HOSTS Spybot F-Secure BackWeb

[Ron Reaugh]

What in general constitutes malicious or criminal distribution of harmful
and uninvited code/programs? Such is generally clear in situations like the
Swen virus which is a crime and arrests are made.

Here's one I dealt with recently which I'll indict the BackWeb folks. And
F-Secure because of their un-natural association therewith.

Suddenly one afternoon at a small company an XP Pro(fully patched and Nav
latest defs protected) workstation was unable to find/bring-up
www.google.com on the web. Each time a specific IP address would appear
instead. So I started investigating. The first thing of course was to
suspect a virus, trojan or worm. The fact that Google and only Google had
stopped working seemed to me to constitute a malicious interruption of
service/operation so something that NAV would find was what I started
looking for. So I double checked NAV defs to be the latest and NAV found
nothing. A search at Symantec found nothing so I decided to try another AV
program and downloaded F-Secure trialware and it found nothing. I could
find nothing wrong but just Google wouldn't work. I ran the latest Adware
6.181 + latest defs and it found a usual few things which got removed but
still NO Google operation.

So I asked myself what that strange IP was and striking out finding
anything, I simply submitted that IP to Goolge-Web and then Google-Group
on another unaffected workstation.

Soon I found that what this was is a form of "BROWSER HIJACKING".
Something that started by those sites that overwrote your homepage setting
in IE. A behavior that I consider nearly illegal when done without user
approval which is often that case. However MS seems to do it so that
implies legal acceptability.

So I downloaded SpyBot which is more agressive and more tedious than AdWare
and ran Spybot which found a ton of stuff and started removing the crap it
found. Soon I had a machine that was frozen and wouldn't complete a boot.
This was rather unexpected as I've used SpyBot before with no problems.

This new hijacking behavior involves overwriting the Windows HOSTS file and
apparently it's BackWeb code. It hijacks all searches to some brand-X
search site and apparently BackWeb contains some anti SpyBot code also.

Overwriting the HOSTS file destroyed user data as the HOSTS file was in use
at this company and of course Google operability was maliciously
interrupted. The fact that this is a file and was maliciously over written
constitutes a felony in my opinion. My Google research found that
apparently some code by the BackWeb folks, which is immediately attacked by
SpyBot and less so be AdWare, is the culprit.

Anti-Virus folks need to be lilly white and avoid all appearances of nasty
involvements. The freeze up of that XP Pro machine was due to the
interaction of SpyBot and ANOTHER VERSION of BACKWEB THAT F_SECURE FOLKS
EMBED IN THEIR TRIALWARE. That interaction caused me hours of hand
debugging and uninstalling in safe-mode to regain operability on that XP Pro
workstation.

The fact that F-Secure installed BackWeb, which attacks Spybot, on that XP
Pro machine without user permission constitutes a complete impeachment of
F-Secure as a reputable security company.

BLACKLIST if not prosecute F-SECURE.

Prosecute anyone over-writing the file HOSTS without premission.

[FromTheRafters]

"Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in message news:5yJcb.153080$0v4.11404861@bgtnsc04-news.ops.worldnet.att.net...

> This new hijacking behavior involves overwriting the Windows HOSTS file and
> apparently it's BackWeb code. It hijacks all searches to some brand-X
> search site and apparently BackWeb contains some anti SpyBot code also.

> My Google research found that
> apparently some code by the BackWeb folks, which is immediately attacked by
> SpyBot and less so be AdWare, is the culprit.

Some bad stuff *uses* the BackWeb application
Some good stuff also does.
Each thing using the application has registry settings which
may have been messed with by you and Spybot

> Anti-Virus folks need to be lilly white and avoid all appearances of nasty
> involvements. The freeze up of that XP Pro machine was due to the
> interaction of SpyBot and ANOTHER VERSION of BACKWEB THAT F_SECURE FOLKS
> EMBED IN THEIR TRIALWARE. That interaction caused me hours of hand
> debugging and uninstalling in safe-mode to regain operability on that XP Pro
> workstation.

Not all BackWeb applications are bad things, Spybot IIRC warns
of problems the user may incur.

The hijacker is the culprit I think, not Spybot or F-Secure.

