ECN Forum
Posted By: safetygem Anti-adware misses most malware - 02/05/05 01:51 AM
This is an article from Brian Livingston who's a well respected "expert" on the Windows operating system. I thought the research was very interesting.

Sorry if the column formatting didn't transfer very well. You can also read the column at: http://www.windowssecrets.com/050127/

Glenn

Anti-adware misses most malware

By Brian Livingston

Now that 80% of home PCs in the U.S. are infected with adware and spyware, according to one study, it turns out that nearly every anti-adware application on the market catches less than half of the bad stuff.

That's the conclusion of a remarkably comprehensive series of anti-adware tests conducted recently by Eric Howes, an instructor at the University of Illinois.

Howes, a well-known researcher among PC security professionals, collected 20 different anti-adware applications. He then infected a fresh install of Windows 2000 SP4 and Office 2000 SP3 with several dozen adware programs in separate stages. Finally, he counted how many active adware components were removed by each anti-adware product.

(Note: I use the single term "adware" in this article to refer to both "adware" and "spyware." Since it's not necessary for a spyware program to "call home" to be disruptive, the distinction between adware and spyware is meaningless. All such programs display ads or generate revenue for the adware maker in some other way. )

Howes's tests were conducted over a period of weeks in October 2004. His results were mentioned at the time in several places, including Slashdot and eWeek.

Unbelievably, however, none of these commentators bothered to print a simple chart showing which anti-adware application did the best job at removing the unwanted components. Even Howes himself hasn't posted such a summary. In a telephone interview, Howes exhibited both modesty and perfectionism, implying that his work wasn't yet done to his satisfaction — despite the fact that his tests are some of the most extensive I've ever seen.

Howes's test results sprawl over six long Web pages, with no overall totals or summary of the figures. It's a daunting body of data, but its bottom line is explosive. Adware seems to be evolving much faster than anti-adware, and the battle is so far being won by the adware side.

For this issue of the Windows Secrets Newsletter, therefore, I've compiled Howes's figures into a straightforward chart, shown below. I removed five products that didn't complete all of Howes's tests for a variety of reasons. What's left is a revealing rating, from the top to the bottom of the anti-adware heap.

Each anti-adware application, according to Howes, removed a certain percentage of "critical" adware components. These are executable .exe and .com files, dynamic link library (.dll) files, and Windows Registry entries (autorun commands and the like).

Almost all the anti-adware programs that were tested removed fewer than half of the hundreds of adware components Howes cataloged. The best at removing adware was Giant AntiSpyware, but even that program removed less than two-thirds of a PC's unwanted guests.

Giant AntiSpyware catches 63%, tests say

Howes's tests were conducted before Microsoft Corp. announced in December that it was purchasing Giant Company Software outright. For that reason, the tests use the version of Giant AntiSpyware that was available in October and not the newer Microsoft beta version that's currently available.

Even so, with Giant's application removing 63% of a PC's adware components, and its nearest competitor, Webroot Spy Sweeper, removing less than 50%, it's clear that Microsoft has a potential winner on its hands.

In the following table, which was reviewed by Howes himself before its publication here, the Adware Fixed column represents the percentage of critical components successfully removed, not just detected, by each product (higher percentages are better). The False Positives column shows the number of benign Windows files that were incorrectly reported by a product as adware (lower numbers are better):

Product                        Adware Fixed   False Pos.
Giant AntiSpyware              63%            0
Webroot Spy Sweeper            48%            0
Ad-Aware SE Personal           47%            0
Pest Patrol                    41%            10
SpywareStormer                 35%            0
Intermute SpySubtract Pro      34%            0
PC Tools Spyware Doctor        33%            0
Spybot Search & Destroy        33%            0
McAfee AntiSpyware             33%            9
Xblock X-Cleaner Deluxe        31%            1
XoftSpy                        27%            3
NoAdware                       24%            0
Aluria Spyware Eliminator      23%            3
OmniQuad AntiSpy               16%            1
Spyware COP                    15%            0
SpyHunter                      15%            1
SpyKiller 2005                 15%            2

Howes didn't test the anti-adware programs in the above list against a program called CoolWebSearch (CWS). This little bugger mutates every few days, it seems. CWS actually requires a completely separate anti-adware program, CWShredder, which is constantly evolving along with the nuisance. This is explained in more detail later in this article.

The fact that anti-adware products fail to remove all or even most adware components has been an open secret among security professionals for some time. For this reason, tech writers often say, "You should install two different programs and run both of them for maximum protection."

To test this assertion, I compiled Howes's raw data into a new table showing the removal rate of the best app, Giant AntiSpyware, with every other tested product. According to this analysis, combining Webroot Spy Sweeper with Giant AntiSpyware did the most to remove unwanted components. But the combination of the two apps increased Giant's 63% success rate only 7 percentage points, to 70%:

Giant AntiSpyware plus...      Total Adware Fixed
Webroot Spy Sweeper            70%
Ad-Aware SE Personal           69%
PC Tools Spyware Doctor        68%
Pest Patrol                    67%
Spybot Search & Destroy        67%
SpywareStormer                 67%
Spyware COP                    66%
Aluria Spyware Eliminator      65%
Intermute SpySubtract Pro      65%
NoAdware                       65%
XoftSpy                        65%
McAfee AntiSpyware             64%
OmniQuad AntiSpy               64%
SpyHunter                      64%
SpyKiller 2005                 64%
Xblock X-Cleaner Deluxe        64%

Finally, the computer press often recommends that the two anti-adware products that should be used together are Ad-Aware SE Personal and Spybot Search & Destroy. That preference may have become the conventional wisdom because both of these products have low-end, freeware versions. PC World, PC Magazine, and other publications have recommended this combination as recently as June and August, respectively.

Ad-Aware and Spybot may have been a great combo back then. But adware apparently moves much faster than these two companies do. According to Howes's data, the two programs together barely removed half the adware components on an infected PC:

Ad-Aware SE Personal plus...   Total Adware Fixed
Spybot Search & Destroy        54%

I found no combination of any two anti-adware programs that removed more adware components than Giant AntiSpyware and Webroot Spy Sweeper, based on Howes's data. Removing only 70% of adware, unfortunately, isn't good enough. A much better strategy is to prevent adware from getting into your systems in the first place. I'll cover that next.

How to defend yourself against adware

First, let me make my opinion clear: The installation of adware should be illegal and harshly punished. Adware has exploded because it offers big economic incentives for its sponsors. They'll never adequately inform PC users about their software before it's installed. This troubling aspect of adware will never be wished away.

Only software that a PC user specifically consents to should legally be able to install — and "end-user license agreements" that stretch off the screen should never be counted as consent. (This isn't a knock on "ad-supported software," such as the Opera browser. Such legitimate software is clearly integrated with its advertising and makes it easy to shut off the ads by registering.)

In reality, today's tech-illiterate legislatures will never ban adware — if they could even think of an effective legal approach to do so. We need to engage the battle on a technical level instead.

To understand adware, you first need to know how PCs get it. The ways that Howes obtained the adware he used in his tests provide us with some perfect examples:


Software downloads. For one group of tests, Howes downloaded and installed Grokster, a popular peer-to-peer file-sharing program, from CNET Download.com. Installing Grokster and clicking OK in its subsequent dialog boxes loaded 15 separate adware programs, containing 134 "critical" executable components, by Howes's count. This source of infection would compromise even Windows XP with its new Service Pack 2 (SP2).

Drive-by downloads. To set up another group of tests, Howes used Internet Explorer to visit the following Web locations: 007 Arcade Games (a games site), LyricsDomain (a song lyrics site), and Innovators of Wrestling (yup, a wrestling site). This resulted in 23 different adware programs being installed, carrying 138 components, Howes says. Drive-by downloads such as these are now less of a problem for users who've installed XP SP2.

You can't step into the same river twice. For yet another test, Howes visited the wrestling site again, but on a different date. The makers of adware must have signed a lot of distribution contracts with the site in the interim. Howes says his PC picked up 25 adware programs and 153 components on that one visit alone. (You'll notice that I didn't link to the examples I cited above, and I strongly recommend that you avoid trying any of them.)

It's not enough to say "PC users should be more careful." Computer professionals, instead, have a duty and an obligation to prevent adware from infecting their PCs or anyone else's. Here are some steps to take:

Use Giant AntiSpyware (or install the MS beta), Webroot Spy Sweeper, and CWShredder.
At the moment, this is the short list of programs that appear to remove the largest number of adware components. I recommend that you buy the registered versions of these applications and keep them constantly updated. The few dollars involved are well worth it, compared to the damage that can be done by a rogue program controlling your PC.

Microsoft hasn't yet announced whether its version of the Giant application will cost money or be free after the beta period is over — stay tuned. (Note: The MS beta is incompatible with the MS Media Center Extender and has other 0.9-type issues.)

See Giant AntiSpyware download, Microsoft AntiSpyware beta, Webroot Spy Sweeper, CWShredder.


For prevention, install IE-SPYAD and Spyware Blaster. IE-SPYAD is a list maintained by Eric Howes of approximately 8,900 Web sites that are known to do things like install adware, hijack your browser home page, etc. Merging the list into your Windows Registry puts these sites into IE's Restricted Sites zone. They can't do much of anything to you then. The list, as of this writing, requires manual updating, but Howes hopes to automate the process soon.

Spyware Blaster is freeware by Javacool Software that Howes recommends to guard against adware installs. A registration fee of $9.95 USD enables the auto-update feature of the software, which Howes encourages. Javacool also makes a related program, SpywareGuard.

As commercial anti-adware programs develop their own always-on defenses, they may conflict with alternatives such as Spyware Blaster. Check the maker's documentation for possible incompatibilities before installing multiple products.

See IE-SPYAD, Spyware Blaster.


Read up on Eric Howes's site. Aside from Howes's postings about his anti-adware test suite, linked to below, a particularly good read is his analysis of so-called anti-adware programs that are actually Trojan horses. People are so desperate to get rid of the adware that's slowing their systems to a crawl, Howes says, that too often they grasp at anything that promises a fix. See his list of rogue/suspect anti-spyware.


For big problems, consider stronger tools. HijackThis, for example, is a deep-analysis utility that examines the Registry and sectors of hard disks where adware often lurks. It's not a tool for novices, but a serious scalpel for those who are faced with major surgery on their PC. It produces log files that can be analyzed by experts, many of whom help PC users by volunteering their time in online forums. HijackThis quick start


Keep your security baseline updated. In this issue of the Windows Secrets Newsletter, we've begun a regular section on the six elements needed to protect your PC. This section appears below.


It's absolutely absurd that PC users must download, install, and update multiple programs just to keep their machines from silently accumulating crapware from morally-challenged Web sites. It's criminal that the leading ISPs and software giants of the world didn't move earlier to prevent these nuisances from taking over the majority of consumers' PCs.

The underlying reason that adware has compromised the entire Internet is that there's big money to be made. The best analysis of this I've seen is by Benjamin Edelman, a Harvard Law School student. He's documented almost $140 million in recent investments by Silicon Valley venture capitalists in just four of the largest adware makers. See list of adware angels

For those who are interested in deeper research on adware, links to Eric Howes's raw data on his comparative tests are posted on his anti-spyware testing page.

To send us more information about adware, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You'll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.


[This message has been edited by safetygem (edited 02-04-2005).]
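The IE-SPYAD mechanism described in the post above (pushing known-bad domains into IE's Restricted Sites zone by merging a .reg file into the ZoneMap keys), as an added example that is not part of the original post or of IE-SPYAD itself. It builds a .reg file of that shape from a domain list, reads it back, and shows which zone a given host would land in. The registry path and zone id 4 (Restricted sites) are the documented IE layout; the sample domain list is constructed, and splitting a host into "last two labels plus subdomain" is a stated simplification that mishandles public suffixes such as co.uk.

```python
r"""Build and read back an IE ZoneMap .reg file of the kind IE-SPYAD merges.

Added example, not IE-SPYAD's own code. It assumes the documented IE layout:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\<domain>[\<sub>]
with a value named "*" (all URL schemes) holding the zone id as a DWORD,
where 4 is the Restricted sites zone.
"""
from __future__ import annotations

import re

# Registry key that IE consults for per-site zone assignments (documented layout).
ZONEMAP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

# IE zone ids: 0 local machine, 1 local intranet, 2 trusted, 3 internet, 4 restricted.
RESTRICTED = 4
INTERNET = 3

# Constructed sample list, standing in for the ~8,900 entries IE-SPYAD ships.
SAMPLE_LIST = """
# blank lines and comments are ignored
bad-ads.example
Evil.Toolbar.example
www.tracker.example
"""


def split_host(host: str) -> tuple[str, str | None]:
    """Split a host into (domain key, optional subdomain subkey).

    Assumption/simplification: the registrable domain is taken to be the last
    two labels, which is wrong for public suffixes such as co.uk.
    """
    labels = [l for l in host.lower().strip(".").split(".") if l]
    if len(labels) < 2:
        raise ValueError(f"not a domain: {host!r}")
    domain = ".".join(labels[-2:])
    sub = ".".join(labels[:-2]) or None
    return domain, sub


def build_reg(hosts_text: str, zone: int = RESTRICTED) -> str:
    """Render a .reg file that puts every listed host into the given zone."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for raw in hosts_text.splitlines():
        host = raw.strip()
        if not host or host.startswith("#"):
            continue
        domain, sub = split_host(host)
        key = f"{ZONEMAP}\\{domain}" + (f"\\{sub}" if sub else "")
        lines.append(f"[{key}]")
        lines.append(f'"*"=dword:{zone:08x}')  # "*" covers http, https and every other scheme
        lines.append("")
    return "\r\n".join(lines)  # regedit expects CRLF line endings


_KEY = re.compile(r"^\[(.+)\]$")
_VAL = re.compile(r'^"(\*|https?)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text: str) -> dict[str, int]:
    """Read a ZoneMap .reg file back into {host: zone id}."""
    zones: dict[str, int] = {}
    current: str | None = None
    prefix = ZONEMAP + "\\"
    for line in text.splitlines():
        key = _KEY.match(line)
        if key:
            path = key.group(1)
            if path.startswith(prefix):
                # key path is domain[\sub]; the host is sub.domain
                parts = path[len(prefix):].split("\\")
                current = ".".join(reversed(parts))
            else:
                current = None  # unrelated key; ignore its values
            continue
        val = _VAL.match(line)
        if val and current:
            zones[current] = int(val.group(2), 16)
    return zones


def zone_for(host: str, zones: dict[str, int]) -> int:
    """Zone a host lands in: the most specific listed parent wins, else Internet.

    Assumption: as in IE's own lookup, a Domains entry applies to the domain and
    every host beneath it unless a more specific subkey overrides it.
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return zones[candidate]
    return INTERNET


if __name__ == "__main__":
    reg = build_reg(SAMPLE_LIST)
    print(reg)
    zones = parse_reg(reg)
    for probe in ("cdn.bad-ads.example", "tracker.example", "www.tracker.example"):
        print(probe, "->", zone_for(probe, zones))
```

Running the script prints the generated .reg text and then the zone each probe host would fall into; the point of the parse step is that a list like this can be audited offline (what exactly is being restricted, and is anything legitimate caught) before it is merged into a live registry.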
Posted By: gfretwell Re: Anti-adware misses most malware - 02/05/05 05:28 AM
I think these programs work the wrong way. Instead of simply trying to remove the software they should supply code to kill the site they call home to.
If a few million users had the option to use their spare CPU cycles to ping the site to death, people would stop doing this.
Posted By: Indcom Re: Anti-adware misses most malware - 02/07/05 02:41 AM
Yeah... I would love to be able to get back at some of those outfits that load me up with adware and spyware. Anybody got any suggestions? I do keep my McAfee running 24/7 when I'm on the internet, but it doesn't catch it all.
Posted By: cjim453 Re: Anti-adware misses most malware - 02/26/05 03:43 AM
Lycos, I believe, did something similar with a screensaver just a few months ago. It would use some of your bandwidth while the screensaver was active to use up the bandwidth of known spammers. It shut the sites down for a few days; then I think they got skittish about possibly being held liable for damages and pulled it.
Posted By: hurk27 Re: Anti-adware misses most malware - 03/07/05 05:49 AM
The problem is these adware makers are enjoying no legal action against them, and from what I see in the bills put into legislature it might be a while before anything is done about it, while writing a virus is illegal. One guy I know who was on top of this way back in the early '90s was Steve Gibson, whose web site, www.grc.com, is devoted to internet security. He developed the first anti-adware program, called OptOut, but was unable to compete with Lavasoft's Ad-Aware, which at that time he started linking everyone to. He also pushed ZoneAlarm because he found it was the first to block outgoing attempts, which stopped "bots" from phoning home. I too use McAfee for anti-virus, as I have had bad experiences with others. If you want some good reading, go to the above site; he has some really funny experiences with the hackers, and did some reverse engineering on some of their bots and was able to break into their secret IRC site after they launched a DoS attack on his site. They now leave him alone. But I do wish he had gone after them.
© ECN Electrical Forums