Advances in SUPERAntiSpyware’s Technology

The SUPERAntiSpyware team has been very busy the past few months completing our latest round of technology for the 4.x version of SUPERAntiSpyware. Users have repeatedly asked us to explain what is different about some of our new technologies and why they matter for the removal of malware.

To properly address this topic, we need to step back and describe some of the new forms of malware we are seeing installed on end users’ systems and what is required of today’s anti-spyware applications to properly detect and remove those threats.

What should an anti-spyware application be able to accomplish?

An anti-spyware application needs to be able to detect, remove and repair damage done by spyware infections. Although this statement is quite obvious, the technologies required to accomplish this task certainly are not. Today’s scanners need to go far beyond MD5 checksums, file name identification, and basic heuristics to defeat the new breed of threats that are here today and even tougher threats that are on the horizon.

Does scanning speed matter?

We see many forum posts and reviews comparing the scanning “speed” of products. Some products are faster than others, but is faster necessarily better? If one scanner is faster yet does not catch the threats, then scan time means nothing. Who is to say what an appropriate scan time is? Virus scanners are notoriously slow, yet they do not come under the barrage of criticism about scanning speed that anti-spyware scanners do, even though both are rooting out threats on your system.

What’s all this continued fuss about rootkits? Are they for real?

Let’s consider a specific form of malware that is testing scanners’ ability to detect and remove it from users’ systems. Rootkits are an important example of the malware we see daily on users’ systems. Rootkits are for real, and they are getting trickier as the “bad guys” further develop the technology. With the huge amount of money involved in disseminating spyware, you can be sure that the threats are getting harder to detect and remove. The “next generation” of rootkits can be hooked so deeply into the system that they are almost undetectable by the current generation of scanners. If a product relies solely on the Windows API (the standard Windows interface) to access the file system, you can be sure it is missing many of the rootkit-style infections already in circulation today, because a rootkit that hooks those API calls can simply filter its own files out of the results returned to the scanner.

These “next generation” rootkits can silently monitor your system, log keystrokes, and send data right under your firewall’s nose while showing no signs of infection. You may scan your system with several scanners and “appear” clean, but all the while your system and your personal information are being compromised.

How we have addressed the problem

One of the major technologies we developed in our research laboratories to address “next generation” rootkit infections is our DDA (Direct Disk Access) technology. It was developed over a two-year period and exhaustively tested to fine-tune it. DDA allows SUPERAntiSpyware to “see around” these rootkits by reading and parsing the hard disk directly, bypassing the hooked operating-system calls, so the threats can no longer block our ability to detect their existence. DDA is also required to remove these threats: they are hooked so deeply into the system that they start long before most drivers are even loaded, and no matter how early we try to hook in, the rootkits seem to find ways to hook in earlier. Thus we needed to develop another proprietary method to remove the “heart” of these infections.

Can a single product detect everything? (Does this mean SUPERAntiSpyware catches everything?)

No matter how good any company’s technology is, no single product can detect and remove every threat on a given day as there are simply too many threats coming out daily to be able to catch everything no matter how many resources are dedicated to the problem.

However, our aim is to Remove ALL the Spyware, NOT just the Easy Ones!

You might wonder why we can make this claim. In today’s world of spyware, adware and malware, the landscape changes on a daily basis as new variants of harmful applications are created and deployed. We realize this and have therefore created special diagnostic tools to quickly locate these new variants on users’ systems. The pertinent information is supplied directly to our malware research staff so they can update our detection and removal rules immediately and remove the new variant from users’ systems. That is why you may see more than a single update of our definitions on a given day.

What’s next?

Although the Direct Disk Access technology is a major step forward in the detection and removal of difficult to remove malware, we are already developing the next generation technology beyond Direct Disk Access that will be required to remove the threats of the future.

Developers – Fill out that version information and watch where you put your files!

During our daily research and quest to locate harmful software, we come across many types of applications and application components. Our current database has literally millions of file samples from users with potentially infected systems. Part of any researcher’s duty is to look at the various properties of a file, such as its installed location, its internal version information, its linked libraries and other items that can provide “clues” about what the software actually does and if it represents a potential threat. Many times we have files that are not in their native environment, meaning that we have a few samples of the file, but not the entire system configuration in which they were originally installed. This can make it difficult to properly differentiate between harmful and legitimate software components.

Spyware and malware applications often try to disguise themselves as legitimate software components by using the same name as a Windows component but placing themselves in a different folder. A classic and frequently used example is the family of SVCHOST.EXE variants. The real SVCHOST.EXE is used by Windows to host services and runs from the Windows system folder, typically C:\Windows\System32 for most users. We find variations such as SVOHOST.EXE and SVSHOST.EXE, as well as files whose names contain Unicode characters that make them appear as “SVCHOST.EXE” when viewed in Windows Explorer.

We are trying to encourage developers to fully fill out the version information in their files with legitimate data such as product name, copyright, the website from which the software can be downloaded, and possibly MD5 or other “hashes” for verifying legitimate components. Naming components with recognizable names is also good practice. This makes the researcher’s job easier and more accurate and helps prevent “false positives.” A false positive occurs when a legitimate file looks and acts like potentially harmful software and incorrectly ends up in a spyware or virus database to be blocked. Developers should also avoid installing anything in the Windows folder unless absolutely required. Items with random-looking names and no version information are immediate red flags to any spyware or virus researcher!
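The look-alike names and missing version information described in the last two paragraphs are exactly the signals a researcher scores when a sample arrives without its original system. The following script is an added example written for this page, not SUPERAntiSpyware’s own code; the system-folder list, the confusable-character table, the entropy threshold and all sample paths are constructed assumptions, and the version-resource fields are passed in as plain strings rather than read from the file.

```python
import math
import unicodedata
from pathlib import PureWindowsPath

# Assumption: where the genuine service host lives. The page names System32;
# SysWOW64 is added for 64-bit installs.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
PROTECTED_NAME = "svchost.exe"

# Constructed, deliberately partial table of non-ASCII letters that render like
# ASCII ones in Explorer. A real scanner would use the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0455": "s", "\u0442": "t", "\u0445": "x",
}


def skeleton(name):
    """Fold a file name to its ASCII look-alike so homoglyph spoofs land on the real name."""
    folded = unicodedata.normalize("NFKC", name).lower()   # fullwidth letters etc.
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def edit_distance(a, b):
    """Levenshtein distance; catches SVOHOST / SVSHOST style one-letter swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem):
    """Heuristic for 'random-looking' names: high per-character entropy or no vowels at all."""
    if len(stem) < 6:
        return False
    probs = [stem.count(c) / len(stem) for c in set(stem)]
    entropy = -sum(p * math.log2(p) for p in probs)
    return entropy > 3.5 or not any(v in stem for v in "aeiou")


def triage(path, company="", product=""):
    """Return the red flags a researcher would raise for one sample.

    company / product are the CompanyName and ProductName strings from the PE
    version resource; an empty string means the field is absent.
    """
    p = PureWindowsPath(path)
    name, parent = p.name, str(p.parent).lower()
    ascii_name = skeleton(name)
    flags = []

    if any(ord(ch) > 127 for ch in name):
        flags.append("non-ASCII characters in file name")

    if ascii_name == PROTECTED_NAME:
        if parent not in SYSTEM_DIRS:
            flags.append("svchost.exe look-alike outside the system folder")
        elif name.lower() != PROTECTED_NAME:
            flags.append("homoglyph spoof of svchost.exe")   # right folder, wrong bytes
    elif 0 < edit_distance(ascii_name, PROTECTED_NAME) <= 2:
        flags.append(f"{name} is within two edits of svchost.exe")

    if not company and not product:
        flags.append("no version information")

    if looks_random(p.stem.lower()):
        flags.append("random-looking file name")

    under_windows = parent == "c:\\windows" or parent.startswith("c:\\windows\\")
    if under_windows and not company and not product:
        flags.append("file under the Windows folder with no version information")

    return flags


if __name__ == "__main__":
    for sample in [
        (r"C:\Windows\System32\svchost.exe", "Microsoft Corporation", "Microsoft Windows Operating System"),
        (r"C:\Windows\svohost.exe",),
        ("C:\\Windows\\System32\\sv\u0441host.exe",),      # Cyrillic es in place of 'c'
        (r"C:\Program Files\Acme\xk2f9qz7.exe", "Acme Ltd", "Acme Updater"),
    ]:
        print(sample[0], "->", triage(*sample) or ["clean"])
```

The genuine service host with a filled-in version resource raises nothing; the same name a folder higher, a one-letter variant, or a Cyrillic “с” in the right folder each trips a flag, and a vowel-less eight-character name is flagged even with good version information. None of these flags is a verdict on its own; they are the “clues” the text describes, to be weighed by a researcher.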

With harmful applications appearing at an alarming rate today, developers should do everything they can to ensure that their applications are not flagged as harmful because of non-standard programming practices, installation locations and naming conventions. In this way the number of “false positives” can be materially reduced, to the benefit of all users.

The Ethics of Business Practice: Deceptive Advertising

The business practices of malware companies include a multitude of unscrupulous and deceptive practices to spread their products in order to lure the unsuspecting computer user to purchase or download their products. In that segment of the business community, deceptive practices are wide spread and include the all too familiar “scam and scare tactics,” the “fake spyware-pay to remove” and also “installation of spyware itself.” The intentional false positives are also widespread. The lure of free software contributes to this problem. We’ll address that on another day.

A number of reputable software publishers, including SUPERAntiSpyware.com, offer totally free, fully functional anti-spyware products and/or full-featured products with fully functional trial periods. Paid versions are obviously necessary for any company to develop and maintain quality software. Few companies could survive long term and maintain a product without some continuing source of revenue.

We are observing a growing problem with the deception of using other names on paid search/keyword advertising to capitalize on the names of acknowledged, credible anti-spyware/anti-malware companies and to imply or actually state that there is something sinister or wrong with that “product.” This practice is being used by some under the guise of “blogging.”

These blog sites, upon luring patrons to their sites by use of the reputable software publisher’s name proceed to praise the virtues of another product in hopes that the customer who has been lured to the site under deception will purchase their promoted product and earn for the blogger a sales commission for product sold. It is not unheard of for the unscrupulous vendors to offer 70% or higher commission on each product sold – quite a bounty to go after for affiliates!

Certainly a legitimate “blogger” is entitled to be paid for his or her opinion of the products they promote. What is wrong with this approach is the deception: using another company’s good name to lure the unsuspecting customer who is searching for that specific name to the blog or to another site, and stating as part of the ad that something about that company will be “exposed” and that the blog will reveal why the company’s product should not be purchased.

Claims by companies using such deceptive practices that affiliates are free to advertise products without regard to the methods they use are not credible. Reputable software publishers have absolute control over affiliates, because affiliates can only obtain product from the publisher. Without payment of high commissions, in our opinion, bloggers would have no incentive to promote the product, nor would they do so unless it is the company itself doing the blogging.

Furthermore, in at least one instance of which we are aware, the blog site is actually hosted on the company’s own servers. This is not an arm’s-length relationship. Reputable software publishers also maintain open communication channels, respond to issues raised regarding their business practices, and defend them when challenged unless there is no defense.

In our opinion, if the business practices of a company are unethical, that tells one much about the company itself and about its products. Attempting to capitalize on others’ names to sell a product suggests that it is not worthy of purchase on its own merits.

The practices of companies using such deceptive advertising continue to amaze us. If someone were using your name in advertising and stating “John Doe is a thief; read about it here,” what would be your reaction?

What Are The Incentives For Malware/Spyware Testing?

Computer users worldwide seek to identify the best, the most comprehensive and thorough anti-spyware, anti-trojan, anti-keyloggers and anti-virus scanners (collectively anti-malware) to defeat the abundance of the constantly increasing “malware” infecting their computers and affecting their use of the internet and their computer in general.

The various computer user groups’ websites and online forums are filled with users’ requests seeking assistance, asking which product or products are best, and asking why there isn’t adequate testing of anti-malware software to help users choose adequate solutions. This is particularly directed at the anti-spyware market.

As we have stated previously, malware testing is a “daunting task” that must be performed under conditions that are above reproach and that are completely transparent and readily reproducible by others to ensure the validity of the results.

The methodology of testing and some of the requirements of a testing protocol have appeared and been discussed elsewhere. The questions users do not address or consider are what is required of the testing facility and the competence of its staff, and, very importantly, “what are the incentives for malware testing?”

The criteria for the testing facility are readily identifiable, and all would agree that they include an unbiased procedure and an unbiased facility. Obviously vendors of anti-malware cannot serve in this capacity, as they and their results would be subject to claims of bias. Thus the first requisite is that the facility and those doing the testing cannot be associated with any vendor. It must be totally independent.

Secondly, the competency of the staff carrying out the testing becomes an issue. Although not insurmountable, consideration must be given to ensuring the “intellectual honesty” of those implementing the testing procedure. Redundancy and proper supervision can address these issues. In addition to the competency of the staff, the adequacy of the physical facility itself requires consideration.

These issues are dwarfed by the second question which is “What Are The Incentives For Malware Testing?”

Exclusion of monetary return for testing seems to be self evident to ensure independence and to eliminate bias. A fee structure for testing of a vendor’s software and/or participation in a vendor association to underwrite funding likewise raises issues. Will only those participating in funding be part of the testing? How do we ensure complete independence?

The necessary fee structure could be prohibitive for smaller companies, as maintaining full-time personnel and full-time facilities would require substantial commitments, and those commitments would not necessarily satisfy the requisite conditions of independence.

Online promotion of vendor products on a testing facility’s website raises issues of bias towards the vendors advertising there. Recognizing that some testing facilities already use such a model does not satisfy the need for complete transparency and the absence of any association between the facility and the vendors whose products are being tested. Even the appearance of impropriety suffices to create suspicion and doubt in vendors’ and users’ minds.

Thus, the issue of testing facilities to identify reliable and effective products is an extremely difficult problem with no readily identifiable solution. There must be not only an incentive but also a monetary structure to maintain and support such a facility. What is the incentive?

Currently, users are served by a faithful group of fellow users who give counsel and advice based upon their own experiences via forums. They are to be applauded for their dedication and willingness to assist unknown fellow computer users. Admittedly, such a system is less than perfect. Thus the various threads will continue to routinely ask the question: What is the best anti-malware software?

Even in the reported malware tests, we see that there is a continual reshuffling of the top products which confirms that “best is transient.” Best today does not ensure best tomorrow. Does this mean that the tests are meaningless? We invite your comments and opinions.

Are Suites really “Sweet”?

The proliferation of “Software Suites” to deal with the ever increasing “malware” problems raises serious issues for users of these products.

As the market for anti-virus software has stabilized, the major anti-virus software companies are entering other sections of the malware market in order to expand their user base and also to secure their current customers.

Depending upon the vendor, these suites now encompass not only the traditional anti-virus area but have also expanded into firewalls, anti-spyware, anti-trojan, anti-keylogger, anti-phishing and anti-spam. This shift in emphasis and expansion is one result of the stabilization, if not the decline, of the anti-virus market and the movement of those writing malicious software into the lucrative adware/spyware area. In addition, as the distinction between anti-virus and anti-spyware products has blurred, considerable overlap of software capabilities has developed.

At first appraisal by computer users, the evolution of suites appears to be a desirable solution to a continually evolving problem. The question arises whether these suites are really serving the end user’s needs.

In order to ensure adequate protection and to protect their customer base, the software suites appear to have adopted a philosophy that there is no need to co-exist with competing programs. Thus users attempting to maintain dual means of protection are thwarted both by slowdowns of their computer system and by direct conflicts with the competing products. The suites’ use of resources is heavy even without competing components. The adage “jack of all trades, master of none” seems appropriate here, because the results of numerous tests clearly demonstrate that no single product can be relied upon to provide the required protection; the rapid changes characteristic of the spyware area are in sharp contrast to the earlier viral area. Thus users must seek and use multiple products to provide the required margin of safety.

Co-existing with suites is a challenge because of the aforementioned problems, not the least of which is the heavy use of system resources by the “suite” products. The result of this dilemma is that users must rely upon products that are “light” on system resources. We have recognized this requirement, since no single product can catch every infection on a given day, and have specifically designed our product, SUPERAntiSpyware, to be light on system resources and to co-exist with existing security solutions. I am certain other companies will follow suit. Users will ultimately deliver the verdict on whether “suites are sweet.”

The Importance of Testing Methodology

In today’s oversaturated market of anti-spyware/malware/adware applications, it is becoming increasingly difficult for users to determine which applications will perform best for their specific needs. Thus, they look for standardized and legitimate “comparative tests” of these applications.

Testing anti-spyware applications is not an easy task. It is imperative that those who are going to undertake the task of testing need to have the skills to perform the tests competently and to test the products in real-world situations. Otherwise they are not performing a service to users. Users also need to examine the credibility of the party testing the applications and not simply “look at the numbers.” Currently, most tests are not comparing “apples to apples” because every anti-spyware application uses different methods of reporting the “numbers” of infections detected and removed.

There are standardized and widely accepted elements of any investigative report. These include an Introduction, Materials and Methods or Procedures, Results, Discussion and usually, but not always, Conclusions.

The most critical element of an adequate report or investigation is a description of the Materials and Methods used that would allow others to duplicate the experiment or investigation and so determine the validity of the results; that is, are the results reproducible in the hands of others using the same procedures? Thus, the methodology used in any investigation must be described in sufficient detail to allow any interested party to independently validate the results.

In using non-standardized methods, it is critical to provide detailed procedure in order to ensure validation by allowing reproduction of the results by others.

When or if it is determined that the methodology is itself flawed or contains documented errors, this invalidates the results and casts serious concerns on other components or elements of the entire methodology and on the results.

The level of detail cannot be assumed or taken on faith. Therefore, it is of the utmost importance to provide a level of detail which removes any ambiguity as to how something was done and to provide and detail the safeguards used to ensure that the procedures were indeed followed.

In examining the testing methodology used in recent tests by Malware-Test.com, it is unclear whether their own procedures were followed, given the flaws and errors detailed elsewhere. This casts doubt on how the other elements were carried out. Furthermore, it is one thing to say how you are carrying out the testing and another to actually follow the protocol. Thus, alleged transparency in the form of a published methodology cannot in and of itself be accepted on faith, and can be extremely misleading in view of any demonstrated inadequacies.

Malware testing is certainly a daunting task and adequate documentation of methodology is the single most important element in validation of the results. When testing is performed by individuals one can accept and or excuse minor inadequacies. However, when the results are performed by alleged experts, in testing facilities which exist for testing purposes, they must be held to the highest standards.

Are cookies really spyware?

This subject has been the debate of many newsgroups and online forums over the years. Cookies are simply text files stored on your hard drive and cannot themselves harm your computer in any way.

Typically cookies are used to remember logins and keep track of user settings on websites. A browser only sends a cookie back to the domain that set it, so cookies can be used to track your movement on the Internet ONLY if the same site (an advertising network embedded on many pages, for example) is aware of the cookie and is designed to use it.

Because of their use in tracking, many feel that this constitutes spyware. Most anti-spyware applications, including SUPERAntiSpyware, detect tracking cookies in one form or another. If an application does not detect cookies, users often feel the application is “missing” critical spyware items, because another scanner will detect them and label them as “spyware.”
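To make the distinction above concrete, here is an added example (written for this page, not SUPERAntiSpyware’s detection logic) that reads a browser cookie store in Netscape cookies.txt format and separates a site’s own cookies from cookies set by a domain the user never visited, or by a domain on a tracking list. The sample cookie file, the visited-site list and the tracker list are all constructed; the registrable-domain helper is a crude last-two-labels approximation and assumes no public-suffix list.

```python
from dataclasses import dataclass

# Constructed sample in Netscape cookies.txt format (used by Firefox, curl and wget):
# domain, include-subdomains flag, path, secure flag, expiry (epoch), name, value.
SAMPLE_COOKIES_TXT = """\
# Netscape HTTP Cookie File
.example.com\tTRUE\t/\tTRUE\t1900000000\tsessionid\tabc123
.shop.example.com\tTRUE\t/\tFALSE\t1900000000\tcart\tprefs
.adnetwork.example\tTRUE\t/\tFALSE\t2000000000\tuid\t9f8e7d6c
.adnetwork.example\tTRUE\t/\tFALSE\t2000000000\tlast_seen\t1183000000
.metrics.example.net\tTRUE\t/\tFALSE\t2000000000\tvisitor\t77a1
.news.example.org\tTRUE\t/\tFALSE\t0\tlayout\ttwo-column
"""

# Constructed: sites the user actually typed into the address bar.
VISITED_SITES = ["www.example.com", "shop.example.com", "news.example.org"]

# Constructed: domains a scanner's definitions would mark as tracking networks.
KNOWN_TRACKERS = {"adnetwork.example"}


@dataclass(frozen=True)
class Cookie:
    domain: str
    name: str
    value: str
    expires: int


def parse_cookies_txt(text):
    """Parse Netscape cookies.txt lines; comments and malformed lines are skipped, not guessed."""
    cookies = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, _subdomains, _path, _secure, expires, name, value = fields
        cookies.append(Cookie(domain.lstrip(".").lower(), name, value, int(expires)))
    return cookies


def registrable(host):
    """Assumption: last two labels approximate the registrable domain (wrong for co.uk etc.)."""
    return ".".join(host.lower().split(".")[-2:])


def is_first_party(cookie, visited):
    """A cookie is first-party if its domain belongs to a site the user deliberately visited."""
    return any(registrable(site) == registrable(cookie.domain) for site in visited)


def classify(cookies, visited, trackers):
    """Map (domain, name) of each suspicious cookie to the reason it was flagged."""
    findings = {}
    for c in cookies:
        if c.domain in trackers:
            findings[(c.domain, c.name)] = "known tracking network"
        elif not is_first_party(c, visited):
            findings[(c.domain, c.name)] = "third party: set by a domain never visited"
    return findings


if __name__ == "__main__":
    for key, reason in classify(parse_cookies_txt(SAMPLE_COOKIES_TXT),
                                VISITED_SITES, KNOWN_TRACKERS).items():
        print(f"{key[0]:24} {key[1]:12} {reason}")
```

The login and preference cookies for sites the user visited are left alone; the two cookies from the ad network and the one from the metrics host are the only ones a scanner would call “tracking cookies,” because only a domain embedded across many pages can correlate visits. The cookie is still just a text record; the tracking comes from who reads it.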