Lavasoft News - October 2006

Many of you have perhaps learned a second or third language. It's not easy is it? However, if you stick with it, the aggravation of struggling with your words one day pays off when the light switch turns on and you just get it. For those of you new to the world of spyware, all the technical terminology may seem foreign to you, but here at Lavasoft News, our goal is to skip that initial aggravation and just keep it simple. This issue is a lesson in spyware education. Find out about how spyware trends are heading in a scary direction. Cyber crime is becoming more organized and more devious. The authorities have caught up with some of these online creeps, but it's also up to you to protect yourself. Stay educated. Stay with us at Lavasoft.

News from Lavasoft

Scary Spyware Trends

It used to be that when you thought of cyber crime you imagined a teenager sitting at his computer in his basement trying to hack into some government agency. And he just wanted to make a name for himself.

Those days are gone. Cyber crime is becoming more organized, according to top U.S. officials.

"There has been a change in the people who attack computer networks, away from the 'bragging hacker' toward those driven by monetary motives," Christopher Painter, with the Department of Justice Computer Crime section, told Reuters. "There are still instances of these 'lone-gunman' hackers but more and more we are seeing organized criminal groups, groups that are often organized online targeting victims via the Internet."

The real danger today lies in what are called "anonymous virtual interlopers". They focus on identification theft, illegal use of bank and credit cards and creating Botnet armies that can hijack hundreds or thousands of computers in an effort to infect other systems.

Profiting from these scams seems to be the name of the game now. Several recently released industry reports have found that malware creators are making money from their code and are therefore creating increasing numbers of sophisticated Trojans and bots.

One recent criminal indictment alleged a convicted bot-herder, Jeanson James Ancheta, received $150 for each of 1,000 infected computers.

Cyber crime is a big business. The FBI (American Federal Bureau of Investigation) estimates that computer crime in general in the U.S. costs industry about $400 billion. In Britain the Department of Trade and Industry said computer crime had jumped by 50 percent in the last two years alone.

And industry analysts expect the problem to only get worse. Gartner researchers expect spyware to infect up to 50 percent of companies in the next two years.

The question is no longer if you'll be affected, but when.

Home  arrow

FTC Closes the Book on Spyware Op

The people behind an operation that allegedly installed illegal spyware on computers, which according to federal regulators affected 18 million users worldwide, will have to dig deep in their pockets to settle a complaint filed by U.S. Federal Trade Commission.

In the fall of 2005, at the FTC’s request, the operation had its assets frozen and was ordered to shutdown.

This fall, the commission disclosed that a settlement had been reached, requiring two companies and three individuals to give up just over $2 million of their “ill-gotten gains,” along with a suspended judgment of $8.5 million for alleged violations of the FTC Act.

The settlement is said to be the second biggest ever made by the agency, that has been involved in more than a dozen settlements, totalling around $8 million in the past two years.

The California-based defendants, Enternet Media Inc., Conspy & Co. Inc., Lida Rohbani, Nima Hakimi, and Baback Hakimi, have been distributing software under the names Search Miracle, Miracle Search, EM Toolbar, EliteBar, and Elite Toolbar.

The ruling by the U.S. District Court for Central California permanently prohibits the defendants from interfering with consumer computer use, including distributing software that collects information concerning a consumer’s Internet use and personal information, installing advertising software code, hijacking homepages or browsers, or installing dialers.

 The defendants are also prohibited from making “misleading representations” about the performance, features, and cost of any type of software, including misrepresenting that code is an Internet browser upgrade, online security software, music, lyrics, or a cell phone ring tone, the FTC said.

The FTC charges that the defendants caused installation boxes to pop up on users’ computer screens, offering a variety of freeware, or security patches and upgrades to fix supposedly defective browsers. Instead of getting freeware or security upgrades, once consumers downloaded the software, their computers were infected with spyware that interfered with computer use and was difficult to uninstall.

The defendants also allegedly used software code to track consumer Internet activities, change home page settings, insert new toolbars, and manipulate browser windows, the agency said.

Click here to view a PDF of the original FTC complaint.

Home  arrow

Jail Time for Worm Creators

Two students behind a pesky worm that wreaked havoc at more than 100 American companies, including media outlets CNN and the New York Times, are doing time behind bars.

Farid Essebar, 19, a science student from Morocco , was sentenced to two years in prison by a Moroccan court in mid-September. An accomplice, 22-year-old Achraf Bahloul, received a one year sentence.

A third man from Turkey has been charged with financing the attack, which disrupted more than a quarter of a million PCs in August of 2005.

"The court convicted the two men for conspiracy, theft, using forged credit cards and illegal access to computer systems," a court official said.

The Zotob worm mostly affected Windows 2000 systems, taking advantage of a bug in the operating system’s Plug and Play service that had been patched by Microsoft days earlier.

Home  arrow

Privacy Issues Surround Emerging Google Software

A software prototype that Google is developing will allow the company to listen in on the “ambient sound emitted from a TV,” in order to simultaneously send tailored information and advertising to your computer.

