Re: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses

[James Tucker <jftucker () gmail com>]

Spam or not, truth or not, the whole situation with adware is getting
out of hand.

I suspect the quickest way of dealing with the registry entries is to
use Unicode keys (unreadable by any outer ring processes).

Worrying that they are getting into the kernel, although I would be
very interested to hear Microsoft's stance on these programs attacking
system integrity. Microsoft have resources massively outweighing many
of the adware companies summed together; they still code badly. I
don't want adware code in the core of my OS period.

The last trojan I saw to successfully fully "hide" files did so by
falsely marking corrupt areas of the disk. The result of such action
is major performance hits on IDE controllers and pop-up messages all
over the XP system tray.

Does anyone actually analyse the adware protocols for anything other
than client side exploits? Have these tools been actually identified
as sending private information? Are there privacy laws which can
therefore be invoked? How difficult would it really be to build a
honey net and prove the lack of user side approval to the install of
such applications? If the software has been developed on an XP system
are they in breach of the EULA? Should they be if they are not?

I have seen GAIN Publishing adware install in many places and it
fulfils all of the required criteria. Moreover GAIN is easy to
uninstall. I can understand the concern that companies like GAIN have
when the user has accepted an agreement not to remove their software
as long as they use the bundled application; and yet their Ad-Aware
install comes along and rips it out. At least many of the GAIN
supported apps don't work without GAIN running.

I hate adware as much as the next sysadmin, but some reality checks I
think are long overdue in this department. Firstly, applications like
GAIN use bandwidth which pales insignificant after you hit the first
website using flash in any given day. The processor time required for
this is also minimal. A average end user spends most of their time
searching for keys on the keyboard rather than running some high
demand application. Not many users care when winamp asks for anonymous
usage statistics, nor the google bar. So why all this fuss?

We can't trust all of the adware applications. Of course you never
trust code on a system until you have reason to believe there is
nothing wrong with it; but the world of closed source is a hard one to
crack unless your feeling ambitious and want to start reading poorly
disassembled code. The reason the fight begun in the first place was
because these apps were not honest about their output. They
implemented protocols which were not secure and provided attackers
with more holes onto the system. They installed themselves without
making it clear to the user what was being installed. The more
products we saw of this nature the more likely it was we were going to
see a response. Well now the response is causing business troubles to
the Adware companies and they want justice.

There must be some kind of honest balance available. Anonymous usage
statistics is not something which we should be concerned about.
Unknown applications getting installed on client workstations without
warning, hidden files, hidden processes, hidden registry keys, poor
system performance due to too many badly written over sized
applications on the machine; these are the things that really concern
me.

I would say that talks need to begin fast, otherwise the result of
this battle is only going to end up somewhere underneath the OS, which
is not a place I fancy spending most of my life working and debugging.

Maybe the time really has come for a hardware coprocessor to deal with
this CRAP.


On Wed, 22 Sep 2004 20:10:28 -0700 (PDT), Will Image
<xillwillx () yahoo com> wrote:
> I recieved this in my inbox today:
> how long do you think this company will last?
>
> > Date: Wed, 22 Sep 2004 19:02:44 -0400
> > From: Jacques Tremblay <jacques.tremblay () gmail com>
> > To: xillwillx () yahoo com
> > Subject: Hide your adware from all Adware removers
> > and Anti-viruses
> >
> > To: Business development manager
> >
> > Subject: Hide your adware from all Adware removers
> > and  Anti-viruses
> >
> >
> >
> > Hi,
> >        Adware removers are gaining in popularity and
> > they cause a big
> > revenue threat to adware based businesses, as we see
> > our software
> > installations get desinstalled after a period of
> > time that is shorter
> > and shorter, we see our revenues get smaller and
> > smaller.
> >
> >        Why would an honest adware based business
> > lose revenue just because
> > some adware remover has identifyed it as being
> > something to remove ?
> >
> >        We beleive we have the right to hide from
> > these adware removers as
> > long as we provide a way for the user to uninstall
> > and that he agrees
> > that the software will be uninstalled only with the
> > provided
> > uninstaller.
> >
> >        It is in that spirit that we created the
> > solution to the problem :
> >
> >
> > AdProtector 1.2
> >
> >
> >        We have developed software capable of hiding
> > your software from all
> > adware removers and anti-viruses on a Windows
> > NT/2000/2003/XP machine.
> >
> >        Basically we have filtered the windows kernel
> > so that we could mofify
> > the behavior of the system itself. So now we can
> > hide anything we want
> > from windows.
> >
> >                            It can :   - Hide Registry Keys
> >                                       - Hide Files
> >                                               - Hide Processes
> >
> >        By hiding these 3 key elements from windows,
> > your application won't
> > ever be detected by any adware removers.
> >
> >        Interesting ?
> >
> >        For more information or to resquest a Demo :
> >   email :
> > hexa () randexsoft com
> >
> > Business is moving fast, keep ahead of the
> > competition!
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html