Spyware Warrior

Walt Rines laughs at FTC complaint

This is an interesting interview done following the FTC’s complaint against Walt Rines and his company Odysseus Marketing. The journalist states:

Some stories just keep on giving. When I called Walter Rines the other night looking for a quote, he laughed and said, “Oh really,” when I told him the Federal Trade Commission was trying to shut down his Stratham-based Internet business and had accused him of trafficking in spyware.

Later in the article Picklejar is quoted again:

“I wasn’t secretly installing anything,” Rines told me during a phone conversation while he was taking care of his children at home. “I couldn’t have been more conspicuous, and I had nothing to do with spyware.”

Uhh… yeah… right, “Walter” I don’t buy it and I don’t think the FTC or anyone else does either. Here’s comments from a friend who shall remain anonymous, sent to me after reading the article:

Walt is so full of xxxx. He’s been peddling that “I’ve turned over a new leaf” story for years now and it’s getting old. He must be the most clueless person walking the planet. He’s a criminal, always was, always will be. It’s downright ludicrous the way he struts around claiming “those days are behind me”. The fact of the matter is, he made a reputation for himself, now he has to wear it. Nothing he can do or say will earn him the right to be trusted even if he stays legit for the rest of his life. It’s all about making your bed then lying in it.

‘Nuf said.

---

180solutions Changes Faces

Or could that title could have been “Is 180solutions two-faced?” The story broke at CNET:

In an apparent attempt to shed its image as an aggressive adware pusher, 180solutions is alerting PC users whose computers run its ad-serving software and is offering tips on removing it.

The company on Monday started displaying messages on PCs to inform people that the software is installed on their system, 180solutions spokesman Sean Sundwall said. The message explains that the software displays pop-up ads and offers a link to uninstall the software, he said.

Understandably, many folks are skeptical. See the quotes by Ben Edelman and Alex Eckelberry. This is not the first time 180 has attemped to change its image.

The posters at DSLReports.com are not impressed either.

Update: Already the reactions to the 180 story are coming fast and furious. For starters, see Ben Edelman’s newest work What Passes for “Consent” at 180solutions.

This story at the Seattle Post-Intelligencer has some great 180 spin.

In a statement, 180solutions Chief Executive Keith Smith said, “Protecting consumers from bad actors and nefarious distributors is of the utmost importance to 180solutions.”

I suggest Keith Smith read Ben’s piece.

More at Sunbeltblog 180 Proposes, Edelman Disposes

Paperghost initally seemed impressed with 180’s announcement, but then changed his tune when he read Ben’s write up. Ben Edelman chews the program up and spits it out.

I think Wayne Porter got the clincher, though, with his title, 180Solutions: The Surprise Friends in Your Closet

---

Adware on a Downward Spiral?

Marketing Vox News reports that, according to new numbers from Webroot, makes of Spy Sweeper, Claria’s Gain adware was found on 2.2% of consumers’ computers in the first quarter of 2005, down from 2.6% the previous quarter. Overall, adware was down to 64% of computers scanned in the first quarter from 73% the previous quarter. Good news! Let’s hope the downward trend continues.

The most prevalent adware spyware found is—you guessed it – CoolWebSearch, found on 8.2% of scanned computers.

Adwatch also reports that 180Solutions’ 180Search Assistant was down 6% in the first quarter, too.

Speaking of 180solutions, SearchSecurity.com is calling them A wolf in sheep’s clothing.

The company 180Solutions had a huge image problem. Rather than be seen as a legitimate media company, it was labeled a spyware pusher by several security firms. To help clear its reputation, it joined the Consortium of AntiSpyware Technology vendors. But then other COAST members withdrew in protest. The consortium collapsed.

“On the Internet, spyware is as close to a four-letter word as you can get,” said 180Solutions Senior Marketing Director Todd Sawicki. As far as he’s concerned, his company has been victimized by people who hate online advertising and unfairly lump it in with what he considers true spyware. “Spyware is something used to steal information and commit fraud,” he said. “We don’t do that. We’re a media company.”

GMAFB!! Spinmeister Todd Sawicki of 180solutions is full of you-know-what. His company has been victimized—like hell. What about the thousands, tens of thousands, maybe hundreds of thousands of computers his company has victimized?? Sawicki makes me sick. This is not the first time he has whined about being victimized, either. Perhaps we should send him some cheese to go with his wine whine.

In November 26, 2004 article in the LA Times, the whiner said this:

“We’re dealing in a business with a lot of pennies,” and that his industry had been victimized, too.

“We’re not trying to be some company stomping on consumers,” he said, but acknowledged the company had not been careful enough in overseeing the vendors it hired to distribute its programs.

But I digress. (Actually everytime I read something Sawicki says, my blood pressure rises 60 points and I want to slam something with my fist.)

In the SearchSecurity article, the spimeister goes on with more:

“Sawicki defines the bad as programs that hide on your machine and monitor activity specifically to commit fraud. That’s not what 180Solutions is about, he said.

We give content away in exchange for advertising,” he said. “Those who say we’re spyware are the same zealots who freaked out when they saw that first banner ad atop a Web page in the early ‘90s. They hate having to look at any advertisement on the way to getting what they want.”

As far as he’s concerned, “This whole debate has become about whether media companies are legitimate. I see these reports that say 90% of computers are infected with spyware and that’s ridiculous. In my opinion, less than 5% of computers are infected with true spyware. I have a better chance of walking outside and getting hit by a car than getting hit with spyware.”

I guess Sawicki has forgotten about 180solutions being installed through security exploits, deceptive installations and those media files. How convenient.

---

Claria and 180solutions Misleading Installations

Have you ever scanned your computer for spyware and found Claria’s software gator, gain, or dash bar ? Did you wonder how it got there? Spyware expert Ben Edelman has an analysis of Claria’s misleading installation methods. Ben details installations at sites targeted to children and notes the lack of requirements for the user’s age. Earilier this year Ben noted how Claria’s Practices Don’t Meet Its Lawyers Claims. Apparently nothing has changed, at least not for the better.

On April 6, I noted that 180solutions topped the list for most detected malware by one software company. Today, 180 solutions remains number 1 in Emisoft’s list of most detected adware. Just how did 180solutions become number 1? Ben Edelman begins his analysis with this:

180 uses a variety of installation practices to place its advertising software on users’ PCs. For example, 180 has been shown (by me and others [1, 2, 3]) to become installed through security holes, without any notice or consent.

Indeed, I have also documented this behavior by 180 with screenshots and a video.

Ben at the end of each article notes that Claria and 180solutions are able to correct the deficiencies and points exactly how they could do so.

---

COAST Is No More

Anti-spyware group Coast hits an iceberg

The Consortium of Anti-Spyware Technology vendors, or Coast, was founded in 2003 as a nonprofit group of anti-spyware companies to help establish industry-binding guidelines defining spyware and a code of ethics surrounding the distribution of desktop software. But in February, co-founder Webroot Software dissented when, according to its vice president of research, the group sought to reform adware developers by helping them change and become certified Coast members.

Two months later, the group has been dissolved.

“Coast has ceased operations, and this Web site will be taken down permanently on April 15, 2005,” according to a notice posted to the group’s Web site.

Heh! Thank you very much.