The new technology will gather background sounds, like those coming from shows on the TV, through a PC’s built-in microphone. The software breaks the audio sample into five second snippets, creating a digital fingerprint.

The fingerprint is matched to a similar one in a database, and then shows online content related to what it found. The personalized software could include advertising, search results, or a chat room on the subject.

Two research scientists on Google’s Research Blog explained the benefits of the software, saying, “The system could keep up with users while they channel surf, presenting them with a real-time forum about a live political debate one minute and an ad-hoc chat room for a sporting event in the next.”

In a recent Technology Review article, Google’s director of research, Peter Norvig, said that the software will eventually showup in Google products. According to Google’s Research Blog, company researchers presented a paper detailing the software prototype at the Euro Interactive Television Conference (ITC), which took place in Athens this past June.

Due to issues of privacy invasion, it seems that civil liberties activists could have strong arguments against putting this technology into practice.

However, according to researchers, the fingerprinting technology in the prototype makes it impossible for the company to eavesdrop on other sounds in the room, such as personal conversations; the only personal information revealed, Google says, is TV-watching preferences.

"Some people did get the impression that we had an open microphone that was going to listen in on them. Clearly, that was not what we were doing. We are transmitting a key that can be matched but not reversed.” Norvig said, in the same Technology Review article.

According to their paper on the subject, which was presented at the Euro ITC, Google researchers contend that their goal is, “to combine the best of both worlds: integrating the relaxing and effortless experience of mass-media content with the interactive and personalized potential of the Web, providing mass personalization.”

Home  arrow

Industry Questions Consumer Reports' Testing Practices

Security vendors are up in arms over Consumer Reports' "State of the Net 2006". Just days after the September issue hit newsstands, the magazine's anti-virus testing procedures were raising eyebrows.

Lavasoft's CEO, Ann-Christine Åkerlund, finds the testing practices of Consumer Reports "highly suspicious. We're keenly aware of the reputable anti-spyware programs and how they detect spyware. That is why we question how one program receives top ranking while Ad-Aware SE anti-spyware is ranked fifth, according to this Consumer Reports analysis."

Industry analyst, Mary Landesman, agrees. She takes on the Consumer Reports methods in her article, Testing Hocus Pocus, and also refers to the 5,500 new viruses created in order to support the tests.

McAfee AVERT's Igor Muttik posted a blog on the security company's website taking the publication to task for hiring a lab to design new virus variants. "Creating new viruses for the purpose of testing and education is generally not considered a good idea& Viruses can leak and cause real trouble," Muttik wrote.

Adware Report online also criticized the technique, "Basing test results on fabricated viruses is misleading. The testers claim that viruses are the "kind you'd most likely encounter in real life". However, they have no way of knowing this. There is no substitute for real-world conditions."

To rate anti-spyware software capabilities, CR used the public suite of Spycar scripts, whose own website states the product uses "tools designed to mimic spyware-like behavior, but in a benign form."

"It's not a serious testing tool," said Alex Eckelberry, chief executive of Sunbelt Software, whose product CounterSpy rated seventh on the list. "It (Spycar) is specifically designed to test how well anti-spyware programs block unknown applications, not (how they) scan and remove."

Consumer Reports defended its testing methods to Eckelberry in a letter, "We chose this approach because we felt it best captured the flexibility of the software."

Lavasoft did contact CR for a comment, but nothing had been received at publication time.

Home  arrow

Lavasoft Questions PC World's "Spyware Fighters"

Dear PC World:

First off, we fully understand why you chose to review Lavasoft's Ad-Aware SE Personal in your August 25th article, "Spyware Fighters."

You're right: it is popular software! In fact, Ad-Aware SE is trusted by more than 200 million computer users worldwide.

But, what we don't quite comprehend is why your article ranked all of the reviewed anti-spyware software, both paid and free, together in the same group.

Not all software is created equally, but it's not like we have to remind you of that. Users, of course, can expect enhanced capabilities to be available in software that they pay for, when compared with freeware.

In keeping with our mission, we're proud of the fact that we're able to provide free anti-spyware software to our consumers. And we know that even our free software tests in the same top range as some software that you have to pay for.

In the performance rating listed in your own article, Ad-Aware SE detected 5% more adware and spyware than the product ranked ahead of it, CounterSpy. Not only that, but Ad-Aware SE disinfected 10% more adware, and 25% more spyware than CounterSpy. It also did the best job, out of all of the software reviewed, of detecting malware samples.

In the full review, Ad-Aware SE Personal was called a "crippled program", because it doesn't have real time scanning. We don't market our Ad-Aware SE Personal freeware as having real-time scanning, and never have. If you want a fair competition, why not test our paid product, Ad-Aware SE Plus, which, by the way, has real-time scanning?

Sorry PC World, we just don't understand.

Ranking and Price List, according to "Spyware Fighters":

  1. WebRoot Spy Sweeper 5.0 Beta:   $30
  2. PC Tools Spyware Doctor 3.8:   $30
  3. Sunbelt Software CounterSpy 2.0 Beta:   $26
  4. Lavasoft Ad-Aware Personal 1.06:   Free
  5. Safer Networking Spybot- Search & Destroy 1.4:   Free

*Ad-Aware SE Plus, which offers real-time protection, is available for $26.95.

