Put Your Antispyware Apps to the TestMarch 8, 2008 – 6:21 PM
Does your antispyware software really work? With security experts warning of “rogue” antispyware products that sometimes do more harm than good, two security researchers have decided to take matters into their own hands.
They’re working on a new software product, called Spycar, that will test the effectiveness of antispyware applications. “We decided the best way to do that would be to write a suite of tiny custom programs that each do a tiny spyware-like thing,” says Tom Liston, a senior security consultant with Intelguardians, based in Washington, DC.
Liston is developing the software with Ed Skoudis, also an Intelguardians security consultant.
Spycar will contain about 25 small programs, each of which engages in the kind of nasty behavior normally associated with spyware. For example, it will add favorites to Internet Explorer, or add a file to the machine and change the computer’s Registry so that the file launches at startup. The software will then undo all of the changes it has made after the testing has been completed.
“You could really test and see if your antispyware is doing the things that it should be doing,” Liston says.
And that is becoming an increasingly important concern for many Internet users. While many antispyware products can identify malicious code when using signatures, a kind of digital fingerprint that alerts the software to unwanted code, Liston says the apps don’t do so well when trying to identify unknown software, like that contained in Spycar, that behaves like spyware. “Not too many of them are catching behavior-based stuff at this point,” he says.
Liston likens the state of antispyware products to the antivirus market several years ago: overly reliant on signature-based techniques and lacking in standard testing tools.
Setting a Standard
Security giant Symantec agrees with him, at least when it comes to antispyware testing tools.
“We would love to see the antispyware industry evolve to the point where there are standardized tests,” says David Cole, director of the company’s security response group. “We’ve evolved to that point on the antivirus side.”
In fact, the Spycar name is a play on a popular antivirus testing tool created by EICAR (the European Institute for Computer Antivirus Research).
Symantec and other major security vendors banded together earlier this year to develop standard ways of testing their antispyware products, something that they say will eliminate customer confusion in this space. Information on this effort can be found here.
It’s no surprise that customers are confused. Literally dozens of antispyware products have been classified as rogue antispyware by Spywarewarrior.com, a Web site that serves as a clearinghouse for information about the spyware problem.
One of these alleged “rogue” products came under scrutiny in January, when Microsoft and the Washington state attorney general sued antispyware software vendor Secure Computer. Their complaint alleges that Secure Computer’s Spyware Cleaner software not only failed to remove spyware as advertised, but left its users less secure. The White Plains, New York, company pulled Spyware Cleaner from the market soon after the suit was filed.
While Spycar won’t help users remove rogue antispyware products, it will give customers of those products a sense of whether they have a problem, Liston says.
Spycar will be available free of charge in May. More information will be made available on the company’s Web site at that time.