Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Privacy

Spyware in Kazaa, Limewire, Grokster 364

Posted by michael from the comp.risks dept.
BigMacMike writes: "The San Francisco Chronicle (via the sfgate.com website) has a story that Kazaa, LimeWire, and others have secretly hidden software in their applications that track users' browsing habits." Not the first time. The corporate response is that they literally didn't know what was in these secondary applications that they were providing to be downloaded and installed alongside their primary program. Believe it if you wish.
This discussion has been archived. No new comments can be posted.

Spyware in Kazaa, Limewire, Grokster More

Spyware in Kazaa, Limewire, Grokster

Comments Filter:

  • Hm..... (Score:2, Interesting)

    by bleckywelcky ( 518520 )


    Does it really matter all the much? Most of the stuff spyware could obtain from my uses would be pretty useless anyhow.

    • Re:Hm..... (Score:2, Interesting)

      by psxndc ( 105904 )
      Not useless to the marketing people, especially if the RIAA or MPAA say "Hey kazaa, we'll make your life hell" (like they're already trying to do, but can't, etc) and kazaa says "please don't hurt us. How about all this free data on people's downloading habits in exchange for easing a little pressure. What movies they download, what songs they listen to, etc?"

      psxndc

      • Re:Hm..... (Score:3, Interesting)

        by FFalcon ( 227404 )
        I don't know about anyone else, but anytime I install an app and I see that it has installed other crap without my permission, I dump it.

        Netscape 6 pulled the same trick, covering my desktop with AOL ads. It lasted about 5 minutes before I got fed up and unintalled (only later found out about Mozilla).

        It's time for distributors of software to be up-front about the adware/spyware/sleazeware that they bundle with their product. Until then, we'll have to vote with our disk space by not using these programs. Instead of Kazaa, check out Morpheus, which performs the same function but without the "Clicktilluwin" garbage.

        • > Netscape 6 pulled the same trick, covering my desktop with AOL ads.

          The reason I finally ditched Netscape 4.* on Linux is because I have a dialup connection and anytime I hang up with Netscape running it started complaining after a while that it can't find netscape.com and a couple of other sites. I don't have any idea why it phones home, but even if it's completely harmless I don't care for the idea of software making contacts that I didn't request. So it's out the door with Netscape, thank you very much.

          • it started complaining after a while that it can't find netscape.com and a couple of other sites.

            When DNS lookups fail, Netscape tries to lookup a couple of "well-known" hosts like netscape.com, to see if the problem is localized, or something is wrong with the network.
            At least thats what I think it does. I could be wrong, not having access to the sources....
    • If the information they collect was useless, then they would not collect the information.

  • Mac versions (Score:2, Interesting)

    by anfloga ( 139529 )
    Does anyone know if this applies to Mac versions of Limewire?
  • Take your pick. Let people know what you download, or don't download things. Free music has a price, and it's really not all that bad if your computer doesnt have anything REALLY incriminating on it. No, I'm not saying spyware is good, I'm saying that given the choices, it's not THAT bad.

    That and linux kazaa run as a restricted user would yield some interesting spyware data :)

    • Re:Double Edged Sword... (Score:5, Insightful)

      by Cheshire Cat ( 105171 ) on Saturday January 05, 2002 @06:07PM (#2791777) Homepage
      Free music has a price, and it's really not all that bad if your computer doesnt have anything REALLY incriminating on it


      This is frighteningly similar to the arguement that if you have nothing to hide, why, you won't mind the police searching your house. Its not the fact that I'm trying to hide something, I just feel that its an intrustion of my privacy when programs report my activities to a third party.

    • What makes you think they only log downloads? (Score:5, Informative)

      by Carnage4Life ( 106069 ) on Saturday January 05, 2002 @06:22PM (#2791841) Homepage Journal
      I wrote an article on Kuro5hin entitled The Spyware Invasion [kuro5hin.org] when I found out that there was a piece of Spyware(WebHancer [webhancer.com]) on my machine that was logging EVERY URL I VISITED. It turns out that this company sells these statistics that they obtain from over 16 million unsuspecting users to businesses for over $12,000 a pop.

      What bothered me in particular about this approach is that I know a few websites that log users in with their pasword in the URL (Slashdot is one of them) and I wondered exactly how many of my passwords and userIDs had been sent to webHancer over the past weeks I had it unknowingly running on my machine. Of course, I quickly ran Ad-Aware [lavasoftusa.com] on my machine and changed all my online passwords.

      PS: The offending application that installed this spyware was AudioGalaxy [audiogalaxy.com].
      • Audiogalaxy have since mended their ways. The current installer asks if you want to install any of the spyware (1 at a time) and doesn't if you say no (I checked this with adaware).

        In the past they did install webhancer without asking.

      • You installed that spyware. (Score:5, Insightful)

        by toofast ( 20646 ) on Saturday January 05, 2002 @11:54PM (#2792784)
        A friend of mine worked at webHancer for a while. Trust me, there's a nice dialog that:
        1. tells you what webHancer is
        2. tells you what webHancer does
        3. asks you if you want to install audiogalaxy with or without it.

        I've installed audiogalaxy several times, and all you have to do is uncheck the check box. But most people click "Next" without even reading the dialogs.

