[THIN] Re: Spyware article

Good Post!

Greg


On Fri, 28 Jan 2005 09:15:52 -0000, Nick Smith <nick@xxxxxxxxxxxxxxx> wrote:
> I thought this would be of interest. In an e-mail I receive from
> www.windowssecrets.com 
> 
> Anti-adware misses most malware 
>  
>  By Brian Livingston 
>  
>  Now that 80% of home PCs in the U.S. are infected with adware and spyware,
> according to one study, it turns out that nearly every anti-adware
> application on the market catches less than half of the bad stuff.
>  
>  That's the conclusion of a remarkably comprehensive series of anti-adware
> tests conducted recently by Eric Howes, an instructor at the University of
> Illinois.
>  
>  Howes, a well-known researcher among PC security professionals, collected
> 20 different anti-adware applications. He then infected a fresh install of
> Windows 2000 SP4 and Office 2000 SP3 with several dozen adware programs in
> separate stages. Finally, he counted how many active adware components were
> removed by each anti-adware product.
>  
>  (Note: I use the single term "adware" in this article to refer to both
> "adware" and "spyware." Since it's not necessary for a spyware program to
> "call home" to be disruptive, the distinction between adware and spyware is
> meaningless. All such programs display ads or generate revenue for the
> adware maker in some other way. ) 
>  
>  Howes's tests were conducted over a period of weeks in October 2004. His
> results were mentioned at the time in several places, including Slashdot and
> eWeek. 
>  
>  Unbelievably, however, none of these commentators bothered to print a
> simple chart showing which anti-adware application did the best job at
> removing the unwanted components. Even Howes himself hasn't posted such a
> summary. In a telephone interview, Howes exhibited both modesty and
> perfectionism, implying that his work wasn't yet done to his satisfaction -
> despite the fact that his tests are some of the most extensive I've ever
> seen.
>  
>  Howes's test results sprawl over six long Web pages, with no overall totals
> or summary of the figures. It's a daunting body of data, but its bottom line
> is explosive. Adware seems to be evolving much faster than anti-adware, and
> the battle is so far being won by the adware side.
>  
>  For this issue of the Windows Secrets Newsletter, therefore, I've compiled
> Howes's figures into a straightforward chart, shown below. I removed five
> products that didn't complete all of Howes's tests for a variety of reasons.
> What's left is a revealing rating, from the top to the bottom of the
> anti-adware heap.
>  
>  Each anti-adware application, according to Howes, removed a certain
> percentage of "critical" adware components. These are executable .exe and
> .com files, dynamic link library (.dll) files, and Windows Registry entries
> (autorun commands and the like).
>  
>  Almost all the anti-adware programs that were tested removed fewer than
> half of the hundreds of adware components Howes cataloged. The best at
> removing adware was Giant AntiSpyware, but even that program removed less
> than two-thirds of a PC's unwanted guests.  
>  
>  Giant AntiSpyware catches 63%, tests say
>  
>  Howes's tests were conducted before Microsoft Corp. announced in
> December that it was purchasing Giant Company Software outright. For that
> reason, the tests use the version of Giant AntiSpyware that was available in
> October and not the newer Microsoft beta version that's currently available.
>  
>  Even so, with Giant's application removing 63% of a PC's adware components,
> and its nearest competitor, Webroot Spy Sweeper, removing less than 50%,
> it's clear that Microsoft has a potential winner on its hands.
>  
>  In the following table, which was reviewed by Howes himself before its
> publication here, the Adware Fixed column represents the percentage of
> critical components successfully removed, not just detected, by each product
> (higher percentages are better). The False Positives column shows the number
> of benign Windows files that were incorrectly reported by a product as
> adware (lower numbers are better): 
>  
> Product                      Adware Fixed   False Pos.
> Giant AntiSpyware            63%            0
> Webroot Spy Sweeper          48%            0
> Ad-Aware SE Personal         47%            0
> Pest Patrol                  41%            10
> SpywareStormer               35%            0
> Intermute SpySubtract Pro    34%            0
> PC Tools Spyware Doctor      33%            0
> Spybot Search & Destroy      33%            0
> McAfee AntiSpyware           33%            9
> Xblock X-Cleaner Deluxe      31%            1
> XoftSpy                      27%            3
> NoAdware                     24%            0
> Aluria Spyware Eliminator    23%            3
> OmniQuad AntiSpy             16%            1
> Spyware COP                  15%            0
> SpyHunter                    15%            1
> SpyKiller 2005               15%            2
>  
>  Howes didn't test the anti-adware programs in the above list against a
> program called CoolWebSearch (CWS). This little bugger mutates every few
> days, it seems. CWS actually requires a completely separate anti-adware
> program, CWShredder, which is constantly evolving along with the nuisance.
> This is explained in more detail later in this article. 
>  
>  The fact that anti-adware products fail to remove all or even most adware
> components has been an open secret among security professionals for some
> time. For this reason, tech writers often say, "You should install two
> different programs and run both of them for maximum protection."
>  
>  To test this assertion, I compiled Howes's raw data into a new table
> showing the removal rate of the best app, Giant AntiSpyware, with every
> other tested product. According to this analysis, combining Webroot Spy
> Sweeper with Giant AntiSpyware did the most to remove unwanted components.
> But the combination of the two apps increased Giant's 63% success rate only
> 7 percentage points, to 70%: 
>  
> Giant AntiSpyware plus...    Total Adware Fixed
> Webroot Spy Sweeper          70%
> Ad-Aware SE Personal         69%
> PC Tools Spyware Doctor      68%
> Pest Patrol                  67%
> Spybot Search & Destroy      67%
> Spyware Stormer              67%
> Spyware COP                  66%
> Aluria Spyware Eliminator    65%
> Intermute SpySubtract Pro    65%
> NoAdware                     65%
> XoftSpy                      65%
> McAfee AntiSpyware           64%
> OmniQuad AntiSpy             64%
> SpyHunter                    64%
> SpyKiller 2005               64%
> Xblock X-Cleaner Deluxe      64%
>  
>  Finally, the computer press often recommends that the two anti-adware
> products that should be used together are Ad-Aware SE Personal and Spybot
> Search & Destroy. That preference may have become the conventional wisdom
> because both of these products have low-end, freeware versions. PC World, PC
> Magazine, and other publications have recommended this combination as
> recently as June and August, respectively. 
>  
>  Ad-aware and Spybot may have been a great combo back then. But adware
> apparently moves much faster than these two companies do. According to
> Howes's data, the two programs together barely removed half the adware
> components on an infected PC: 
>  
> Ad-Aware SE Personal plus...    Total Adware Fixed
> Spybot Search & Destroy         54%
>  
> 
>  I found no combination of any two anti-adware programs that removed more
> adware components than Giant AntiSpyware and Webroot Spy Sweeper, based on
> Howes's data. Removing only 70% of adware, unfortunately, isn't good enough.
> A much better strategy is to prevent adware from getting into your systems
> in the first place. I'll cover that next.  
>  
>  How to defend yourself against adware 
>  
>  First, let me make my opinion clear: The installation of adware should be
> illegal and harshly punished. Adware has exploded because it offers big
> economic incentives for its sponsors. They'll never adequately inform PC
> users about their software before it's installed. This troubling aspect of
> adware will never be wished away.
>  
>  Only software that a PC user specifically consents to should legally be
> able to install - and "end-user license agreements" that stretch off the
> screen should never be counted as consent. (This isn't a knock on
> "ad-supported software," such as the Opera browser. Such legitimate software
> is clearly integrated with its advertising and makes it easy to shut off the
> ads by registering.)
>  
>  In reality, today's tech-illiterate legislatures will never ban adware - if
> they could even think of an effective legal approach to do so. We need to
> engage the battle on a technical level instead.
>  
>  To understand adware, you first need to know how PCs get it. The ways that
> Howes obtained the adware he used in his tests provide us with some perfect
> examples: 
>  
> Software downloads. For one group of tests, Howes downloaded and installed
> Grokster, a popular peer-to-peer file-sharing program, from CNET
> Download.com. Installing Grokster and clicking OK in its subsequent dialog
> boxes loaded 15 separate adware programs, containing 134 "critical"
> executable components, by Howes's count. This source of infection would
> compromise even Windows XP with its new Service Pack 2 (SP2).
>    
> Drive-by downloads. To set up another group of tests, Howes used Internet
> Explorer to visit the following Web locations: 007 Arcade Games (a games
> site), LyricsDomain (a song lyrics site), and Innovators of Wrestling (yup,
> a wrestling site). This resulted in 23 different adware programs being
> installed, carrying 138 components, Howes says. Drive-by downloads such as
> these are now less of a problem for users who've installed XP SP2.
>    
> You can't step into the same river twice. For yet another test, Howes
> visited the wrestling site again, but on a different date. The makers of
> adware must have signed a lot of distribution contracts with the site in the
> interim. Howes says his PC picked up 25 adware programs and 153 components
> on that one visit alone. (You'll notice that I didn't link to the examples I
> cited above, and I strongly recommend that you avoid trying any of them.) 
> 
> It's not enough to say "PC users should be more careful." Computer
> professionals, instead, have a duty and an obligation to prevent adware from
> infecting their PCs or anyone else's. Here are some steps to take: 
>  
> Use Giant AntiSpyware (or install the MS beta), Webroot Spy Sweeper, and
> CWShredder.
>  At the moment, this is the short list of programs that appear to remove the
> largest number of adware components. I recommend that you buy the registered
> versions of these applications and keep them constantly updated. The few
> dollars involved are well worth it, compared to the damage that can be done
> by a rogue program controlling your PC.
>  
>  Microsoft hasn't yet announced whether its version of the Giant application
> will cost money or be free after the beta period is over - stay tuned.
> (Note: The MS beta is incompatible with the MS Media Center Extender and has
> other 0.9-type issues.)
>  
>  See Giant AntiSpyware download, Microsoft AntiSpyware beta, Webroot Spy
> Sweeper, CWShredder. 
>  
> For prevention, install IE-SPYAD and Spyware Blaster. IE-SPYAD is a list
> maintained by Eric Howes of approximately 8,900 Web sites that are known to
> do things like install adware, hijack your browser home page, etc. Merging
> the list into your Windows Registry puts these sites into IE's Restricted
> Sites zone. They can't do much of anything to you then. The list, as of this
> writing, requires manual updating, but Howes hopes to automate the process
> soon.
>  
>  Spyware Blaster is freeware by Javacool Software that Howes recommends to
> guard against adware installs. A registration fee of $9.95 USD enables the
> auto-update feature of the software, which Howes encourages. Javacool also
> makes a related program, SpywareGuard.
>  
>  As commercial anti-adware programs develop their own always-on defenses,
> they may conflict with alternatives such as Spyware Blaster. Check the
> maker's documentation for possible incompatibilities before installing
> multiple products.
>  
>  See IE-SPYAD, Spyware Blaster. 
>  
> Read up on Eric Howes's site. Aside from Howes's postings about his
> anti-adware test suite, linked to below, a particularly good read is his
> analysis of so-called anti-adware programs that are actually Trojan horses.
> People are so desperate to get rid of the adware that's slowing their
> systems to a crawl, Howes says, that too often they grasp at anything that
> promises a fix. See his list of rogue/suspect anti-spyware. 
>  
> For big problems, consider stronger tools. HijackThis, for example, is a
> deep-analysis utility that examines the Registry and sectors of hard disks
> where adware often lurks. It's not a tool for novices, but a serious scalpel
> for those who are faced with major surgery on their PC. It produces log
> files that can be analyzed by experts, many of whom help PC users by
> volunteering their time in online forums. HijackThis quick start 
>  
> Keep your security baseline updated. In this issue of the Windows Secrets
> Newsletter, we've begun a regular section on the six elements needed to
> protect your PC. This section appears below. 
> 
> It's absolutely absurd that PC users must download, install, and update
> multiple programs just to keep their machines from silently accumulating
> crapware from morally-challenged Web sites. It's criminal that the leading
> ISPs and software giants of the world didn't move earlier to prevent these
> nuisances from taking over the majority of consumers' PCs.
>  
>  The underlying reason that adware has compromised the entire Internet is
> that there's big money to be made. The best analysis of this I've seen is by
> Benjamin Edelman, a Harvard Law School student. He's documented almost $140
> million in recent investments by Silicon Valley venture capitalists in just
> four of the largest adware makers. See list of adware angels
>  
>  For those who are interested in deeper research on adware, links to Eric
> Howes's raw data on his comparative tests are posted on his anti-spyware
> testing page.
>  
>  To send us more information about adware, or to send us a tip on any other
> subject, visit WindowsSecrets.com/contact. You'll receive a gift certificate
> for a book, CD, or DVD of your choice if you send us a comment that we
> print.
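
The quoted article says IE-SPYAD works by merging a site list into the Registry so that those sites land in IE's Restricted Sites zone. The following is an added example, not part of the e-mail, the newsletter or IE-SPYAD itself: it builds that kind of `.reg` text from a blocklist and rejects entries that could write outside the ZoneMap key. The function names and sample domains are constructed, and each entry is assumed to be a registrable domain.

```python
import re

# Per-user IE zone map; a "*" value of 4 places the domain (all protocols)
# in the Restricted Sites zone.
ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
           r"\CurrentVersion\Internet Settings\ZoneMap\Domains")
RESTRICTED_ZONE = 4
# One DNS label: letters, digits, inner hyphens. Anything else (backslash,
# brackets, quotes) is refused so a list entry cannot alter the key path.
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def normalize(entry):
    """Return the lower-cased domain, or None if the entry is not valid."""
    name = entry.lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        return None
    return name


def build_reg(lines):
    """Return (REGEDIT4 text, rejected entries) for a blocklist."""
    domains, rejected = set(), []
    for line in lines:
        entry = line.split("#", 1)[0].strip()   # drop comments and padding
        if not entry:
            continue
        name = normalize(entry)
        if name is None:
            rejected.append(entry)
        else:
            domains.add(name)                   # set removes duplicates
    out = ["REGEDIT4", ""]
    for name in sorted(domains):
        out.append("[%s\\%s]" % (ZONEMAP, name))
        out.append('"*"=dword:%08x' % RESTRICTED_ZONE)
        out.append("")
    return "\r\n".join(out), rejected


# Constructed sample blocklist (reserved .example names, not real sites).
SAMPLE = ["# constructed sample", "Adware-Host.example", "tracker.example.",
          "adware-host.example", r"bad\key.example", "localhost"]

if __name__ == "__main__":
    text, rejected = build_reg(SAMPLE)
    print(text)
    print("rejected:", rejected)
```
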