One of the goals is to create a stable reference point which can be used in discussions of controversial issues. Let's mention a few of the initiatives that are most related to the topic of this article: the Anti-Virus Product Developers Consortium (AVPD), the Anti-Spyware Coalition (ASC) and the Anti- Malware Testing Standards Organization (AMTSO). AVPD was formed to provide an open forum in which developers could work toward common goals such as product testing, product certification, surveys, studies and market research. ASC is a group dedicated to building a consensus about definitions and best practices in the debate surrounding spyware and other potentially unwanted technologies. And finally, AMTSO was founded in May 2008 as an international non-profit association that focuses on addressing the global need for improvement in objectivity, quality and relevance of anti-malware testing ethodologies. More information about these organizations and initiatives can be found on their web pages.
SPECIFICS OF THE GREY ZONE SOFTWARE
Let's have a closer look at the previously mentioned problematic software where the decision-making process about its malicious intent or legitimacy is complicated and tricky. What kind of software is it? Well, put very simply-it's the software that is, in fact, completely useless and doesn't provide any real value. Or, in other words, if the software is actually paid for, then the only party that gets any genuine benefit from it is the author/company that develops it. That's a very simple and elegant definition, right? But in the real world, endless discussions could be held regarding the usefulness or legitimacy of these kinds of software.
What is worse, sometimes it even leads to lawsuits. It happens more and more often that after a lengthy analysis an AV company decides to detect some application and a few months later the developers complain about unjustified detection and request that the false positive (FP) be fixed. The rounds of decisions and considerations that follow are usually very uneasy due to the collision of interests. There are many factors that need to be taken into account-not only the software itself, but also the user base, and it is necessary to verify the company's credibility and to analyse the distribution channels that are used. The distribution channels themselves can easily turn a legitimate application into an unwanted one.
Basically we have two reasons to flag an application as potentially unsafe or unwanted: the application is being misused by some malware, or the distribution model constitutes direct incitements to illegal profit. In the first case you could think of countless system tools that are often misused by malware to enhance its features. Some examples are the system tools from SysInternals/Microsoft, various password crackers/ password recovery tools, using remote administrator tools to implement backdoors, and so on. In the second case (the use of dubious distribution channels) we're talking about a payper- install business model where the distributor earns a small cut of the profit for every successful installation of the software. This effectively means that the software is often spread by malware and automatically installed on a victim's PC, or offered in spam campaigns.
A very important piece of information is the incentive for detection itself. Often it comes in the form of a request from the customers who notice strange and unexpected behavior on the part of their PCs. Rogue companies and their products (rogue anti-virus, rogue anti-spyware) have their fraud fine-tuned to every little detail-the product and their website has a professional look, and often they are inspired by real anti-virus software. The websites are full of fake FAQ lists, along with lots of forged positive reactions and testimonies from non-existent users, etc.
Even if we base our decisions on relatively clear rules and recommendations such as those made by the ASC, the decision is difficult and time consuming to make. An in-depth analysis can take hours and days before a good reason for detection is found. That's where the AV companies expend a lot of resources nowadays. It is beyond the scope of this article to talk in detail about the ASC rules and best practices: the relevant documents are available on the ASC website.
(Eset Spol.s R.O is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th-29th April in its new venue Earl's Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk)