Intro

Some of our customers noticed that Exterminate It! web site appeared at McAfee’s siteadvisor.com site and Web Of Trust mywot.com site. We checked this information and were surprised when found that our web site is marked as untrustworthy. So we decided to investigate this issue.

We reviewed comments that people leave at siteadvisor.com and mywot.com (surely useful) security sites. Most of these, who commented our web site, stated that it contains “malicious content, viruses” (mywot.com) or “adware, spyware, or viruses” (siteadvisor.com). We are absolutely sure that these people did not download or install Exterminate It! application to check its’ functionality. It seems that they even did not read what McAfee says about downloadable software that is hosted by and directly linked to from our web site.

Exterminate It! executable is safe!

Take a look at the “Download tests” section of the McAfee’s siteadvisor.com site. All downloads are green! They’ve checked 32(!) executable files from our web site. Most of them are different versions of Exterminate It! application. The conclusion is: “In our tests, we found downloads on this site were free of adware, spyware, and other potentially unwanted programs.” No comments…

Also, Exterminate It! is presented on many respectable distribution web sites like download.com or download.cnet.com, where software carefully checked prior to uploading.

False positives ? No!

A few people stated that Exterminate It! is malware because it makes false-positive detections. Well, using such logic, we can say that Kaspersky or Norton Antivirus are malware as well. Because ALL anti-spyware tools make false-positive detections periodically. Even the best of them. Unfortunately, false-positive detections are inevitable in our work.

What is false-positive detection? The term false positive is used when antimalware software wrongly classifies an innocuous file as a malware. The incorrect detection may be due to heuristics or to an incorrect malware signature in a database.

How false positives happen

Let’s see how that may happen. For example, if a trojan (call it TerribleTrojan) installs some Dynamic Link Library (call it aaa.dll) among other files, than during analysis aaa.dll will be treated as a part of that trojan and new entry will be added to the detection database. After that, if aaa.dll will be detected at another computer, then the user will be notified that its’ computer is infected with TerribleTrojan. But trojans are programs and they (like any program) can use absolutely harmless libraries and files for own purposes. If aaa.dll is harmless and legitimate, then such case will be treated as false-positive detection.

What will happen next? People, who knows that aaa.dll is harmless (for example, its’ developers), will notify us and aaa.dll will be removed from our detection database. That is how it works.

We suppose that people, who “blamed” Exterminate It! in false-positive detections cannot distinguish “false-positive detections” from “fake detections”. Fake detections is a tactics, which used by rogue anti-spyware to scare the user and force him to purchase the product. Rogue anti-malware “detects” non-existent items or creates files randomly and then detects them. Such items are showed to the user as trojans and spyware.

Exterminate It! reputation

Exterminate It! is presented on the market more than 2 years. It used by thousands of people. Exterminate It! can cope with spyware removal in many cases when other brand antivirus/antimalware cannot. Such results are not accessible with only “false-positive detections” and “fake detections”. Anyone, who used Exterminate It! software knows that.

We never used false-positive detections as a marketing tactics to boost sales. Even more, each customer, who does not satisfied with the Exterminate It! software, can get its money back.

Host-file.net issue

What else? Someone said that Exterminate It! web site is “rogue security, fake antivirus distribution site” because it is listed at hosts-file.net. The owner of the hosts-file.net listed our web site basing on its personal opinion after arguing on one of the anti-malware forums. He is alleged that our product is “rogue” because it does not have trial version. But, first of all, we can provide anyone with free one week trial code, i.e. anyone have possibility to check full Exterminate It! software functionality free of charge. Contact our support first. Furthermore, free trial version of the Exterminate It! software will be available soon in public. So, the reason of the listing is questionable.

Phishing? No!

