
Your Spycar Ran Over My Dogma

Anti-spyware company Webroot released a report yesterday stating that the rate of spyware infections soared in the first quarter of 2006, infecting an estimated 87 percent of consumers' PCs with an average of 34 pieces of spyware per machine.

Now, there is no doubt that spyware (and, more apropos of the numbers above, adware) is a persistent and pernicious security problem that makes computing miserable for many consumers. There also is ample evidence that, as the report notes, stealthy Trojan horse programs designed to record what you type on your keyboard are a growing and potent threat. Check out Kaspersky Lab's latest top 20 online threats list and you will see that more than half -- and nearly all of the top 10 -- are Trojans that download keystroke-logging software.

Still, I had a little trouble swallowing Webroot's infections-per-PC numbers. Turns out they count tracking cookies when estimating the number of spyware infections for each machine. Tracking cookies can be misused, but they can't really hold a candle to keystroke loggers or adware like Vx2 from Direct Revenue/A Better Internet, which can be such a pain to remove that most people find it more worthwhile to simply back up their data and reinstall the operating system.

Webroot said they didn't break down their stats by type of spyware, and so could not tell me how much of that per-machine average was cookie-related, but I'm guessing it's a fairly high percentage.

The other thing that bugged me was the following claim from Webroot's report:

"Security analysts blame this increasing infection rate on the adoption of free anti-spyware programs that use outdated technology and don't provide immediate threat definitions to combat against new and emerging threats. To guard against new spyware programs, home computer users must use an anti-spyware program with frequent definition updates and engines that are capable of removing the toughest spyware from deep within the operating system. Unfortunately, users who only install free anti-spyware programs do not get access to frequently updated definitions and versions."

I have always pointed Security Fix readers toward free anti-spyware tools, in part because I haven't had time to try out all of the various commercial programs. I must confess that until today I had not tried Webroot's "SpySweeper" software either, but I know some people who recently tested its mettle against commercial versions of free anti-spyware programs and found it to be only marginally better at spotting new threats.

Tom Liston and Ed Skoudis, both of Washington-based security consultancy Intelguardians, this week released the results of testing how well seven enterprise-level anti-spyware products fared in detecting and preventing attacks based on the types of changes the spyware tries to make to the system.

For their tests, Liston and Skoudis created a suite of tools they named "Spycar" -- basically, a set of harmless proof-of-concept spyware attacks like changing various "Internet Options" settings in Microsoft's Internet Explorer browser, or modifying the Windows "hosts" file, a simple text file that some types of spyware manipulate to interfere with security updates or redirect the victim's Web browser traffic to advertising sites.
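The hosts-file tampering described above is easy to audit by hand, and a small checker makes the point concrete: spyware either pins a security vendor's update host to 127.0.0.1 (so updates quietly fail) or points a popular site at an address of its own. The following is an added example written for this page, not code from Spycar or from any product tested here. The watch list of update and vendor hostnames, the "unusual address" rule and the sample hosts file are constructed assumptions for illustration; 203.0.113.7 is a documentation address standing in for a spyware-controlled server.

```python
"""Audit a hosts file for the kinds of edits Spycar's hosts test simulates.

Added example for this post, not part of Spycar or any product named here.
Reads the hosts format Windows and Unix share (`ip  host [host...]  # comment`)
and reports two spyware-like patterns:
  * a security vendor or update site pinned to any address (usually 127.0.0.1,
    which silently breaks updates); the watch list is an illustrative assumption;
  * any hostname pointed at a non-local address, i.e. a redirect away from DNS.
Loopback/0.0.0.0 "ad-blocking" entries and LAN addresses are left alone.
"""
import ipaddress
import sys

WATCHED_SUFFIXES = (  # assumption: sites spyware commonly blocks via hosts
    "windowsupdate.com", "update.microsoft.com", "webroot.com",
    "lavasoft.com", "safer-networking.org", "kaspersky.com",
)
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10",
)]


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; comments and junk are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *hosts = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # not a mapping line; a stricter tool would flag it
        for host in hosts:
            yield n, ip, host.lower().rstrip(".")


def is_watched(host):
    """True if host is, or is under, one of the watched update/vendor domains."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def is_local(ip):
    """Loopback, 0.0.0.0/::, RFC 1918, link-local or ULA: harmless to map in hosts."""
    return ip.is_loopback or ip.is_unspecified or any(ip in net for net in LOCAL_NETS)


def audit_hosts(text):
    """Return [(line_no, hostname, reason), ...] in file order."""
    findings = []
    for n, ip, host in parse_hosts(text):
        if is_watched(host):
            findings.append((n, host, f"update/vendor site pinned to {ip}"))
        elif not is_local(ip):
            findings.append((n, host, f"redirected to non-local address {ip}"))
    return findings


# Constructed sample; 203.0.113.7 is a documentation address standing in for
# a spyware-controlled server, not a real attacker host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.0.10    printserver              # LAN host, fine
0.0.0.0         ads.example-tracker.net  # ad-block style, ignored
127.0.0.1       www.windowsupdate.com    # blocks patching
127.0.0.1       download.lavasoft.com    # blocks Ad-Aware updates
203.0.113.7     www.google.com           # search traffic redirected
"""

if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts]; defaults to the sample above.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for n, host, why in audit_hosts(text):
        print(f"line {n}: {host}: {why}")
```

On Windows the file to pass is `%SystemRoot%\System32\drivers\etc\hosts`. Note that the checker deliberately ignores loopback and 0.0.0.0 mappings for unwatched names, because ad-blocking hosts files use exactly that pattern; what separates spyware from an ad blocker here is which names get pinned, which is why the watch list matters more than the address.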

The duo also tested whether the anti-spyware applications blocked changes to the default home and search pages in IE and Firefox, as well as the removal of most security and privacy options in IE. Skoudis and Liston found that Webroot's SpySweeper and the enterprise version of Ad-Aware fared about the same in detecting certain spyware-like behaviors, catching some, but failing to catch most of the 25 sample attacks these two guys threw at them.

But wait a second: I said the Spycar report looked at enterprise-level anti-spyware tools, not the versions typically used by consumers on home PCs. Why should home users care about the performance of anti-spyware tools geared toward businesses? Here's what Skoudis and Liston had to say on that front:

"Most of the vendors whose enterprise products we tested also market a consumer-grade anti-spyware product. In fact, most enterprise anti-spyware tools are repackaged consumer products, with a management front end. At the outset of our testing, we expected that the enterprise tools would offer at least the same level of protection as the consumer products, but we were wrong. In every case where a vendor supported behavior-based detection, the enterprise tool was far weaker by default than the consumer product. Vendors told us they feared breaking corporate applications, and thus purposely dumbed down their protection for enterprise customers." Ah, the danger of false positives.

Interesting. But what about Webroot's claims regarding free anti-spyware software? I decided to find out for myself and pit the consumer version of SpySweeper up against several other free programs to see how they fared against Spycar (kudos to Webroot for sending me a trial version so that I could run this test). The other tools I tested were Ad-Aware SE Personal, Microsoft's Windows Defender program, and Javacoolsoftware's SpywareBlaster.

In all, SpySweeper fared pretty well, mainly because the free tools did so miserably. SpySweeper successfully blocked Spycar's attempts to change the Windows hosts file, and thwarted changes to IE's home and search pages. However, the program failed to defend the Windows registry -- spyware programs modify it to ensure they start up whenever an infected PC is restarted -- in two out of five of the Spycar suite's attempts to change it.

SpySweeper did not prevent any attacks on other IE settings: for instance, Spycar was able to remove every single feature tab in IE's "Internet Options" menu, including the "Security," "Privacy," and "Advanced" tabs. It was pretty eerie watching those tabs just disappear one by one. Should a piece of spyware make changes to settings in those tabs prior to removing them, the average user would be pretty helpless to know what to do next.
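Both registry behaviours just described, the autostart entries SpySweeper only partly defended and the Internet Options tabs Spycar made disappear, leave traces that can be audited after the fact from a `reg export` dump. Here is an added example for this page, not part of Spycar or of any product named in this post, that does so offline. The Run/RunOnce keys and the Internet Explorer "Control Panel" policy values (SecurityTab, PrivacyTab, AdvancedTab and so on, where a value of 1 hides that tab) are standard Windows locations; the "unusual location" heuristic, the sample export and the program name "WinUpdater"/wupd.exe are assumptions constructed for illustration, not a known threat.

```python
"""Audit autostart entries and Internet Options lockdown in a .reg export.

Added example for this post, not part of Spycar or any product named here.
Input is the text of `reg export <key> out.reg` (Windows writes it as UTF-16;
real files are opened with encoding="utf-16" below). It reports:
  * Run/RunOnce values whose program lives somewhere a legitimate installer
    rarely uses for persistence (temp, downloads, recycle bin; an assumption);
  * Internet Explorer "Control Panel" policy values set to 1, which hide the
    corresponding Internet Options tab (the behaviour Spycar demonstrates).
"""
import re
import sys

RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
IE_CONTROL_PANEL = "\\policies\\microsoft\\internet explorer\\control panel"
TAB_POLICIES = {"generaltab", "securitytab", "privacytab", "contenttab",
                "connectionstab", "programstab", "advancedtab"}
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\downloads\\", "\\recycler\\", "\\$recycle.bin\\")
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
_EXE_RE = re.compile(r'^(.*?\.(?:exe|com|scr|bat|cmd|pif|vbs|js|dll))(?:\s|$)', re.IGNORECASE)


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for REG_SZ and REG_DWORD values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        # hex:/multi-string data is not needed for this audit and is skipped
    return keys


def program_path(command):
    """Executable path from an autostart command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = _EXE_RE.match(command)  # unquoted paths may contain spaces
    return m.group(1) if m else command.split(" ", 1)[0]


def audit_registry(text):
    """Return [(key, value_name, reason), ...] in export order."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k.endswith(RUN_KEYS):
            for name, cmd in values.items():
                if isinstance(cmd, str):
                    path = program_path(cmd).lower()
                    if any(d in path for d in SUSPICIOUS_DIRS):
                        findings.append((key, name, f"autostart from unusual location: {path}"))
        elif k.endswith(IE_CONTROL_PANEL):
            for name, data in values.items():
                if name.lower() in TAB_POLICIES and data == 1:
                    findings.append((key, name, "Internet Options tab hidden by policy"))
    return findings


# Constructed sample export; "WinUpdater"/wupd.exe is a made-up name, not a known threat.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSN Messenger"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"WinUpdater"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\wupd.exe -s"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"SecurityTab"=dword:00000001
"PrivacyTab"=dword:00000001
"HomePage"=dword:00000000
'''

if __name__ == "__main__":
    # Usage: python reg_audit.py [export.reg]; defaults to the sample above.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for key, name, why in audit_registry(text):
        print(f"{key}\\{name}: {why}")
```

To produce input on a real machine, export both hives' Run keys and the IE policy key with `reg export`, for example `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`. The audit is on-demand only, like the Ad-Aware scan mentioned below; it tells you a change has already happened, which is exactly the gap the Spycar behaviour tests probe.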

Windows Defender stopped one of Spycar's attempts to change the registry, but allowed the others. It also failed to stop any of the other 11 attacks in the Spycar suite, and its "real-time protection" happily allowed all of the changes to IE settings -- including modifications to IE's default home and search pages. Windows Defender also stood idly by while Spycar made additions to the Windows hosts file, which I found pretty disturbing.

SpywareBlaster didn't prevent any of the Spycar attacks, and neither did Ad-Aware (in hindsight, including it was kind of a silly thing to do because the free program doesn't come with real-time detection -- just on-demand scanning. In fairness, it found all of Spycar's registry changes in a subsequent on-demand scan.)

I don't think these tests are comprehensive enough to make informed judgments about whether free anti-spyware programs are any better or worse than store-bought programs, but the Spycar experiment does demonstrate that the anti-spyware industry is -- like the current anti-virus industry -- woefully dependent upon a constant stream of updates to detect new threats. The fear of turning businesses away through false positives is the main reason more anti-virus products don't do a better job at detecting suspicious behavior exhibited by previously unknown viruses and worms, and it does not appear that the anti-spyware industry is any further along in this respect.

Seeing as these tools still rely largely on an update process, I didn't want Webroot's claims about the frequency of updates in its product compared with that of free tools to go unchallenged. So I had a look at the last month's worth of security updates for the tools mentioned here (going back through each day of the archives at BroadBand Reports' daily Security Software Updates listings). Webroot's SpySweeper downloaded new definitions 13 times over the past month. Ad-Aware and Windows Defender each received seven updates in the 30 days ending May 10. SpywareBlaster received just two updates during that same period.

By Brian Krebs  |  May 10, 2006; 10:23 AM ET
Categories:  From the Bunker  


Thanks for the article! Did you try Spybot? What are your opinions on Spycar, did it uninstall clean?

Posted by: Mike | May 10, 2006 5:01 PM | Report abuse


It may be instructive to perform the same tests without anti-spyware software installed but using a regular user account rather than an administrator account.

Posted by: gary | May 10, 2006 5:12 PM | Report abuse

spycar is essentially a spyware simulator... do a search on the usefulness of virus simulators in anti-virus testing (specifically sarah gordon's paper on whether good virus simulators are still a bad idea) and you'll get a feel for why spyware simulators are actually NOT useful for testing anti-spyware software...

Posted by: kurt wismer | May 10, 2006 5:16 PM | Report abuse

Mike, no, I didn't compare Spybot, though I have used it in the past. I understand it is supposed to have some "real-time" blocking features (blocking some "browser helper objects" for example), though I can't recall ever seeing those in action back when I last had that program installed. Spycar comes with a program called TowTruck that allows you to create and wipe profiles. In fact, when you ask TowTruck to tell you how your anti-spyware program fared, it automagically wipes the changes it made.

Posted by: Bk | May 10, 2006 5:19 PM | Report abuse

So, does this mean that Webroot is better than the freeware solutions since it catches more and has more frequent updates?

Posted by: Riya | May 10, 2006 5:55 PM | Report abuse

Brian Krebs wrote:
"SpywareBlaster didn't prevent any of the Spycar attacks"

Hello Brian,

Perhaps you erred in what program you meant, but SpywareBlaster was not designed to provide that type of protection. If by chance you did not err, I would respectfully ask that you take the time to understand what protection SpywareBlaster does provide before making irresponsible remarks in an article that will be shared across many security forums. Javacool LLC has given FREELY to the Internet community for a number of years via its protection software. It would be only right for you to offer either a correction in your article or some kind of correction freely admitting that you did err in mentioning SpywareBlaster in the same breath in regards to this Spycar test.


Posted by: Bubba | May 10, 2006 6:00 PM | Report abuse

Webroot should mind the old proverb:
"Those who live in glass houses, should not throw stones."

If you are offered the Windows Genuine Advantage notification package in Automatic Updates and you refuse to install it, you can't download definitions updates for Windows Defender.

I switched to Ad-Aware SE as my backup to Spybot S&D. Given the poor performance of Windows Defender as described in Security Fix, I have no regrets.

Posted by: Ken L | May 10, 2006 6:11 PM | Report abuse

Spy Sweeper, originally a very good product, has fallen behind the others. It has become very resource hungry and fails to match the others in performance.

I am now using Spyware Doctor from No, it's not free, but it is very good - which is my main concern.

Off Topic : We have developed a culture of expecting everything relating to the internet to be free. There are very many wonderful [ and useful ] products that are available for free - AntiVir® PersonalEdition Classic - but generally a little money has to be spent on essentials.

* Operating System
* Firewall
* Virus Protection
* Spyware Protection

Would make a great article !!!

Posted by: Anna Konda | May 10, 2006 7:28 PM | Report abuse

If you go back, for example to, you'll find that they used to break these things out. Unfortunately, the data was undermining their point. Seems that malicious spyware was down from 9% of corp systems to 7% of corp systems.

So that's a little different - "80% of systems have SPYWARE! The sky is falling! News at 11!" is great for hysteria, but 1 out of 14 systems have bad spyware isn't quite so scary.

Then you also have to consider that they're using their own spyaudit to collect the data, and that data is collected from prospective customers. Hmmm. Of course, the problem may actually be worse than they think, since spyaudit fairly well stinks.

IMHO, keeping your security patches up to date is the most important thing you can do.

Posted by: usedtoworkthere | May 10, 2006 10:38 PM | Report abuse

Your reference to free anti-spyware software as being inadequate in stopping spyware is not correct. Many anti-spyware programs come in limited free versions, with real-time protection disabled, however with the same scanning and detection capabilities like the full versions. Free programs are not inherently worse than their paid brothers, and in some cases, offer at least the same if not greater protection.
I can achieve the same results using 0-money scanners as with any paid anti-spyware product.
One last thing, SpywareBlaster provides passive protection. You might as well say that the Hosts file did not prevent any spyware from installing or running.

Posted by: Jason | May 11, 2006 1:41 AM | Report abuse

I tried the test and was able to block most things with Windows Defender switched to the advanced mode instead of the regular mode. The mode where you join Spynet allows you more control, and I found I was asked if I wanted to allow said changes, and was able to block them. Could you try the test again in the other mode of Windows Defender?

Posted by: Louis | May 11, 2006 2:16 AM | Report abuse

No one here should expect to be protected from a socially engineered 'click-on'. If one goes ahead and tells the OS to install it, that's it, you've had it. Expect the freeware to protect you from 'drive-by' attacks not voluntary downloads.

Posted by: George | May 11, 2006 3:32 AM | Report abuse

I disagree completely with your assessment of SpySweeper. As an Administrator for and a Teacher/Expert at several other sites, I spend hours every day working with people infested with malware. As you mentioned, spy cookies are the least of our concern. We are fortunate to have on our staff representatives from several of the companies you mentioned in this article. One of those is a gentleman from the Threat Assessment team at SpySweeper. He spends all day "parked" in our sites' chat room. When a new piece of malware shows up on the site (a very regular occurrence), our Staff know that they can go to him, submit the file, and it is normally incorporated into SpySweeper's next definition update. Impressive, if you ask me. I don't like seeing claims made against SpySweeper, saying that they are inflating something by including tracking cookies. The fact is, they target very FEW cookies. They concentrate more on nastier malware. I've used SpySweeper over and over again for victims on our site. It cleanly and easily removes some of the nastiest infections out there. Is it perfect? Of course not. It's still the best all around anti-malware application out there.

Posted by: Kathie | May 11, 2006 8:17 AM | Report abuse

Brian, Thanks much for your column and blog! As you have noted previously, fighting spyware requires a layered approach.

I do the following; the amount of effort required really makes me resent using a PC!

1) don't browse in "God" mode - I cannot bring myself to follow the advice to run as a WinXPpro Limited User for various reasons, not the least of which is the inability to update some anti-spyrus applications. I have downloaded DropMyRights from Microsoft and installed it in the shortcuts for Firefox, Outlook & Explorer. However if these apps are launched by a hyperlink, they open in Administrator mode and I am vulnerable.

2) create no-go zones that IE & Firefox cannot visit using a) JavaCoolSoftware's Spyware Blaster and b) Eric Howes' IE-SpyAd

3) install real-time blockers a) Spybot S&D Resident, b) Windows Defender (but you must change the idiotic default settings) c) Webroot's SpySweeper (kudos to for making free to users for a couple of years) - unfortunately it is VERY hard to make Webroot's product play nice with other anti-spyware apps so I am using it less and less.

4) periodic sweeps using an app such as Lavasoft's AdAware SE

5) anti-keyloggers as you have pointed to in the poast

If I find myself using a free app 6 months later, I send them a $10 donation. It's not much, but I hope it helps them to keep the updates coming.

Posted by: OhioMC | May 11, 2006 9:14 AM | Report abuse

"Windows Defender also stood idly by while Spycar made additions to the Windows hosts file..."

Sorry, but not here, running Defender Beta2 Refresh (v1.1.1347).

Posted by: Robear Dyer, MS MVP-Windows (IE/OE, Security, Shell/User) | May 11, 2006 10:24 AM | Report abuse

Brian, Love your posts... learn a lot! I try to keep my home PC safe. But now I will be on assignment, using a new boss's laptop for short consulting work... Should I not even log on to my personal email or anything requiring my password's entry - just in case he has a way of recording keystrokes? Yes, I could change the password, but am so partial to it. Am a paranoid amateur. Thank you for any advice!

Posted by: Maria | May 11, 2006 11:39 AM | Report abuse

Those tests are not for detective defenses like anti-spyware/anti-virus solutions. Those tests are for proactive defense solutions - HIPS. In fact, in the real world, detective defense is useless against malware. As the author of those tests said at Wilders Security Forum, "2007 is the year of the HIPS". I would even say "the year of the sandbox HIPS" (like my DefenseWall, for instance). That is the main reason this type of test was created (SpyCar, DFK Threat Simulator, Scoundrel Simulator and some others).

Posted by: Ilya Rabinovich | May 11, 2006 11:54 AM | Report abuse

Ken L wrote, "If you are offered the Windows Genuine Advantage notification package in Automatic Updates and you refuse to install it, you can't download definitions updates for Windows Defender."

You are referring to the WGA Validation Tool (ActiveX control), not WGA Notifications application (905474). The latter is not required to update Defender.

Posted by: Robear Dyer, MS MVP-Windows (IE/OE, Security, Shell/User) | May 11, 2006 12:49 PM | Report abuse

> You are referring to the WGA Validation Tool (ActiveX control), not WGA Notifications application (905474). The latter is not required to update Defender.

That is not correct. I already have the WGA tool, else how would I have been able to install Defender in the first place?

I was offered both the WGA notifications package and a Defender definitions update. I declined the notifications package and accepted the Defender definitions updates. When I tried to update the definitions, the install failed.

WGA Notifications is required for Defender definitions updates offered through Automatic Update. Read the "What is the Windows Genuine Advantage Notifications program?" section of the WGA FAQ at:

With WGA, MS is following the same unsuccessful path that the RIAA is following. Instead of making a superior, secure product, MS is going after their customers..."Guilty Until Proven Innocent."

The RIAA is failing badly as their industry continues to pump out low-quality junk, CD sales fall like a rock, and music piracy continues unabated.

Going after students, grandmothers, and other low-volume users does ZERO for corporate bottom lines. The real pirates are the factories operated by rogue Chinese Army generals and guarded by their troops, who stamp out thousands of XP CD's. If you want to stop software piracy, you have to go there.

Sending lawyers and WGA after end-users is simply taking the path of least resistance, not the path that will do anything about the problem.

Posted by: Ken L | May 11, 2006 6:00 PM | Report abuse

I also tried with Windows Defender in advanced mode and the darn thing didn't even pop up and tell me anything was changing. I also tried with RegDefend with Tony's ruleset and it seemed to block everything.

Posted by: Nogard | May 12, 2006 10:42 AM | Report abuse

I wonder how long it will be until Liston falls off the wagon again. Also, how much of Liston's code is his own? He has a nasty propensity for taking other people's code - both open source and proprietary - and loudly claiming it's all his own and due to his own merit.

Posted by: AA | May 15, 2006 3:40 AM | Report abuse

I must insist that everyone discover the sad truth behind "Spycar"-- it is this:

Posted by: Dr. Gerry | May 17, 2006 5:21 PM | Report abuse

Sadly, both AA and Dr. Gerry are right in regards to Mr. Liston, as will become abundantly clear in the time to come.
"Open Source"... yeah, right...

Posted by: sAnnT0n | May 18, 2006 10:02 AM | Report abuse

© 2010 The Washington Post Company