The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Click here to subscribe. Please read our Terms of Use for quoting guidelines. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/nov11,2005.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
The content of this newsletter is commentary. It should not be mistaken for unbiased, objective journalism.
The Federal Trade Commission has filed a complaint against Enternet Media for allegedly installing spyware in a deceptive manner. At the FTC's request, Enternet Media was ordered to halt their activity. Last week, a person who says he works across the street from Enternet Media witnessed over a dozen cops raiding their offices.
Enternet Media is responsible for the Search Miracle / Elitebar spyware programs. They are believed to be affiliated with a program called Spyware Bomber, which claims to be a spyware removal program.
For some unknown reason, I have been receiving numerous complaints from people who purchased Spyware Bomber and received invalid registration numbers. I have never sold this program, never reviewed it or recommended it. In fact, before the first complaints started coming in, I had never heard of it. Why people are sending their complaints to me remains a mystery.
The complaint filed by the FTC claims that Enternet Media and at least one affiliate use highly deceptive methods to trick people into installing software. Once installed, a rootkit hides the files involved with the spyware, disables certain competing Internet Explorer toolbars, tampers with computer settings and gathers data about the infected victim's use of their computer. The FTC claims that Enternet Media has violated Section 5 of the Federal Trade Commission Act.
Mwahahahaha. Goodbye and good riddance. Let's all of us hope they stay shut down. This definitely is a bad guy company and we are all better off without them stinking up the net.
Window Washer
Window Washer is a very cool, very useful program. You could spend an hour rummaging through your computer deleting your browser cache, cookies, temp files, address bar history, and even those nearly impossible to delete index.dat files. With Window Washer, you don't have to waste all that time and energy. Window Washer makes doing these tasks quick and easy.
When I tested Window Washer for the first time, it cleared out an amazing 700MB worth of garbage files, most of it temporary files left over from programs that hadn't cleaned up after themselves. It deleted all of these files very quickly. Since then, it has deleted over 10 GB of trash files through regular cleanings.
Window Washer also deleted the index.dat file in my browser cache, a file that Windows normally refuses to let you alter. It reduced it from 1.8MB all the way down to 32KB. There is an optional setting to clean out the browser cache, address bar history, cookies and other internet usage traces every time the browser is closed.
Spy Sweeper
Webroot's Spy Sweeper is one of the best antispyware programs available today. It can do a quick scan to find spyware in the most likely locations. It also can do a very thorough full scan which looks at *everything*.
While I was test driving it, I noticed that it was looking at the modules loaded into memory. I don't mean just processes. I mean that it was scanning every file loaded as a module by every process running in memory to see if it matched a known spyware. It also scans the entire hard drive for malicious files. That full scan takes a while, so you may want to use the built-in scheduler to do that when you are sleeping or away from home.
The newest version of Spy Sweeper is extremely nice. It is easy to use and is very thorough. The protective options are very good - far better than the obligatory option of locking the Internet Explorer home page that many other programs provide. The new start up manager is a fantastic feature. I definitely recommend Spy Sweeper.
If you have any problems with the ordering page, please email Catherine http://www.spywareinfo.com/email2.php.
RetroCoder, a UK-based maker of spyware sold commercially as SpyMon, has sent a cease and desist letter to Sunbelt Software. It seems that they do not appreciate the fact that Sunbelt's Counterspy program can detect SpyMon.
RetroCoder has taken a novel approach in their threats. Most spyware companies threaten for libel and unfair competition, while claiming that their product is not spyware. RetroCoder, knowing full well that they cannot tell a jury that their product is not spyware, instead wrote an interesting clause into their End User License Agreement. The notice states that any person with any relationship to an antispyware company is forbidden to use or examine the program. RetroCoder claims that by ignoring this notice, Sunbelt has infringed upon their copyright.
It appears that RetroCoder has not consulted with an attorney. Copyright law does not allow you to enforce a clause such as that. In fact, various courts have set numerous precedents where such clauses have been thrown out as invalid.
Sunbelt's president, Alex Eckelberry, says that Sunbelt has no intention of removing the program from Counterspy's database. In his blog posting, Eckelberry seems to be more amused by the threat than worried.
As well as a legal education, RetroCoder's spokesman seems to need a lesson in the English language. ZDNet quotes a company spokesman as denying that SpyMon is spyware. He says that the software is a "surveillance tool" instead.
Surveillance is spying. They should look up the word sometime. I understand they make some fine dictionaries right there in the United Kingdom.
The last two weeks have not been kind to Sony-BMG.
First, there was the revelation that certain music CDs produced by Sony-BMG install rootkits to hide DRM software.
Not only is this software hidden from view by using a method favored by criminals, removing it breaks the computer. It also allows other criminals to exploit the rootkit to hide malicious software. This software and its behavior are not disclosed adequately in the license agreement that appears when the CDs are loaded in a Windows PC.
Not long after this revelation, numerous security software vendors vowed to introduce detection and removal of this software. Typically, these companies would shy away from detecting software from a supposedly legitimate company such as Sony, especially if the intent of the software is to prevent unauthorized copying of intellectual property. However, the software that Sony installs introduces certain security issues.
The rootkit can be exploited to hide any file or folder whose name begins with certain characters. People using cheating programs already are using it to circumvent anti-cheating software created for World of Warcraft. Creators of viruses and other malware easily could use this same method to hide malicious code.
Another problem caused by the software is that, frankly, it was designed poorly. Among the files hidden by the rootkit is a device driver. Since the file is hidden, occasionally it will cause severe errors in Windows. This can cause computer crashes, loss of data and, potentially, physical damage to hard drives.
The software also contacts internet servers to download graphical art related to the music on the CD. While that is nothing malicious, the behavior is not disclosed. It is the computer owner's right to decide whether or not to download material from the internet. Sony's software violates this right.
Computer Associates makes a damning claim about the software. According to CA, Sony's software interferes with the copying of all music CDs, not just those produced by Sony-BMG. A Computer Associates vice president is quoted as saying that Sony's software inserts random noise into music files ripped from other CDs, making it difficult to listen to the files.
If that is true, then it means Sony is using hidden technology to interfere with a person's ability to listen to music sold by Sony's competitors. Sony could be on the receiving end of some nasty letters from competing music publishers.
Sony's lawyers already will be receiving letters anyway, quite a large number of them according to reports. They even might have a few visits from various police agencies.
Italy's version of America's Electronic Frontier Foundation (EFF) has filed a complaint against Sony with Italian police. They are asking for an investigation into whether or not Sony has violated Italian law.
A Los Angeles attorney has filed a class-action lawsuit against Sony on behalf of California consumers. The suit asks the court to order Sony to cease and desist all sales of any CDs that include this software. The suit also asks for monetary damages for any California consumer who may have purchased these CDs. Washingtonpost.com is hosting a copy of the filed complaint (PDF warning).
Another class-action lawsuit is expected to be filed in Federal court in New York. An attorney in San Francisco also might file a class-action lawsuit against Sony.
Declan McCullagh has written an editorial on the subject, one that makes some excellent points. The point that struck me as the most insightful is that Sony may have violated California's antispyware law. This is the relevant part of that law:
22947.4. (a) A person or entity, who is not an authorized user, as defined in Section 22947.1, shall not do any of the following with regard to the computer of a consumer in this state:
(1) Induce an authorized user to install a software component onto the computer by intentionally misrepresenting that installing software is necessary for security or privacy reasons or in order to open, view, or play a particular type of content.
Shortly before writing last week's newsletter, I posted a question to some private mailing lists. The license agreement that pops up on a Sony CD makes the following claim: "Please keep in mind, however, that if you do not agree to be bound by these terms and conditions, you will not be able to utilize the audio files or the DIGITAL CONTENT on YOUR COMPUTER."
You do not need to install this software in order to play CD music. All current operating systems include at least one media player. In fact, the only way that this statement can be true is if you do install Sony's software. At that point, the software prevents a person from using the music with any software not approved by Sony. If the software is not installed, you can play the music or rip it to your hard drive with any software you like.
The agreement contains a blatantly deceptive statement, put there to trick people into agreeing to it. I asked if this constituted "bad faith" and, if it did, if that means the entire agreement is void? I never received an answer one way or the other, so I didn't mention the license. It never occurred to me that putting that false statement in the agreement could be a criminal act.
Wired News also has written an editorial about the situation. In their opinion, Sony may have violated the US Computer Fraud and Abuse Act.
Sony is facing a PR disaster, boycotts, class-action lawsuits and criminal investigations around the world. All of this because of an idiotic decision to tamper with their customers' computers in order to prevent them from exercising their legal fair use rights.
Some things are so boneheaded that the word "stupidity" simply does not do it justice. I will not EVER buy a CD from Sony because of this. I'm sure I am not alone in that.
EFF has published a list of CDs believed to contain Sony's rootkit software. I urge you to compare that list against the CDs you have purchased in the last year. If you have one of them, you should download Rootkit Revealer. If it reports numerous hidden files and folders whose names begin with "$sys$", then you probably have been infected by Sony's rootkit software.
If you decide to try to remove the software, be extremely careful and make absolutely certain that you make a full backup of your system first. Removing the software incorrectly WILL damage your computer.
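Rootkit Revealer finds hidden files by comparing what the Windows API reports with what a raw read of the disk contains. The sketch below is an added example, not code from this newsletter or from any tool it mentions; it applies that comparison to two file listings and flags the "$sys$" prefix. The function names, verdict strings and sample paths are all constructed for illustration.

```python
from pathlib import PureWindowsPath

PREFIX = "$sys$"  # name prefix given in the text above


def norm(path):
    """Windows file names are case-insensitive, so compare lowercased paths."""
    return str(PureWindowsPath(path)).lower()


def is_cloaked_name(path, prefix=PREFIX):
    """True if any folder or file name in the path starts with the prefix.
    A hidden folder hides everything stored beneath it as well."""
    return any(part.lower().startswith(prefix)
               for part in PureWindowsPath(path).parts)


def cross_view(api_listing, raw_listing, prefix=PREFIX):
    """Compare the listing Windows reports with a raw listing of the same disk."""
    api = {norm(p) for p in api_listing}
    hidden, visible, other = [], [], []
    for path in raw_listing:
        missing = norm(path) not in api
        cloaked = is_cloaked_name(path, prefix)
        if missing and cloaked:
            hidden.append(path)    # on disk, absent from the API view
        elif missing:
            other.append(path)     # may simply have changed between the scans
        elif cloaked:
            visible.append(path)   # prefix present, but nothing is hiding it
    if hidden:
        verdict = "cloaking active"
    elif visible:
        verdict = "prefix files present but visible"
    else:
        verdict = "no prefix files found"
    return {"verdict": verdict, "hidden": hidden,
            "visible": visible, "other": other}


# Constructed sample listings, not taken from a real machine.
SAMPLE_API = [
    r"C:\WINDOWS\system32\drivers\disk.sys",
    r"C:\Music\track01.wma",
]
SAMPLE_RAW = [
    r"c:\windows\system32\drivers\disk.sys",
    r"C:\Music\track01.wma",
    r"C:\WINDOWS\system32\$sys$constructed\driver.sys",
    r"C:\WINDOWS\system32\drivers\$SYS$constructed.sys",
    r"C:\Temp\scratch.tmp",
]

if __name__ == "__main__":
    report = cross_view(SAMPLE_API, SAMPLE_RAW)
    print(report["verdict"])
    for path in report["hidden"]:
        print("hidden:", path)
```

The raw listing has to come from a view the rootkit cannot filter, such as the same disk read from another, clean system.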
If your company is located in Florida and does business in Utah, you don't have to obey Utah's laws. . . right? Well, actually, you do. The Utah Supreme Court says so.
A telemarketing company in Florida found out the hard way that they can be punished for committing crimes in Utah. State law forbids the use of automatic dialing devices when a company calls Utah residents. Integrated Credit Solutions of Florida broke that law and Utah's government caught them at it. Utah's Division of Consumer Protection fined the company $2,000.
The telemarketers felt that they did not have to obey the law, so they appealed the fine. They lost.
Integrated Credit had the amusing idea that breaking the law was not a crime because certain federal telemarketing laws do not forbid the use of automatic dialing equipment. Sorry, but sovereign governments will enforce their own laws, regardless of what other governments may do. I can't imagine why this company thought they could break the law without punishment.
This is yet another victory against the telemarketers. So many rules, laws and regulations have been put into place in the last few years that I wonder why telemarketers still bother. Many telemarketing shops have been forced completely out of business because of the Do-Not-Call law. I look forward to the day when all of them are gone and we can all eat our dinner in peace.
This is one of those ideas that make you want to slap your forehead and wonder why it never occurred to you before. I don't remember what prompted it, but I decided to do a little experiment with my virtual test PC. I created a low-level user account and then went surfing some of the most spyware-infested web sites I could find.
Guess what? Nothing happened. Not only did I fail to pick up a single hijacker, I never once saw as much as a single ActiveX prompt. As far as I could determine, I was immune to spyware infection. Why? Because in limited mode, Windows doesn't allow you to do very much. You are not allowed to make the changes necessary for malware to install and hide itself.
That is not much of a revelation. Many people already realize that if you surf the web in limited mode, not as "root" or "Administrator", then you are much safer. The reason why people, myself included, do not tell internet newcomers to do that is because using a Windows computer in limited mode is nearly impossible.
Don't believe me? If you have Windows 2000 or XP, try it right now. Go to Control Panel > User Accounts and create a new limited user. Now spend a few days in it and see what happens. Numerous programs that you use, if you are able to install them at all, simply will not work. You will have an unending series of "permission denied" errors as you try to use your computer normally. Because of this problem, very few people use Windows in limited mode.
The main culprit is software developers. Many of these developers create their programs in such a way that a limited user cannot use them. I remember trying to install a copy of PaintShopPro 7 once. First, I couldn't install it. When I circumvented that by using the "Run As" feature and did install it, I couldn't use it. That is just boneheaded design right there.
Microsoft is partly to blame. I mentioned the "Run As" feature. What that does is allow you to load a program as a different user. Basically, you provide the log-in password for an administrator account while logged in as a limited user.
The problem with this is that Windows treats that situation as if you are logged into that administrator's account. Files saved from the program, if launched this way, cannot be stored in "your" My Documents folder. They have to be stored in the My Documents folder associated with the administrator account. Occasionally, a program won't operate correctly even if you use the "Run As" feature.
Microsoft could learn from Linux on this one. With Linux, you operate normally as a limited user. If you need to do something to the system, you can open a command terminal, give the "root" password and Linux will temporarily give you the same permission as the root-level user. The problems you run into with a limited Windows account simply do not occur with Linux.
So, although it is much safer to surf the web in limited mode, people refuse to do it because of the permission problems they run into. No one wants to run Windows in limited mode.
Well, there is a simple fix for this problem. It is so simple that I wonder why it never occurred to me before now.
Use Windows normally in your admin-level account to avoid the problems caused by bad software design. However, any time you plan to surf the web, log out of that admin-level account and into a limited account. When you are through surfing the web, log back into your admin-level account. If you have any version of XP, you don't even have to log out of your normal account. Just use Fast User Switching to go back and forth.
I won't claim that you will be immune to a spyware infection if you do this. I will say that the chances of it happening are very slim.
There is one thing that I want to point out. Windows XP has a really stupid bug. If you create an additional account, the default "Administrator" account will disappear from the Welcome screen. Since quite a few people use that default account, that leaves them unable to log in from the Welcome screen after they create a new account. This bug is present in XP Gold, XP SP1 and XP SP2.
Unbelievably, Microsoft considers that to be a feature, not a bug. So the chances of it ever being fixed are low. There is a registry hack that will put the account back on the Welcome screen. Do not attempt to edit your registry if you don't know what you are doing. You could cause some serious problems with Windows.
Don't worry, there is an easy way around this bug if you don't feel comfortable hacking at your registry. At the Welcome screen, simply press the CTRL ALT DEL buttons at the same time and a new log-in prompt will pop up. Just type "Administrator" for the user and give your normal password and it will log you in.
If you are one of those people whose computer is infected repeatedly by malware (you know who you are), you should give this a try. I'll bet that, if you do this, you will not have nearly as much trouble with spyware as you do now.
Last week, I mentioned a program called WhoLockMe that I thought was pretty cool. WhoLockMe will show you what program is preventing you from opening, changing, renaming or deleting a file or folder.
Robin Taylor wrote to point me to an even better program, called Unlocker. Unlocker not only shows you what program has locked a file, it also allows you to unlock it or kill the program out of memory. Definitely very cool. The program is free, though the author asks for a Paypal donation.
Just be careful how you use it. I run a gaming server on my PC and used it to unlock the log file so I could see something. By unlocking it, the server stopped writing to the log file and I had to restart it.
One more warning, one that I wish I had been able to mention last week. When I went to uninstall WhoLockMe, I discovered that it didn't have an uninstaller. I had to edit the registry to remove it from the right-click menu.
Sorry about that. I didn't even realize it at the time. Unlocker does have an uninstaller, so feel free to try it out without worrying that you'll be stuck with it.
Update:
Okay, it turns out WhoLockMe did have an uninstaller. It was a small batch file included in the downloaded zip file, which I promptly deleted after installing the program.
I have some disturbing news to report. Tin foil beanies will not block government mind control rays. In fact, according to a recent MIT study, they may make it easier for the rays to penetrate into your head.
Using sophisticated equipment in an MIT laboratory, the researchers found that, rather than deflecting them, a hat made of tin foil will amplify radio signals. The researchers experimented with three popular styles of tin foil headgear.
All of the tested hats amplified radio signals, particularly in the range of frequencies reserved for government use. The researchers wonder if the government may be responsible for a misinformation campaign touting the effectiveness of tin foil hats.
I intended to write a longer article about this. Unfortunately, a black helicopter just landed in the driveway and I need to go see what they want.
SpywareInfo has a new(ish) feature, listing news headlines relevant to spyware, privacy and safely using the computer. There is a saying that "all politics are local". It seems that this also applies to the internet. It is a close community in that problems can spread from anywhere. If you see a local story that you think deserves attention, please let us know. Use this mail form, tell us some details and we will follow the story.
This Spywareinfo News Section is updated every day - and several times during the day. It is a section of Spywareinfo that we hope will keep you informed on a daily basis - and keep your internet time a bit safer. Go have a look.
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners. All rights reserved.