Warning: Spyware bundles with free/open apps
Posted by Joseph Farthing on August 15, 2004 at 5:44 PM



How can community software developers stop their software being scammed?

By Joseph Farthing
www.methlabs.org


While the existence of spyware is now something many Internet users have grown to expect, it is hard to imagine the shock when you realise that a community-built program that you are a part of has been hijacked.
Somehow we want to believe that all software made for the Internet is pure, that every on-line application is equivalent to upstanding efforts such as Mozilla or Linux. These groups create and publish their software with a very singular aim: make good software.

However, there is a darker side to the Internet: that of spyware. We are used to the trials of useless applications designed to entice new users and then lock them into the hateful world of on-screen advertising and agreements that tell you “your Internet browsing activity may be monitored”. Most users with a few months' experience can learn to avoid these pitfalls – and many realise that the “features” provided by the application are often spurious or non-existent.

Nevertheless, we may often become apathetic to the software we install – we may choose to retrieve it from websites we trust, or try applications we know to be open source or well-received.
Now, what happens when a program you trust can be modified to become untrustworthy?

This is precisely what happened to Methlabs, the community of developers, users and beta testers behind the acclaimed PeerGuardian application.

PeerGuardian is an open source application designed to deny connections from Internet (IP) addresses owned by groups, such as the RIAA, utilising a database updated regularly in collaboration with other websites. The Kazaa Lite application also used to use this database, which is also included in the SafePeer plug-in for the Azureus peer-to-peer (p2p) network.

The program was originally developed by Tim Leonard, a 25-year-old English developer who created the program as “revenge” after Audiogalaxy was shut down. In late 2003 he released the program under the open source GNU General Public Licence, which allows free distribution and modification of the source code (the 'blueprint' that describes how software works).

For many people PeerGuardian is a simple tool to help protect their on-line anonymity, but a small group called “Openwares” have begun to publish versions of the PeerGuardian application, as well as other programs by Methlabs. These releases contain subtly modified versions of the programs, and are packaged with software that observes the user's browsing activities and displays adverts – exactly the things that PeerGuardian is meant to help protect against!

“Openwares are a perversion of the meaning of open source,” says Ken McClelland, the Chief Technical Officer of the Methlabs community.

He is now leading the fight against the spyware distributor, using public awareness campaigns and verification technology to warn users of the threat.

“The actual process of signing our products is very easy,” explained a Methlabs staff member.
“Since most p2p programs today generate a checksum based link, we may publish the links of our releases so you can actually use your p2p application of choice to verify your version of a Methlabs program like PeerGuardian or DeepDelete.” It would also be possible for users to download stand-alone programs to check the applications.

This method of “digitally signing” files is generally very hard to spoof, and would be a foolproof method to identify both real versions of the software and versions which contain spyware. The true difficulty is to convince users to run these tests.
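
The check described above, as an added example that is not code from Methlabs or from this article: it assumes the published “checksum based link” is a magnet link whose `xt=urn:sha1:` field carries the base32 SHA-1 of the release, and compares a downloaded file against it. The function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import io
from urllib.parse import parse_qs


def sha1_from_magnet(link: str) -> bytes:
    """Return the 20-byte SHA-1 digest carried in a magnet link's xt=urn:sha1: field."""
    if not link.startswith("magnet:?"):
        raise ValueError("not a magnet link")
    for xt in parse_qs(link[len("magnet:?"):]).get("xt", []):
        if xt.lower().startswith("urn:sha1:"):
            digest = base64.b32decode(xt[len("urn:sha1:"):].upper())
            if len(digest) != hashlib.sha1().digest_size:
                raise ValueError("urn:sha1 value is not a 160-bit digest")
            return digest
    raise ValueError("link carries no urn:sha1 checksum")


def verify_download(stream, published_link: str) -> bool:
    """Hash the downloaded bytes in chunks and compare with the published checksum."""
    expected = sha1_from_magnet(published_link)
    h = hashlib.sha1()
    for chunk in iter(lambda: stream.read(64 * 1024), b""):
        h.update(chunk)
    return hmac.compare_digest(h.digest(), expected)


def magnet_for(data: bytes, name: str) -> str:
    """Publisher side: build the link that would be posted on the project's own site."""
    b32 = base64.b32encode(hashlib.sha1(data).digest()).decode("ascii")
    return f"magnet:?xt=urn:sha1:{b32}&dn={name}"


# Constructed sample data: stand-ins for a genuine release and a repackaged copy.
GENUINE = b"constructed stand-in for the genuine installer bytes"
REPACKAGED = GENUINE + b" + bundled adware payload (constructed)"
PUBLISHED = magnet_for(GENUINE, "example-release.exe")

if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE), ("repackaged", REPACKAGED)):
        ok = verify_download(io.BytesIO(blob), PUBLISHED)
        print(f"{label}: {'matches published checksum' if ok else 'MISMATCH, do not install'}")
```

The comparison only means something when the link is taken from the developers' own site; a link supplied alongside a repackaged download would simply match the repackaged file.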

Following this lead, a large-scale public awareness campaign has been started by the group, hoping to draw more than one hundred thousand people who have downloaded the spyware version of PeerGuardian. They intend to apply warning messages to automatic updates, banners on both their own and friendly sites – indeed anything to stop people from using an application that provides a more than false sense of security.

“Boycott Openwares” messages are now available, and other forums are beginning to carry the message, as well as information about Openwares' activities.

The process may be difficult, however, since Methlabs is a non-profit organisation which would find achieving the same level of publicity as Openwares incredibly difficult. While Methlabs must desperately attempt to meet their own hosting costs, Openwares can afford to market their distribution on websites such as download.com which charge fees for a product's entry.
Certainly Openwares are making a significant profit from the Methlabs applications.

It is not just Methlabs who are affected, however (although PeerGuardian is among their most downloaded applications), since many other popular programs are released on Openwares' website and then onto Cnet and Zdnet, as well as other sites in multiple countries. Programs affected by Openwares include TorrentSearch, eMule++, Protowall and many other free and open source applications.

Even recent Microsoft security patches are not immune from coverage at Openwares! That is, of course, if the “patch” advertised on their site is a real patch and not simply a spyware installer.

Popular websites such as Suprnova.org are now targeted by organisations hoping to make money from the service. Recently the popular peer-to-peer application Shareaza has been promoted in spyware form.

The question that must now be asked is “Is any community, developer or website safe from the exploitation of free things from spyware developers?”


User Comments

Intermediatewet1
Date: August 16, 2004 @ 12:37 AM
Spyware is getting to be a real pain. The run of the mill spywares from reasonable legitimate companies is bad enough, though easy to remove and find.

However there is a Russian group out there selling to unscrupulous companies that is not so nice. Called coolwebsearch, it is a nightmare to remove.

It comes in many variants and among other things is a browser hijacker.

I am having my troubles with this particular spyware now, it having infected three computers and to make it worse, it has downloaded a worm into each computer.

This one is insidious. The coolwebsearch or cws is known to randomly insert registry values, the one I have at present has 1200 hidden browser toolbars and 1100 sites to d/l from. It will fill your computer with spyware. Worse, it actively filters for its name, blocking any attempt to get help from the net or a file that contains its name. If that isn't enough, it looks for spybot, most popular antivirus hunters, trojan hunters, and most spyware hunters.

It has been a nightmare to get out and have finally resorted to low level formats to remove it from all drives. The cws prevents id of the worm but bios reports it jumping when doing a partition in trying to remove it. No matter how good the spyware, it doesn't jump from partition to memory to partition again. This one is a bad combo.
DMemberFrDakota
Date: August 16, 2004 @ 4:52 AM
wet1:
This is why Internet Explorer should not be used anymore, FireFox, Mozilla and Opera are great alternatives not subjected to the problems of IE and its Active-X controls (cause of the problem).

Those browsers respect standards, are faster and more practical than IE. Trying them is loving them.

Also you'll have to uninstall Microsoft JavaVM to install Sun's which is newer and more secure.
Intermediatewet1
Date: August 16, 2004 @ 5:40 AM
How do I say this? I was using firefox9 at the time. Sun's java was long ago installed. Even uninstalled ie, media, msn, from the computer right after the os was installed as I care for none of them.

However, you can not get rid of all of ie. To do so means no icons, no start button, no taskbar. To add to it, you can not get the updates with firefox, you must use ie. Further, ie reinstalls without so much as a blink to get those updates.
DMemberWerewolf037
Date: August 16, 2004 @ 5:50 AM
I agree with FrDakota... I'm actually posting this from my own mozilla. But what makes them more secure is the fact that whenever a bug for them is produced, there are HUNDREDS of ppl working enthusiastically to patch them. THAT is the power of sharing, sharing ideas, sharing skills, working towards a common goal.
Lawyers, lobbyists and ppl who sold their souls for a couple of extra bucks are turning the internet into a digital battleground to ban freedom (in the form of excessive controls, digital laws, and such, that have the ultimate goal to give THEM the control of the information flow). No matter what happens, as long as groups of ppl are willing to work together, scums and ridiculaws (as i call em) will be short-lived.

Even if all our efforts fail, and tomorrow spyware runs rampant in the net, and u can't even send an email without paying the government for approval, remember, it is the nature of the curious mind to escape from any dogma or paradigm that enslaves it. Or... if u've seen Jurassic Park: "Nature always find the way" (of being free and boundless).
DMemberWerewolf037
Date: August 16, 2004 @ 5:53 AM
And about your "Coolwebsearch" problem, I'm gonna SHARE a solution with you wet1. I found this tool that helped me to uninstall most of it, and it also removes about 80% of the variants out there.

http://www.soft32.com/download_19014.html

Its name is CWS Shredder, give it a try...
AdvancedDeadMan2003
Date: August 16, 2004 @ 6:00 AM
Wake up news mod! :)
AdvancedDeadMan2003
Date: August 16, 2004 @ 6:02 AM
No seriously. I submitted an important news item yesterday on copyright and US congress and it was ignored. I posted it in the forums and have also resubmitted it to news.

News submissions need to be checked more regularly (At least every few hours).
Intermediatewet1
Date: August 16, 2004 @ 6:05 AM
Thank you Werewolf, already tried that and buster and several others. They are unfortunately not effective.
Advancedcaptdunsel
Date: August 16, 2004 @ 6:58 AM
wet1 -

I'm curious how you found this spyware. I had trouble with coolwebsearch before but I got it cleared up (I think) and you're right, it was a bitch to remove. what I found was that after I got it cleared up I could go into the advanced settings on Spybot and uncheck the ignore box then I could immunize so it didn't re-install. What I'm wondering is if it has found a new way to hide from me.
Otherindependentm...
Date: August 16, 2004 @ 7:36 AM
spyware sucks almost as much as DRM.
Folktomsong
Date: August 16, 2004 @ 8:40 AM
Hey wake up deadman2003! What is the source link for the CBO article?

You may know that awher spanked me publicly because I posted the CBO report. I read the report and found it remarkable. (still do.)

This article you want to post says the following:

"It is more nuanced than the takeaway suggests. However it is remarkable in its own way."

AdvancedDeadMan2003
Date: August 16, 2004 @ 9:46 AM
The news item was from theregister.

http://www.theregister.co.uk/2004/08/14/cbo_copyright_report/

They have an interesting take on it all.
Advancedcompmore
Date: August 16, 2004 @ 10:18 AM
I hate spyware. even though it has improved my computer business and kept me working it's a pain in the neck. I'd rather build systems and fix real problems, not man made ones
IntermediateNiceGuy2003
Date: August 16, 2004 @ 11:59 AM
I installed the latest version of Ad-Aware and it found the CoolWebSearch on my computer and deleted it. I didn't even know I had it.

The way I see it, once a spyware variant becomes unremovable, then it's no longer spyware, but a virus and knowingly installing a virus on someone's computer is illegal last time I checked.
DMemberJC123
Date: August 16, 2004 @ 12:56 PM
I want to change browsers but will it work with my HP printer?
Otherindependentm...
Date: August 16, 2004 @ 1:16 PM
Doesn't HP products have their own spyware built in? I know they sure like DRM in keeping you from refilling the cartridges with ink you made yourself from environmentally friendly resources. :O
Intermediatewet1
Date: August 16, 2004 @ 2:27 PM
First off, I apologise to the submitter of this article. I never meant to hijack it but you hit this one at a sensitive time.

To answer how I found it, I monitor my home network and cpu traffic often enough to become really familiar with its operating characteristics, including what is being run in task manager. How else would I know something was wrong unless there are symptoms?

Didn't find out about the worm till later, but being security conscious I always run spyware hunters after an internet session. To go from none to 216 entries over night and 420 the day after tells you that you have a problem. At the time of the 216, the spybot didn't work for removal. It would find them, just wouldn't delete them. I did those manually.
Advancedcaptdunsel
Date: August 16, 2004 @ 4:23 PM
I can appreciate what you are saying, I didn't really want to hijack the article here either but here's the thing. I had exactly the problem he's talking about here. someone bundled some crapware in with a program I installed. I had a tough time finding it because it was hiding in that software (norton systemworks) and spybot was reading it as legit. I only found it because I noticed my system slowing down really badly. I had to remove all of the rules on my firewall then recreate them one at a time to find out what was connecting out. coolwwwsearch and new.net were the worst but there was also some common client crap that installed itself with a norton update.

Now I've had really good luck with peerguardian and spybot and a couple of others but luck is a subjective thing - unaware doesn't translate to uninfected. Especially since Methlabs is warning us about this very problem. that's why I was wondering if you did something out of the ordinary to find them.
DMemberTheRealJFM
Date: August 16, 2004 @ 7:22 PM
hey :)

Thanks for support against the people who are transmitting this spyware and ruining our reputations.

The problem is that many *new* users may not know to search google (which correctly finds us) or typing in a URL of an address - clicking links are easier, and they can be spoofed etc.

We've already seen some sites that are using the correct version information to submit our software, but are actually providing the spyware version - only by downloading and testing the file could this be proven, and most download site administrators would not do this.

The problem is that we must be vigilant to identify the software immediately and stop its spread by warning people.

That's why methlabs started a public awareness campaign and are trying to help its users to help other people - by explaining the threat that people like this can cause.
Advancedcompmore
Date: August 16, 2004 @ 9:33 PM
shmoo yes they do. one is backweb. I don't mess with those because many HP customers are buffaloed into thinking these applications are good
DMembermmnuc3
Date: August 16, 2004 @ 10:29 PM
i use mozilla, and am currently about to install another hd with two different linux's on it..got them from teacher. wanna play around and see how badly microsucks sucks. hate ie, leave it in the grave. get firefox, and uninstall ie