Security

Zone Alarm Vs 180 Solutions: Zango hooks? 166

Posted by Hemos
from the deconstructing-postmodern-spyware dept.
Sub-Seven writes "Found at Vitalsecurity.org, they detail how a Microsoft MVP pulled the Zango file to pieces, and discovered some interesting facts about exactly what a "simple" fun and games application does to a machine that it's running on. Hooking into Windows OneCare and Microsoft Antispyware? What's that all about? "
  • by dtolman (688781) <dtolman@yahoo.com> on Monday December 05, 2005 @11:16AM (#14184898) Homepage
    Is it just me, or does the friggin Slashdot summary have more information than the linked article?

    That's gotta be a first...
    • The linked-to blog article is clear as mud
      • No, that's not muddy. That's the New Journalism. It's supposed to be nonsensical and unreadable.
        • Re:It's not just you (Score:2, Informative)

          by Pollardito (781263)
          just to show that it wasn't a one-time thing, here's a quote from his entry describing his blog [vitalsecurity.org]:
          If you want a full on, voice of God raging from a thunderstorm malware apocalypse complete with stupid pictures, pressure cranked up to 11 and the now obligatory sound and vision link, keep it tuned to Vitalsecurity.org.
      • by ergo98 (9391) on Monday December 05, 2005 @11:26AM (#14184975) Homepage Journal
        The linked-to blog article is clear as mud

        No kidding. The blog article has ZERO content, apart from linking to two other sites about some program that purportedly is being flagged as spyware.

        If slashdot is accepting lame "my blog entry" submissions like this (and what's with the "Microsoft MVP" comment in the submission? That's like trying to give credibility to a blog entry by purporting it to come from a "high school graduate"), then I'm going to start submitting every entry I make. Maybe I'll blog about this blog entry that blogs about a blog entry and submit that.

        Ah well, like I - esteemed high school graduate and Blockbuster cardholder - said - most blogging is bloggers talking about blogging [yafla.com]. (Yes, hypocrisy runs deep with this)

        • Ah, another fine example of Slashdot "editing".

          The link that should probably have been put in the article is: http://mvps.org/winhelp2002/temp/zango.htm [mvps.org]

          Of course, if Hemos had actually looked before posting...

    • Hi, I think this text sheds some light: http://blog.180solutions.com/PermaLink,guid,5795b8 5d-feea-4656-93e1-d788a01f760a.aspx [180solutions.com] Poor people @180solutions that suddenly found their spyware being detected by Zone Labs' ZoneAlarm. ZoneAlarm is obviously a great piece of software. So when 180Solutions became aware of this, they saw their business model go the way of the dinosaurs.
    • The article didn't make much sense, but I *think* someone figured out that some downloaded POS program uses the CBT Windows hooks. CBT is for [C]omputer [B]ased [T]raining. If I had to guess why they would do this, it is so their program can react to content that triggers their CBT hooks. If I recall correctly, you can embed this type of CBT stuff in Windows Media files. So their memory-resident POS program sits there and reacts to video streamed off their affiliates' sites?

      Of course, the problem her

    • by Bob_Villa (926342) on Monday December 05, 2005 @11:36AM (#14185061)
      On the blog, just click the link that says "Very thorough runthrough", which links to the following url: http://mvps.org/winhelp2002/temp/zango.htm [mvps.org]

      I think this link is actually pretty good. I agree, the blog wasn't the most clear.
    • Yeah, not sure why they linked to that blog. The blog does however have a link to the useful info. This [mvps.org] is it.
    • Yes. And also: (Score:4, Insightful)

      by sammy baby (14909) on Monday December 05, 2005 @11:52AM (#14185198) Journal
      The Slashdot summary has more info than the linked article, but the impressive thing is that the Slashdot summary still is only barely written in complete sentences. I mean, I'm a sysadmin with about ten years of experience, I've been reading Slashdot for years, and not only can I not understand what the article says, I'm not even sure what it's supposed to be about. Someone not flagging spyware when they should? Or tagging it as spyware when it shouldn't? Or... christ, I give up. Not worth it.
      • I clicked that "read more" link to discover by the comments what the summary was about. But after I read yours, I'm losing my expectations that anybody else understood it.

        Did ./ start accepting random articles, like some science journals?

  • by Crizzam (749336) on Monday December 05, 2005 @11:16AM (#14184904)
    Zango dango bo-bango, banana fana fo-fango fe-fi mo-mango, Zaaaango.
    • That should, of course, read 'banananana', and the whole thing is intended to be sung as per the middle section of Bohemian Rhapsody.
  • by dada21 (163177) * <adam.dada@gmail.com> on Monday December 05, 2005 @11:17AM (#14184914) Homepage Journal
    It wouldn't surprise me if 30% of my IT company's income came from user stupidity combined with software such as the XCP, spywared games, and other fun entertainment products. Yet this is just the market at work. Loopholes are found, usually because of click-through-licensing. Companies will always attempt to build their markets and consumers will always find the bad seeds.

    It is very important to realize that as long as end users continue to install these programs, marketing companies will feed their needs. You could argue for laws against these backdoor programs, but it wouldn't solve anything and in fact might make the problem worse as companies find sneakier ways to get into your desktop.

    The only way to make a smart consumer is to inform them of the bad things. This means getting the word out, telling others to be careful, and even offering training for groups. My company makes a good profit on spyware, but we offer completely free training days for companies that want to save money by training their employees in safe web browsing. I don't think the answer is "Install Linux and Firefox and the problem will go away!" If Linux/Firefox occupied 90% of desktops, the marketing companies would find a way to take advantage of that platform.

    Smart users are informed users are users who won't continue making the same mistakes. Finding band-aids through legislation or discrete installation of anti-spyware software isn't going to solve the problem.

    As a sidenote -- the reason for training my customers in smart browsing techniques is a selfish one. As we reduce a company's cost of doing business, our referral rate skyrockets. The less we work/bill, the more work we have to bill. If you're a consultant and you're not seeing a decent increase in your customer base every year, you're not doing a good enough job. There is more work in the U.S. than is being tapped, and it is usually because companies aren't seeing things getting better.
    • I agree that education is important in fighting these scams. And yes, I've done my part, telling everyone that I know that billing info/passwords should never be sent through e-mail, that applications should be examined before they are installed, etc. However, I often find that the increasing sophistication of spyware and phishing scams often overcomes whatever training I give (i.e.: "I know you told me not to send my billing information over e-mail but it was so convincing...). Heck, I've seen phishing

      • You're right -- just training someone in proper use isn't enough. It is also important to train people in questioning every action before performing it. Phishing is getting harder to detect, yet it is causing the banks to take better security measures (they end up paying for the phishing in the end). This is the market at work -- government is coming along to draw the chalk-line and collect evidence, the banks are working to prevent the crime from ever happening.
    • by aquarian (134728) on Monday December 05, 2005 @11:39AM (#14185082)

      I agree with everything you said, but especially this:

      As a sidenote -- the reason for training my customers in smart browsing techniques is a selfish one. As we reduce a company's cost of doing business, our referral rate skyrockets. The less we work/bill, the more work we have to bill. If you're a consultant and you're not seeing a decent increase in your customer base every year, you're not doing a good enough job. There is more work in the U.S. than is being tapped, and it is usually because companies aren't seeing things getting better.

      I've found this applies to whatever business you're in. I've started, grown, and sold 4 different companies, in completely unrelated industries. The more we were able to make ourselves unnecessary, the more work we got.
      • I've found this applies to whatever business you're in. I've started, grown, and sold 4 different companies, in completely unrelated industries. The more we were able to make ourselves unnecessary, the more work we got.

        Indeed, nothing gets you more good business than word of mouth. At one of the companies I work for, a locksmith, my boss constantly turns away work. I was talking to an employee of one of our competitors and apparently they spend a lot of time waiting for the phone to ring. It's not adverti

      • I've found this applies to whatever business you're in. I've started, grown, and sold 4 different companies, in completely unrelated industries. The more we were able to make ourselves unnecessary, the more work we got.

        Succinctly put. What you just said is about 1/3rd the reason I became a libertarian and then became an anarchocapitalist. I realized that businesses that exist to grow and tread new markets are what makes this world wonderful. I saw how some corporations (not businesses) fought to stay the
  • Clever (rolleyes) (Score:4, Insightful)

    by Pope (17780) on Monday December 05, 2005 @11:22AM (#14184947)
    Put a link to the article on the same page as itself, thereby upping your Google ranking.

    Blogs are awesome.

  • by HexaByte (817350) on Monday December 05, 2005 @11:23AM (#14184948)
    From the article:

    180Solutions was complaining that "ZoneAlarm was advising that our 180search Assistant "is trying to monitor your mouse movements and keyboard strokes" well let's see after reading the above ... that description looks right to me.

    This is worse than spyware. This could be used to transmit your account codes and PINs, passwords, etc.

    Sounds like stealware(TM) to me!

    • by Red Flayer (890720) on Monday December 05, 2005 @11:45AM (#14185133) Journal
      "Sounds like stealware(TM) to me!"

      Whose side are you on, the **AA?

      It's not theft, since they are only making a copy, and you are not deprived of the use of your account codes, PINs, etc.

    • Just out of curiosity, can anyone see any possible legitimate/non-fraudulent use at all for a 3rd-party company to have keyloggers installed in their software?
      • Well, an FBI warrant would fall into that category. Of course, under the Patriot Act it could be ILLEGAL for Zone Alarms to notify you of such an intrusion to your privacy.
  • related info (Score:4, Informative)

    by rd4tech (711615) * <emilijan&cpuedge,com> on Monday December 05, 2005 @11:25AM (#14184967) Homepage
    Searching around I was able to find
    http://www.benedelman.org/spyware/180-affiliates/ [benedelman.org], and http://www.spywareguide.com/product_show.php?id=50 7 [spywareguide.com]
  • by ZachPruckowski (918562) <zachary.pruckowski@gmail.com> on Monday December 05, 2005 @11:27AM (#14184980)
    The whole reason for the lawsuit wasn't because 180 was pissed with misleading statements, it was because a potential business partner of 180solutions had concerns about associating their company which Zone Labs had tagged as a high security risk.

    Well, if legitimate companies are afraid to associate with spyware companies, then I'd call that a good side-effect of the Sony malware mess.
  • Why the blog? (Score:5, Informative)

    by imroy (755) <imroykun@gmail.com> on Monday December 05, 2005 @11:30AM (#14185005) Homepage Journal

    Why link to some guy's blog with inane comments, when you can link to the page he refers to [mvps.org]? Lots more information there.

    What is it with blog pages that link to another blog, which links to another blog, and so on? If this is how things are done in the blogosphere, then my already low opinion of bloggers just slipped a little. Just provide a link to the original f**king information!</rant>

    • Re:Why the blog? (Score:5, Insightful)

      by Billosaur (927319) * <wgrother@NOsPAm.optonline.net> on Monday December 05, 2005 @11:54AM (#14185214) Journal
      What is it with blog pages that link to another blog, which links to another blog, and so on?

      This is the principle of the "Möbius [wikipedia.org] blog", whereby the information is wholly one-sided and is repeated so often that it is taken for fact by anyone reading it. As they move from link to link, their indoctrination in the rhetoric increases, with the theoretical maximum value being reached when they return to the original "source" blog. Once a "Möbius blog" is entered, the ability of the reader to avoid reading the next blog in the series decreases proportionately.

      The "Möbius blog" is also known as "Internet journalism".

  • by kawika (87069) on Monday December 05, 2005 @11:32AM (#14185020)
    180 is suing ZoneLabs for a very specific and narrow statement [180solutions.com] as far as I can tell. ZoneLabs says 180 is monitoring key and mouse info, 180 says it is not.
    The analysis [mvps.org] linked from TFA explains that he found evidence of setting a Windows hook. The question is, does Zango use that hook to collect mouse and key info, even for a short time, or are they using the hook for other purposes? What would those purposes be?
    • by Ytsejam-03 (720340) on Monday December 05, 2005 @12:12PM (#14185345)
      The question is, does Zango use that hook to collect mouse and key info, even for a short time, or are they using the hook for other purposes? What would those purposes be?
      Yes, my thoughts exactly. The longer 180 fails to disclose this information, the more it looks like they are doing something nasty.

      That said, I see no evidence that Zango is specifically targeting Windows OneCare or Microsoft Antispyware as TFA implies. The fact that zangohook.dll is being loaded into these processes is *NOT* evidence of this. Zango is setting a system-wide hook, which means that their hook DLL (zangohook.dll) will be automatically loaded into every process in the system that generates one of the events they are trying to hook.

      There are legitimate uses for system-wide hooks. Many Single Sign-On products use them, for instance. The real question is, why exactly does Zango need to set a system-wide hook in the first place? I can't think of any legitimate reasons.
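The post above makes a testable claim: a system-wide hook DLL ends up mapped into whatever processes generate the hooked events. As an added defender-side check (not code from the thread, from the analysis it links, or from any product named here), this PowerShell function lists the processes that currently have a given DLL loaded and hashes the file they loaded it from; the module name zangohook.dll is taken from the post, and a Windows host with Get-FileHash (PowerShell 4 or later) is assumed.

```powershell
# Added example: enumerate processes that have a given DLL mapped.
# A system-wide SetWindowsHookEx hook causes exactly this for its hook DLL,
# so the list shows where the hook has taken effect, not what the hook does.
# Assumes Windows PowerShell 4+ on Windows; the module name is an example.
function Find-LoadedModule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ModuleName          # e.g. 'zangohook.dll'
    )

    $hits = foreach ($proc in Get-Process) {
        try {
            # Reading .Modules throws for protected or other-bitness processes;
            # those are skipped rather than aborting the whole scan.
            $mods = $proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }
        } catch {
            continue
        }
        foreach ($m in $mods) {
            [PSCustomObject]@{
                ProcessName = $proc.ProcessName
                ProcessId   = $proc.Id
                ModulePath  = $m.FileName
                # Hash the on-disk file so every hit can be tied to one binary.
                SHA256      = (Get-FileHash -LiteralPath $m.FileName -Algorithm SHA256).Hash
            }
        }
    }
    return $hits
}

# Usage: which processes have the hook DLL mapped right now?
Find-LoadedModule -ModuleName 'zangohook.dll' |
    Sort-Object ProcessName |
    Format-Table -AutoSize
```

A 32-bit PowerShell only sees the modules of 32-bit processes (and a 64-bit one only 64-bit processes), so run it in the bitness matching the DLL. A process missing from the list has merely not generated a hooked event yet, which is consistent with the post's explanation rather than evidence of targeting.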
    • by arkanes (521690) <[moc.liamg] [ta] [senakra]> on Monday December 05, 2005 @12:18PM (#14185397) Homepage
      There are a number of things you might install a CBT hook for, even legitimate ones, but with the hook installed it absolutely is "monitoring" all keypresses and mouse moves. This is going to hinge on the definition of monitoring - Windows is calling a hook within the Zango code and notifying it of all the events it registered the hook for (which looks like system wide mouse and key events), however, Zango is quite likely ignoring everything except very specific events. Personally, I'd still call that monitoring.
      • There are a number of things you might install a CBT hook for, even legitimate ones, but with the hook installed it absolutely is "monitoring" all keypresses and mouse moves.

        Microsoft seems to disagree. From the documentation of CBTProc in the MSDN Library:

        The HCBT_CLICKSKIPPED value is sent to a CBTProc hook procedure only if a WH_MOUSE hook is installed. For a list of hit-test codes, see WM_NCHITTEST.

        The HCBT_KEYSKIPPED value is sent to a CBTProc hook procedure only if a WH_KEYBOARD hook is ins

    • The Sony-BMG copy prevention threads should teach modern-day /. readers that asking the proprietor what they do with the information they gather is not enough freedom for the user. According to freedom-to-tinker.com [freedom-to-tinker.com], Sony lied about their software saying they didn't track information on the user's usage, then they admitted they did and said this was okay because they didn't do anything with the information that they collected. Sony-BMG and First4Internet's uninstaller doesn't actually uninstall [freedom-to-tinker.com] the softwa

  • by Idaho (12907) on Monday December 05, 2005 @11:32AM (#14185022)
    This is IMO becoming a problem in a lot of games. Counterstrike, World of Warcraft, Valve with its Steam engine, crap like punkbuster that scans your entire drive, registry and who knows what else, just to make sure you aren't cheating. And we are not talking about minor game companies here.

    Don't get me wrong, cheating is a major (if not: the worst) problem in online games, but the lengths to which game providers go to assure (a) that you are using a legally bought version of the game (most important) and (b) that you are not using modified drivers, game libraries etc. in order to cheat (game company couldn't care less, but it costs them customers so they have to care..), could certainly make some of them be rated as 'spyware'. Then again, so can Windows XP itself. After users accepted that activation crap from Microsoft, where else could you expect this thing to go? If Microsoft is allowed to do it, then why not $small_corp_with_questionable_ethics?

    (obviously, the answer is that Microsoft should not be allowed to do it in the first place, either. But as it is, this company might actually have a point - if Sony can do it and not be detected for over half a year, why can't they? The idea is ridiculous of course, but hey...)
    • I'm unclear about VAC and Punkbuster, but doesn't World of Warcraft one way hash everything it scans on your computer, and compares the one way hashes to a central database of one-way hashes of known cheating software?

      If that is the case, then it's almost impossible to gather anything from your computer that they're not specifically looking for.

      I think the problem with VAC isn't that it's invasive, it's that it's not effective enough to keep up with month's-old exploits, and the problem I hear with Punkbu

      • and compares the one way hashes to a central database of one-way hashes of known cheating software?

        The database is also downloaded to your machine to do the comparison, so even the hashes aren't transmitted back to Blizzard unless one of them matches.

        • How does it keep you from modifying the local database and replacing the "legitimate" hashes with the hashes for the compromised (cheater) software? It would seem that in order to be secure, the comparison has to be run on a trusted machine, which by definition the machine you're scanning for cheats shouldn't be.

          I suppose they can send back a hash of the database to the server or something, but it just seems to me that if what you're describing really is the system, then it's inherently possible to compromis
    • by giafly (926567)
      1. Provide one set of servers where players can compete if they submit to anti-cheat scanning.
      2. And different server(s) for the libertarians, script kiddies and cheaters.
    • My only experience with the anti-cheating programs is WoW, so I'll just limit myself to that. I don't mind their anti-cheat software for three reasons:
      1. It's doing something to help me out. Other people cheating ruins my gaming experience, this helps to stop people cheating. Compare this to "traditional" spyware, whose only "feature" is (search assistant, IE toolbar, etc) is a tagged-on feature that is not in any way dependent on its "spying" functionality.
      2. It only runs when the game is running. This is a b
  • by digitaldc (879047) * on Monday December 05, 2005 @11:43AM (#14185112)
    ...with a name like 'Zango' that offers free games.

    It will only lead to great suffering.
  • Now he says that clicking on the popup in question installs an Apropos spyware [symantec.com].
  • by erroneus (253617) on Monday December 05, 2005 @12:38PM (#14185593) Homepage
    I think that's the most simple way to put it. These companies and companies like these simply value their own interests over that of their users in way that breaches respect for their users/customers. In addition to any legal action that is going on or should be going on, there are other actions that I think should be going on as well. Such actions should include protests and any other way that can be used to raise public awareness.

    Sony has displayed for all to see that they do not respect their users or their computer systems. 180 Solutions, as much as they have tried to deny their intent, have been shown to write code that does things that... well, it "shouldn't." Again, more than a casual or accidental display of disrespect or even contempt for the user.

    "Tarred and feathered" would be the treatment they'd receive not too many decades ago -- their leaders would be grabbed by anonymous people, put on public display and humiliated. Now that we are somehow beyond this horrible behavior in today's more civilized society, I guess these fraudsters have a lot less to fear from the anonymous public at large.

    In my view, there will probably always be these types of people. I truly fail to understand where these people come from, what they are thinking and why they think it's okay. These types of people are truly troubling to me and to my conscience somehow -- perhaps I don't feel as if I am personally doing enough... perhaps my own vigilante drive not being acted upon has something to do with it -- I suspect so. I wish and hope and dream all of the worst for these types of people since it seems these types never quite reap what they sow.
  • by Rob the Bold (788862) on Monday December 05, 2005 @01:44PM (#14186231)
    Ed Foster's Gripe Log is following the Zone Alarm v. 180 story, and he has a much more readable summary at his site: http://www.gripe2ed.com/scoop/story/2005/12/5/8255 5/7508 [gripe2ed.com]
  • False-positives (Score:3, Interesting)

    by Smallest (26153) on Monday December 05, 2005 @02:41PM (#14186716)
    We just discovered (last Friday, at 4:00pm of course) that "SpySweeper" is labelling one of our components (a general-purpose image processing library) as spyware. After a little digging, it turns out that a program called TrueActive Activity Monitor installs a file with the same name as our component.

    But, we can't tell if it actually *is* our component or if they just have a file with the same name (not very likely) - because our anti-virus and anti-spyware apps freak out when we open the TrueActive installer to see what their version of the file actually is. Either way, SpySweeper says our component is an "activity monitor" and this is freaking out both our customers and our customers' customers.

    We're talking with the people who write SpySweeper, to get this fixed, and they've been helpful so far. So hopefully, this will be resolved soon.
    • Shouldn't you really be "working with" the makers of TrueActive Activity Monitor -- whatever it is -- to uncover why they're installing one of your components as part of their software? Or at least verify that it's a completely different thing going by the same name as your component? (And by "working with" I mean 'ask politely first, and then sic lawyers at'.)

      Seems like it would be relatively easy to verify if the component is identical to yours of the same name, just by running a hash or something. In fac
  • by Animats (122034) on Monday December 05, 2005 @02:48PM (#14186797) Homepage
    Suing Zone Labs was a really dumb move for 180 Solutions. Now Zone Labs can start discovery.

    First, of course, they'll want to see all of 180 Solutions' source code, so the objective validity of the "trade libel" claim can be tested. (Truth is an absolute defense to libel under US law.) Then, they'll want to depose key programmers under oath. 180 Solutions has some unpleasant disclosures coming up.

    Zone Labs is owned by Check Point Software, which had income of $280 million on revenues of $500 million last year. They can afford litigation.

  • Subscribe to Ed Foster's Griplog for good stories about computer industry abuses. For example:

    Case Against Zone Labs (ZoneAlarm) is 180 Degrees Off [gripe2ed.com]
  • by bill_kress (99356) on Monday December 05, 2005 @06:24PM (#14188981)
    I'm starting to wonder how it's physically possible that an OS would allow ANY app to install a hook into something as important as a keyboard driver or monitor without catching it and asking the user (at least).

    Perhaps we could, hmm, motivate MS by publishing this ability as a vulnerability in the OS.

    In fact, maybe we should stop allowing the OS Manufacturers to specify what a vulnerability is and come out with a list of requirements/standards that we can validate consistently against all OSes to qualify and rate their security against each other.

    Not that everyone wants to be bothered with every little app, but we should be able to turn off the ability to install dangerous hooks just like we can turn off the ability to set cookies.

    Either that or just make M$ financially responsible for every time a keylogger steals a bank password.
  • by merc (115854) <slashdot@upt.org> on Monday December 05, 2005 @06:45PM (#14189165) Homepage
    Notably, attempts to connect to 180Solutions' servers were made while performing a sign-on to the blogger's hotmail account.

    It seems that it might be valuable research to take the logging to the next level. Specifically, he should set up a packet sniffer, either on the host itself or on the host's subnet, and monitor the payload of the spyware packets as it calls home.

    Not only would it prove interesting information to write about on his blog, but couldn't this, then, be definite proof that malevolent monitoring is actually taking place? It also seems to me that he should be called as a technical witness in the civil case against ZA.

    In addition, armed with this information it might be fun if someone in the community wrote a distributed application that would poison 180Solutions' (non-existent) databases with bogus data.

    *grumblecakes*