        You consented to it. That doesn't make it spyware, it makes it ignorantware.
    • Free music doesn't have to have a price.. it's not like there is some kind of trade-off between free music and spyware, dictated by the laws of physics. As a user and a software developer, I think spyware is unethical and I won't support its use or use it on my computers. There's perfectly good peer to peer software that doesn't have spyware (Morpheus) so that's what I use..

    • No, I'm not saying spyware is good, I'm saying that given the choices, it's not THAT bad.

      By acting covertly, spyware acts to circumvent choice. To be a true choice, it would explicitly indicate that it would send your browsing history to a remote server, and would give you the CHOICE of accepting that or not running/installing the application.

  • ... for downloading all that pr0n...

    hope limewire doesn't sell this info to my girlfriend...

    "honey, this jenna jameson person has alot of stuff on your computer, do you work with her?"

  • morpheus (Score:2, Informative)

    by MiTEG ( 234467 )
    If you don't like spyware, try out MusicCity Morpheus. Almost the same thing as Kazaa, but on the front page [musiccity.com], they guarantee "no spyware". I'd say to vote with your $$, but since both services are free, you'll have to vote with banner-clicking.

  • A dangerous precident (Score:2, Interesting)

    by GSAlien ( 547456 )
    I was under the impression that it was illegal for companies to install this sort of spyware. Is it legal for companies to write software that reports back to the creator. If so, is it illegal under the DMCA to block those reporting mechanisms in your firewall?

  • As if We Didn't know already (Score:3, Informative)

    by justanyone ( 308934 ) on Saturday January 05, 2002 @06:12PM (#2791793) Homepage Journal
    use Ad Aware and discover what we already should have known. Bearshare and AudioGalaxy do, too. Big deal.

    Zonealarm shows it's doing funky stuff.

    The solution to this is: don't use them. Or, use a version of them that doesn't have the spyware. Limewire version 1.3 is a little slower but doens't have ads or spyware (but 1.7+ does).

    -- Kevin

  • Death Knell for Closed Source Software (Score:3, Interesting)

    by Black Parrot ( 19622 ) on Saturday January 05, 2002 @06:12PM (#2791794)

    IMO, spyware is the single issue that is going to weigh heaviest in the scales in the eventual switch of businesses (and sensible users) from CSS to OSS.

    It's a real shame, though, that most businesses can't seem to see any value in the internet beyond collecting data about consumers.

  • BearShare (Score:5, Interesting)

    by MoceanWorker ( 232487 ) on Saturday January 05, 2002 @06:12PM (#2791795) Homepage
    another program that gives a user access to the gnutella network comes with 3 spyware programs to spy on users...

    first being Onflow Media Player... it is a Flash-like browser plug-in which displays animations and transmits user behavior information (not further specified) to the Onflow central servers.

    second being SaveNow... SaveNow displays context-related shopping pop-up windows in IE... the context information seems to reside on the client side so that no information has to be transmitted to the central server

    third being New.net, which is an alternative Domain Name Service which allows you to connect to TLDs like .free , .shop, .game and .xxx, etc, etc.... also, as they have to query an alternative DNS to let you access these sites, they will be able to track every visit to new.net-"powered" sites.

    not to mention all of these programs have silent auto-updates...

    why can't we all just use FreeNet? :-\

    • FreeNet (Score:4, Funny)

      by HamNRye ( 20218 ) on Saturday January 05, 2002 @06:25PM (#2791855) Homepage
      Because if we all used FreeNet it would crash like a Microsoft built cessna flown by John Denver.
    • In BearShare's defense, installation of all these programs is optional. I skipped them all because they all looked like crap. Let's see, Yet Another Proprietary Media Format Codec -- specifically targeted for delivering ads (we all want to see more ads, don't we?), some barbie-ware ("tee-hee, let's go shopping!") and another attempt at an AlterNIC, a good idea, but I know of zero sites worth visiting that use them.

      I could see myself even putting up with spyware if it was something, well, useful.
  • Interesting that legit companies are using the kind of tactics once reserved for the more 'underground' elements... and that they're using p2p (read: illegal file sharing, regardless of the flame war that it might start) all that much moreso.
  • This past week there was an article on some other source (can't remember) that focused on the whole issue of whether it was a trojan (last paragraph of this story).

    As I recall, the spyware also sent the urls that users visited to a machine with an odd domain name (something like 2001-007.com) EVEN IF PEOPLE WANTED TO AVOID INSTALLING THE SPYWARE. This is why it was called a trojan.

    I'm not sure if it turns out the software wasn't sending the info (reporter error) or if they've glossed over that fact...

    Either way. Blah. Spyware is why I don't play Snood anymore. They use gator which does all sorts of lame stuff to hide itself on install.

    Look, if you have to trick users or hide your program, then it probably isn't a "valuable bonus program." Stupid marketing bastards...

    • Re:originally called a trojan (Score:5, Interesting)

      by H310iSe ( 249662 ) on Saturday January 05, 2002 @06:23PM (#2791846)
      It was in the register (my other regular read who scoops slashdot at least 1/2 the time BTW) - and people above seem to have been missing the point, yes, this is not gator or some other silly thing, it's spyware classified as a trojan by antivirus vendors because, it appears, no-one knows what exactly it does.
      LINKS: - the register article [theregister.co.uk]
      zdnet on the trojan [zdnet.com]
      symantec listing the file as a trojan [symantec.com]
    • Agreed, snood has not only lost out on my PC buisness but my Game Boy Advance business as well.