Also, some comments blame Exterminate It! web site in phishing. It is an absolute nonsense! What is “phishing”? Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. But Exterminate It! web site does not process Credit Cards. All sales are made through the RegNow Affiliate Network. All payments are processed by the RegNow as well. RegNow is a big trustworthy and legitimate service provider. Even world’s leading multi-national companies with some of the Internet’s biggest brands use RegNow services. Exterminate It! web site does not collect any confidential or sensitive data, therefore phishing fraud is impossible. So, the people, who says about phishing regarding Exterminate It! web site are absolutely incompetent and do not understand what does it mean.

What other things make people alerted? They don’t like, for example, that exterminate-it.com domain name is registered with so called whois protection. Whois protection is a legitimate service provided by web hosting, which allows to hide personal details listed in the WHOIS database from the public eye and thus protects identity from any type of online/offline abuse. Everyday domain owner’s information is harvested by spammers from publicly available WHOIS database to send spam. We think that anyone has the right to protect own identity information such as E-mail address, phone number, mailing address, etc. This is not a crime. Many of respectable sites are protected by whois protection. On the contrary, criminals do not use whois protection – they just use false data for domains registration.

Conclusions

Well, it seems that we reviewed all most popular “sins” of our web site. Of course, we do not pay attention to the various funny statements like “Looks very suspicious!” :) If our web site looks “very suspicious”, than hundreds of millions web sites over the World look “very suspicious” as well.

Unfortunately, the reason of these attacks to Exterminate It! web site and Exterminate It! software are not understandable and cannot be rationally explained. Perhaps it may be some kind of paranoia, because so many malware and scams all around the Internet. But most likely the negative feedback is a result of unfair competition from our competitors. If it is so, then we proud that “big players” of the anti-spyware market consider us as a worthy competitors and a threat to their business. It means that we produce competitive, high quality software product.
We are trying to compete in natural way: by improving our product, integrating newer functionality and providing additional protection instead of using fake users to provide negative feedback.

Negative feedback could be generated by malware-creators, trying to protect their “children” at any cost.

If you installed Exterminate It! software and found it useful or if you are already our customer and satisfied with our product, then we ask you to visit siteadvisor.com and/or mywot.com sites and vote for exterminate-it.com web site.

Thank you

Note to other antimalware products creators
let’s compete in normal way: by improving our antimalware products, including newer functionality instead of using fake users to provide “negative” feedback.

Recently we discovered that Exterminate It! being detected by several antivirus / firewall products as Trojan-GameThief.Win32.Taworm.zt.

We received many complaints from our customers regarding this issue. Kaspersky, F-Secure and Zone Alarm are detecting us as trojan and blocking Exterminate It! execution.

We have contacted Kaspersky Virus Analyst Team and here is their response:

We would like to thank Kaspersky Analyst Team for fast reaction. Shortly Exterminate It! will be removed from their detection – stay updated.

False Positives happen very often in antimalware industry.
We inform companies that develop antimalware/antivirus software about these Exterminate It! False Detections.

If you found such False Positive Detection please let us know what antimalware/antivirus software you are using (specify the exact version and edition of the product).

Otherwise you can contact antimalware company by yourself. It would be great if you would describe your Exterminate It! – related experience in this message.

Some companies provide no-reaction to False Positives Inquiries. By this reaction you can understand the reasonability of using such antimalware products if their malware database actuality and cleanness are not maintained.

We would like to note that in Exterminate It! history our antimalware product erroneously being detected as “malware” (False Positive) by the following products under different names:

• Kaspersky (Trojan-GameThief.Win32.Taworm.zt)
• Avira (SPR/Fake.Exter.2)
• Jiangmin (TrojanDownloader.Delf.dwh)
• AntiVir (SPR/Fake.Exter.2)
• McAfee-GW-Edition (Riskware.Fake.Exter.2)
• CAT-QuickHeal (Trojan.Agent.ATV)
• AntiVir (SPR/Fake.Exter.2)
• eSafe (Win32.SPRFake.Exter)

Here are few examples of such detections on VirusTotal service:

link1 link2 link3

We guarantee that our software contains no malicious code. It is an entirely antimalware solution without any illegitimate functionality.

