Thursday 26 April 2007 - Enigma Software Group: Tracking the Hunter
By Steven Burn - April 26th 2007

How do you gather the masses to ensure your stock price goes up? Simple - ensure lots of people know about it, and scam err, have them try it.

Indeed, that's just what Enigma Software Group have done via a network of different websites, some making clear they run it - others trying to have you believe others do. The first site I found out about, 411-spyware-remove.com, was spammed to the Security Cadets forums on April 5th. This spam, as you can see from figure 1, attempts to convince us that the SpyLocked infection was resolved by none other than 411-spyware-remove.com. Alas however, these claims are both misleading and spammy. The website offers a file under the title "Automatic Spyware Removal Tool for SpyLocked", with the filename FreeSpywareScanner.exe.

What originally got me curious is that it was UPX packed, and whilst I was able to unpack it, I was not able to actually extract the contents of the installer. All I got was an error from Universal Extractor telling me the installer was corrupt. Loading the installer on the test machine however, it ran absolutely fine, and proceeded to inform me I was installing SpyHunter, the program once listed (and should never have been removed) on Eric Howes' Rogue/Suspect Anti-Spyware Products & Web Sites list.

I ran SpyHunter on my test machine, and did it remove SpyLocked as claimed? ... Did it heck - it didn't even detect it! Instead it detected only a few cookies, which it then wanted payment for before it would "remove the parasites".

Enigma Software Group however, didn't just spam one forum - heck no. They wanted to ensure it was seen and promoted in several places, such as eBaums World (1, 2), Lockergnome (1, 2 & 3), Lavasoft (now removed), Smart Computing (1), Aumha (now removed), PC Mag (1, 2, 3), to name but a few.

Enigma Software Group are not newcomers to scandals however. In 2004 they were outed at Spyware Beware, due to their 2-spyware.com website stealing content from other websites in order to push SpyHunter. In 2005 they were outed again for misuse of the Index.dat Suite name, in order to push their Adorons Easy Security, and in some pages, SpyHunter. Indeed, Jurgita tried his/her best to discredit both of the claims, but failed miserably to do so (resulting, for the second case at least, in the removal of the pages making use of the Index.dat Suite name).

Their latest scandal however, is much worse than their previous practices as they have decided that after a period of being quiet, spamming is the best way to make things work for them. However, to make it work best, you need as much publicity and "options" as possible. This has resulted in a plethora of websites being used solely for the purpose of pushing SpyHunter - some making clear Enigma run them, some not so clear.

Sites we know of at present include:

411-spyware-remove.com
411-spyware.com
spywareremove.com
against-spyware.com
anti-spyware-101.com
spyware-escape.com
spywarelocked.org
xp-vista.com
softvote.com
pcontech.com
2-freespywareremoval.com
uninstall-spyware.com
uninstall-i-lookup.com
wiki-security.com
remove-spylocked.wiki-security.com
www.smitfraud-removal.com.removal-instructions.com*
pcthreat.com
spyware-techie.com

* Also valid as [infection].removal-instructions.com

Excluding their "official" websites (enigmasoftware.com, enigmasoftwaregroup.com) ... and there's likely a lot more we've not yet found (but a note to ESG - we will).

In a not so surprising twist however, it seems Enigma does not like the attention that they are receiving from the security community, and instead, have opted to offer a press release with claims of an "anticompetitive campaign" (see figure 3).

In this press release, they also ask:
"Accordingly, Enigma requests that participants in this forum thread should provide their name, address, and phone number."
So let me get this straight ESG ... you want us to post our personal details, in an OPEN forum? Not very security conscious now is it?

Sorry ESG but, if you are going to resort to such silly techniques to push your product, and push up your stock values, then what do you expect us to do, just ignore it? Somehow I think not.

In a rather interesting twist, I posted in the private area of the hpHosts forums a few weeks ago, concerning 2-spyware.com's rather strange ethics when it comes to those that block them from potential victims. On Feb 7th 2006, 2-spyware.com posted an article entitled "hpHOSTS untrustworthy resource" at:

hxxp://www.2-spyware.com/articles/security/78.html

As shown by: hxxp://www.kiguolis.com/archives/2006/02/09/hphosts-threat-to-everyday-surfing/

Yet as if by magic, 2-spyware.com now claims this to have been written Feb 5th 2007, as shown at:

hxxp://www.2-spyware.com/news/post246.html

... slow day at the office perhaps? Who knows.

Getting back to the main topic however ... the problem Enigma have with the methods they have used in this latest (and probably not the last) scandal, is one of greed. Instead of doing things ethically, like many other developers do, they've opted for the unethical methods. Setting up a multitude of websites, with enough of a difference to not make it initially clear who actually created and runs the sites, but obvious mistakes that when looked at, give the game away.

For starters, all of the websites referenced above host the file (SpyHunter) themselves, instead of the expected link with an affiliate ID. From there, a quick look through the sites shows virtually identical content, re-worded and re-displayed a little, and virtually identical privacy policies and terms of service. Of which, the privacy policy further tries to lay the blame on this scam, on affiliates.
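
The two tells described above (the installer hosted on each site instead of a link carrying an affiliate ID, and near-identical privacy policies) can be checked mechanically when reviewing a set of suspected sibling sites. The sketch below is an added example, not part of the original article; the site names, policy text, affiliate parameter names and the 0.6 threshold are all constructed assumptions.

```python
import re
from itertools import combinations
from urllib.parse import urlparse, parse_qs

# Constructed sample data: hypothetical sites and policy text, not from the article.
SITES = {
    "site-a.example": {
        "policy": "We collect your email address when you purchase the product. "
                  "Affiliates are solely responsible for their own marketing practices.",
        "download": "http://site-a.example/files/scanner.exe",
    },
    "site-b.example": {
        "policy": "We collect your email address whenever you purchase the product. "
                  "Affiliates are solely responsible for their own marketing practices.",
        "download": "http://site-b.example/download/scanner.exe",
    },
    "site-c.example": {
        "policy": "This blog stores no personal data and sets a single session cookie.",
        "download": "http://vendor.example/get?aff_id=1234",
    },
}
AFFILIATE_KEYS = {"aff", "aff_id", "affiliate", "ref"}  # assumed parameter names

def shingles(text, k=3):
    """Set of k-word shingles, case- and punctuation-insensitive."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0

def self_hosted(site, url):
    """True when the download lives on the site itself and carries no affiliate ID."""
    parsed = urlparse(url)
    has_affiliate_id = any(k.lower() in AFFILIATE_KEYS for k in parse_qs(parsed.query))
    return parsed.hostname == site and not has_affiliate_id

def linked_pairs(sites, threshold=0.6):
    """Pairs of sites that both self-host the file and share near-identical policies."""
    sets = {name: shingles(data["policy"]) for name, data in sites.items()}
    hosted = {name for name, data in sites.items() if self_hosted(name, data["download"])}
    scored = ((a, b, jaccard(sets[a], sets[b])) for a, b in combinations(sorted(hosted), 2))
    return [(a, b, round(s, 2)) for a, b, s in scored if s >= threshold]

if __name__ == "__main__":
    for a, b, score in linked_pairs(SITES):
        print(f"{a} <-> {b}: policy similarity {score}")
```

A high score is a lead for manual review, not proof of common ownership, since boilerplate policy templates are widely reused.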

Enigma have tried blaming the affiliates before though, just as they will likely do this time round. Hopefully this time, the appropriate bodies such as the FTC, will see through this, just as we do, and finally do something about them.

References

Enigma Software, A Mystery?
http://securitygarden.blogspot.com/2007/04/enigma-software-mystery.html

Anti-Spyware 101: Another Site Pushing SpyHunter
http://blog.malwareteks.com/?p=92

SpyHunter, should this be listed as a Rogue Anti-Spyware Application?
http://blog.malwareteks.com/?p=88

411-spyware.com - The new forum spammers?
http://www.securitycadets.com/2007/04/411-spywarecom-the-new-forum-spammers/

Enigma Software Try To Silence The Critics
http://temerc.blogspot.com/2007/04/enigma-software-try-to-silence-critics.html

I'm on it, Get on it, The troops are on fire
http://www.vitalsecurity.org/2007/04/im-on-it-get-on-it-troops-are-on-fire.html

Threats Against Spyware Detectors, Removers, and Critics
http://www.benedelman.org/spyware/threats/

Independent SpyHunter Review (April 28th)
http://www.hc-si.info/stuff/e107_plugins/content/content.php?content.8

SpyHunter Technical Discussion
http://spywarewarrior.com/viewtopic.php?t=24810

Watch our for 2-spyware.com
http://www.spywarewarrior.com/viewtopic.php?t=3071

Email from EnigmaSoftwareGroup
http://netrn.net/spywareblog/archives/2004/05/20/email-from-enigmasoftwaregroup/

SpyHunter Revisited
http://netrn.net/spywareblog/archives/2004/08/16/spyhunter-revisited/

SpyHunter and Ad-aware
http://netrn.net/spywareblog/archives/2004/06/24/spyhunter-and-ad-aware/

Another View of SpyHunter
http://netrn.net/spywareblog/archives/2004/06/08/another-view-of-spyhunter/

More on the SpyHunter Story
http://netrn.net/spywareblog/archives/2004/06/07/more-on-the-spyhunter-story/

Update 1: 27th April 2007 - new site found (2-freespywareremoval.com)
Update 2: 27th April 2007 03:24 - Added new reference
Update 3: 27th April 2007 03:39 - pcontech.com is actually a SpyNoMore affiliate - my fault for mixing the files with the ESG ones
Update 4: 27th April 2007 13:50 - 2 new sites found (uninstall-i-lookup.com, uninstall-spyware.com)
Update 5: 29th April 2007 05:23 - Added 2 new references
Update 6: 13th May 2007 22:20 - 2 new sites found (wiki-security.com, remove-spylocked.wiki-security.com)
Update 7: 18th May 2007 07:18 - New site found (removal-instructions.com and *.removal-instructions.com)
Update 8: 23rd October 2007 23:55 - New site found (pcthreat.com) (found by Andy at Security Cadets)
Update 9: 15th February 2008 - New site found (spyware-techie.com) (found by Andy at Security Cadets)