---

Oh, what a tangled web we weave…

On Friday CNET reporter John Borland revealed that 180solutions had bought CDT, Inc. of Mont-Royal, Quebec. 180solutions, you’ll recall, has been claiming for some time that it has cleaned up its act. It’s even been crowing about its admission in the now defunct Coalition of Anti-Spyware Technology vendors (COAST). True to form, 180 is spinning its latest acquisition as an opportunity to clean up its distribution channels, which are notorious for stealth-installing 180’s Search Assistant software on users’ computers without notifying them and getting their permission. Spinmeister Todd Sawicki of 180solutions told CNET:

“One of the challenges with the business model in our space, where we work with distributors and affiliates, is that we don’t have as much control as we like,” said Todd Sawicki, director of marketing for 180Solutions. “This will give us more direct control over how our software will be downloaded.”

As readers of this blog will know, I’ve been extremely skeptical of 180’s claims for self-reform. Just last week 180 gave Wayne Porter of XBlock an interview in which they made a number of demonstrably false and misleading claims to Wayne, all of which I pointed out in my own response. So, the question is… will 180’s purchase of CDT, Inc. really make that much of a difference? Will 180 finally clean up its distribution channels?

To answer that question, we need to look at some relevant facts.

Let’s also watch a movie. My movie doesn’t have any big name stars and it certainly won’t break any records at the box office, but I think you’ll find it most interesting nonetheless. Trust me.

What is CDT, Inc.?

First, there’s the matter of CDT, Inc., which itself is notorious for browser hijacking and stealth installs of its BlazeFind, SearchRelevancy, WinAdClient, and WindUpdates software. See Andrew Clover’s excellent write-ups on some of CDT’s software at doxdesk.com:

SearchRelevancy
ISTBar

CDT has been bundling and installing 180’s Search Assistant software for some time, as these several CDT license agreements disclose:

BlazeFind EULA
WinAdClient EULA
WindUpdates EULA

If you look closely at the bottom of the WinAdClient EULA, you’ll notice that 180 has already started re-badging some of CDT’s content.

So, 180solutions has been using CDT, Inc. to distribute its software. But CDT, Inc. has its own network of distributors, which it solicits through its LoudCash & SearchBarCash affiliate programs:

LoudCash
SearchBarCash

As you can see from the above pages, CDT pays webmasters and other software vendors to distribute its software. They are paid either on a “pay-per-install” basis or a “pay-per-impression” basis.

LoudCash has actively recruited porn webmasters to distribute CDT’s software—read these two discussion threads at porn webmaster forums to see CDT’s reps in action:

Need a toolbar sponsor?
New Sponsor!

And because CDT distributes 180’s software, those porn webmasters could very well end up distributing the 180search Assistant. Thus we have the first few layers of the multi-level affiliate/distributor network, which Ari Schwartz of the Center for Democracy & Technology described in his recent testimony before a House sub-committee (Note: the Center for Democracy & Technology has no relationship with CDT, Inc.)

To sum it all up, this is the very kind of distribution arrangement that got 180solutions in trouble in the first place, because these pay-per-install deals effectively incentivize rogue distributors to stealth-install software on users’ PCs so that they can get paid for those installs. The shrieks of users screaming at their broken, adware-infested PCs may be the sound of anguish to most people, but for CDT’s LoudCash adware distributors it’s “The Sound of Money.”

But if that’s the “sound of money,” what does the “sight of money” look like? Grab some pretzels and a few cold ones, because I’m about to show you.

At Home with 180solutions & CDT, Inc.

While looking into CDT, Inc. yesterday following the announcement of its acquisition by 180solutions, I encountered a most curious web site (spazbox.net). I was surfing with the Mozilla 1.7 browser, so I wasn’t that worried about getting hit with spyware or adware. Boy, did I get a surprise.

When I landed on the spazbox.net home page I immediately saw a Sun Java dialog box for a Java applet that the web site was attempting to load:

Since I see Java applets all the time at some of my favorite sites, I don’t worry too much about them. I even see plenty of Java applets that have expired digital certificates, as this one at spazbox.net did. So clicked through the Java applet just as I normally do.

I should have looked more carefully at that Sun Java applet “Warning” box: the applet was from Integrated Search Technologies (IST), a well known adware vendor. Once I clicked through that “Warning” box, a whole load of adware installed without ever even offering to show me a EULA or Privacy Policy. Among the programs installed were ISTBar/XXXToolbar, PowerScan, and SideFind. All of those are programs from Integrated Search Technologies, a company which is often confused with CDT, perhaps because their programs are often installed together.

But there was another program that installed—again, without showing me so much as a EULA or Privacy Policy: the 180search Assistant. What was more surprising, it turned out that the version of the 180search Assistant installed was the new version 6, which was “certified” by COAST and which is supposed to display a notice/disclosure screen (known as the “CBC Force prompt”) to users. In fact, 180solutions has been telling people, such as it did in its interview with Wayne Porter last week, that this “CBC Force prompt” screen should effectively thwart rogue distributors who attempt to stealth install its software. So what happened? Why didn’t I get any warning that the 180search Assistant was being installed?

As I explained in my blog entry from last week 180solutions was caught bypassing its own notice/disclosure screen when it updates old versions of its software. The technical details of how this is being done are, I admit, a bit tedious—it’s all explained in last week’s blog entry, though.

Rather than rehash all the boring technical details, I thought it might be more entertaining to show you how 180’s software is being stealth-installed on PCs without displaying that CBC Force prompt. So, I went back to the spazbox.net site today. This time I took a video of the whole affair. You can download that video here:

Spazbox video

It’s Showtime! 180 Stealth-Installs in Living Color!

When you watch that video, you might be overwhelmed by everything’s that happening—all the boxes that pop up, all the web pages that open, etc. To help you make sense of what you’re seeing, let me explain a few things.

First, most of the boxes that you see are from the firewall I was using on my test PC, Agnitum Outpost. The Outpost firewall pops up warning boxes whenever it detects “hidden processes,” and you’ll see boxes for a few of those. Outpost also warns when a new program on the PC is trying to access the internet, and you’ll see plenty of warnings for those as well, including the 180search Assistant (named simply “Search Assistant”). Outpost also warns when an installed program with access to the internet changes in some way—perhaps as the result of an upgrade. You’ll see a few of those as well, including one for the 180search Assistant, which upgrades itself from 180’s servers about a third of the way through the video.

I should tell you that I specifically used the Outpost firewall so that you could see visible evidence of all the programs running and connecting out to the internet. Most users don’t have firewalls, so they wouldn’t see all the firewall warning boxes that I did. In fact, they wouldn’t see much at all until it was far too late.

Second, let me give you a short summary of the key events in the video, so you can be watching for them.

1. As the video starts I surf to the spazbox.net web site and immediately hit a Sun Java “Warning” box for an applet from Integrated Search Technologies, which I click through. Notice that at no time am I ever told about all the programs to be installed, nor am I ever shown a EULA or Privacy Policy for any of them. There isn’t even a link for me to click to get to a EULA or Privacy Policy.

Most users won’t know what Integrated Search Technologies is, and they won’t understand the business about the expired digital certificate either. They’ll just click through the Java applet prompt as I do in the video, because there’s no indication that anything’s seriously wrong.

2. Very soon thereafter Agnitum Outpost begins warning that new programs are requesting access to the Internet. After a short bit, most of the adware has been installed—most of these newly installed adware programs simply want to grab more data and updates from their controlling servers. The “Search Assistant” from 180solutions is one of those programs requesting access to the internet.

