Media Discovers Spyware

Discussion in 'other anti-trojan software' started by Nancy_McAleavey, May 14, 2005.

Thread Status:
Not open for further replies.
  1. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
  2. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    Fellow Creatures,
    Got it in my personal email box yesterday. Good read for everyone who does not subscribe to your letter. Real neat, the part about avoiding lawsuits by saying subscribers are part of a club.

    All who ask for a trial or free BoClean should read this part. BoClean is not offered to the general public at large; you must become a member of the club. In other words, you make a decision to avoid certain nasties by joining the club and paying your dues. And remember, if you do not like it I hear there is a great refund policy. I would not know about that because I liked the product and never had to test the refund system. If I have misrepresented something, Nancy, sorry, please correct me. I read a bunch of stuff and sometimes I can get it wrong.

    Thanks Nancy and all at PSC.

    BoClean=TrojanDefense. ;) (sorry it's been a while so I had to do it). :)
     
  3. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    I've just had a brief look at it and can only comment on some parts but that already seems to be enough... Simply ridiculous... Looks like you need some (bad) marketing to raise your sales.

    You call the antivirus makers "amateurs and newcomers"? No more comment needed.

    Then you have a very bad file scanner. The ewido security suite, for example, emulates the crypters with its generic unpacking, which is far more secure than what BOClean does (letting the program run for self-decryption). It makes no difference for scanning whether you emulate or execute it. If there is something that cannot be emulated, we have a "fallback solution", our guard with its memory scan (which is what BOClean does, but even deeper!).

    Every product with a guard does the same. You are comparing on demand solutions vs. products with a guard, very unprofessional.
    Guards that first do a file scan and then do the same as BOClean does are in fact even more powerful and secure than BOClean.

    5 out of 100? Can't stop laughing right now... And Kaspersky only 42 of 100? Even worse than what other vendors claim to be the "truth"...
    Also the ewido security suite has almost the same self protection system at kernel layer as for example KAV and Process Guard - which is proven to be the best protection.

    We don't know of ANY malware that has successfully disabled the guard of the ewido security suite, it's almost impossible.

    We never ever received these samples, simply a lie. If we get a sample, detection will be added within very few hours, we are releasing at least one update every day (also on weekends!), most of the time even 3-8!
    You also do not write which version (free/plus?) you used for testing. Were the samples packed? Have they been executed? If not, why not?
    Why didn't you contact us and the other vendors before releasing this "test" to discuss sources of error etc.? Every respectable tester and even most of the competition does!

    So you are using different dates? Normally the real dates should be written down when the product was actually tested or am I missing something?

    To summarize, this so-called "test" shows who really belongs to the "amateurs".
     
    Last edited: May 14, 2005
  4. Are you steaming ... just a weeeeeeeeeee bit now Fish?

    Geeeez, I never knew I had such bad protection...... Ratz darn shucks.

    I have to admit... the test seems pretty loaded... and with just the "tiniest" amount of bias.

    It's one thing to have a test on their own site... but to post a link in a public forum... is, in at least my eyes, bad bad taste.

    It may be an excellent product...but the bashing turned me off, and I guess
    I will just have to stick with my far "inferior" lines of defense.
     
  5. quexx88

    quexx88 Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    235
    Location:
    Radnor, Pennsylvania
    I find it unfortunate that PSC posts inflammatory messages such as these, and this is coming from a BOclean user.
     
  6. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    To all:

    A couple of points so this thread doesn't veer completely off the road:
    • As has been discussed endlessly on the Other AV forum - tests involving small sample sets tell you very little. You can either accept or reject my own estimates of the test statistics, but no matter how you stack it, a test bed of 100 samples will tell you next to nothing of relative performance. Even if you take pains to be objective, the test has too much noise to be useful for even qualitative rankings.
    • As in the case of test results which are occasionally posted in the Other AV forum, there's too little detail included to assess what the results mean - even if you ignore the simple sampling issues.
    • Let's keep the language under control. No personal bashing. No product bashing.
    • I own both BOClean and Ewido. From personal experience, the results of this small test do not reflect in-field performance for a potential user. Just so my own preferences are clear, I use BOClean as my realtime AT coverage. It is quite good, as is Ewido.
    Thanks,

    Blue
     
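A worked illustration of the sampling point made above, added here as an example and not part of the thread: it computes 95% Wilson intervals for the scores quoted in this thread (5, 42 and 100 out of 100) and the exact probability that a weaker product scores at least as high as a stronger one on a 100-sample bed. The 80% and 75% "true" detection rates used in the second calculation are assumed figures for illustration, not anything reported on the page.

```python
"""Sampling noise in a 100-sample detection test (added example, not from the thread)."""
from math import comb, sqrt
from typing import Dict, Tuple


def wilson_interval(hits: int, n: int, z: float = 1.96) -> Tuple[float, float]:
    """Wilson score interval (95% for z=1.96) for a detection rate of hits out of n."""
    if n <= 0 or not 0 <= hits <= n:
        raise ValueError("need n > 0 and 0 <= hits <= n")
    p = hits / n
    denom = 1 + z * z / n
    centre = p + z * z / (2 * n)
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return ((centre - half) / denom, (centre + half) / denom)


def prob_misrank(p_strong: float, p_weak: float, n: int) -> float:
    """Probability that, on n independent samples, the weaker product scores at
    least as high as the stronger one, i.e. the test ranks them wrongly or ties.
    Each product's hit count is modelled as Binomial(n, p); computed exactly."""
    def pmf(p: float, k: int) -> float:
        return comb(n, k) * p ** k * (1 - p) ** (n - k)

    weak_tail = [0.0] * (n + 2)  # weak_tail[k] = P(weak score >= k)
    for k in range(n, -1, -1):
        weak_tail[k] = weak_tail[k + 1] + pmf(p_weak, k)
    return sum(pmf(p_strong, k) * weak_tail[k] for k in range(n + 1))


def summarise(scores: Dict[str, int], n: int = 100) -> Dict[str, Tuple[float, float]]:
    """Interval for each reported score; products whose intervals overlap cannot be ranked."""
    return {name: wilson_interval(hits, n) for name, hits in scores.items()}


if __name__ == "__main__":
    # Scores quoted in the thread, all out of 100; product labels are placeholders.
    for name, (lo, hi) in summarise({"product A": 5, "product B": 42, "product C": 100}).items():
        print(f"{name}: 95% interval {lo:.1%} to {hi:.1%}")
    # Assumed true rates of 80% vs 75%: how often does a 100-sample test get the order wrong?
    print(f"P(75% product ties or beats 80% product): {prob_misrank(0.80, 0.75, 100):.2f}")
```

With only 100 samples the 42/100 score carries an interval roughly 19 points wide, and two products five points apart in true detection rate come out misordered or tied about one test in five.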
  7. Grumble

    Grumble Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    185
    Location:
    the sunshine state
    With caveats such as "HEAVILY BIASED TESTING" "This really isn't fair.." "..and obviously the results are not reliable.." one questions why it is published at all.

    Caveat venditor.
     
  8. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    Sad to see you didn't take the time to thoroughly read it, but felt that you could comment on half the story.

    You quoted the text above. You are confusing a reference to a lab tool with the commercial product.

    It's done time and again. Just now you stated we "have a very bad file scanner". The commercial product has no file scanner.

    To the best of my knowledge, you did. I have emails which include your submission address in the To: stack. The malware attached to those emails is the source of the test samples.

    AFAIK, they were executed, as a real-world nasty would be upon reaching a victim's system.

    As to contact WRT testing, I haven't been contacted about any testing and results in over 2 years (with one exception, remarked upon below), not by any independent lab, vendor or hustler. If it's being done, it's news to me, and we've been at this much longer than most.

    Above all, we were very straightforward about the how, when, what and whys of this little exercise. Every vendor test is a stacked deck, complete with contrived parameters and chosen specifications to best suit the testing vendor.

    After years of vendor drivebys described above, universities testing "zoo trojans" that never saw a moment in the wild so they'd be a waste of time for a commercial product to detect, and hustlers with "pay to win" scenarios it's become time to illustrate just what these "tests" involve. We came right out and said it was "Heavily Biased Testing". Doesn't anybody get it?

    Another thought - even in this forum, there are threads where people are expressing doubt regarding vendor attention to malware submissions. This test was done by an associate in the wee hours since *he* was tired of seeing his work ignored by largely everyone. He was tired of the slow and non-responses by so many to the hundreds of samples he sends to a long list of vendors. Collecting and submitting as many as he typically does, lately several hundred daily, is a lot of work, only to see it ignored. He did it to make a point.

    Wilders is among the handful of organizations that does perform testing and analysis in a controlled, scientific and professional manner. They are not, and never have been, suspect. If there were more like them we probably wouldn't be having this conversation.
     
  9. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    the only respected test was done by Nautilus and the results can be viewed on their forum :)

    It is funny that the two memory scanners can be compared; the only difference is an extra layer named "on demand scanner" .. everybody knows that on demand is still very much needed (like TDS, it is an extraordinary scanner) and up to the job. It's just an extra layer and, afaik and from some personal experiences :D, it isn't the baddest around :cool:
     
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Reading through this article brought up a number of glaring inaccuracies in my mind:
    Care to substantiate this allegation with some figures? This seems to be the general tone of other PSC articles, that of the "It's freeloading users that are responsible for malware" and, to be blunt, this argument stinks. Malware relies on deceptive EULAs and misdescription to fool potential users into thinking they are getting a program for free - if you are offered a free solution then why try a chargeable one? This is not down to "greedy users" but "lying publishers" offering wares that are not what they seem and is the equivalent of the "free" products offered by mail that you have to spend $$$ for in delivery/packing/administration and turn out to be utter cr*p. Do we blame those that fall for such scams for their existence? No, we blame the crooks that come up with these schemes, and PSC should be taking the same view with malware/adware.
    I will not claim expertise in United States law here, but I very much doubt that visiting a website can constitute a "contract" of any description. If that site relies on advertising which I filter with an ad blocker, then that is my choice and privilege - there are other means of seeking finance that don't involve bombarding visitors with intrusive (and potentially privacy-violating) content. As for shareware/freeware, the generally accepted definition of these is that they do not include adware.
    Reverse connections (by which I presume you mean having the malware create an outbound connection) do not elude firewalls - it can work against those not offering application-filtering (which therefore have to assume that connections originating from the PC are legitimate) but almost every personal firewall will detect outgoing connection attempts. There are leaktests which attempt to fool firewalls into thinking that such connections come from trusted software, but they are not discussed in this article.
    The "criminal mind" will seek to rip off everyone it can - this sentence however seems to be further confirmation of the PSC worldview of Internet users (file sharers specifically here) being thieves and scoundrels and presumably deserving a malware-administered spanking.
    Most people here would argue that 7/10 computers being infected is due to users not using firewalls or updated anti-virus scanners. As for malware removal being "no longer a job for shareware", shareware is simply a distribution method where users can trial software first and shareware authors therefore can have as much (if not more) resources and motivation as retail. Considering that products like Kaspersky AV, TDS-3 or TrojanHunter are effectively shareware, this statement seems like self-serving arrogance, perhaps seeking to justify not offering a trial version of BOClean.
    "We think this methodology sucks, but we're going to try it anyway..." o_O

    While companies that release good software should feel entitled to blow their own trumpet, this article seemed to be as much about sour grapes, blaming users for the situation we have today. I can only presume that PSC have had some seriously bad experiences in the past with dealing with us hoi-polloi, but that does not merit articles slapping everyone with the "you deserve this" brush nor ones with inaccuracies as mentioned above. PSC would be doing itself a service by taking this page down...
     
  11. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    The article does offer some great information, and I would hate to see it disappear. However, if I had written the article, I probably would have included notes about the product in its own section, essentially a "this is how we have chosen to handle the situation", etc. I agree that the tone of the writing did seem a bit bitter in places, but the historical perspective is very much appreciated.

    I do wonder about the test at the end, however; it does seem a little out of place.. it doesn't really add to the message of the rest of the article, other than to advertise BOClean. A bit of advertising is fair enough, I suppose, but it might make more sense to include a link to the results, with perhaps a bit more information, rather than include it all in the article. I personally take pretty much all amateur tests with a small Siberian salt mine (especially ntl's, since it was mentioned), and rely more on real-world experience.
     
  12. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    The bulk of the malware is wrapped in cracks for commercial software available on peer to peer networks, cracked software, porn viewers and free games for kids on children's sites. If people weren't looking for something for free, effectively stealing, they wouldn't download the stuff and get infected, along with the advertising and worse that comes along with it. Look at the globally famous site, Download.com. This is the rationale stated by those who are distributing this stuff.

    On a daily basis, we are working to protect our customers from this.

    Legally, any site with a ToS does. "By using the site and its features, the user agrees to....." Think about a gaming site that downloads an Active X control to function.....it too *is* software.

    A process-injecting trojan that injects into IE and connects out through port 80 will.

    We think that users should protect themselves with well supported, frequently updated (due to the MO of malware distributors) software. The fact remains that the article explains that this is the mindset of the people who are perpetrating these driveby malware installs, etc.

    Nobody is blaming the users, certainly not us. The people behind this think it justifies their actions. They prey upon the gullible. We're working to educate and protect those who understand the issues and the need for protection that will handle the problem instantly should it happen to them.
     
  13. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Are you seriously implying that looking for freeware (not cracks) is akin to stealing? That's nuts. It should also be noted that Download.com has adopted a zero tolerance policy for adware/spyware.
     
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If people didn't download full stop, they wouldn't get infected arguably. However the example you include of free games suggests that the fixation on warez shown elsewhere in the article is inappropriate.
    A contract by its nature has to involve user choice with regard to its acceptance. Visiting a site does not involve such choice (being akin to looking through a shop window - the owner cannot then insist you purchase something). Registering and subsequently posting on a forum like this would be a separate matter. As for ActiveX controls, the same criteria apply - if users are not given a choice (and in the case of drive-by downloads they usually aren't) then contracts are a non-issue.
    Most current firewalls will detect this and alert the user and/or block the modified program (e.g. Outpost, Look'n'Stop, Sygate, Tiny, Jetico, etc). Some will flag attempts to even gain write access over a process, prior to any modification (e.g. Jetico, Outpost).
    No argument with this point, but the general tone of the article has been to imply that this problem arose as a result of publishers driven to desperation by the non-paying general public. With certain publishers trying to bundle adware with the most trivial of programs, this is not a sustainable viewpoint.
     
  15. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    No.

    IIRC, that only happened two weeks ago. That's good to see. It took them years to come to that decision.
     
  16. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    I don't figure how you came to that conclusion. Twisting words is making this discussion counterproductive and is serving no purpose.
     
  17. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Lol, ok, the mention of adware and download.com made the paragraph a little awkward is all :)

    Indeed, I had stopped going there because of that, but have been going back since they instated that policy. Hopefully this will encourage more download sites to do the same, which could potentially put a large dent in the adware/spyware industry. I'm glad to know that your product also detects that kind of crap as well.

    Again, despite the previously mentioned issues, thanks for the perspective offered in the article.
     
  18. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I have to admit that I was left with a bit of the same impression, although not quite as much as Paranoid2k is speaking of. Unfortunately these things can be read in more than one way at times.
     
  19. StevieO

    StevieO Guest

    I found the article very interesting, including the history of malware parts, and read all of it.

    I also sympathise with the individual who apparently has/does spend many unpaid hours submitting samples to vendors, with very little recognition it appears? Without such persons, vendors' jobs and lives would be that much more difficult. Their products would be less effective, at least in the short term, if not long term too. Also they would no doubt have to employ more personnel, which would probably push up the cost of the product.

    I wouldn't expect Any vendor to automatically recommend another's product but their own. I have seen many other articles/reviews by other vendors pushing/praising their products. Including very regular/daily statements/posts in these forums, especially by someone called happybytes. And I don't mean just replies to general questions about people having problems etc with the product in one way or another. This seems to be not just tolerated, but actually encouraged by others even apart from members and guests!

    People searching for copyrighted material of Any description, which should be paid for, to download for free are attempting to break laws. Those that actually do most definitely are!

    That doesn't mean they deserve to be infected with malware of course, but not many people would sympathise with them, I don't think.

    It's interesting to hear about download.com very recently saying they will adopt a zero tolerance policy for adware/spyware. But that doesn't seem to include Trojans, as I remember a very good thread right here on Wilders about someone who downloaded a program from there infected with one, and how he was alert enough to spot it and was able to remove it, and the lessons learnt.

    I was asking in another thread on here about the lightest AT, and mentioned BOClean as a potential possibility. I now feel more inclined to actually try it out.


    StevieO
     
  20. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    Well, I am attempting to formulate some comments, it might be best for me to say nothing at all. Certainly I should cool down first. :mad:

    But I will certainly be watching this thread. :(
     
  21. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The newsletter includes phrases like:

    ...people became unwilling to PAY for shareware and even commercial software sales fell flat...
    ...As a result, "adware" (commonly called "spyware") was installed as part of these programs. And people got PAID for their work after all...
    ...people tried to get "free software" without paying the "price."...

    which do make the point "free software user = thief". Given the increasing amount of good quality free (often open-source) software for common tasks, it makes sense for anyone to check for free alternatives first rather than just forking out for whichever commercial product with the most advertising. Of course, there are publishers who bundle ad/spyware with supposedly "free" software, but blaming users for this is rather placing the cart before the horse.
    I would agree that this has been dealt with enough and this thread should be left to cover other issues. The historical perspective is interesting and hopefully disparaging comments will be dropped from future issues.
     
  22. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Since I'm the one who wrote most of those words, perhaps I can explain what I meant (I never thought folks would be as confused by it as it appears) with respect to "free software=thief" ... those weren't MY thoughts, I was explaining the motivation of many of those who are making a VERY good living these days writing worms for spammers, spyware for scammers, and in general the majority of the nasties many of us do battle against.

    It is THESE people who have that opinion, and that is ultimately THEIR motivation for doing these things. I spend hours upon hours lurking in their groups, watching their comments to each other, and dissecting the "comments" in their code. A good number of those who are writing these nasties are former network administrators, shareware authors, and people who wrote the old "classic trojans" and they have tremendous disdain for their "victims" ... and REVENGE is often their prime motivation. People who thought they'd get rich fast writing and selling software, making a name for themselves and felt that they got burned.

    When I wrote the lines that seem to have people bristling, I was speaking in a "third party" mode, not first party. If you read it as a whole, hopefully the "stream of consciousness" that I wrote that in might become a bit more apparent. Those whose background in coding came into being during the "boom years" of the 90's often expected a free BMW and stock options. Those of us who trace our coding back to the 1970's knew it was a McJob and didn't have such high expectations. And a number of those casualties of the "internet bust" felt that the world owed them something; they didn't get their Beamer and found their way to the "dark side" where they do get paid handsomely for keeping the likes of IST, spammers with those proxies and relays, and others going today. And yes, that is how the majority of them think when they "score a home run" for their "employers," "getting even with those who 'stole' from them." But that's what was MEANT in those words. There's an awful lot of disgruntled former webmasters and programmers out there, and they're getting paid. :(
     
  23. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Thanks for taking the time to clarify this Kevin - the wording did just seem rather "first person". :)
     
  24. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    MY apologies ... shows you what can happen when you're overloaded with workload and a read, a re-read and a re-re-read failed to reveal any ambiguities to the author. There was just so much to all this, I left out a lot of things that I wanted to add, but I was already well on my way to need to talk to a bookbinder as it was. :)

    But like I said, the RIAA has planted nasties in peer-to-peer groups to "sour the milk," you've got shareware authors planting "cracks and keygens" that will wipe the machine entirely if run (trojan TRASHSYS ["crack.exe"] will wipe a drive in 50 seconds, even "emulators" and "virtual machines") because they didn't get paid for their file utilities on a "trial basis" and big corporations like VIACOM that look the other way while kids get scrood on "Nick.com" ... and the common denominator is a lot of disgruntled people who feel they got ripped off by the public and now "YOU" are going to pay for it. They really DO believe this - it motivates many of them to write this stuff. That was where I was going with all that.

    I wasn't kidding when I said things have become a "toilet" ... and yet there's people who have never gotten infected. Perhaps if I *had* written a book instead, I could have gone into more and better detail. But it had already become a book as it was, and I was trying to keep it as short as I could. Authors get in trouble when they're told "500 words or less." :)
     
  25. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Kevin mate come on, you've got more integrity than to release blindingly biased, useless comparisons like this, and you don't need to stoop to their level; your software speaks for itself. (I normally wouldn't come into this sort of a thread, but seeing as you've included my scanner in your results I'm sure you don't mind me fielding my view.)

    You know that people here are smart enough to realise why your scanner would detect 100% of the samples that you chose (of course it would), as they do when any other vendor makes a biased comparison ... so what's the point? Any other vendor could easily choose 100 samples your scanner wouldn't detect, and you know that, so why are you doing this? Why only 100? Why only those 100? Why not do it the credible way and let an independent 3rd party do the same test and let them choose the samples?

    Sorry mate, can't find any such biased comparisons on our site, nor will you find any in the future. Actually there's only one reference to BOClean on our site, which I don't think you'd mind - "Has the scanner been around since the first RATs were released? Unless the scanner is TDS, Lockdown, The Cleaner or BOClean, the answer is no."

    Pretty disappointing mate, I hope this is a one-off brain explosion. (We all get them in this crazy industry, heh ...)

    Anyway that aside I hope all is well over in your neck of the woods.

    Regards,
    Wayne
     
Thread Status:
Not open for further replies.