Wednesday, April 27, 2005

Is Google Associated with a SearchMiracle Knock-Off?

Related Story: How to Remove Mirar Toolbar "It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log."


The Internet is changing the world in more ways than immediately meet the eye. The world has become a vastly more complex place as a result of it. What may seem wonderfully simple -- starting a blog, for example, or adding advertising to one's site -- is freighted with issues that only unfold with the passage of time.

This blog is hosted by Blogspot.com. Originally intended to be an arts and lit blog, an early posting/article about the spyware pest SearchMiracle/EliteBar was so popular, throughout the web, that it became known as an adware/spyware blog. It became so popular, in fact, that it seemed reasonable to include some unobtrusive Google Ads.

In February of 2003, Google bought the company that owned Blogspot blogs and it has since offered its bloggers a quick and easy way to contract for advertising revenues. The revenues are based upon the number of times the Google Ads on a site are clicked. The contract is a much simplified version of similar contracts signed between search engines and the companies that pay to advertise on them.

These decisions were made easier by the fact that I think very highly of Google. Its search engine is by far the best on the web. To "Google it" is common practice now for millions, myself very much included. The company's handling of its Initial Public Offering (IPO), while harrowing, suggested that its owners didn't want to be just another company -- that they wanted to be fairer and more responsible than most.

Of course, adware is, at base, an attempt to make greater profits through pay-per-click (or pay-per-display) advertising contracts. I was not unaware of the potential conflict between Obiter Dicta's role as a source of information and commentary on slash and burn pay-per-click Internet advertising and its relationship with Google Ads. But the risk seemed small. I accept the inevitable role of responsible advertising in developing the net. I draw my boundary lines at: stealth downloading of adware; downloads achieved through misleading or intentionally confusing a user; hijacking of start pages; disabling and altering a user's resident software (thus damaging private property); providing no effective means of uninstalling the software; and harvesting a user's private information (perhaps even to sell as a secondary income stream). I was being consistent.

The reader may imagine my curiosity when I began, while grazing HijackThis logs of computers infested with Enternet Media's SearchMiracle/EliteBar, to notice a new listing: another pseudo search page: http://ny.contentmatch.net/. The listing seems to have begun appearing in numerous SearchMiracle-related logs in March of this year (2005).

The page is yet another front page represeting itself as an information directory while doing nothing more than inserting canned search terms into a search engine. The directory even looks suspiciously like the SearchMiracle and YupSearch directories. It is the target of another Browser Helper Object (BHO), this one referred to as the "Mirar Toolbar". Like SearchMiracle, it has more than one directory page fronting on the same search engine.: http://awbeta.net-nucleus.com/ being another. In the modern world, success breeds... well... knock-offs.

Again, after the fashion in these matters, the home page for Mirar, http://www.getmirar.com/, was notably unhelpful. It contained nothing more than a bright photo spread, a link to a toolbar download and a generic e-mail contact address. Of course, people very rarely download from these home pages so there is no link to a EULA and no descriptive information about Mirar's wonderful product. There is a link to an uninstall page which begins by offering the reader a number of "free gifts," for which the user must register, and refuses to allow him or her to proceed until at least one is chosen. While there may be a means to uninstall, the user who tries this route must traverse a labyrinth in order to get to it.

After considerable searching, I discovered that there was, indeed, a EULA for the Mirar Toolbar. It is located at http://policy.getmirar.com/EULA.html. The link from the Mirar homepage -- or to any page for that matter -- seems to have been forgotten.