3. After you see the 180search Assistant contact 180solutions’ servers, start watching the system tray (next to the clock in the lower-right hand corner). If you look carefully, you’ll see a new icon appear that looks like this:

That’s the tray icon for the new COAST-certified version 6 of the 180search Assistant, which earlier versions didn’t have. What has happened is that the version of 180search Assistant that was originally installed was version 5. It called out to 180’s servers and requested any updates that were available. 180solutions’ servers responded by updating the installed software to the new version 6. Once the new version 6 was installed, it added its tray icon to the system tray next to the clock.

4. Almost immediately after the tray icon appears, you’ll notice that Outpost warns me that the “Search Assistant” program (sais.exe) has changed. That’s because it has been updated from version 5 to version 6. I approve the change, allowing the new version 6 of the “Search Assistant” to contact 180’s servers and begin downloading data files that the “Search Assistant” uses to display advertising.

So where was this “CBC Force prompt”? I don’t know. It simply didn’t display, even after the COAST-certified 180search Assistant was clearly installed and running on my PC. The force prompt is supposed to look something like this:

In its interview with Wayne Porter last week, 180 showed another version of the “CBC Force prompt”.

So let’s dig a little deeper and see what happened. I looked in the log file (sais.log) that the 180search Assistant keeps in its installation directory. This log file records all key program events as well as the user’s surfing history. Below is what I found in the log file:

Notice that the log file records that the CBC Force prompt checking process was started (“CBC initialize request detected – performing CBC check”). You can also see the results of that “check”: “user has already seen cbc dialog.”

Did you see a “CBC Force prompt” in that installation of the 180search Assistant? No? I certainly didn’t either. So the log file is just plain wrong. It says I saw the “CBC dialog” when in fact I didn’t.

So, let’s dig a little deeper. I checked the Registry and found the Registry flag that Sunbelt describes in its white paper (which was yanked from public view at 180’s insistence.

Notice that the “cbc” Registry value is set to “1,” which means that the user has already seen the “CBC Force prompt.” But, again, I didn’t. I got no notice that 180’s software was installed on my computer, either when the original version 5 installed or when the updated version 6 installed. (And please don’t tell me that the tray icon notified me—I only saw that tray icon because I knew to look for it.)

So, what we have here is a stealth-install of the 180search Assistant that works just like the Sunbelt white paper says it does. A rogue web site stealth-installed an older version of the 180search Assistant on my PC. That version “phoned home” to 180’s servers and updated itself to the new version 6, which is supposed to notify the user that 180’s software is installed. It didn’t because 180’s software set the Registry flag to “1,” falsely indicating that I had seen the “CBC Force prompt” and allowing 180 to go on serving up advertising on a PC where it should never have been installed in the first place.

Call me old fashioned, but that’s just plain sleazy and underhanded. No wonder 180solutions dodged Wayne’s 8th question in its interview last week. In that question Wayne directly and specifically asked whether that “CBC Force prompt” would display when older versions of the “Search Assistant” updated to the new version 6.

And remember: this all is happening over 1 month after Sunbelt told 180 that it had figured out that 180 was bypassing its own notice/disclosure screen. One month after Sunbelt blew the whistle, 180 is still doing it—still bypassing its own notice/disclosure screen, allowing its software to be stealth-installed, and still lying about it.

...when first we practice to deceive.

So what are we to make of all this? Todd Sawicki claims that 180 is serious about cleaning its distribution channels, but how serious can they be if they’re bypassing their own “CBC Force prompt” and telling big fat whoppers to people like Wayne Porter?

When 180 announced its admission into COAST on January 14, it promised that it would “transition to distributing only these COAST reviewed versions of its software within the next 90 days”.

Well, folks, 180’s 90 days are up come this Thursday (14 April). That’s four days away. And still 180’s software is being stealth-installed on people’s PCs. Four days away, and still 180 is bypassing its own notice/disclosure screen when updating older versions of the 180search Assistant. Four days away, and 180 has just bought one of the most notorious hijackers and “pay-per-install” adware distributors in the business.

To top it all off, 180 says that it’s buying CDT, Inc. so that it can clean up its distribution channels. I’m sorry, folks, but that just doesn’t wash. The idea that 180 is cleaning up its distribution channels by acquiring CDT is a bit like believing that a drunk who buys a liquor store is solving his drinking problem because he can just order the store clerks not to sell him any more booze.

You know that won’t work and I know that won’t work, because ultimately it all comes down to willpower. Does 180 have the willpower? I certainly haven’t seen any evidence of it. Maybe 180 thinks they’re fooling people, and maybe they really have managed to fool themselves. But they haven’t fooled anyone else with eyes to see what’s going on.

Addendum

For the installation I reported on above, I visited spazbox.net using Mozilla 1.7. If you visit Spazbox.net with Internet Explorer, however, you’ll encounter a somewhat different installation process. Instead of a Java applet from Integrated Search Technologies, you’ll get hit with an ActiveX installer from CDT, Inc. that’s deceptively labeled in the ActiveX “Security Warning” box as a “Website Access” program from “6247971 Canada Inc.”:

If you click the link for the EULA, though, you’re taken to a CDT EULA at Winadclient.com:

Although this IE-based installation process also installs the 180search Assistant, it installs a much older 5.x version than the Java-based installation process reported above does. Strangely, when that older 5.x version (from August 2004) of the “Search Assistant” updates from 180’s servers, it updates only to a later 5.x version (from October 2004), not to the latest 6.x version. Why it does this is anyone’s guess.

Update: Paperghost has also written about his experience with 180solutions and Java applets.
http://www.vitalsecurity.org/2005/04/180-solutions-playing-with-fireand.html

Update 04-10-05: A few people mentioned it would be good to see the video of the installs from spazbox.net without the firewall alerts. Here’s a second video of the installs with no interference from the firewall.

Spazbox video # 2

On a side note, in case anyone was wondering if you need a software firewall (in addition to a router), the answer is a resounding YES. The reasons should be obvious after watching both videos.

Update on 4-11-05: Many if not most of the install methods summarized here in Ben Edelman’s write up Spyware Installation Methods involve 180solutions and CDT, Inc. On this page Ben specifically focuses on the involvement of 180 and CDT (Blazefind) in this deceptive, substandard installation.

---

Scratch a Lie, Find a Thief

A few days ago I published an interview with Jay Cross, former researcher for the Consortium of Anti-Spyware Technology Vendors, which got into hot water with the anti-spyware community and eventually collapsed after is granted membership to 180solutions. It seems that Jay Cross isn’t the only one giving interviews these days. Wayne Porter just published an interview with 180solutions on his ReveNews blog. Wayne prefaces that interview with some thoughts of his own.

I strongly encourage everyone to read both pieces.

As I noted in an earlier blog entry, we’ve been waiting for 180’s responses to Wayne’s questions. It’s particularly interesting now to get answers to Wayne’s questions because 180 was recently put on the hot seat by Sunbelt Software, which published a white paper on 180’s software and business practices. The white paper was later taken down at 180solutions request.

Now that we have 180’s answers, let’s take a good hard look at them and see how well they reflect what we already know about the reality of 180solutions and how its software behaves.

Before diving in, let me point out that there is already quite a bit of information about 180 that’s readily accessible on the web. Much of this valuable information comes from Ben Edelman, who has written several times on 180solutions:

180solutions Installation Methods and License Agreement

180 Talks a Big Talk, but Doesn’t Deliver

The Effect of 180solutions on Affiliate Commissions and Merchants

Media Files that Spread Spyware

Who Profits from Security Holes?

Ben refuted a number of erroneous or misleading claims made by a 180 representative about its advertising in this discussion last summer at the ABestWeb forum.