Home  arrow

Spyware Newsbits

New Targets in Detection [September 2006]

Name Description
Adware.AdwarefilterToolbar May be installed by a Trojan downloader/dropper and provides no uninstaller. It advertises the AdwareFilter client, which is rogue anti-spyware.
Adware.Agent a family of uncategorized generic adware applications. The generic adware may cause pop-ups and/or other types of advertisements to appear on the computer where installed.
Adware.Allsum May expose the user on an infected computer for pop-ups and advertisements. Search queries may be logged.
Adware.Baidubar Adware.Baidu is an Asian toolbar that force installs a BHO. It does not have an uninstaller and it is very hard to remove. May advertise random products.
Adware.CasClient Operates in stealth and causes pop-ups to spawn on the host computer. May also record queries entered into Internet Explorer.
Adware.FunWeb Installs a toolbar on all user accounts. Its uninstaller is hidden and it may cause advertisements to appear on the host system.
Adware.Koolbar Installs and operates in stealth on the host system. It may cause pop-ups to appear and other advertisements to appear. No EULA provided.
Adware.LetsCool Changes the wallpaper and installs a hidden BHO. The uninstaller provided does not remove the hidden BHO. It may cause pop-ups or other kinds of advertisements.
Adware.LinkOptimizer Operates in stealth and does not provide a functional uninstaller. It may cause advertisements to pop-up, and it also may redirect search queries.
Adware.LoopAd May cause pop-ups or other advertisements to spawn on the computer where installed.
Adware.MyToolbar Performs automatic updates and installs on all user accounts. May cause pop-ups or other forms of advertisements to spawn on the computer where installed
Adware.Podcast Installs itself using downloaders that in stealth downloads and installs Podcast. It then, pretty frequently, causes pop-ups and other advertisements to spawn.
AdWare.Safety Bar May be installed from a Trojan downloader. It advertises other scam products and tries to get the user to buy these.
Adware.Soso May cause pop-ups or other advertisements to spawn.
Adware.WeirWeb Installs and operates in stealth. May expose the user of an infected system to adware and pop-ups. No uninstaller is provided.
Diaremover Rogue anti-spyware that attempts to scam the user into buying the product. Diaremover installs false positives that it finds and claims they are very critical hits. Uses downloaders and droppers to install itself in stealth on a compromised system. The uninstaller only works partially, and may even reinstall the software later on.
Win32.Backdoor.Hackarmy A backdoor tool that allows for a remote user to exploit the infected system. Known ports include (but are not limited to) 6667
Win32.Backdoor.Sality Has two modules: one keylogger and one backdoor. The backdoor may be used to control an infected system from a remote computer.
Win32.Hacktool.Craagle A tool that searches for illegal serials on sites that are potentially harmful to the system that visits them.
Win32.Keylogger.Skin A commercial keylogger. It records all keystrokes and active windows to C:\sessions.log (unless of course that has been changed).
Win32.Trojan.IZD A Trojan that installs a backdoor on the compromised system.


TAI - Threat Assessment Index
The Lavasoft Threat Analysis Index (TAI) system is based on a 10-point scale, with 1 representing the lowest threat and 10 representing the highest. The behavior of the program has more influence when assigning TAI points than the actual technical aspects of the malware. In other words, if the malware secretly attaches without the computer user's full understanding and approval, then it will automatically be given higher TAI points. A minimum TAI value of 3 is required before the malware is put into detection. Read more on the Lavasoft Research site here.


Threat Analysis (TA) Index

Home  arrow

Home  arrow

Spyware infections prompted almost one million U.S. households to replace their computers in the first half of 2006.
-Consumer Reports, State of the Net 2006

The total loss from all cases of fraud referred to the FBI's Internet Crime Complaint Center in 2005 was $183.12 million, with an average loss of $424 per complaint. This is up from $68 million in total losses a year earlier.

This month's issue of Lavasoft News is being read by... drum roll please... 872,054 people.
Worm Graphic
Term of the Month
WORM - Did you know that WORM is an acronym for "write once, read many"? A computer worm is a self-replicating computer program, similar to a computer virus. Unlike viruses, however, worms self-propagate and so do not require other programs or documents to spread. Worms typically spread through e-mail or other file transmission capabilities found on networked computers.
Real Testimonial
Thanks for removing "VirusBurst" on my PC. I tried several ways to get rid of that low-down nag. Spybot had detected it, but wasn't able to kill it. HijackThis removed it - and it was still there. The next day there was an update for Ad-Aware. After this it was that easy!! No spyware, no virus. Good work. I appreciate your reliability.
R. Busch, Berlin, Germany, 25/09/06
Adware Trends
A new report by an online security vendor shows that in August 2006, there were roughly 450 "adware families", with more than 4,000 variants.
    Industry experts say that as the amount of new viruses and worms drop off, criminal malware is given room to rise. Spyware, Trojans and phishing are the cyber-crime of choice in 2006.
Lavasoft AB
Lilla Bommen 1
411 04 Gothenburg
Page footer