Your Spycar Ran Over My Dogma
Anti-spyware company Webroot released a report yesterday stating that the rate of spyware infections soared in the first quarter of 2006, infecting an estimated 87 percent of consumers' PCs with an average of 34 pieces of spyware per machine.
Now, there is no doubt that spyware (and, more apropos of the numbers above, adware) is a persistent and pernicious security problem that makes computing miserable for many consumers. There also is ample evidence that, as the report notes, stealthy Trojan horse programs designed to record what you type on your keyboard are a growing and potent threat. Check out Kaspersky Lab's latest top 20 online threats list and you will see that more than half -- and nearly all of the top 10 -- are Trojans that download keystroke loggers.
Still, I had a little trouble swallowing Webroot's infections-per-PC numbers. Turns out they count tracking cookies when estimating the number of spyware infections for each machine. Tracking cookies can be misused, but a cookie is just a text record the browser stores and hands back to a site: it can't run code, and deleting it ends the tracking. That can't really hold a candle to keystroke loggers or adware like Vx2 from Direct Revenue/A Better Internet, which can be such a pain to remove that most people find it more worthwhile to simply back up their data and reinstall the operating system.
Webroot said they didn't break down their stats by type of spyware, and so could not tell me how much of that per-PC average was cookie-related, but I'm guessing it's a fairly high percentage.
The other thing that bugged me was the following claim from Webroot's report:
"Security analysts blame this increasing infection rate on the adoption of free anti-spyware programs that use outdated technology and don't provide immediate threat definitions to combat against new and emerging threats. To guard against new spyware programs, home computer users must use an anti-spyware program with frequent definition updates and engines that are capable of removing the toughest spyware from deep within the operating system. Unfortunately, users who only install free anti-spyware programs do not get access to frequently updated definitions and versions."
I have always pointed Security Fix readers toward free anti-spyware tools, in part because I haven't had time to try out all of the various commercial programs. I must confess that until today I had not tried Webroot's "SpySweeper" software either, but I know some people who recently tested its mettle against the enterprise versions of programs that also come in free consumer editions, and they found it to be only marginally better at spotting new threats.
Tom Liston and Ed Skoudis, both of Washington-based security consultancy Intelguardians, this week released the results of testing how well seven enterprise-level anti-spyware products fared in detecting and preventing attacks based on the types of changes the spyware tries to make to the system.
For their tests, Liston and Skoudis created a suite of tools they named "Spycar" -- basically, a set of harmless proof-of-concept spyware attacks, like changing various "Internet Options" settings in Microsoft's Internet Explorer browser or modifying the Windows "hosts" file. The hosts file is a plain text file that maps host names to IP addresses, and Windows consults it before asking DNS, so a single added line can point a security vendor's update server at a dead address or send the victim's Web browser traffic to an advertising site; some types of spyware manipulate it for exactly those reasons.
The duo also tested whether the anti-spyware applications blocked changes to the default home and search pages in IE and Firefox, as well as the removal of most security and privacy options in IE. Skoudis and Liston found that Webroot's SpySweeper and the enterprise version of Ad-Aware fared about the same in detecting certain spyware-like behaviors, catching some, but failing to catch most of the 25 sample attacks these two guys threw at them.
But wait a second: We said the Spycar report looked at enterprise-level anti-spyware tools, not the versions typically used by consumers on home PCs. Why should home users care about the performance of anti-spyware tools geared toward businesses? Here's what Skoudis and Liston had to say on that front:
"Most of the vendors whose enterprise products we tested also market a consumer-grade anti-spyware product. In fact, most enterprise anti-spyware tools are repackaged consumer products, with a management front end. At the outset of our testing, we expected that the enterprise tools would offer at least the same level of protection as the consumer products, but we were wrong. In every case where a vendor supported behavior-based detection, the enterprise tool was far weaker by default than the consumer product. Vendors told us they feared breaking corporate applications, and thus purposely dumbed down their protection for enterprise customers." Ah, the danger of false positives.
Interesting. But what about Webroot's claims regarding free anti-spyware software? I decided to find out for myself and pit the consumer version of SpySweeper against several other free programs to see how they fared against Spycar (kudos to Webroot for sending me a trial version so that I could run this test). The other tools I tested were Ad-Aware SE Personal, Microsoft's Windows Defender program, and Javacool Software's SpywareBlaster.
In all, SpySweeper fared pretty well, mainly because the free tools did so miserably. SpySweeper successfully blocked Spycar's attempts to change the Windows hosts file, and thwarted changes to IE's home and search pages. However, the program failed to defend the Windows registry -- spyware programs add entries to autostart locations such as the "Run" keys to ensure they start up whenever an infected PC is restarted -- in two out of five of the Spycar suite's attempts to change it.
SpySweeper did not prevent any attacks on other IE settings: for instance, Spycar was able to remove every single feature tab in IE's "Internet Options" menu, including the "Security," "Privacy," and "Advanced" tabs. It was pretty eerie watching those tabs just disappear one by one. Those tabs vanish because of policy values written to the registry, the same ones a corporate administrator would use to lock down IE, so whatever settings sit behind them stay in force while the user loses any way to see or reset them. Should a piece of spyware make changes to settings in those tabs prior to removing them, the average user would be pretty helpless to know what to do next.
Windows Defender stopped one of Spycar's attempts to change the registry, but allowed the others. It also failed to stop any of the other 11 attacks in the Spycar suite, and its "real-time protection" happily allowed all of the changes to IE settings -- including modifications to IE's default home and search pages. Windows Defender also stood idly by while Spycar made additions to the Windows hosts file, which I found pretty disturbing.
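As an added example that is not part of the original post, nor code from the Spycar authors or from Webroot, here is a read-only PowerShell audit of the settings Spycar tampers with: the hosts file, the Run/RunOnce autostart keys, IE's home and search pages, the policy values that hide Internet Options tabs or the whole dialog, and Firefox's home page. The registry paths for the IE tab and menu policies are the documented Group Policy locations; the list of vendor and update domains to watch for in the hosts file, the function name and the output format are my own assumptions.

```powershell
# Added example (not from the original post, Webroot, or the Spycar authors): a read-only
# audit of the Windows settings Spycar pokes at. Run it in an elevated PowerShell prompt
# before and after a Spycar run, save the output each time, and diff the two to see which
# changes the anti-spyware tool actually blocked. Nothing here writes to the system.

function Get-SpycarStyleChanges {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. hosts file. Windows consults it before DNS, so one added line can hijack a site.
    #    Anything beyond the stock localhost mapping is reported; a security/update
    #    domain pointed anywhere at all is called out separately. Watch list is an assumption.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $watchDomains = @('windowsupdate', 'microsoft.com', 'webroot', 'lavasoft', 'kaspersky', 'symantec', 'mcafee')
    foreach ($line in @(Get-Content -Path $hostsPath -ErrorAction SilentlyContinue)) {
        $entry = ($line -split '#')[0].Trim()          # drop trailing comments
        if (-not $entry) { continue }
        $fields = $entry -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $ip = $fields[0]
        foreach ($name in ($fields | Select-Object -Skip 1)) {
            if ($name -eq 'localhost' -and ($ip -eq '127.0.0.1' -or $ip -eq '::1')) { continue }
            $hit = $watchDomains | Where-Object { $name -like "*$_*" }
            if ($hit) { $findings.Add("hosts: security/update domain redirected: $ip $name") }
            else      { $findings.Add("hosts: extra entry: $ip $name") }
        }
    }

    # 2. Registry autostart locations. Spyware writes here so it survives a reboot.
    #    Legitimate software lives here too, which is why you diff before/after output.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }      # PSPath, PSParentPath, ... are metadata
            $findings.Add("autostart: $key\$($prop.Name) = $($prop.Value)")
        }
    }

    # 3. IE home and search pages (per-user values that Spycar rewrites).
    $ieMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    if ($ieMain) {
        foreach ($name in @('Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL')) {
            $value = $ieMain.$name
            if ($value) { $findings.Add("IE: $name = $value") }
        }
    }

    # 4. Policy values that hide Internet Options tabs or remove the dialog entirely.
    #    These are the documented Group Policy locations; a DWORD of 1 means hidden/disabled.
    #    On a home PC with no domain policy, any of them being set is suspicious.
    $tabNames = @('GeneralTab', 'SecurityTab', 'PrivacyTab', 'ContentTab', 'ConnectionsTab', 'ProgramsTab', 'AdvancedTab')
    foreach ($hive in @('HKCU', 'HKLM')) {
        $panel = Get-ItemProperty -Path "${hive}:\Software\Policies\Microsoft\Internet Explorer\Control Panel" -ErrorAction SilentlyContinue
        if ($panel) {
            foreach ($tab in $tabNames) {
                if ($panel.$tab -eq 1) { $findings.Add("IE policy: $hive hides $tab") }
            }
        }
        $restr = Get-ItemProperty -Path "${hive}:\Software\Policies\Microsoft\Internet Explorer\Restrictions" -ErrorAction SilentlyContinue
        if ($restr -and $restr.NoBrowserOptions -eq 1) { $findings.Add("IE policy: $hive removes Tools > Internet Options") }
    }

    # 5. Firefox home page, which lives in each profile's prefs.js rather than the registry.
    $ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path $ffProfiles) {
        Get-ChildItem -Path $ffProfiles -Filter prefs.js -Recurse |
            Select-String -Pattern 'browser\.startup\.homepage' |
            ForEach-Object { $findings.Add("Firefox: $($_.Filename): $($_.Line.Trim())") }
    }

    return $findings
}

Get-SpycarStyleChanges
```

Save the output once before running Spycar and once after (for example, `.\audit.ps1 > before.txt` and `.\audit.ps1 > after.txt`), then run `Compare-Object (Get-Content before.txt) (Get-Content after.txt)`: every line that appears only in the second file is a change the anti-spyware tool let through. Reading the autostart section cold is not useful, since legitimate programs register there too; the diff is what matters.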
SpywareBlaster didn't prevent any of the Spycar attacks, and neither did Ad-Aware. SpywareBlaster's result is less surprising than it looks: it works by pre-setting ActiveX "kill bits" and Restricted-sites entries for known bad sites, so it was never built to watch for changes to the registry or the hosts file. In hindsight, including Ad-Aware was kind of a silly thing to do, because the free program doesn't come with real-time detection, just on-demand scanning. In fairness, it found all of Spycar's registry changes in a subsequent on-demand scan.
I don't think these tests are comprehensive enough to make informed judgments about whether free anti-spyware programs are any better or worse than store-bought programs, but the Spycar experiment does demonstrate that the anti-spyware industry is -- like the current anti-virus industry -- woefully dependent upon a constant stream of updates to detect new threats. The fear of turning businesses away through false positives is the main reason more anti-virus products don't do a better job at detecting suspicious behavior exhibited by previously unknown viruses and worms, and it does not appear that the anti-spyware industry is any further along in this respect.
Seeing as these tools still rely largely on an update process, I didn't want Webroot's claims about the frequency of updates in its product compared with that of free tools to go unchallenged. So I had a look at the last month's worth of security updates for the tools mentioned here (going back through each day of the archives at BroadBand Reports' daily Security Software Updates listings). Webroot's SpySweeper downloaded new definitions 13 times over the past month. Ad-Aware and Windows Defender each received seven updates in the 30 days ending May 10. SpywareBlaster received just two updates during that same period.