|
|
|
Study: Tools Let Spyware Slip Through Cracks
By: Ryan Naraine
2004-11-23
Article Rating: / 0
There are 0 user comments on this Network Security & Hardware story.
A researcher has found that even the best-performing anti-spyware scanner failed to detect about 25 percent of the "critical" files and registry entries installed by the malicious programs.With the threat of a sophisticated spyware attack looming, a renowned security researcher says the most popular detection and removal tools "fail miserably" at addressing the growing spyware/malware scourge.
Just days after hackers seized control of a banner ad server and used it to load malicious programs on vulnerable machines, researcher Eric Howes issued failing grades on all anti-spyware scanners he tested during a two-week stretch in October.
Howes, a graduate student at the University of Illinois at Urbana-Champaign, found that the best-performing anti-spyware scanner failed to detect about 25 percent of the "critical" files and registry entries installed by the malicious programs.
"One thing I found out for sure is that no single scanner removes everything," Howes said in an interview with eWEEK.com.
"I had an inkling before doing the test that the results would come back like this. But it still is disappointing to find that the tools, in many cases, are basically useless."
"The anti-spyware tools missed things that simply reinstalled what was deleted," Howes said, likening it to a cat-and-mouse game being won by the bad guys.
The results rated the Giant AntiSpyware detection tool as the best of the 20 scanners tested, but even then, Howes said the software detected only 100 out of 134 "critical" files and registry entries.
"Some of them are just terrible. In some cases, there were only 18 critical detections. Whats the point of missing critical files? Its all going to come back anyway," he said.
"Critical" detections include executable files (.EXE or .COM), dynamic link libraries (.DLL), BHO-related registry entries, toolbar-related registry entries and auto-start Registry entries.
Howes said companies that stealthily load spyware are using elaborate tricks to hide component files on computers. "They hide the files very well on the system and use complicated techniques to detect and replace component parts. If you rip out one or two parts, the undetected parts will come in and replace the files that you took out," he said.
During the tests, which pitted the top 20 anti-spyware scanners against spyware that comes embedded with peer-to-peer programs such as Grokster, Howes said he discovered that the malicious applications were capable of blocking the scanners.
"In the second and third group of tests, one of the installed programs prevented the anti-spyware scanners from running on reboot," he said, noting that reboots are a common method used by anti-spyware scanners to remove stubborn spyware and adware that remain in memory on a PC.
 Is spyware a virus? Click here for a column.
During the first round of tests, Howes found that McAfees AntiSpyware rated very poorly, picking up only 56 of 134 critical detections. InterMutes SpySubtract (72/134), Alurias Spyware Eliminator (42/134), Lavasofts Ad-Aware (82/134) and the popular Spybot Search & Destroy (40/134) also scored very low on detecting "critical" files.
Howes said things go so bad that, at one point during the tests, he found that he had missed a single executable file. "When I started the test box the next day, the next set of tests was compromised because of that one executable. Within a couple of minutes, the box was completely loaded again with spyware," he said.
Howes, who maintains a privacy and security page, recommends that users infected with spyware use two or more scanners in combination, as one will often detect and remove things that others do not.
Benjamin Edelman, an anti-spyware advocate who researches the methods and effects of spyware, said he was not surprised by the test results. "Erics work proves that paying more for spyware detection doesnt mean getting more. He found that the more expensive programs arent necessarily better than the free versions."
Edelman, a Harvard Law School student, has been monitoring spyware installations and chronicling the research findings on his Web site.