Readers should also have a look at Andrew Clover’s detailed write-up at doxdesk.com about nCase

With all the information out there about 180, it doesn’t take a rocket scientist to figure out that the answers that 180 gave to Wayne’s questions are deceptive, evasive, and full of spin. In many cases 180 doesn’t even bother to answer the question that was actually asked. Instead, they go onto some pleasant-sounding PR tangent, probably hoping that no one will notice that they’re not answering the questions. Even when they do answer, their language is so full of meaningless euphemisms and jargon that you practically need a knife to cut through all the B.S.

So, let’s take Wayne’s twelve questions one-by-one and see what we’ve got from 180…

Questions 1 & 2: COAST

Question 1 asks what promises 180 made to COAST to get admitted. 180 responds by making some noises about improving “user notification, consent, and uninstall capabilities” and making “changes to both the application and distribution channel.” That’s fine as far it goes, but they never do provide the specific details of their promises.

In Question 2, though, the heavy spin begins. Wayne asked why 180 is still publicly touting its membership in COAST when that organization collapsed, is no longer in operation, and has no credibility among experts and researchers in the anti-spyware community. 180 simply evades the whole point of the question, neither denying that it continues to brag about its COAST membership, yet never explaining why it’s doing that.

It’s quite clear at this point that 180 has always seen a public relations bonanza in the COAST admission, and has been eagerly flacking that membership ever since, even to other software vendors and advertisers who might not know that COAST collapsed. As Wayne noted in his question, Duane Jeffers reported that 180 was doing this at the “Game Developer’s Conference” in San Francisco just a few weeks ago.

And until very, very recently, 180 had a banner on their web site announcing its admission into COAST (they took it down after Wayne submitted his questions to them). But it gets worse. Apparently 180 was bragging on its COAST membership in November, 2004 to a representative of the “Homepage-Host Group”—that’s a full 2 months BEFORE it was actually actually admitted to COAST.

What’s so funny about that communication with “Homepage-Host Group” is that the 180 rep goes out of his way to distance Zango from the 180search Assistant, pretty much admitting that the 180search Assistant (which is essentially the same application as Zango) is bad news.

As you can see, sometimes its takes a lot to cut through 180’s spin.

Questions 3 & 4: nCase

Question 3 is fairly innocuous: it simply asked 180 to explain what happened to its old nCase software, which operated very similarly to the newer 180search Assistant and Zango Search Assistant.

Question 4, though, is a revealing followup to Question 3. It asks whether 180 notified users with the nCase software on their computers that the software was being upgraded to the 180search Assistant. It also asks how 180 notified those users that the software on their PCs was being upgraded.

The answer to this question is important because a lot of those nCase users might not have been willing users at all. The older nCase software was known to be stealth-installed on users computers, as Ben Edelman noted when he told the Seattle Post-Intelligencer last summer “N-Case is definitely installed without consumers’ informed consent in many or most instances”. Even Todd Sawicki of 180solutions admitted to the same Seattle PI reporter that stealth installs of 180’s nCase software were going on.

[Sawicki] said n-Case could get bundled with other free software programs without the company’s knowledge. And that could lead to the n-Case software fastening to individual’s computers without their knowledge, he said.

If the nCase software was being stealth-installed on people’s PCs, 180 should have at least notified them when it “upgraded” the nCase software to the 180search Assistant. In fact, if 180solutions wanted to be completely ethical, it shouldn’t have even “upgraded” the nCase installs at all – it simply should have abandoned them, knowing that a lot of them could have come from illegal force-installs.

So what did 180 do with those older nCase installs? Did it notify users? 180 pointedly refuses to address the critical questions put to them by Wayne. It simply provides this terse one line response to Wayne’s excellent questions:

We upgraded the users at the same time we introduced the new, easier uninstall process.

In other words, they did NOT notify users—they simply “upgraded” the software on users’ computers without telling them. Why would 180 do that? Oh, maybe, because if 180 told users that annoying advertising software had been installed on their computers behind their backs, the users might get pissed off and remove it? Could that be the reason?

What 180 did with the old nCase installations is most revealing, as we shall see in just a bit, because 180 is currently engaged in very similar shenanigans—“upgrading” older versions of the 180search Assistant to the new “COAST-certified” versions without notifying users, despite trying to give the mistaken impression that it’s doing everything above-board. The leopard never really changes its spots, does it?

Questions 5-8: Stealth-Installs

180’s responses to Question 5-8 are so full of deceptive, misleading B.S., you’d need to write a Ph.D dissertation to fully refute them. I’ll try to keep this simple and straightforward.

In question 5, Wayne asked about the stealth-installs of 180’s software, whether those are still happening, and what 180 is doing to stop them. Instead of answering the questions in a straightforward manner, 180 attempts to give the impression that it is vigorously policing its distributors. It even mentions the “industry-wide distribution monitoring service as in part envisioned by Jay Cross,” which Jay discussed in his interview with me a few days ago. (One question for Jay and 180: why was 180 admitted to COAST before this “monitoring service” was created to actually verify the changes that 180 promised to COAST? Why wasn’t 180’s behavior actually verified before it was admitted to COAST and before 180 started bragging to the world about its admission into COAST?)

What 180 never does, though, is answer the meat of the question: are stealth installs still happening? As anyone in the anti-spyware community can tell you, they are still going on. (Note this comment from yesterday on Sunbelt’s blog.) Sunbelt Software reports that it told 180solutions that those stealth installs are still going on. (I know this from reading the Sunbelt white paper while it was still available from the Sunbelt blog.) So why doesn’t 180solutions admit that? Perhaps because it would cast doubt on the effectiveness of 180’s efforts to police distributors?

180 also tries to give the impression that it is scrupulous in recruiting distributors, but this just isn’t so. As Ben Edelman has reported, 180 has been reckless in soliciting distributors through unsolicited commercial email (UCE, “spam”). Even Todd Sawicki of 180 admitted that 180 isn’t completely familiar with or in control of all the people and web sites distributing its software when he attempted to distance 180 from those rogue distributors and claim 180 wasn’t responsible for their actions. Sawicki told the Los Angeles Times last year that those distributors are “guys in Bermuda, offshore. They’re the online equivalent of spammers”. Just how scrupulous could 180 be in recruiting distributors if this is the result?

Wayne’s question 6 continues asking more about stealth-installs and what 180 is doing to stop rogue distributors. 180 again tries to give the impression of being pro-active in policing its distributors, but there are huge problems with that, as I just noted.

The more important part of 180’s response comes when it claims that users of its new software are always given clear notice before installation. 180 says:

First, we only distribute an installation file whose purpose is to verify a user’s intent to install. Then once that consent has been confirmed through a prompt like the one below, the installer file will call to our servers and download the application. This will solve any going forward issues of old code circulating in various distribution channels as well as allow us to more tightly control our distributors.

Below that response is a screenshot of a “Example Prompt” displayed to users during installation.

For the moment, let’s set aside the question of whether that prompt is always displayed when it should be and look at the actual language of the prompt itself. Let’s see what kind of notice and disclosure that prompt actually provides. It reads:

Easy Messenger lets you combine your AIM, MSN, Yahoo, and ICQ buddies into one convenient IM!

Easy Messenger is powered by 180search Assistant, a program that helps conduct faster, more productive searches and helps keep online entertainment and downloads free and safe. When running, 180search Assistant can be accessed from an icon in your system tray. This program shows you an average of 2-3 keyword-based advertiser web pages daily.