      The funny thing is that I used to run Gator because I needed gator for remembering my passwords for Nutscrape 4.72. Then it lingered on the machine for a year or so, then it came a parasite-ware. It just reminded me to remove it.

      These programs are trojans. No doubt about it. They exist because they are installed by users who don't know better, don't explain what they do, and then hide in the system. Ummm... That's a trojan. Would BackOrfice still be a trojan if it was required to install it when you installed Jimbo's Chicken Pluckin' game??

      The problem is that the available advertising systems are owned by companies like "Cydoor". (Formerly Auerate, formerly Radiate) And they are the kind of people who think that this kind of thing is acceptible.

      I like in the story where the "ClickTillUWin" guy is complaining about lost buisness. You are advertising with a shady group. You should expect backlash. You should have known that Cydoor was responsable for the Real Player spyware, etc., etc., etc.... If you're advertising Jeri Curl juice in the Klan Times, don't be suprised at a drop off in buisness.

      Along similar lines, advertising with DoubleClick is the easiest way to make sure your ad gets blocked. doubleclick.net has had a permanent 127.0.0.1 since before Jon Katz screwed up Slashdot.

      When you respond to annoying advertising, you get more annoying advertising.

      ~Hammy
      Nothing4Sale.org

  • get rid of all spy ware (Score:5, Informative)

    by flynt ( 248848 ) on Saturday January 05, 2002 @06:15PM (#2791812)
    Download the acclaimed Ad Aware program (link provided) here [lavasoft.de]. It searches your registry and all your drives for running and installed spyware programs. It works great.

    • Re:get rid of all spy ware (Score:4, Insightful)

      by debrain ( 29228 ) on Saturday January 05, 2002 @07:35PM (#2792087) Journal
      A point of interest: If all the intellectually affluent people know how to, and indeed do, uninstall spyware, and this margin is not taken into account by the people that are recepients of the spyware data, would this not lead to a sponsoring of a dumber internet by promoting the sites that attract, well, the less technically fortunate?

      Suppose HP (who is advertising here right now, by the looks of it) is looking to advertise on the net - if the spyware data they buy shows that Slashdot, for example, is hardly even notable on the top spyware list, would this not be detrimental to Slashdot's (or rather VA's) efforts to make a buck off advertising, and in particular directed advertising? Advertisements that are possibly better directed to Slashdot may go to PC Magazine (for lack of a more appropriate choice) or other "mainstream" service.

      Of course, when advertising a car, Slashdot is hardly well-directed advertising and is oft notably a selection of people most fortunate technically, but there is probably a clear area where the technically inclined can find better content on any topic over the internet that spyware would never reveal statistically.
      • Of course, when advertising a car, Slashdot is hardly well-directed advertising

        Slashdot is fabulous turf for car sales. Young, technical (love them gadgets), well-off, single (lots of disposable income), and male. Won't sell a lot of minivans, no, but sportscars, you betcha.

  • A few things (Score:3, Informative)

    by loraksus ( 171574 ) on Saturday January 05, 2002 @06:16PM (#2791818) Homepage
    First - the worst spyware/malware/virus.

    Fucking Bonzai Buddy
    I swear that fucker resides in the MBR it is such a pain to get rid of. Once it is gone, windows is unstable (yeah, yah troll on, 2k is damn stable before this shit is installed)

    Second, the exec lies thru his teeth.
    And the clicktilluwin "not do anything until activated" motto is pure bullshit, this thing starts sending data from the moment it is installed beside limewire.

    Of course, http://www.lavasoftusa.com/index.html is an awesome prog - ad aware lets you know what shit you have on your system and then removes it usually quite effectively. To be honest, shit like this might actually be a good arguement for open source, how many "features" are installed in popular programs that we have no idea of - i.e. they have been integrated into the program. Its also a really fucking good arguement for using opera (BTW, you know /. says that a majority of people are using ie 5.0, opera allows you to change its settings so it looks like it is ie (for the fucking sites that wont let other browers in) I switched, i dunno about others..

    One last thought: Clicktilluwin
    It was classified as a trojan horse, because that is what it is - think of this - if the av manufacuters bent over a desk for these fuckers (declassifying this "program" as a trojan), you think that they would protect you from the FBI?!?!!?
    Shit, if the threat of a lawsuit is all it takes, someone could make a virus, sue all the av companies that made solutions, and then sell "protection"...
  • I've seen the discussions on the Fasttrack forums about this problem. The creators have consistently denied knowledge that the programs were indeed spyware. My question: when the sales people from these spyware vendors were offering Kazaa et al money to include these programs in the clients, what did the Kazaa creators THINK the purpose of said programs were? It seems just a little too easy to claim total ignorance on this.

  • This is not an issue, afaik, if you're running any of these apps for linux.

    This was discussed on The Register [theregister.co.uk] a couple of days ago.

    From the article:

    "We sometimes bundle advertiser applications with our installer in order to help pay for our costs here at Grokster. We are normally given an installer from the advertiser which we run during the installation of Grokster. We have no access to the source code of these third-party installers and so we rely on what our advertisers say these programs do. To the best of our knowledge, this particular advertiser simply placed a link to a free online lottery on the desktop. We were never informed that it installed or was a Trojan."

    If you run a leaky os, what do you expect?

    • If you run a leaky os, what do you expect?

