
Thread: Ad-aware 6 False Positive

  1. #11
    Lance Delacroix Guest

    Re: Ad-aware 6 False Positive

    On 28 Jun 2003 07:23:59 GMT, Sarge <GiveMeTwenty@bootcamp.invalid>
    pronounced a fatwah thus:

    >Lance Delacroix <lance_delacroix@fastmail.fm> wrote in
    >news:edaqfvk4j0se2rg51k6rk6s1561hkgiqo9@4ax.com:
    >
    >> Ad hominem attacks are the last refuge of those defending an untenable
    >> position, sport.
    >>

    >
    >Great! You've mastered the fine art of copy and paste. Such a momentous
    >accomplishment merits the awarding of the much coveted gold star and the
    >privilege of cleaning the erasers after class. Now, for extra credit try to
    >add something of substance to the discussion.


    Would I be at risk of attacking you ad hominem if I were to venture to
    say that you are a dickhead?

  2. #12
    Aaron Guest

    Re: Ad-aware 6 False Positive

    Sarge <GiveMeTwenty@bootcamp.invalid> wrote in
    news:Xns93A5EA7A4F110u5zfr99pyqf7dwz@bootcamp.invalid:

    > siljaline <siljaline@invalid.com> wrote in
    > news:vbgkfvoodu1mfllet12ca595um0pev2as4@4ax.com:
    >
    >> That clicks through to the "i-won" domain - perhaps not a false-flag.

    >
    > How can a .gif be spyware? And how does iwon.com figure into it?
    > Nowhere on http://my.myway.com can I find a link, redirect or embedded
    > object pointing to iwon.com. But that's beside the point anyway --
    > Ad-aware is flagging the *image*. There are plenty of ways for
    > scumware authors to screw with you, but a .gif ain't one of them.


    I've seen false positives by Adaware, but it doesn't bother me really.
    It flags txt files named engine.txt or comet for example as marketscore
    and comet cursor for example. It also doesn't like the fact that I set up
    a pac file for IE etc.

    Still I use it, as a backup to Spybot S&D which I think is superior to
    ad-aware.




    Aaron
    --
    Want to learn how to use Winboard and the 150+ free Winboard
    Chess engines? Visit http://www.aarontay.per.sg/Winboard/

  3. #13
    siljaline Guest

    Re: Ad-aware 6 False Positive

    On Sat, 28 Jun 2003 15:59:28 GMT, Randall Bart <Barticus@att.spam.net> wrote:

    >This newsgroup has enough ego for ten newsgroups.


    We could use some chill around these parts...


    --
    siljaline

    "Arguing with anonymous strangers on the Internet is a sucker's game
    because they almost always turn out to be -- or to be indistinguishable from
    -- self-righteous sixteen-year-olds possessing infinite amounts of free time."
    - Neal Stephenson, _Cryptonomicon_

  4. #14
    Sarge Guest

    Re: Ad-aware 6 False Positive

    Lance Delacroix <lance_delacroix@fastmail.fm> wrote in
    news:b9rqfv0v3vpm212ks7c90b54mpaot3c3ok@4ax.com:

    > Would I be at risk of attacking you ad hominem if I were to venture to
    > say that you are a dickhead?
    >


    That's the best you could come up with? <Yawn>

  5. #15
    sponge Guest

    Re: Ad-aware 6 False Positive

    On 26 Jun 2003 03:03:03 GMT, Sarge <GiveMeTwenty@bootcamp.invalid>
    wrote:

    >siljaline <siljaline@invalid.com> wrote in
    >news:vbgkfvoodu1mfllet12ca595um0pev2as4@4ax.com:
    >
    >> That clicks through to the "i-won" domain - perhaps not a false-flag.
    >
    >How can a .gif be spyware? And how does iwon.com figure into it? Nowhere on
    >http://my.myway.com can I find a link, redirect or embedded object pointing
    >to iwon.com. But that's beside the point anyway -- Ad-aware is flagging the
    >*image*. There are plenty of ways for scumware authors to screw with you,
    >but a .gif ain't one of them.


    A gif can be symptomatic of spyware or a spyware infection attempt.
    Consider two scenarios. One is that a gif with a certain name is known
    to be packaged with brand X spyware. So, logically, the anti-spyware
    program *SHOULD* flag it as a possible sign of the presence of the
    spyware.
    The other thing is what happens in operation. When you visit a site,
    you usually are, in fact, "visiting" several sites. You may be visiting
    Yaoho.com, but you are also getting redirected to ad.doubleclick.com,
    images.atdmt.com, and whatever else. Since you are "visiting" those
    sites they can load in whatever the heck they please. Usually, they
    just drop cookies, but sometimes they may drop malicious JavaScript,
    VBScript, Java Applets, and, the worst of all, inject ActiveX
    Controls. Usually, these links come as an image link, where the image
    is an ad or web bug.

    As far as Myway goes, it is a part of Imagefarm, a major ad server
    service. Siljaline is absolutely correct that it is owned, and
    probably the same service, as IWON. Note that they have the same
    postal address and reside on the same Class C. Read below.


    06/29/03 16:45:54 whois my.myway.com
    ..com is a domain of USA & International Commercial
    Searches for .com can be run at http://www.crsnic.net/

    whois -h whois.crsnic.net myway.com ...
    Redirecting to NETWORK SOLUTIONS, INC.

    whois -h whois.networksolutions.com myway.com ...


    Registrant:
    My Way, . (MYWAY8-DOM)
    One Bridge Street
    Suite 42
    Irvington, NY 10533
    US

    Domain Name: MYWAY.COM

    Administrative Contact:
    Admins, Domain (XMELACOFBI) domain@staff.myway.com
    One Bridge Street, Suite 42
    Irvington, NY 10533
    US
    914-591-2000 fax: 123 123 1234
    Technical Contact:
    Network Solutions, Inc. (HOST-ORG) namehost@WORLDNIC.NET
    21355 Ridgetop Circle
    Dulles, VA 20166
    US
    1-888-642-9675 fax: 123 123 1234

    Record expires on 22-Nov-2007.
    Record created on 20-Sep-2002.
    Database last updated on 29-Jun-2003 02:51:04 EDT.

    Domain servers in listed order:

    DNS4.IMGFARM.COM 208.45.133.230
    DNS5.IMGFARM.COM 208.45.133.231


    06/29/03 02:48:32 dns MYWAY.COM
    Mail for MYWAY.COM is handled by mprdmxin.MYWAY.COM
    Canonical name: MYWAY.COM
    Addresses:
    208.45.133.133


    06/29/03 16:46:42 whois iwon.com
    ..com is a domain of USA & International Commercial
    Searches for .com can be run at http://www.crsnic.net/

    whois -h whois.crsnic.net iwon.com ...
    Redirecting to BULKREGISTER, LLC.

    whois -h whois.bulkregister.com iwon.com ...


    iWon.com, Inc.
    One Bridge Street, Suite 42
    Irvington, NY 10533
    US

    Domain Name: IWON.COM

    Administrative Contact
    Domain Owners-> domain@staff.iwon.com
    iWon, Inc.
    One Bridge Street, Suite 42
    Irvington,, NY 10533
    US
    Phone (914) 591-2000
    Fax
    Technical Contact
    Domain Technical-> abusemail@staff.iwon.com
    iWon, Inc.
    One Bridge Street, Suite 42
    Irvington, NY 10533
    US
    Phone (914) 591-2000
    Fax

    Record updated on-> 2001-06-12 18:22:09
    Record created on-> 1999-02-04
    Record expiring date-> 2007-02-04
    Database last updated on-> 2003-06-29 02:50:41 EST

    Domain servers in listed order:

    DNS4.IMGFARM.COM 208.45.133.230
    DNS5.IMGFARM.COM 208.45.133.231


    06/29/03 02:48:27 dns iwon.com
    Mail for iwon.com is handled by mxpita.iwon.com
    Canonical name: iwon.com
    Addresses:
    208.45.133.25


    Sponge
    Sponge's Anti-Spyware Source
    www.geocities.com/yosponge
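
The comparison made in the post above (same postal address, same name servers, same "Class C"), as an added example that is not part of the original post. The record text is condensed from the whois and DNS output quoted above; the function names are hypothetical, and "Class C" is treated as a /24 network.

```python
import ipaddress
import re

# Condensed from the whois/DNS output quoted in the post above.
MYWAY = """Registrant:
My Way, . (MYWAY8-DOM)
One Bridge Street
Suite 42
Irvington, NY 10533
US
DNS4.IMGFARM.COM 208.45.133.230
DNS5.IMGFARM.COM 208.45.133.231
Addresses:
208.45.133.133
"""
IWON = """iWon.com, Inc.
One Bridge Street, Suite 42
Irvington, NY 10533
US
DNS4.IMGFARM.COM 208.45.133.230
DNS5.IMGFARM.COM 208.45.133.231
Addresses:
208.45.133.25
"""
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

def registrant_address(text):
    """Normalised postal address: lines between the org name and the country line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines[0].rstrip(":").lower() == "registrant":
        lines = lines[1:]                       # drop the field label
    addr = " ".join(lines[1:lines.index("US")])  # skip org name, stop at country
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split())

def nameservers(text):
    """(hostname, ip) pairs from 'HOST IP' lines."""
    return {(n.lower(), ip) for n, ip in re.findall(rf"^(\S+\.\S+)[ \t]+({IP})$", text, re.M)}

def host_net24(text):
    """/24 networks of the bare address lines (the host's A records)."""
    return {ipaddress.ip_network(f"{ip}/24", strict=False)
            for ip in re.findall(rf"^({IP})$", text, re.M)}

def correlate(a, b):
    return {"same_address": registrant_address(a) == registrant_address(b),
            "shared_nameservers": nameservers(a) & nameservers(b),
            "shared_net24": host_net24(a) & host_net24(b)}

if __name__ == "__main__":
    for key, value in correlate(MYWAY, IWON).items():
        print(key, value)
```

The address normalisation matters because the two registrars format the same street address differently (two lines versus one).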

  6. #16
    Sarge Guest

    Re: Ad-aware 6 False Positive

    yosponge@yahoo.com (sponge) wrote in
    news:8d76ec03.0306282258.35c13cec@posting.google.com:

    > A gif can be symptomatic of spyware or a spyware infection attempt.
    > Consider two scenarios. One is that a gif with a certain name is known
    > to be packaged with brand X spyware. So, logically, the anti-spyware
    > program *SHOULD* flag it as a possible sign of the presence of the
    > spyware.


    Thank you for your reasoned response, but I couldn't disagree more. A
    competent spyware detection program should be able to differentiate
    between actual spyware and a simple image. False positives are no virtue
    for any security software. Indeed, prior to the updated signature in
    referencefile 0R148 Ad-aware did not exhibit this bug. I'd be *very*
    surprised if a Lavasoft developer were to state this behavior was by
    design.



    > The other thing is what happens in operation. When you visit a site,
    > you usually are, in fact, "visiting" several sites. You may be
    > visiting Yaoho.com, but you are also getting redirected to
    > ad.doubleclick.com, images.atdmt.com, and whatever else. Since you
    > are "visiting" those sites they can load in whatever the heck they
    > please.


    Not on my machine they can't. ;-)


    > Usually, they just drop cookies, but sometimes they may drop malicious
    > JavaScript, VBScript, Java Applets, and, the worst of all, inject
    > ActiveX Controls. Usually, these links come as an image link, where
    > the image is an ad or web bug.


    Well, I've yet to see a browser or OS run a GIF, JPEG, BMP, etc. as
    executable code. Not even Windows/Internet Explorer is that insecure,
    although given enough time Microsoft will probably decide to include
    that *feature* in a future release.
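
The two positions argued in this thread (flag a file because of its name, versus tell an inert image apart from something that can run), as an added example that is not part of any post and not how Ad-aware or any other product is implemented. The signature names, family labels, paths and sample bytes are all constructed for illustration.

```python
import os

# Hypothetical name-only signatures (constructed; not from any real reference file).
NAME_SIGNATURES = {"engine.txt": "ExampleFamilyA", "promo.gif": "ExampleFamilyB"}

# Leading bytes that identify common image formats and Windows executables.
MAGIC = ((b"GIF87a", "image"), (b"GIF89a", "image"),
         (b"\x89PNG\r\n\x1a\n", "image"), (b"\xff\xd8\xff", "image"),
         (b"MZ", "executable"))

def content_kind(data):
    """Classify a file by its content, ignoring its name and extension."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    if data and all(b in (9, 10, 13) or 32 <= b < 127 for b in data):
        return "text"
    return "unknown"

def name_only_verdict(path, data):
    """Flags on file name alone: the behaviour that produces the false positive."""
    family = NAME_SIGNATURES.get(os.path.basename(path).lower())
    return ("detected", family) if family else ("clean", None)

def content_aware_verdict(path, data):
    """Name match on inert content is reported as an indicator, not a detection."""
    family = NAME_SIGNATURES.get(os.path.basename(path).lower())
    if family is None:
        return ("clean", None)
    if content_kind(data) in ("image", "text"):
        return ("indicator", family)    # worth a look, nothing here can execute
    return ("detected", family)         # name matches and content is not inert

SAMPLES = [  # constructed sample files: (path, leading bytes)
    ("C:/cache/promo.gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00"),
    ("C:/chess/engine.txt", b"Winboard engine list\r\n"),
    ("C:/temp/promo.gif", b"MZ\x90\x00\x03\x00"),   # executable named like an image
    ("C:/docs/notes.txt", b"hello"),
]

def compare(samples):
    return [(p, name_only_verdict(p, d)[0], content_aware_verdict(p, d)[0])
            for p, d in samples]

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(row)
```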




