Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Saturday, December 03, 2005

180Solutions vs. Zone Labs

I caused a little bit of a stir this week when I appeared to side with adware company 180Solutions in their lawsuit against Zone Labs, makers of Zone Alarm. 180Solutions has never been happy with most of the industry calling their programs Spyware and has tried in vain to scare security companies with bogus lawsuits. In one of the new versions of Zone Alarm, Zone Labs goes a step farther by implying that 180Solutions is monitoring your keystrokes and mouse movements.

The question here isn't whether 180Solutions is spyware. Everyone I've talked to would agree they use despicable tactics to get installed on machines and would be considered spyware. The point missed by many recent news reports is: do they monitor keystrokes?

I experienced frustration and even anger with Zone Alarm when they started to tag my own program, WinPatrol, as a "key logger". I received a number of frantic Emails from loyal users and more than a few angry ones from users who took the message at face value and didn't know my reputation.
Most folks told me I had a good case against Zone Labs and recommended that I proceed with a lawsuit. Well, I'm just not that kinda guy. I have always been a fan of Zone Labs because they still make their basic product available for free.

Instead, I contacted Zone Labs to inform them of their error. Their response was very positive and they introduced me to their PASS Partner program which "enables software vendors to ensure their applications integrate seamlessly with Zone Labs products".
"Zone Labs provides software vendors with a tool to scan their network enabled executables and create checksums. These application checksums are used to automatically configure program permissions within Zone Labs products." I now use the tool provided by Zone Labs and send them the appropriate information each time a new version of WinPatrol is released.

While this solution worked for me, it still means that Zone Alarm will incorrectly flag many programs as key loggers when in fact they don't log keys or mouse movements. Zone Alarm's fault here is that they detect when applications use a particular Windows API function called "SetWindowsHook". This function has been around since Windows 3.1 and can be used to monitor a variety of actions within the operating system. In my case WinPatrol uses it to help us detect anytime a new program tries to launch. A 1993 article by Kyle Marsh details the useful capabilities of setting a Windows hook.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwui/html/msdn_hooks32.asp

I've listed some here:
  • Process or modify all messages meant for all the dialog boxes, message boxes, scroll bars, or menus for an application or system
  • Process or modify all messages (of any type) whenever a SendMessage function is called (WH_CALLWNDPROC).
  • Process, modify, or remove keyboard events (WH_KEYBOARD).
  • Process, modify, or discard mouse events (WH_MOUSE).
  • Respond to certain system actions, making it possible to develop computer-based training (CBT) for applications (WH_CBT).

Obviously, not all programs using this function are malicious key loggers. By flagging all applications that use this function as Key Loggers, Zone Alarm is needlessly scaring the crap out of their users and giving a black eye to many legitimate programs. What's worse is they've opened up the door for a notorious company like 180Solutions to actually have a valid complaint.
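To make that distinction concrete, here is an added example (not code from WinPatrol, Zone Alarm or the original post) that triages a hook installation by its hook type instead of by the mere use of SetWindowsHook, covering more hook types than the five listed above. The three tiers, the process names and the sample events are assumptions constructed for illustration; the WH_* values are the ones the Windows SDK defines.

```c
#include <stdio.h>
#include <stddef.h>
/* Hook type ids, values as in winuser.h; repeated so this builds without windows.h. */
enum { WH_MSGFILTER = -1, WH_JOURNALRECORD = 0, WH_JOURNALPLAYBACK = 1,
       WH_KEYBOARD = 2, WH_GETMESSAGE = 3, WH_CALLWNDPROC = 4, WH_CBT = 5,
       WH_SYSMSGFILTER = 6, WH_MOUSE = 7, WH_DEBUG = 9, WH_SHELL = 10,
       WH_FOREGROUNDIDLE = 11, WH_CALLWNDPROCRET = 12,
       WH_KEYBOARD_LL = 13, WH_MOUSE_LL = 14 };

/* Triage tiers are this example's own heuristic, not Zone Alarm's logic. */
typedef enum { HOOK_OTHER, HOOK_REVIEW, HOOK_INPUT, HOOK_UNKNOWN } hook_class;

hook_class classify_hook(int id_hook) {
    switch (id_hook) {
    case WH_KEYBOARD: case WH_KEYBOARD_LL: case WH_MOUSE: case WH_MOUSE_LL:
    case WH_JOURNALRECORD:
        return HOOK_INPUT;   /* receives key/mouse events; still not proof of logging */
    case WH_GETMESSAGE: case WH_CALLWNDPROC: case WH_CALLWNDPROCRET:
    case WH_MSGFILTER: case WH_SYSMSGFILTER: case WH_DEBUG:
        return HOOK_REVIEW;  /* sees message traffic; check what is done with it */
    case WH_CBT: case WH_SHELL: case WH_FOREGROUNDIDLE: case WH_JOURNALPLAYBACK:
        return HOOK_OTHER;   /* not an input-monitoring hook by itself */
    default:
        return HOOK_UNKNOWN; /* id this example does not know about */
    }
}

struct hook_event { const char *process; int id_hook; };
/* Constructed observations; the process names are hypothetical. */
static const struct hook_event SAMPLE[] = {
    { "startup_monitor.exe", WH_CBT },
    { "hotkey_helper.exe",   WH_KEYBOARD_LL },
    { "ui_skinner.exe",      WH_CALLWNDPROC },
    { "tray_tool.exe",       WH_SHELL },
};

/* Count how many observed hook installs fall into one tier. */
size_t count_class(const struct hook_event *ev, size_t n, hook_class c) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_hook(ev[i].id_hook) == c) hits++;
    return hits;
}

int main(void) {
    static const char *label[] = { "other", "review", "input", "unknown" };
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        printf("%-20s idHook=%2d -> %s\n", SAMPLE[i].process,
               SAMPLE[i].id_hook, label[classify_hook(SAMPLE[i].id_hook)]);
    return 0;
}
```

A rule that fires on any hook install would flag all four sample programs; keyed on hook type, only one of them lands in the input tier, and even that tier is a reason to look closer, not a verdict.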



    1 Comments:

    Blogger TeMerc said...

    Nice write up Bill. Shows how some legit programs can be flagged, and in your case dealt with properly. My guess would be that ZA probably knew what the 180Solutions app was trying to do.

    Very much as shown by this writeup by Paperghost with some info on what Zango tries to do:
    http://www.vitalsecurity.org/2005/12/weve-heard-riff-and-now-for-hook.html

    Good thing those guys at 180 are kinda slow, or they'd have us all hoodwinked.

    10:31 AM  
