During our daily research and quest to locate harmful software, we come across many types of applications and application components. Our current database has literally millions of file samples from users with potentially infected systems. Part of any researcher’s duty is to look at the various properties of a file, such as its installed location, its internal version information, its linked libraries and other items that can provide “clues” about what the software actually does and if it represents a potential threat. Many times we have files that are not in their native environment, meaning that we have a few samples of the file, but not the entire system configuration in which they were originally installed. This can make it difficult to properly differentiate between harmful and legitimate software components.
Spyware/Malware applications often try to disguise themselves as legitimate software components by using the same name as a windows component, but place themselves in a different folder. Classic and often used examples of this are the SVCHOST.EXE variants. The real SVCHOST.EXE file is used by Windows to host services and executes from the system folder of Windows. The file is typically located in C:WindowsSystem32 for most users. We find variations of this file such as SVOHOST.EXE, SVSHOST.EXE or files with Unicode characters that make them appear as “SVCHOST.EXE” when viewed through Windows Explorer.
We are trying to encourage developers to start fully filling out their version information within their files with legitimate information such as product name, copyrights, websites from which to download the software and possibly listing MD5, or other “hashes” for verification of legitimate components. Naming components with recognizable names is also good practice. This would assist and make the researcher’s job easier and more accurate and help prevent “false positives.” A false positive is when a legitimate file looks and acts like a potentially harmful piece of software and incorrectly ends up in a spyware or virus database to be blocked. Developers should also avoid installing anything in the Windows folder unless absolutely required. Items with random looking names with no version information are immediate red flags to any spyware or virus researcher!
With the number of harmful applications appearing at an alarming rate today, developers should do everything they can to make ensure that their applications are not flagged as harmful applications due to non-standard programming practices, installation and naming conventions! In this way, the number of “false positives can be materially reduced to the benefit of all users.