
Antivirus vendors admit they 'dropped the ball' on spyware

By Shawna McAlearney, News Editor
17 Jun 2005 | SearchSecurity.com


Security Watercooler articles are designed to get you thinking -- and talking -- about issues facing information security professionals. Please Sound Off with your opinions.

Even AV vendors admit they initially failed when it came to protecting users from spyware. But they have their reasons.

"There's an argument that AV vendors dropped the ball, but it's a very slippery ball," said Roger Thompson, director of malicious content research at Computer Associates based in Islandia, NY. "Classifying spyware has never been an easy thing for AV vendors to do because of context -- it's all shades of gray, unlike viruses which are all black. It's only things like bots that everyone agrees are spyware."

A valid point given the spectrum of "spyware" that runs from bots to cookies, but analysts aren't buying it.

"I'm absolutely amazed AV vendors did nothing about spyware," said Amrit Williams, research director for Gartner's Information Security and Risk practice in Stamford, Conn. "It's bad stuff getting on your computer -- isn't that what they're supposed to prevent?

"AV vendors were in the best position to provide a level of protection against spyware, not simply detecting it, but preventing it in real-time as they have done with viruses," Williams concluded. "They should have provided this protection two to three years ago."

The buzzword this year is 'bot,' referring to millions of remote-controlled machines surreptitiously compromised by code that got through conventional AV scanners. Carole Theriault, a security consultant for Lynnfield, Mass.-based Sophos Inc., said bots act similarly to spyware in that they attempt to steal information from your system. "But, in the end," she said, "the end user doesn't care if we call it a virus, spyware, a bot or a flower pot as long as we safeguard their computers from these pests."

Ed Skoudis, a noted author and security consultant, said AV vendors made their decision to not initially scan and quarantine or destroy spyware and bots for understandable, if debatable, reasons.

"From a legal perspective, if they characterize every overly aggressive advertiser as 'malicious code,' they'll face huge lawsuits. One person's spyware is another person's meal ticket," Skoudis said. "So, if an AV tool deletes the code used by such an advertiser, the advertiser's business model collapses, and a lawsuit results."

Part of the problem is that AV tools are designed to eliminate a threat, rather than advise that a potentially unwanted program [PUP] has been installed. And what is -- and isn't -- spyware is often in the eye of the beholder. Cookies are part of the Web browsing experience and many IT departments use remote management programs like PCAnywhere that others might classify as spyware.

Or AV vendors could just be greedy.

"The economic reason for minimizing spyware signatures in AV tools involves selling another product," Skoudis noted. "Why sell you just one product, when a vendor can sell you two: antivirus and antispyware."

Vincent Weafer, senior director of Symantec Security Response in Cupertino, Calif., said spyware isn't a technology challenge, but rather a policy issue for each organization. He offers six behavior-based definitions of spyware to consider:

  • Installation characteristics -- does it have active or passive user consent;
  • Stealth properties -- silent install, no user interface, obscure naming, etc.;
  • Privacy impact -- does it release confidential information;
  • Integrity impact -- removes/lowers security protection, modifies browser settings, overwrites system data;
  • Performance impact -- system slowdown, stability, frequency of pop-ups, active conduit for additional security risks;
  • Removal ease -- apparent avoidance of uninstall, non-functional uninstall, etc.

"Companies need to do a discovery scan for spyware and then decide which things they're prepared to exclude," Thompson agreed.

In an earlier interview at the Gartner IT Security Summit, a user in the financial services community, who asked not to be identified, said an analyst report created for his organization examined deficiencies in the antivirus industry concerning the detection of spyware.

"While the larger antivirus vendors are neck-and-neck in functionality and capability, they have all ignored antispyware," the report said. "The smaller specialty software firms that have focused on developing antispyware are the recognized industry leaders. During the latter half of 2004, Computer Associates acquired PestPatrol, Microsoft acquired Giant Software [and others], and McAfee released its initial version of antispyware -- all in an effort to have a showing in this space."
