Thursday, April 25, 2013

Recovering From Accusations of Malware


Here is the story of my 8 year battle against false reports of malware in my software, how I eventually won that battle, and how you can ensure the same thing doesn't happen to your website or products.

The Beginning: Can one person make an effective anti-spyware product?

In 2005 my software company was two years old, I had a good number of customers, and people were hungry for more private label software.  The economy was great and I had a lot of requests to create new private label applications.

In particular, there were many requests for anti-spyware and anti-virus products.  However, I always turned them down citing the inability to maintain a good definitions database.

Eventually, I found a way that I could maintain a definitions database for spyware (not antivirus) by creating internal software that sourced information about files from the web, meaning I didn't need a team to maintain definitions.

With that, I created what I think was a fairly good and safe anti-spyware product that I called Ad-Purge.    Upon release it sold well and people seemed to like it for a light-weight spyware solution.  However, because of the crowd sourced definitions it was prone to false positives: if a lot of websites thought a file was spyware then Ad-Purge did too.

The Spyware Warrior on the Offensive

Within a few months of release Ad-Purge was labeled as a "rogue anti-virus product" by a person who called himself Spyware Warrior.  I, of course, was appalled.  I wrote to him trying to clear my name; I made changes to the software to make it more consumer friendly; I kept a close watch on the definitions to avoid false positives, but Spyware Warrior was determined that I created the product with bad intentions.

I eventually decided that Mr. Spyware Warrior was simply a jerk and went back to what I enjoyed: writing software instead of spending time trying to appease him.  This was a mistake, for the spyware community took his opinions as fact causing Ad-Purge, and worse my website, to show up on many different blacklists and malware sites.

In 2008 I was forced to simply discontinue Ad-Purge in order to avoid being caught up in any more of these false accusations.  Eventually the false positives went away for the most part and business resumed as usual.  I continued to sell the private label version but made sure my customers could not repeat my mistakes.  In particular, I turned down many requests from my customers to make the demo version detect spyware but not remove it until the software was purchased in full.

Five Years Later

Recently, in 2013, I became aware that my website and business had extremely negative reviews on a crowd sourcing security website called Web of Trust (WOT).  Upon closer inspection I discovered that we had some good customer reviews but the vast majority listed us as a malware website!

Here is our current Web of Trust page:

I began by replying to each of the user reviews that cited malware and asking them to reevaluate their ratings.  They were helpful but reluctant to change their rating unless I had my software removed from various website reputation scanners, for example:

URL Void:
Virus Total:

These tools list scan results from various security software vendors.  If any of the vendors think your website is malicious then it is a bad sign. was listed by over 20 different vendors as being a distributor of malware.  When I contacted some of the vendors they made circular references: we can't take you off our list because you're listed on URL Void.  Obviously I couldn't get removed from URL Void without them first taking me off their list.

The Solution

What I had to do was track down every suspicious file or URL that was being tracked by these vendors, make sure it was actually safe, and use all of their false positive reporting tools to contact them individually.

I noticed when scanning my software executables that thought many of my programs written in Visual Basic 6, our older programming language, were spyware.  As a simple test I recompiled the software on an updated system, resigned our executables and installers, and uploaded the new copies to our website.  This took care of about 75% of the false positives.  I don't know what they were keying on, maybe an old VB6 .dll file, but I suspect that those files are used by potentially millions of applications written in the early 2000s that are also being falsely accused of being spyware.

Next, I went through all the URLs on our site that were flagged as malicious.  Many of them were old URLs that are not even in use, pointing to blank pages or error messages.  It seemed that many of the vendors never bothered to check what was actually at the URL they were condemning, they simply found it listed by other vendors and added it to their own database.

Armed with the knowledge that everything on my website was safe I began submitting false positive reports to the antivirus vendors.  Sometimes you have to sign up and post on a forum, sometimes there is a false positive submission form, and sometimes you have to download the company's product and register your email address (sketchy).

Most vendors removed the false positives right away, but many took no action or used more circular logic.  I wonder if they actually look at the content of files and URLs or they just crowd-source their definitions like I did... lesson learned.

When it came down to only 4 or 5 websites reporting malware I resolved to contact them every day, repeatedly, until they responded.

I have also been tracking down blog posts which list us as a malware distributor and leaving comments that explain what my company does.  A quick look at my website shows that my apps are highly rated on places like the Mac App Store and the Windows Store, meaning they have been scrutinized and vetted by companies who hopefully would never let malware into their systems.

Are My Customers Malicious?

I wonder how, after the 2008 incident, all this started up again and I suspect that I have a small number of customers who are actively using my rebranding services to create fake programs and distribute viruses with them.  I rebrand our software for other companies to sell, and I suspect that some of my customers must be modifying the executables after I deliver them.

I don't have a good way of knowing whether it is deliberate or not.  It's certainly possible that one of my customers had an infected computer, purchased clean software from me, downloaded it, it was infected on their computer, and then they tried to distribute it.  Obviously this is a bad practice and all software should be verified clean before distribution.

One sure indicator of a fraud is when I am paid hundreds of dollars for a product and the purchaser seems to take no interest in their final product's quality.  They will upload poor quality images even though my artist can create professional graphics for them for free.  Sometimes they provide URLs which are dead or point to an unregistered domain.  Then their payment will be charged back and I know the whole thing was a ruse.  Was this someone with malicious intent or just someone trying to use a stolen credit card?  Maybe both?  I don't know.

I've learned to spot those obvious cases, but I certainly can't tell a person's intentions from their normal transactions with me.  It is against our terms of service for our customers to do anything illegal with the software purchased from us, including distribute malware or engage in scamming.  The vast majority of my customers are people interested in making money with shareware or trying to offer a bonus product to their customers.  Having software with your name on it can impress clients, make your website more legitimate, create more sales for other products when packaged, etc.

I don't think it's up to me to judge people's intentions.  All I can really do is respond to any inquiries by anti-virus vendors.  

The number of anti-virus vendors who have contacted me in the past 10 years about my software or my customer's?  Zero.

In the end I simply decided to discontinue the anti-spyware product entirely.  I will continue to update the definitions database for the legitimate customers who vastly outnumber the potentially bad ones.

My Name Is Cleared, Kinda

Now, finally, I have been removed from every major website credibility reporting tool and most anti-virus vendors.  One vendor, AlienVault, responded to my technical support request with a phone call from a sales rep.  When I asked him if the support team knew how I could report a false positive he asked them and responded "They don't know but they're looking at like 7 monitors right now."  Ugh.

I have bookmarked my WebOfTrust, URLVoid and VirusTotal pages and intend to check them frequently.  If you have websites or distribute shareware I highly recommend you do the same.  These anti-virus vendors are not going to contact to you if your site or products get falsely accused.  And worse, if any false positives start making the rounds they are sure to be amplified by security vendors copying each other's records.  It's something that has to be stopped immediately or it spreads out of control.

Web of Trust currently reports that my website is trusted, but only barely.  My hope is that their users will reevaluate my website and change their scores.  I'm also going to start promoting Web of Trust on my website so that my actual customers can report their good experiences.  If you have a moment, I sure would appreciate a positive rating there:

Now, hopefully, I can get back to what I really love: writing apps!