Sunday 31 August 2008 - Enigma Software Group: Tracking the Hunter Part 2
By Steven Burn - August 31st 2008

For those not familiar with Part 1, in April of last year, I, along with many others, wrote about Enigma Software Group spam appearing all over the interweb.
Not content with this, SpyHunter was being misrepresented as an automatic removal tool, when in fact it was a free SCAN only; you actually had to pay for the removal. The following is an example of what the pages used to look like:

http://web.archive.org/web/20070408073059/http://www.xp-vista.com/spyware-removal/spylocker-spylocker-removal-instructions

And since the incident? It's changed, of course; it now says "Download SpywareLocked SpyHunter* Spyware Detection Utility.":

http://www.xp-vista.com/spyware-removal/spywarelocked-removal-instructions

I recently spoke with Alvin, CEO of ESG, and he also assured me that ESG dropped the affiliates that were involved in the spamming, always a good thing (whether or not they've re-registered as affiliates is anyone's guess - the internet provides a good enough level of anonymity for spammers, so it will be up to ESG to monitor their affiliates; and of course, whilst we certainly shouldn't be policing companies' affiliates, if we report those we do find doing wrong, we can also help).

Indeed, I've also been keeping an eye out for signs of their spam re-appearing and thus far, I've not spotted any. In addition to this, monitoring the domains used in the spam run shows that a few of them, whilst returning an OK (200) or 0 (not a code that's meant to be used, but one sometimes used by idiotic sysadmins in place of the "real" code) status code, are not actually online anymore. Whether this is because they're re-designing, or have been forced to remove the site, is anyone's guess (heck, it could even be due to their being ditched by ESG and their not having found the new rubbish to peddle). Those that currently appear offline are:

  1. 411-spyware-remove.com
     This one currently returns a 0 status code, along with an additional 403 (Forbidden).

  2. spyware-escape.com
     This one is currently "parked with GoDaddy".

View the complete list of results:

http://mysteryfcm.co.uk/misc/enigma_software_group/esg_domains.html

The only site I currently do have a major issue with is spyware-techie.com, which claims:

[image: SpyHunter]

The problem with this claim, however, is that yes, the adverts are going via a third party; however, no matter how many times you refresh the advert, or how many different user agents you feed it (or indeed, how many IPs), you'll still end up with an advert for SpyHunter. Meaning, in short, that the notice they've displayed is not entirely accurate. There's no way an ad server is *that* targeted so as to display a single advert for a single product each and every time - unless it is specifically told to. This is confirmed when you look at the actual ad URL:

http://www.linksmile.com/adpush.php?id=887&id2=4805&typ=3&f=728x90

A little testing showed that id2= is the parameter we're interested in, and ESG adverts fall between 4700 and 4900. Change the id= parameter and you get an advert for linksmile.com. Change the id2= parameter to anything below 4700 or above 4900 and you get an advert for linksmile.com. The fact that the URL for the advert is not auto-generated on spyware-techie.com means these adverts have been specifically chosen, which contradicts their site notice.

[screenshots: Spyware-techie.com]

We can even see this same behaviour on pchubs.com. In this case, though the adverts are virtually identical, they come from clickxchange.com:

http://www.clickxchange.com/fd.phtml?act=1959077.36

In this case, ESG has 1959077. Changing this to any other value will result in an "ad expired" image showing up. But change the .36 to any value between 30 and 89 and you get ESG adverts - once again, the site's code shows no auto-generation of the ad URL, showing the advert to be specifically chosen.

[screenshots: PCHubs.com]

All adverts for ESG on clickxchange.com are loaded via a 302 redirect, directly from ESG themselves:

http://www.removal-instructions.com/images-p/{AD_IMAGE}

HTTP/1.1 302 Found
Date: Sun, 31 Aug 2008 15:38:53 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8h DAV/2 PHP/5.2.7-dev
X-Powered-By: PHP/5.2.7-dev
Set-Cookie: c195907736=87; expires=Wed, 10-Sep-2008 15:38:53 GMT; path=/
P3P: CP="ALL DSP COR CURa OUR IND UNI"
Location: http://www.removal-instructions.com/images-p/trojan_728x90.png
Content-Length: 0
Connection: close
Content-Type: text/html


Just to be clear, I've no problem with anyone advertising ESG or their products, as long as it is done properly. Or put simply, if you are only going to advertise one product, whether affiliate or otherwise (and especially when the adverts are coming via a third party ad server), tell us why - otherwise you're going to find a lot of suspicious folks such as myself.

I did send an e-mail to both spyware-techie.com and pchubs.com to ask what their relationship to ESG was, but to date have not received a response. I did, however, receive a response from Alvin, who advised me that neither of these sites were affiliates; they have simply chosen to display SpyHunter adverts. In this case, I suppose the benefit of the doubt must be given. However, perhaps a better idea for both of these sites would be to advise specifically why they are advertising only SpyHunter, and not any of the others?

[image: SpyHunter advert "Remove VirusHeal (Free)"]
In a recent blog posting, I also touched on an issue with the ESG adverts that appeared on Google ("Remove VirusHeal (Free)" - shown left). The two problems with this advert are, firstly, that it mentions removal being free but doesn't mention that it's only free if done manually, otherwise the user has to pay for it; secondly, the domain name shown in the advert is NOT the domain name that you will be taken to. Instead you would be taken to www.virusheal-removal.com.removal-instructions.com.
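Two checks a practitioner would want to automate from the above: reading the 302 redirect (and treating a bogus "0" status as no valid code), and comparing the domain an advert displays against the registrable domain it actually lands on. This is an added example, not code from the article; the sample response is the one quoted above, embedded here so it runs offline, and the two-label registrable-domain rule is a simplification (a production check would use the Public Suffix List).

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the 302 response quoted in the article, embedded so
# the example runs without touching the network.
SAMPLE_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Sun, 31 Aug 2008 15:38:53 GMT\r\n"
    "Set-Cookie: c195907736=87; expires=Wed, 10-Sep-2008 15:38:53 GMT; path=/\r\n"
    "Location: http://www.removal-instructions.com/images-p/trojan_728x90.png\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})(?: |$)")

def parse_response(raw):
    """Return (status, headers). status is None when the status line carries
    no real three-digit code, e.g. the bogus '0' some hosts return."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.splitlines()
    m = STATUS_LINE.match(lines[0])
    status = int(m.group(1)) if m else None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def redirect_target(raw):
    """Location of a 3xx redirect, or None if the response is not one."""
    status, headers = parse_response(raw)
    if status in (301, 302, 303, 307, 308) and headers.get("location"):
        return headers["location"][0]
    return None

def registrable_domain(host_or_url):
    """Naive eTLD+1 (last two labels); fine for .com, simplification for others."""
    if "://" in host_or_url:
        host = urlsplit(host_or_url).hostname or ""
    else:
        host = host_or_url.split("/")[0]
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def displayed_matches_landing(displayed, landing_url):
    """False when the display domain is merely a subdomain label of some
    other registrable domain (virusheal-removal.com vs
    www.virusheal-removal.com.removal-instructions.com)."""
    return registrable_domain(displayed) == registrable_domain(landing_url)
```
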
[image: SpyHunter advert "Remove AntiVirus 2009"]
So what do the new adverts look like? Alvin already showed me what the modified adverts would look like when I was talking to him, but I took a look whilst writing this article, and well, see for yourself ("Remove AntiVirus 2009" - shown right). The new adverts are a major improvement over the old, as the misleading URL is gone, and the word "Free" has been moved and renamed "Free Scan" to make it clearer to the user.

We've seen that ESG themselves have improved as time has gone by; as I mentioned in the blog, instead of going on the offensive and trying to sue the bejingles out of everyone, they are much more willing to co-operate and work together to resolve issues that arise. A sign of good intentions.

So what of SpyHunter itself? Well on August 13th, I ran a quick scan with SH, and it detected DMSetup.exe (part of SiteAdvisor Plus) (1 / 2), an F/P that was thankfully corrected by Alvin and his product manager (McAfee wouldn't have been too pleased with that one). However, I ran SH again on a fully clean system prior to my first blog posting, and other than a few cookies, nothing was detected, so no more false positives.

I spoke to Alvin concerning the cookies, and the fact that SH should remove these for free. He agreed that removing them for free was a good idea, and is "open to the idea", which I presume means he is pondering removing these for free in a future version?

So, is SpyHunter a rogue? My recent testing suggests no, it isn't. Though I should mention, my testing did not include actual removal of infections (I don't have a licence for SH). I also didn't pit SH against the gigabytes of malware samples I have (sure, I could see which were detected, but that's pointless if I can't also test removal).

Based on all of the above, would I recommend SpyHunter? Put simply, no. Whilst my tests showed it was not a rogue, and ESG themselves have improved, there are several things still putting me off - first and foremost being the lack of a fully functional trial (I'm not paying for something that I can't test first).



References

Enigma Software Group: Tracking the Hunter
http://mysteryfcm.co.uk/?mode=Articles&date=26-04-2007

Enigma Software Group - SpyHunter and Misleading adverts
http://hphosts.blogspot.com/2008/08/i-re-tested-spyhunter-see-references.html

Enigma Software Group removed from hpHosts
http://hphosts.blogspot.com/2008/08/enigma-software-group-removed-from.html
