Did ZoneAlarm Really Get it Wrong?
After reading about the lawsuit I set out to see for myself what all the controversy was about ... The machine used was a fresh install of Windows XP Pro SP2, running (beta version) Windows OneCare and (beta version) Microsoft Anti-Spyware and AntiHook 2.5. I then visited 180Solutions and selected to download Zango offered on their site.
What is Zango? 180Solutions description: Free online games brought to you by Zango, your online entertainment provider. Play online arcade games, card games, board games and puzzles.
After downloading the file it was scanned at Jotti's and the results were:
As you can see there are still 2 Antivirus programs that detect Zango ...
Next the install was started and the Windows OneCare Firewall prompts once with ...
However 3 different entries are created and set as Allowed in the Firewall ... why 3?
During the install AntiHook stops the install and presents this prompt ... oh my what's that?
As you can see in the screenshot Zango does hook (WH_SHELL) itself into the system.
Microsoft: About Hooks - "Hooks tend to slow down the system because they increase the amount of processing the system must perform for each message. You should install a hook only when necessary, and remove it as soon as possible".
Did ZoneAlarm get it wrong?
What is a WH_CBT hook?
Microsoft Description: The system calls a WH_CBT hook procedure before activating, creating, destroying, minimizing, maximizing, moving, or sizing a window; before completing a system command; before removing a mouse or keyboard event from the system message queue; before setting the input focus; or before synchronizing with the system message queue.
Revised: in further checking the "WH_CBT" was not from Zango, but rather from clicking a pop-up from Zango and ending up with an Apropos install. Since this happened during the same session I incorrectly assumed it came from Zango. The drive was formatted afterwards so I was unable to reproduce the WH_CBT results.
180Solutions was complaining that "ZoneAlarm was advising that our 180search Assistant “is trying to monitor your mouse movements and keyboard strokes”".
Revised: it sure looks like it is monitoring everything else!
The next prompt I get is that Zango is hooking into OneCare, not just OneCare but into everything else that loads or interacts with the system. So you have to ask yourself is all this really necessary for some fun-and-games?
I then fired up Microsoft Anti-Spyware ... but wait that gets hooked too!
Just what useful purpose does this serve? Oh yeah ... "fun and games with Zango"
So what were the Microsoft Anti-Spyware results? Not much different than the results from ZoneAlarm ... I'm not a lawyer but what is "Joe average user" supposed to think? Remove or quarantine, it's all a matter of legal terms I guess ... but 180Solutions complains about that too.
Meanwhile, Congress is considering adding “Good Samaritan” language to any new spyware law enacted. If that happens, companies like Microsoft, CA and Zone Labs – as well as others who themselves profit from competing online advertising models – would get virtually limitless legal protection from companies like ours. Potentially, all a scanning app company would have to do is show “good faith” and they would have safe harbor protection.
Microsoft, CA and Zone Labs are not operating in good faith? Or is it possibly the other way around?
The scan results were saved and can be viewed here (no removal action was taken)
Perhaps the Microsoft Anti-Spyware team needs to take another look at zangohook.dll?
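The post reports the Zango hook reaching into OneCare, Microsoft Anti-Spyware and everything else that loads. One way to check which running processes currently have a given DLL loaded is sketched below as an added example (not the author's tooling); the function name `Find-LoadedModule` is hypothetical, and `zangohook.dll` is the module name mentioned above.

```powershell
# Added example: report every process that has a named DLL loaded.
# Run from an elevated prompt to inspect as many processes as possible.
function Find-LoadedModule {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ModuleName   # file name only, e.g. 'zangohook.dll'
    )

    foreach ($proc in Get-Process) {
        $mods = $null
        try {
            # The module list is not readable for every process
            # (for example protected processes when not elevated).
            $mods = $proc.Modules
        }
        catch {
            $mods = $null
        }

        if ($null -eq $mods) {
            # Report what could not be checked instead of hiding it.
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                Id          = $proc.Id
                Path        = $null
                Status      = 'NotInspected'
            }
            continue
        }

        foreach ($m in $mods) {
            if ($m.ModuleName -ieq $ModuleName) {
                [pscustomobject]@{
                    ProcessName = $proc.ProcessName
                    Id          = $proc.Id
                    Path        = $m.FileName
                    Status      = 'Loaded'
                }
            }
        }
    }
}

# List processes carrying the DLL first, then those that could not be read.
Find-LoadedModule -ModuleName 'zangohook.dll' |
    Sort-Object Status, ProcessName |
    Format-Table -AutoSize
```

Rows marked `NotInspected` are processes whose module list could not be read, so an empty `Loaded` set is only conclusive for the processes that were actually inspected.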
Next I removed the 3 entries from the Firewall for Zango (still wondering why it needs 3) and started the uninstall via Add Remove. Well the next prompt I get is Zango wants to establish a connection again ... for what? Zango calls home so much I couldn't keep track.
I selected the option to Block the connection which brought up several other prompts wanting to connect.
Completed the uninstall, rebooted, and rescanned with Microsoft Anti-Spyware, and to 180's credit the system scanned clean.
kudos for a clean uninstall ...
Was ZoneAlarm so wrong in the 180Solutions detection description?
Perhaps in technical legal terms (again I'm not a lawyer) but not the possible effects this type of program could have. Once "hooked" into the system and full access to connect ... what's to stop it from who knows what ... all this from a company with a history of very questionable tactics, however they state they are cleaning up their act again. Oh no what's this? ... not another one!
Revised: reinstalled Zango today and I find more disturbing results. While signing into Hotmail I get a pop-up that Zango wants another connection. Mind you this is in the middle of signing in ... is Zango gathering this info too? They say NO but it sure makes you wonder about the timing.
After signing in I then get yet another disturbing pop-up and right in the middle of the pop-up I get a prompt that Zango wants to copy the info from the Clipboard ... imagine that! What if I have some sensitive info there? (passwords, etc.) Yikes!
While in the process of trying to cancel out of the above I get another pop-up from "exactsearch.net" (eXact Advertising) ... Oh no am I going to get infected again this time from eXact? This is scary stuff being it's in the middle of my Hotmail account!
So did ZoneAlarm get it wrong? ... you decide ... but ask yourself this ... do other game programs do this?
The above reflects my own personal opinion, not that of Microsoft or any of the other products mentioned.
Mike Burgess
"There's no place like 127.0.0.1"