Denial is a powerful tool in the arsenal of companies who refuse to accept who they are. Much like individuals in denial, delusions of grandeur and the pretense of being something they are not are pervasive. These situations often require therapy, so let's begin.
Such is the case with Zango, who this week decided to sue PC Tools for $35 million, based on the pretense that their "software" isn't spyware and is thus being wrongly removed by PC Tools' Spyware Doctor.
Here's where reality sets in: Hey Zango! YOU ARE SPYWARE! YOU'VE ALWAYS BEEN SPYWARE! Rebrand yourselves all you wish. Change the name of the company. Deny the reality of the situation all you want. It won't change the simple truth.
Let's review from a technical perspective, shall we?
From BleedingEdge Threats (Bleeding Edge Snort) we find the harsh reality of the situation. Consider a few fine signature examples from Matt Jonkman and team. There are no less than 25!
Posted as recently as April 23, 2007 we find:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Zango Spyware (tbrequest data post)"; flow: to_server,established; uricontent:"/tbrequest"; nocase; uricontent:"&q="; nocase; pcre:"/\/tbrequest\d+\.php/Ui"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2003610; rev:1;)
We'll cover the fundamentals here. flow:to_server,established means that we're monitoring traffic as it leaves the host to report back to your server. Not unlike spyware, yes? And if I'm not mistaken, a tbRequest.add to a PHP platform is a POST. What might we be posting? User profiles perhaps, so you can invade their privacy and feed them BS? I think so.
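To make the signature's matching concrete, here is an added example (my own code, not part of the original post or of the Bleeding Edge rule set) that re-implements the rule's URI checks in Python and runs them over constructed request lines; the flow:to_server,established state tracking is assumed rather than modeled, since request lines are client-to-server by definition.

```python
import re

# Constructed sample request lines (not real captures). The first two satisfy
# every URI condition of the rule; the remaining three each fail one check.
SAMPLE_REQUESTS = [
    "POST /tbrequest12.php?&q=profile%20data HTTP/1.1",
    "GET /TBREQUEST3.PHP?id=5&q=abc HTTP/1.0",
    "POST /tbrequest.php?&q=x HTTP/1.1",   # no digits before .php: pcre fails
    "GET /tbrequest12.php?id=1 HTTP/1.1",  # no "&q=": second uricontent fails
    "GET /index.html?&q=1 HTTP/1.1",       # no "/tbrequest": first uricontent fails
]

# pcre:"/\/tbrequest\d+\.php/Ui": 'U' selects the normalized URI buffer and
# 'i' makes the match case-insensitive; re.IGNORECASE stands in for 'i' here.
TBREQUEST_RE = re.compile(r"/tbrequest\d+\.php", re.IGNORECASE)


def uri_of(request_line: str) -> str:
    """Return the request-target (path plus query) from an HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {request_line!r}")
    return parts[1]


def zango_tbrequest_match(request_line: str) -> bool:
    """Apply the rule's three URI conditions to one client request line.

    flow:to_server,established is assumed: a request line only ever travels
    from client to server, so direction is not re-checked here.
    """
    uri = uri_of(request_line)
    lowered = uri.lower()  # the 'nocase' modifier on both uricontent keywords
    return ("/tbrequest" in lowered
            and "&q=" in lowered
            and TBREQUEST_RE.search(uri) is not None)


def scan_requests(request_lines):
    """Return the URIs that would raise sid 2003610, in input order."""
    return [uri_of(line) for line in request_lines if zango_tbrequest_match(line)]


if __name__ == "__main__":
    for uri in scan_requests(SAMPLE_REQUESTS):
        print("ALERT BLEEDING-EDGE MALWARE Zango Spyware (tbrequest data post):", uri)
```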
Why not take a look at the reference URL as well:
securityresponse.symantec.com
Why would our friends at Symantec label you a medium risk as adware and eradicate you in their definitions? Hmm...I can hear your crack legal team warming up the machinations of litigation once more. Oh wait, they sued you (or at least Hotbar) a few years back. Never mind.
But let's get back on track.
Instead of spending $35 million to sue PC Tools, keep your hard-earned money and spend a bit of time working on corporate morale and an enterprise-wide reality check. Embrace who you are. Accept that you are part of the "series of tubes" that is the Internet, and that you are knowingly filling those tubes. I'd go so far as to suggest hiring corporate counselors (not the legal kind) to aid your staff in accepting reality. I'd even go so far as to invite Senator Ted Stevens to come for a day to rally the troops thus: "The Internet is not something you just dump something on. It's not a big truck. It's a series of tubes. And if you don't understand those tubes can be filled and if they are filled, when you put your message in, it gets in line and it's going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material".
Just face the truth and we'll all be better for it. Soul searching serves us well. But when that fails, rename yourselves again. I suggest TheBestDamnSpyware.com. Best of luck in your endeavor.
Friday, May 18, 2007