"Were very, very far from having a magic bullet solution. Were not dealing with fly-by-night operations," Edelman told eWEEK.com. He also warned that many bogus anti-spyware programs are circulating and exacerbating the problem for consumers.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
|
|
�������x}v6�EW-mmy,u{:{� I)RCR$;/1/ϸU�xDJ;-�@�U*�
w�Aȹ3&�9)ٝG,z�Ij|ݻ@�Be�FAU�L5
J�Զn�L7n[cQ0�P����᳙(,�Q �� �jG�0-Pk< �Z5��3�5ԗql+ne0��-ڎIQ>)2zʠ �~5;�6m��(CJ��ep(z�wv@~T�h�e�MGa�oF
�w*�Nuol9�Q��)+F(B(?F#�s�?9CvN�̚0/P8b��̪�Ҵ?��@Sա*��25~k>v^
��4
�ȅ�׳�F$fRvnٸ@d`j�I�@:"84��C6S!p���z09juj=fO-�{n�_w$z�(֛z$=+~bArxưIH'�|6XB�ZI`^<m=b'�3�:tQV�_57P7nǞ;w�27 -�QK� �TmO |lMݟP>�I
�uBģF�r ˺Y49hm�E�a�jj�T+W^4/[�,\YpoF_zJU4Eٿ]vή
$�(֝[0$}u=;yؼc 8� �d}#5��*%`ZJ$�0^����:~\B^�,9@NI?�|%ܲ_/iv�d�f1<˧0CF_8ri�OgsK߾ڤ>>;O}1�fPk5M�~"3h
ؕgxg�_:nNOn9n:'ݛ�9^qٝ{N4ps
ZʟZr�fc�_C&wA"rJze_R��~8�?_$VW�;Ǥ MXO'�gs�`H�Bm۲ܾ,BRKE�k�aX|Dˢ��5��o��ߖI@wlX�`)�@�+UyoA�{PĿ� G/<@'�L[w1p3Z&��T2��3=X�M��H��#M�3!RBʼۤ%/^(P�!P샖_.��
jN|*(If(;�/3 �BD4?CzC���0&pIzj0�pqe-C8zlNVڒ1Wbg(�e�ށ:ix>!e.ڽ^C�8^%g�5F
,h�eݴ8$!�VG5MGVݏM&�Y�*M, �F_̶#ؠ�S&�s;(<�|0��@>OtvϧԴPwP�?�:�ƠM��/�G˥yf�1�@�
L�n4`�
�p|w��-v9s��/|�\aR���֔FA��=H:]7(Z\χ`caȖC@B뎂9�{�ޚ�"�Q�ûCi`y1��=��զ�@CơAX�z��C�
`�3P��l~[>l0��s�0�N\IQo�'b�dQJJd$@�!��-i]�R@A�z<
�-��,rr�l+��+~#~DBj+�Nk@PGҹ;v�jP)�r��Z
~)0ٚ��ʬ$L�
X�*?ȉ#�o"0�%X����
,gZ
X��us֪%�6
��ʋz`N�&ǽ3yjm��Q#�U^^?]%h[�,9<�p��`�M?b�n;. %=&����,Â�_Ik̖%C&=�#-n�
˛mۇ�-}X�Ȧ��5[��}j�&Gb6g��{A3u�OP#'Կ����;7�ng[./=�\҇9 2V�[��d5�0�*�gUA�+�'|(@]4?+WUPÃ"`"+42ۣ��̞�f;�
+kF+UʝWQVy'g)5<�+1!�Y�/�tzS܊�&99IAw
���ew貟FO&Jb-yhZj�I�T*{Ҵ.�Z)퉟e�i
mc-3�,3aԕ %/E"b j7�{\Z1-#
l,>F4~hN/a2*)O�v;p��=F�5}n�&�VOUKg˟�xy#kzESڡWr9}~n
g%�A pG�I͔6 I�F|x
|�3 �kQDz3OD�:}:��L�lт0ې�l1�N(̕>A�TXzRhj]V,�/F�*�|�7(
��+���#�.Wɍk?Ng,n,Ki{yOٕ.[R\�|zn�N X�Y�=:=4̄�+ud'T-1�<}6:Hy5՝�үgjE)jL$�P�/#[ݵ�
;rm۽ϧ�sq,��bj\X<��~�)fQ�Ro�>�5
\��!E+LTRUad�[s�v/|�T}uxN`+\sW��&�L�J}#Nݡe-u6$�\.)J5�)` N� 2&h�:|�#H�& ,#Ez�.2
�ʠ�0�hs}�!T0�|*Wԫ5ˈ`m�S@Ak�SU�
