Ask The Security Expert: Questions & Answers

What is Spycar?

Expert response from: Ed Skoudis

QUESTION POSED ON: 21 September 2007
How can Spycar be used to analyze the effectiveness of various products?

EXPERT RESPONSE

Back in May 2006, when my colleague Tom Liston and I originally released Spycar, it worked well in analyzing the effectiveness of behavior-based antimalware products, as well as in identifying whether the tools had behavior-based detection capabilities at all. Spycar, still available for free, throws any one of 17 different aggressive spyware-like behaviors onto a machine. It then tries to coax an antispyware tool into detecting the action and blocking it.

Most antivirus and antispyware vendors today rely on signature-based detection, which identifies malware by checking for specific bit patterns in a file or in memory. Because such detection looks for a malware sample in its entirety, bad guys can avoid the technology by slightly tweaking their malware. Newer heuristic detection capabilities still look for patterns, but now they seek only telltale piece parts of malware, rather than match signatures against a whole file.

With behavior-based detection, however, the antimalware tool allows a program to run. If the program engages in evil behavior, the tool then kills the process and possibly rolls back any changes. The Spycar tool is designed to imitate the behaviors of evil programs, but in an entirely benign and completely reversible fashion. Some malware alters the hosts file, for example, mapping the domain names of some antivirus companies to an individual's own localhost IP address (127.0.0.1). Such an entry prevents the user from receiving signature updates. Spycar mimics this action in a benign way by appending an innocuous entry to the hosts file, with the hope that behavior-based defenses will block it. Spycar likewise alters the Run, RunOnce, and RunOnceEx registry keys in the HKLM and HKCU portions of the Registry, which adds an innocuous auto-start program that runs whenever someone boots the machine or logs on. Again, the hope is that an antimalware tool will detect Spycar's attempted changes and block them.

You can download Spycar and attempt to run it on your machine. Simply download each individual Spycar test one by one, and then run the program that is delivered to you. Spycar doesn't infect a machine, and it cleans itself up with the running of a program called TowTruck, also available at www.spycar.org. The TowTruck executable analyzes a system to see which of the Spycar tests were successful. After the analysis, the program rolls everything back to the pre-Spycar state.

At first, we had some good successes in testing with Spycar, finding some flaws in various antimalware tools, and learning about the strengths of others. You can read about our findings in the May 2006 issue of Information Security Magazine.

Then… Wham! The various antivirus and antispyware vendors wrote signatures to detect Spycar. Suddenly, for some vendors, Spycar could no longer measure whether these products had behavior-based detection capabilities and whether they were any good. That was a significant bummer, and the signatures remain a problem today with some but not all vendors. You can still run Spycar as a pure-play behavior-based detection tool. It can check that your antivirus technology detects the behaviors that Spycar models. Beware of testing it against signature-based products, however. Antivirus mechanisms may stop it from running and evaluating your behavior-based defenses.

Tom Liston and I have worked in the lab to brainstorm another approach, resulting in the creation of a new Spycar tool, which we haven't yet released. This new version models multiple behaviors simultaneously. Instead of just altering the hosts file or doing the other 16 behaviors one at a time, Spycar can be configured to simultaneously perform any combination of 25 different behaviors. The new design should allow Spycar to evaluate antimalware tools that have sophisticated behavior-based scoring systems.

But, alas, how can we deal with the signature problem? The new Spycar design is radically polymorphic, changing itself fundamentally each time it is run. That makes it far less detectable by signature-based heuristics, which is the good news. The bad news is that Tom Liston dreamed up some pretty radical morphing code for the new version, which we're not sure we want to unleash on the world at this time. It's nifty stuff, but we'll keep it in the lab for now.

More information:

  • Learn other ways to test an antivirus tool's behavior-based functions.
  • Ed Skoudis reveals the best bot detection mechanisms.
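The two Spycar behaviors the answer walks through (pointing antivirus update hostnames at 127.0.0.1 in the hosts file, and adding an auto-start value under the HKLM/HKCU Run, RunOnce and RunOnceEx keys) are exactly what a behavior-based defense is supposed to notice. The following is an added example of that detection logic, not Spycar or TowTruck code: it audits a hosts file for watched domains mapped to loopback and diffs the six autostart keys against a baseline. The watched domains, registry values and hosts-file content are constructed for the example.

```python
import re

LOOPBACKS = {"127.0.0.1", "::1", "0.0.0.0"}

# Hypothetical AV update hostnames an admin would watch (constructed for this example).
WATCHED_DOMAINS = {"update.example-av.test", "liveupdate.example-av.test"}

# The autostart locations the answer names: Run, RunOnce, RunOnceEx under HKLM and HKCU.
AUTOSTART_KEYS = [
    rf"{hive}\Software\Microsoft\Windows\CurrentVersion\{key}"
    for hive in ("HKLM", "HKCU")
    for key in ("Run", "RunOnce", "RunOnceEx")
]


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def find_blackholed(text, watched=WATCHED_DOMAINS):
    """Watched hostnames that have been pointed at a loopback or null address."""
    return sorted(name for ip, name in parse_hosts(text)
                  if ip in LOOPBACKS and name in watched)


def diff_autostart(baseline, current):
    """New or changed autostart values per key. Inputs map key path -> {value name: command}."""
    findings = {}
    for key in AUTOSTART_KEYS:
        before, after = baseline.get(key, {}), current.get(key, {})
        changed = {name: cmd for name, cmd in after.items() if before.get(name) != cmd}
        if changed:
            findings[key] = changed
    return findings


# Constructed sample input: a hosts file after a Spycar-style modification.
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1       localhost
127.0.0.1  update.example-av.test   # update server blackholed
::1 liveupdate.example-av.test
"""
# Constructed Run-key snapshots before and after an innocuous autostart entry was added.
BASELINE_RUN = {AUTOSTART_KEYS[0]: {"UpdaterDemo": r"C:\Program Files\Demo\updater.exe"}}
CURRENT_RUN = {AUTOSTART_KEYS[0]: {"UpdaterDemo": r"C:\Program Files\Demo\updater.exe",
                                   "spycar": r"C:\spycar\innocuous.exe"}}
```

On a live Windows host you would feed `find_blackholed` the contents of `%SystemRoot%\System32\drivers\etc\hosts` and build the two registry dictionaries from a pre-test and post-test export of the six keys.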
