Repost: WhenU - How should it be tagged?

Discussion in 'other anti-malware software' started by AshleyH, Apr 10, 2006.

Thread Status:
Not open for further replies.
  1. AshleyH

    AshleyH Registered Member

    Joined:
    Mar 16, 2006
    Posts:
    16
    Hello

    I posted this originally in the General Announcements area, but suspect that wasn't the correct place for this issue. I hope this is on topic.

    I work for FBM Software, makers of ZeroSpyware. I hope this disclosure helps prevent any speculation about the bias of my post and intentions.

    In the last few weeks, we were approached by WhenU to remove them from our list of actively blocked spyware apps. Now, I know what has happened with Aluria and Ad-Aware (Lavasoft) recently, and their decision to delist WhenU. I also know how it affected each of them from a PR standpoint. The difference is that we are not getting over a million downloads a week on Download.com, or owned by one of the largest ISPs in the USA. So we really have to pick our battles carefully. I told them we would run some tests and I would get back to them.

    We performed a test on WhenU, and came back with the following general results:

    1. It was bundled with some programs and installing in a stealthy manner in a few instances.
    2. It didn't use cookies to track surfing habits - all information was used only by the client.
    3. It did cause pop-up ads, but that is the intended purpose of the software.
    4. We did not find any defensive behavior, i.e. process hiding from taskmanager, disabling regedit and taskmanager and using rootkit technology. Processes from WhenU did not attach to trusted processes.
    5. There are net connecting processes but the information being transmitted and received was all encrypted.
    6. If WhenU came bundled with another program (i.e. Radlight, Alpha Kiwi), there were some elements of WhenU left on the user's machine. When installing WhenU that was downloaded direct from their website, it was a clean uninstall.

    It was a difficult call. Obviously the whole point of this software is to display ads, so it would be an abuse of power to mark them as spyware, for doing what the user wants it to do. At the same time, there were a few elements that were suspect enough for me to not clearly ID it as "Trusted". We agreed on downloading WhenU to "Greyware", our middle setting that defaults to letting the program run, but notifies the user that the program is on their system. WhenU agreed this would be a fair compromise.

    I wanted to see if anybody here had any reason to think this was appropriate or not, and supply reasons why?

    One note: WhenU asked for the elements that were left behind in the bundled situations. I told him we could do the test a week or so later. After just running a second round of testing, it seems they have fixed the situation, so the bundles are now uninstalling clean. I see this as evidence that we can work together with some companies to improve business practices, and this cooperation is not always colluding with the enemy.

    We are keeping the Greyware identification in place, as there is enough stealthy behavior to prevent it from being a truly trusted app.

    Thanks in advance for any feedback on this.

    Regards,
    Ashley Harrison
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hello Ashley,

    Would you mind clarifying and/or adding to that a bit, please? What actual programs of WhenU did y'all test....SaveNow/Save, Weathercast, WhenUShop, etc....and do you have the results in some form for review?
     
  3. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Personally, I think Lavasoft is mistaken in removing WhenU detection.

    I, and many other security experts, were strongly against it over at DSLReports.com.

    You may read the topic:

    http://www.dslreports.com/forum/remark,12665642~mode=flat

    If you read all 40 pages, you will see how essential trust is, and how you cannot go around removing crapware (what WhenU is) without notifying your customers.

    As a result, Lavasoft was delisted from ASAP (Alliance of Security Analysis Professionals):

    http://forums.maddoktor2.com/index.php?showtopic=3841

    Personally, I believe that once a crapware company, always a crapware company.
     
  4. AshleyH

    AshleyH Registered Member

    Joined:
    Mar 16, 2006
    Posts:
    16
    Bubba - I need to talk to the head of our threat research group to get the specifics. The testing we performed was mainly on SaveNow, but aspects of all were examined.

    I can paste into a post the report that I got back and used to help determine how we would classify WhenU if you like. It is a little rough, and not a formal review, but it might provide some insights. I'll look at it again to see if there is anything I shouldn't be posting, and if not, I'll put it up.


    Kye-U - I understand the sentiments, but think it is unfair to blacklist a company forever, without at least reviewing how the company works on occasion. In this case, the company approached us, told us how they changed, and asked to be delisted. I said we would have to review the software before any decision could be made. We performed thorough testing, and I discussed the issue with the group manager. It seemed clear that even though the app causes pop-ups, this was the intended and clearly stated purpose of the software. But, there were some elements of stealthy behavior that caused us to think it should be marked in some way. We decided that downgrading it to our "greyware" classification made the most sense. This lets users know it is running on their computer, but defaults to letting it run.

    I will try to compile the results of our test in an easily readable form so the group can see the criteria for our decision.

    AshleyH
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Ashley

    To me, testing aside, the key is: Is it very plain to the user what he is getting, and giving him the option to decline. If so I'd agree with you. But if it isn't obvious to the user, or if he has to read thru pages of an EULA to realize what he's getting, then nope. It's crapware.

    Pete
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    My 2 eurocents opinion. You can't allow any Adware/Spyware on computers.
    Don't give these adware-makers an inch, because that's the beginning of something worse.
    Users don't want any Adware/Spyware on their computers and that makes any classification superfluous. Bad is bad.
    Adverts belong on websites only and without dirty tricks.
     
  7. AshleyH

    AshleyH Registered Member

    Joined:
    Mar 16, 2006
    Posts:
    16
    ErikAlbert wrote:
    "My 2 eurocents opinion. You can't allow any Adware/Spyware on computers.
    Don't give these adware-makers an inch, because that's the beginning of something worse. Users don't want any Adware/Spyware on their computers and that makes any classification superfluous. Bad is bad. Adverts belong on websites only and without dirty tricks."

