No response to virus sample submission- Win32/Adware.AnchorFree application

Discussion in 'ESET NOD32 Antivirus' started by Hollowstriker, Apr 1, 2010.

Thread Status:
Not open for further replies.
  1. Hollowstriker

    Hollowstriker Registered Member

    Joined:
    Mar 28, 2010
    Posts:
    50
    Hi,

    I've sent a few emails to samples@eset.com as per the instructions in SOLN141 regarding versions of the Hotspot Shield software floating around on the Internet which are not detected by Eset NOD32, but have not heard from ESET since, nor have any detections been added.


    As of Virus Signature Database 4993 (20100401), only version 1.37 of the software is detected as Win32/Adware.AnchorFree application, whereas older/newer or even Macintosh versions of the same software (which might contain similar adware components to the Windows version though I haven't tested it out personally on a Mac) remain undetected.


    Referring to the post by Marcos at this thread, I've gathered a number of versions/variants of the software (same version but different filename) and am hosting a 7ZIP archive (40MB~) of the files here (standard 7-ZIP archive, password is 'infected' [without quotes]): https://dl.dropbox.com/u/5492449/hss-020410-installers.7z


    Many other versions of the software can be found here:
    http://www.rosoftdownload.com/download/Windows/Hotspot-Shield


    I do hope that detection of these other versions can be added soon, as from its behaviour of injecting adverts into browsers when running, it is clearly adware (or potentially even cause other damage to our computers?)
    Internet Explorer
    Firefox

    Thanks!
     
  2. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    When you submit samples Eset give you no feedback as far as i know so basically you don't know if they even received the samples or if they received the samples, but decided it's not a threat. Also my experience with Eset is that everything goes pretty much slower during holidays so if you submitted the samples yesterday it might take a bit longer than usual since it's holiday now.
    For Eset i would recommend a better way to handle the submitting of samples. One example is Avira where you submit a sample and you can follow the progress using a link you get when the sample is submitted. That way you know if they received the sample, what they did and when they checked the sample as well as if they decided it's a real threat or not without having to ask them about the result.

    I'm not sure what the files you posted contains, but i think it's a violation of the rules of this board to post links to real threats.
     
    Last edited: Apr 1, 2010
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It is often questionable whether or not to detect something as adware. For instance, in the versions you've submitted the creator removed statements indicating adware behavior from EULA and thus it will need to be analysed in details whether or not it still behaves as adware which will take some time. Adware as such is not dangerous, otherwise such pieces of software would be classified as Trojans.
     
  4. Hollowstriker

    Hollowstriker Registered Member

    Joined:
    Mar 28, 2010
    Posts:
    50
    1. I'm not exactly sure what you mean, but based on ESET's definition of 'Adware' in the latest NOD32 User Guide, it reads: 'Adware is a short for advertising‑supported software. Programs displaying advertising material fall under this category.' So for something to qualify as 'Adware', it has to either say it explictly in the EULA or behaves as adware when the program is installed?

    Summary of EULA of HSS installers:
    - 1.10/1.13/1.17/1.19/1.22- Not possible to obtain; redirects to 1.37/1.40 installer
    - 1.30*/1.31*/1.33/1.34/1.35/1.36- Adware behaviour not mentioned in EULA
    - 1.37/1.39/1.40- Adware behaviour is mentioned in EULA^


    2. Continuing on the section from the NOD32 User Guide, a worrying statement 'Adware itself is not dangerous – users will only be bothered with advertisements. Its danger lies in the fact that adware may also perform tracking functions (as spyware does)'

    - Can ESET confirm if the Hotspot Shield software merely injects advertisements or does it perform additional tracking functions/malware functions?
    - When the Hotspot Shield software is installed, there is a red tray icon which appears in the (Windows XP) taskbar. Upon exiting it, it closes but only to automatically reappear after some random time, at times prompting the user that their connection is 'unsecured'. Would this be considered a PUA? (It seems to have to do with an openvpn service which is displayed in the task manager as running as 'System' level.)
    - Would it be safe then to use an older or even newer version (e.g. v1.40) of the software which is not detected by ESET?


    3. In any case, I would presume that ESET has received the 40MB package as referenced in my original post and is/will be analyzing it (Windows and Mac versions) and getting back to me?
    [Two additional files (v1.30/v1.31) not in original submitted archive above, download from https://dl.dropbox.com/u/5492449/hss-130-131-installers.7z (standard 7-ZIP archive (6.5MB~), password is 'infected' [without quotes])]


    ^ 9.1 Advertisements. AnchorFree may deliver third-party advertisements (“Advertisements”) within the content of any web page accessed. Advertisements may be injected into the top of the page, inserted directly into the page content, or even displayed to overlay the page. You hereby acknowledge and consent that AnchorFree may alter the content of any web page accessed for the purpose of displaying Advertisements.
     
  5. Hollowstriker

    Hollowstriker Registered Member

    Joined:
    Mar 28, 2010
    Posts:
    50
    Could someone at ESET respond to my questions as per my previous post?
     
Thread Status:
Not open for further replies.