
SpyStopper: an anti-spyware's dirty little secret.


IZON

SpyStopper: one anti-spyware's dirty little secret.

Last night (26.06.04), by fluke I discovered that an anti-spyware application which I had paid for, registered and been using for the last 12 months had been committing the most heinous act of treachery against my beloved rig.

The culprit, a little known application that masquerades as an anti-spyware blocker, is called SpyStopper. If I'm correct, it's been surreptitiously installing three CWS (Cool Web Search) trojans each time my rig boots (or each time the application is activated). To understand just how notorious CWS trojans are, allow me to quote the author of the only effective defense against CWS intrusions; Merijn, who also wrote amongst other applications HijackThis and the widely respected CWShredder application:



There is one particularly bad piece of spyware that has been grouped into a family known as "coolwebsearch". CWS is an extremely well written, extremely hard to kill piece of spyware. It is so "hooked" into the system that until CWShredder came around, some people wrote it off as impossible to remove without breaking Windows.

Here's a quote from InfoWorks Technology Company website, the makers of SpyStopper:

Hackers, advertisers, and corporations may use Web bugs, spyware, adware, cookies, worms, advertisements, scripts, and other intrusive devices to gain access to your information and invade your privacy. SpyStopper is designed to block those devices that are used to track and profile you.

I've been running CWShredder for almost as long as I've been running SpyStopper, until last night I couldn't work out why the CWS trojans kept returning. I didn't know why the updater for CWShredder always went dead when other on line updaters worked perfectly fine.

During a version update of SpyStopper, I deactivated the old version and forgot to reinstall the new one. I was off line, so I ran CWShredder purely out of habit. I noticed CWShredder was running much faster than usual and it kept telling me my rig was CWS trojan free. I also noted that SpyStopper wasn't installed. That's when I went back on line and tried the CWShredder updater and it worked (for the first time ever!). I then reinstalled the updated version of SpyStopper v3.0 and to my amazement the CWS trojans had returned, while the CWShredder updater went dead again. (v3.0 now contains three CWS trojans, as opposed to the one contained in v2.75).

I know this is a pretty serious accusation so before I land myself in legal chicken soup with InfoWorks Technology Company, I am going to ask as many of you as possible to confirm or dismiss this discovery by participating in a little experimentation.

First off, go to the InfoWorks Technology Company site and download their 15 day evaluation trial of SpyStopper v3.0. Then surf over to Spywareinfo.com, scroll down to the fourth box and download Merijn's CWShredder (the latest version is v1.59). Whilst you're over there, take the time to read up about CWShredder and the CWS trojans if you're not already familiar with them.

Now here's the part where you need to be diligent. Before you install SpyStopper, run CWShredder to ensure there are no other CWS trojans already residing on your rig (CWS is prolific with more than 40 known variants, so don't be surprised if you find at least one). Once CWShredder has done its sweep, install SpyStopper and run CWShredder again. If my suspicions are correct, you will find CWShredder will flag up three variants of CWS trojans as a result of running SpyStopper:

- CWS.Svchost32
- CWS.Smartsearch
- CWS.Jksearch

Deactivate SpyStopper & run CWShredder, you'll notice all three trojans have vanished. Reactivate SpyStopper, run CWShredder again..., and the trojans are back.

At this point I have to raise my hand and confess that I don't know if the trojans are already on my rig and are being 'triggered' inadvertently by SpyStopper's activation, which seems far fetched, but this is where I need your help (I deactivated SpyStopper from launching at boot and got a clean sweep from CWShredder every time).

It's amusing and deeply ironic that InfoWorks Technology Company see fit to ensure the trojans only run when their 'anti-spyware' programme is running, nonetheless it casts a dubious shadow over all the applications they are selling. To add, each time SpyStopper boots, ZoneAlarm flags up an attempt by SpyStopper to establish itself as a server, this reinforces my suspicion that this application is doing much more than it 'says on the box', or the license agreement for that matter; I found this nestling in the agreement:


This software [the SpyStopper app?], and all accompanying files, data and materials [the trojans?], are distributed "AS IS" and with no warranties of any kind, whether express or implied. The user must assume the entire risk of using the program. This disclaimer of warranty constitutes an essential part of the agreement.

'All accompanying files, data and materials' could mean just about anything. It might absolve InfoWorks Technology Company from a legal standpoint, but it won't protect their reputation or their sales if they are genuinely bundling notorious CWS trojans with their so called 'anti-spyware' applications. I can't think of a better way to insult your customers and take their money at the same time.

However, in defense of SpyStopper, the application 'does exactly what it says on the box' in a manner of speaking, it does 'block spyware, web bugs, worms, cookies, and other intrusive devices'. I've seen the number of ads and pop-ups virtually vanish, it works by using the 127.0.0.1 localhost loop-back trick by placing its own host file in the C:/WINDOWS folder. But in return, I believe, it holds an unforgivable secret which seriously undermines its claim to be a valid tool for spyware prevention.


Many thanks in advance for your participation, please post back and let me know your results.

EDIT:
In the 48 hours since I became aware of this issue, I've uncovered a rogues' gallery of pseudo anti-spyware applications. Be prepared to be dismayed, you might find your favourite anti-spy apps listed there too. I've also learnt that another paid for application I'm using (SpyBlocs) is listed in this hall of shame. It's been a very rude awakening, now we must choose our anti-spyware application with the same care that we surf the web and download applications.

It feels like I've almost come full circle with this matter, it's now obvious that my issue with SpyStopper was just the tip of a growing iceberg. At this point my main concern is to alert those magazines and sites that are still promoting SpyStopper as safe and to force InfoWorks Technology Company to remove any promotional references to magazines from their site. I've already alerted MicroMart and I urge you to do the same wherever you come across a site that is unwittingly showering this Trojan application with undeserved ratings. Don't be taken in by the spiel or spin, if it's an anti-spy app that you haven't heard of (no matter how good or professional the website looks) don't load it until you are sure it's been vetted, and be aware that some rave magazine & site reviews are not a guarantee of an application's legitimacy. My only advice is to stick with those anti-spy apps that have earned their reputations as safe. The following article was taken from the SpyWarrior forums:


Spyware cures may cause more harm than good

By John Borland
CNET

Web surfers battling "spyware" face a new problem: so-called spyware-killing programs that install the same kind of unwanted advertising software they promise to erase.

Millions of computers have been hit in recent years by ads and PC-monitoring software that comes bundled with popular free downloads, notably music-swapping programs. The problem has attracted dozens of companies seeking to profit by promising to root out the offending software. But some software makers are exploiting the situation, critics allege, turning demand for antispyware software into a launch pad for new spyware attacks.

A small army of angry Web users has set up a network of websites where they post reports of antispyware programs said to prey on consumers by installing offending files. Some of these charges could get a hearing soon, as public-interest group The Center for Democracy & Technology plans to file complaints with the U.S. Federal Trade Commission against specific companies.

"If people feel as though their privacy has been violated by a company that claims to be protecting them, that clearly is an unfair and deceptive practice," said Ari Schwartz, an associate director of Washington-based CDT. "You would think that an antispyware company would hold itself up to the highest standards."

The boom in spyware, adware and other PC hijackers has led to increasing calls for regulation from lawmakers, including presidential candidate Sen. John Edwards, D-N.C., and from public-interest groups.

Many software makers have turned to advertising as a way to make money from consumers who are reluctant to purchase programs. The same approach has been taken by some antispyware companies, even though they promise that their products will root out unwanted advertising from others. But the failure of some to disclose their practices has raised the greatest outcry.

Like viruses, adware and spyware programs can sneak into a user's computer hard drive with little or no warning and can hide their tracks in ways that make it difficult for even the most sophisticated computer users to find and permanently delete.


As adware and spyware have spread, demand for applications that clean up infected hard drives has grown, drawing a large group of competitors eager to profit. More than 50 programs claiming to erase adware and spyware are available on-line, and many of these are offered as free downloads. Several major Internet service providers, including EarthLink and America On-line, have also moved to provide spyware-removal applications to their subscribers.

But as these programs proliferate, some software makers face mounting criticism that their products install the very things they promise to defend against. Some antispyware companies have pointed fingers at rivals and have added competing programs to their list of applications that contain adware or spyware. These lists are used to identify and sweep out offending software during antispyware scans.

One such tool facing allegations of abuse is SpyBan, an antispyware program that has been downloaded some 44,000 times in the last four months, according to Download.com, a software download site owned by CNET Networks. Download.com removed the software this week, noting that SpyBan had failed to disclose and explain all the software components included in its installation, a violation of the website's policies.

Numerous competing antispyware companies, including Spybot-Search & Destroy parent PepiMK Software and Sweden-based Kephyr.com, have identified SpyBan as a potential source of unwanted spyware — notably a program listed by many spyware cleaners as Look2Me. Download.com had also independently warned that Look2Me might be installed along with SpyBan.

"I classified SpyBan as a Trojan Horse, since it gives the impression that it will protect your privacy, but does the opposite — installs spyware," alleged Kephyr's Roger Karlsson in an e-mail interview.

A CNET test of SpyBan on Jan. 29 found that the software did remove some adware components but also confirmed that it led to the installation of a file that Spybot and security firm Symantec identified as Look2Me. Symantec lists Look2Me as a spyware application, while its rival PestPatrol defines the same application as an adware program.

"Look2Me is a spyware program that monitors visited websites and submits the logged information to a server," Symantec reports on its website. According to PestPatrol, Look2Me is categorized as "software that brings ads to your computer. Such ads may or may not be targeted."

Information and links on SpyBan's website disappeared late on Monday, following inquiries from a CNET reporter. An e-mail to a generic "info" address at the SpyBan website elicited an initial reply, but the company did not reply to questions about its software.

Prior to going dark, the SpyBan website contained no information about its corporate parent, and the domain name database — Whois — that typically contains contact information for companies contained none for SpyBan.

A Look2Me license agreement found on a cached Google Web page identified Minneapolis-based NicTech Networks as the software's "owners/authors."

A trace of SpyBan.net's Web domain name late on Tuesday showed that the site was hosted at the same Internet address as NicTech Networks. The SpyBan e-mail also originated from that IP address. Repeated calls to NicTech were not returned.

The effects of spyware and adware programs vary. Some spyware programs run quietly in the background, sometimes capturing what a computer user types or what websites are visited. Some of these applications, which are called keystroke loggers, are so potent that they can record user names and passwords for the most closely guarded websites, including on-line banks.

Far more common are "adware" programs, which can operate unseen in the background. These periodically pop up windows with advertisements, change a Web browser's home page, install unwanted search toolbars or add bookmarks to a browser. Many of these software programs track Web surfers' habits on-line and send the data to their parent companies.

Security experts say it is difficult to keep up with spyware programs, which constantly shift their way of working inside a computer to evade detection and which generally contain many times more programming instructions than an average virus. The confusion is underscored by differences in how security firms describe specific programs.

"I doubt anyone knows precisely what these things do, apart from the authors," PestPatrol researcher Roger Thompson said. "They are really complex. Viruses are easy compared to these things."

There is little doubt that millions of PCs have been infected with spyware and adware programs.

A recent unscientific EarthLink survey gives some indication of the spread of the problems. The company offered its subscribers a free on-line spyware-scanning tool, similar to an antivirus scan program. In the course of 426,500 scans, EarthLink found more than 2 million adware files installed and more than 9 million "adware cookies" — a type of cookie that tracks people's surfing habits.

A few independent antispyware companies, such as Lavasoft's Ad-Aware and Spybot, have been around long enough and have been used by enough people to have gained a reputation as safe.

For the most part, Net experts warn consumers simply to be careful, to make sure that they trust the source of any software they install on their computers and to contact authorities such as the Federal Trade Commission if they think that their privacy has been violated.

"My first advice, if you get spam advertising a piece of software: You should really think twice before downloading that program," the CDT's Mr. Schwartz said.
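The opening post says SpyStopper blocks ads by placing its own hosts file that points hostnames at 127.0.0.1. As an added example (not from the thread or from any tool it discusses), this Python code lists every hostname a hosts file sinks to loopback and reports whether hostnames you still need to reach are among them. The sample file and all hostnames are constructed, and the thread does not establish that the hosts file is what stopped the CWShredder updater.

```python
import ipaddress

# Constructed sample hosts file (NOT SpyStopper's actual file).
SAMPLE_HOSTS = """\
# blocklist installed by a hypothetical ad blocker
127.0.0.1   localhost
127.0.0.1   ads.example.com tracker.example.net   # two names on one line
0.0.0.0     banners.example.org
::1         localhost
127.0.0.1   Updates.Scanner.example
192.0.2.10  intranet.example
not-an-ip   broken.example
"""

# Names that are expected to resolve to loopback and are not "blocked".
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def is_sink(addr):
    """True if addr is a loopback or unspecified (0.0.0.0 / ::) address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed first field: not a usable entry
    return ip.is_loopback or ip.is_unspecified


def sinkholed_hosts(text):
    """Return {hostname: address} for every name mapped to a sink address."""
    sunk = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        fields = line.split()
        if len(fields) < 2 or not is_sink(fields[0]):
            continue
        for name in fields[1:]:  # one line may carry several hostnames
            name = name.lower().rstrip(".")  # hostnames are case-insensitive
            if name not in LOCAL_NAMES:
                sunk.setdefault(name, fields[0])  # first entry wins
    return sunk


def blocked_required(text, required):
    """Return the required hostnames that the hosts file sinks to loopback."""
    sunk = sinkholed_hosts(text)
    wanted = (r.lower().rstrip(".") for r in required)
    return sorted(h for h in wanted if h in sunk)


if __name__ == "__main__":
    for host, addr in sorted(sinkholed_hosts(SAMPLE_HOSTS).items()):
        print(f"{addr:<10} {host}")
    # Hypothetical update server of a scanner you rely on.
    print("blocked but needed:",
          blocked_required(SAMPLE_HOSTS, ["updates.scanner.example"]))
```

To audit a real machine, read the hosts file's text from disk and pass it in place of `SAMPLE_HOSTS`.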
 
I have had customers come in with spy stopper on their computers (I work at a computer repair shop). I always had a suspicion that spy stopper contained spyware but never really went to look for hard evidence. I always uninstalled it if I saw it. It just seemed like one of those shady programs.

Thanks for the info. :clap:
 
I'm game. Downloading now.

Edit:

I can confirm and vouch for the above stated facts. SpyStopper installed 2 CWS trojans, CWS.Svchost32 and CWS.JKsearch each time it ran. It also prevented the CWShredder program from connecting to the internet.

In short: Do NOT Download This Program!

Also, wth is it doing replacing files in C:\Windows\System32??
 
wait a minute, this software costs money? and it's installing a trojan? wtf, I think we need to let more people know. I'll try this out, and I'll put the news on my website. maybe the issue can get more exposure this way. if anyone wants a link, pm me in about a day or so. or now, but you will have to wait.
 
You know, this is lawsuit material. This could put the company out of business for either negligence, or maliciousness towards end users.
 
L337 M33P said:
I'm game. Downloading now.

Edit:

I can confirm and vouch for the above stated facts. SpyStopper installed 2 CWS trojans, CWS.Svchost32 and CWS.JKsearch each time it ran. It also prevented the CWShredder program from connecting to the internet.

In short: Do NOT Download This Program!

Thanks L337 M33P, the more folks we get to confirm the better. I've sent a copy of this post to one of the Editors of Micro Mart Magazine (the Magazine that InfoWorks Technology Company is quoting in its promotional material links).
 
ggo said:
wait a minute, this software costs money? and it's installing a trojan? wtf, I think we need to let more people know. I'll try this out, and I'll put the news on my website. maybe the issue can get more exposure this way. if anyone wants a link, pm me in about a day or so. or now, but you will have to wait.

Thanks ggo, let me know what your findings are.
 
nice detective work. I tested and had the same results. 2 cws trojans found after installing spystopper.

CWS.Svchost32 and CWS.JKsearch

I can see how they could get sued. they are pulling a bait and switch. their program does the exact opposite of what it is advertised to do. I also checked their license agreement before installing and they make no mention of anything regarding this so they didn't cover their *** as far as I can tell.
 
I have been using spystopper for over a year now, ran the tests & got the same results: CWS.JKSEARCH & CWS.SVCHOST32. I bought this program & have recommended it to friends. WHAT A RIPOFF :mad: I will be emailing uk pc mags to see if they will check into it.
 
Ouch, this is very disturbing, especially considering that I went to many websites that did reviews of anti-spyware programs after I saw this thread, and I found that all of them put SpyStopper on their 'approved list'.

You did some very good detective work IZON; it appears that no one who used this program figured out that it was installing CWS on their machines as far as I can tell.
I'll test this program out once I get the chance as well, but I'm pretty sure of what to expect. :rolleyes:

I think a good idea would be to PM SilverSinkSam concerning this as well.

Edit: Also, if you wish, I can start emailing different websites that recommend this program as well concerning this.
 
Wow, it is all starting to make sense now. I went on a week long business trip a while back and when I came back 3 of the computers that I support were screwed up and showing trojans. I don't know why I didn't put it together at the time, guess I was busy and in a hurry.

In any case, when the people I work with screw up their computers, I strip them down completely to their original state which included deleting Spystopper and problem went away.

I am almost to the point now that I am going to knock my co-workers down to user level so they can't botch their systems like this. I did that last year on one of my intern's computers and it was problem free for nearly a year.
 
That's stupid that a company would include a cws trojan. I've had cws and wow that is a pain in the arse! Adaware isn't working good enough for me though, nor is spybot, it's usually programs people make instead of companies that work. Browser hijacks make me grab my winxp disk :p
 
I may be wrong, but don't some programs install dummy files to stop the install of items <viruses spy/adware>?
I know that in Firefox you can insert a "dummy" copy of Netscape to trick sites into believing a pc is running it (Netscape). Also I have run across a virus patch/technique that you install a dummy copy of a virus file. This will thwart offending code from installing. It then detects the code is already running on the machine.
It can be effective, and that might be the route they (Spystopper) have taken to stop the install of the offending or unwanted code. You can write the producer of software and ask if that is their strategy. Well that's my two cents....
 
Enablingwolf said:
I may be wrong, but don't some programs install dummy files to stop the install of items <viruses spy/adware>?
I know that in Firefox you can insert a "dummy" copy of Netscape to trick sites into believing a pc is running it (Netscape). Also I have run across a virus patch/technique that you install a dummy copy of a virus file. This will thwart offending code from installing. It then detects the code is already running on the machine.
It can be effective, and that might be the route they (Spystopper) have taken to stop the install of the offending or unwanted code. You can write the producer of software and ask if that is their strategy. Well that's my two cents....

This is an interesting thought, and something that I had completely forgotten about. It is possible that this program does that, as I've seen others do similar things (Kazaa Lite) and your suggestion of asking the developer about this is a decent idea. However, as IZON could not run the CWShredder Updater with SpyStopper installed, my suspicions are still raised greatly.
 
Another option is to monitor your firewall logs to see if there is any traffic due to the code.
It helps to monitor what is installed on the machine. When in doubt I go to the logs. :D If there is a snafu, I know where it happened, and the culprit. If the thoughts are correct on the silent install, it is a good thing to spread the word.
 
I'm pretty much a newbie in this field but I have some thought/slash/questions.

*Are those trojans actually INSTALLED (into \windir\system ) or is it just a copy of the .exe somewhere in the spystopper folder?
*What's the meaning of "installed" - files extracted from the original .exe or .zip and being launched upon startup, or the thing is triggered to launch by some process, from random location?
*Is the trojan running/taking memory/cpu cycles ?

What of the mentioned can be taken as happening when a program screams "a SWC trojan has been found on your computer!!11!!"

Perhaps clarifying those thoughts may help me and others.
 
Enablingwolf said:
I may be wrong, but don't some programs install dummy files to stop the install of items <viruses spy/adware>?
I know that in Firefox you can insert a "dummy" copy of Netscape to trick sites into believing a pc is running it (Netscape). Also I have run across a virus patch/technique that you install a dummy copy of a virus file. This will thwart offending code from installing. It then detects the code is already running on the machine.
It can be effective, and that might be the route they (Spystopper) have taken to stop the install of the offending or unwanted code. You can write the producer of software and ask if that is their strategy. Well that's my two cents....

Good point, I was not aware this was a possible tactic. Is there a way to test or compare real CWS trojans against dummy CWS trojans? I have my doubts because of the updater issue with CWShredder and the server request by SpyStopper. I'd like to test this but wouldn't know how to go about it, and I'd feel better if it were tested independently rather than flag up the issue for InfoWorks Technology Company to spin (if they are guilty) the issue in their favour.



teezer said:
figured i should link these 2 threads up ~~~ i had this and finally got rid of it

http://www.ocforums.com/showthread....378#post2880378

Looks like the thread starter had a similar problem with a back door opened by another so called anti spyware app. It seems like we're witnessing the emergence of a new and insidious form of trojan wrapped up as anti-spyware. Actually, this is a trojan in the truest sense of the term, because it's one we positively invite into our systems without any preconceived fears about security.



Aslan said:
I'll test this program out once I get the chance as well, but I'm pretty sure of what to expect.

I think a good idea would be to PM SilverSinkSam concerning this as well.

Edit: Also, if you wish, I can start emailing different websites that recommend this program as well concerning this.

Thanks Aslan, the more folks that are aware of this issue the better, please email as many appropriate sites as possible, also flag up the issue concerning teezer's comments. I feel it would be much better to check this independently rather than rely on InfoWorks Technology Company to verify it (because we can all guess what they're going to say).



vento 1 said:
I have been using spystopper for over a year now, ran the tests & got the same results: CWS.JKSEARCH & CWS.SVCHOST32. I bought this program & have recommended it to friends. WHAT A RIPOFF I will be emailing uk pc mags to see if they will check into it.

I've emailed MicroMart (UK) too, seeing as InfoWorks Technology Company have been using them in their promotional links.
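Several posts above ask what the install actually changes on disk (files replaced in C:\Windows\System32, a real trojan versus a dummy file). As an added example, not from the thread or from any tool it mentions, this Python code snapshots a directory by file size and SHA-256 so the scan, install, rescan procedure from the first post yields a list of added, removed and changed files. The file names in the demo are constructed, and a zero-length added file is only a hint of a placeholder, not proof.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file path (relative to root) to (size, sha256 hex digest)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            digest, size = hashlib.sha256(), 0
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
                        size += len(chunk)
            except OSError:
                # Locked or unreadable file: record it without a digest.
                result[rel] = (None, None)
                continue
            result[rel] = (size, digest.hexdigest())
    return result


def diff_snapshots(before, after):
    """Compare two snapshots; a 'changed' file kept its path but not its content."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Simulate an install in a temp directory (constructed file names)."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("kept.dll", b"A"), ("replaced.dll", b"B"),
                           ("gone.dll", b"C")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        before = snapshot(root)  # take this BEFORE installing anything

        # Stand-in for what an installer might do.
        with open(os.path.join(root, "replaced.dll"), "wb") as fh:
            fh.write(b"B-modified")
        os.remove(os.path.join(root, "gone.dll"))
        open(os.path.join(root, "new_empty.dll"), "wb").close()

        after = snapshot(root)  # take this AFTER the install
    return diff_snapshots(before, after), after


if __name__ == "__main__":
    changes, after = demo()
    for kind, paths in changes.items():
        for path in paths:
            print(kind, path, after.get(path))
```

The digest of an added file can be compared with one from an independent scanner or analysis service, which addresses the "real versus dummy" question without relying on the vendor.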
 