Adware Makers Threaten Critics

Adware makers threaten critics

February 24, 2005

By Brian Livingston

It's bad enough that adware, which can have negative effects on our PCs, has already infected an astonishing number of machines — 80% in one U.S. study. Now, on top of everything else, adware makers are pressuring anti-adware advocates to stop listing their programs as candidates for removal.

In the newest development, iDownload.com has sent cease-and-desist letters to several anti-adware sites. Some of the Webmasters I've spoken with say they received the letters on Feb. 15 or 16. Sites that have confirmed to me that they've received the letters include Castle Cops, Spyware Warrior, Spyware Guide, and Sunbelt Software, the maker of the CounterSpy adware removal program.

The letters, copies of which have been sent to me by some of the recipients, object to the descriptions of iSearch on these sites and demand that the references be removed.

One iDownload letter, from attorney Mark D. Hopkins, a partner in the Austin, Texas, office of Savrick Schumann Johnson McGarr Kaminsky & Shirley, says in part:

"Specifically, a recent review of materials disseminated by your company, via the Internet, revealed that your company is falsely disparaging iDowload's [sic] product, iSearch...

"As we all know, Malware is a phrase within the public conscience [He means 'consciousness.' —Ed.] that has a specific meaning. ....

"Continuing, unlike Malware, iSearch does not gather any personally identifiable information about end users, does not collect data about the user's web usage, does not collect any information entered into web forms, does not share information with third parties, does not send or cause to be sent unsolicited e-mail, and does not install items such as dialers on the end user's computer. ...

"To the extent you fail to remedy your improper disparagement of the iDownload brand on or before February 15, 2005, we will take all necessary action against your company to protect iDownload from your continuing tortuous conduct [He means 'tortious' or injurious conduct. —Ed.]."

Why adware is bad

At this point in our story, I'd like to stop for a moment. Let's be clear why I prefer to use the term "adware," not "spyware," for the class of products we're talking about.

As I wrote in the Jan. 27 newsletter, adware doesn't need to "phone home" in order to slow down a PC, conflict with other software, or pose security risks. For this reason, I believe it's pointless to try to divide adware into subcategories, such as "malware" and "spyware."

I define adware as: A secondary computer program (1) that is installed as a result of a person using a primary, sought-out program or Web site, or the Internet in general, and (2) that generates revenue or other benefits for the promoter of the secondary program.

It's the "revenue or other benefits" part that causes problems for PC users. A secondary program — one that users didn't seek out — can only generate benefits for its promoter if the secondary program becomes installed. Such programs, therefore, have no financial incentive to tell users about potential downsides.

These programs have a powerful financial incentive to disclose only possible benefits — or to not say anything at all before installing — in order to run on as many machines as possible. Such programs, therefore, can never be said to have gained fully informed consent from computer users.

Please note that the above definition of adware doesn't cover a legitimate category of programs: "ad-supported software." This includes the free Opera browser, which displays ads within its window, or Google ads, which are also displayed within the primary window. Only when such ads become divorced from the primary program is there a breakdown of responsibility. This disconnect leads to a high potential for PC users' machines to be slowed down or exposed to other risks.

If I thought "spyware" was a meaningful term, I'd use it regardless of any legal threats. But it's a vague and imprecise term, and I urge the computer industry to abandon it.

Cease-and-desist as a software feature

Having said that, I strongly defend the right of anyone to call a computer program "crapware" or any other term that may be the writer's own personal opinion.

My own investigation of the situation reveals that some people who received letters from iDownload haven't written anything that could remotely be considered defamatory.

Suzi Turner, the owner and Webmaster of Spyware Warrior, said in a telephone interview that one of her sites that received a cease-and-desist letter, NetRN.net, had never even written an article about the iSearch Toolbar before now.

A search of her site that I conducted using the Google index confirmed this. Turner has periodically reprinted in her postings an updated listing of software programs identified by Ad-Aware, a well-known anti-adware utility from Lavasoft. Over several months, the words "iSearch Toolbar" were included a few times in these lists. But Turner herself had never even written as much as a complete sentence about the software.

iDownload's CEO responds

The iDownload.com site provided me with conflicting information about iSearch when I inquired. The company, which is based in New York City, doesn't publish a telephone number on its site. I submitted the following question, therefore, to iDownload's Live Help service: "Letters regarding the iSearch Toolbar?"

This cryptic query was apparently enough to trigger a standard response. Within a few moments, a tech identified as Mark provided the following reply in the Live Help window:

"iSearch is its own independent company that markets many affiliate programs. I believe they have removal instructions and an automatic removal tool on their FAQ page at isearch.com. I don't know any other info about their company or software."

He quickly terminated the Live Help session after sending this message.

Mark's statement obviously conflicted with attorney Hopkins' letters, in which he stated that iSearch was "iDownload's software product." So I sent an overnight letter to iDownload's headquarters, requesting a telephone interview.

