Wednesday, August 16, 2006

Spywares Will Be Spywares

As soon as I heard about free DJ software – KraMixer & MixSense – both from Kramware, I immediately went ahead and started the installation, only to realize that both come bundled with Save software.

A few years ago, Save software used to be a very ‘popular’ spyware – just as prominent as GAIN and a few others were. I had not heard about Save afterwards until I came across these two freeware programs from Kramware. Nevertheless, to give it a shot and see if anything had changed in its ‘spyware’ behavior, I went ahead and installed KraMixer along with its Save and search bar components. Yes, it was not only Save, but also a search bar that came bundled with it (though its installation was optional). Another reason why I still installed it was that it mentioned Save is NOT a spyware! Now this was interesting. I did hear a while ago that GAIN had made efforts to come out of the spyware category, but had never heard about Save making similar efforts – only if it had been technically true. Anyway, after the installation I fired up a couple of monitoring tools (ethereal, filemon, autoruns, procexp, ollydbg) to see what these no-more-spyware programs are up to.

A quick pause here for context – by its basic definition, spyware is a piece of software that monitors users’ browsing habits and sends that information to the software’s owners. It is a broad category, ranging from monitoring just the websites users visit to something as severe as intercepting users’ personal information (e.g., emails, passwords, etc.). The vendors then use this information to send spam mails and targeted advertisements. That is how they make money.

OK, coming back. As was obvious, when I ran Spybot S&D and Windows Defender, both caught Save.exe and its search bar as potential spyware. Now, those same programs, just to avoid being called spyware, have apparently changed their mode of operation. Instead of sending users’ browsing habits back to their owners, they now do the analysis locally on the user’s machine to decide which advertisements to show. As an example, I installed Kramware’s software on a fresh virtual machine and visited the sites of Spybot S&D and Windows Defender. Because both are anti-spyware products, after a few minutes IE started showing pop-ups related to all the anti-spyware software. What goes on in the background, as revealed by the Ethereal dump, is that Save.exe downloads a small database from its website and saves it as C:\Program Files\Save\Save.db. Save.exe also builds another database, store.db, in the same folder, apparently to keep track of all the websites the user visits. Save.exe and the search bar components build up the user’s browsing habits by regularly monitoring IE’s index.dat to peek into all the websites the user visits (I’ll probably write more about these index.dat files in my future posts – they are worth a complete post of their own).
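The behaviour described above (a non-browser process reading IE's index.dat and writing its own database) can be picked out of a file-monitor capture mechanically. The following is an added example, not part of the original post: the tab-separated log layout, the PIDs, the history and cookie paths, the allowlist and the function name `find_history_snoopers` are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed rows in an assumed tab-separated file-monitor export:
# sequence, time, process:pid, request, path, result. PIDs, times and the
# history/cookie paths are invented; the Save paths are the ones named above.
HIST = r"C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat"
COOK = r"C:\Documents and Settings\user\Cookies\index.dat"
ROWS = [
    ("1", "10:02:11", "iexplore.exe:1320", "WRITE", HIST, "SUCCESS"),
    ("2", "10:02:40", "Save.exe:1988", "READ", HIST, "SUCCESS"),
    ("3", "10:02:41", "Save.exe:1988", "WRITE", r"C:\Program Files\Save\store.db", "SUCCESS"),
    ("4", "10:03:05", "explorer.exe:1204", "READ", COOK, "SUCCESS"),
    ("5", "10:03:09", "Save.exe:1988", "READ", r"C:\Program Files\Save\Save.db", "SUCCESS"),
    ("truncated row",),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in ROWS)

# Processes expected to touch IE's index.dat on a clean system (assumed allowlist).
EXPECTED_READERS = frozenset({"iexplore.exe", "explorer.exe"})


def find_history_snoopers(log_text, expected=EXPECTED_READERS):
    """Map each unexpected process that reads an index.dat file to the
    index.dat paths it read and the files it wrote in the same capture."""
    reads, writes = defaultdict(set), defaultdict(set)
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) < 6:
            continue  # skip truncated or header lines
        proc = row[2].rsplit(":", 1)[0].lower()
        request, path = row[3].upper(), row[4]
        if request == "READ" and path.lower().endswith("\\index.dat"):
            reads[proc].add(path)
        elif request == "WRITE":
            writes[proc].add(path)
    return {
        proc: {"index_dat": sorted(paths), "writes": sorted(writes[proc])}
        for proc, paths in reads.items()
        if proc not in expected
    }


if __name__ == "__main__":
    for proc, info in find_history_snoopers(SAMPLE_LOG).items():
        print(proc, info)
```

Listing the writes next to the index.dat reads shows where the collected history ends up on disk, which is the file to inspect or remove during cleanup.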

Still, one good thing about the Save software is that whatever it intends to do, it does with the user’s consent, as mentioned in its privacy policy. But the realization that something running on my machine is constantly monitoring my browsing habits still bothers me.

Kramware: find some place else, not my system; I would rather pay for commercial software.