By selecting ‘Finish’ you agree to the Terms and Conditions of the end user license agreement.

Download Easy Messenger for FREE now!

This is not much notice or disclosure. In fact, it’s downright deceptive. “Powered by 180search Assistant” makes it sound like the chat software itself relies on 180search Assistant to actually connect users and allow them to chat. That’s not true—180search Assistant is a separate advertising program, not part of the chat software itself.

In fact, 180 goes out of its way to avoid telling users what they really need to know—namely, that the 180search Assistant is an advertising program that will track their online surfing, transmit that information to 180, and pop up advertising on their desktops. But 180 never says that. Instead it relies on meaningless, misleading euphemisms like “program that helps conduct faster, more productive searches” and “2-3 keyword-based advertiser web pages daily”.

It’s easy to realize that most people simply wouldn’t know what they are agreeing to by clicking through this kind of “prompt.” How could they when 180 doesn’t tell them in plain, straightforward language what they need to know?

I’m also struck by the assertion that 180search Assistant displays only 2-3 ads daily (a claim they repeat later in their answer to question 12). I’ve had 180search Assistant on my test computers—I certainly saw many more ads than that, and I only had it installed for a few hours. Maybe if you don’t surf the web very much that might be true, but if you’re browsing normally, you’re going to get more than 2-3 ads a day.

Question 7 is important, because it returns to the issue of what 180 is doing about existing installations of its software. As I noted earlier, 180 essentially admitted to Wayne that it had “upgraded” the older nCase software on people’s PCs without notifying them, even though many of those people might have gotten the software through illegal stealth-installs. Now the question becomes what is 180 doing with old versions of its 180search Assistant—pre-COAST versions, in other words, that are still being distributed by 180’s distributors.

180 leads off its answer with a claim that I find absolutely blood-boiling:

The notion that many of our users came from improper installs is an urban legend started in the anti-spyware community. Unfortunately there is a fair amount of public hysteria in the press these days about malicious software. The reality is that 80% of so-called spyware are harmless cookies.

I literally screamed when I read that. For the next few hours, this phrase kept going through my mind, “LIAR! LIAR! PANTS ON FIRE!” Now that I’ve calmed down a bit, let me debunk this claim as simply as possible.

Ben Edelman has documented many such stealth installations and describes them on his web pages:

180solutions Installation Methods and License Agreement

180 Talks a Big Talk, but Doesn’t Deliver

Who Profits from Security Holes?

The last page above even includes a video of one stealth-install. In its white paper, Sunbelt reports that it told 180solutions that it had encountered stealth-installs of the 180search Assistant well AFTER 180 asked Sunbelt to review its software and well AFTER 180 had argued that it had cleaned up its act. One of those stealth-installs reported by Sunbelt was through a Windows Media file, an installation method that was reported on back in January:

Adware Installed through WMA Files

WMP Adware: A Case Study in Deception

Media Files that Spread Spyware

I can now report researchers at Spyware Warrior have just documented yet another stealth-install of the 180search Assistant by Wallpapers4u.com, which uses security exploits and deceptive pop-ups to install a boatload of spyware and adware on users’ computers, including the 180search Assistant. This stealth-install was thoroughly documented just yesterday by Webhelper, the watcher who sees and knows all about adware and spyware vendors.

Sorry, 180. Stealth-installs of your software aren’t an “urban legend.” They’re real, they’re happening right NOW, and you know it.

180 goes further in its response to question 7, though, again attempting to give the impression that users are always clearly notified of the presence of 180’s software:

We are currently upgrading all versions of our application to reflect the changes recommended by COAST. If, after the upgrades are made, we find new installs of our older product being distributed we will turn off those applications and pursue the distributor for violation of the Code of Conduct.

180solutions provides toll-free customer support so users can contact us directly with questions and concerns about our software, installation and uninstall methods. 180solutions doesn’t intend to be installed on a computer where we are unwanted, and encourage any user who feels they received our software by mistake to follow uninstall instructions.

180 then offers yet another example screenshot of a prompt window that’s supposed to notify users of the presence of 180’s software.

It would be nice if 180 actually displayed that notice when it’s supposed to—when, say, it’s upgrading older versions of its software that are still being stealth-installed by rogue distributors. But it isn’t, despite the impression 180 is trying to create in this answer to Wayne’s question. As it did with the “upgrades” of nCase to 180search Assistant, 180 is silently updating the software installed on people’s PCs without notifying them.

“But wait!” you ask. “Shouldn’t that notice prompt display when the old 180search Assistant versions update to the new COAST-certified versions from 180’s servers?”

You’re right. That prompt (known technically as the “CBC Force prompt”) should display. But it doesn’t. How is that happening? This is all explained in the Sunbelt white paper, which was yanked at 180’s request. Rather than try to explain this myself, let me quote Alex Eckelberry, who still has a good description on the Sunbelt blog of what’s going on:

Here’s the quick and dirty:

As part of 180’s COAST certification, 180 agreed to a ‘CBC Force Prompt’. This feature is designed to alert users to the installation of 180’s software.

This prompt is shown when a certain registry key is set to ‘0’. If it’s set to ‘1’, there is no prompt.

This is a serious weakness in the 180 installer. It is trivially easy for a rogue affiliate to simply set the value to 1, and the 180 install sails through, with the end-user none the wiser.

However, it appears that 180solutions is itself electing to bypass the ‘CBC Force prompt’ in order to avoid alerting users to the installation of 180’s software, and the implications of this are serious.

Sunbelt observed several installations of older versions of the 180search Assistant in which that software was updated to the latest version. After older versions of the 180search Assistant were ‘stealth-installed’ via a Windows Media Player file and via a Java applet at lyricsdomain.com, that software called out to 180’s servers, and downloaded and installed the latest, COAST-certified version of the 180search Assistant.

This behavior is especially disturbing because many of the installations that 180solutions is silently updating through this method are the possible products of “force-installs” of 180’s software of users’ PCs, where those users received no notice or warning whatsoever of the 180search Assistant.

Instead of alerting users to the presence of 180’s software on their systems, 180 is updating those older software installations and versions to the latest 180search Assistant, allowing 180 to continue deriving economic benefit from those installations, entirely contrary to its publicly stated intention to clean up its distribution channels.

So, rather than display the force prompt when it updates old versions of the 180search Assistant, 180 is NOT displaying the force prompt and not alerting users to the presence of 180’s software on their computers, just as it did when it silently updated the old nCase software to the newer 180search Assistant.

“Is this really still happening?” you ask, incredulous. “Even after Sunbelt alerted 180 that it had found out what 180 was doing?”

The sad answer is yes, it is still happening. The same researchers at Spyware Warrior who documented the stealth-install of 180search Assistant at Wallpapers4u.com report that during that stealth-install, the version of 180search Assistant originally installed is version 5—the pre-COAST version. That old version contacts 180’s servers and downloads and installs the new version 6, which should display the force prompt. But it doesn’t. The version 6 just installs and continues running as before, not alerting users to the installation of 180’s software.

What’s especially damning is how 180 handles Wayne’s question 8, which directly asks whether that force prompt is displayed when old versions of the 180search Assistant are updated to the new COAST-certified version. Wayne asked:

8. There are reports the new 180search Assistant has a prompt screen that displays when the software installs for the first time. But what happens when an older version of the 180search Assistant calls the 180 servers to check for updates? Will those older versions be allowed to update to the new versions? If they are allowed to update, will the new prompt screen display?

