The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Click here to subscribe. Please read our Terms of Use for quoting guidelines. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/sept23,2005.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
The contents of this newsletter are commentary. They should not be mistaken for unbiased, objective journalism.
It was bound to happen sooner or later. Exploit code is floating around for a buffer overflow flaw in Mozilla/Firefox/Netscape. This flaw would be perfect for installing all manner of malware, so it is important to take steps to protect yourself.
I have a headache when I try to understand the exploit but the flaw itself is simple enough. An extraordinarily long internet address containing dashes overloads a memory buffer. Then the browser can be made to download and execute any piece of software.
Both Firefox and Mozilla have been updated to correct the problem. Go to Mozilla's web site to download an update to whichever browser you use. If you cannot update now, or if you use Netscape, there is a very simple workaround that should prevent the flaw from being exploited. The workaround disables International Domain Name support.
Normally, problems like this are fixed by Mozilla before they are announced publicly. Apparently, the person who discovered the flaw grew frustrated with the Mozilla staff and released the details of the problem prematurely. Putting seventy or eighty million people at risk probably is not the most responsible way of expressing frustration. If this person discovers another security flaw in the future, I hope he can restrain himself a little better.
Read my review of Privacy Guardian for more information about that program.
I gave Spyware Doctor a test drive on my computer a couple of months ago. After playing with it for a while, I consider Spyware Doctor to be a very good program. On a scale from 1 to 10, I would give this program a 9 1/2.
Spyware Doctor is a very nice and very polished antispyware protection program. The interface is uncluttered and easy to navigate. A system scan is initiated with the click of a single button. The same goes for updating the program. You could give a copy of this program to your grandmother for her first computer and she would have no trouble running it with the default settings.
You may remember my marathon spyware killing experiment from a while back. I still have a copy of that infected virtual machine. On my "infected" test system, Spyware Doctor found a staggering 2,400+ infection items, kicked several processes out of memory and blocked 19 malicious start up entries. Every item found was organized by the name of the malware and included a short description, as well as a detailed listing of every file and registry entry it believed to be associated with it. Every item is labeled with a "threat level", showing how serious PC Tools considers that particular piece of software to be.
While removing malicious items, it unloaded Explorer.exe (the Windows desktop environment) several times in order to delete files. It informed me that there still were files it could not remove and automatically set itself up to run a scan after a restart. It then asked permission to reboot the machine. When the machine restarted, Spyware Doctor suppressed Explorer while it ran another full system scan and removed everything it couldn't delete the first time.
Of course, it did not detect and remove every single piece of malware on the infected machine. Sadly, I know of no single program capable of removing all of the toughest malware out there. It did, however, clobber roughly 98% of the malware and disabled all of the rest. The pop-up ads stopped. The highly annoying "alerts" from Virtual Bouncer ceased. All of the weird toolbars attached to Internet Explorer disappeared. The computer stopped crashing randomly and stopped taking 10 minutes to reboot. The CPU was no longer pegged at 100% and the memory usage dropped to less than half of what it was using while infected. Although it didn't remove everything, it certainly stopped the hijacks and disabled the ability of everything left to do any harm or to cause any annoyance. In short, my machine was back to normal.
During installation, it asks if you want to load protection when Windows starts. After installation, it runs a full system scan, then asks if you want to activate the "OnGuard" real-time protection.
In the settings, it offers "Quick Scan", "Full System Scan" and "Custom Scan". "Quick Scan" will search those areas most likely to reveal an infection, while "Full Scan" will search the entire system. "Custom Scan" lets you decide which parts of the registry it will scan, whether or not it scans the HOSTS file, memory and other locations. It also lets you decide which drives and folders will be searched.
OnGuard, the real-time protection module, protects against several methods used by browser hijackers and other malware. All of these components optionally will pop up an alert if something is detected. Note: Internet Explorer is the only web browser installed on my test machine, so I don't know if any of these protections apply to other browsers.
1) Startup Guard
Watches for malware being set to load when Windows starts up. Also monitors the Windows task scheduler.
2) Browser Guard
Watches for changes made to Internet Explorer's home page and for new Browser Helper Objects (BHOs). Also it keeps an eye on other browser extensions, such as buttons and toolbars.
3) Immunizer
Sets a registry "kill bit" for certain CLSID identifiers known to be used by malicious ActiveX programs. This prevents those ActiveX programs from being loaded by Internet Explorer.
4) Keylogger Guard
Watches for running programs which seem to be logging keystrokes and blocks them.
5) Network Guard
Detects changes made to the HOSTS file, restricts the Messenger service exploited by spammers and detects changes made to the LSP settings (a Windows networking component altered by many malware programs).
6) Popup Blocker
Blocks pop-ups from being opened in Internet Explorer. It includes a whitelist and lets you decide whether it shows an alert, plays a sound or does nothing at all when a pop-up is blocked.
7) Process Guard
Watches for known malware being loaded and, if any is loaded, forcibly removes it from memory.
8) Scheduler
Allows you to set up automated scans, both full and quick scans, as well as automatic program updates.
9) Site Guard
This blocks access to certain web sites which are known to cause trouble. The options are to block suspected phishing web sites, block downloads from suspicious sites and to block access to suspected spyware web sites.
This is a good program and well worth the discounted price for Spywareinfo readers. Spyware Doctor has our recommendation - it is that good.
The discount should be applied automatically when using the links above. You will see the discount applied when you click the green purchase button. If this is not the case, try using the coupon code SPYWAREINFO. If you have any problems with the ordering page or with the coupon code (SPYWAREINFO), please email Catherine http://www.spywareinfo.com/email2.php.
Anyone buying as a corporate customer and needing many copies of this program, please contact Catherine.
As many of you know, Spywareinfo has started a 'daily news' section. There is an announcement that has been placed on the main page of the site and on the newsletters. This section remains in its 'beta' phase. The contributions of the readers are greatly appreciated - and you are encouraged to contribute by using this form.
One thing that I would like to mention to software companies is that this is not a section that will highlight your press releases. The news section would be inundated with business press releases about products, if that were allowed. That is not the intent of the news section. If the Spywareinfo readers are interested in following the developments of a specific product, then there are certainly sources to do so. However, it will not be on Spywareinfo pages.
The Spywareinfo News Section will focus on news items that are pertinent to the general readership - and I have instructed Catherine to ignore any press releases from companies that wish access to that space and consider them as marketing spam.
A misconfigured installer for the Myway Search Assistant, which is preinstalled into most new Dell PCs and laptops, is fueling some disturbing rumors about Dell.
On computer tech support message boards all over the web, people have been posting stories of trying unsuccessfully to remove the Myway Search Assistant from Dell computers. When they attempt removal, the uninstaller link in Windows' Add/Remove applet suddenly becomes disabled. This has led many people to suspect that Dell is trying to prevent people from removing the software.
Some time ago, Dell began to bundle the Myway Search Assistant into consumer PCs and laptops. They also set the Internet Explorer home page to a customized Dell web portal hosted on myway.com.
This was controversial, as many people dislike software from Myway. The software is a very close cousin to certain adware programs, which are written by the same company that owns Myway. The Myway Search Assistant is not itself adware or spyware. It is bundled with some other products, non-optionally in many cases, so it qualifies as foistware. It is this latter practice that led eventually to Myway software becoming targeted by antispyware programs.
To make matters worse, when many people see the Myway Search Assistant in the Windows Add/Remove list, they begin to remove the software. In most cases, they are told that, after a reboot, the software will be gone. After they reboot, the entry still is listed in Add/Remove. The entry no longer has any option to remove the software.
This has led to many angry postings on several message boards. Upon seeing that the software still is listed and that there seems to be no way to remove it, people begin to suspect Dell of trying deliberately to prevent users from removing the software. Understandably, people were pretty ticked off about this.
After exchanging hundreds of emails with readers who own, sell, manage or repair Dell computers, I believe I know what is going on now.
The problem is that either Dell or Myway misconfigured the installer program. The installer for the Myway Search Assistant, as used by Dell, was compiled with the Microsoft Software Installer. When the Myway software is removed by way of Add/Remove, the installer suddenly begins to use the ARPNOREMOVE option. What that does, in Windows 2000 and XP, is to disable the "remove" button in an Add/Remove listing. The purpose of the ARPNOREMOVE option suddenly becoming activated is something known only to Dell and/or Myway.
This appears to be the cause of all the confusion. The software is removed, or at least disabled. Since it remains listed in Add/Remove, people believe that the software still is installed. The fact that suddenly the "Remove" function is disabled makes the whole thing look nefarious. It is very easy to see why people would think that Dell is trying to prevent removal of the Myway software.
In fact, the Myway Search Assistant is uninstalled when the Add/Remove uninstaller is used. That can be verified afterward by clicking the "Search" button in Internet Explorer. Before removal, the "Search" button will show a Dell/Myway Search Assistant. After removal, the "Search" button uses the default Windows Search Companion. That means that the software no longer is active.
To remove the Myway listing from Add/Remove, download a tool called Windows Installer CleanUp Utility from Microsoft. Install the program, then start it. Look for the Myway Search Assistant entry, highlight it and click the "Remove" button. That should remove the entry. Make certain you do this only after you have used the entry to remove the Search Assistant.
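Two registry settings mentioned in this issue can be checked from an exported registry file: an Add/Remove entry has its "Remove" button disabled when its NoRemove value is 1 (the value the Windows Installer ARPNOREMOVE property writes), and the kill bit described under Spyware Doctor's Immunizer is the 0x400 bit of a CLSID's "Compatibility Flags". The following is an added example, not code from this newsletter or from any product it mentions; the GUIDs, the sample export and the blocklist are constructed placeholders.

```python
import re
# Standard Windows registry locations; everything in SAMPLE_REG is constructed.
ARP = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\"
AXC = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\"
KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE from loading the control

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Parse decoded `reg export` text into {key_path: {value_name: int | str}}.
    Only REG_DWORD and REG_SZ values are read; other value types are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword is not None else string
    return keys

def _under(path, prefix):
    return path.upper().startswith(prefix.upper())

def locked_arp_entries(keys):
    """Add/Remove entries whose Remove button is disabled (NoRemove=1).
    Returns sorted (display_name, installed_by_windows_installer) tuples."""
    found = []
    for path, vals in keys.items():
        if _under(path, ARP) and vals.get("NoRemove") == 1:
            name = vals.get("DisplayName", path[len(ARP):])
            found.append((name, vals.get("WindowsInstaller") == 1))
    return sorted(found)

def missing_kill_bits(keys, blocklist):
    """CLSIDs from blocklist that do NOT have the kill bit set in this export."""
    killed = set()
    for path, vals in keys.items():
        flags = vals.get("Compatibility Flags")
        if _under(path, AXC) and isinstance(flags, int) and flags & KILL_BIT:
            killed.add(path[len(AXC):].upper())
    return sorted(c.upper() for c in blocklist if c.upper() not in killed)

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00000000-0000-0000-0000-0000000000A1}]
"DisplayName"="Myway Search Assistant"
"WindowsInstaller"=dword:00000001
"NoRemove"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000B1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000B2}]
"Compatibility Flags"=dword:00000000
"""
BLOCKLIST = ["{00000000-0000-0000-0000-0000000000b1}", "{00000000-0000-0000-0000-0000000000B2}"]

if __name__ == "__main__":
    k = parse_reg(SAMPLE_REG)
    print(locked_arp_entries(k), missing_kill_bits(k, BLOCKLIST))
```

Files written by regedit's export are UTF-16, so decode them before passing the text to parse_reg.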
This all may be a moot point soon. I've heard a number of reports, all concerning Dell computers only a few days old, that the add/remove listing uninstalls the Myway software cleanly. Maybe Dell heard the same rumors I did, drew the same conclusions and decided to fix the problem.
Many thanks to the numerous readers who helped me research this story. Special thanks to Steve Wechsler of MVPS.org for explaining about the ARPNOREMOVE flag in the Windows Installer.
I am happy to report two more victories in the effort to rid the US of some of our more annoying inhabitants: telemarketers.
The restrictions imposed upon telemarketers by the various state and federal Do-Not-Call laws have led to the closure of yet another telemarketing call center. DialAmerica recently informed workers in their Warwick, Rhode Island call center to pack up and find new employment. That is 160 fewer people who might dial your number some night.
In related news...
A federal court has upheld an Indiana law which bars telemarketers from calling telephone numbers registered on the state's Do-Not-Call list. A group of telemarketers filed a lawsuit against Indiana's Do-Not-Call law. Their bizarre claim was that they had a constitutional right to disturb people at dinner with telemarketing calls and that Indiana's law violated that right. Thankfully, the court recognized that this claim was nonsense and ruled against them.
To the telemarketers who seem to be confused as to why people sign up for the Do-Not-Call lists, allow me to explain. It is very simple. We are tired of advertisements. We see them on television. We hear them on the radio. We read them in newspapers. They pop out at us on web sites. They fill up both our electronic and postal mailboxes.
When we are at home, we want peace. We want to watch TV, read a book, eat dinner or talk to our families. While we are doing that, we do not want to answer your phone call to discuss long-distance telephone service, vacation sweepstakes or hear your fraudulent claims of having silver dollars for sale made from silver recovered from "Ground Zero".
WE DO NOT WANT YOU TO CALL US!
I pay an exorbitant price each month for telephone and DSL service. I do not pay that bill just to provide you with a billboard inside of my house. The number is registered on both the Georgia and Federal Do-Not-Call lists. That means "Leave Me Alone!".
If most traditional advertising is somewhat annoying, internet advertising can be downright hostile.
The following was written by Chris Pirillo of Lockergnome nearly three years ago in his newsletter. It was a great rant then and it still is now.
Thanks to Chris for allowing this article to be reprinted here.
*********
I should have spent most of my afternoon in the hospital. It all started when I went to the grocery store to pick up some low-carb bread (which is really tasty, although it doesn't have much of a shelf life). As I was walking down the soup aisle, a can of tomato soup flew off of the shelf and beaned me in the side of the face. As blood started trickling down my cheek and onto my lips, I was able to read the label on the container (which was rolling around on the floor): "Save money if you buy me today!" Fair enough. I kicked it to the side and continued on my journey.
By the time I reached the fruit aisle, the bleeding had stopped. I started to search for some spaghetti squash (another low carb treat) when I found myself sailing backwards onto the cold, hard floor. A stupid cantaloupe had rolled 'neath my boot. It, too, had a sticker on its shell: "Buy me and get another one free!" I didn't ask for the cantaloupe, so I pushed it away and headed to the checkout counter. I'll never shop there again, I swear.
Things really started to get interesting on my way home. I was no less than twenty feet away from the store when a huge freakin' billboard came crashing into my windshield. I wasn't sure what was going on until I was able to make out the large lettering: "Learn how to drive carefully by taking this course."
Ah, fair enough - it had my best interests in mind. I wish more signs would bother to be as invasive. The damage to my car was minimal, but I was still quite shaken (not stirred in the slightest).
Trying to conserve energy, I rolled down the window and let the breeze pass through my vehicle. Someone was grilling out tonight - I could smell the charcoal. Steak started to sound good, so I found myself turning around and heading back to the store.
That's when a t-bone flew in through the other window and landed on my lap. I was able to brush it off quickly, but now I have this horrible stain on my pants that I won't be able to get out - even if I send it through the washer a few times.
In a blink, I was back in the same place that had abused me just ten minutes before. The store's name? The Internet.
Web marketers and advertisers who think they're actually getting better results with their intrusive tactics are deluding themselves, destroying the vehicles which could potentially bring them an audience, and generally making life not worth living online. I used to be dead-set against any type of advertisement blocker, but I'm having to reconsider that position.
I understand supporting yourself with sponsors is sometimes a necessity - that's how Lockergnome keeps rolling along. But the day you see a pop-up or pop-under on our site is the day I quit. GnomeTomes have been keeping our head above water during these tougher times, but we still won't crack and force you to fall victim to one of the most heinous business practices of our time. Unsolicited e-mail is just as bad, and if that doesn't stop soon, then opting in to anybody's Inbox will become the norm - not just for newsletters.
What I can't understand is why it's still happening? I shouldn't have to carry a shield with me if I'm just walking down the street. This isn't supposed to be a battle. This isn't supposed to be annoying.
I'm working on a dummy invoice which I'm going to mail to every Internet company who refuses to play by MY rules. They'll get charged $100 per incident; all checks are payable to ME. If more people did this, perhaps they'd get the picture?
Yours Digitally,
Chris Pirillo
I have started a project which I am sure will cause some controversy. While writing the Dell story above, I needed to find a web page that adequately defined the term "foistware". I looked and I looked and I looked and I never found a page that defined it correctly or that didn't also contain numerous other definitions. So I wrote one myself and linked to that instead.
After defining "foistware" very carefully, I asked myself "why stop there?". So I decided that I would write definitions for the various other terms used to describe malicious software. I call it my "Jargon Database".
Someone needs to do this. People use a large number of terms to describe various sorts of malicious software. Some of them are made up on the spot, such as "annoyanceware" or "sneakware". Some are used incorrectly, such as when people point to a browser hijacker and call it "spyware". In many cases, that causes trouble when a piece of adware is referred to as "spyware" and legal threats are thrown around.
I say it will cause controversy because many people are going to disagree with my definitions. For example, some people believe any software that is installed without disclosure should be called "spyware", even if the software does not monitor the user in any way. That is not my definition of "spyware". In my definitions, I will show where I believe it is proper to use the term and where it is not proper.
There is an obvious risk in doing this. The makers of certain adware or browser hijackers might take my definitions, point to the fact their software does not meet the definition of a certain term and use that in legal threats or even lawsuits against other web sites. Something similar has happened before with things I have written.
In an effort to prevent antispyware web sites or vendors from being threatened by a company pointing to my definitions, each definition features a prominent "Copyright and Terms of Use" notice. The TOS for each definition specifically forbids one party from using it to threaten another.
I don't know if the notice will hold water in court but it might scare off anyone who considers doing it. Any adware company referring to my definitions in a "cease and desist" letter will find themselves on the wrong side of a "C&D" and, possibly, a DMCA "take down" notice. If you ever notice that my definitions are being used in such a way, be sure to let me know.
At the moment, only two words are defined. I will continue to expand this database over time. I also will be cross-referencing each definition so that when I mention a word that I have defined already, it will link to that definition. Most likely I will wait until I have that Wordpress section of the site out of "beta" and running on the main site before I do any cross-referencing.
SpywareInfo has a new(ish) feature, listing news headlines relevant to spyware, privacy and safely using the computer. There is a saying that "all politics are local". It seems that this also applies to the internet. It is a close community in that problems can spread from anywhere. If you see a local story that you think deserves attention, please let us know. Use this mail form, tell us some details and we will follow the story.
This Spywareinfo News Section is updated every day - and several times during the day. It is a section of Spywareinfo that we hope will keep you informed on a daily basis - and keep your internet time a bit safer. Go have a look.
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners.
® All rights reserved.