> The fact that F-Secure installed BackWeb, which attacks Spybot, on that XP
> Pro machine without user permission constitutes a complete impeachment of
> F-Secure as a reputable security company.
>
> BLACKLIST if not prosecute F-SECURE.
>
> Prosecute anyone over-writing the file HOSTS without premission.

I laughed, I cried, I grabbed another beer.

Are you saying that the BackWeb application attacks Spybot, and
the HOSTS file has BackWeb code? ~ nevermind...

Spybot must be used with caution.

[Ron Reaugh]

I find that most your post was jibber.

No reputable computer security company should be including ANYKIND of
adware/spyware code in there downloads. I say blacklist F-Secure for so
doing.

Both Adware and Spybot remove BackWeb...therefore BackWeb is bad stuff! You
wanna supply any reputable source saying BackWeb is good stuff?

"FromTheRafters" <!0000@nomad.fake> wrote in message
news:vn70343m0fj3ac@corp.supernews.com...
>
> "Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in message
news:5yJcb.153080$0v4.11404861@bgtnsc04-news.ops.worldnet.att.net...
>
> > This new hijacking behavior involves overwriting the Windows HOSTS file
and
> > apparently it's BackWeb code. It hijacks all searches to some brand-X
> > search site and apparently BackWeb contains some anti SpyBot code also.
>
> > My Google research found that
> > apparently some code by the BackWeb folks, which is immediately
attacked by
> > SpyBot and less so be AdWare, is the culprit.
>
> Some bad stuff *uses* the BackWeb application
> Some good stuff also does.
> Each thing using the application has registry settings which
> may have been messed with by you and Spybot
>
> > Anti-Virus folks need to be lilly white and avoid all appearances of
nasty
> > involvements. The freeze up of that XP Pro machine was due to the
> > interaction of SpyBot and ANOTHER VERSION of BACKWEB THAT F_SECURE FOLKS
> > EMBED IN THEIR TRIALWARE. That interaction caused me hours of hand
> > debugging and uninstalling in safe-mode to regain operability on that XP
Pro
> > workstation.
>
> Not all BackWeb applications are bad things, Spybot IIRC warns
> of problems the user may incur.
>
> The hijacker is the culprit I think, not Spybot or F-Secure.
>
> > The fact that F-Secure installed BackWeb, which attacks Spybot, on that
XP
> > Pro machine without user permission constitutes a complete impeachment
of
> > F-Secure as a reputable security company.
> >
> > BLACKLIST if not prosecute F-SECURE.
> >
> > Prosecute anyone over-writing the file HOSTS without premission.
>
> I laughed, I cried, I grabbed another beer.
>
> Are you saying that the BackWeb application attacks Spybot, and
> the HOSTS file has BackWeb code? ~ nevermind...
>
> Spybot must be used with caution.
>
>

[FromTheRafters]

"Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in message news:mtLcb.158665$3o3.11358935@bgtnsc05-news.ops.worldnet.att.net...
> I find that most your post was jibber.
>
> No reputable computer security company should be including ANYKIND of
> adware/spyware code in there downloads.

It is *not* adware or spyware, it is a legitimate application
that some adware and spyware abuses. E-mail worms use
SMTP, but that shouldn'r mean that anyone using SMTP
is malicious by association.

> I say blacklist F-Secure for so doing.

Say it all you want, but those with a clue won't listen.

> Both Adware and Spybot remove BackWeb...therefore BackWeb is bad stuff!

Erroneous conclusion.

> You wanna supply any reputable source saying BackWeb is good stuff?

I will leave that to others, or will try to supply info tomorrow if nobody
else does beforehand.

Later.

[Ron Reaugh]

The presence of BackWeb in the F-Secure download and the fact that it causes
SpyBot to hang an XP system is simply unconscionable and moves F-Secure to
the dark side.