You’d think this would be the opportunity for 180 to come clean on just what is happening with that force prompt. But no. 180 completely evades the question, saying only:

See Response to Question 7

But as we just saw, the answer to question 7 doesn’t directly address the issue—it merely tries to give the roundabout, mistaken impression that the force prompt is displayed without ever directly saying it is. That’s a lie by omission. The net effect of these answers is that 180solutions has lied to Wayne, lied to Sunbelt, and lied to the world about what it’s doing with that force prompt.

The leopard hasn’t changed its spots at all. It’s still “upgrading” unwitting “users” of its software, just like it did with the old nCase installations. Only now it’s trying to use those upgrades to give the impression that everything’s kosher when, in fact, everything is not kosher.

Question 9: Advertising & Privacy

At times 180’s answers become so tortured that it’s difficult even to make sense of them. For example, in question 9 Wayne asked about 180’s advertising—which 180 doesn’t like to talk about, preferring instead to talk about helping users “conduct faster, more productive searches” and other such misleading nonsense. 180 responds with this:

All advertisements displayed by 180solutions software are opened in a second browser window and presented as a Web site, rather than an advertisement.

Huh? I defy anyone to make sense of that statement. All advertisements displayed by 180solutions software are not displayed as advertisements? What is 180 trying to say here? That they don’t display advertising? But that’s nonsense. And so is their answer.

180 goes on to claim that its advertising is clearly labeled, when in fact its advertising is almost indistinguishable from normal web browser windows. And, as Ben Edelman pointed out to 180solutions last summer, even the branding in the title bar that does exist may be replaced by other text if the ad page that opens is redirected. See the full discussion at ABestWeb for still more debunking by Ben of false claims made by 180 for its advertising practices.

Strangely, in its answer 180 makes a claim that its own End User License Agreement and Privacy Policy refute. 180 tells Wayne:

There is no profiling and no capture of any browsing history.

That’s just plain false. The 180search Assistant EULA flatly contradicts this statement:

180search Assistant will periodically direct you to our sponsors’ websites. 180search Assistant will collect information about the websites you visit, but will not collect any information that will be used by 180solutions to identify you personally. The information that 180search Assistant collects and transmits to 180solutions will be used to provide you with access to comparative shopping opportunities at times when we consider them most relevant. [...]

5. Display of Advertising. The Software will collect information about you and the websites you visit (“Usage Data”), but will not collect information that will be used to identify you personally. This information will be used to provide you with comparative shopping opportunities when they are most relevant. By installing and/or using the Software you grant permission for 180solutions to periodically display sponsors’ websites to you, and to collect, use and disclose the Usage Data The frequency of the advertisements will vary depending on your use of the Internet. You acknowledge that the Software includes an anonymous user ID and an electronic cookie that enables 180solutions to collect such information and to display advertising targeted to you. A “cookie” is a small amount of data that 180solutions’ servers transfer to your browser and that only 180solutions’ servers can read. You understand that 180solutions does not control your interaction with the web sites and advertisements displayed to you and we assume no responsibility for their content or privacy practices and policies. [...]

8. Collection of Information. 180solutions collects and uses certain information about you from your use of the Software. By installing the Software, you grant permission for 180solutions to collect this information, including the websites you visit while connected to the Internet.

180’s answer to Wayne is also flatly contradicted by its own Privacy Policy:

By installing 180search Assistant, you grant permission for 180solutions to periodically display targeted websites, to collect certain information, including the websites you visit while connected to the Internet, and to use that information as described herein. 180solutions will not use any of the information 180search Assistant collects to identify you personally.

180search Assistant. The 180search Assistant software (“180search Assistant”) is a permission based search assistant application that provides access to a wide range of websites, applications and information. 180search Assistant will periodically direct you to our sponsors’ websites. The information that 180solutions collects under this privacy policy allows 180search Assistant to provide you with content and advertising that is targeted to your interests.

What We Collect. When the 180search Assistant software is actively running on your computer, it generates logs of your web browsing activity, including web pages you have visited and the order in which you visited these pages. These logs are then uploaded to 180solutions’ servers, along with an anonymous user ID assigned to the 180search Assistant software installed on your computer (your “Anonymous User ID”). We use these logs for market research purposes and to allow 180search Assistant to provide you with content specifically targeted to your interests at the time when the content is relevant. 180solutions stores these logs on our servers, for our use. We may aggregate information from these logs and share the aggregate data with third parties. The 180search Assistant software will also put a “cookie” on your machine so that we are able to recognize you and display appropriate targeted websites. A Cookie is a small amount of data that 180solutions’ servers transfer to your browser and that only 180solutions’ servers can read.

The profiling may be anonymous, but it is happening, and the user’s browsing history is certainly being captured and uploaded to 180. Why does 180 lie like this when it has to know that its own EULA and Privacy Policy contradict what it’s trying to tell people?

Questions 10-12: Wrap-up

Rather than go through the rest of 180’s responses, which are mostly PR puffery and blatant nonsense, let me pick out a few claims that are demonstrably false.

In its response to Wayne’s last question, 180 claims:

It’s important to note that 180solutions exceeds all standards either proposed in pending legislation or in enacted laws for downloadable applications/Internet advertising.

Wrong. HR29 (the Spy Act sponsored by Rep. Mary Bono), which was recently sent to the floor of the House and was actually passed on the floor of the House last year, has certain requirements for the notice and disclosure offered by “information collection programs” such as the 180search Assistant. Section 3.c.1.B specifies that programs like 180’s software display a notice during installation:

The notice contains one of the following statements, as applicable, or a substantially similar statement:

(i) With respect to an information collection program described in subsection b.1.A: ‘This program will collect and transmit information about you. Do you accept?.

(ii) With respect to an information collection program described in subsection .b.1.B: ‘This program will collect information about Web pages you access and will use that information to display advertising on your computer. Do you accept?

(iii) With respect to an information collection program that performs the actions described in both subparagraphs (A) and (B) of subsection b.1.: ‘This program will collect and transmit information about you and will collect information about Web pages you access and use that information to display advertising on your computer. Do you accept?

Take a look at 180’s own screenshot of the notice screen for “Easy Messenger”. That notice clearly doesn’t fulfill HR 29’s requirements, because it doesn’t fully disclose all the information it needs to and uses misleading euphemisms (as I discussed earlier). If and when HR 29 does pass the full House and is enacted into law, 180solutions will be out of compliance with the federal law of the land regarding notice and disclosure for installations of spyware and adware programs.

In the same answer 180 also claims:

The company was the first keyword search advertising provider to put an icon on the users desktop and system tray, clearly label each add, list our application in system processes, and make it simple for users to uninstall.

Again, I have to wonder why 180 makes statements that are so easily refuted. 180 is hardly the first contextual advertising company to display a tray icon for its software. Several other contextual advertising companies do this, including Claria/Gator, which has used tray icons for its applications since at least June 2002, when Ben Edelman captured the screenshot on page 1 of this PDF document.

Conclusion

Just what was 180 smoking when it compiled these responses to Wayne’s straightforward questions? Who did it think it was going to deceive?

Sadly, it could very well be that 180 has successfully bamboozled some anti-spyware vendors. In response to question 11, which asked whether 180 was getting removed from anti-spyware detections, 180 claims:

So far a handful has removed the latest versions of our applications.

Oh, really? Who might that be? Inquiring minds want to know! We know it wasn’t Sunbelt. Whoever did remove these newer COAST-certified versions of 180’s software simply got taken to the cleaners, that’s for sure.