      I'm sorry, but this has nothing to do with Windows' security or lack thereof. Anytime you run a binary you did not compile yourself (including a compiler), there's a chance that it will do heinous things to your computer. Like adding lines to ~/.bash_profile that run spyware.

      Posted from Mozilla on Debian GNU/Linux machine.

      • I'm sorry, but this has nothing to do with Windows' security or lack thereof. Anytime you run a binary you did not compile yourself (including a compiler), there's a chance that it will do heinous things to your computer. Like adding lines to ~/.bash_profile that run spyware.

        True 'nuff. But what are the odds that you're going to get a *nix binary that includes binaries that haven't been compiled by the distributor?

  • So how can a user tell if this tracking program has been installed on their machine? The article was awfully skimpy on details...

  • Here's an article (Score:2, Interesting)

    by alleria ( 144919 )
    from The Register [theregister.co.uk] as well about this.
  • I noticed this several weeks ago. An application called something like whagent.exe would crash during my kazaa sessions.

    My only guess was that it was not fairing well after I put in place measures to block known spyware apps.

    I simply removed the offending program and now I'm probably a little less spyware free. I have grown to expect such things from useful free service providers, but on occassion I've been known to circumvent their efforts.

  • Kazaa has it big time... (Score:5, Informative)

    by tcc ( 140386 ) on Saturday January 05, 2002 @06:29PM (#2791869) Homepage Journal
    AD-AWARE (current 5.62) is one of the BEST ad removal tools for windows computer, grab it at Lavasoft [lavasoftusa.com]. It's free, it has updates (download the latest definition file after installing the 5.62 version) and I've tracked it's every move with a filesystem scanner, and it doesn't put thrash anywhere in your system.

    It scans Registry, cookies, files, dlls, and it found the Kazaa backdoor installed in my system. Usually when you put a software you can remove it's tracking bugware and the main software will still run (I remember posting an article here over a year ago about bearshare having that same type of crap that Kazaa is using right now but it got rejected). What's interresting about Kazaa is if you remove the offending DLL (which is Cydoor bugtracking stuff), Kazaa won't start anymore, this really shows how BAD they want to track your moves.

    While I don't have anything against software companies making a buck by selling tracked info, I do have something against companies being hypocritical about it. When you install Kazaa, it offers you a lot of "free stuff" that any above average users knows that it means advertising stuff, spamming and tracking. This is okay in my book at LEAST it's part of the installer and if you don't know and say yes, well that becomes your problem. What I find really hypocritical is i've unselected EVERYTHING exept "Kazaa needed files" and it STILL installed that bugware thing, and it's not mentionned anywhere CLEARLY in the installer. People get pissed at microsoft activation process which is clear, known and way less intrusive than that, but they let that pass in exchange of leeching free MP3, vids, p0rn and warez. If one day the big suppliers of content on that services have an FBI raid at their places, they'll scream justice and claim that FBI couldn't use the informatin that Kazaa was getting from them because it's not constitutionnal. Well I'd say, make up your mind, if you want P2P and privacy, go to some other service, an example, Download winMX, run Ad-aware in case there's anything installed with the newer versions, and it will probably still run after the cleaning process (I use winMX I love it). Don't support crooks like Kazaa and bearshare that are trying to look friendly, on your side, and pro this and that, while they turn around and sell your browsing habbits without your knowledge.

    Also, notice when you're not uploading or downloading, but kazaa is running.. your drive burps every 5 seconds.... I'm still trying to figure out why.. it doesn't stop even after an hour.. it's not "windows-typical" drive burping.

    Anyways... hope that helps anyone out there.

    • Re:Kazaa has it big time... (Score:5, Informative)

      by LiENUS ( 207736 ) <slashdot@nOSPAm.vetmanage.com> on Saturday January 05, 2002 @07:14PM (#2792016) Homepage
      problem is kazaa wont run unless cd_Clint.dll exists, www.cexx.org has a cd_clint dummy dll file that will deactivate it and let kazaa continue to run.
    • Someone kindly informs us,

      What's interresting about Kazaa is if you remove the offending DLL (which is Cydoor bugtracking stuff), Kazaa won't start anymore, this really shows how BAD they want to track your moves.

      One might check said .DLL for any plaintext IP addresses, and armed with your trusty hex editor, replace any found therein with the time-honoured 127.0.0.0

      BTW having read the Kazaa bug-report forums for a while, it became clear to me this is a company that doesn't give a tinker's damn what it does to users, so long as it makes a buck.

    • Re:Kazaa has it big time... (Score:4, Informative)

      by Tackhead ( 54550 ) on Saturday January 05, 2002 @08:50PM (#2792302)
      > Also, notice when you're not uploading or downloading, but kazaa is running.. your drive burps every 5 seconds.... I'm still trying to figure out why.. it doesn't stop even after an hour.. it's not "windows-typical" drive burping.

      I don't use spyware, so I never installed Kazaa, so I can't help you. But I'm curious, too. (I hate advertisers, and anything that threatens to kick over the rocks under which they grow is k00l by me ;)

      So try a utility like this one: Sysinternals' filemon.exe [sysinternals.com]

      Could be as innocent as your swap file, 'cuz some Windoze proggies leak memory like sieves. Could be something less-than-innocent. Let us know!

