Zone Alarm Vs 180 Solutions: Zango hooks?
Sub-Seven writes "Found at Vitalsecurity.org, they detail how a Microsoft MVP pulled the Zango file to pieces, and discovered some interesting facts about exactly what a "simple" fun and games application does to a machine that it's running on. Hooking into Windows OneCare and Microsoft Antispyware? What's that all about? "
First Time I've ever seen that... (Score:5, Informative)
That's gotta be a first...
It's not just you (Score:3, Funny)
Re:It's not just you (Score:3, Funny)
Re:It's not just you (Score:2, Informative)
Re:It's not just you (Score:5, Insightful)
No kidding. The blog article has ZERO content, apart from linking to two other sites about some program that purportedly is being flagged as spyware.
If slashdot is accepting lame "my blog entry" submissions like this (and what's with the "Microsoft MVP" comment in the submission? That's like trying to give credibility to a blog entry by purporting it to come from a "high school graduate"), then I'm going to start submitting every entry I make. Maybe I'll blog about this blog entry that blogs about a blog entry and submit that.
Ah well, like I - esteemed high school graduate and Blockbuster cardholder - said - most blogging is bloggers talking about blogging [yafla.com]. (Yes, hypocrisy runs deep with this)
Re:It's not just you (Score:2)
The link that should probably have been put in the article is: http://mvps.org/winhelp2002/temp/zango.htm [mvps.org]
Of course, if Hemos had actually looked before posting...
Re:It's not just you (Score:2, Informative)
I didn't intend to make a shot at MVPs (and I'm sure there are a lot of kick-ass, very talented people with the designation. Usually it's one of their many designations). All I was doing was questioning whether it really gives any additional weight to the submission (most of the people who are linked have a BSc - how many times do submissions say "BSc holder John Topley says that...". A BSc is a much greater accomplishment than an MVP).
There are any number of
Here is the background (Score:3, Informative)
Re:First Time I've ever seen that... (Score:2)
Of course, the problem her
Re:First Time I've ever seen that... (Score:5, Informative)
I think this link is actually pretty good. I agree, the blog wasn't the most clear.
Re:First Time I've ever seen that... (Score:2)
Yes. And also: (Score:4, Insightful)
Re:Yes. And also: (Score:2)
I clicked that "read more" link to discover by the comments what the summary was about. But after I read yours, I'm losing my expectations that anybody else understood it.
Did ./ start accepting random articles, like some science journals?
I'll paraphrase the article for clarity: (Score:5, Funny)
Minor corrections (Score:2)
Removing spyware in applications (Score:5, Informative)
It is very important to realize that as long as end users continue to install these programs, marketing companies will feed their needs. You could argue for laws against these backdoor programs, but it wouldn't solve anything and in fact might make the problem worse as companies find sneakier ways to get into your desktop.
The only way to make a smart consumer is to inform them of the bad things. This means getting the word out, telling others to be careful, and even offering training for groups. My company makes a good profit on spyware, but we offer completely free training days for companies that want to save money by training their employees in safe web browsing. I don't think the answer is "Install Linux and Firefox and the problem will go away!" If Linux/Firefox occupied 90% of desktops, the marketing companies would find a way to take advantage of that platform.
Smart users are informed users are users who won't continue making the same mistakes. Finding band-aids through legislation or discrete installation of anti-spyware software isn't going to solve the problem.
As a sidenote -- the reason for training my customers in smart browsing techniques is a selfish one. As we reduce a company's cost of doing business, our referral rate skyrockets. The less we work/bill, the more work we have to bill. If you're a consultant and you're not seeing a decent increase in your customer base every year, you're not doing a good enough job. There is more work in the U.S. than is being tapped, and it is usually because companies aren't seeing things getting better.
Re:Removing spyware in applications (Score:2)
I agree that education is important in fighting these scams. And yes, I've done my part, telling everyone that I know that billing info/passwords should never be sent through e-mail, that applications should be examined before they are installed, etc. However, I often find that the increasing sophistication of spyware and phishing scams often overcomes whatever training I give (i.e.: "I know you told me not to send my billing information over e-mail but it was so convincing...). Heck, I've seen phishing
Re:Removing spyware in applications (Score:2)
Re:Removing spyware in applications (Score:4, Insightful)
I agree with everything you said, but especially this:
As a sidenote -- the reason for training my customers in smart browsing techniques is a selfish one. As we reduce a company's cost of doing business, our referral rate skyrockets. The less we work/bill, the more work we have to bill. If you're a consultant and you're not seeing a decent increase in your customer base every year, you're not doing a good enough job. There is more work in the U.S. than is being tapped, and it is usually because companies aren't seeing things getting better.
I've found this applies to whatever business you're in. I've started, grown, and sold 4 different companies, in completely unrelated industries. The more we were able to make ourselves unnecessary, the more work we got.
Re:Removing spyware in applications (Score:2)
Indeed, nothing gets you more good business than word of mouth. At one of the companies I work for, a locksmith, my boss constantly turns away work. I was talking to an employee of one of our competitors and apparently they spend a lot of time waiting for the phone to ring. It's not adverti
Re:Removing spyware in applications (Score:3, Interesting)
Succinctly put. What you just said is about 1/3rd the reason I became a libertarian and then became an anarchocapitalist. I realized that businesses that exist to grow and tread new markets are what makes this world wonderful. I saw how some corporations (not businesses) fought to stay the
Re:Removing spyware in applications (Score:2)
Educating on an issue doesn't happen overnight and doesn't have to happen from your employer. If you tell family and friends about the problems out there, the word will get out. The spammers and spywarers will be ahead of the game in the beginning, but Bad Things eventually lose out as more and more people become educated about those Bad Things. Maybe we can perf
Clever (rolleyes) (Score:4, Insightful)
Blogs are awesome.
This is worse than Spyware (Score:5, Interesting)
180Solutions was complaining that "ZoneAlarm was advising that our 180search Assistant 'is trying to monitor your mouse movements and keyboard strokes'". Well, let's see, after reading the above ... that description looks right to me.
This is worse than spyware. This could be used to transmit your account codes and PINs, passwords, etc.
Sounds like stealware(TM) to me!
Re:This is worse than Spyware (Score:5, Funny)
Whose side are you on, the **AA?
It's not theft, since they are only making a copy, and you are not deprived of the use of your account codes, PINs, etc.
Legit uses? (Score:2)
Re:Legit uses? (Score:2)
Re:This is worse than Spyware (Score:2)
Re:This is worse than Spyware (Score:2)
Re:This is worse than Spyware (Score:2)
Let's say you're making an instant messenger type of application, and you want it to show when the user has walked away from his computer. Now if you just use keystrokes in your application, that won't work cause most of the time an IM application isn't used. So you got to hook into the entire computer's keyboard and mouse motion handler, so you can see when neither the mouse nor the keyboard have been touched for five or so minutes and then you can
Re:This is worse than Spyware (Score:2)
related info (Score:4, Informative)
http://www.benedelman.org/spyware/180-affiliates/ [benedelman.org]
Interesting little side note (Score:5, Insightful)
Well, if legitimate companies are afraid to associate with spyware companies, then I'd call that a good side-effect of the Sony malware mess.
Why the blog? (Score:5, Informative)
Why link to some guy's blog with inane comments, when you can link to the page he refers to [mvps.org]? Lots more information there.
What is it with blog pages that link to another blog, which links to another blog, and so on? If this is how things are done in the blogosphere, then my already low opinion of bloggers just slipped a little. Just provide a link to the original f**king information!</rant>
Re:Why the blog? (Score:5, Insightful)
This is the principle of the "Möbius [wikipedia.org] blog", whereby the information is wholly one-sided and is repeated so often that it is taken for fact by anyone reading it. As they move from link to link, their indoctrination in the rhetoric increases, with the theoretical maximum value being reached when they return to the original "source" blog. Once a "Möbius blog" is entered, the ability of the reader to avoid reading the next blog in the series decreases proportionately.
The "Möbius blog" is also known as "Internet journalism".
Re:Why the blog? (Score:2)
What's the hook being used for? (Score:5, Informative)
The analysis [mvps.org] linked from TFA explains that he found evidence of setting a Windows hook. The question is, does Zango use that hook to collect mouse and key info, even for a short time, or are they using the hook for other purposes? What would those purposes be?
Re:What's the hook being used for? (Score:4, Interesting)
That said, I see no evidence that Zango is specifically targeting Windows OneCare or Microsoft Antispyware as TFA implies. The fact that zangohook.dll is being loaded into these processes is *NOT* evidence of this. Zango is setting a system-wide hook, which means that their hook DLL (zangohook.dll) will be automatically loaded into every process in the system that generates one of the events they are trying to hook.
There are legitimate uses for system-wide hooks. Many Single Sign-On products use them, for instance. The real question is, why exactly does Zango need to set a system-wide hook in the first place? I can't think of any legitimate reasons.
Re:What's the hook being used for? (Score:4, Interesting)
Re:What's the hook being used for? (Score:2)
Microsoft seems to disagree. From the documentation of CBTProc in the MSDN Library:
Why would you trust what the proprietor said? (Score:2)
The Sony-BMG copy prevention threads should teach modern-day /. readers that asking the proprietor what they do with the information they gather is not enough freedom for the user. According to freedom-to-tinker.com [freedom-to-tinker.com], Sony lied about their software saying they didn't track information on the user's usage, then they admitted they did and said this was okay because they didn't do anything with the information that they collected. Sony-BMG and First4Internet's uninstaller doesn't actually uninstall [freedom-to-tinker.com] the softwa
Then again, how about anti-cheat mechanisms? (Score:5, Insightful)
Don't get me wrong, cheating is a major (if not: the worst) problem in online games, but the lengths to which game providers go to assure (a) that you are using a legally bought version of the game (most important) and (b) that you are not using modified drivers, game libraries etc. in order to cheat (game company couldn't care less, but it costs them customers so they have to care..), could certainly make some of them be rated as 'spyware'. Then again, so can Windows XP itself. After users accepted that activation crap from Microsoft, where else could you expect this thing to go? If Microsoft is allowed to do it, then why not $small_corp_with_questionable_ethics?
(obviously, the answer is that Microsoft should not be allowed to do it in the first place, either. But as it is, this company might actually have a point - if Sony can do it and not be detected for over half a year, why can't they? The idea is ridiculous of course, but hey...)
Re:Then again, how about anti-cheat mechanisms? (Score:2)
If that is the case, then it's almost impossible to gather anything from your computer that they're not specifically looking for.
I think the problem with VAC isn't that it's invasive, it's that it's not effective enough to keep up with month's-old exploits, and the problem I hear with Punkbu
Re:Then again, how about anti-cheat mechanisms? (Score:2)
The database is also downloaded to your machine to do the comparison, so even the hashes aren't transmitted back to Blizzard unless one of them matches.
Re:Then again, how about anti-cheat mechanisms? (Score:3, Interesting)
I suppose they can send back a hash of the database to the server or something, but it just seems to me that if what you're describing really is the system, then it's inherently possible to compromis
Give players the choice (Score:3, Interesting)
Re:Then again, how about anti-cheat mechanisms? (Score:2)
The lesson? Never trust a company... (Score:4, Insightful)
It will only lead to great suffering.
Re:The lesson? Never trust a company... (Score:3, Funny)
The article blog just got updated. (Score:2)
180 Solutions and Sony do not respect (Score:3, Insightful)
Sony has displayed for all to see that they do not respect their users or their computer systems. 180 Solutions, as much as they have tried to deny their intent, have been shown to write code that does things that... well, it "shouldn't." Again, more than a casual or accidental display of disrespect or even contempt for the user.
"Tarred and feathered" would be the treatment they'd receive not too many decades ago -- their leaders would be grabbed by anonymous people, put on public display and humiliated. Now that we are somehow beyond this horrible behavior in today's more civilized society, I guess these fraudsters have a lot less to fear from the anonymous public at large.
In my view, there will probably always be these types of people. I truly fail to understand where these people come from, what they are thinking and why they think it's okay. These types of people are truly troubling to me and to my conscience somehow -- perhaps I don't feel as if I am personally doing enough... perhaps my own vigilante drive not being acted upon has something to do with it -- I suspect so. I wish and hope and dream all of the worst for these types of people since it seems these types never quite reap what they sow.
Some extra info at gripe2ed.com (Score:4, Interesting)
False-positives (Score:3, Interesting)
But, we can't tell if it actually *is* our component or if they just have a file with the same name (not very likely) - because our anti-virus and anti-spyware apps freak out when we open the TrueActive installer to see what their version of the file actually is. Either way, SpySweeper says our component is an "activity monitor" and this is freaking out both our customers and our customers' customers.
We're talking with the people who write SpySweeper, to get this fixed, and they've been helpful so far. So hopefully, this will be resolved soon.
Re:False-positives (Score:2)
Seems like it would be relatively easy to verify if the component is identical to yours of the same name, just by running a hash or something. In fac
Lawsuit will lead to discovery (Score:3, Insightful)
First, of course, they'll want to see all of 180 Solutions' source code, so the objective validity of the "trade libel" claim can be tested. (Truth is an absolute defense to libel under US law.) Then, they'll want to depose key programmers under oath. 180 Solutions has some unpleasant disclosures coming up.
Zone Labs is owned by Check Point Software, which had income of $280 million on revenues of $500 million last year. They can afford litigation.
Subscribe to Ed Foster's Griplog... (Score:2)
Case Against Zone Labs (ZoneAlarm) is 180 Degrees Off [gripe2ed.com]
I'm not normally a MS basher or anything.. (Score:3, Interesting)
Perhaps we could, hmm, motivate MS by publishing this ability as a vulnerability in the OS.
In fact, maybe we should stop allowing the OS Manufacturers to specify what a vulnerability is and come out with a list of requirements/standards that we can validate consistently against all OSes to qualify and rate their security against each other.
Not that everyone wants to be bothered with every little app, but we should be able to turn off the ability to install dangerous hooks just like we can turn off the ability to set cookies.
Either that or just make M$ financially responsible for every time a keylogger steals a bank password.
Further research and logging should ensue (Score:3, Insightful)
It seems that it might be valuable research to take the logging to the next level. Specifically, he should set up a packet sniffer, either on the host itself or on the host's subnet, and monitor the payload of the spyware packets as it calls home.
Not only would it provide interesting information to write about on his blog, but couldn't this, then, be definite proof that malevolent monitoring is actually taking place? It also seems to me that he should be called as a technical witness in the civil case against ZA.
In addition, armed with this information it might be fun if someone in the community wrote a distributed application that would poison 180Solutions' (non-existent) databases with bogus data.
*grumblecakes*
Re:Wow first post? (Score:2, Funny)
One word: Duh.
Software firewalls?! (Score:4, Interesting)
My conspiracy theory is that they have big investments in the software firewall companies...and in existing non-router cablemodems.
SO we suffer.
Hey - _I_ need a software firewall (Score:2)
Nothing wrong with software firewalls... (Score:3, Informative)
Done and done [multitech.com]. Other types of "dial-up routers" exist, but this is the one I re-found first. Again, nothing wrong with software firewalls, as I like knowing when programs try to use the network, but they aren't a magic bullet.
Re:Hey - _I_ need a software firewall (Score:2)
As another person already pointed out, there are a multitude of dial-up capable routers on the market today. Most of them have been phased out in favour of broadband-only variants but some are still produced. Many models have both dial-up and broadband capabilities, some even go to the extent of using dial-up as a failover i
Re:Software firewalls?! (Score:2, Informative)
Just because you don't have a use for them doesn't mean they don't serve a purpose.
Re:Software firewalls?! (Score:5, Informative)
Errr... because quality software firewalls (like ZoneAlarm) and home hardware firewalls/routers protect against two entirely different problems?
Home Routers/Firewalls protect your machine against INBOUND, unsolicited connection requests. This makes you immune to attempts to exploit server-type services, like file-sharing, IIS holes, etc. This lets me run VNC, Apache, whatever on my home machine and not have to worry about keeping patches up to date (or even setting a password, for that matter.)
Software firewalls protect you against OUTBOUND connections you did not authorize. Port-blocking does nothing to stop this because a nefarious software vendor can't be stopped from sending an outbound request on port 80 by an external firewall.
I can't count how many programs (even legit ones) that shouldn't be talking to the internet keep requesting outbound connections. (This is all caught by ZoneAlarm.)
SirWired
Re:Software firewalls?! (Score:3, Insightful)
That is not correct. Typical home routers are Network Address Port Translation (NAPT) devices that translate private internal addresses to a single public external address. Stopping unsolicited external connections is a beneficial side-effect of NAPT because there is no translation rule for the NAPT router to pass traffic inward. Now, many NAPT routers can't properly handle dynamic protocols like gaming protocols
Re:Software firewalls?! (Score:4, Informative)
A NAT box does indeed protect from incoming connections (provided that you do not use DMZ and port forwarding). This may indeed be considered to be a side-effect, but that does not mean that it does not work. How well these routers work for gaming is another matter entirely. And as far as gaming goes, I am certainly not an expert as I am not into on-line games, but each game should specify which ports it uses so that you can open those ports in your NAT box. Having to use DMZ for a game is silly and dangerous.
What the GP post said is correct. Software firewalls offer outbound protections. You are right that their first purpose is to protect from inbound threats, but if you have a NAT, you have NO inbound threats (except perhaps for those ports used for games when your game software is not running). Filtering outbound connections is the only reason that I use a software firewall. In fact, my software firewall has NEVER had to block an incoming connection since I built my present computer over a year ago, thanks to my NAT box.
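The two posts above (SirWired's inbound/outbound distinction and the NAPT "no translation rule" reply) describe behaviour that is easy to see in a small model. The following Python is an added example, not code from any poster or product: a toy NAPT table, a port-forward entry to show the DMZ/port-forwarding caveat, and a per-application egress policy standing in for a host firewall. All addresses, port numbers and process names are constructed for the demonstration.

```python
"""Toy model of a home NAPT router versus a per-application host firewall.

Constructed example: addresses are from the documentation ranges
(RFC 5737) and process names are invented. It models the translation
table only, not real packet handling.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    app: str = ""  # originating process; only the host itself knows this


class NaptRouter:
    """Translates inside (ip, port) pairs to ports on one public address."""

    PUBLIC_IP = "203.0.113.5"  # constructed public address

    def __init__(self):
        self.table = {}          # (inside_ip, inside_port) -> public_port
        self.reverse = {}        # public_port -> (inside_ip, inside_port)
        self.port_forwards = {}  # static rules: public_port -> (ip, port)
        self.next_port = 40000

    def outbound(self, pkt):
        """Outbound traffic always passes; a mapping is created on demand.
        The router sees only ports, so a browser and adware both talking
        to port 80 are indistinguishable here."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return Packet(self.PUBLIC_IP, self.table[key], pkt.dst_ip, pkt.dst_port, pkt.app)

    def inbound(self, pkt):
        """Return the translated packet, or None if no rule exists.
        Without a dynamic mapping or a static forward there is nowhere
        to send the packet, which is the 'side-effect' protection."""
        target = self.reverse.get(pkt.dst_port) or self.port_forwards.get(pkt.dst_port)
        if target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.app)


class AppFirewall:
    """Host-side egress policy keyed on the originating process."""

    def __init__(self, allowed_apps):
        self.allowed = set(allowed_apps)
        self.blocked = []

    def egress(self, pkt):
        if pkt.app in self.allowed:
            return True
        self.blocked.append(pkt)  # what ZoneAlarm-style prompts would surface
        return False


def simulate():
    """Run the four scenarios from the thread and return the outcomes."""
    lan = "192.168.1.10"
    router = NaptRouter()
    fw = AppFirewall({"browser.exe"})
    results = {}

    # 1. Browser fetches a page: mapping created, the reply finds its way back.
    out = Packet(lan, 51000, "198.51.100.7", 80, "browser.exe")
    fw.egress(out)
    translated = router.outbound(out)
    reply = Packet("198.51.100.7", 80, NaptRouter.PUBLIC_IP, translated.src_port)
    results["reply_delivered"] = router.inbound(reply) is not None

    # 2. Unsolicited probe at the VNC port: no rule, dropped at the router.
    scan = Packet("192.0.2.99", 4444, NaptRouter.PUBLIC_IP, 5900)
    results["unsolicited_dropped"] = router.inbound(scan) is None

    # 3. The caveat: a port forward (or DMZ host) reopens that path.
    router.port_forwards[5900] = (lan, 5900)
    results["forwarded_port_reachable"] = router.inbound(scan) is not None

    # 4. Adware phoning home on port 80: the router passes it like any
    #    other web traffic; only the host firewall, which knows the app, objects.
    phone_home = Packet(lan, 51001, "192.0.2.50", 80, "adware.exe")
    results["router_passes_phone_home"] = router.outbound(phone_home) is not None
    results["app_firewall_blocks_phone_home"] = not fw.egress(phone_home)
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The model deliberately omits connection state and source-address checks; the point is only that the router's decision is port-based and the host firewall's is process-based, which is why the two protect against different things.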
Re:Software firewalls?! (Score:2)
As far as the DMZ goes... Anybody that sets up the DMZ on a router better know exactly what they are doing, and the two routers I have dealt with have thrown up warning boxes that setting up a DMZ was a bad idea. Personally, I think that any protocol designer for the last couple of years that can't decide on a single inbound port, knowing how common home routers are,
Re:Software firewalls?! (Score:2, Informative)
We need a hybrid (Score:2)
Now one way would be to have a piece of software running on the client boxes whic
Re:We need a hybrid (Score:3, Interesting)
Oh wait, we just described identd...
Re:Software firewalls?! (Score:3, Informative)
I can't count how many programs (even legit ones) that shouldn't be talking to the internet keep requesting outbound connections. (This is all caught by ZoneAlarm.)
For OS X users, try Little Snitch [obdev.at] (http://www.obdev.at/products/littlesnitch/index.html) for the same functionality. Some of the outbound connections Adobe software attempts to make (weird out of country IP addresses) are scary.
Re:Software firewalls?! (Score:3, Informative)
I think it's actually superior to ZoneAlarm on the PC, because it provides more flexible options for blocking outbound connections. When an application that's not on the whitelist tries to initiate a connection, you get the option of allowing it to connect to any server on any port, any server but only on on
Re:Software firewalls?! (Score:2)
What we really need is a cheap, standalone appliance with an application-level firewall that can determine what application is sending requests by looking at packet contents (I know this is difficult). This
Impossible (Score:2)
What you are suggesting is not just difficult - it is impossible (for well designed malware). For example, malware could just talk http with ssl with some server and you'd never know which application was doing it.
You really need applications to not require Admin access to install (e.g. OS X) and then yo
Re:Impossible (Score:2)
Re:Impossible (Score:3, Interesting)
Huh? Sure it is possible. Application proxies have been around for a long, long time. Secure Computing has one, as does Cyberguard, and Symantec. Now in their cases, "application level" enforces the layer 7 and downward protocols for some services, not all. For example, they all have HTTP, FTP, SMTP, IMAP, and POP3 application level proxies. Some support Oracle's SQL*Net V1 or V2. Others support H.323 but not SI
Check again (Score:3, Insightful)
Your suggestion was:
How does t
Re:Check again (Score:2)
The point about SSL is that the data is encrypted and an application layer firewall can't look into the payload. So I probably wasn't clear about why I recommended an SSL Proxy. Try it this way. The SSL Proxy decrypts and re-encrypts traffic between the client and the server. Prior to passing the now unencrypted traffic to the other side, i
Re:Check again (Score:2)
Re:Software firewalls?! (Score:2)
I understand the objections: it probably would be a lot less effective against malware that encrypts its transmissions and masquerades as a legitimate HTTPS session or something, but it would at least give a greatly increased amount of control to home network operators, control which is currently limited to enterprise networks.
The product I'd love to see a free alternative to is the Packeteer PacketShaper. It's a hardware device that inspects packets individually and compa
Are you kidding? (Score:2, Informative)
If your PC is compromised enough that you have unwanted programs sending data to third parties...you've got much bigger problems. If that malicious code is already running on your machine, your 'software firewall' is just as vulnerable as any other program.
Re:Are you kidding? (Score:2)
Err... what do you do about software sending outbound connection requests on port 80? I certainly hope you aren't going to plan on blocking that one.
SirWired
Re:Are you kidding? (Score:2)
Actually, many or most are. But they aren't necessarily as easily modded as the WRT54G, or have the same community.
Re:Software firewalls?! (Score:2)
Re:Software firewalls?! (Score:3, Insightful)
Sorry, good idea, but there's no real standard between OS's on reserved ports in the sub 1024 range. Ports which you may not want exposed to the world on a windows box could run a perfectly secure service on a
Re:Software firewalls?! (Score:2)
The last thing I need is them installing some overprotective, nannying firewall at the head end and limiting what I can do with my connection. What I do on my end, as long as it's not damaging to the network in some way (relaying spam or something) isn't their business or their problem.
Maybe I want to leave my system open to the public net for some reason; perhaps so I can access my iTunes
Re:Software firewalls?! (Score:2)
Re:Software firewalls?! (Score:2)
Re:Software firewalls?! (Score:2)
What so many people on this venerable forum tend to forget is that the OTHER 98% of Internet users probably don't even know what a firewall is, let alone how to configure same.
If you're using SOHO broadband service, you are not paying for an SLA. You ar
Re:Oh my - A Microsoft MVP! (Score:5, Insightful)
What about all those people providing support on Linux/MySQL/Apache mailing lists/forums etc - what are they? Unemployed losers or OSS champions?
Re:Oh my - A Microsoft MVP! (Score:2, Funny)
Re:Oh my - A Microsoft MVP! (Score:2)
Re:Oh my - A Microsoft MVP! (Score:2)
Yes.
Re:Oh my - A Microsoft MVP! (Score:5, Insightful)
Those active in other communities (i.e. Linux) are not told that they are unemployed losers for helping people out. So what if a bunch of us want to actually help people by making use of our expertise?
Not every MVP is an expert in every area, but they are an expert in the area that they were awarded in. For example, my award is in Mobile Devices, but I'm far from being an expert in FoxPro.
Re:Oh my - A Microsoft MVP! (Score:2)
Do I bring it up in everyday conversation? No. Just like I don't bring up any of my other certifications or educational qualifications either (like my MCP, or even my BSc).
Re:Oh my - A Microsoft MVP! (Score:3, Informative)
You're right that it's a participation award, however - it's definitely people who are helpful to the community rather than *necessarily* the brightest stars. You don't necessarily have to be a genius to help a lot of people. That doesn't mean there aren't plenty of
Re:Oh my - A Microsoft MVP! (Score:5, Interesting)
The MCSE jokes on
Perhaps the next time you send a question off to debian-users, for example, hoping for an answer from one of the "regulars", you avoid suggesting that any of them must be an unemployed loser for bothering to respond. Unless playing the part of a troll is somehow more rewarding.
If it sounds like I'm pissed off, yeah, I am. Having to defend something Microsoft related on
As for anyone else using Windows and is unfamiliar with usenet, I'd suggest exploring the ms.public hierarchy with whatever news client you have available, and get into the habit of reading a few of them before applying the latest patch or service pack, or are otherwise trying to resolve an issue or trying to learn something. The top posting is murder, but the information is free and unlikely to be available to the same extent anywhere else.
Re:Oh my - A Microsoft MVP! (Score:2)
Thanks,
Leabre
Re:Hmm (Score:2)
180 complaining is in the same league with Saddam complaining that he is being prosecuted. These are the kind of people for whom cruel and inhuman torture are just too lenient. If I had any say in it, anyone who works for 180 would be battered to death with a spam can, then hung at Tyburn, and very publicly drawn and quartered. To an accompaniment specially compos