One final note: I have relied in part for my information on the Sunbelt white paper, which I downloaded when it was still available from the Sunbelt blog. At 180’s request, Sunbelt has temporarily removed that white paper from its site. Hopefully, Sunbelt will restore that white paper, which includes plenty of information that 180 doesn’t want you to know about. Now that I’ve seen 180’s interview with Wayne Porter, I think I know why.

Update on March 5: Wayne Porter has posted a fascinating interview with the CTO of a large marketing company—about 180solutions and why many companies won’t go near them now.

180solutions An Economic Interview

---

Another View of 180solutions and COAST

Readers may recall I’ve written several times about 180solutions and COAST in the past. I recently received an email from Jay Cross, formerly of the The Internet Privacy Conservation Council (IPCC), which I also wrote about previously. Jay very generously offered an interview regarding 180solutions and their certification process with COAST. I emailed Jay a list of questions, which he answered. Here is the interview:

Q. I’ve wondered what happened to the IPCC. For a long time I had a link on my blog but eventually removed it since the site essentially disappeared It looked like there was a lot of potential. Can you tell me what happened?

Jay. Early on, as indicated by the Wired article, our focus as an organization was on bringing down the creators of the Xupiter spyware. Our own infections with Xupiter sparked our interest in the spyware issue, and we set out to find examples of objectively provable fraud on the part of the software’s authors. We worked with a legal team from St. Louis after compiling substantial research on Xupiter’s creators, including their business relationships and ventures, distribution partners, corporate records, and more. The problem lied in providing examples of fraudulent installations, because ActiveX is sometimes presented to the user and sometimes not presented depending entirely on security settings on indiivdual machines. We had documented proof of faulty uninstallers, bogus WHOIS data, recorded telephone contact with the dummy company in Hungary, and other information but we lacked certain key specifics. When success with legal action was deemed improbable, we shifted our efforts to creating desktop anti-spyware software, which seemed very promising prior to financial constraints putting the brakes on that project.

—> Read more

---

The Sh** Hits the Fan for 180solutions

I’ve written several times about 180solutions, the adware company that essentially was the downfall of COAST (the antispyware consortium).

180solutions recently claimed (pop-up warning for that link) to have changed its practices, but the question is exactly what did they change? I believe we may have the answer now. Today Alex, CEO of Sunbelt Software, posted on their blog the following:

180 Solutions has been trying to become legitimate (see, for example, Wayne Cunningham’s post on his blog). Their joining COAST (the antispyware consortium) was the primary reason COAST recently fell apart.

As a result of 180 Solutions contacting us, we followed up with our usual extensive analysis of their practices. You can see our analysis here.

Their analysis is a PDF document detailing the results of their research on 180solutions.

To facilitate your understanding of the PDF file, note that it actually contains two different documents. The first portion is “Alleged Improvements to 180solutions’ Software” (pp. 1-28 ), which includes screenshots, and the second portion is the actual write-up on 180solutions (pp. 29-55). The second portion was actually written first and is a bit more thorough. Since the first document is based on the second, you’ll see quite a bit of overlap. Also note the second document contains quotes from 180 itself that aren’t included in the first.

If you want to jump to the juicy tidbits, see pp. 9-10, 18-26 in the first paper and pp. 35-36, 45-50 in the second. To see how 180 gets assessed under Sunbelt’s listing criteria, see pp. 50-53. (Sunbelt’s listing criteria link)

I couldn’t even come close to summarizing this unprecedented analysis, so I won’t try. It speaks for itself and, in my opinion, blows all of 180solutions’ claims of having turned to the sunny side of the street right out of the water. 180’s deepest, darkest practices are outlined in detail and in no uncertain terms. The analysis shows their practices are utterly deceptive and cannot be denied. Indeed, I believe their day of reckoning has arrived.

Update 3-15-05: I received notice that the PDF document has been edited and the second portion removed due to the duplicative information.

Update again: Alex has included some additional information in his blog.

---

COAST Crumbles

Pest Patrol has announced that they will withdraw from COAST this week, according to this article from eWEEK’s Ryan Naraine. I find the statements from Sam Curry of CA’s eTrust very troubling, however.

Sam Curry, vice president of product management for CA’s eTrust brand, told eWEEK.com that PestPatrol also would pull out of the consortium, but he pinned the blame for the breakup squarely on the shoulders of Webroot and Aluria.

“I find it odd that 180solutions is the source of the conflict. The goal [of COAST] was to certify vendors that reformed their product. 180solutions went to great pains to make major changes. The new versions of their software conform to scorecards and standards,” Curry said.

“It’s sad that some ill-informed and hasty moves are drawing such attention. COAST really was doing something valuable and getting developers to change their questionable tactics,” he added.

First of all, I think Webroot and Aluria did the right thing. Secondly, I have yet to see evidence that 180solutions has changed their tactics.

And this, from Richard Stiennon, vice president of threat research at Webroot, is the most troubling:

He said Webroot abstained from the vote to include 180solutions and hinted that at least two other adware vendors with questionable installation and tracking techniques are in the queue for COAST membership.

Two more adware companies?? Damn! COAST might as well just die and roll over dead right now. No one, and I mean no one in the anti-spyware community will have any faith in them, (not that anyone does now even). COAST ought to just change their name to “Consortium of Adware & Spyware Traders”. Or “Consortium of Anti-Spyware Traitors”. Take your pick.

Do read the rest of the article where Ben Edelman talks about 180solutions’ business practices and the problems with certification.

---

The Decline of COAST?

I previously wrote about COAST and its history of questionable practices. Today one of the founding members of COAST withdrew from the organization.

Webroot Resigns From Consortium of Anti-Spyware Technology Vendors (COAST)

BOULDER, Colo., Feb. 4 /PRNewswire/—Webroot Software announced today that after careful consideration, the company has decided to withdraw its membership from the Consortium of Anti Spyware Technology Vendors (COAST). The company issued the following statement:

“Webroot has always considered our obligations to our customers as our most important mission as a company. We believe their protection, privacy and peace of mind are paramount and have developed products and supported public policies that reflect that view. Our founding of the Consortium of Anti-Spyware Technology Vendors, or COAST, also reflected that position. Of late, we have become concerned that COAST is moving in a direction with which we cannot agree. We have long championed an open dialog among anti-spyware solutions on standards criteria for defining spyware. However, we are not comfortable with the idea of COAST as a certification body or as a marketing tool for member companies. These concerns required Webroot to re-assess our affiliation with COAST and after careful consideration, Webroot is resigning from COAST, effective immediately. The company will continue to play an active part in public dialogues about these issues, and will continue to participate in alliances and organizations that share our views and goals.”

I can tell you one thing – the anti-spyware community is almost jumping for joy on the news. Wayne Porter of ReveNews started the blog fires burning with his question Could COAST be Toast? I couldn’t top his title, darn it.

Paul at CastleCops is asking questions too. Will COAST Be Eliminated? His write up has a good summary of the problems with COAST and lots of links for reference.

There is a very odd and long history about COAST. COAST was founded by other companies including Aluria Software. Aluria Software last year gave “Spyware Safe” status to WhenU. COAST recently added 180solutions to its membership. And now Webroot has left this organization.

Who is left at COAST now? Here’s the list of members. Aluria Software (remember them and their communion with adware company WhenU?), NoAdware.net, New.Net, WeatherBug and Pest Patrol (now Computer Associates). Of the remaining COAST members, Pest Patrol is the only one that is (still) highly regarded, IMO.

