Microsoft Shifting Adware Approach?

The discovery that Microsoft updated its spyware definition files in order to advise users to ignore Claria’s adware fueled rumors that Redmond planned to acquire the contextual advertising company. But security experts said the move signals a change in its attitude to adware in general.

On June 30, the Wall Street Journal reported that Microsoft was in talks with Claria, which makes downloadable software that aggregates users’ Web surfing behavior.

Meanwhile, spyware watchers noticed that Microsoft Anti-Spyware (MAS), the spy-blocker software released as a free beta, advised users to “ignore” Claria’s GAIN, DashBar and DateManager. MAS formerly advised users to “quarantine” it. The blogosphere ignited with speculation that the upgrade was part of the companies’ courting process.

On Friday, Microsoft put out a statement, saying the re-evaluation had taken place at Claria’s request back in January. “We also decided that adjustments should be made to the classification of Claria software in order to be fair and consistent with how Windows AntiSpyware (Beta) handles similar software from other vendors,” the statement said.

Indeed, analysis of MAS virus definition files by Sunbelt Software and others found that they had been changed around March 31.

But after spyware experts combed through the new definition files, they found that Microsoft also reduced its MAS threat warnings for several other adware applications, including Webhancer, NewDotNet, WhenU WeatherCast and SaveNow, 180Solutions Search Assistant and Ezula.

In the middle of the media speculation about Microsoft possibly buying Claria, the conspiracy theory made sense, according to Alex Eckelberry, president of Sunbelt. But when reports surfaced of the threat levels for other apps being downgraded by MAS as well, he said, that’s when it was clear that there was a broader issue with Microsoft’s listing criteria.

Due to an agreement made with Giant Software before its acquisition by Microsoft, Sunbelt Software uses the same virus definition files as MAS, but adds its own filters and threat criteria on top of them. Eckelberry said Sunbelt is one of the more aggressive in blocking adware applications, because it sells its CounterSpy product to the enterprise as well as consumers.

Eckelberry pointed out that MAS still will bring the products to people’s attention and give them the opportunity to quarantine it. The MAS application uses the “ignore” rating for moderate-risk applications. It advises users that there’s some potential for adverse effect, but that they may be part of a wanted service.

“The big issue here is not about ‘ignore,’ but about the database philosophy and the philosophy about listing,” he said. “You can pretty safely argue that some of the programs they downgraded might warrant ‘ignore,’ and others, not. It comes down to how Microsoft defines adware.”

Eric Howes, a spyware researcher at the University of Illinois, thinks that Microsoft did a poor job of defining them. He first reviewed the MAS spyware criteria in the spring, and found them good. “All this illustrates is that well-written criteria can’t protect from bad human decision-making,” he said. He pointed out that Microsoft is new to the anti-spyware business, and evaluating software can be very time-consuming. “With adware and spyware, you’re dealing with a whole host of different behaviors and practices, so the context is critical.”

Howes, who consults with Sunbelt, said that in order to evaluate a downloadable application, someone must analyze how the software is distributed and presented, and how the functionality is actually implemented on the desktop.

Ben Edelman, a Harvard Ph.D. candidate and spyware expert, said the applications in question should be quarantined because of a variety of deceptive practices they use to get people to download them. For example, he said, Claria promotes its GAIN contextual advertising application on sites targeted at kids and via ads made to look like part of the user interface. The goal is to fool users into clicking on them.

Webhancer anonymously tracks users’ online behavior. NewDotNet lets users browse Web site addresses with non-standard domain names suc as .free. The two applications come bundled with eDonkey, a peer-to-peer application, Edelman said. Their user licensing agreements are delivered in an extremely narrow window, making them hard to read. “If you try to print them out, it takes 30 or 40 pages,” he said. Onscreen, “it’s like a joke, you can’t read anything there.”

Edelman said Ezula, a keyword advertising application, is often distributed via misleading pop-ups or through security exploits. It’s also been delivered via X-rated videos distributed on P2P networks, he said.

Companies that make adware, otherwise known as ad-supported software or contextual advertising applications, not only actively engage anti-spyware software vendors in discussions; they sometimes threaten to sue. For example, on May 10, Hotbar, a maker of browser and e-mail toolbars that add extra functionality while tracking user behavior, sent a letter to Sunbelt complaining that the latter infringed on its rights. The letter detailed the ways in which its ad-supported browser and e-mail toolbars inform users before installation and maintain their personal privacy afterward.

Hotbar objected to the way Sunbelt’s CounterSpy warns users of its presence.

“By misrepresenting Hotbar’s Software as spyware/adware or any other kind of undesirable software, you cause Hotbar severe and irreparable damages and, among

others, cause irreparable damage to Hotbar’s goodwill, dilute and tarnish the trademark

Hotbar, interfere with Hotbar’s contractual relations with its users, distribute libelous statements on Hotbar’s Software amongst Internet users and make fraudulent misrepresentations which scare users and cause them to uninstall Hotbar’s software (or to refrain from installing it in the first place).”

The letter demanded that Sunbelt stop warning users in any way of the software’s presence on their computers and to pay the company damages to be determined by Hotbar.

According to Edelman, security software vendors McAfee, Symantec, Computer Associates and the Internet Advertising Bureau are among the companies to receive similar warnings from adware makers.

Microsoft doubtless got similar letters, Edelman said, and maybe the company is tired of litigation. Companies that get such cease-and-desist letters have two options, he added: they can sue or review the application to see if the letter has merit. “Microsoft probably is just giving into threats from the vendors,” he said. “They figure theyll just set them to ‘ignore’ and let users figure it out.”

Microsoft’s re-evaluation of these apps puts it at odds with most other anti-spyware software vendors and security experts.

In its Claria statement, Microsoft acknowledged that a lack of agreement about spyware makes it harder to combat. “Today, anti-spyware vendors use different approaches, definitions, and types of criteria for identifying and categorizing spyware and other potentially unwanted software. This has limited the industry’s ability to have a broad, coordinated impact in addressing the problem,” its Claria statement said.

But Microsoft has gone its own way with these new definitions.

News Around the Web