This article can also be found in the Premium Editorial Download "Information Security magazine: Identity crisis solved: Tips from a top identity management expert."
Download it now to read this article plus other related content.
|Behavior-Based Spyware Detection|
|Click here for a comparison of behavior-based spyware detection. (PDF).|
Behavior-based detection is a double-edged sword: While it improves detection, it increases the likelihood of false positives, which could break an unusual but legitimate enterprise application. Still, there's great value in blocking or alerting on suspect behavior.
Based on our experience with AV tools, we fully expected the antispyware products to have heuristic or behavior-based detection abilities to cope with a rapidly morphing threat. However, McAfee is the only one that detected any of our tests in its default configuration; eSoft, Lavasoft and Webroot turn off behavior-based detection by default; and CA, SurfControl and Trend Micro have no behavior-based detection capabilities. Because many enterprises run security software with a default configuration, you'll have to consider your own policy.
To test behavior-based detection, we created 25 small custom programs, each of which attempted to perform a single spyware-like behavior. We dubbed the collection "SPYCAR" in homage to the well-known EICAR antivirus test file.
Our SPYCAR specimens tested each antispyware tool's ability to detect the following:
- The addition of new registry values or start menu entries to run programs loaded by SPYCAR.
- Various changes to the "Internet Options" panel in IE (including changes that lock out users' ability to change their home page).
- Changes to the home page of both IE and Firefox.
- Additions to the hosts file.
- The launch of a keylogging application.
- Addition of a browser helper object (BHO) to IE.
- Changes to the default wallpaper.
Interestingly, McAfee's default settings block programs from being run from IE's "Temporary Internet Files," a simple protection that can defeat many "drive-by" spyware installs.
eSoft, Lavasoft and Webroot produced a mixed bag of results when behavior-based detection was enabled. Webroot detected and blocked attempts to install values under the "Run" and "RunOnce" keys in HKCU and HKLM, which are often used to start spyware automatically at system boot or user logon. However, Webroot completely missed additions to RunOnceEx, a registry key that operates in much the same fashion as RunOnce. By blocking only two of the three most commonly used registry keys for launching spyware, Webroot missed a major portion of the defensive puzzle.
Lavasoft's behavior-based detection has to be enabled on each individual client. When set to its highest level of detection, Lavasoft alerted the user to an attempt to install a value under RunOnceEx and even offered the option to block it, but then failed to actually block the activity. Lavasoft was, however, the only product to detect a rather tricky attempt to replace IE as the default Windows shell in order to launch a spyware application.
eSoft's behavior-based detection was weaker than that of Lavasoft or Webroot, though it did detect and roll back an installed BHO when an on-demand scan was performed.
This was first published in May 2006