
THE EFFECTIVENESS OF MALWARE COUNTERMEASURES: TWO VIEWS


I received the following email from a fellow ToThePointer.

Dennis,

Great crusade against spyware, but I fear that your Spysweeper (and apparently Spybot and Ad-Aware, quite popular in the tech press) are hardly adequate in the battle against spyware, which the ‘good guys’ seem to actually be *losing*.

Here’s an article summary on an exhaustive paper that remains to be fully analyzed: windowssecrets

They’re using Eric Howes’s research: spywarewarrior

Regards,
Joshua Reed

Naturally I went to these sites right away. At the first site you’ll have to scroll down a ways to find the feature article, “Anti-adware misses most malware,” by Brian Livingston.

The first few paragraphs follow.

Now that 80% of home PCs in the U.S. are infected with adware and spyware, according to one study, it turns out that nearly every anti-adware application on the market catches less than half of the bad stuff.

That’s the conclusion of a remarkably comprehensive series of anti-adware tests conducted recently by Eric Howes, an instructor at the University of Illinois.

Howes, a well-known researcher among PC security professionals, collected 20 different anti-adware applications. He then infected a fresh install of Windows 2000 SP4 and Office 2000 SP3 with several dozen adware programs in separate stages. Finally, he counted how many active adware components were removed by each anti-adware product.

(Note: I use the single term “adware” in this article to refer to both “adware” and “spyware.” Since it’s not necessary for a spyware program to “call home” to be disruptive, the distinction between adware and spyware is meaningless. All such programs display ads or generate revenue for the adware maker in some other way.)

Howes’s tests were conducted over a period of weeks in October 2004… [The tests’] bottom line is explosive. Adware seems to be evolving much faster than anti-adware, and the battle is so far being won by the adware side.

I’ve compiled Howes’s figures into a straightforward chart, shown below… The best at removing adware was Giant AntiSpyware [since bought by Microsoft], but even that program removed less than two-thirds of a PC’s unwanted guests.

Where does this malware come from? Howes listed three sources. One I’ve mentioned repeatedly: pirate software sites and file-sharing programs. The other two, gaming sites and professional wrestling sites (!), I’ve never visited. I’ve only criticized internet gaming as a waste of time comparable to television; apparently it’s also a big source of malware.

To understand adware, you first need to know how PCs get it. The ways that Howes obtained the adware he used in his tests provide us with some perfect examples:

Software downloads. For one group of tests, Howes downloaded and installed Grokster, a popular peer-to-peer file-sharing program, from CNET Download.com. Installing Grokster and clicking OK in its subsequent dialog boxes loaded 15 separate adware programs, containing 134 “critical” executable components, by Howes’s count.

Drive-by downloads. To set up another group of tests, Howes used Internet Explorer to visit the following Web locations: 007 Arcade Games (a games site), LyricsDomain (a song lyrics site), and Innovators of Wrestling (yup, a wrestling site). This resulted in 23 different adware programs being installed, carrying 138 components, Howes says. Drive-by downloads such as these are now less of a problem for users who’ve installed XP SP2.

You can’t step into the same river twice. For yet another test, Howes visited the wrestling site again, but on a different date. The makers of adware must have signed a lot of distribution contracts with the site in the interim. Howes says his PC picked up 25 adware programs and 153 components on that one visit alone. (You’ll notice that I didn’t link to the examples I cited above, and I strongly recommend that you avoid trying any of them.)

Yet, in my opinion, the Livingston article and the Howes research are alarmist, for the following reasons.

The operating systems on which the tests were conducted are far less secure than Windows XP, especially with service pack 2 (SP2) that really plugs up holes. Any of you using Windows XP with SP2 knows how intrusive its protection can be.

The version of SpySweeper used for the Howes test is certainly not 3.5, the latest.
Giant AntiSpyware has been made more effective by its new owner, Microsoft, and is available as a free download from Microsoft-security-spyware.

PC Magazine also performed a comprehensive test, with much more satisfactory results. You can read the whole article at pcmag.com. Their summary chart is more optimistic:

As you can see, SpySweeper 3.5, the latest version, caught almost everything. Microsoft’s beta does as well. I run both. Since I stay away from sites known to attack visitors, have installed SP2, run sweeps daily, and use the tools from Trend Micro that I’ve mentioned in the past, I don’t have much of a problem.

SpySweeper is PC Magazine’s Editors’ Choice. You can read their reasons here.

There are additional tools you can use to be even more secure, but I think we’ve reached the practical limit. Additional programs interfere with one another, and consume too much of my time.

Next week I plan to discuss an alternative to Internet Explorer, Firefox. Just as I was researching the article, Microsoft announced it will be releasing a new version of Internet Explorer, but didn’t say when.

Dennis Turner