
Open Letter to Software Developers: Mind Your CLSIDs

by Jan Hertsens

From time to time, we are contacted by software developers with something along the lines of "You are detecting our legitimate software as a spyware program, fix this at once!".

The Problem

  • Some legitimate programs are using the same "CLSID" as known spyware or adware programs.
  • Many anti-spyware programs use a "blacklist" of CLSIDs in their detections.
  • This causes the legitimate program to be identified as a suspect component, causing confusion for the users and anger for the authors.

The Cause

There are various "toolkits" on the market that allow developers to quickly create BHOs and toolbars, and which even include sample code, CLSID included. Many developers, both legitimate and illegitimate, use this sample code in their own application without changing the CLSID. Any new component should have its own CLSID. Failure to generate a new one is poor programming practice on the side of the developer.

Why This is Bad

The Windows system uses the CLSID as a unique identifier in the registry, to look up which "module" should be used with which program. Microsoft (rightfully) insists that each module should have its own CLSID. What happens if program A uses the same CLSID as the program B you just created?
  • Program B breaks Microsoft requirements. You might shrug this off, but it can impact any "logo certification" afterwards.
  • If a user happens to have both A and B installed on the same machine (remember that adware and spyware are rampant, so if A is aggressive, it will probably be installed before B), then the Windows function to look up the module will fail. What the end result will be is undefined. Windows might launch either A or B or none or both or croak in another way. Rest assured that it will cause havoc on the user's machine, in the worst possible way (remember Murphy?). It also becomes a real pain to do customer support on this problem, because of the unpredictable behaviour. In short, you are breaking the user's installation.
  • If program A is a spyware or adware, its CLSID will be included in lots of online databases, message boards and spyware scanners. If you press hard enough (making yourself extremely unpopular in the process) you might get one or two anti-spyware vendors to remove it (this would decrease their chances of finding adware and spyware), but you will never succeed in removing all references to your CLSID from the Internet. Message boards, forum posts, usenet groups and Google caches all have a really long memory. If any user does a Google search on the CLSID you are using and sees that it was used by some questionable program in the past, the user will not question the relevance of this post, or the date it was made, or in what context. The user will delete your program as fast as possible. You really don't want any possible association between your program and any spyware, adware or general malware!
  • It makes you look sloppy! Personally, if I see that software B is using a duplicate CLSID, I think: "This is a developer that does copy&paste development, doesn't read the docs and hence does not know what he is doing. I should think twice before running this software, because who knows what else is wrong". Will your users think otherwise?

The solution

  • Read the Microsoft documentation
  • Create a fresh GUID using your favorite means of invoking the CoCreateGuid API (e.g. running GUIDGEN.EXE or UUIDGEN.EXE, calling Guid.NewGuid from managed code, etc.)
  • Recompile your application and distribute the new version
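As an added example (not code from the original article or from SpywareGuide), the following script covers both the collision problem described above and the fix: it parses the .reg registration text of several components, reports every CLSID claimed by more than one of them, and mints a replacement the way Guid.NewGuid / CoCreateGuid would (a random version 4 GUID in registry brace format). All CLSIDs, vendor names and DLL paths in it are constructed placeholders.

```python
"""Detect CLSID collisions between component registrations and mint a fresh CLSID.
Added example; all CLSIDs, names and paths are constructed placeholders."""
import re
import uuid

# Matches a key line such as [HKEY_CLASSES_ROOT\CLSID\{...}] or its InprocServer32 subkey.
CLSID_KEY_RE = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})")

def clsids_in(reg_text):
    """Return the set of CLSIDs (uppercased, braces kept) registered in a .reg export."""
    found = set()
    for line in reg_text.splitlines():
        m = CLSID_KEY_RE.match(line.strip())
        if m:
            found.add(m.group(1).upper())
    return found

def find_collisions(registrations):
    """registrations: {component name: .reg text}.
    Returns {clsid: sorted component names} for every CLSID claimed by two or more."""
    owners = {}
    for name, text in registrations.items():
        for clsid in clsids_in(text):
            owners.setdefault(clsid, set()).add(name)
    return {c: sorted(n) for c, n in owners.items() if len(n) > 1}

def fresh_clsid():
    """A new random (version 4) GUID in registry brace format, as Guid.NewGuid produces."""
    return "{%s}" % str(uuid.uuid4()).upper()

# Constructed sample: VendorB shipped the toolkit's sample CLSID unchanged.
TOOLKIT_SAMPLE = r"""[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Sample BHO"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\AdwareA\\a.dll"
"""
VENDOR_B = r"""[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Vendor B Toolbar"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\VendorB\\b.dll"
[HKEY_CLASSES_ROOT\CLSID\{66666666-7777-8888-9999-AAAAAAAAAAAA}\InprocServer32]
@="C:\\Program Files\\VendorB\\helper.dll"
"""

if __name__ == "__main__":
    clashes = find_collisions({"AdwareA": TOOLKIT_SAMPLE, "VendorB": VENDOR_B})
    for clsid, names in clashes.items():
        print("CLSID", clsid, "is claimed by:", ", ".join(names))
        print("  replace it in your component with", fresh_clsid())
```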

What doesn't work

Acting as if nothing has happened

This will cause trouble for you and your software in the future. The more popular your product gets, the more time and money you will spend on resolving these issues.

Saying: "This happened by accident. I got the same CLSID by chance"

Not only is this irrelevant, it is also extremely hard to believe. While I take most Microsoft claims with a healthy dose of salt, their algorithm for the generation of unique IDs seems quite solid. In view of this and the large "keyspace" a CLSID has, the claim is about as credible as saying "I won the lottery 3 times in a row, without cheating".

Trying to force anti-spyware authors to change their detections

Not only will this not work (see the reasons above: you cannot retract a statement once it is published on the Internet), but you can be sure that word will get out about your actions, showing you "bullying anti-spyware authors" and reinforcing the suspicion of a link with the questionable behaviors themselves (see above).

Saying: "We used the CLSID first, THEY stole it from us!"

Cases like this have been known to happen, so you have my sympathy. However, I can only advise you to bite the bullet and go for the solution above. Getting the illegitimate authors to change their CLSID (if you can even find them) will be as much fun as convincing a bank robber to wipe his feet before entering the bank. A CLSID is supposed to be a random number, without any specific functionality, so don't get too attached to it. The pain of the problems above will be much bigger.

Unless otherwise noted this article is Copyright © 2021 by FaceTime Communications, Inc. This article may not be resold, reprinted, or redistributed for compensation of any kind without prior written permission from FaceTime Communications, Inc. For reprint or media inquiries please contact us with the phrase "Spyware Guide Articles" in the subject line and we will be happy to assist you. Links to this article from other websites are appreciated and encouraged. Users are also encouraged to utilize our RSS system to provide unique content and extracts for their site.
