Study: Tools Let Spyware Slip Through Cracks

With the threat of a sophisticated spyware attack looming, a renowned security researcher says the most popular detection and removal tools “fail miserably” at addressing the growing spyware/malware scourge.

Just days after hackers seized control of a banner ad server and used it to load malicious programs on vulnerable machines, researcher Eric Howes issued failing grades on all anti-spyware scanners he tested during a two-week stretch in October.

Howes, a graduate student at the University of Illinois at Urbana-Champaign, found that the best-performing anti-spyware scanner failed to detect about 25 percent of the “critical” files and registry entries installed by the malicious programs.

“One thing I found out for sure is that no single scanner removes everything,” Howes said in an interview with eWEEK.com.

“I had an inkling before doing the test that the results would come back like this. But it still is disappointing to find that the tools, in many cases, are basically useless.”

“The anti-spyware tools missed things that simply reinstalled what was deleted,” Howes said, likening it to a cat-and-mouse game being won by the bad guys.

The results rated the Giant AntiSpyware detection tool as the best of the 20 scanners tested, but even then, Howes said the software detected only 100 out of 134 “critical” files and registry entries.

“Some of them are just terrible. In some cases, there were only 18 critical detections. What’s the point of missing critical files? It’s all going to come back anyway,” he said.

“Critical” detections include executable files (.EXE or .COM), dynamic link libraries (.DLL), BHO-related registry entries, toolbar-related registry entries and auto-start Registry entries.

Howes said companies that stealthily load spyware are using elaborate tricks to hide component files on computers. “They hide the files very well on the system and use complicated techniques to detect and replace component parts. If you rip out one or two parts, the undetected parts will come in and replace the files that you took out,” he said.

During the tests, which pitted the top 20 anti-spyware scanners against spyware that comes embedded with peer-to-peer programs such as Grokster, Howes said he discovered that the malicious applications were capable of blocking the scanners.

“In the second and third group of tests, one of the installed programs prevented the anti-spyware scanners from running on reboot,” he said, noting that reboots are a common method used by anti-spyware scanners to remove stubborn spyware and adware that remain in memory on a PC.

Is spyware a virus? Click here for a column.

During the first round of tests, Howes found that McAfee’s AntiSpyware rated very poorly, picking up only 56 of 134 critical detections. InterMute’s SpySubtract (72/134), Aluria‘s Spyware Eliminator (42/134), Lavasoft’s Ad-Aware (82/134) and the popular Spybot Search & Destroy (40/134) also scored very low on detecting “critical” files.

Howes said things go so bad that, at one point during the tests, he found that he had missed a single executable file. “When I started the test box the next day, the next set of tests was compromised because of that one executable. Within a couple of minutes, the box was completely loaded again with spyware,” he said.

Howes, who maintains a privacy and security page, recommends that users infected with spyware use two or more scanners in combination, as one will often detect and remove things that others do not.

Benjamin Edelman, an anti-spyware advocate who researches the methods and effects of spyware, said he was not surprised by the test results. “Eric’s work proves that paying more for spyware detection doesn’t mean getting more. He found that the more expensive programs aren’t necessarily better than the free versions.”

Edelman, a Harvard Law School student, has been monitoring spyware installations and chronicling the research findings on his Web site.

“We’re very, very far from having a magic bullet solution. We’re not dealing with fly-by-night operations,” Edelman told eWEEK.com. He also warned that many bogus anti-spyware programs are circulating and exacerbating the problem for consumers.

Check out eWEEK.com’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.