When iDownload's CEO, Arlo Gilbert, called me, I asked which companies had received a cease-and-desist letter from iDownload's attorney. "It would not be in our best interest to share that list," Gilbert said.

He did assert that the letter was having the desired effect. "The majority of sites we've contacted have taken down or properly classified iSearch," Gilbert stated.

When asked to name some of the sites that had complied, Gilbert answered, "I'm not going to share that information. It would be shooting a gift horse in the mouth."

Gilbert added, "The people who are profiting off this information and have not reclassified the information will be sued." When asked for the names of some companies that iDownload has filed suits against, Gilbert said, "We're not going to reveal it," but added that the suits were a matter of public record that could be looked up.

Two telephone messages seeking the names of the companies being sued were left with Mark Hopkins' office, including one left with an assistant. These calls were not returned within two days' time.

Expert opinions on iSearch

The iSearch Toolbar has received a lot of interest from experts on adware, who have a lot to say about it and iDownload.

Eric Howes, a noted anti-adware program tester (see the Jan. 27 newsletter), has written extensively about iDownload in the DSLReports forum. In a Feb. 21 posting, Howes says iDownload last year distributed an add-in program known as the HotSearchBar. This program displayed a dialog box, according to Howes, that represented itself as "Required: Media Player Version 9 Browser Update." A screen shot of this dialog box, provided by Howes, is shown below:

According to Howes, clicking Yes did not install a Media Player upgrade but instead loaded HotSearchBar. Many PC users would be likely to click Yes when presented with such a dialog box, because media files often require updated codecs or Media Player versions. The fact that the signature of the program was "verified" by Thawte, a certificate authority, provided additional assurance to users.

Regarding the iSearch Toolbar specifically, Howes points to an analysis by Andrew Clover at his Doxdesk.com anti-adware site. Clover states in that analysis that iSearch is a variant of Pugi, which he calls "a family of customised toolbars/browser hijackers." He adds, "Pugi/iSearch is installed by ActiveX drive-by-downloads triggered by Windows Media DRM licensing... and also through exploitation of IE security holes."

Additionally, Symantec's Security Response database lists the iSearch Toolbar. It says of iSearch, "It is a search hijacker and also tracks user activity on a remote server at isearch.com."

Finally, PC users should take note of the End User License Agreement posted by iSearch at Toolbar.iSearch.com/terms.html. In addition to agreeing to numerous other conditions merely by installing iSearch, you agree that the program may "without any further prior notice to you... install software from iSearch affiliates; and install Third Party Software."

When you install adware, you never know what you're really going to get.

Anti-adware apps reverse course on WhenU

This one cease-and-desist outbreak might not be so important if it weren't for the fact that a few anti-adware programs mysteriously removed some other adware programs from their detection lists recently.

Ad-Aware and Pest Patrol, an anti-adware program from Computer Associates, raised security experts' hackles this month when the two utilities quietly delisted WhenU software. WhenU distributes, among other things, Save.exe, which PC PitStop and other rating systems report to be adware.

Eric Howes reports that WhenU was inexplicably missing from Ad-Aware's Feb. 5 update file. According to Howes, Pest Patrol also stopped identifying WhenU around the same time. Both companies, furthermore, stopped listing WhenU in their online databases of adware.

As if this didn't anger security experts enough, the two anti-adware companies said nothing about the changes in their regular user notifications of additions and deletions to their databases. Howes says users received no notice of the shifts, causing all sorts of suspicions to fly.

In a statement on a Lavasoft forum, employee Chris Fry confirmed on Feb. 15, "WhenU was indeed removed from our database by research in the last definition file. This was due to WhenU not scoring more than 2 TAC points at the time. In case it turns out that the removal was incorrect, WhenU will naturally be reintroduced to the database."

"TAC points" are behaviors listed in Lavasoft's so-called Threat Assessment Chart. The company considers a program that exhibits three or more of these behaviors to be a risk to PC users and eligible to be removed by Ad-Aware.

Surprisingly, an adware program can both display ads as its primary function (gaining one TAC point) and have no apparent way to uninstall it (another point) and still fall below Ad-Aware's three-point threshold. In my opinion, any one "TAC point" should be enough to empower a PC user to remove such a program.

The uproar among Ad-Aware users over the change grew so furious that Lavasoft has been forced to post a separate uninstaller for WhenU. Michael Wood, a Lavasoft forum administrator, has also announced that the company is going to re-evaluate its entire threat-assessment scoring system.

For its part, PestPatrol restored seven variants of WhenU software, including Save.exe, to its detection database on Feb. 17, according to the company's New and Improved Detections page. (This page may soon be updated, making the listing for update 05021721 inaccessible, when the next Pest Patrol update comes out.)

All this activity is enough to make your head spin. What's obvious is that there's big money at stake now for companies who think it's fine to install software on users' PCs to display ads. The anti-adware battles are only beginning.

To send us more information about adware, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You'll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.