Slashdot Mirror


Spyware in Kazaa, Limewire, Grokster

BigMacMike writes: "The San Francisco Chronicle (via the sfgate.com website) has a story that Kazaa, LimeWire, and others have secretly hidden software in their applications that tracks users' browsing habits." Not the first time. The corporate response is that they literally didn't know what was in these secondary applications that they were providing to be downloaded and installed alongside their primary program. Believe it if you wish.

21 of 364 comments

  1. wow... now i feel kinda bad... by Mr. Quick · · Score: 5, Funny

    ... for downloading all that pr0n...

    hope limewire doesn't sell this info to my girlfriend...

    "honey, this jenna jameson person has a lot of stuff on your computer, do you work with her?"

  2. Re:Double Edged Sword... by Cheshire Cat · · Score: 5, Insightful
    > Free music has a price, and it's really not all that bad if your computer doesn't have anything REALLY incriminating on it

    This is frighteningly similar to the argument that if you have nothing to hide, why, you won't mind the police searching your house. It's not the fact that I'm trying to hide something, I just feel that it's an intrusion of my privacy when programs report my activities to a third party.

    --

    Last night I shot an elephant in my pajamas. How he got in my pajamas I'll never know.
  3. BearShare by MoceanWorker · · Score: 5, Interesting

    another program that gives a user access to the gnutella network comes with 3 spyware programs to spy on users...

    first being Onflow Media Player... it is a Flash-like browser plug-in which displays animations and transmits user behavior information (not further specified) to the Onflow central servers.

    second being SaveNow... SaveNow displays context-related shopping pop-up windows in IE... the context information seems to reside on the client side so that no information has to be transmitted to the central server

    third being New.net, which is an alternative Domain Name Service which allows you to connect to TLDs like .free , .shop, .game and .xxx, etc, etc.... also, as they have to query an alternative DNS to let you access these sites, they will be able to track every visit to new.net-"powered" sites.

    not to mention all of these programs have silent auto-updates...

    why can't we all just use FreeNet? :-\

    --


    "The ones who don't do anything are always the ones who try to pull you down" -- Henry Rollins
  4. If the information they collect was useless... by stefanlasiewski · · Score: 4, Insightful

    If the information they collect was useless, then they would not collect the information.

    --
    "Can of worms? The can is open... the worms are everywhere."
  5. get rid of all spy ware by flynt · · Score: 5, Informative

    Download the acclaimed Ad Aware program (link provided) here. It searches your registry and all your drives for running and installed spyware programs. It works great.

    1. Re:get rid of all spy ware by debrain · · Score: 4, Insightful

      A point of interest: If all the intellectually affluent people know how to, and indeed do, uninstall spyware, and this margin is not taken into account by the people that are recipients of the spyware data, would this not lead to a sponsoring of a dumber internet by promoting the sites that attract, well, the less technically fortunate?

      Suppose HP (who is advertising here right now, by the looks of it) is looking to advertise on the net - if the spyware data they buy shows that Slashdot, for example, is hardly even notable on the top spyware list, would this not be detrimental to Slashdot's (or rather VA's) efforts to make a buck off advertising, and in particular directed advertising? Advertisements that are possibly better directed to Slashdot may go to PC Magazine (for lack of a more appropriate choice) or other "mainstream" service.

      Of course, when advertising a car, Slashdot is hardly well-directed advertising and is oft notably a selection of people most fortunate technically, but there is probably a clear area where the technically inclined can find better content on any topic over the internet that spyware would never reveal statistically.

  6. Re:Mac versions by christurkel · · Score: 4, Informative

    No, the program seems to be Windows only, according to LimeWire.

    --

    CDE open sourced! https://sourceforge.net/projects/cdesktopenv/
  7. What makes you think they only log downloads? by Carnage4Life · · Score: 5, Informative

    I wrote an article on Kuro5hin entitled The Spyware Invasion when I found out that there was a piece of Spyware (WebHancer) on my machine that was logging EVERY URL I VISITED. It turns out that this company sells these statistics that they obtain from over 16 million unsuspecting users to businesses for over $12,000 a pop.

    What bothered me in particular about this approach is that I know a few websites that log users in with their password in the URL (Slashdot is one of them) and I wondered exactly how many of my passwords and userIDs had been sent to webHancer over the past weeks I had it unknowingly running on my machine. Of course, I quickly ran Ad-Aware on my machine and changed all my online passwords.

    PS: The offending application that installed this spyware was AudioGalaxy.

  8. Re:originally called a trojan by H310iSe · · Score: 5, Interesting

    It was in the register (my other regular read who scoops slashdot at least 1/2 the time BTW) - and people above seem to have been missing the point, yes, this is not gator or some other silly thing, it's spyware classified as a trojan by antivirus vendors because, it appears, no-one knows what exactly it does.
    LINKS: - the register article
    zdnet on the trojan
    symantec listing the file as a trojan

    --
    closed minded is as closed minded does
  9. FreeNet by HamNRye · · Score: 4, Funny

    Because if we all used FreeNet it would crash like a Microsoft built cessna flown by John Denver.

  10. Kazaa has it big time... by tcc · · Score: 5, Informative

    AD-AWARE (current 5.62) is one of the BEST ad removal tools for windows computer, grab it at Lavasoft. It's free, it has updates (download the latest definition file after installing the 5.62 version) and I've tracked its every move with a filesystem scanner, and it doesn't put trash anywhere in your system.

    It scans Registry, cookies, files, dlls, and it found the Kazaa backdoor installed in my system. Usually when you put a software you can remove its tracking bugware and the main software will still run (I remember posting an article here over a year ago about bearshare having that same type of crap that Kazaa is using right now but it got rejected). What's interesting about Kazaa is if you remove the offending DLL (which is Cydoor bugtracking stuff), Kazaa won't start anymore, this really shows how BAD they want to track your moves.

    While I don't have anything against software companies making a buck by selling tracked info, I do have something against companies being hypocritical about it. When you install Kazaa, it offers you a lot of "free stuff" that any above-average user knows means advertising stuff, spamming and tracking. This is okay in my book, at LEAST it's part of the installer and if you don't know and say yes, well that becomes your problem. What I find really hypocritical is I've unselected EVERYTHING except "Kazaa needed files" and it STILL installed that bugware thing, and it's not mentioned anywhere CLEARLY in the installer. People get pissed at microsoft activation process which is clear, known and way less intrusive than that, but they let that pass in exchange of leeching free MP3, vids, p0rn and warez. If one day the big suppliers of content on those services have an FBI raid at their places, they'll scream justice and claim that FBI couldn't use the information that Kazaa was getting from them because it's not constitutional. Well I'd say, make up your mind, if you want P2P and privacy, go to some other service, an example, Download winMX, run Ad-aware in case there's anything installed with the newer versions, and it will probably still run after the cleaning process (I use winMX I love it). Don't support crooks like Kazaa and bearshare that are trying to look friendly, on your side, and pro this and that, while they turn around and sell your browsing habits without your knowledge.

    Also, notice when you're not uploading or downloading, but kazaa is running.. your drive burps every 5 seconds.... I'm still trying to figure out why.. it doesn't stop even after an hour.. it's not "windows-typical" drive burping.

    Anyways... hope that helps anyone out there.

    --
    --- Metamoderating abusive downgraders since my 300th post.
    1. Re:Kazaa has it big time... by LiENUS · · Score: 5, Informative

      problem is kazaa won't run unless cd_Clint.dll exists, www.cexx.org has a cd_clint dummy dll file that will deactivate it and let kazaa continue to run.

    2. Re:Kazaa has it big time... by Tackhead · · Score: 4, Informative
      > Also, notice when you're not uploading or downloading, but kazaa is running.. your drive burps every 5 seconds.... I'm still trying to figure out why.. it doesn't stop even after an hour.. it's not "windows-typical" drive burping.

      I don't use spyware, so I never installed Kazaa, so I can't help you. But I'm curious, too. (I hate advertisers, and anything that threatens to kick over the rocks under which they grow is k00l by me ;)

      So try a utility like this one: Sysinternals' filemon.exe

      Could be as innocent as your swap file, 'cuz some Windoze proggies leak memory like sieves. Could be something less-than-innocent. Let us know!

  11. It's ClickTillUWin by Kman_xth · · Score: 5, Informative

    Here's a (dutch :P) site about this thing, with more details http://www.zdnet.nl/News.cfm?id=14504 The article says that LimeWire 2.0.2 and Grokster ask on installation if you want to install a certain 'service' or program called 'ClickTillUWin'. Whether or not you confirm or deny this request, it secretly DOES install it on your pc. This so-called online lottery game contains the trojan. If you go to clicktilUwin.com you'll see that there are possibly more programs 'infected' by this trojan (check the partners section). What it basically does (according to the above article) is install a file called Dlder.exe. When you start the p2p program it came with, dlder.exe will automatically start too and download a second piece, called explorer.exe (and no, not the same one windows users normally have). This program then does some things to the windows registry and sends usernames and your ip address to http://www.2001-007.com. Symantec (the guys of Norton Antivirus) have called this thing a trojan horse and all of their antivirus applications will recognize it as one. The above article also states that other antivirus companies have also already updated their software (waiting for you to press the 'update button' that is :)

  12. SaveNow Must Die! by fm6 · · Score: 5, Insightful
    There's all kinds of nasty spyware and adware out there, but the one that raises my blood pressure is SaveNow/WhenUShop. This is supposedly a voluntary opt-in system, but some program (probably BearShare) installed it covertly on my system and didn't remove it when I uninstalled.

    The loss of privacy was bad enough, but SaveNow seems to work by hooking into Windows Explorer and intercepting a great many application events. For a long time I blamed the resulting performance hit on a combination of my own excessive system tweaking, buggy Explorer plugins, and MS software bloat. It wasn't until Explorer froze up totally that I realized some background process was interfering with it, and found the culprit by process of elimination.

    It strikes me that this is not very different from activities that have gotten people sued or even arrested. It's all there -- unauthorized access, theft of services, malicious action. Perhaps it's time we gave Mister Ashcroft a call!

  13. Re:How can you tell if it's installed? by kubla2000 · · Score: 4, Informative

    You can also do as The Register's oft-quoted article suggests:

    Those who prefer to see to their own Trojan removal need only search for a hidden directory under their \Windows directory called \Explorer. Simply delete the \Windows\Explorer directory, along with the companion file Dlder.exe in the \Windows directory.

  14. Re:morpheus by MushMouth · · Score: 4, Informative

    I thought you guys were sophisticated.

    add this to your "hosts" file

    127.0.0.1 ads.musiccity.com

    (if you don't know where that is do a find hosts, it is somewhere in your windows directory). Morpheus will no longer pop up any ads
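
The hosts-file blocking suggested in this thread only works when every entry really points at a local sink, so here is an added example (not part of any poster's comment) that audits such a file. It assumes the file is used purely as a blocklist; `lint_blocklist` and the sample text are constructed for illustration, with two host names taken from the thread.

```python
import ipaddress

# Constructed sample: two names from the thread plus deliberate mistakes.
SAMPLE_HOSTS = """\
# ad blocking
127.0.0.1 localhost
127.0.0.1 ads.musiccity.com
127.0.0.1 ads.x10.com
172.0.0.1 ads.example.test      # typo: routable address, not loopback
127.0.0.1 ADS.X10.COM           # duplicate (host names are case-insensitive)
0.0.0.0   tracker.example.test
not-an-ip broken.example.test
"""


def parse_hosts(text):
    """Yield (line_no, address, [lower-cased names]) for each real entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        yield line_no, fields[0], [name.lower() for name in fields[1:]]


def lint_blocklist(text):
    """Return (blocked_names, problems) for a hosts file used as a blocklist.

    Assumption: any name mapped to a non-loopback, non-0.0.0.0 address is
    reported, because such a line does not block anything; it redirects
    the name to whoever owns that address.
    """
    blocked, problems, seen = set(), [], {}
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append((line_no, "invalid address %r" % addr))
            continue
        if not names:
            problems.append((line_no, "address without a host name"))
            continue
        is_sink = ip.is_loopback or ip.is_unspecified
        for name in names:
            if name in seen:
                problems.append(
                    (line_no, "%s already defined on line %d" % (name, seen[name])))
                continue
            seen[name] = line_no
            if name == "localhost":
                continue                       # normal entry, not a block
            if is_sink:
                blocked.add(name)
            else:
                problems.append(
                    (line_no, "%s maps to %s, which is not a local sink" % (name, addr)))
    return blocked, problems


if __name__ == "__main__":
    blocked, problems = lint_blocklist(SAMPLE_HOSTS)
    print("blocked:", sorted(blocked))
    for line_no, message in problems:
        print("line %d: %s" % (line_no, message))
```
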

  15. Here is a comprehensive Hosts File that blocks em by sh0rtie · · Score: 5, Informative

    here is a really comprehensive hosts file that blocks morpheus,bearshare,hotline and 10,000 advert servers, daily updates, instructions and works on all platforms including Linux/beos/macs ;)

  16. You installed that spyware. by toofast · · Score: 5, Insightful

    A friend of mine worked at webHancer for a while. Trust me, there's a nice dialog that:
    1. tells you what webHancer is
    2. tells you what webHancer does
    3. asks you if you want to install audiogalaxy with or without it.

    I've installed audiogalaxy several times, and all you have to do is uncheck the check box. But most people click "Next" without even reading the dialogs.

    You consented to it. That doesn't make it spyware, it makes it ignorantware.

  17. How it works (the real facts) by DABANSHEE · · Score: 5, Informative

    1st a quote..

    "F-Secure Virus Descriptions

    NAME: DlDer
    ALIAS: Trojan.Win32.DlDer, Troj_DlDer

    This two-component trojan was discovered in the end of December 2001. The trojan being installed on a user's system constantly upgrades its main component that connects to 2001-007.com website and reports user's ID, web browser a user is using and all URLs that a web browser and all its child windows open. The trojan violates user's privacy and opens a security hole in a system by downloading and activating executable files.

    The main component of the trojan is Explorer.exe file that is located in Windows folder in \Explorer\ subfolder (do not mix with the original Windows' Explorer.exe). This component is constantly upgraded by the second trojan component that has the name 'DlDer.exe' and is located in Windows folder.

    The DlDer.exe file is most likely dropped to user's system by ActiveX applet or Javascript code that a user doesn't notice when he is browsing Internet. The exact way how this file is dropped is not yet known. The case is under investigation.

    The DlDer.exe file when it is started downloads Explorer.exe file from a website and puts it to \Windows\Explorer\ folder. Then the trojan creates a startup key for Explorer.exe file. On next System restart the Explorer.exe file is activated and it creates a startup key for DlDer.exe file and starts to connect to 2001-007.com website and report user's ID, web browser and all URLs that a user visits to there.

    We recommend to delete both trojan components from an infected system. If these components can't be deleted (locked files) they should be deleted from pure DOS (in case of Windows 9x system) or renamed with different extensions (EXA for example) with immediate system restart (in case of Windows NT/2000/XP system).

    [F-Secure Anti-Virus Research Team, December 28th, 2001]"

    Now some links

    Arstechnica Forum - "Is download.com infected with a virus???"

    Arstechnica Forum - "explorer.exe and Explorer.exe"

    Computing.Net Forum - "How to delete trojan in explorer.exe"

    Gnutella Forum - "p2p Trojan info"
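
The two file locations given in the F-Secure description quoted above can be checked mechanically. This is an added example, not code from F-Secure or from the poster; the function names and the temporary directory fixture are constructed for illustration, and only the file names and folder layout come from the quoted text.

```python
import os
import tempfile

# Locations from the quoted description, relative to the Windows folder.
# Windows file names are case-insensitive, so matching is done lower-cased.
DLDER_ARTIFACTS = {
    ("dlder.exe",): "downloader component (DlDer.exe)",
    ("explorer", "explorer.exe"): "main component (\\Explorer\\Explorer.exe)",
}


def _find_ci(parent, name):
    """Return the real path of `name` inside `parent`, ignoring case, or None."""
    try:
        entries = os.listdir(parent)
    except OSError:            # missing, unreadable, or not a directory
        return None
    for entry in entries:
        if entry.lower() == name:
            return os.path.join(parent, entry)
    return None


def scan_windows_dir(windows_dir):
    """Return [(path, description)] for each DlDer artifact that exists."""
    findings = []
    for parts, description in DLDER_ARTIFACTS.items():
        current = windows_dir
        for part in parts:
            current = _find_ci(current, part)
            if current is None:
                break
        # The legitimate shell is <windows_dir>\explorer.exe; it is never
        # reported because the trojan's copy sits one level down, inside
        # the \Explorer\ subfolder.
        if current is not None and os.path.isfile(current):
            findings.append((current, description))
    return findings


def build_sample_tree(root, infected):
    """Constructed fixture: a fake Windows folder, optionally with artifacts."""
    open(os.path.join(root, "explorer.exe"), "wb").close()   # legitimate shell
    if infected:
        open(os.path.join(root, "DLDER.EXE"), "wb").close()
        os.mkdir(os.path.join(root, "Explorer"))
        open(os.path.join(root, "Explorer", "Explorer.exe"), "wb").close()
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as clean, \
            tempfile.TemporaryDirectory() as bad:
        print("clean:", scan_windows_dir(build_sample_tree(clean, False)))
        for path, what in scan_windows_dir(build_sample_tree(bad, True)):
            print("found:", what, "->", path)
```

On a real machine the argument would be the Windows folder itself; the startup keys mentioned in the description are not checked here because the quoted text does not name them.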

  18. C:\WINNT\system32\drivers\etc\hosts by Anonymous Coward · · Score: 4, Informative

    they probably won't mod up a helpful windows post, so the answer for windows users is in the subject line. ad-haters might like to add all these:

    127.0.0.1 ads.x10.com
    127.0.0.1 ads.musiccity.com
