Sunday, November 12, 2006 3:25 PM
sandi
Messenger Plus! Live 4.10 has been released - time to take another look at the installer and sponsor program
Now that a new version of Messenger Plus! Live has been released, it is appropriate to have another look at the Messenger Plus! Live installer and sponsor program.
I installed Messenger Plus! Live and the Sponsor Program on an XP system running IE7.
You can find screenshots of the installation routine here and other bits and pieces here:
http://www.ie-vista.com/graphics3.html
The Messenger Plus! Live Sponsor Program is still being used to spread WINFIXER malware - details below.
I also saw what seems to be a FAKE eBAY LOG-IN PAGE in a pop up window - details below.
No shortcuts were placed on my desktop, and no favorites were added. My home page was not changed, and there was no toolbar.
My default search settings were not changed.
The Sponsor Program is still the malware commonly known as LOP aka Swizzor Trojan.
http://sarc.com/avcenter/venc/data/adware.lop.html (Symantec)
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024 (Computer Associates)
http://vil.mcafeesecurity.com/vil/content/v_120626.htm (McAfee)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SWIZZOR.AG (Trend Micro)
http://www.f-secure.com/v-descs/swizzor.shtml (F-Secure)
http://www.sophos.com/virusinfo/analyses/trojswizzorbq.html (Sophos)
According to the EULA (relevant sections boxed in red):
- You must be at least 18 years of age.
- The Sponsor will add itself to the IE pop-up blocker exclusion list:
http://www.ie-vista.com/images/410_7.png
- You are not allowed (and you will not allow anybody else) to use third party uninstallers or antispyware applications to remove the Sponsor Program.
- The Sponsor Program will edit your HOSTS file to remove any blocking of its domains. It may bypass router or firewall alerts when accessing the internet.
- The Sponsor may be updated, replaced or modified at any time "automatically or by other means".
- Your IP address will be collected, and a unique software identifier assigned to you. Operating system, CPU speed, browser type and version, screen resolution, time zone selected and version numbers of "some of the software installed on your computer" are also collected.
- A historical record of content and advertisements delivered by the software, and "the response rate associated with the content and advertisements that was delivered to you" is collected.
- The Sponsor will not transmit URLs you visit but the Program will generate advertisements based on "keywords in the Web sites you visit".
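The HOSTS-file clause above can be checked for by comparing the current HOSTS file against a known-good snapshot and reporting blocking entries that have vanished or been repointed. The following is an added example, not code from the original post; the domain names and both sample files are constructed placeholders.

```python
import ipaddress

def _is_sinkhole(addr):  # loopback or unspecified address = a blocking entry
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def parse_hosts(text):
    """Map each lower-cased hostname to the first address listed for it."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        for name in fields[1:]:  # one line may carry several hostnames
            entries.setdefault(name.lower(), fields[0])
    return entries

def lost_blocks(baseline, current):
    """Return {hostname: status} for blocks present in baseline but not in current."""
    before, after = parse_hosts(baseline), parse_hosts(current)
    findings = {}
    for name, addr in before.items():
        if not _is_sinkhole(addr) or name == "localhost":
            continue
        now = after.get(name)
        if now is None:
            findings[name] = "removed"
        elif not _is_sinkhole(now):
            findings[name] = f"repointed to {now}"
    return findings

# Constructed sample data; the domain names are placeholders, not from the post.
BASELINE = """\
127.0.0.1   localhost
0.0.0.0     ads.sponsor.example  track.sponsor.example  # blocked by admin
127.0.0.1   Popups.Sponsor.Example
0.0.0.0     other-blocked.example
"""
CURRENT = """\
127.0.0.1   localhost
# 0.0.0.0   ads.sponsor.example
203.0.113.7 track.sponsor.example
0.0.0.0     other-blocked.example
"""
if __name__ == "__main__":
    print(lost_blocks(BASELINE, CURRENT))
```

On a real system the baseline would be a copy of the HOSTS file saved before installation, and the current text would be read from `%SystemRoot%\System32\drivers\etc\hosts`.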
MP!L has no age restrictions, and the MP!L EULA makes no mention of age restrictions applying to the Sponsor Program, but at the same time the Sponsor Program requires that users be at least 18 years of age. The Messenger Plus! Live installer does not clearly state that its users must be at least 18 before they may install the Sponsor Program. Patchou actively encourages users to install the Sponsor, irrespective of their age.
Yes, I know that the Sponsor Program EULA states that you must be over 18 to install the Sponsor, but that part of the Sponsor Program EULA cannot be seen unless you scroll down and users have no reason to suspect that there is a conflict in age requirements between the two programs.
Subtle emotional/psychological pressure is placed on anybody who installs MP!L to also install the Sponsor via the statement "I refuse to give my support" that is part of an MP!L install dialogue window.
The Messenger Plus! Live Sponsor Program is still spreading malware and content inappropriate to minors.
Within hours of installing Messenger Plus! Live 4.10 I saw this:

Once again, false security claims are being made about users' computers.
When you close the tab or Internet Explorer you see this:

I have caught the Messenger Plus! Sponsor being used to install Winfixer on victims' machines several times before - two examples being:
April 2006
http://msmvps.com/blogs/spywaresucks/archive/2006/04/07/89692.aspx
30 June 2006
http://msmvps.com/blogs/spywaresucks/archive/2006/06/30/103407.aspx
There are more examples, but my blog's Search feature is broken at the moment thanks to an update and I'm finding it a little hard to gather the links. It may be a while before it's working again.
An eBay phish???
Surely the real eBay wouldn't be behind this!! If they are, they should be damned ashamed of themselves.
A weird eBay page appeared in a pop-up: note there is no status bar, no address bar, and the window cannot be resized. In addition, right-clicking did not work, making it difficult to view the page's source code without messing around with Web browser security settings in ways that no user should have to do in order to establish the veracity of a financially sensitive Web site.
http://www.ie-vista.com/images/graphi27.jpg
Clicking on the sign-in link resulted in another window, this time apparently an eBay log-in screen. Again there was no status bar, no address bar, and no way to view the page's source code, making it very difficult to establish if the page is authentic.
http://www.ie-vista.com/images/graphi29.jpg
Age inappropriate advertisements
Remembering that MP!L is very attractive to children and teenagers, the following advertising examples are inappropriate.
Games:
http://www.ie-vista.com/images/graphi25.jpg
Gambling (with a requirement to install software):
http://www.ie-vista.com/images/graphi31.jpg
If you click on the red window close button to prevent installation of the gambling software you see:
http://www.ie-vista.com/images/graphi33.jpg
Online dating complete with gratuitous close-up breast shot:
http://www.ie-vista.com/images/graphi23.jpg
Passion.Com:
http://www.ie-vista.com/images/graphi38.jpg
In short, there is no improvement in disclosure and users of the MP!L Sponsor Program are still put at direct risk of malware infection. Even worse, they may be being exposed to a potential phishing site.
Patchou - is he an MVP with "revoked privileges" or an "inactive" MVP?
Patchou said on his news site on 8 November 2006 that "... many people seem to think that my MVP award was revoked which isn’t what actually happened. What did happen was that my active MVP status was revoked (for reasons you may or may not agree on) and yes, there is a big difference there. To quote Microsoft, the award itself was given to me “on the basis of his technical expertise and strong community contribution” and that’s just not something that you can take back. I have now received my MVP certificate as well as all the associated gifts like every other MVP, I’m still very proud of it, and I’m happily continuing my relationship with the Windows Live Messenger team. So, what does this revocation mean? Just that I won’t be able to log-in into MVP-only newsgroups anymore this year, or display the MVP logo every time I write a blog somewhere. So as you can see, that’s no big deal, no big deal at all, the recognition itself is what matters :)."
I was very surprised at Patchou's comment that it was only his "active MVP status" that was revoked. As far as I knew there was no such thing. You're either an MVP or not. It is true that MVPs can be denied access to some MVP facilities and benefits, but that is dependent on whether or not you are willing to sign various NDAs or licence agreements, not any sort of active or inactive status. As for the award packages themselves, they are printed, packaged and often posted before or as soon as, or very shortly after, Awards are announced.
Back in 2004 Patchou announced he was an MVP - it turned out he wasn't, but it was never publicly acknowledged that his claim of MVP status back in 2004 was incorrect. This has resulted in a long-standing, and incorrect, belief that Patchou's statement, and those by his supporters about the issue, were true. Even today I get the occasional email from people believing, incorrectly, that Patchou was an MVP in 2004. Patchou's latest statement about the events of this year should be clarified to ensure that there is not another misunderstanding.
I referred MVP Program Management to Patchou's statement on his news site, and the comment at Wikipedia (now deleted, but you can still see it in the page history) that "Despite the fact that his MVP award privileges were later revoked to stop the controversy, the award itself was still delivered to Patchou and remains a proof of his accomplishments.".
The question I asked of MVP Program Management was:
"No beating around the bushes about "only his privileges were revoked", or "the award itself was delivered", or "it's only his active status that was changed". Is he [Patchou], or is he not, a Microsoft MVP. Was his MVP award revoked, or just his 'privileges'?".
The response I received from MVP Program Management is that Patchou is not an MVP.
I can understand why Patchou would want to present the facts around the revoking of his MVP Award in the best light possible - I think most people would do the same thing in the same or similar circumstances. But, that being said, it should be understood that Patchou did not just have his "active MVP status" revoked, nor was it just his "privileges" that were removed.
I think it was very fair and reasonable that Patchou was able to keep his award package and the printed certificate, but that is all it was - being able to keep his gifts - it does not signify any sort of half or pseudo or inactive MVP status. I also think it is fair and reasonable to acknowledge that Patchou was recognised for "technical expertise and strong community contribution", but that technical expertise and strong community contribution was not, and is not, enough to cancel out the fact of his ongoing close relationship with C2Media aka Lop aka Circle Development Ltd, or the malware risk that his Sponsor Program continues to expose his users to.
I continue to hope that one day Patchou will sever ties with C2Media/Lop/Circle Development Limited and find a different way to make money. Nobody's right to earn an income is greater than another's right to be safe from malware, or the right to expect that when we "support" somebody our computers will not be placed at risk of malware infection as a result of that support.