Contributed by: filbert Tuesday, August 23 2005 @ 09:54 AM CST
On those who complain about advice offered free of charge:
When I was but a wee lad (I really was young once, and did not, despite popular legend, spring fully formed from the head of Zeus) my Grandmother always told me, “If you can’t say something nice, just keep your mouth shut, you stupid little jackass.”
Note: The irony of that was lost on me (amid deep psychological scars) until recently.
Therefore, to the bitter, ungrateful (and fearful – did you really need to use an anonymous remailer?) folks out there, and in the spirit of my grandmother’s advice, I’ve decided that I will personally fund the following offer:
If you find that you’re displeased in any way with the service provided by the Internet Storm Center, we will cheerfully refund double the amount of money that you pay us… you stupid little jackass.
You may now return to your drab, wretched lives.
After having gotten that out of his system, Tom turns to business. He delights (possibly not the right word) in analyzing “malware” — otherwise known as “spyware” or just as “@#$@#$@$!!!! My $@#$ computer’s slow as molasses!”
AntivirusGold showed up on Joe’s machine as avg.exe, 2,663,231 bytes of NullSoft installer goodness. (Note: AntivirusGold should not be confused with AVG Antivirus by Grisoft. Through an unfortunate coincidence of naming, they sound a whole lot alike. They aren’t. The folks at Grisoft are good people, and I don’t want any confusion about names to lead anyone to think otherwise.)
When an installer weighs in anywhere over 2MB, you gotta figure that what’s going to come out the other side may not be too pretty. AntivirusGold certainly doesn’t disappoint. The programmer in me could spend quite a few paragraphs enumerating the slipshod results of unintelligent software engineering, but let’s just leave it at this: I have about as much respect for their programming talent as I have for their taste in color.
“So it’s another poorly written piece of software,” I hear you cry. “If that was a crime, Redmond would be a penitentiary.”
“True,” I reply, “and if these folks stopped there, then I would only make fun of them behind their backs, like I do to Microsoft.”
The problem is, they don’t stop there.
You see, AntivirusGold is a nasty little lying piece of software.
What did you say, Tom?
“A nasty little lying piece of software.”
Got it now?
AntivirusGold does indeed act something like antivirus software. It scans through registry entries and cookies looking for the likes of Gator, Bonzi Buddy, et al. It looks through the filesystem and tries to find programs that match up (by filename only, not any type of signature) with a list of “known bad” files.
If it stopped there, then it would simply be a poorly written, ineffective spyware/virus scanner.
But there’s more.
When it gets all done doing its scan, it tells you what it found and offers to remove it for you. Just like every other spyware/virus scanner…
But this one does it for a price.
Yes, you see, AntivirusGold pops up a window telling you “You are infected!”, and offers to remove the “spyware” that it found. But when you click on the “Remove spyware” button, rather than removing something, it only offers you the option to register the program to the tune of $29.95.
The implication is obvious: “I found something bad on your machine, and it’ll cost you three sawbucks to get it gone.”
And what, pray tell, did AntivirusGold find that required removal and made it worth my hard-earned $29.95?
Nothing.
Absolutely nothing.
Using monitoring software, I watched as AntivirusGold scanned my machine.
I watched it looking for registry entries.
I watched it looking for cookies.
I watched it looking for files.
It didn’t find a thing. Every query that it made for a cookie, a registry entry, or a file came back empty.
Now it’s not exactly surprising that it didn’t find anything. You see, AntivirusGold was running on a fresh, clean, brand-spankin’ new install of Windows XP Home Edition that had never been used and never connected to the Internet.
Doh!
The only non-default software on the machine was AntivirusGold itself.
And yet, I was “infected” with “spyware.”
The astute reader may draw their own conclusions.

[*1] http://isc.sans.org/diary.php?date=2005-08-22