    Erik - I think the operative words in your post are about your "European opinion." The sad fact is that there are a lot of people in the United States who want to receive advertising. There are TV channels devoted to it! (The Home Shopping Network, QVC, etc.), and infomercials, in addition to the usual commercials that must be suffered on non-pay TV. I don't like it, but would it be fair if this type of television was banned just because of my dislike of it?

    Sure, it is different with software, as it can be installed on computers without the user knowing. This is why we performed the test, and this is why we still classify it as greyware - there are a few stealthy elements that make it advisable to inform the user of the app.

    The program is very clear about how it works (not buried in a complex EULA either), so it's a tough call. Ultimately I feel it was a fair one.

    Thanks
    Ashley Harrison
     
  8. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    I feel that this fact devalues the authenticity of their good intentions.

    Why encrypt the packets?

    Is there something to hide?
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    AshleyH,
    I have a problem with that classification "greyware", because I have a black/white vision on Adware/Spyware.
    Grey means partial black and white and that is unacceptable in Adware/Spyware. It's black OR white and NOT black-white.
    Grey starts with a lot of white, after that more and more black until it's dark grey.
    WhenU wants your approval and once the approval is there, they can change their programs gradually from light grey to dark grey.
    WhenU is an adware-maker and always will be an adware-maker, that's what they do and that's how they make money. WhenU is a wolf in the shape of a sheep.
     
    Last edited: Apr 11, 2006
  10. AshleyH

    AshleyH Registered Member

    Joined:
    Mar 16, 2006
    Posts:
    16
    Erik,

    I don't deny that WhenU is adware - they are very clear about it. But it is the way it is used that is relevant. I just cannot see things in the binary terms you describe.

    We (FBM/ZeroSpyware) try to keep a very current understanding of security threats, and if WhenU started to move to the dark side, we would have no problem upgrading them to a full "spyware" classification (default to block and suspend). It is a simple thing to change how an app is identified, and from a business perspective would be necessary to protect users of ZeroSpyware.

    I hope you can see that this decision is not written in stone and irrevocable. I know that WhenU was made aware of this.

    Kye-U - This is why we made sure users were still aware that the program was running on their system.

    AshleyH
     
  11. AshleyH

    AshleyH Registered Member

    Joined:
    Mar 16, 2006
    Posts:
    16
    Bubba,

    After looking over the report that I received from the researcher, I don't feel comfortable posting it on-line. I hope you can understand my hesitation.

    The summary that I posted in my first message summarized all the important issues, and why we made the decision we did. I think there is enough detail in that post for group members to understand how we came to the conclusion we did.

    However, if anybody wants a more detailed explanation (which won't really have that much extra detail), you can send me a private message, and I will get back to you.

    Thanks,
    Ashley Harrison
     
  12. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    My own opinion is that it should not be defaulted to run, and a much better warning should be given to those that don't mind it running using your software, for these reasons.
    1. It comes bundled with other software (usually freeware), and novices may not even notice it being installed (especially if it's an older program).
    2. Maybe WhenU doesn't use cookies but their own privacy policy says that third party vendors (as a result of using WhenU) may well do so.
    "The Software does not place any cookies on your desktop. It is possible that a third-party might place a cookie on your desktop. If you wish to opt-out from third-party cookies, please click on the following link and follow the instructions: http://www.networkadvertising.org/optout_nonppii.asp."
    3. Popups and ads displayed stealthily through your browser use valuable bandwidth and can also lull users into clicking WhenU ads rather than the ads placed on a vendor's site, therefore diverting commission to WhenU rather than the site owner. Also, as you must be aware, newbies would probably think the popups are a part of their browser rather than a third party program making it happen.
    4. Isn't pretending to be part of your browser defensive and rather sly?
    5. WhenU sending encrypted packets seems very suspicious to me. Seeing as it connects to its own servers, it also can update or alter itself without any user intervention. This could cause unforeseen stability problems in my view.
    6. It may very well uninstall cleanly, but as I say, the novice with popups and ads all over his browser probably doesn't even know it's installed or even in add/remove programs.
    Maybe it's not spyware, and if it's just spyware that you detect then your greyware is warranted. But if you purport to detect adware/suspectware too, then I'd be very disappointed if I used your software and it allowed this to run by default. A far greater and in depth warning and the choice would be preferable to me.
    ellison
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    AshleyH,
    In that case you have to guard these greywares like a hawk, which means more work. Having a black/white vision is much easier to accomplish.

    On the other hand, I also believe that advertising on computers will be a fact within 50 years and generally accepted by people.
    This generation doesn't want Adware/Spyware on their computers, but the next generations will.
    In the sixties any advertising on TV was forbidden in Belgium and now every TV station has advertising and that happened in less than 57 years (my age).
    So this bad attitude towards Adware on computers will change too.
    Greyware is just the beginning and too early for most people of this generation, I'm one of them.
    The actual adware-makers treat users like dirt, so I expect that the next generation of adware-makers will develop more human methods for advertising on computers.
     
  14. AshleyH

    AshleyH Registered Member

    Joined:
    Mar 16, 2006
    Posts:
    16
    Ellison,

    Thank you very much for the detailed response! This was the kind of feedback I was hoping to get on the issue. You have made the best arguments so far as to why it should still be listed as adware.

    I am going to take this to the manager of our threat research group to discuss at greater length. Obviously we want to do the right thing, and participation like yours really helps to that end.

    Regards,
    AshleyH
     