The EULA provides information required by the laws of most civilized countries. The reader learns that Mirar is the product of a company called Net Nucleus based out of Toronto, Ontario. Until about a week ago, it included a statement of Net Nucleus's relationship with a company called WhenU:


By downloading the Software, you will also automatically receive a bundled software product called SaveNow and SearchBar, proprietary software products of WhenU.com Inc. (“WhenU”). By clicking on the “I Accept” or “Yes” button, you are also consenting to the terms of the license granted by WhenU, which are provided below.
WhenU is infamous for any number of reasons not the least of which is having briefly been removed from both the Google and Yahoo search engines [story] for engaging in a practice called cloaking. It has been accused, by malware watchdog Ben Edelman, of failing to obey its own privacy policy [details]. While it denied the allegations, it changed its policy to more accurately reflect that fact that it collects users' personal information:


As described in WhenU's Response, WhenU changed its privacy policy subsequent to the posting of this research. In particular, WhenU revised the privacy policy posted on some pages of its public web sites, but failed to revise other pages, and failed to revise the privacy policy and other privacy promises embedded within WhenU software installers.

It is not clear whether a relationship continues between the two companies.

Both WhenU and Mirar Toolbar often bundle their product with third party software. Mirar is widely reputed to utilize stealth downloads. This may also be what is meant by Symantec's vague warning that:


It will also attempt to download and install the Mirar toolbar from a predetermined Web site.

Mirar's recent habit of appearing in HijackThis logs infested with SearchMiracle/EliteBar, known to stealth download via malicious Java Scripts, suggests the possibility that it has expanded its old bundling approach.

In the open, as it were, where it is not camouflaged by being a small part of a big bundled infection, the Mirar Toolbar tends to be described as in the following letter to the InfoPackets Newsletter (May 2004):


Gazette Reader 'SweetImage' writes: " Dennis is there any way to get rid of the Mirar toolbar once and for all? I have searched sites where I have found loads of people having the same problem. I have used at least 8 different Adware-blocking programs to remove the toolbar from my system, but none of them can get rid of this rotten thing! Mirar support has not answered my emails and I am going absolutely crazy trying to remove it from my system. I cannot use the Windows System Restore because it won't allow me to roll back (except for today's date) -- and furthermore, Dell can't help me. Am I stuck with this toolbar? I don't even know where it came from! Thank you very much if you can help! "

Such is the sound of yet another satisfied customer.

All of this said, this would be just another sad but all too familiar story if it weren't for one fact. The surprise of this story comes when a visitor to http://ny.contentmatch.net/ or http://awbeta.net-nucleus.com/ clicks on one of the canned search engine terms only to find that the Mirar directory, to which it forcibly redirects a user's browser, is a portal to the Google Search Engine.

Of course, these directories are uniformly created as a source of advertising revenue. A question begs the asking: How does NetNucleus generate revenue from its Mirar search directory if it enters search terms in the Google Search Engine? Put more directly: Does Google have a business relationship with NetNucleus -- a company widely reputed to use stealth downloads and that recently shows up with alarming frequency in HijackThis logs together with software utilizing startpage trojans to install spyware -- to enhance advertising revenues from its search engine?

I, for one, will be pleased to learn that there is no such relationship, that there is another explanation and that Mirar will be required to cease its practice of downloading (stealthily or otherwise) portals to the Google Search Engine. Also that my tiny part in the Google empire will not be considered to be the actual bad business arrangement. It seems that starting a blog is not so wonderfully simple as it would appear. It is only natural to experience some amount of anxiety over the vast interconnectedness that threatens to leave us all subject to situations that seem beyond our ability to foresee. In light of the many issues this article touches upon, the question can only be asked: For all of the potential of it, just how real is this electronic democracy? How real can it remain?



Also See:
  • Sunbelt Tangles with NetNucleus (February 7, 2007). NetNucleus, purveyor of the Mirar Toolbar, threatens to sue Sunbelt Software for labeling it's product "Adware". Sunbelt replies with a devastating overview of Mirar's stealth installation methods (and more).
  • How to Remove Mirar Toolbar "It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log."
  • Adware & Malware Identifier Index (May 9, 2005). "The following is an in-progress index of some of the more common malware toolbars/browser helper objects at large on the Internet."
  • Online Bibliography (Regularly updated). A bibliography of Gilbert Wesley Purdy's work on the Web and elsewhere including computer topics.

No comments: