Thursday 26 April 2007
Enigma Software Group: Tracking the Hunter
By Steven Burn - April 26th 2007
How do you gather the masses to ensure your stock price goes up? Simple - ensure lots of people know about it, and scam, err, have them try it.
Indeed, that's just what Enigma Software Group have done via a network of different websites, some making clear they run it - others trying to have you believe others do. The first site I found out about, 411-spyware-remove.com, was spammed to the Security Cadets forums on April 5th. This spam, as you can see from figure 1, attempts to convince us that the SpyLocked infection was resolved by none other than 411-spyware-remove.com. Alas however, these claims are both misleading and spammy. The website offers a file under the title "Automatic Spyware Removal Tool for SpyLocked", with the filename FreeSpywareScanner.exe.
What originally got me curious is that it was UPX packed, and whilst I was able to unpack it, I was not able to actually extract the contents of the installer. All I got was an error from Universal Extractor telling me the installer was corrupt. Loading the installer on the test machine however, it ran absolutely fine, and proceeded to inform me I was installing SpyHunter, the program once listed (and should never have been removed) on Eric Howes' Rogue/Suspect Anti-Spyware Products & Web Sites list.
I ran SpyHunter on my test machine, and did it remove SpyLocked as claimed? ... Did it heck - it didn't even detect it!!!! It detected instead only a few cookies, which it then wanted payment for before it would "remove the parasites".
Enigma Software Group however, didn't just spam one forum - heck no. They wanted to ensure it was seen and promoted in several places, such as eBaums World (1, 2), Lockergnome (1, 2 & 3), Lavasoft (now removed), Smart Computing (1), Aumha (now removed), PC Mag (1, 2, 3), to name but a few.
Enigma Software Group are not newcomers to scandals however; in 2004 they were outed at Spyware Beware, due to their 2-spyware.com website stealing content from other websites in order to push SpyHunter. In 2005 they were outed again for misuse of the Index.dat Suite name, in order to push their Adorons Easy Security, and in some pages, SpyHunter. Indeed, Jurgita tried his/her best to discredit both of the claims, but failed miserably to do so (resulting, for the second case at least, in the removal of the pages making use of the Index.dat Suite name).
Their latest scandal however, is much worse than their previous practices as they have decided that after a period of being quiet, spamming is the best way to make things work for them. However, to make it work best, you need as much publicity and "options" as possible. This has resulted in a plethora of websites being used solely for the purpose of pushing SpyHunter - some making clear Enigma run them, some not so clear.
Sites we know of at present include:
* Also valid as [infection].removal-instructions.com
Excluding their "official" websites (enigmasoftware.com, enigmasoftwaregroup.com) ... and there's likely a lot more we've not yet found (but a note to ESG - we will).
In a not so surprising twist however, it seems Enigma does not like the attention that they are receiving from the security community, and instead, have opted to offer a press release with claims of an "anticompetitive campaign" (see figure 3).
In this press release, they also ask;
"Accordingly, Enigma requests that participants in this forum thread should provide their name, address, and phone number."
So let me get this straight ESG ... you want us to post our personal details, in an OPEN forum? Not very security conscious now is it?
Sorry ESG but, if you are going to resort to such silly techniques to push your product, and push up your stock values, then what do you expect us to do, just ignore it? Somehow I think not.
In a rather interesting twist, I posted in the private area of the hpHosts forums a few weeks ago, concerning 2-spyware.com's rather strange ethics when it comes to those that block them from potential victims. On Feb 7th 2006, 2-spyware.com posted an article entitled "hpHOSTS – untrustworthy resource" at;
As shown by: hxxp://www.kiguolis.com/archives/2006/02/09/hphosts-threat-to-everyday-surfing/
Yet as if by magic, 2-spyware.com now claims this to have been written Feb 5th 2007, as shown at;
... slow day at the office perhaps? Who knows.
Getting back to the main topic however ... the problem Enigma have with the methods they have used in this latest (and probably not the last) scandal, is one of greed.
Instead of doing things ethically, like many other developers do, they've opted for the unethical methods. Setting up a multitude of websites, with enough of a difference to not make it initially clear who actually created and runs the sites, but obvious mistakes that when looked at, give the game away.
For starters, all of the websites referenced above host the file (SpyHunter) themselves, instead of the expected link with an affiliate ID. From there, a quick look further tries to lay the blame on this scam, on affiliates.
Enigma have tried blaming the affiliates before though, just as they will likely do this time round. Hopefully this time, the appropriate bodies such as the FTC, will see through this, just as we do, and finally do something about them.
Enigma Software, A Mystery?
Anti-Spyware 101: Another Site Pushing SpyHunter
SpyHunter, should this be listed as a Rogue Anti-Spyware Application?
411-spyware.com - The new forum spammers?
Enigma Software Try To Silence The Critics
I'm on it, Get on it, The troops are on fire
Threats Against Spyware Detectors, Removers, and Critics
Independent SpyHunter Review (April 28th)
SpyHunter Technical Discussion
Watch out for 2-spyware.com
Email from EnigmaSoftwareGroup
SpyHunter and Ad-aware
Another View of SpyHunter
More on the SpyHunter Story
Update 1: 27th April 2007 - new site found (2-freespywareremoval.com)
Update 2: 27th April 2007 03:24 - Added new reference
Update 3: 27th April 2007 03:39 - pcontech.com is actually a SpyNoMore affiliate - my fault for mixing the files with the ESG ones
Update 4: 27th April 2007 13:50 - 2 new sites found (uninstall-i-lookup.com, uninstall-spyware.com)
Update 5: 29th April 2007 05:23 - Added 2 new references
Update 6: 13th May 2007 22:20 - 2 new sites found (wiki-security.com, remove-spylocked.wiki-security.com)
Update 7: 18th May 2007 07:18 - New site found (removal-instructions.com and *.removal-instructions.com)
Update 8: 23rd October 2007 23:55 - New site found (pcthreat.com) (found by Andy at Security Cadets)
Update 9: 15th February 2008 - New site found (spyware-techie.com) (found by Andy at Security Cadets)