VIRUS BULLETIN www.virusbtn.com
DECEMBER 2004
HOW ‘DARE’ YOU CALL IT SPYWARE!
Prabhat K. Singh, Fraser Howard and Joe Telafici
McAfee, AVERT
Anti-virus vendors frequently receive queries, objections and legal notices from software vendors whose applications are detected as spyware or adware. As a result, the task of ‘proving’ whether a given sample is a spyware/adware application or a clean one demands careful judgment on the part of the researcher.
Several such applications cannot be ignored as benign software just because of the legal risks associated with detection. Adware and spyware may be described as applications that may carry out one or more unsolicited actions, such as spying on a user’s PC activities, gathering data about the user’s browsing habits or pushing unwanted and/or offensive advertisements into the user’s system.
The majority of researchers in the AV industry are aware of these descriptions, yet almost everyone has a different interpretation of adware/spyware behaviour, and companies tend to add detection for applications that may not warrant inclusion in this category, or vice versa.
Despite a rash of legislative activity in the US and the EU, definitions of spyware, adware and associated terminology vary widely. This article presents a description of spyware/adware behaviour and visits a few criteria that may be used by researchers to prove that a program can be detected as adware/spyware. We break malware behaviour into six areas to provide a framework within which spyware/adware can be compared with malware programs.
MALWARE PROGRAM BEHAVIOUR
In the following sections we will discuss six areas of malware behaviour and structure: installation, survey, replication, concealment, injection and payload (for more information on this method of malware analysis see http://downloads.securityfocus.com/library/masterthesis.pdf).
Installation
An installer creates and maintains an installation qualifier so that the malware can execute on the victim system, and ensures the automatic interpretation of