Proactive IT security
 

You're bad. No, I'm not!

Introduction

Most of the software present on a computer falls into one of the following two categories:

  1. legitimate software that the user wants and that is installed by the user or by someone on the user's behalf
  2. malicious software that is installed without the user's consent - commonly termed malware.

The vendors of security software therefore have the following simple task:

Detect and remove as much malicious software as possible without erroneously defining benign software as malware.

Unfortunately, this is not as simple as it seems.

False positives

The term "false positive" is used for those instances in which antimalware software erroneously classifies a legitimate program or program component as malicious. Unfortunately this happens all the time, with all security software. False positives were discussed at length in a security article earlier this year, and we will not elaborate further here.

Bad or not bad, that is the question

This article's topic is rather the introduction of a third category in addition to the two above:

  3. software that some people consider malicious, but that the program's vendor claims is legitimate.

One may say that this type of software is in a grey zone, and the term greyware is often used to categorize it.

Much greyware is - or claims to be - security software. It may be software that actually detects some malware, or software that merely claims to do so. In either case such software usually alerts the user aggressively that the program must be purchased to be sufficiently protected.

Another characteristic is that software in this category is often difficult to get rid of.

One interesting example of greyware is the Sony rootkit that came to fame a few years ago. This piece of software was created with legitimate intent, as a copy protection tool with hiding technology, but it was subsequently used by malware as a cloaking tool.

A vendor of software in our category #3 will often attempt to put pressure on a security company if the latter detects its program as malicious. Lawsuits may even follow. It may therefore be tempting for the security program vendor to comply with the greyware vendor's wishes and remove that particular program from the malware signature list.

On the other hand, the security vendor's business case is to protect its customers, who may not be satisfied with such a decision.

Guidelines

Some guidelines and principles are therefore useful for security vendors whenever they must decide whether to classify a particular piece of software as legitimate or malicious.

The following characteristics all tip the scale toward malicious:

  • the program installs itself without the user's consent or knowledge,
  • the program claims to do only a minor part of what it is actually doing, and the "hidden part" would be seen as undesirable by most users,
  • the program updates itself with new components without the user's consent or knowledge,
  • the program deliberately makes itself hard to get rid of: no removal program is available, and it cannot be removed with the operating system's standard removal tool,
  • the program prompts the user to purchase in an extremely aggressive manner.