at the junction point of a router or network switch.

The technique came to light at the Search & Seizure in the Digital Age symposium held at Stanford University's law school on Friday. Ohm, who is now a law professor at the University of Colorado at Boulder, and Richard Downing, a CCIPS assistant deputy chief, discussed it during the symposium.

In a telephone conversation afterward, Ohm said that full-pipe recording has become federal agents' default method for Internet surveillance. "You collect wherever you can on the (network) segment," he said. "If it happens to be the segment that has a lot of IP addresses, you don't throw away the other IP addresses. You do that after the fact."

"You intercept first and you use whatever filtering, data mining to get at the information about the person you're trying to monitor," he added.

On Monday, a Justice Department representative would not immediately answer questions about this kind of surveillance technique.

"What they're doing is even worse than Carnivore," said Kevin Bankston, a staff attorney at the Electronic Frontier Foundation who attended the Stanford event. "What they're doing is intercepting everyone and then choosing their targets."

When the FBI announced two years ago it had abandoned Carnivore, news reports said that the bureau would increasingly rely on Internet providers to conduct the surveillance and reimburse them for costs. While Carnivore was the subject of congressional scrutiny and outside audits, the FBI's current Internet eavesdropping techniques have received little attention.

Carnivore apparently did not perform full-pipe recording. A technical report (PDF: "Independent Technical Review of the Carnivore System") from December 2000 prepared for the Justice Department said that Carnivore "accumulates no data other than that which passes its filters" and that it saves packets "for later analysis only after they are positively linked by the filter settings to a target."

One reason why the full-pipe technique raises novel legal questions is that under federal law, the FBI must perform what's called "minimization."

Federal law says that agents must "minimize the interception of communications not otherwise subject to interception" and keep the supervising judge informed of what's happening. Minimization is designed to provide at least a modicum of privacy by limiting police eavesdropping on innocuous conversations.

Prosecutors routinely hold presurveillance "minimization meetings" with investigators to discuss ground rules. Common investigatory rules permit agents to listen in on a phone call for two minutes at a time, with at least one minute elapsing between the spot-monitoring sessions.

That section of federal law mentions only real-time interception--and does not explicitly authorize the creation of a database with information on thousands of innocent targets.

But a nearby sentence adds: "In the event the intercepted communication is in a code or foreign language, and an expert in that foreign language or code is not reasonably available during the interception period, minimization may be accomplished as soon as practicable after such interception."

Downing, the assistant deputy chief at the Justice Department's computer crime section, pointed to that language on Friday. Because digital communications amount to a foreign language or code, he said, federal agents are legally permitted to record everything and sort through it later. (Downing stressed that he was not speaking on behalf of the Justice Department.)

"Take a look at the legislative history from the mid '90s," Downing said. "It's pretty clear from that that Congress very much intended it to apply to electronic types of wiretapping."

EFF's Bankston disagrees. He said that the FBI is "collecting and apparently storing indefinitely the communications of thousands--if not hundreds of thousands--of innocent Americans in violation of the Wiretap Act and the 4th Amendment to the Constitution."

Marc Rotenberg, director of the Electronic Privacy Information Center in Washington, D.C., said a reasonable approach would be to require that federal agents only receive information that's explicitly permitted by the court order. "The obligation should be on both the (Internet provider) and the government to make sure that only the information responsive to the warrant is disclosed to the government," he said.

Courts have been wrestling with minimization requirements for over a generation. In a 1978 Supreme Court decision, Scott v. United States, the justices upheld police wiretaps of people suspected of selling illegal drugs.

But in his majority opinion, Justice William Rehnquist said that broad monitoring to nab one suspect might go too far. "If the agents are permitted to tap a public telephone because one individual is thought to be placing bets over the phone, substantial doubts as to minimization may arise if the agents listen to every call which goes out over that phone regardless of who places the call," he wrote.

Another unanswered question is whether a database of recorded Internet communications can legally be mined for information about unrelated criminal offenses such as drug use, copyright infringement or tax crimes. One 1978 case, U.S. v. Pine, said that investigators could continue to listen in on a telephone line when other illegal activities--not specified in the original wiretap order--were being discussed. Those discussions could then be used against a defendant in a criminal prosecution.

Ohm, the former Justice Department attorney who presented a paper on the Fourth Amendment, said he has doubts about the constitutionality of full-pipe recording. "The question that's interesting, although I don't know whether it's so clear, is whether this is illegal, whether it's constitutional," he said. "Is Congress even aware they're doing this? I don't know the answers."

With the Carnivore project shut down, the FBI has turned to a new mass surveillance technique that can monitor the activities of thousands of internet users at a time. With this data in hand, they can now pick and choose targets without having prior probable cause.

Posted by Rich at 9:53 AM | Comments (0)

January 30, 2007

SpeedUpMyPC Review Online

SpeedUpMyPC is a well-known product that is designed to improve the performance of your PC. We're heavy laptop users and are constantly installing and uninstalling software, so we were interested to see if this program lives up to its marketing claims...

Read our review here.


Posted by Rich at 2:54 PM | Comments (0)

January 28, 2007

Windows Defender Fails to Protect Microsoft Vista from Spyware

Users who put their faith in Vista’s new security features and Microsoft’s Windows Defender antispyware product may find themselves under attack from spyware all the same, according to the results of a study by Webroot, a leading antispyware vendor and Microsoft competitor.

On Thursday, the company released the results of what it claimed was a two-week study of Windows Defender that showed the product missed 84 percent of a sample set of 25 spyware and malicious code samples. The programs that slipped by were a mix of spyware, Trojan horse programs and keyloggers. While many were not Vista compatible and simply crashed, others were able to install on Vista systems, said Gerhard Eschelbeck, chief technology officer at Webroot.

Technical staff in Microsoft’s security business unit weren’t able to respond to requests for comment on Webroot’s claims.

Eschelbeck identified variants of common malware programs like DollarRevenue Trojan, PeperTrojan and Playboydialler that made it by Windows Defender. Some of the variants were recently released, though others dated back to 2006, he said. Of the four programs Windows Defender did stop, most were non-malicious adware, he added.

"We wanted to validate the strong claims out of the industry that Vista was going to be a security solution for everybody and everything," Eschelbeck said.

Webroot picked the malicious code samples from tens of thousands of samples collected on its Phileas spyware scanning network. Webroot’s Spy Sweeper product spotted all of the samples.

When asked, Eschelbeck acknowledged that 25 samples was a tiny fraction of Webroot’s database of tens of thousands of malicious code samples. He also acknowledged that it may be possible for Microsoft or other competitors to pick samples of malicious code that would evade Webroot’s Spy Sweeper product, given advanced knowledge of how Spy Sweeper’s detection features worked.

"Nothing’s impossible," Eschelbeck said.

The purpose of the study wasn’t to make invidious comparisons between the two products, Eschelbeck said, but to raise questions about the detection capabilities and management of the Windows Defender product as Microsoft expands its profile as an enterprise and consumer security software vendor. "It’s important to leave the interpretation up to individuals," he said. "People need to make their own conclusions about it."

Eschelbeck said Microsoft updates Windows Defender’s spyware definitions weekly—far too infrequently for the fast-moving malicious code scene.

Webroot, which is venture-funded, was an early pioneer in the antispyware software space and is one of the leading sellers of antispyware software to consumers. However, the company’s prospects have been hurt by Microsoft’s entry into the desktop and enterprise security business and the company’s decision to offer Windows Defender as a free download.

The Webroot study is just the latest in a salvo of company-sponsored studies that seek to undermine the credibility of competing security products.

In September, a Microsoft-sponsored study by 3Sharp compared antiphishing toolbars by Google/Firefox, AOL, EarthLink, Geotrust, McAfee and others and found the Internet Explorer antiphishing technology the most accurate. The Mozilla Foundation fired back in November with a competing study by SmartWare that found the Firefox antiphishing technology better than that of Internet Explorer. A subsequent independent study by Carnegie Mellon concluded that few of the available antiphishing products are very reliable.

-Paul F. Roberts, InfoWorld

Vista's new security features already appear not to be living up to Microsoft's claims...

Posted by Rich at 7:40 PM | Comments (0)

January 24, 2007

2006 Malware Statistics

Panda Software released some data about malware activity in 2006. According to them, Trojans and spyware topped the threat list:

Adware/Spyware - 40%
Trojans - 17%
Dialers - 7.5%
Backdoor trojans - 5.6%
Bots - 3.8%
Worms - 3.8%

Takeaway: You should be most worried about spyware, so make sure your definitions are up-to-date. A good antivirus program should take care of the rest.

No surprise, spyware and adware topped the list of threats in 2006...

Posted by Rich at 8:53 AM | Comments (0)

January 20, 2007

SecureMac Releases Update to Anti-Spyware Product for Mac Users

Although Mac users have largely stayed under the radar of spyware companies for the past couple of years, there are some malware threats which are specifically targeted at the OS X platform. The problem is relatively small in comparison to that faced by PC users, and so there have been few commercial products designed to protect against these threats.

Yesterday, SecureMac announced the release of MacScan 2.3. Although we do not test Mac antispyware programs, SecureMac is reportedly one of the better ones out there.

Have you used this product? Please post your comments here!



Posted by Rich at 10:52 AM | Comments (0)

December 19, 2006

New Menu System Installed

We've been suffering from information overload here at AdwareReport (we're at 350 articles and counting!). Judging from our server logs, it appears that you think so, too. Many people are simply not finding the article that they've been looking for.

We've decided to try and make things a little easier to find, so yesterday we added a new navigation menu along the top of every page. Is this helpful? Not helpful? Let us know what you think.


Posted by Rich at 9:35 AM | Comments (0)

December 18, 2006

New AntiVirus Reviews Uploaded

New reviews of ZoneAlarm AntiVirus and Avira AntiVir have been uploaded. BitDefender is still on top!

Have an antivirus product you'd like to see us review? Email us your suggestion.


Posted by Rich at 5:57 PM | Comments (1)

December 12, 2006

Fresh Firewall Reviews

We've just updated our firewall reviews.

Not sure what a firewall is or why you need one? Read our introduction here, and it could save you many headaches later.

Posted by Rich at 2:29 PM | Comments (0)

McAfee AntiVirus Review Now Available

We've just completed our review of McAfee VirusScan. If you're in the market for a new antivirus product, don't forget to check out our reviews of BitDefender and AVG as well.

Have an AntiVirus product you'd like us to review? Send your suggestion to admin@adwarereport.com.

Posted by Rich at 12:40 PM | Comments (0)

December 11, 2006

Internet criminals to step up "cyberwar"

By Peter Griffiths

LONDON (Reuters) - Computer hackers will open a new front in the multi-billion pound "cyberwar" in 2007, targeting mobile phones, instant messaging and community websites such as MySpace, security experts predict.

As people grow wise to email scams, criminal gangs will exploit new ways to commit online fraud, sell fake goods or steal corporate secrets.

"The attacks are becoming more sophisticated," said Dave Rand, of Internet security firm Trend Micro. "It's all about making money. And they're making a lot of it," he told Reuters.

In 2007, hackers will be scouring social networking sites such as MySpace to gather information for more targeted attacks on people's computers.

"It is definitely an area that is ripe for more exploitation by malware (malicious software)," said Ed English, Trend Micro's Chief Technology Officer for anti-spyware.

People could find their computers infected with viruses that secretly record all their keystrokes or send out millions of spam email messages.

Identity theft fraudsters will trawl through sites which allow people to leave their pictures and personal details.

Their research will help them to target "phishing" attacks, where people are sent fraudulent emails to trick them into revealing credit card numbers.

"It is way too easy for the spyware guys to put together a puzzle of who you are," English said.

Hackers will also target people using instant messaging services or making telephone calls over the Internet in 2007, Trend Micro said.

Powerful new mobile phones and portable computers will also be a target as thieves try to bypass tight security to steal emails, documents or contacts, security firm McAfee said.

"Modern mobile phones are in essence miniature portable computers," the company said in its annual crime report. "Mobile devices present a serious challenge."

A new version of the popular Web browser Internet Explorer released in November and Microsoft's new Vista operating system will also attract hackers, Trend Micro said.

McAfee warns that spying on businesses will become more sophisticated. Criminals are hiring undergraduates to plant as sleepers in companies and huge amounts of data can be removed on small, portable memory sticks.

"Corporate espionage is big business," its report says. "Data is often priceless property. Stealing trade secrets, information or contacts is a lucrative money-spinner for cybercriminals."

Security firms say Internet crime can be hard to combat because it takes place across different continents and time zones.

Criminals are attracted by the relative ease of making money, the speed and anonymity offered by the Internet.

"It beats taking a gun and walking into a 7-Eleven store," English said.

Posted by Rich at 12:59 PM | Comments (0)

December 7, 2006

Please Help! Flooder.Ake is bankrupting us!

Yesterday, AdwareReport broke the flooder.ake issue and has provided a page with a solution. Google and Yahoo have not yet indexed that page, so all of our traffic has been coming from the PPC ads we placed for this keyword. Unfortunately, the volume of traffic we are now getting has led to a very expensive (four-digit) advertising bill.

If you find this site helpful, please help us to continue to research and publicize breaking issues like this by doing one of the following:

* Use the links we provide to purchase PC security (antispyware, antivirus, etc) software from our vendors. We receive a small commission when you do so, which helps us to pay for advertising and hosting costs.

-or-

* Post links to us on your site. This encourages the search engines to rank us higher, and will greatly help to offset our advertising costs.

-or-

* If you are so inclined, send a paypal donation in proportion to the value of this site to rich@adgooroo.com.

Thank you!

Posted by Rich at 9:14 AM | Comments (1)

December 6, 2006

AdwareReport Introduces AntiVirus Reviews!

We asked and you responded! Readers overwhelmingly requested that we add AntiVirus reviews to our site and so our reviewers are now at work testing a variety of products.

Once we have at least 5 products, we'll upload a side-by-side comparison page for easier analysis, but in the meantime you can find our first review (of BitDefender AntiVirus 10) here.

Posted by Rich at 5:51 PM | Comments (0)

Flooder.ake

Flooder.Ake is a brand new threat that began to appear on people's computers on December 6th, 2006.

The symptom of infection is an alert window reading "threat found, trojan horse, heal now". Clicking it quarantines a critical system file (the fix below refers to winlogon.exe), Windows restarts, and the alert appears again, leaving the computer stuck in an infinite loop. Several solutions have been reported to work (see below).

This problem only seems to affect users of the AVG antivirus program. Initial indications are that this is not a true virus but a bug in AVG: its scanner misidentifies a critical system file as Flooder.Ake and quarantines it, and that is what damages Windows.

If you are experiencing problems associated with flooder.ake, please post any pertinent information below. If you have a screenshot that we may share with our readers, please post a URL where we may find it. Thank you!

Urgent Note: Yesterday, AdwareReport broke the flooder.ake issue and has provided this page to help people affected by it. Google and Yahoo have not yet indexed the page, so all of our traffic has been coming from the PPC ads we placed for this keyword. Unfortunately, the volume of traffic we are now getting has led to a very expensive (four-digit) advertising bill.

If you find this page useful, you can help us continue to research and publicize solutions for emergency computer problems by:

1. Purchasing security software products via the links on our review pages.
2. Visiting advertisers who advertise on this and other pages on our site.
3. Sending a small donation via PayPal (please send to rich@adgooroo.com).
4. Linking to us from your website.

Thank you for your kind comments and for allowing us to be of service to you!

Solutions for fixing Flooder.ake

Solution #1:

1. Boot your computer into Safe Mode. Power on (or restart) the computer, press F8 repeatedly until the Windows Advanced Options Menu appears, and choose "Safe Mode".

2. Uninstall AVG through the control panel "Add or Remove Programs" applet.

3. Reboot.

Solution #2:

1. Boot your computer into Safe Mode. Power on (or restart) the computer, press F8 repeatedly until the Windows Advanced Options Menu appears, and choose "Safe Mode".

2. In the Windows Safe mode, navigate to following folder:

C:\WINDOWS\system32\drivers\

3. Rename the following AVG driver files so that the resident shield cannot load at the next boot (this is what stops winlogon.exe from being quarantined again):

AVGCLEAN.SYS -> AVGCLEAN.SY_
AVGRSXP.SYS -> AVGRSXP.SY_

4. Launch Registry Editor (regedit.exe), open the key below and delete the "__delete" value in the right pane. This value is the queued deletion that AVG repeats at every boot; removing it cancels the next one.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AvgClean

5. Restart the computer back to Windows normal mode

6. Update AVG to the latest virus database: launch AVG or open the AVG Control Center and press F9 to update.

7. Then rename the SYS files back to their original names

AVGCLEAN.SY_ -> AVGCLEAN.SYS
AVGRSXP.SY_ -> AVGRSXP.SYS

8. Restart the computer so that the AVG Resident Shield loads again.
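Steps 3, 4 and 7 of Solution #2 as a PowerShell script. This is an added example, not AdwareReport's or AVG's own tool. It assumes Windows XP/2000 with PowerShell installed and an administrator account; the driver names and registry key are exactly those listed above, while the backup file, the winlogon.exe check and the disable/enable split are my additions.

```powershell
# Added example (not AdwareReport's or AVG's own tool): Solution #2 steps 3, 4 and 7
# for Windows XP/2000 with PowerShell installed. Driver names and the registry key are
# those listed on the page; the winlogon.exe check, the backup of the "__delete" value
# and the disable/enable split are my additions.
#   .\avgfix.ps1 disable   # in Safe Mode, as Administrator; then reboot and update AVG (step 6)
#   .\avgfix.ps1 enable    # after the update; then reboot

$driverDir = Join-Path $env:SystemRoot 'system32\drivers'
$drivers   = 'AVGCLEAN.SYS', 'AVGRSXP.SYS'
$svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\AvgClean'
$backup    = Join-Path $env:SystemRoot 'avgclean-delete-backup.txt'
$winlogon  = Join-Path $env:SystemRoot 'system32\winlogon.exe'

function Disable-AvgDrivers {
    # Step 3: rename the resident-shield drivers so they cannot load at the next boot.
    foreach ($name in $drivers) {
        $path = Join-Path $driverDir $name
        if (Test-Path $path) {
            Rename-Item -Path $path -NewName ($name -replace '\.SYS$', '.SY_')
            Write-Host "renamed $name"
        } else {
            Write-Host "not found (already renamed?): $name"
        }
    }

    # Step 4: delete the "__delete" value, keeping a copy so you can see what AVG was
    # about to remove (expect winlogon.exe). Left in place, the quarantine repeats at boot.
    $item = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties['__delete']) {
        $item.'__delete' | Out-File -FilePath $backup
        Remove-ItemProperty -Path $svcKey -Name '__delete'
        Write-Host "removed __delete value (copy saved to $backup)"
    } else {
        Write-Host "no __delete value under $svcKey"
    }

    # If winlogon.exe is already gone the machine will not log on after the reboot; put it
    # back (from AVG's quarantine or the Windows CD) before continuing.
    if (-not (Test-Path $winlogon)) { Write-Host "WARNING: $winlogon is missing" }
}

function Enable-AvgDrivers {
    # Step 7: after AVG has been updated in normal mode, restore the original driver names.
    foreach ($name in $drivers) {
        $renamed = Join-Path $driverDir ($name -replace '\.SYS$', '.SY_')
        if (Test-Path $renamed) {
            Rename-Item -Path $renamed -NewName $name
            Write-Host "restored $name"
        }
    }
}

switch ($args[0]) {
    'disable' { Disable-AvgDrivers }
    'enable'  { Enable-AvgDrivers }
    default   { Write-Host 'usage: avgfix.ps1 disable|enable' }
}
```

The backup of the "__delete" value is the part worth keeping: it tells you exactly which file AVG was about to take, which is the evidence you want if the loop turns out not to be the winlogon.exe case described here.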

Solution #3:

If neither of the above solutions works, you will have to reinstall Windows.

Posted by Rich at 3:27 PM | Comments (81)

AntivirusGolden

AntivirusGolden is a rogue anti-spyware program that can be installed manually or downloaded silently in the background by a trojan or through a security hole. The program generates repeated popup alerts warning the user of fake security risks and encourages the user to purchase the full version to "fix" the problems.

The program is distributed from the website antivirusgolden.com. This domain was registered through estdomains.com, the same registrar used to buy the domain names for a number of other rogue anti-spyware programs (including SpyAxe and SpywareStrike), so they were likely written by the same people.

You should not purchase this program. AntivirusGolden cannot be completely removed through the Add or Remove Programs control panel: doing so may remove the obvious traces of the software, but it will likely leave trojans running on the computer. The reliable way to remove it is a reputable anti-spyware product; manual removal is possible, but tends to leave those trojans running in the background.

We have tested the following programs and have confirmed that they successfully remove AntivirusGolden:

* Spyware Doctor
* Counterspy
* Webroot Spy Sweeper
* Paretologic AntiSpyware
* MaxSecure Spyware Detector


AntivirusGolden scan screen. You should not purchase this program. It will not fix your computer and will in fact infect you with other threats.
Posted by Rich at 3:03 PM | Comments (0)

December 3, 2006

ErrorSafe / Error Safe

ErrorSafe is a rogue registry repair application that repeatedly pops up alert windows warning the user that threats have been detected on their computer. The user is then prompted to purchase ErrorSafe to remove the detected threats.

You should not purchase this program. The threats that ErrorSafe reportedly detects are almost always "false positives". Purchasing and running this program is unlikely to improve the performance of your computer in any way.

We have only found a few anti-spyware programs which remove this threat:

MaxSecure Spyware Detector
PC Tools Spyware Doctor 4.0
CounterSpy

ErrorSafe can be installed directly, but is often bundled in with other freeware or adware programs.

Posted by Rich at 3:25 PM | Comments (0)

About:Blank

About:Blank is another name for the CoolWebSearch morphing spyware. As mentioned in the CoolWebSearch article, this is one of the most insidious and prevalent spyware programs currently on the net, largely because it is nearly impossible to remove. This particular spyware has been one of the most active malware threats since October, 2004.

About:Blank displays the following characteristics:

1. Replaces your home page with a new one titled "about:blank". This page contains a pseudo-search engine with various subjects like "art", "cars", and "shopping".
2. Installs a Browser Helper Object into Internet Explorer. This BHO consumes system resources and slows down your internet connection.
3. Restores itself after its file directory is deleted.
4. Restores its registry settings once they have been deleted.
5. Is difficult to remove from memory.
6. Starts with the operating system. If you remove it from the auto-start settings, it will restore itself there.
7. Later versions change their executable to avoid detection by the simple hash recognition algorithms that most anti-spyware products use.
8. May also store executable code in your temporary internet explorer files.

Effective Removal Tools

CWShredder will remove older variants, but because it is no longer being updated, it generally doesn't work anymore.

PCTools Spyware Doctor, Webroot Spy Sweeper, and MaxSecure Spyware Detector detect About:Blank and we have seen these products remove different variants of this threat.

Finally, here is another page with extended About:Blank / CWS removal procedures. Use at your own risk!

Manual Removal Instructions

Manual removal of this threat is very difficult and usually will not succeed. You also run the risk of permanently disrupting your internet connection, although in most cases the worst that happens is that the program immediately returns. Only attempt these steps if you are a computer expert. Use at your own risk!

To remove this program, follow these steps:

1. Click the "Start" menu, then "Run...".
2. Type "regedit.exe" and press Enter to open the Registry Editor.
3. Navigate to the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

4. If this key contains a value called AppInit_DLLs, you may be in luck. Its data names a hidden .dll that Windows loads into every program that uses user32.dll, which is how About:Blank gets itself running again. Record the file name (if no directory is given, the file is in C:\WINDOWS\system32).

5. You must now rename this .dll. The easiest way is to reboot into Safe Mode, but depending on the variant you are infected with this may not work; if it doesn't, proceed to step 6.

A. Reboot the computer and press F8 repeatedly as it starts.
B. Select "Safe Mode with Command Prompt".
C. Navigate to the folder containing the file.
D. Rename it by typing "Rename [badfilename].dll AboutBlank.dll".
E. Reboot.

6. If step 5 didn't work, you will need to boot into the Windows Recovery Console to rename the file.

A. Restart the computer into the Recovery Console using the Windows XP or Windows 2000 CD.
B. Type cd \windows\system32 and press Enter.
C. Type the following line to clear the read-only, hidden and system attributes (the file is usually marked hidden and system as well as read-only):
ATTRIB -R -H -S [badfilename].dll
D. Rename the file by typing "Rename [badfilename].dll AboutBlank.dll" (replacing [badfilename] with the actual file name).
E. Type "Exit" to reboot.
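The AppInit_DLLs check of steps 4 to 6 as a PowerShell script. This is an added example, not from the page's author or from any removal tool. It goes a little beyond the manual steps: it reports every DLL in the value, not only the About:Blank one, because anything listed in AppInit_DLLs is loaded into every process that uses user32.dll. The registry key, the system32 location and the AboutBlank rename convention come from the procedure above; the -Rename switch, the "AboutBlank-" prefix (so several DLLs do not collide on one name) and the output format are assumptions of mine.

```powershell
# Added example (not from AdwareReport or any removal tool): report, and optionally
# neutralise, every DLL listed in AppInit_DLLs (step 4 above). Anything in that value is
# loaded into every process that uses user32.dll, which is the hook About:Blank uses.
# Registry key, system32 location and the "AboutBlank" rename convention are from the
# procedure on this page; the -Rename switch, the prefix and the output format are mine.
#   .\appinit-check.ps1            # report only
#   .\appinit-check.ps1 -Rename    # rename the files (run from Safe Mode with Command Prompt)

param([switch]$Rename)

$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$sys32  = Join-Path $env:SystemRoot 'system32'

function Get-AppInitDlls {
    # Returns full paths of the DLLs named in AppInit_DLLs (empty if the value is absent or blank).
    $props = Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.PSObject.Properties['AppInit_DLLs']) { return @() }
    $raw = [string]$props.AppInit_DLLs
    # The value is a space- or comma-separated list; bare file names are looked up in system32.
    $names = $raw.Split(' ,'.ToCharArray(), [StringSplitOptions]::RemoveEmptyEntries)
    $paths = @()
    foreach ($n in $names) {
        if ([IO.Path]::IsPathRooted($n)) { $paths += $n } else { $paths += (Join-Path $sys32 $n) }
    }
    return $paths
}

$dlls = @(Get-AppInitDlls)
if ($dlls.Count -eq 0) {
    Write-Host 'AppInit_DLLs is empty or absent: this variant is not using the AppInit hook.'
    exit 0
}

foreach ($dll in $dlls) {
    $exists = Test-Path -LiteralPath $dll
    # -Force is needed: hidden/system files are invisible to Get-Item without it.
    $attrs = if ($exists) { (Get-Item -LiteralPath $dll -Force).Attributes } else { 'MISSING' }
    Write-Host ('AppInit_DLLs -> {0}  [{1}]' -f $dll, $attrs)

    if ($Rename -and $exists) {
        # Same effect as ATTRIB -R -H -S followed by RENAME in step 6.
        $file = Get-Item -LiteralPath $dll -Force
        $file.Attributes = [IO.FileAttributes]::Normal
        $newName = 'AboutBlank-' + $file.Name
        Rename-Item -LiteralPath $dll -NewName $newName
        Write-Host ('  renamed to {0}' -f $newName)
    }
}
```

Run the report first from a normal session: a non-empty AppInit_DLLs pointing at a hidden file in system32 is the tell-tale for this variant. The rename is deliberately left to Safe Mode with Command Prompt, as the manual procedure says, and the registry value itself is left alone because, as the text notes, this spyware restores its own settings; a renamed file at least cannot be loaded.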

Also Known As: About:Blank, CoolWebSearch, HomeOldSP.

Posted by Rich at 10:45 AM | TrackBack

Spyware.CyberLog-X

Steve S. writes in that he was infected with a new scamware program during a recent trip to China. The program inserts a new icon in the taskbar (yellow warning triangle with black exclamation mark). A system alert balloon will appear with one of the following four messages (notice misspelling of word "baloon" in each message):

"Security Alert: Networm-i.Virus@fp
Type: Virus/Network worm
Damage Level: High
Description: Virus that infects executable files.
Recommendation: Delete/quarantine immediately.
Protection: Click this baloon to download certified Antivirus software."

-or-

"Critical System Warning!" in a Win-XP type window which states:
"Your system is probably infected with latest version of Spyware.CyberLog-X.
Type: Spyware
Infection Length: 266,129 bytes
Risk: High
Systems affected: Win 95,98,200,NT, 2003 Server, XP
Behaviour: Spyware.CyberLog-X is a spyware program that monitors user activity, logs keystrokes and tracks websites visited.
Symptoms: Low Internet connection speed, Low system performance, Security center alerts, Strange pop-up windows

-or-

"Critical System Error!
System detected virus activities. They may cause critical
system failure. Please, use antimalware software to clean and
protect your system from parasite programs.
Click this baloon to get all available software."

-or-

"System Alert: Trojan-Spy.Win32@mx
Type: Spyware/Trojan
Vulnerable: Windows 95/98/ME/NT/2003/Windows XP
Description: Spyware program that sends condidential information to a remote attacker
Protection: Click this baloon to download official security software."

[Image: spyware.cyberLog-X.gif]

The program then suggests that the user purchase one of the following anti-spyware programs:

1. WinAntiSpyware
2. AntiVirusGolden
3. SpyHeal
4. VirusBlast

Do NOT purchase any of these programs as they are bogus. It is recommended that you download a reputable spyware detector to eliminate this threat.

Also known as: Spyware.CyberLog-X, Trojan-Spy.win32@mx, VirusBurst
Source Country: China

Posted by Rich at 3:04 AM | TrackBack

November 13, 2006

Online Holiday Shopping Tips

It's that time of year again! This holiday season, shoppers are expected to spend well over $10 billion online. With that much money exchanging hands, online predators will be certain to turn a tidy profit.

Don't be a victim - remember to take the following steps to protect yourself:

* Check that any page you enter credit card information into is served over SSL: look for the padlock icon in your browser's status bar or address bar, and make sure the web page address starts with "https:", not "http:". The padlock only means the connection is encrypted; it says nothing about who is on the other end, so also check that the domain in the address bar is the merchant's own.

* Make sure to run one or two reputable anti-spyware tools. You may be entering your credit card into a secure session, but that won't help if you have a hidden keylogger recording everything you type.

* Watch out for "phishing" attacks. These are predatory emails that attempt to get you to enter your username and password into a fake login page. When you do so, nothing happens on your screen but the bad guys now have your account information.

* Finally, if you are running your computer from a home network, you should be sure to run a good firewall product (click here for our top recommendation). This will protect you against recurring malware infections caused by random internet attacks.

Online shopping is surprisingly safe, assuming you take these simple precautions. Have an enjoyable online shopping experience!

Posted by Rich at 9:14 AM | Comments (0)

October 17, 2006

Exclusive: AdwareReport Uncovers Exact Advertising Distribution Partners

Spyware researchers at AdwareReport today uncovered a cache of installer programs designed to place spyware and adware on consumers' computers. These programs are ostensibly meant to be distributed by partners of eXact Advertising, which include such well-known companies as TuCows, Shareware.com, and PartyPoker.com. The cache also includes explicit pornography clips that install the eXact Advertising family of spyware and adware.

We advise readers to be very wary of these sites.

A partial list of distribution partners follows:

* www.5star-shareware.com/
* Alpha Media
* Click Diario (Spanish advertising company)
* Download.com
* DownloadShareware.com
* Gorilla Media
* InstantNavigation.com
* PartyPoker
* Shareware.com
* SoftPile.com
* TuCows

Posted by Rich at 11:05 AM | Comments (0)

October 10, 2006

Reader Feedback Needed

We are about to expand our coverage into other PC security related software categories, so we'd like to ask our readers what types of software (or software products) that you are interested in seeing added to our site. Choose one or more of the following and email your suggestions to us at admin@adwarereport.com.

* Registry Cleaners
* AntiVirus
* PC Optimizers
* Internet accelerators
* Memory optimizers
* Other...?

Posted by Rich at 12:57 PM | Comments (0)

October 8, 2006

New Comments System Installed

Reader comments are a valuable and helpful way to share information about the various antispyware products and threats out there. Unfortunately, for the past year we have had to close our comment system because of the high volume of spam we receive. The spam not only bloated pages with off-topic material, it also typically contained a large amount of questionable content that we did not feel our readers would appreciate.

Fortunately we've gotten our hands on a new comment system that includes anti-spam features, so we will be selectively opening up the comment functionality on a trial basis. If you have something to share with the rest of our audience, please share!

Posted by Rich at 2:58 PM | Comments (0)

September 28, 2006

Spyware Researchers Wanted

We currently are seeking part-time spyware researchers to work from home on a contract basis. You will be asked to locate and identify emerging spyware threats, but will not need to perform any reverse-engineering. You should have a good understanding of the Windows operating system and spyware terminology, as well as proficiency in Excel and Virtual PC.

If you feel you meet these requirements, please email us at admin@adwarereport for detailed information.

Posted by Rich at 11:31 AM

September 25, 2006

Windows Defender Latest Review Posted

While there's been some improvement in this product, it remains largely a piece of junk. Read the full Windows Defender review here.

Posted by Rich at 5:12 PM

September 19, 2006

Breaking News: IE, Downloads Scores Of Spyware, Adware

The exploit has so far shown up on hard-core porn sites, which are serving up a buffet of badware to visitors. It's thought to be related to WebAttacker, a multi-exploit attack "kit" created by a Russian group that sells for as little as $15 to $20.

By Gregg Keizer
TechWeb

Sep 19, 2006 02:42 PM
An unpatched vulnerability in all editions of Microsoft's Internet Explorer browser is being exploited, security researchers said Tuesday, with the attack dumping a broad range of adware, spyware, and Trojans onto PCs whose users simply surf to an infected or malicious site.

First reported by Sunbelt Software -- although rival Internet Security Systems claimed it was the first to discover the bug -- the vulnerability is in how IE renders VML (Vector Mark-up Language), an extension of XML that defines on-the-Web images in vector graphics format. The previously unknown -- and thus unpatched -- bug inside IE is already being used by attackers.

So far, said Eric Sites, vice president of research and development at Sunbelt, the exploit has shown up on hardcore porn sites, which are serving a buffet of badware to users who visit those sites.

"First they were pushing Virtumondo adware," said Sites, "but by late afternoon yesterday, these sites were distributing more than 40 different types of malware, including keyloggers, adware, and backdoors."

The new exploit seems to have a connection to WebAttacker, a multi-exploit attack "kit" created by a Russian group that sells for as little as $15 to $20. "We think that this new exploit is inside a new [version of the] kit," said Sites. "If that's true, then it will end up all over the place."

Sites said he expects that the exploit will migrate to one of the so-called "iframe cash" sites -- the term comes from the iframecash.biz site -- which use affiliates to push unpatched exploits to a large number of other Web sites, some of which are legitimate addresses whose servers have been previously compromised.

"This could end up being in lots and lots of places," said Sites.

Other researchers spotted the exploit on popular shared hosting distribution sites. The current in-the-wild exploit generates a stack overflow as soon as the user views an HTML page; once that happens, the attacker can push whatever code he wants onto the PC. "We're seeing this on dozens of different sites," said Gunter Ollmann, the director of Internet Security Systems' X-force research lab.

Both Sunbelt and ISS have confirmed that the exploit works against a fully-patched version of IE 6 running on Windows XP SP2. Ollmann also said that earlier editions, including 5.01, can be successfully breached, and that IE 7, Microsoft's under-construction next-generation browser, is "likely" at risk.

Late Tuesday morning, Microsoft acknowledged the bug, and said it was working on a fix. "The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the October security updates on October 10, 2006, or sooner as warranted," a spokesman said.

Shortly after that, Microsoft posted a security advisory that offered several workarounds in lieu of a patch, including setting the kill bit for the vulnerable .dll and disabling scripting behaviors in the browser.

Virtually every security organization raised the alarm, including US-CERT, the federal cyber-alert agency, which issued a warning just before noon EDT.

And that's a good idea, said Ollmann of ISS. "This vulnerability lies within code that's shared by a large number of Microsoft products, so it has a much wider footprint of attack than other recent zero-day vulnerabilities.

"This is the kind of exploit that we see in IE only once every two or three months."

In fact, the last time that an unpatched bug in IE was widely used to distribute a broad range of malware was in March, when the CreateTextRange bug was used by scores of malicious sites to seed PCs with spyware and adware.

The attacks could also get worse. "With the nature of VML, attackers could embed this exploit inside e-mail," Ollmann said. A user who only viewed an HTML-based message would succumb to the attack, he added.

Microsoft's only advice to users was to keep their anti-virus software up to date, and not to surf to "untrusted" sites or open suspicious e-mail messages. Sunbelt, ISS, and other security vendors suggested that users could protect themselves against the current exploit by disabling JavaScript.

But even that might not work for long. "JavaScript isn't required for this exploit to work," said Ollmann. "It would be a trivial change to make it work without Java."

The VML vulnerability is the second unpatched flaw in IE that has been disclosed in the last five days. On Friday, researchers warned of a bug in IE's handling of an ActiveX control included with Windows.
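The two workarounds the article mentions, as a PowerShell script for Windows XP. This is an added example, not Microsoft's advisory text or any Microsoft tooling. Assumed facts, repeated in the comments: the VML renderer is vgx.dll under Common Files\Microsoft Shared\VGX, which Microsoft's advisory for this bug names; a kill bit is the standard "Compatibility Flags" = 0x400 entry under Internet Explorer's ActiveX Compatibility key. The control's CLSID is not hard-coded here: pass the one from the advisory as a parameter. Unregistering vgx.dll stops IE rendering all VML, so run the undo mode once the patch is installed.

```powershell
# Added example (not Microsoft's advisory or tooling): the two workarounds the article
# names, for Windows XP. Assumed facts (see lead-in): vgx.dll is IE's VML renderer; the
# kill bit is "Compatibility Flags" = 0x400 under the ActiveX Compatibility key.
# Run from an administrator account.
#   .\vml-workaround.ps1 apply  [-KillBitClsid '{...}']   # while unpatched
#   .\vml-workaround.ps1 undo   [-KillBitClsid '{...}']   # after the patch

param(
    [string]$Mode = 'apply',
    [string]$KillBitClsid = ''   # CLSID of the VML control, from the advisory; not hard-coded here
)

$vgx       = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
$compatKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Set-VgxRegistration([bool]$Registered) {
    # Unregistering vgx.dll means IE never loads it, so no VML page can reach the bug.
    # Side effect: IE renders no VML at all until it is registered again.
    if (-not (Test-Path $vgx)) { Write-Host "vgx.dll not found at $vgx"; return }
    $flags = if ($Registered) { '/s' } else { '/s /u' }
    # regsvr32 is a GUI-subsystem program, so wait for it explicitly and read its exit code
    # (0 = success).
    $p = [Diagnostics.Process]::Start('regsvr32.exe', "$flags `"$vgx`"")
    $p.WaitForExit()
    Write-Host ('regsvr32 {0} {1}: exit code {2}' -f $flags, $vgx, $p.ExitCode)
}

function Set-KillBit([string]$Clsid, [bool]$Enabled) {
    # A kill bit is per-CLSID: with bit 0x400 set in Compatibility Flags, IE refuses to
    # instantiate that control from any HTML. Without a CLSID there is nothing to do.
    if ($Clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
        Write-Host 'kill bit skipped: pass -KillBitClsid "{...}" taken from the advisory'
        return
    }
    $key = Join-Path $compatKey $Clsid
    if ($Enabled) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
        Write-Host "kill bit set for $Clsid"
    } elseif (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        Write-Host "kill bit cleared for $Clsid"
    }
}

switch ($Mode) {
    'apply' { Set-VgxRegistration $false; Set-KillBit $KillBitClsid $true }
    'undo'  { Set-VgxRegistration $true;  Set-KillBit $KillBitClsid $false }
    default { Write-Host 'usage: vml-workaround.ps1 apply|undo [-KillBitClsid {CLSID}]' }
}
```

Of the two, unregistering the DLL is the one that actually removes the vulnerable code from the browser's reach; a kill bit only stops IE instantiating the control through its CLSID, which is why the article's researchers expected the attack to keep working through other paths. Both are stopgaps until the October update lands.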

Posted by Rich at 9:36 PM | TrackBack

September 9, 2006

Updated Reviews Now Available

The latest testing results are now available for PCTools Spyware Doctor and Webroot's Spy Sweeper. Both performed much better than they did during the last test, indicating to us that both companies are hard at work improving their products.

Posted by Rich at 2:45 PM | TrackBack

September 8, 2006

Class Action Lawsuit Against Zango Spyware Dismissed

A federal lawsuit filed against spyware company Zango was dismissed with prejudice this past Wednesday, September 6th, 2006. The suit alleged that Zango, the merger of the notorious spyware companies 180solutions and Hotbar, is spyware. The dismissal was not the result of a settlement, which indicates that the court ruled in favor of the company.

Today, Zango claims that over 200,000 people are downloading their adware software daily.

In our opinion, this was a huge step backwards in the spyware fight. While the courts may disagree, just a few minutes ago we removed Zango from a computer whose owner had no idea how the software had been installed. The program was slowing the computer down significantly and displaying annoying pop-up ads every minute or two. Furthermore, although Zango was prominently displayed in the system tray, there was no menu item to disable or turn it off, nor was there an uninstall program provided with it. If it smells like spyware, it probably is spyware...

Posted by Rich at 6:51 PM | TrackBack

September 6, 2006

FTC Shuts Down Spyware Company

An operation that placed spyware on consumers’ computers in violation of federal laws will give up more than $2 million to settle Federal Trade Commission charges.

Under a stipulated final judgment and order, the defendants are permanently prohibited from interfering with a consumer’s computer use, including but not limited to distributing software code that tracks consumers’ Internet activity or collects other personal information, changes their preferred homepage or other browser settings, inserts new advertising toolbars or other frames onto their browsers, installs dialer programs, inserts advertising hyperlinks into third-party Web pages, or installs other advertising software code, file, or content on consumers’ computers.

The defendants also are permanently prohibited from making misleading representations regarding the performance, benefits, features, cost, or nature or effect of any type of software code, file, or content, including misrepresenting that the code is an Internet browser upgrade or other computer security software, music, song, lyric, or cell phone ring tone.

The order names Enternet Media Inc., Conspy & Co. Inc., Lida Rohbani, Nima Hakimi, and Baback (Babak) Hakimi, all based in California, whose software codes were “Search Miracle,” “Miracle Search,” “EM Toolbar,” “EliteBar,” and “Elite Toolbar.”

According to the FTC’s complaint, the Web sites of the defendants and their affiliates caused “installation boxes” to pop up on consumers’ computer screens. In one variation of the scheme, the boxes offered a variety of “freeware,” including music files, cell phone ring tones, photographs, wallpaper, and song lyrics. In another, the boxes warned that consumers’ Internet browsers were defective, and offered free browser upgrades or security patches. Consumers who downloaded the supposed freeware or security upgrades did not receive what they were promised; instead, their computers were infected with spyware that interferes with the functioning of the computer and is difficult for consumers to uninstall or remove.

The agency’s complaint also alleges that the defendants’ software code tracks consumers’ Internet activity, changes their home page settings, inserts new toolbars onto their browsers, inserts a large side “frame” or “window” onto browser windows that in turn displays ads, and displays pop-up ads, even when consumers’ Internet browsers are not activated.

At the FTC’s request, a federal judge froze the operation’s assets last fall and ordered it shut down. The settlement requires the defendants to give up $2.045 million of their ill-gotten gains and includes a suspended judgment of $8.5 million for alleged violations of the FTC Act. The Commission vote to approve the settlement was 5-0.

The FTC’s case was brought with the assistance of the Microsoft Corporation, Webroot Software, Inc., and Google Incorporated.

Posted by Rich at 4:05 PM | TrackBack

September 1, 2006

Consumer Reports Tests of Anti-Virus Products Raises Controversy

Consumer Reports magazine recently started a major controversy in the PC security world when they created over 5,000 new viruses to test computer security products.

Industry experts have slammed Consumer Reports for creating these new viruses and have raised objections to the testing methodology in general.

We have read the testing methodology and felt there were two things wrong with this study:

1. Creating new viruses for testing purposes seems to be a dangerous and unnecessary practice. Nobody accuses Consumer Reports of having malevolent intentions, but viruses could be released into the wild by accident, causing damage to outside computers.

2. Basing test results on fabricated viruses is misleading. The testers claim that the viruses are the "kind you'd most likely encounter in real life", but they have no way of knowing this. There is no substitute for real-world conditions.

There are two reliable ways to test the efficacy of computer security products. One is to run the products on a test bed of PCs that have been connected to the internet (unprotected) for a long period (months). This technique ensures testing against real-world conditions, but it is not necessarily very thorough.

The second technique is to manually infect computers based upon statistically accurate historical infection rates. This ensures that new and major threats are represented in the test and is generally far more thorough (it may miss little known threats however).

The second approach is the method of choice at this website, a technique that we have used since the beginning of the spyware scourge in April, 2004.

Shameless self-promotion: AdwareReport was the first website to perform objective tests of anti-spyware products, and we continue to perform exhaustive tests of many computer security products each month.

Posted by Rich at 12:10 PM | TrackBack

August 24, 2006

"Spyware" added to the dictionary

The eleventh edition of the Merriam-Webster Collegiate Dictionary has officially recognized over 100 new terms, most notably the term "spyware". Other terms to be added include "Google", "bling", and "supersize".

Posted by Rich at 12:40 PM | TrackBack

August 21, 2006

Spyware Infection Rates at highest levels since 2004

MySpace, new spyware technologies, and reliance on free anti-spyware tools cited as primary causes

Leading anti-spyware software creator, Webroot, reports that spyware infection levels are again at the highest levels since 2004, when the internet security scourge was at its peak.

According to our tests and user feedback, 2005 was a much better year for internet surfers. The number of new spyware infections was declining and innovation in spyware was relatively stagnant. January of 2006 marked a turnaround in this trend with the introduction of new dangerous threats such as SpyAxe, SpywareStrike, and Spy Sheriff. These spyware programs were difficult to remove and encouraged users to purchase bogus remedies, resulting in perhaps millions of dollars in fraudulent sales.

Webroot claims that PC infections are now at 89% (they were at 90% in 2004). The new infections can be attributed to dangerous we