Spyware: The Good, the Bad and the Ugly
The growth in rogue anti-spyware applications has made the bad and the ugly appear to be the good. For many unsuspecting Web users and online advertising agencies, Trojans posing as legitimate anti-spyware programs are installed, sometimes after a fraudulent credit card transaction by a security-minded consumer.
Among the bad masquerading as good is the fake Microsoft AntiSpyware Center. As with others of the kind, the application appears to conduct a scan for viruses and spyware. It inevitably delivers a list of threats to the computer user, prompting a software download, often at a price. Ugly black-hat programmers capture consumer credit card and personal information, and their software may be difficult to extricate.
“Rogue anti-spyware has been around since the first shareware versions of commercial anti-spyware tools began to appear nearly eight years ago,” said Gunter Ollmann, director of security strategy at IBM Internet Security Systems. The modus operandi of these rogue tools include installing other malware onto the host, removing other spyware or legitimate applications, and installing new spyware and then charging the user to remove the spyware it just added, he said.
Although rogue anti-spyware is not new, research from IBM shows that it has become the most popular malware. Nine months into 2007, IBM’s X-Force research and development team had counted more than 210,000 new malware applications — more than all of those identified in 2006. Trojans took the top spot in malware forms for 2007, comprising 28 percent of the total.
“The term ‘rogue anti-spyware’ covers a broad range of deceptive software typically marketed with overly aggressive methods — claiming users are infected when there’s no specific reason to think that’s the case, typically charging high fees and often refusing to assist users with their problems until users pay a fee,” said Ben Edelman, an assistant professor at the Harvard Business School in the Negotiation, Organizations and Markets unit.
Pop-up dialogue boxes that appear to be Windows alerts from existing workstation software may describe a threat or newly identified virus. However, many are misleading applications that even technology experts could mistake for the real thing.
“Some rogue anti-spyware looks relatively legitimate,” Edelman said. “Vendors often design slick Web sites with endorsements, logos of purported certifications, privacy policies and other apparent indicia of trustworthiness, so it can be hard even for IT professionals to figure out which anti-spyware software is trustworthy.”
“Identification and classification of this anti-spyware as rogue requires a malware expert to perform some level of analysis of the software,” Ollmann said. “Sometimes IT professionals may get lucky by running multiple anti-spyware tools on the same host, and some of them may identify the latest addition as rogue.”
Rogue anti-spyware may originate offshore with young tech wizards or be delivered through legitimate Web advertising agencies and media placement sources. Edelman relates that Casale Media made Spyware Stormer, a supposed spyware detection program that does not perform a comprehensive scan and is promoted to Web users with scare tactics. Spyware Stormer windows pass through the Casale Media ad server.
“These applications are typically purposefully downloaded by the user in an attempt to remove spyware they think they have,” Ollmann said. “Most anti-spyware tools are designed to appear commercial so that the user purchases the software. The payment transactions are real and are not obscured. In some cases, the objective may be to get the user’s credit card details. However, if the user has already installed the software, the malicious company could simply install other software that can obtain the details at any time.”
“Some rogue anti-spyware is distributed through banner ads,” Edelman cautions. “Others are installed through security exploits” — holes in Web browsers, for instance. They may install silently through these unpatched vulnerabilities.
Users of pirated software, blog or Web forums and adult content are particularly at risk. Regardless of the context in which they are presented, however, rogue anti-spyware applications may go so far to look legitimate that they refer concerned end users to proprietary Web sites featuring user testimonials, software features, etc.
Kelly Shermach is a freelance writer based in Brooklyn, N.Y., who frequently writes about technology and data security. She can be reached at editor (at) certmag (dot) com.