Read the EULA.... No, Really Read It

Published: June 13, 2007

By Jeff Williams, CIPP CISSP

See other Security Tip of the Month columns

Those who know me and my views on privacy might describe me as “detail oriented,” if they were being polite. I’m the type of person who reads every word of every End User License Agreement (EULA) and privacy statement before deciding if I want to take part in whatever service or application it is. On several occasions, I have made data access requests to firms that I do business with in accordance with their privacy statement in order to see what information about me they have collected and to address any errors. I am also quick to drop a service provider when they change the terms of the agreement in a manner that doesn’t align with my personal views, if there is no way to opt out and still enjoy the service. At the same time, however, I do recognize that in most cases where I provide personal or demographic information about myself it is part of the “horse trade” that brings me the service I want at a more reasonable price than it might be without that data sharing. I try to be pragmatic in this regard, but I also try to ensure that any decision I make is an informed decision.

But, I’m not like many people in this regard.

Like many in the security field, I get to support friends, family, and neighbors when they find their computers infected. I’ve minimized the frequency of this by making sure they stay up to date on patches, run up-to-date anti-malware software, and so on. From time to time, however, even that is not enough. A recent clean-up visit illustrates what I’m going to consider a worst case scenario (though I’m sure the bad guys are working on a scenario that’s even worse even as I say this—it’s what they do).

I donated my time in an auction to do maintenance on all of the computers in the winning bidder’s home, to ensure that they were up to date and free from potentially unwanted software and viruses. I expected that there would be folks who would really appreciate this, but I had no idea that the “winner” would get to spend so much time with me.

Only one machine in their house had any significant issues but—wow. The notebook belonged to the family’s teenage son. He mentioned that his friends complained about how slow Internet access was when they used his computer. He wasn’t running any anti-malware software and wasn’t up to date on security updates. The machine’s performance was so bad that the boot took nearly 15 minutes and accessing the Internet (with the intent of running an online scan at was all but impossible.

As I looked at what software was installed I would regularly ask what some of the items were: P2P applications, social network tools, and a variety of other “freeware.” He couldn’t remember where he picked most of them up saying that he downloads a lot of software that he finds or that his friends use. I could see the link light on his network card lit up continuously immediately after the boot. I wanted to find out what traffic was associated with which application, so I installed Port Reporter and its PR-Parser companion tool. Some of the traffic was coming from the P2P applications, but even after disabling them temporarily, the Internet was still unusable.

After some fun with Process Explorer and a couple of other tools, I was able to identify several name-shifting binaries responsible for the traffic and suspend them, which enabled me to run the online scan I had intended to run as my first step. Seventeen pieces of malware and potentially unwanted software were removed in the end, including multiple downloaders, adware, bots, and a password-stealing Trojan.

After identifying the password stealer’s process (whose name was remarkably similar to a legitimate system file likely to avoid detection during casual review), I went back to PR Parser and noted that the process in question had had a connection to an IP address that WHOIS showed to be in another country. A Reverse IP lookup showed domains on that IP which suggested the owner probably didn’t have the best of intentions. We don’t know what precisely was sent to that IP address, but a review of the technical description of the Trojan in the Microsoft Malware Protection Center encyclopedia showed that it had the capability to steal a variety of IM client credentials and other information. Clearly, it was time for my young charge to change some passwords as a precaution. As it turned out, it was more than just IM passwords he ended up changing. You see, he had chosen—for simplicity—to use the same password everywhere he had an account: IM, social networking, e-mail, and even his bank’s online account access.

I took the opportunity to deliver some education on safe computing practices, which led to a discussion of the various freeware on the box. As we went through each item to find out if it was something he used and cared to keep or was open to removing it, we found several applications he wanted to keep. As a courtesy I pulled copies of the license agreements for review and on one of them I found some very interesting terms of service. Although it did not surprise me that this software came bundled with a number of the items found by our online scan—adware and other potentially unwanted software—I was a bit surprised by the brazenness of some of the conditions outlined in the EULA, such as the following embedded in a game installer’s Terms and Conditions.


And from the EULA of the first “value-added component” of the bundle:

(Y)ou acknowledge that you are aware of security and privacy limitations including without limitation: (i) the limitation of security, privacy and authentication measures and features in the Service; and (ii) that data and information on the Service may be subject to eavesdropping, forgery, spamming, tampering, breaking passwords, harassment, fraud, electronic trespassing, hacking, and system contamination, including without limitation, viruses, worms, and Trojan horses, causing unauthorized, damaging or harmful access and/or retrieval of information or data on your computer or other security or privacy hazards. If you do not wish to be subjected to these risks, you are advised not to use the Software or the Service.

A bit later in the EULA they are polite enough to warn you that “(t)here are inherent dangers in the use of any software available for downloading on the Internet, and Company cautions you to make sure that you completely understand the potential risks before downloading any of the (software).” At least on this point we can agree. They continue by stating that your privacy is important to them and you should also read their privacy statement. Unfortunately, no link is provided, but with a bit of research we find that while they don’t intend to collect personal data they probably will, that they will share this information broadly with other interested parties, they don’t protect any of the data in transit, and they can change their privacy policy at any time by updating their Web site (to which, again, they didn’t provide him with a link).

There’s plenty more like that, but I think you will see that all the harms suffered by him were clearly spelled out: we’re going to allow you to be infected, once you are infected people will eavesdrop on your communications, spam from your computer, crack your passwords, bombard you with pop-ups, hack your systems, infect you with more malware, and maybe also steal or destroy your data but probably after they’ve passed it around to some friends whom they don’t identify. That’s a fair trade for some games, right?

Some of you may be wondering why I would recount this tale to readers who are predominantly IT professionals. It is because this could be happening to the customers you support now and the impact could be much more significant. The password-stealing Trojan could easily have compromised corporate credentials if they matched those credentials used to remotely access your corporate network. With the compromised credentials, the attacker could access the corporate network appearing to be a legitimate user, perhaps even using a proxy dropped on the originally infected computer so as to appear to have a local and expected IP address. E-mail accessed online in a compromised account might contain business documents that should not have been sent outside the corporation but were sent by users to themselves for a bit of late-night reading. That same e-mail account or an IM account could include discussions about various projects going on or, in more extreme cases, customer data that should have been protected as personally identifiable information. If any of the malware had the ability to infect removable media, that removable media could have been carried in to your network, bypassing any protections prior to the host computer. In such a scenario, one or more hosts in your network might also become infected, allowing the attacker to steal more credentials and continue the cycle. Alternately, the same software might be downloaded by the same person inside of your network as they downloaded at home.

The moral of this tale is that data protection policies need to be well thought out and be considerate not only of systems in direct control of the business but also toward protecting the credentials by which employees can access those systems remotely. Policies should also define clearly the software and hardware that are permissible on systems used to connect to the network (even in a case where they are not corporate assets), that systems should be current on security updates both for the operating system and for all applications and that up-to-date anti-malware software is essential.

Beyond policy, though, awareness is a key element to the protection of data in your business. I hope this article has expanded yours by looking a bit more broadly at the threats we face every day and that you are able to leverage the information presented here with the people that you support so that you can get home in time for dinner.

Jeff Williams, CIPP CISSP is a Director in Microsoft’s Malware Protection Center. You can send your questions or comments to Jeff by email at .