      • >So try a utility like this one: Sysinternals' filemon.exe [sysinternals.com]

        That's what I was using for Ad-Aware scanning... there's a lot of tools at sysinternals to track the software that tracks you. Theres also Regmon for monitoring changes made to the registry that is interresting.

        One last thing you might want to check is a tcpmonitor process (there's one at sysinternal as well I think) to check where it's communicating (if you want to go that far)

        For you linux people there's also a flavor of filemon (file access tracking discussed above) for linux, you can grab it Here [sysinternals.com]
    • Morpheus [musiccity.com] is a windows app that works on the FastTrak network(same as Kazaa), claims not to install spyware and still works after I did the ad-aware thing. It pops up ads in IE every once in a while if you leave it running but other than that it gives you access to all the ill-gotten gain out there.
    • Regarding your drive burps, the Fasttrack clients (Kazaa, Morpheus) by default act as 'super-nodes', which maintain lists of shared files not only on themselves, but on 'nearby' peers as well. They then respond to search requests not only with their hits, but also with hits from other nearby nodes. The idea behind this is that people with fast connections and processors take some of the burden off the lesser-endowed. It seems to me that making this be the default behavior in every client sort of defeats the purpose, but they didn't ask me. I suspect that this behavior (indexing and searching file lists from other hosts) is probably at least partially responsible for your drive activity. You might try going into the options and disabling Super-Node behavior and see if that stops it. I'm too lazy to install one of the clients on this box just to check :)
  • It would appear that the stuff bundled with LimeWire is flagged up by antivirus software [limewire.com] - oops... bit of a mistake there :-)

    I quote:

    It has come to Lime Wire's attention over the past 24 hours that one of the bundled software installers included with LimeWire 2.0.2 for the PC is now considered a SpyWare/Trojan by various anti-virus software packages. We have received complaints from our users and we have worked quickly to resolve this issue by putting out a new beta immediately yesterday and rolling LimeWire 2.0.3 for the PC into production at 3:30PM EST today (Jan 1. Note that this did not affect LimeWire 2.0.2 P (LimeWire PRO) users.. We will be communicating further with LimeWire 2.0.2 PC users as information becomes available.

    Workaround for all of this nonsense: don't download the Windows-specific version, get one of the ones without an installer (such as the Linux or Solaris versions) from here [limewire.com] and use that instead. It removes one layer of laziness as you have to install the JRE [sun.com] and make the icon yourself, but it does mean that the ONLY code that LimeWire can install and execute on your system is a) visible and b) written in Java, which means it can't do anything too evil (read: anything platform-specific).

    Hope this helps...

    • No, running the packaged Linux version of limewire on Windows still gets you Windows components. I just tried this and it extracted a "CBanner2.dll" and "LimeWire20.dll" into the install directory. So maybe you're not getting all the stuff packaged into the standard PC install, but there's still a bunch of wacky code there. Maybe it's time to go find a *truly* weird architecture. Bet there's no spyware for the OS/400 JVM...
      [...] one of the bundled software installers included with LimeWire 2.0.2 for the PC is now considered a SpyWare/Trojan by various anti-virus software packages. We have received complaints from our users and we have worked quickly to resolve this issue by putting out a new beta immediately yesterday[...]
      So the question is, did they remove the SpyWare/Trojan, or did they just hide it better?

  • It's ClickTillUWin (Score:5, Informative)

    by Kman_xth ( 529883 ) on Saturday January 05, 2002 @06:31PM (#2791879)
    Here's a (dutch :P) site about this thing, with more details http://www.zdnet.nl/News.cfm?id=14504 The article says that LimeWire 2.0.2 and Grokster ask on installation if you want to install a certain 'service' or program called 'ClickTillUWin'. Whether or not you confirm or deny this request, it secretly DOES install it on your pc. This so-called online lottery game contains the trojan. If you go to clicktilUwin.com you'll see that there are possibly more programs 'infected' by this trojan (check the partners section). What is basically does (according to the above article) is install a file called Dlder.exe. When you start the p2p program it came with, dlder.exe will automatically start too and download a second piece, called explorer.exe (and no, not the same one windows users normally have). This program then does some things to the windows registry and sends usernames and your ip adress to http://www.2001-007.com. Symantec (the guys of Norton Antivirus) have called this thing a trojan horse and all of their antivirus applications will regognize it as one. The above article also states that other antiviruscompanies have also already updated their software (waiting for you to press the 'update button' that is :)
    • http://www.2001-007.com immediately redirects to clicktilluwin.com. Which caused Netscape (3.04, js off, images off, NO plugins) to complain "This page contains data of the type 'octet/stream'. Do you want to get the plug-in?"

      WTF does that mean??

      • The server is misconfigured, it is sending a Flash 5 animation with "Content-Type: application/octet-stream".

        Unlike other, more popular software companies which try to hide that they are spying on their users, ClickTillUWin is open about its business [clicktilluwin.com].

        If you install such software, it is simply your own fault.

  • One important question is the value of the data they collect. Will advertisers buy such 'black market' data? Or is the data collected by the developers 'just because they can?'

    It is really in these companies' best interest to risk losing the faith of their users for this data which probably won't make them any money?

  • Limewire is GNU licensed [limewire.org], and therefore open source [limewire.org]. If you have a problem with spyware, then roll your own version. I don't even think the source code has the spyware, so all you have to do is compile. Now as for other closed source software that doesn't tell the user of it's misdeeds - I can't defend that.