"FromTheRafters" <!0000@nomad.fake> wrote in message
news:vn742cgi48qkb6@corp.supernews.com...
>
> "Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in message
news:mtLcb.158665$3o3.11358935@bgtnsc05-news.ops.worldnet.att.net...
> > I find that most your post was jibber.
> >
> > No reputable computer security company should be including ANYKIND of
> > adware/spyware code in there downloads.
>
> It is *not* adware or spyware, it is a legitimate application
> that some adware and spyware abuses. E-mail worms use
> SMTP, but that shouldn'r mean that anyone using SMTP
> is malicious by association.
>
> > I say blacklist F-Secure for so doing.
>
> Say it all you want, but those with a clue won't listen.
>
> > Both Adware and Spybot remove BackWeb...therefore BackWeb is bad stuff!
>
> Erroneous conclusion.
>
> > You wanna supply any reputable source saying BackWeb is good stuff?
>
> I will leave that to others, or will try to supply info tomorrow if nobody
> else does beforehand.
>
> Later.
>
>

[Colonel Flagg]

In article <9RMcb.153330$0v4.11425106@bgtnsc04-
news.ops.worldnet.att.net>, ron-reaugh@worldnet.att.net says...
> The presence of BackWeb in the F-Secure download and the fact that it causes
> SpyBot to hang an XP system is simply unconscionable and moves F-Secure to
> the dark side.


You're a goddamn idiot.

Backweb isn't bad, the people that MISUSE it *under certain
circumstances* would be considered bad.

a gun, when sitting in a cabinet harms no one... put it in a crack-heads
hands and someone will eventually get shot....

a piece of software, hell, let's say Internet Explorer is *meant* to
view websites, browse the web, whatever.... when placed in the wrong
hands.... you can completely and totally destroy websites with it
through Unicode Exploits...

Backweb is used by legitimate and accepted programs.

Backweb is used by illegitimate and unacceptable malicious programs.

Get the idea you ****ing moron?

[donutbandit]

"Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in
news:9RMcb.153330$0v4.11425106@bgtnsc04-news.ops.worldnet.att.net:

> The presence of BackWeb in the F-Secure download and the fact that it
> causes SpyBot to hang an XP system is simply unconscionable and moves
> F-Secure to the dark side.

Perhaps you are over reacting. However, I would not want someone installing
what amounts to a backdoor on my box even if it WAS to install automatic
updates.

That's why I stay away from any such applications. I prefer to go and get
my own updates.

[FromTheRafters]

"Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in message news:9RMcb.153330$0v4.11425106@bgtnsc04-news.ops.worldnet.att.net...
> The presence of BackWeb in the F-Secure download and the fact that it causes
> SpyBot to hang an XP system is simply unconscionable and moves F-Secure to
> the dark side.

It's presence means nothing of the sort, and the XP hang
was likely caused by your meddling and not reading the
Spybot Search & Destroy literature.

http://spybot.eon.net.au/index.php?l...ts-backweblite

or any of the references therein.

http://www.cexx.org/dlgli.htm

...I am not affiliated with any computer related organization,
and couldn't care any less about which program you use. I
am unbiased in this respect.

[Jay T. Blocksom]

On Fri, 26 Sep 2003 00:09:54 GMT, in <alt.privacy.spyware>, "Ron Reaugh"
<ron-reaugh@worldnet.att.net> wrote:
>
> I find that most your post was jibber.
>
[snip]

Actually, that was precisely the reaction I had to your original incoherent
rant which started this thread.

> No reputable computer security company should be including ANYKIND of
> adware/spyware code in there downloads.
[snip]

True enough; but you've not established that the fine folks at <f-prot.com>
did anything even remotely approaching that. Here, this might help:

<http://zapatopi.net/afdb.html>

> I say blacklist F-Secure for so
> doing.
>
[snip]

I'm sure you do.

<http://www.winternet.com/~mikelr/flame74.html>

> Both Adware and Spybot remove BackWeb...therefore BackWeb is bad stuff!
[snip]

Your logic engine is obviously VERY broken. Perhaps the hamster died?

Tell me, if you're *so* concerned about security and privacy, why do you
even permit on your system, let alone *use*, Windows XP, MSIE and Outleak
Excuse -- the Unholy Trinity of big-time malware?

*And* you're a top-posting twit.

*plonk*

--

Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet01[at]appropriate-tech.net


"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: E-Mail address in "From:" line is INVALID! Remove +SPAMBLOCK to mail.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this E-Mail address is expressly prohibited
under USC Title 47, Section 227. Violators are subject to charge of up to
$1,500 per incident or treble actual costs, whichever is greater.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[Spam Buster]

"Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in message
news:5yJcb.153080$0v4.11404861@bgtnsc04-news.ops.worldnet.att.net...
|
| Prosecute anyone over-writing the file HOSTS without premission.
|

I agree with your assessment of SpyBot: great stuff; one of its (optional)
features is to make the hosts file read-only...

SB