Better Spyware Defenses Needed

March 8, 2008 – 6:02 PM

Warning: Long ramble ahead.

A lengthy discussion has popped up on the Bugtraq mailing list. It began with an observation from a user that Microsoft Antispyware missed software from Claria and a whole raft of cookies. It is not surprising that it did not detect the Claria software, since Microsoft has decided that adware will not be detected by default.

The discussion has turned into a series of suggestions for reducing the number of malware infections. New posts are arriving as I write this.

It is an interesting question; and it made me start thinking. As long as it is legal and as long as there is money to be made in doing it, people will continue to create unwanted software parasites. How do we stop those parasites from infecting the average computer?

Everyone seems to agree that computer users need to be educated about the risks. I believe that the people most at risk of becoming infected by spyware are those who have connected to the internet for the first time.

The incident that turned me into a crusader against spyware was an ActiveX driveby installation of Comet Cursor. I had been online for just a couple of days and decided that the default browser security settings were too tight – so I loosened them.

Basically, what I did was to leave the keys of a very nice car sitting in the ignition after parking it in a seedy neighborhood. It happened because I was ignorant of the risk. No one told me that the neighborhood was dangerous, so I dropped my guard. If I had known that spyware could appear on my computer just from surfing a web site, I would have been more likely to tighten the security settings, not loosen them.

Education is not the whole answer. Despite all the warnings, people still become infected. I still receive emails with the “I Love You” virus attached; and that virus is six years old!

Laws will help to a certain point. Unfortunately, the people creating the worst of the malware already realize that what they are doing is wrong. Most of them will not care about laws.

The ultimate solution will have to be technological. The software which claims to protect against spyware will have to start living up to that claim. I can think of three things that antispyware software can start doing which would prevent the majority of spyware infections.

Number One:

At the moment, the second most popular method used to install unwanted software is to exploit browser flaws. Microsoft releases patches for most of these flaws but many people do not install them. Going to the wrong web page with an unpatched browser is like leaving home with the front door wide open.

This should be the first thing examined by antispyware software. If a patch that fixes a flaw used to install malware is available but not installed, the software should point that out and tell the user to install it. It should make such a pest of itself about the patch that the user installs it just to make the program shut up.

You couldn’t do that with the corporate version, because the IT department may have vetoed a patch for causing more problems than it fixes. In the home version, the antispy program should make it difficult to ignore a patch that fixes a hole used by malware.

Number Two:

The most popular way to install spyware continues to be the third-party bundle. For years, most file sharing programs have been installing spyware. The antispy programs should keep a list of those P2P programs known to bundle third-party software and pop up a strong warning if the user is trying to install any of them.

Even better, why not scan any installer package as soon as it loads into memory? Most installers are just scripts which extract archived files to predetermined locations. With most installers, and with the right software, you can see what files are located inside, as if it were a regular Zip file. If the files for Gator or SaveNow are located within an installer, force the installer out of memory and pop up a warning.
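An added illustration of the installer-inspection idea (my example, not the author's code or any antispyware product's): treat a zip-readable installer as an archive, walk its members, descend into nested archives up to a fixed depth, and flag any file name that is on a blocklist of known bundle components. The blocklist entries and the sample installer are constructed placeholders, not real adware file names.

```python
import io
import zipfile

# Constructed blocklist of bundled-component file names (placeholders only).
# A real product would key on names and hashes of known bundle components.
BUNDLED_COMPONENTS = {
    "example_adware_installer.exe",
    "example_adware.dll",
}

# Members with these suffixes are tried as nested archives.
ARCHIVE_SUFFIXES = (".zip", ".exe", ".msi", ".cab")
MAX_DEPTH = 3  # cap recursion so a deliberately nested package cannot stall the scan


def scan_installer(data, path="", depth=0):
    """Return (member path, matched name) pairs for every blocklisted component
    found in a zip-readable installer, including inside nested archives."""
    findings = []
    if depth > MAX_DEPTH:
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename.rsplit("/", 1)[-1].lower()
                here = f"{path}/{info.filename}" if path else info.filename
                if name in BUNDLED_COMPONENTS:
                    findings.append((here, name))
                # Only members that look like archives are opened recursively;
                # non-archive payloads raise BadZipFile and are skipped below.
                if not info.is_dir() and name.endswith(ARCHIVE_SUFFIXES):
                    findings.extend(scan_installer(zf.read(info), here, depth + 1))
    except zipfile.BadZipFile:
        pass  # not zip-readable at this level: nothing to inspect
    return findings


def build_sample_installer():
    """Constructed sample: an outer package carrying a legitimate program plus
    a nested bundle that hides a blocklisted component one level down."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("bundle/example_adware.dll", b"constructed stub, not a real dll")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("setup.exe", b"constructed stub, not a real installer")
        zf.writestr("readme.txt", b"hello")
        zf.writestr("extras/Example_Adware_Installer.EXE", b"constructed stub")
        zf.writestr("extras/bundle.zip", inner.getvalue())
    return outer.getvalue()
```

Matching is case-insensitive on the base name, so renaming a component's folder or changing its case does not hide it; only a different file name would, which is the gap that hash-based matching closes.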

Number Three:

After browser flaws and third-party bundles, the next most common source of malware infestation probably is the ActiveX installer. There is a common misconception about ActiveX. People believe that, if ActiveX has a signed digital certificate, it can be trusted. It is the unsigned ActiveX that is the problem, or so people are told.

The fact that an ActiveX program is signed means exactly NOTHING. Every single piece of ActiveX malware that I have seen has been signed. Every single one of them. Even the porn dialers are signed.

In theory, the certificate issuer will revoke a signature if the software is used for malicious purposes. X-Block once tried to convince Verisign to do just that. Verisign would not do it, despite clear evidence that the program was malicious. The digital signature system is nothing but a scam, since the issuers will do nothing about the malicious use of the signed files.

However, since those programs ARE signed, that makes things a little easier. The Antispy program should install a Browser Helper Object that reads each ActiveX certificate as Internet Explorer downloads it. If the ActiveX is signed by a company associated with malware, block it and pop up a warning.

This presents the malware creator with a cruel choice. They can leave their malicious creation unsigned and risk having the browser block it. Or they can choose to sign the files, making it easier to identify them. They can randomize the file names all they want and it will not matter. Not even the wealthiest of adware companies can afford to buy multiple digital signatures in order to avoid this sort of detection.

I know most of the antispyware developers are reading this. I am suggesting very strongly that they look into seeing if these things are possible. If the antispy programs start doing this, I believe it will put up a roadblock to the three main avenues of spyware infection. With those roads blocked and guarded by armed sentries, the neighborhood will become a little safer for everyone.

http://www.spywareinfo.net/oct27,2005#betterdefenses
