ZoneAlarm marketing alert mirrors RogueAV causing confusion

by Steve Ragan - Sep 21 2010, 07:44

A pop-up alert greeting users of Checkpoint Software’s ZoneAlarm Free Firewall over the weekend caused some rage, as users genuinely thought they were infected by a variant of the Zeus family of Malware. As it turns out, the pop-up was just an advertisement, but it is the look and feel of the warning driving the complaints.

As seen in the header image above, the pop-up comes off as a warning similar to those displayed by Rogue anti-Virus applications. While clearly marked as an alert, the wording explains that “ZeuS.Zbot.aoaq” is a Trojan that targets banking and financial data, and that the ZoneAlarm Free Firewall cannot block the threat.

However, the wording and overall look of the advertisement is what set some Checkpoint customers off. First, the wording of the pop-up will catch the attention of anyone who has ever used a computer to perform banking functions. If that was the goal for Checkpoint’s marketing team, then it surely worked.

Yet, there is no way to tell how many users assumed they were infected and panicked. Likewise, there is no way to tell how many people purchased the discounted ZoneAlarm Internet Security out of fear alone. This is because the way the pop-up appeared, and the overall look of the warning itself, mirrored the tactics used by many common Rogue anti-Virus applications.

At the same time, this may impact Checkpoint on another level, as many users who are unaware of how a Firewall works might incorrectly assume ZoneAlarm is a shoddy product. It’s known that fear will push sales. You see this in the security market all the time. Still, is the reputation hit worth it?

The advertisement seems to hint that a firewall would block Trojans like Zeus, which is simply not the case. Firewalls do not block Malware, they are there to block or filter traffic.

Some vendors in the security space augment their built-in Firewalls with technology that looks at traffic, preventing malicious downloads or malicious hosts, but that is the software itself doing the work, not a Firewall alone. Software-based Firewalls are an excellent layer of security on a computer, but they are a single layer only, and the pop-up from Checkpoint seems to imply otherwise.

We asked for comment, and Checkpoint emailed the following statement to us earlier this afternoon.

“The popup message in ZoneAlarm Free Firewall was intended as an alert to a virus our technology discovered. We wanted to proactively let our users know that ZoneAlarm Free Firewall and other AV products do not fully protect from this virus. It was never our intent to lead customers to believe they have a virus on their computer.”

“This was purely an informative message about a legitimate and serious virus that also included information about the differences in protection of various products, and how to get protection against it. ZoneAlarm is committed to providing our customers with the best protection and considers it our job to proactively alert users whenever a potential risk is looming rather than wait for the damage to be done,” the statement concluded.

The aforementioned comparison is the landing page a user is directed to when clicking either one of the options in the pop-up. Seen fully here, the image below is a screen capture from the comparison table.

 

 

The landing page explains that Zeus has infected millions of PCs and it often comes from unauthorized downloads online, adding a note that because it changes form rapidly, it is rarely detected by anti-Virus. In their listing Checkpoint uses Norton, Trend Micro, AVG Free, Avast Free, and Avira Free as examples of anti-Virus software that fail to detect Zeus.

The testing came from Virus Total, a site known to security researchers and vendors as a single location where Malware samples can be tested for detection rates. Even criminals use Virus Total as a means to ensure that their payloads can remain hidden.

What the landing page fails to mention is that these results can be a double edge sword. Sometimes, when Virus Total reports a small number of detections in their anti-Virus listings, it could mean a false positive.

Yet, the idea that the listed vendors can’t detect Zeus using signatures or other methods, such as behavioral and heuristic monitoring, is misleading. The mention of Virus Total testing seems to steer the user into assuming that a Firewall should block Malware such as Zeus, when, as mentioned, it shouldn’t.

While those familiar with security software understand what Checkpoint did, the layman who is only vaguely aware of what was happening is the user many security and IT professionals are defending. Oddly, the layman was the intended prospect from the looks of things.

[See the Checkpoint forum topic on this issue here.]

ZoneAlarm has had many changes over the years, and is still a solid layer of security on a system, but the Firewall will only examine traffic, it cannot detect and remove Malware.

Checkpoint has a right to up-sell free users, and they are not the only vendor to do so. Every vendor who offers a free security product to the marketplace will advertise and encourage users to upgrade to a commercial version. The issue here is how the advertisement was delivered.

We asked if Checkpoint will continue to use these types of advertisements, but we’ve not heard back from them as of yet. We’ll update once we do.

What do you think? Was Checkpoint in the wrong for delivering an advertisement such as this one? Leave a comment and let us know.

[Hats off to John Leyden at The Register for breaking the story, also a nod should be given to AvinashR on the Wilders Security Forums for posting the pop-up image.]

 

 

Around the Web

comments powered by Disqus