4 replies to this topic

[kirbyk]

I've been doing a little bit of research on the FunWebProducts toolbar for work (it's causing error messages in our logs). There's a lot of scattered information out there, but some stuff I've figured out that I couldn't easily find through google. I wanted to collect my findings somewhere that'll get archived.

You get it from several sources, but typically either the iWon.com searchbar or their Smiley toolbar. FunWebProducts.com will show you their applications. They claim it isn't spyware, because it isn't grabbing identifying information. But it _is_ sending them a record of every websearch you made, with your IP address. I don't know what they use it for.

What we see in our web logs are things like:

63.144.42.96 - - [17/May/2004:09:13:12 -0700] "GET
/calldetail/bellsouth?p=8283614550 HTTP/1.1" 200 3471 "-" "SURF"
63.144.42.96 - - [17/May/2004:09:13:14 -0700] "GET
/calldetail/bellsouth?p=8283614550 HTTP/1.1" 200 3471 "-" "Mozilla/4.0
(compatible; MSIE 5.5; Windows 98; FunWebProducts)"

What I notice is that every request from the browser (the one with the UserAgent containing FunWebProducts) also has an identical request from useragent "SURF". FunWebProducts is the user's browser. It downloads all the images and stylesheets and so forth. SURF, on the other hand, just loads the html for the user requested page, without images. This goes back to somewhere other than the user's web browser.

So, they have your IP Address, browser settings (probably no big deal), and the text of every web page you've visited (a more worrisome prospect.) This'll probably slow down your browsing, as you're requesting and downloading the text portion of every web page twice, and then retransmitting it somewhere. (Since it doesn't fetch images, though, it's not so bad unless you're looking at huge text files.)

It's worse news for webmasters, as if many users have this, the bandwidth increases are more noticable.

Also, if you're reading confidential webpages, like on a corporate internal site over a VPN, you could very well be leaking proprietary information to who knows where. Be very concerned if you handle anything you want to keep secret through the web.

I'd recommend users download the appropriate software to remove this product (it's difficult to remove, but there are numerous pages returned on a search for 'FunWebProducts spyware' on google that give help.) I'd also encourage any webmasters with proprietary documents or worried about bandwidth usage from the html part of their documents to ban the "SURF" user agent. (I don't know what the user experience is if the FunWebProducts half of the query is allowed but the spyware part is blocked. I don't really want to test this product on my system.)

Hope this helps! I hadn't previously seen any reports of the SURF user agent anywhere.

[Mike]

This goes back to somewhere other than the user's web browser.

Any idea where it's sending it?

[tbannist]

I'm not sure this a problem with FunWebBar. I've seen the mysterious "SURF" User Agent String immediately before the following: "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" This could be some IE spyware that's not related with FunWebBar or a broken download accelerator.

Of course it could be spyware that is included in FunWebBar but also spread through other dubious means too.

[just1time]

"But it _is_ sending them a record of every websearch you made, with your IP address. I don't know what they use it for."
I surmise that the company is interested in what you are searching for, in order to show a "targeted" ad based on the query. So if a person enters "new car", "cell phone", or "DVD"--the program will likely attempt to show related ads to this person/IP address, every chance it gets.

[Budfred]

"But it _is_ sending them a record of every websearch you made, with your IP address. I don't know what they use it for."
I surmise that the company is interested in what you are searching for, in order to show a "targeted" ad based on the query. So if a person enters "new car", "cell phone", or "DVD"--the program will likely attempt to show related ads to this person/IP address, every chance it gets.

This may still be true, but note that the last post to this topic was almost 4 years ago... We clearly classify them as malware these days...