    LS

  • Some Good Advice, Again.... (Score:3, Informative)

    by thumbtack ( 445103 ) <thumbtack@FREEBSDjuno.com minus bsd> on Saturday January 05, 2002 @06:39PM (#2791910)
    It's been put up here lord knows how many times, but here goes again. I use the Lavasoft [lavasoftusa.com] software Ad-Aware to check and clean my system on a regular basis. Not only do I use it, if I have a friend who is having problems with their system, I usually will run it there as well. nine times out of ten they have a program that is running in the background, that Adware classifies as "Spyware". Removing the "spyware" components my the friends system often fixes the problems they are having. It always finds things that shouldn't be on their system. We can debate cookies forever, but I'm talking about software that serves ads, sends information, or otherwise takes control of your system or partially takes control.

    The old sage about not installing software from unknown sources applies more than ever, I don't know who these people are, but from reports I've seen and heard I wouldn't even consider installing them.

    . If I do download software and install it (it inevitable) I scan the download for viruses and trojans, backup my registry, install it and then run Ad-Aware [lavasoftusa.com]. If Ad-Aware detects anything from the program, i uninstall the sucker. Then I reboot and run the old registry as well.

  • SaveNow Must Die! (Score:5, Insightful)

    by fm6 ( 162816 ) on Saturday January 05, 2002 @06:41PM (#2791923) Homepage Journal
    There's all kinds of nasty spyware and adware [cexx.org] out there, but the one that raises my blood pressure is SaveNow/WhenUShop [whenu.com]. This is supposedly a voluntary opt-in system, but some program (probably BearShare) installed it covertly on my system and didn't remove it when I uninstalled.

    The lost of privacy was bad enough, but SaveNow seems to work by hooking into Windows Explorer and intercepting a great many application events. For a long time I blammed the resulting performance hit on a combination of my own excessive system tweaking, buggy Explorer plugins, and MS software bloat. It wasn't until Explorer froze up totally that I realized some background process was interfering with it, and found the culprit by process of elimination.

    It strikes me that this is not very different from activities that have gotten people sued [slashdot.org] or even arrested [slashdot.org]. It's all there -- unauthorized access, theft of services, malicious action. Perhaps it's time we gave Mister Ashcroft [slashdot.org] a call!

  • I'm not totally positive this is entirely true but I've noticed an anomoly whilst running LimeWire on Windows. When it launches a little 2x2 pixel entity pops up in the top left corner of the screen. It can be clicked and moved around the screen but doesn't respond to anything else I've tried except Alt+F4 which makes it go away (I assume closes it). It also doesn't shot up in task manager as an individual process so I'm further assuming it is a thread in the LimeWire process contained in the JVM. I haven't cared enough to further try to figure out what it is. Is it mentioned in LimeWire's literature and has anybody else seen it?

  • More information. (Score:3, Informative)

    by milkman1 ( 139222 ) on Saturday January 05, 2002 @06:57PM (#2791967)
    This was originally noted on the vuln-dev list in late december. For your amusement here are some links:

    Grokster and possible trojan [securityfocus.com]

    Clicktilluwin DLDER Trojan" [securityfocus.com]

  • I wonder if they'll try to sneak it into Gnapster... Oh wait... I could read the sourcecode and see it there....

    another example that Open source is better.

    (Besides, Gnapster on OpenNAP servers is useful (would be more useful if people would get a clue and open the ports on their firewall to actually share those files.)

    and the only thing I would love to see changed... if you disconnect, the server erases that you existed and all your shares instead of listing them... that is a pain in the butt.
    • But there's the irony. LimeWire is open source!

      The thing is that the binary that they distribute for Windows is not the same thing you'd get from compiling the source...

  • SpyWare (Score:2, Informative)

    by NetNinja ( 469346 )
    As the previous post mentioned above "Ad-aware" is a great program to snif your winblows boxes for spyware.
    The January issue of "Smart Computing" has a great article describing which programs are spying on you and some other recommended programs to protect your machine.

  • A friend of mine keeps getting CometCursor installed on her laptop without her permission. She runs AdAware every so often to find and remove it, but it keeps reappearing.

    She suspects it's being installed covertly by some Web sites she visits (though we haven't yet isolated which ones). She surfs with IE, but even so, it seems highly improbable to me that something like CometCursor could be downloaded and installed behind the user's back.

    I know CometCursor is spyware, but does anyone have more details about this particular behavior?

    Schwab

  • Use Morpheus. I have known about Kazaa and it's spyware built-in for quite some time now, yet Morpheus is better as it doesn't have spyware and it also allows you to download MP3s larger than 128 kbit.

    Getting older versions of Limewire also allows you to defeat the spyware.

  • AudioGalaxy & VX2 (Score:2, Informative)

    by Tony.Tang ( 164961 )
    AudioGalaxy's [audiogalaxy.com] software unfortunately now installs VX2 by default. We didn't know this when we installed AG, and were subject to a pop-up ad so frequently, it was unbelievable. At first, I suspected the sites we were visiting, but they were even coming up on Google!

    The big throw was that the ads that were being served up always seemed to come from different places. One day, I decided to look into it, and discovered that all the ads were being downloaded from VX2 [vx2.cc].