Փ!0D^q~�V��Kbʹ�谣��zԘ{}Q�ː
0gted��->�흧�IV/굘�zrhUU�jV5�D;/P�G�"MϨ�H��_ય?�p
,&7�Xfe�^:�
~����^Jdw%6UY81f�-��1o0ٙ"yl�ėaG*�ӕ�~�>V�vʼnG =<@+:2�pn`{��E�~�t=G�iCx�Z
&�`�i@%�M�mWq=[JzJw J`�Z�7~eGk�'ԿE���X{I-~ʮÿrRYE�G�ʚQ�z�C4�3~�Sb_@�7T_/=4xE0�q-��fdaD4@w=@�-�YMb�q?3XA mRFxޜ�9"yea@WI���J�hLwh�_�/Qm(}�"y��U
֕&ec<�M�`�%g\U�4=`\@HpjGi���}�Ϻ��!p/�*騫VIۂe2&0�ʃF5c�;
{Y}�|,On?�~�FZO!U�<@�ng?,�YE8&};琩gs�C/���ɹ%O��A2@X'v-(7Y40p�2^](lU|_ۯ|��c�i�4DZ6��s��ȈDry�T�kc[qO�f?�]ou*�Z-Y��i r#ct�3e}{c:k�7pOUU�^S<:h93$_P@hOXM\�?�\\f�vQmqLTSdT�RZ}bZ�.3zPz�`WRj�j L*>�M�C� 7P�ZvݏC~=բ,A�גHU*J5$�y�U��r=)i6Y+(#t�+��ǽ!6" ޜb��l[
ezפ_+�Gs;"ʊg�b|�r{q>'G{��l��j>cWՄθe�`�3O#[I�Yy�V}m4uH�"5Hq+�$X˴%I?N�����atA�*¾�G�.ܗvS柩fFog��8_aqOi;W9�0�4%
R͇Rie�mR��ߑJ\X 8~A�rVQ�=YKr�v�zJ5��dP��ZX'?�bGD �'T'.�_B'Wƒ"b$!Z4�>2,�q�vëJUV13/��-�1Ή{{0�=LLПBQ`n�о(&wm�I_�/�8)F�:w~�Õp;tNg�se_:m]t?�?&,{u~_wunt/���+!9kw>��{2{R��4�sy���ؕD\>k4.[mj2�m&A)��pQǮ�o>9jP8ګIt0lg~�hy# @$an߽�p.Z�:Kz5Kw.Rr1~Jz2W�!:|<`O*�a�ݺ�_~|ly̘�Z&IEqD��cf42l%zE�@�˸tOלY0z!B3ZOUc z
A0�3h�L;+�ؿ+[�Z\�f·łB?ZN�y0�(��@�RPOh�[#N:m�{mE
����b�bT1 _RJ�MQ�/YI{L/PEQ�):�*9Q{_a(kѷo5Aߐ>O1Ok7�tE�h[(�k�Nz4��\1[5.N:|"=Br�^'68�;=)��I�B2c�!A-HwԾ�N9 �4�qJh"�:�Q%;֏�?m8Zė{�,�/䎑�#��SN�$SQ(��iQ�-}yj��tJ9SBX��A�AXE� !Vo
̸G
s�8�Id=h�<|n�wcJljl�� 4�Qbh�,p��٦h��
�"��k§!��qZ/IHj��wl['/G'?Z7�ur�p:i��p*௹;_�����P�߅�M{fv+��(3*��wCOƭ�E/.q�h`bow�x7r`f[w,CN_W��ױ|}yWlw]�=(.({1{f=CB
_M�E �j=3��?zX�S:vm�\>()$E03Ա;QN9fī�9 7Gn�"�DR?�Hvw�EwO#xn|!<�?Kah
\)~-[t�tk4Yx�z[�uO\)Aę[#xmz�V~�nG�!1m.<@
;yfwQM+S0A$&nd*�PPh; '��/�$��s.*�o��:)7{b�9�9x'Cq�$Nkb� G(D\;%r->7,WxD�dII_y�/A$U%�!9H��TK�Lq֟JV�H�I�!yns �u@r$#$'S%TI{\I �-fF&�X� >��ր��,`�)�K��2hM^$&W+gEQ(}4,ܵh;�n�3ڌ 8��D =P�7Ow�IK$�SR@�R|భf@]��DCɞ3$qZh9�KE�%^0�u|�Ror{lk&',�t��N1���w@��,'������p��Qx�qZ4%W�D
mj/_<*w�D,&pa)uX*~Ba-'BZ-�q�SE� Hv�]0 " _%cmI"[ܶŶ,IjuS�+=8�$aCK>9C� ZǗ.)l��V@L!H:>a�$�p�<�J�LC7Eaŭx*)o#�+&X~de9l�m�6�[}]\W�.͜mg"MgⳌL`B#`3QYkv
�IƪJ��4ċ�nE`3��8`I��f u({8t�ma=�fEX3�6#�ͲBAоb�[Ys]
R{@'�\_4%EVOhamHQmV7Dxݕcsj�N \�Q�cVY=���kEV_ĮE2o�^5�6+jEjG&�Zc0%Ed
