Review of 3721(dot)com

Had a request to look at this site. Tried it, with my usual test box of totally clean, totally unpatched Win XP Home, no service packs, no antivirus, no nothing of any kind, just running a hardware firewall in the router.

The about.htm page asked me to install the Chinese Language Pack. Answered OK, it wanted the CD. I don’t get out of my chair that easily… clicked cancel. (Remember, I test like novices surf…) It took me back to the English about.htm page.

Found the how-to-use page, and let it install the Chinese keywords utility. The Install and Run warning was properly signed by VeriSign, but the message was mostly bad font blocks. (No Chinese font loaded, as above.) Next, had a pop-up box all in Chinese, with one button. Clicked that, it went away. Nothing else happened. Restarted IE, nothing.

Restarted Win XP Home, and IE. There are 5 new icons in the tool bar, all Yahoo-related. Some Chinese characters appear at the right end of the address bar.

All this was added to the autoplays, as reported by HijackThis:

Running processes:
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wpabaln.exe

R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.3721.com/srchasst.htm
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.3721.com/srchcust.htm
O2 – BHO: IE – {D157330A-9EF3-49F8-9A67-4141AC41ADD4} – C:\WINDOWS\DOWNLO~1\CnsHook.dll
O4 – HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 – HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O8 – Extra context menu item: Quick Search (Yisou.com) – res://C:\WINDOWS\DOWNLO~1\CnsMinEx.dll/1003
O9 – Extra button: Short Message – {00000000-0000-0001-0001-596BAEDD1289} – http://sms.3721.com/ie/index.htm (file missing)
O9 – Extra button: Yahoo 1G mail – {507F9113-CD77-4866-BA92-0E86DA3D0B97} – http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 – Extra button: E bazar – {59BC54A2-56B3-44a0-93E5-432D58746E26} – http://cn.rd.yahoo.com/auct/promo/3721/200508/ielogo-wcfashion/*http://cn.promo.auctions.yahoo.com/200507/fashion/index.html?refcode=3721200508ielogo-wcfashion (file missing)
O9 – Extra button: 3721 Assistant – {5D73EE86-05F1-49ed-B850-E423120EC338} – http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 – Extra button: Instant Messenger – {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} – http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 – Extra button: (no name) – {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} – http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 – Extra ‘Tools’ menuitem: Repair Browser – {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} – http://assistant.3721(DOT)com/security1.htm?fb=Cns (file missing)
O9 – Extra button: (no name) – {FD00D911-7529-4084-9946-A29F1BDF4FE5} – http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 – Extra ‘Tools’ menuitem: Clean Internet access record – {FD00D911-7529-4084-9946-A29F1BDF4FE5} – http://assistant.3721(DOT)com/clean1.htm?fb=Cns (file missing)
O11 – Options group: [!CNS] Chinese keywords

UNINSTALL–There was an entry in the add/remove list for Chinese keywords. Ran it. The uninstall was perfect. That’s rare–it put the autoplays back exactly as they were.

Overall, the install is sloppy–note the (file missing) on some of the items above. The uninstall was good. Clearly not a drive-by download. I saw no extra popups at the site, before or after installing the plug-in, or after removing it.

While the site is on the SpybotSD list of sites that it adds to the restricted sites list in IE, my test, as of Sept 8, 2005, didn’t show anything more suspicious than an overly-invasive toolbar with a sloppy install.

I’d like anyone who can read Chinese to repeat the test–I could easily have missed installing an optional portion of the toolbar.

Spyware: Too Many Labels, Not Enough Clarity

Written by Jerry Stern
Coordinator of Anti-Spyware Operations, Association of Software Professionals

All these definitions for what is loosely being called “spyware” are a problem.

Earlier this year, the Federal Trade Commission decided that a working definition was good enough, without a formal definition based on new legislation. They can deal with the problem based on existing regulations.

Various industry groups have attempted definitions. Some of these groups include publishers of products sometimes self-labeled as adware. Most include publishers of cleanup tools.

Most of the definitions focus on whether or not a program sends out personally-identifiable information. Spyware supposedly sends information that’s trackable back to you, and adware either sends non-identifiable information, or just acts as a server for additional advertising in some fashion. The difference is subtle and pointless, for most consumers–the issue is generally more of regaining system performance than of blocking surfing history. While the information stolen isn’t always significant, the theft of service, or unauthorized use of a computer and connection bandwidth, is generally an invasion, and most of the definitions focus on placing a specific label, rather than using existing privacy laws and existing commercial regulation as approaches to prosecution of offending providers of software and services.

Here is the definition proposed by the Anti-Spyware Coalition:

“Spyware: The term Spyware has been used in two ways.
In its narrow sense, Spyware is a term for Tracking Software deployed without adequate notice, consent, or control for the user.

In its broader sense, Spyware is used as a synonym for what the ASC calls “Spyware and Other Potentially Unwanted Technologies.”

In technical settings, we use the term Spyware only in its narrower sense. However, we understand that it is impossible to avoid the broader connotations of the term in colloquial or popular usage, and we do not attempt to do so. For example, we refer to the group as the Anti-Spyware Coalition and vendors as makers of anti-spyware software, even recognizing that their scope of concern extends beyond tracking software.”

Compare this to the Federal Trade Commission’s definition from their workshop of April 19, 2004, titled “Monitoring Software on Your PC: Spyware, Adware, and Other Software.” For the workshop, the working definition of Spyware is “…software that aids in gathering information about a person or organization without their knowledge and which may send such information to another entity without the consumer’s consent, or asserts control over a computer without the consumer’s knowledge.”

Note the hedge words: such software “aids in gathering,” and therefore may not actually be doing the gathering alone, or may do something else. It “may send” information, but also may not. This is deliberately vague, and therefore flexible.

A more precise definition would be great for the spyware publishers, and even better for the publishers of adware, who would gain some protection from a legal distinction that shows that their behavior is not automatically labeled as illegal. A definition would also help some of the antispyware companies, temporarily–it would allow them freedom to label a particular ad technology and publisher as illegal, and delete that product with some partial protection from potential legal actions for libel and for removing some other company’s products. Again, that, for a time, would help.

As the industry of spyware (etc) now exists, everything that can be done, is being done, whether it is to deliver targeted ads, to steal information, or to steal bandwidth and processor time. There are no limits. Everything that can be done in the future, will be done. As new security holes are found, they will be exploited. As holes close, others open, and any new legal definition will be obsolete faster than legal action can be brought to stop newly-prohibited behavior.

Some of the definitions, including that of the Anti-Spyware Coalition, attempt to simultaneously show that “spyware” technology can have a legitimate purpose for monitoring the internet activities of children or employees. That’s a big distraction. Monitoring of that type is legal. Using the same technology to monitor which city I’m trying to find a hotel reservation for is not. Any technology-based definition of spyware may be useful for system technicians, but is meaningless for capturing illegal activity, or for proving legal use for de-listing products from a spyware removal database.

The ASC definition, by including “without adequate notice, consent, or control”, continues to include terms that require additional definitions. As such, it’s open to interpretation by the user who doesn’t know where the software came from, by the cleanup product publisher who doesn’t know what to remove, and by the courts, who will have to wrestle with the meaning of “adequate notice” before deciding whether to allow a libel claim to proceed against an antispyware publisher. The existing case law on user licenses will come into effect here; so-called “shrinkwrap licenses” have been used to hide practices just as illegal as spyware, but not quite as blatant.

The temptation to label everything is strong in this industry. Labels add structure, but they also provide innuendo, distortion, and false security. Spyware can be many things, and in the current technological landscape, it will be more varied and more devious than can be predicted with a legal definition. Working definitions can help a technician in triage and cleanup, but once enacted into regulation, precise legal definitions of what is and is not spyware can only damage the industry.

The ASC definition of spyware would be far stronger without the words “deployed without adequate notice, consent, or control.” A spy may still be a spy after the press has published a leak stating their identity. A spy camera doesn’t stop being a spy camera if it’s being used to monitor your babysitter. Screen-scraper software isn’t something else if it’s monitoring your corporate network for illegal behavior. And finally, spyware doesn’t stop being spyware if the publisher asks for permission to snoop.

Yes, that would mean that spyware can be judged on the basis of action instead of apparent intent, and on what information is being transmitted, based on existing privacy laws. That would make the identification and removal of spyware much simpler. Definitions based on intentions and permissions lead to prosecutions based on telepathy and hearsay. Definitions based on feature lists, actions, and information are practical, and can lead to a clear view of what software is useful on a system, and what should be removed.

This article was written on behalf of the Association of Software Professionals.

Crawler(dot)com toolbar

Downloaded and tested the Crawler.com search toolbar, which allows users to search multiple search engines at once.

Test run Aug 25th, 2005, clean Win XP Home, no patches, not activated, no drivers except automatically-installed items from the Windows installation. Items listed as detected by HijackThis.

Installing the Crawler toolbar added these items to the system settings:
Running processes:
C:\Program Files\Crawler\CToolbar.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://portal.crawler.com/search/ie.aspx?tb_id=60002
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.crawler.com/?tbid=60002
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://portal.crawler.com/search/ie.aspx?tb_id=60002
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Crawler\ctbr.dll/sa
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://portal.crawler.com/search/ie.aspx?tb_id=60002
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Crawler\ctbr.dll/sa
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 – URLSearchHook: (no name) – {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} – C:\PROGRA~1\Crawler\ctbr.dll
O2 – BHO: (no name) – {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} – C:\PROGRA~1\Crawler\ctbr.dll
O3 – Toolbar: &Crawler Toolbar – {4B3803EA-5230-4DC3-A7FC-33638F3D3542} – C:\PROGRA~1\Crawler\ctbr.dll
O8 – Extra context menu item: Crawler Search – tbr:iemenu
O18 – Protocol: tbr – {4D25FB7A-8902-4291-960E-9ADA051CFBBF} – C:\PROGRA~1\Crawler\ctbr.dll

When Internet Explorer is NOT running, CToolbar continues to run, and it autoplays with the system.

Uninstall results–this item not removed–it’s the IE home page:
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.crawler.com/?tbid=60002
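Both toolbar tests above boil down to the same two chores: reading a HijackThis listing for the entries worth a second look (search and home-page settings pointed at a third-party domain, buttons whose target file is missing, a custom URL protocol), and comparing a before-install snapshot with an after-uninstall snapshot to see what the uninstaller left behind. Here is an added example of that triage, not code from either review and not part of HijackThis; the sample lines are constructed from the log excerpts quoted on this page, the “baseline” start page is an assumed pre-install value, and the set of expected hosts is the example’s own assumption.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code).

Parses Rn/On entry lines like the ones quoted in the 3721 and Crawler reviews,
flags the entries a reviewer would want to look at, and diffs two snapshots to
report what an uninstaller failed to clean up or restore.
"""
import re
from urllib.parse import urlparse

# HijackThis separates fields with an en dash on this page; accept a hyphen too.
DASH = "(?:\u2013|-)"
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2})\s+" + DASH + r"\s+(?P<body>.+)$")
FIELD_SPLIT = re.compile(r"\s+" + DASH + r"\s+")

# Domains an untouched IE install may legitimately point search/home page at.
# This set is an assumption of the example, not a HijackThis default.
EXPECTED_HOSTS = {"microsoft.com", "msn.com"}


def parse_entry(line):
    """Return a dict describing one HijackThis line, or None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    entry = {"kind": kind, "raw": line.strip(), "file_missing": "(file missing)" in body}
    if kind.startswith("R"):
        # Rn – <registry key>,<value name> = <data>
        key, _, data = body.partition(" = ")
        entry["key"] = key
        entry["target"] = data.strip()
    else:
        # On – <description> [– {CLSID} – <path or URL> [(file missing)]]
        fields = FIELD_SPLIT.split(body)
        entry["description"] = fields[0]
        entry["target"] = fields[-1].replace("(file missing)", "").strip()
    return entry


def domain_of(target):
    """Last two labels of an http(s) URL's host (e.g. '3721.com'), else None."""
    if not target.lower().startswith(("http://", "https://")):
        return None
    host = urlparse(target).hostname or ""
    return ".".join(host.split(".")[-2:]) if host else None


def flag_entry(entry):
    """Reasons a reviewer would look twice at this entry (empty list = nothing notable)."""
    reasons = []
    if entry["file_missing"]:
        reasons.append("target file missing: partial or sloppy install")
    domain = domain_of(entry["target"])
    if domain and domain not in EXPECTED_HOSTS:
        what = "IE search/home-page setting" if entry["kind"].startswith("R") else "IE UI element"
        reasons.append(f"{what} points at third-party domain {domain}")
    if entry["target"].lower().startswith("res://"):
        reasons.append("IE setting served from a resource inside a local DLL")
    if entry["kind"] == "O18":
        reasons.append("registers a custom URL protocol handler")
    return reasons


def triage(lines):
    """Return [(raw line, [reasons])] for every entry with at least one reason."""
    out = []
    for line in lines:
        entry = parse_entry(line)
        if entry and (reasons := flag_entry(entry)):
            out.append((entry["raw"], reasons))
    return out


def uninstall_residue(before_lines, after_lines):
    """Compare a pre-install snapshot with a post-uninstall snapshot.

    left_behind: entries present after uninstall that were not there before.
    not_restored: original entries the uninstaller failed to put back.
    """
    before = {e["raw"] for e in map(parse_entry, before_lines) if e}
    after = {e["raw"] for e in map(parse_entry, after_lines) if e}
    return {"left_behind": sorted(after - before), "not_restored": sorted(before - after)}


# Constructed samples, taken from the log excerpts quoted in the two reviews.
SAMPLE_3721 = [
    r"R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.3721.com/srchasst.htm",
    r"O2 – BHO: IE – {D157330A-9EF3-49F8-9A67-4141AC41ADD4} – C:\WINDOWS\DOWNLO~1\CnsHook.dll",
    r"O4 – HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32",
    r"O9 – Extra button: Short Message – {00000000-0000-0001-0001-596BAEDD1289} – http://sms.3721.com/ie/index.htm (file missing)",
    r"O11 – Options group: [!CNS] Chinese keywords",
]
SAMPLE_CRAWLER = [
    r"R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://portal.crawler.com/search/ie.aspx?tb_id=60002",
    r"R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.crawler.com/?tbid=60002",
    r"R1 – HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Crawler\ctbr.dll/sa",
    r"O3 – Toolbar: &Crawler Toolbar – {4B3803EA-5230-4DC3-A7FC-33638F3D3542} – C:\PROGRA~1\Crawler\ctbr.dll",
    r"O18 – Protocol: tbr – {4D25FB7A-8902-4291-960E-9ADA051CFBBF} – C:\PROGRA~1\Crawler\ctbr.dll",
]
# Assumed pre-install home page (the review does not state it) and the one line
# the review says survived the Crawler uninstall.
BASELINE_CONSTRUCTED = [r"R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/"]
CRAWLER_AFTER_UNINSTALL = [SAMPLE_CRAWLER[1]]

if __name__ == "__main__":
    for name, lines in (("3721", SAMPLE_3721), ("Crawler", SAMPLE_CRAWLER)):
        print(f"== {name} ==")
        for raw, reasons in triage(lines):
            print(raw, "\n   ->", "; ".join(reasons))
    print("Crawler uninstall:", uninstall_residue(BASELINE_CONSTRUCTED, CRAWLER_AFTER_UNINSTALL))
    print("3721 uninstall:", uninstall_residue(SAMPLE_3721, SAMPLE_3721))
```

Run against the 3721 sample, the only entries flagged are the redirected SearchAssistant and the Short Message button with its missing file; the Crawler sample flags the three rewritten IE settings (two pointing at crawler.com, one served out of ctbr.dll) and the tbr: protocol handler. The snapshot diff reports the Crawler start page as left behind and the assumed original as not restored, while diffing the 3721 listing against itself comes back empty, which is what a clean uninstall looks like.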

Overall: The main executable runs when it shouldn’t, for no stated purpose. Uninstall doesn’t restore home page but does restore all other settings. Search results from toolbar show pay-for-display ads first, clearly labeled, before showing true search results which may or may not be on the first page of results.

Summary: I wouldn’t automatically delete this one if the user finds it helpful–doesn’t appear to do anything disruptive. The publisher should fix the way it runs ctoolbar, so that it starts with IE, and doesn’t run all the time.