An almighty row has broken out in the security market after web and mail security firm GFI Software put branded toolbar software player Zugo Ltd on its list of the top 10 malware infections for June, as we reported on Monday. GFI said Zugo was the second most detected malware threat last month, at 2.37% of all detections.
The news prompted an angry response from Zugo Ltd, with spokesman and QA Engineer Naresh Yeluri accusing CBR of making a "big mistake" and asking for a retraction of our original story. "Be aware that Zugo does not host any adware, malware, trojans or viruses, therefore offers no harm to any computer," he said. "We ask you to correct the story as soon as possible."
However, GFI Software – which says its top 10 malware list is compiled from collected scan data of tens of thousands of GFI VIPRE Antivirus customers who are part of GFI’s ThreatNet threat tracking system – stands by its assertion that Zugo’s toolbar should be included on a list of malware risks.
Eric Howes, GFI Labs Spyware Research Manager, said: "The reason Zugo is on the list is that for the past nine months to a year they have continued to mislead users with stealth installs, deception, and even through fraudulent installs."
Howes conceded that Zugo’s toolbar in itself is not adware, but that the manner of its distribution means it should be considered malware. "We don’t categorise it as adware," he said. "The software, in isolation, is innocuous. But the problem lies with their large affiliates programme, which can cause our customers to wind up with their software on their computer whether they wanted it or not."
Zugo’s Yeluri insisted that the firm’s software should not be on GFI’s list, adding: "Our software enriches the value to the users’ browser by installing a toolbar and search changes with users’ consent. Zugo provides innovative search based products that deliver clear monetization solutions for online publishers, content owners and distributors."
But GFI’s Howes said that his organization has detected what he called ‘Russkranian’ gangs from Russia or the Ukraine, acting as Zugo affiliates and tricking people into downloading the Zugo software. "They get paid up to $1.50 per install so they have every incentive to do as many installations as possible," he said. "Stealth or deceptive installs are malicious – it’s malware – even if the software itself is not adware or a virus."
Howes said an example of a stealth install might be a landing page telling a user that they need a particular codec installed in order to view a video (often pornographic). "But there’s no codec and the user still doesn’t see the video," said Howes. "Our customers are relying on us to tell them what is legitimate and what is not legitimate."
Howes confirmed that Zugo has complained directly to GFI Software about its inclusion on the list of malware threats, and that, "Their response is that they are making serious efforts to get their affiliates’ acts cleaned up, and I do take them seriously in this, but there are so many affiliates out there running wild on things like Facebook that it’s a haven for these kinds of [stealth] installs."
Howes said stealth and fraudulent installs are rife on Facebook and other social networking sites, as they also try to give the installation some kind of legitimacy by saying that one of your ‘friends’ has recently downloaded it, looked at a similar picture or story, ‘liked’ it and so on. "Facebook is a bit of a minefield for this sort of thing with Facebook worms, posts on ‘walls’, recommendations that appear to be coming from friends and worse," said Howes.
Zugo’s Yeluri said: "Naturally we are extremely concerned by this detection and I would like to assure you that our platform does not host any malware/adware and that it poses no threat to anyone’s computer."
Please follow this author on twitter: www.twitter.com/jasonstamper