Just days after hackers seized control of a banner ad server and used it to load malicious programs on vulnerable machines, researcher Eric Howes issued failing grades on all anti-spyware scanners he tested during a two-week stretch in October.
Howes, a graduate student at the University of Illinois at Urbana-Champaign, found that the best-performing anti-spyware scanner failed to detect about 25 percent of the "critical" files and registry entries installed by the malicious programs.
"One thing I found out for sure is that no single scanner removes everything," Howes said in an interview with eWEEK.com.
"I had an inkling before doing the test that the results would come back like this. But it still is disappointing to find that the tools, in many cases, are basically useless."
"The anti-spyware tools missed things that simply reinstalled what was deleted," Howes said, likening it to a cat-and-mouse game being won by the bad guys.
The results rated the Giant AntiSpyware detection tool as the best of the 20 scanners tested, but even then, Howes said the software detected only 100 out of 134 "critical" files and registry entries.
"Some of them are just terrible. In some cases, there were only 18 critical detections. Whats the point of missing critical files? Its all going to come back anyway," he said.
"Critical" detections include executable files (.EXE or .COM), dynamic link libraries (.DLL), BHO-related registry entries, toolbar-related registry entries and auto-start Registry entries.
Howes said companies that stealthily load spyware are using elaborate tricks to hide component files on computers. "They hide the files very well on the system and use complicated techniques to detect and replace component parts. If you rip out one or two parts, the undetected parts will come in and replace the files that you took out," he said.
During the tests, which pitted the top 20 anti-spyware scanners against spyware that comes embedded with peer-to-peer programs such as Grokster, Howes said he discovered that the malicious applications were capable of blocking the scanners.
"In the second and third group of tests, one of the installed programs prevented the anti-spyware scanners from running on reboot," he said, noting that reboots are a common method used by anti-spyware scanners to remove stubborn spyware and adware that remain in memory on a PC.
During the first round of tests, Howes found that McAfees AntiSpyware rated very poorly, picking up only 56 of 134 critical detections. InterMutes SpySubtract (72/134), Alurias Spyware Eliminator (42/134), Lavasofts Ad-Aware (82/134) and the popular Spybot Search & Destroy (40/134) also scored very low on detecting "critical" files.
Howes said things go so bad that, at one point during the tests, he found that he had missed a single executable file. "When I started the test box the next day, the next set of tests was compromised because of that one executable. Within a couple of minutes, the box was completely loaded again with spyware," he said.
Howes, who maintains a privacy and security page, recommends that users infected with spyware use two or more scanners in combination, as one will often detect and remove things that others do not.
Benjamin Edelman, an anti-spyware advocate who researches the methods and effects of spyware, said he was not surprised by the test results. "Erics work proves that paying more for spyware detection doesnt mean getting more. He found that the more expensive programs arent necessarily better than the free versions."
Edelman, a Harvard Law School student, has been monitoring spyware installations and chronicling the research findings on his Web site.
"Were very, very far from having a magic bullet solution. Were not dealing with fly-by-night operations," Edelman told eWEEK.com. He also warned that many bogus anti-spyware programs are circulating and exacerbating the problem for consumers.