    VX2 is a very devious piece of sofwtare, logging every one of the sites you visit, and then popping an ad every once in a while. If you surf quickly, throttles itself; surf slowly, and it pops for every site. Quite devious, really.

    • VX2's site [vx2.cc] - fairly informative
    • Cexx's site [cexx.org] - VERY informative -- tells you everything you need to know about vx2

    I recommend downloading some of the software that's already been mentioned (e.g. adaware) -- they do a very good job of getting rid of all sorts of garbage.

  • Google Toolbar is spyware (Score:3)

    by BrookHarty ( 9119 ) on Saturday January 05, 2002 @09:56PM (#2792491) Journal
    I run proxomitron at work, I noticed that i kept hitting google when I was working on a company website. Later I noticed Google was already indexing my website. Like most users I trusted google wouldnt bounce my URLs off google, but they did.

    Also, I started using Tiny [tinysoftware.com] firewall and started to block alot of software. Couple things I noticed, alot of m$ software trys to talk to the net. Office, Explorer, Windows Networking (not plain tcp/ip), m$ hardware drivers for mouse and keyboard, media player.

    Also using a firewall stopped alot of freeware programs that grabs ad's worked great, they just couldnt get the banner ads or talk to the net.

    We also use firewall software on our Sun production boxes we use EFS, encyrpted firewall software. It has a nice ACL list you can really lock down traffic. Only open port 80 for web traffic, and only to the load balancers, only allow SSH on the control network. Sometimes while your putting in a new network, the firewall ruleset is very basic, locking down the boxes help add a some security, and everything is logged to a logging server.

    -
    I was so naive as a kid I used to sneak behind the barn and do nothing. - Johnny Carson
    • Yes, the Google Toolbar _IS_ spyware, and they tell you in no uncertain terms that it is.
      If you read the description of it before happily clicking OK, OK, OK, you would know exactly what information is transmitted back to Google, and why.
      That groovy little "Page Rank" bar you have on the toolbar, needs to know what URL you are on, so it can give you the pagerank.
      If you chose to install without the advanced features, then it wouldn't report anything back to google at all.
      -- kai
  • Kazaa and Morpheus both use the same P2P network, notably the one made by FastTrack, a company based in the Netherlands. So, if you want to use the network without spyware, give Kazaa a miss and grab Morpheus instead. Also, I think Morpheus has a Linux client available (I may be wrong on that though).
  • There are lots of software programs like Ad-Aware that will clean these up for you, but my goal is to have LESS software on my PC, not MORE.

    I found an nice free website [doxdesk.com] that will run a JavaScript in your browser that detects various kinds of spyware and directs you to instructions on how to remove it. He also offers the source up for free so webmasters can help combat this scourge by hosting the script on their own pages. (That way all your site visitors will be warned about they spyware as they visit your site). It doesn't seem to detect this one though.

    I dug this up when I discovered a few months back that AudioGalaxy [audiogalaxy.com] had secretly installed a similar application called VX2 on my PC. The odd thing was that Audio Galaxy wanted to install BonziBuddy too, but it let me choose. But no choice with this other one. Fortunately it was easy to remove and AG runs fine without it.

  • What address do these trojans contact? (Score:3, Informative)

    by EMIce ( 30092 ) on Saturday January 05, 2002 @11:12PM (#2792699) Homepage
    I'd like to set my private dns server to resolve them to 127.0.0.1 - I am especially interested in the kazaa one, since I use morpheus. I've already redirected sites like auto.search.msn.com, since every incorrectly url typed into IE is sent there.

  • Here is a comprehensive Hosts File that blocks em (Score:5, Informative)

    by sh0rtie ( 455432 ) on Saturday January 05, 2002 @11:37PM (#2792747)
    here is a really comprehensive hosts file [remember.mine.nu] that blocks morpheus,bearshare,hotline and 10,000 advert servers, daily updates, instructions and works on all platforms including Linux/beos/macs ;)

  • Double standard (Score:2, Interesting)

    by Random Feature ( 84958 )
    What I find most disconcerting about this entire situation is that if I do something like this I'm a "bad girl" and face possible charges under vague federal law but when a company does it nothing happens to them - they issue an "apology" and it's over.

    -------

  • There _IS_ a opensource gnutella client for win32 (Score:3, Informative)

    by Ilgaz ( 86384 ) on Sunday January 06, 2002 @12:33AM (#2792844) Homepage
    First of all I wonder how people get shocked about those companies making evil things...

    Second is, I sure wonder how Gnucleus ( http://www.gnucleus.com ) which is a full open source program works perfectly on win32 platform isn't mentioned on messages.

    The coder guy(s) say now it has even multi-source downloading, just like fasttrack.

    There is also another problem, as those programs are closed source, how come they won't have _native_ spying? e.g. Morpheus sending current URL of IE easily from urlmon.dll to that dutch company? I mean, anyone checked it yet?

  • How it works (the real facts) (Score:5, Informative)

    by DABANSHEE ( 154661 ) on Sunday January 06, 2002 @01:02AM (#2792895)
    1st a quote..

    "F-Secure Virus Descriptions

    NAME: DlDer
    ALIAS: Trojan.Win32.DlDer, Troj_DlDer

    This two-component trojan was discovered in the end of December 2001. The trojan being installed on a user's system constantly upgrades its main component that connects to 2001-007.com website and reports user's ID, web browser a user is using and all URLs that a web browser and all its child windows open. The trojan violates user's privacy and opens a security hole in a system by downloading and activating executable files.

