Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Anti-Spyware Vendors Buy Databases?!

  • Please log in to reply
3 replies to this topic

#1 TeMerc


    Countermeasures Team Leader

  • Malware Response Team
  • 215 posts
  • Location:PHX., AZ.
  • Local time:05:39 PM

Posted 04 December 2004 - 03:01 AM

Here is a quote from Eric Howes(eburger68) from a thread over at DSLR:

Hi All:

If you were ever wondering where so many of the anti-spyware programs listed on the Rogue/Suspect Anti-Spyware page come from...


...the post leading off this thread is a good start at an answer. Right now the anti-spyware market is hot -- see:


Because the market looks so lucrative, we have a large number of people and companies jumping in with whatever they can get their hands on in the rush to get an anti-spyware application to market and start cashing in.

The problem for these people, of course, is where to get an anti-spyware application quickly and on the cheap? They usually have no experience in the anti-malware industry and they're not that interested in investing the effort to hire a quality research and development team to create an anti-spyware application themselves and do a proper job of it. That would simply take too much time and money.

Depressingly, there is a market out there for "rent-a-coder" anti-spyware applications and definitions databases, and many individuals and firms are perfectly happy to snap these up in order to speed the process of getting an application to market.

Anti-spyware applications are tough to do right, though. Not only are the spyware and adware pests we're seeing becoming ever more devious and difficult to remove, but the number of new pests and variants of existing pests is exploding. Consequently, anti-spyware applications are very "high maintenance," requiring laborious research and development every day of the year. Even the best in the business struggle to keep up.

Good anti-spyware vendors know that quality scan engines and definitions databases can't be purchased on the cheap and off the shelf. The best anti-spyware firms are hiring researchers like mad to update their definitions databases and plowing thousands of man hours into the development of their scan engines because they know that it is vital to be in control of every aspect of their anti-spyware application.

Unfortunately, the number of firms who are truly committed to producing quality anti-spyware programs is very small. The vast majority of anti-spyware applications available on the Net are rebranded cloneware apps produced by rent-a-coder operations who then sell their substandard wares to internet entrepeneurs -- often "mom and pop" type operations with no experience whatsoever in the anti-malware industry but who are looking to make a quick entry into a hot market.

I've actually communicated with a number of these small-time vendors who decided to buy an anti-spyware app on the cheap and jump in. What I've learned ranges from discouraging to downright scary. Some of the vendors aren't familiar with the concept of a "false positive." Still others have very little sense for the threat of spyware or how their own applications fail to detect and remove it.

One vendor I talked with the other day wasn't even familiar with the scan results of his own application. When I detailed the deficiencies in his application's reporting of detected spyware and adware, and he wasn't even aware of the kinds of information his program was neglecting to report. That kind of woeful ignorance is not uncommon among these vendors because they're simply buying rebranded applications and databases from some murky anti-spyware chop-shop.

In this kind of environment, we often see companies and individuals trolling the Net for definitions databases they can buy, instead of hiring quality researchers to do the job properly. Some of you may remember Ashley, the vendor behind Privacy Tools 2004:

»Anti-Spyware Vendor Threatens to Write Malware

After I reported that the beta of a new version of his application was producing ridiculous false positives, Ashley decided he could solve the problems with his application by simply going out and buying a new definitions database. The results were utterly predictable:


Still worse, we've even seen requests for databases that were little more than thinly veiled invitations for unscrupulous parties to rip-off and resell the databases from well-known anti-spyware applications like Ad-aware and Spybot Search & Destroy.

Another popular approach to building a spyware database involves merely harvesting file names and Registry keys from the growing number of anti-spyware research pages available online, such as those found at Pest Patrol's research site, SpywareGuide.com, Doxdesk.com, or Kephyr.com. The data stripped from these sites is then dumped into a file to be used by a relatively unsophisticated scan engine that does little more than perform dumb string scans on the hard drive and Registry, a surefire prescription for producing loads of false positives.

Not surprisingly, the anti-spyware applications that result from this blase attitude towards research are utter garbage. The definitions database is absolutely critical to an anti-spyware application, but the sub-standard anti-spyware vendors seem to regard it as an afterthought at best -- as icing on the cake of a flashy GUI and attractive set of web pages. It's the definitions database, however, that sets the few quality applications apart from the great mass of junk.

Sadly, all too many people out there just don't seem to care. Their only goal is to get an anti-spyware product quick and on the cheap. For a truly depressing read, take a look over the current "spyware" work projects being bid on at RentACoder.com:


It's a sure bet that most if not all of the applications that emerge from that degraded development process will wind up on the Rogue/Suspect Anti-Spyware pages.


Eric L. Howes

Full read of thread:
Posted Image
Calendar of Updates
Malware Advisor Blog
HijackThis! Trusted Advisor
Ultimate Countermeasures Page
TeMerc Internet Countermeasures
Remember, you can NEVER be OVERPROTECTED!!!
Proud Member of the Alliance of Security Analysis Professionals
Posted Image

BC AdBot (Login to Remove)


#2 raw


    Bleeping Hacker

  • Members
  • 2,577 posts
  • Gender:Male
  • Location:Texas
  • Local time:07:39 PM

Posted 05 December 2004 - 03:31 AM

I know that to be absolutely true. I have the source code for AdAlert.

AdAlert®, a complete spyware/adware/trojan scanner for your computer. It features a powerful and neat GUI, quarintining of malware files, 3 scanning modes (COMPLETE, CUSTOM, and QUICK), Active Malware Scanning that alerts of you of ANY adware/spyware running in the background, and then suspends the process from running (warning process monitor will not work on 9x OS), live updates and defintion downloads off the internet, a comprehensive help, and plently of customizable settings. --- What is AdAlert® 1.0 Personal? --- AdAlert® 1.0 Personal is an adware, spyware, trojan remover, it also is able to detect some viruses.

With bad intentions I could modify it and sell it to these "band wagons". Stick with the reputable ones:
Lavasoft, JavaCool, Spybot S&D.
Don't be taken in by a program claiming you have spyware and for 30 dollars it will remove it.


 rawcreations.net          @raw_creations

Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.

#3 phawgg


    Learning Daily

  • Members
  • 4,543 posts
  • Location:Washington State, USA
  • Local time:04:39 PM

Posted 05 December 2004 - 01:19 PM

I take that to mean I should uninstall my Rid O' D'Spies 1.23 & the ever popular SuppaStrong*SPY* Laxative? :thumbsup: darn, I liked using 'em right before I ran Cleanup! (with the volume turned up)

Edited by phawgg, 05 December 2004 - 01:25 PM.

patiently patrolling, plenty of persisant pests n' problems ...

#4 KoanYorel


    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:08:39 PM

Posted 05 December 2004 - 01:23 PM

Naw, Go ahead and sell 'em on eBay....

You might get more than 30 USD for 'em both.


The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users