h
h@'٨ŢM3lzywЩnP5�}a{;��^=ca#·)lE؍_״1rAX}IL"'DĉW`j�P�^�N%zn,[B{?35$D䩝YK-i}�!k�mo8ϵמg�C�#<ޝâ.R�Zٶ5FI}0}L*>-��m: �5�N^�j�l܃xQlM1H�P"`|O%OZIO"
+|hOgHqJG;x��u]X{eR̗ٹ-LG &z|m�fo`zI˲�-�VHSl�'8�冼/W%<�tI _%[5tA6UI�@�ܡ#�'ݗ�R�����M|bӥ�С
z+c�^z0Y� EG��sLںg?JgA7qg3^/_D7{$쇈~RX:byxDGLvXGDtD�
e��|aO�c<>x�ݑeҔ�c)?1#�oq�i�-dme��M1mnX=CG=N+-��;׳ܹ/�?���\(jAX�ZsD��&jY%_�b#�Lݸ�|r�3}Ě'_nuRDcܨڗE^�9]Dr)P53˼>a�rW3۠�bRsL\) |3} p淛!�i.;�(�;v�ʃVK�
]�Sb��ş
/yc
s;m�Gk"�){�_|�t+ķz�L �ܨ47��*D��f�y;&�AS�L�ʹ��m�Z!��ߤ�|�چձ�L-(ʘӈ�{:\x�-�1+ztѥEoJY��VCmWbr,u�{0b�~�P2oO3@85l��)l^$����-\"*Nh�V,�P25aRD�K-{�/+rpDL�Kפ{�|: 8weQ?a3?}��Ѹ0rȣYqe^�,m/'�I4b8&�6/^4bd��@/j�d]Lr�'0&KCS�`vtɏ�Cϸl`��q"o��(6=�X6s
~V�xsHLv��m��� 3cьJCMwȭx!n1z���ʍ^X��3,8C"�>fyG)j/�[L_(oǺtoײnc䭼Nĭd�?J~~'L`M#��~�^~
jqh!_<9?&d܊(�^L@�x8�n
|�#��V;���/@c7�'Tݐ�0U�k)'>?�Dw
�5>ZG�ĸŦWܩ�gGR(k4X�����k�R�w
G�*L <߉F!��3&�-E�*[ނ0H�Q�&"עm@*VHticN=F55�R;}nZbfڎXu�0^�Vz^7�;_�;J[w�^�6�]^q�=!o7ݝ�AVnVu&k��C[wnWy#On@ Ϝp�'찔c?10Nl,EI��G�2vð`m
2,\�=k>I��*t=jh�DƤJd�i_T¿CTj~8�P^�s�0]\+uMi
fG@VT'=v�,�J\k��/1_�A�Xie�c=�Hmy9YyKj
s�2��n�2HmN3��X>f鳏ji+�TJ1 M&?=�q}��a>:>(��o�ztӸ'0J�+�ļJJ4:�}^+jL_7Z��Vg&'tl&v*1&V*)t|{?OI��-g:w:+/:Oļ\\snOa.=Ơe�a|o�EZd3+nsl+ZKȶ<+il�wAQg)q8
@�ə莥��� сHz3jX:.#�F¯eQ�^_�f�FܞVk}wQZTQN30]L6ejBGh-e(hd�tix����=)<�1_+@ZL�B(Yiv'�o.'�졢�T�ov/>QHՕݷod]C6o XTp*�:{ᛒWZ-�F��d�>��QhTJґ
�`�<$wz.爘����= .BM�8��Wǃ�"Ba#X�� *>I���R7G���P5�vW:�:nً�9l~��V�=GwB&#w�y;��� 8CT=aN��?5$�.+Ja SAڝ�!�:,8 ���V+��{�χ\oX|I7�"7�>�BY��s4e)PF}eOWJ�ƈ\氟aH�9p=S!�-�0Șh
MQ VHxD�~1&IBE<
liMX�� ;��YC) Q?�\Ϣ"��#BLk4�3DDc^r�{VĄ5W~V�؋^_#+&(?,p�E�
�gGLƙ;fQZ,��sϾ@b)`�H'�UL�CNq*�@���`g*o���
c�!�Vz%%�n67Xp_�Li0q�>�"(�&�.t�ѧàq?Sf
:�R���L�DΨf�ldaQ({b:M�u߃3,ȏ-VH�ݜ�(�8�×�9I(tC�K/H�zsRfƅdayFf|?g�e/(��
�@Ka1c�~Po֔J$4
>�(%f�ٕa+�V�Y�/=7)
;oU�emn�#M蕴B*�^���Ȉ}��w4�}:>�'s;x|�{MZ&GUӽ$G
}�[8zz^}>\;}�_hT繾��,g6OFY�ufvʜTN�:cͅfU��]=$;5�U6�j�UzuL��6�Bu�p
:kj:;�K_�9v�Χ65�A^�^z�+�!(8iz67a\nq���4ħyOB34yD{Qu�xS3S�S~
-̒SޅnN9rz?�hp)?Si�}>?G(]~)4:坓BsS��3˜r�'g?