Now people are asking – what will Pest Patrol do? The anti-spyware community is breathlessly awaiting the answer.

OMG - Update – hot off the news wire:

Aluria Announces Departure from Consortium of Anti-Spyware Technology Vendors (COAST)

LAKE MARY , FLA. —(Feb. 4, 2005)

Aluria Software, developer of anti-spyware and security technology, announced it has withdrawn its membership from the Consortium of Anti-Spyware Technology Vendors (COAST).

“As a founding member of COAST, Aluria has consistently tried to move the organization into the direction of defining a clear and comprehensive set of spyware standards and code of ethics by which all software developers should abide,” said Jamie Garrison, chief executive officer of Aluria. “Despite our best efforts, however, COAST was slow moving in setting standards. We have tried, but COAST is no longer a viable organization that fits with our commitment of protecting computer users and developing a high quality response system to the threat of spyware.”

Ok, Pest Patrol!! One more defection and maybe we can pronounce the patient deceased!!

Update again – from CastleCops. Hot on the trails of Webroot, Aluria runs from COAST

Once again – Mike Healan of SpywareInfo predicts:

I don’t think anyone will miss COAST and I don’t imagine that very many will attend the funeral.

DSLReports.com has a good discussion going.

---

180 & COAST

From Wayne Porter of ReveNews: 180 Solutions Round-Up

Wayne has a link fest on the 180solutions and COAST story.

180 Solutions is sort of like a broken tail pipe, leaving behind a trail of smoke and sparks everywhere they travel.

Gotta love that intro.

---

180solutions & COAST- What Are They Really?

In light of 180solutions’ announcement of their COAST membership, many are asking questions. Ben Edelman writes 180 talks big, but…

Ben’s concerns include conflict of commitment, outrageous and unethical installation practices and advertising practices, COAST’s credibility. See Ben’s article for the details on each one. I have personally witnessed 180solutions being downloaded through exploits and afflicted WMA files.

Click images for larger view.

salm.exe is 180’s search assistant executable and, according to WinTasks Process Library,

This process monitors your browsing habits and distributes the data back to the author’s servers for analysis. This also prompts advertising popups. This program is a registered security risk and should be removed immediately.

Andew Clover has details on nCase, which continues to plague many who have no idea how it got on their computers.

Wayne Porter of XBlock is asking To Coast or not To Coast.

Recently I wrote a piece called “Why We Don’t Do Adware” and now I find myself compelled to write again about “Why We Don’t Do COAST”. A few months ago we had the opportunity to join the group but after reading an article by Nicholas Stark, from LavaSoft and after reviewing the conduct of some of the members we decided to take a pass. It pained us to do so because we feel that the grass roots security movement really needs a collaborative organization sans dues to get together to discuss the complicated trends occurring in the malware space.

Wayne discusses COAST and its so-called code of ethics. This is an outstanding article and a must read if you are at all concerned about this sorry state of affairs.

---

New Outrage: Spyware/Adware Company Joins COAST

I just about came unglued when I read this article.

180solutions Joins Consortium of Anti-Spyware Technology Vendors

BELLEVUE, Wash., Jan. 14 /PRNewswire/—180solutions, a provider of search marketing solutions, today announced it has become a developer member of the Consortium of Anti-Spyware Technology vendors (COAST).

COAST (http://www.coast-info.org/) is a non-profit organization comprised of anti-spyware vendors, software developers and researchers who have come together in an effort to educate and protect consumers and businesses from the Internet’s burgeoning spyware problem. By working with COAST and complying with its strict Code of Ethics, standards and guidelines, 180solutions aligns itself with the organization’s governing companies, Aluria Software LLC, PestPatrol, Inc. (recently acquired by Computer Associates), Webroot, Inc., and NoAdware.net.

WTF is COAST thinking??? I don’t get it, I really don’t. 180solutions is one of the most notorious and obnoxious adware/spyware companies out there. Read about nCase, installation problems, installation through security holes, with no EULA or prompts to install, difficulty with uninstalling, recruiting affiliates to bundle the software for payoffs per installation and recruiting advertisers by spam. (most links via Ben Edelman)

I have a question for Pest Patrol, (Computer Associates), Webroot Software (makers of Spy Sweeper), both highly regarded anti-spyware programs and recommended by Spyware Warrior’s Eric Howes. How can you justify admitting 180solutions into COAST when your very own software targets and removes it?

CastleCops is asking questions too. “Have they (180solutions) cleaned up their act?” “Is COAST creating a double standard?”

Something is VERY wrong with this picture.

---

Questions for Sanford Wallace

There are dozens of news articles on the web now about the FTC’s complaint against Spy Wiper, Spy Deleter and Sanford Wallace. A couple of stories from New Hamphire newspaper and TV sites caught my eye because of Sanford’s statements.

Man accused of infecting computers with “spyware” says he’s innocent

ROCHESTER, N.H. – A man accused of infecting computers with intrusive “spyware” and then trying to sell people the solution has denied any wrongdoing.

Wallace, of Barrington, told Foster’s Daily Democrat on Friday that had done nothing wrong and was being painted as the “poster boy” for new Internet spyware laws.

“We plan to defend ourselves,” he said in a phone interview from Las Vegas. “This is not a criminal charge, this is a civil complaint. The only thing they are accusing me of is unfair business practices,” Wallace said.

He started SmartBot, which he described as permission-based system where marketers and consumers would agree to be sent spam e-mail, similar to the check boxes found on most online registration pages. Wallace told Foster’s that SmartBot, although still in existence today, is not active, following the “dot-com” crash of 2000.

“We really haven’t done much business at all,” he said.

(Emphasis mine.)

N.H. Man Denies Involvement In Spyware Scam

The FTC on Wednesday filed a civil complaint in U.S. District Court in Concord against Wallace and two companies, SmartBot.net Inc., of Richboro, Pa., and Rochester-based Seismic Entertainment Productions, Inc. SmartBot’s principal business base is in Barrington.

Wallace clarified the functions of SmartBot and Seismic Entertainment. He said SmartBot offered business-to-business “permission-based” e-mail services like those offered on Web sites with online registration services, while Seismic operated a defunct Rochester night club, Plum Crazy. He said marketers and consumers would agree to be sent e-mail through SmartBot’s service.

Wallace said neither company is actively engaged in business now. Seismic filed for Chapter 7 bankruptcy protection this week. Records show Seismic had 54 creditors at the time of the filing. Wallace said he never operated his Internet business from the Rochester nightclub, but believes it’s being targeted for having some domain names registered to it some time ago.

Wallace said SmartBot has long been dormant.

“It’s still technically in business. It hasn’t been active for several years,” he said.

(emphasis mine)

On my spyware removal forum with the same name as this blog, I just did a search for “smartbotpro” which turned up many forum posts with that domain, along with default-homepage-network, also owned by Sanford) in the HijackThis logs.

And here is one on Spywareinfo.com’s forum dated October 6, 2004.

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = hxxp://server224.smartbotpro.net/7search/?new-hklm
R0 – HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = hxxp://default-homepage-network.com/start.cgi?new-hklm
(links disabled to prevent accidental infection)

So my question to Sanford Wallace is this – WTF are you talking about saying that smartbotpro.net is “dormant” and “inactive”??? There is a LOT Of evidence on the web that directly contradicts those statements. But then, why should I expect a spammer and scammer like Sanford to tell the truth. What was I thinking?

---