Some anti-spyware products may leave you no better off
Traditionally, anti-virus programs have provided protection from
malware - programs deliberately created to perform an unauthorised,
typically harmful, action. Viruses, worms and Trojans are all
obvious examples of malware.
But there are other ways for hackers, spammers and other
cybercriminals to harm users. Criminals can use non-viral, but
potentially hostile programs such as adware, riskware and pornware
to attack users or hijack their machines. Such programs can be
legitimate applications, but their potential for misuse means that
users increasingly see them as undesirable and want a means to
identify them.
This heterogeneous mix of programs gets lumped together under
the umbrella term 'spyware', but it is worth asking what exactly
spyware is. Is it a new phenomenon? How real is the threat and does
it justify the publicity given to it?
There is no industry standard definition of spyware, but nearly
all definitions include characteristics that apply to different
kinds of Trojans, including backdoor Trojans, Trojan proxies and
password-stealing Trojans. Such programs have been around for
almost 10 years, since the first AOL password stealers appeared,
although they were not called spyware at that time.
Many suppliers also include adware under the spyware umbrella.
Adware programs launch advertisements on infected machines and
redirect search engine results to promotional websites. They have
much in common with spam, although they do not arrive via
e-mail.
They do, however, waste bandwidth, raise potential HR and legal
problems and pose a threat to company confidentiality.
This leaves riskware and pornware. Although legitimate, riskware
can be misused by cybercriminals. One example is remote
administration utilities. The past few years have seen a fusion of
traditional virus techniques with those of hackers. In this
changing climate, riskware programs have come into their own as a
means of dropping viruses onto victim machines or as a means of
stealing data.
The same is true of pornware - malware-related programs that use
a computer's modem to connect to pornographic pay-to-view services
or download pornographic content from the web without the consent
of the user.
It is clear that there is a terminology problem here. The
various programs now often lumped together as spyware are not new
phenomena, although the use of the term 'spyware' is.
Although such programs are not new, their use for malicious
purposes has increased. Viruses were typically isolated acts of
cybervandalism: their aim was to spread to other discs or
programs, and only sometimes did they damage data on the infected
machine. They did not pose the broad threat to enterprises and
users that today's malware does.
So what has changed? As well as the convergence of virus writing
and hacking techniques, there has been a growing commercialisation
of malware. Malware does more things and affects systems in a much
wider sense than it did in the 1990s. Much of it is designed to
distribute spam, steal confidential data or co-ordinate distributed
denial of service attacks. The bad guys are now more intent on
making money or selling their technology to others to make money
and many spyware programs help them do so.
This has resulted in a greater focus on these programs, and there
has also been a growth in the number of standalone anti-spyware
products. One reason for the emergence of such products is the
ethical scruples of traditional anti-virus suppliers. Until the
late 1990s, malicious code could be clearly defined. This has
become much more difficult with some of the programs that fall
under the spyware umbrella.
How do you distinguish between legitimate remote administration
tools and a backdoor Trojan? Intent is the key factor, but it is
not so easy to draw this distinction in software.
Traditional anti-virus suppliers have always been justifiably
scrupulous about what they detected. If it could not be clearly
defined as a 'bad thing' that fell into one of the established
categories, they were reluctant to add it to their databases.
You may remember the heated debates about the Friend Greeting
application in 2002: this was effectively a spam utility that would
send itself to a user's contacts. Many system administrators
requested detection from their anti-virus suppliers, who were
hesitant about adding it to their databases. They did not want to
label a program as a worm or Trojan when it came with a clear
end-user licence agreement and required the user to opt in to its
marketing methods in advance. Dealing with such applications is
much less clear-cut than dealing with traditional threats.
Companies that have developed products to detect such programs
have no such historical baggage and have been more than happy to
add detection for the disparate array of programs now re-christened
as spyware. Faced with the growth of such programs, many system
administrators have bought into this because they perceive that
anti-virus suppliers do not deal with the threat and yet want the
means to block applications they know can do them harm.
But there is a clear gap between perception and reality. Many
people's perception is that traditional anti-virus suppliers do not
deal with spyware. The new kids on the block, by contrast,
dedicated specifically to detecting spyware, are seen as dealing
with these threats better. With some traditional anti-virus
suppliers reaching for their chequebooks to buy anti-spyware
companies, the myth has grown that anti-virus programs cannot
detect spyware.
The reality, of course, is that a number of anti-virus suppliers
have included detection of spyware programs for many years. The key
to understanding this reality is to reach into the spyware bag and
examine its contents more closely.
Once you realise it is filled with Trojans, adware, diallers,
remote administration tools and many other programs that can be
potentially misused, it becomes clear that detection has been
around for a while, although without the fanfare that now
accompanies spyware.
The key issue for anti-virus suppliers offering detection of
non-viral, potentially hostile programs is to call things by their
true name, and assure users they detect the threats that have been
dumped into the new spyware category.
David Emm is senior technology consultant, Kaspersky Lab UK
Kaspersky Lab can be found at InfoSecurity at stand number 550
www.kaspersky.co.uk