͟{9埡sv9?ρ�]"g~.��/�E�|E�}/>�9�/r��ϋ�D��)?Ar/"�2g~/A~.s�2g0n9�_?r
_崿���r�s�(GvG9 ?�~r�C�(+��&��Ku�Ay+GZWqz~?29)�G9Rk_�y+-iN>質�9�;f7_ʡsTh=�*Я#Ux|dnldҹ:$�R;��]Q-=-;p]�9h\l %^a/4ZE�/Ѥ���|�E�W4|Wyd�r�
b{e?VR�w;]�CҤ�]�|j.�{%])W[O'�)^ut�k(%s<2g!�g}=*
t�=}}:c7G"\��|8�Nt7<1 }Q1��8 v�t{���.�ue"G~xwYYMWVF+$kà?y�%k"L^]lفǮAw�ia0Q*��uýEy�R�W8ր�zCO��aj'<3�;X��;i5�i__�W�mЙO�%�>A÷DV�)pF ;F,RK|c ,>(N�h8kjzrt5pÅvksn �]w��n����)CZִZjVU�%Hd6##"2t�x+*5ɪ"+uW9 ط]�V*r
`"�
*�s>P�`2?4UJ`
Ԋ�z5C=b�{Ǭ[ɞP��#��^?&G�^
e_ƘE,d���æȗጝWv,�P�@0E{vX8P*`!�I�؞.F^͇$�C�X?�6VI�2hؐMX�Klɜʹ�1v�u̿6&p&7\4)ķ�Y"D˼��xl�4@;4=ı�
>Pg�)b|+S}&KΒ 0 hJ/nӡ�xg��K�Q,Y̌B`
�jϗ9[n-c
$QMy��H|r�[���;$} F(V
#V}�/"0�;��Vӄ."�w3j'��"�n#9�]�3@Z�/`51���פ c�_601=MxY�>}r �1-�XK&Ơ}�Lt5~.<ݜ WU�z�Q�aq�ef~{^f$Z�Ak~�;ݹ)a<<�T�G|O$O�
}u+6�a`瑱nǝ)Zk�O^�!��N�
fB~Ʈ<.o"Kwz_L& _�\v�ix�F[k2#0' MĮ+fAj3&r�,svw��
�6{Nz> a"
aeO,|Ͷ�/+%&aBc M�=�Xƥ$�1`=E(Qz|T.q
"�"H�"s�{B�|'njP%^dA2,��K�و܇Є2�<
�~霰�)#,|HVKPsXOm:�Zd�\7�*M>J���Ͷ�
M1^{�3�E3dư�F<
h�:BQN{�A�}N垓$Wg_5 b fy.b3@p6�+|SDN��KPRJ��Vr.Q
?f�TZvAgL3ƷX�|@ăx!$K�VT��6pɋq#,^[ |t,G巧c��S���%�^Πo'b/;y>s7eEQ&PL;tW�;QV*i/';@Bo&� oX�)u��'|oW|B�l<{{�
,��CR�6�N�>�LcA��>X�ZXq/[�2R*4%NS��ֵd2- �Ƶ \� cwH�v&,t>[/uԝ8G�
Pr��3қsx�ěc� *+�~"�3v���vo.F/e�G�x���M-I�S`#ނ4�ܨN�A"+1�J=�y؛T�ng`��wDl
.7��.O]&
Ta!*e;1K,P`Odr&gw>G-�H�G�x
kY�oc3gz��Ϸ;���<�v;�͇OV�e�˭%�!�Ҷ\)v�cʥ.�S�ܟ?C[�a��҃fHEw�k,^��zX�ջbw.qS`�:hw b
��}�u+e!.��1�:3�OTXg�{*.v�edM����QmS?�pKTVD'�dM��/v�3qߜ93Qa[_���Gz���n}#e��^f#3s묞ƫ
�ɤ{%̅Fda��gZ-*?҆g'�Q
aa��vX� '�Ɣ
ϰ"�- xs�Wm��xDh^#3E~2㡺_0�U9sm�j3+�4cdX$�,E"�)ԛa:(�z��0����_D&tĵa=&��xqea���Vt*,zvV?Pv/isTO3uG�~v�~v�u~i a�%
ӨT\��ߴ;��+�,�ںqKZ?~<6#EKB^ �D>Vurҹ�
M+ߴ1dF-<��#@5̆UZ"<&o�)FҢpL岑+ziKmw9n�~;�1{jX~
�)CUk̥D/t^JB\qrh5
|
Network Security & Hardware 