Here is 100% clean report from SoftPedia

As a temporary solution, you can disable any other antimalware software installed on your computer and report the incorrect detection/removal to the developers of these applications.

Also, you can add the Exterminate It! installation folder to the Ignore list (if this is supported by your antimalware suite)

A rootkit is a program or a set of programs designed to provide priveleged access to the computer system and, at the same time, to hide itself or it’s associated files from detection.

Historically, root kit tools appeared on Unix-like operating systems as programs that provided intruder with most privileged (root) access to the system. Today, rootkits exist for all most popular operating systems from Windows to Linux. Windows rootkits allow the attacker to gain most privileged access to the system.

Rootkits can be divided on kernel-mode and user-mode:

1. Kernel-mode rootkits replace or modify parts of the operating system or add code to the operating system. Usually, rootkits of that type are implemented as device drivers (Windows) or loadable kernel modules (Linux). Kernel-level rootkits obtain unrestricted access to all system resources and, as a matter of fact, became a part of an operating system. That is why kernel-mode rootkits are invisible for most anti-spyware and anti-virus applications. This is most dangerous and hard to remove type of rootkits. When you are trying to remove kernel-mode rootkits, you need to operate at the lowest system level. This should be done very carefully, because every wrong action can lead to system crash. Exterminate It! successfully works on this level.
2. User-mode rootkits intercept and replace system calls in order to protect themselves from detection and hide information about intruder. Such rootkits are implemented as dynamic link libraries (DLLs) on Windows operating system.
   User-mode rootkit hooking can be performed in different ways:
• DLLs (libraries with executable code) can be loaded to different processes and could act on their behalf.
• File / process patching can be used on disk or directly in memory.

Such rootkits could change behavior of regular applications.

Rootkits differ from other malicious software in their function. The main function of the rootkit is to maintain control over the infected computer system, hide itself and associated malware files and to provide access for the intruder.

Rootkit do not infect other programs like virus and it do not spread over the local network like worm. It hides from detecting software and keeps “doors open” for a malefactor, who can use infected system for malicious actions such as sending SPAM, DDoS attacks, information stealing, etc. However, a worm spreading over local area network or trojan disguised as legitimate software, may install rootkit on infected computer. Most recent infection sometimes are using combined approach when trojan installs the rootkit and afterward rootkit protects other trojans installed from the Internet.

Technically rootkit software is very complex. It can be developed only by highly qualified specialists, because a bug in such software (especially kernel-mode rootkits) may cause total system crash and make crashed system useless for malefactor’s needs. Also rootkit should effectively resist modern anti-malware scanners.

Due to their nature, rootkits are very hard to detect and even harder to remove. Re-installation of operating system only may help in some complex cases. But all is not so bad. Fortunately, some anti-malware applications already implemented anti-rootkit functionality and Exterminate It! is one of them.

Exterminate It! provides rootkit unhooking, direct disk scanning and removal techniques which are working in most cases. Also custom solutions can be provided in case of difficult rootkit infections. So you won’t be left alone in face of rootkit infection.

Note that this functionality is in beta now, but you already can turn it on on Exterminate It! Options page. Anti-rootkit functionality is available in activated Exterminate It! copies only.

Activation system is improved in this release. Deactivation issues caused by enabling / disabling network devices were fixed.

Antirootkit functionality is still under development, but new Beta version is already available in Exterminate It! and can be used in activated copies. Rootkit unhooking and hidden files search features were improved.

Several stability issues were fixed

What’s new:

• Files Removal Functionality – implemented rootkit-proof file removal;
• Direct Disk Scan for Rootkit Hidden Files functionality (beta);
• Added detailed Rootkit Driver Options;
• Added automatic missed OS version info uploading in order to improve Rootkit Unhooking functionality;
• Kernel Files Database Updated;
• Minor User Interface bug-fix and various UI improvements.

Right now we are working on improving our activation system to prevent software de-activation.

Also we are working on improving our own Antirootkit functionality. First parts includes:

• hidden files scan
• rootkit unhooking functionality