    The main component of the trojan is Explorer.exe file that is located in Windows folder in \Explorer\ subfolder (do not mix with the original Windows' Explorer.exe). This component is constantly upgraded by the second trojan component that has the name 'DlDer.exe' and is located in Windows folder.

    The DlDer.exe file is most likely dropped to user's system by ActiveX applet or Javascript code that a user doesn't notice when he is browsing Internet. The exact way how this file is dropped is not yet known. The case is under investigation.

    The DlDer.exe file when it is started downloads Explorer.exe file from a website and puts it to \Windows\Explorer\ folder. Then the trojan creates a startup key for Explorer.exe file. On next System restart the Explorer.exe file is activated and it creates a startup key for DlDer.exe file and starts to connect to 2001-007.com website and report user's ID, web browser and all URLs that a user visits to there.

    We recommend to delete both trojan components from an infected system. If these components can't be deleted (locked files) they should be deleted from pure DOS (in case of Windows 9x system) or renamed with different extensions (EXA for example) with immediate system restart (in case of Windows NT/2000/XP system).

    [F-Secure Anti-Virus Research Team, December 28th, 2001]"

    Now some links

    Astechnica Forum - "Is download.com infected with a virus???" [infopop.net]

    Arstechnica Forum - "explorer.exe and Explorer.exe" [infopop.net]

    Computing.Net Forum - "How to delete trojan in explorer.exe" [computing.net]

    Gnutella Forum - "p2p Trojan info" [gnutelliums.com]
  • I called him to ask what the fsck his executable was running on my machine for and how it got there. He denied it did any spying and said it only worked when you were on the ClickTillUWin site. (Basically a complete load of shit.)

    If this sort of crap pisses you off too, drop him a line.

    Registrant:
    Preference Marketing Services
    8170 S. Eastern Avenue, Suite 4613
    Las Vegas, Nevada 89123
    US

    Registrar: Dotster (http://www.dotster.com)
    Domain Name: MYTRAFFICTRADER.COM
    Created on: 15-JUN-01
    Expires on: 15-JUN-02
    Last Updated on: 27-JUN-01

    Administrative Contact:
    Calderone, Michael michaelcalderone@hotmail.com
    Preference Marketing
    8170 S. Eastern Avenue, Suite 4613
    Las Vegas, Nevada 89123
    US
    702-243-8714
    702-207-6682

    Technical Contact:
    Callahan, Heather fred@aafunnypictures.com
    Preference Marketing Services
    8170 S. Eastern Avenue, Suite 4613
    Las Vegas, Nevada 89123
    US
    208-664-3804
    702-207-6682

    Domain servers in listed order:
    NS.BANNERHOSTS.COM
    NS2.BANNERHOSTS.COM

  • The Slimeball Shuffle (Score:2, Informative)

    by BillX ( 307153 )
    Just finished reading the SFGate article [sfgate.com] on the subject. What particularly struck my interest was the interview with Robert Regular--the name sounded familiar as I got into it [cexx.org] with this very same marketing stiff last year, when his company's (Conducent Technologies at that time) TSADBOT spyware somehow got onto my system. (I must admit, as the webmaster of a semi-popular spyware information site, having one go undetected on my own system for nearly a month was rather embarassing.) At any rate, Mr. Regular's answers to my "clueless user" inquiries--not letting on that I had already dissected Conducent's app with a fine-toothed hex editor--led me to almost suggest that he drop the spyware biz in favor of a more lucrative position speechwriting for a certain ex-President.

    Rather than redefining "is", it seems that our old friend has found a new home at Cydoor Technologies, makers of another KaZaA-transmitted disease [cexx.org], who are now pushing the ClickTilUWin trojan to spyware-friendly companies.

    To quote the article:

    • Greg Bildson, chief technology officer of Lime Wire LLC, said the company was led to believe the program did no more than link to a game, making the permission request unnecessary.

    • Robert Regular of Cydoor Technologies Inc., which distributed the ClickTillUWin software to the file-sharing companies, said the program wasn't supposed to collect information until users activated it -- and had an opportunity to be notified and decline if they so choosed.

      Regular said he did not believe deception was intended by any of the parties.


    I guess some things never change.

  • Spyware in Mozilla (Score:2, Interesting)

    by rasilon ( 18267 )

    Although it hides as the "What's Related" feature, Mozilla does exactly the same thing. Every URL you visit is sent to xslt.alexa.com. Just try it: add "127.0.0.1 xslt.alexa.com" to your /etc/hosts, fire up apache and Mozilla and tail the logfile...

    127.0.0.1 - - [06/Jan/2002:10:58:03 +0000] "GET /data?cli=17&dat=nsacdt=t%3D1%26pane%3Dnswr6%26wid %3D4832&url=http://www.google.com HTTP/1.1" 404 276 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.5) Gecko/20011012"
    127.0.0.1 - - [06/Jan/2002:10:58:08 +0000] "GET /data?cli=17&dat=nsacdt=t%3D0%26pane%3Dnswr6%26wid %3D4832&url=http://www.google.com/search HTTP/1.1" 404 276 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.5) Gecko/20011012"

Slashdot Top Deals

How many hardware guys does it take to change a light bulb? "Well the diagnostics say it's fine buddy, so it's a software problem."

Close